Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS
Kurt, Hugh,

We had a similar situation. When we fail to get our subscription fee, we don't want our customers to be able to surf the Internet anymore (using our Internet access service), but we do want them to use a "guest" account, which they can use to dial in but access only a single server, where they can check their status and read (web-based) email.

I guess this is a very common problem. If you have a big dial-in network, possibly shared, it's very difficult to manage IP pools over all POPs. Sander Asberg suggested tackling this problem like this:

    Filename %D/guest.txt
    # this file holds the "guest" account with (ascend) ip-data-filter

    # simulate like the NAS added the name-value pair ('radiusProfile', '1')
    PreAuthHook sub { ${$_[0]}->add_attr('radiusProfile', '1'); }

    Host xxx ... xxx
    CheckAttr radiusCheck
    # The value of this attribute should match "radiusProfile=0"

When we fail to get our money, the billing process simply changes the value of radiusCheck into "radiusProfile=0" and the user is not able to dial in using this account anymore. He/she can dial in using "guest" and access the service application.

- Wilbert

-----Original Message-----
From: Hugh Irvine <[EMAIL PROTECTED]>
To: Kurt Richter <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday 28 July 1999 4:57
Subject: Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS

At 6:32 AM 27/7/99, Kurt Richter wrote:
>I've got Radiator authenticating using Platypus. It's a nice system. I've
>enjoyed learning how to work with it. But before I can put Radiator on my
>production unit, I'd like to know if anybody else has figured out a slick
>way to prevent EMail only accounts from authenticating using this Platypus
>set-up.
>

I'm not sure how you would like this to work - could you provide more details please?

If you are trying to have two different classes of users in the same Radiator setup, many people set up two IP address pools on their NAS equipment (with corresponding filters) and have the two classes of users allocated from the two pools.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) CHAP with Radiator and Cisco 2511
Hi Simon -

At 12:14 PM 28/7/99, Simon Lindsay wrote:
>We've just changed to Radiator, and are very happy with the results, but
>have a single remaining access server to change across, which has some
>people who authenticate using chap on it.
>
>This is how I've tried to set it up with cistron (that we used to use),
>but it didn't quite work, which we thought was cistron's chap support
>causing the problem.
>
>Is anybody using chap from a cisco 2511, and does this look right? Also,
>each "interface" on the cisco is specifically listed like Async12 below,
>surely there's an easier way to do that? (Sorry for being a bit off topic).
>
>TIA
>
>users file
>
>xxx Password = "xxx",
>Auth-Type = Local,
>Service-Type = Framed-User
>Framed-IP-Address = x.x.x.x,
>Framed-IP-Netmask = 255.255.255.0,
>Framed-Route = "x.x.x.x/24 x.x.x.x 1",
>Framed-Routing = None,
>Idle-Timeout = 0
>

This user entry appears to have Service-Type = Framed-User as a check item, but not as a reply item. Cisco's require that the reply items include a Service-Type = Framed-User in this context.

Also, from memory, Cisco configuration files have a shorthand notation for specifying groups of lines - not sure if that will do what you want.

hth

Hugh
Re: (RADIATOR) Replay & Check Items Q.
On Mon, 26 Jul 1999, Ben-Nes Michael wrote:

> the standard Livingston radius have "Filter-Id" does cisco 2511 accept
> it ?

The Cisco's do accept Filter-Id to choose ACL's but personally I prefer to use per-user ACL's as the AS5300's I maintain for a client have many different uses/users. The per-user ACL's also allow you to modify ACL's on the fly in the radius server. One realm uses an application's LDAP based security configuration to allow very restricted PPP connections to that application, which I do using the per-user ACL's.

Something like the following works well for me:

    AddToReply \
        cisco-avpair="ip:inacl#3=permit tcp any x.x.x.x 0.0.0.0 eq abcd",\
        cisco-avpair="ip:inacl#4=deny icmp any any administratively-prohibited",\
        cisco-avpair="ip:inacl#5=deny ip any any"

Trap: AddToReply isn't cumulative, you can use it only once.

You may need to add the following IOS configuration:

    radius-server vsa send

--
James Pickering
Email: [EMAIL PROTECTED]
Re: (RADIATOR) HOw to increase time limits
Hello Ryan -

At 1:30 AM 28/7/99, ryanm wrote:
>I am curious if Radiator can handle this internally or if I need
>to continue using a cron job. I want my users to have 2 hour session
>limits from 8 a.m. to 12 p.m. and 4 hour time limits from 12 p.m.
>till 8 a.m. We presently use Merit RADIUS, and have a cron job setup
>to increase/decrease time limits at selected times. Can I do this
>through a config file??
>

Probably the best way to do this is with a PostAuthHook Perl function (see Section 6.12.10 on page 32 of the manual). The function will be called after your AuthBy clauses, and you will be able to do whatever is necessary.

hth

Hugh
Re: (RADIATOR) Assign IP address to NAS interface
Hi Richi -

>Hi,
>
>This isn't exactly a Radiator issue, but I'm hoping someone can help. Is
>it possible with standard Radius (or any vendor-proprietary RADIUS
>implementation) to assign an IP address to the NAS interface as well as
>the client interface? The client interface can be done with
>Framed-IP-Address ... what about the NAS side? hehe .. Would the
>attribute NAS-IP-Address work? (According to RFC 2138, it "is only used in
>Access-Request packets")
>

This is a popular topic just at the moment. As previously discussed, these are NAS-specific issues, with different vendors implementing different features. In all likelihood, you will have to send vendor-specific AV pairs to accomplish what you want.

BTW - the latest patch version of Radiator 2.14 has a NasType check item for exactly this purpose.

From the README file:

    27/7/99 A new version of AuthGeneric.pm here supports Client-Id and
    NasType check items for users.

hth

Hugh
Re: (RADIATOR) Static IP Addresses
Hello James -

At 9:09 AM 27/7/99, James Young wrote:
>We are utilising a Cisco 5200 and are having difficulties with
>configuring the system for a number of customers who want permanent
>internet connections with a static IP address. We have followed the
>rules in the guide for the Radiator product and have found that the
>configuration doesn't work.
>

This is a NAS issue, rather than a Radiator/Radius issue. You don't say how you want to configure this, but I presume you are using an ISDN Primary Rate and want to allocate fixed IP addresses to your customers, who all dial the same number?

The reason this is a problem is because the inbound calls will come up on any one of the available channels on the PRI, so there is no way to configure a single interface that will always be the same for a given customer. You may be able to use the Cisco-specific AV pairs for this, but you will have to check the Cisco documentation.

hth

Hugh
No Subject
Ben-Nes Michael,

If you wish to limit users to hours, I like to do this in an SQL database, and make the AUTHSELECT statement conditional on their usage being under their prescribed hours. It's amazing what one can do with SQL :-).

Here's my example. This returns their password in two different sections.

    select password from userbase
    where (userbase.username = '%n'
           and ((select sum(usage.sessiontime/3600) from usage
                 where username = '%n') <= userbase.hours))
       OR (userbase.username = '%n' and restricted<>'yes')

1st. If their usage is above their limit, the first section does not return their password.
2nd. If they're a non-restricted user, the second section returns their password.

E.g.

If username = Joe and he's allowed 20 hours ONLY (i.e. restricted user) and he has used 25 hours: the first section works this out and does NOT return the password. The second section checks to see if he's a restricted user, and if he is, it does not return his password either. Hence joeb will be bumped off.

If username = joeb and he's allowed 20 hours but can go over that and has used 30 hours: the first section does not return his password because he is over his limit. HOWEVER, the second section does, as it checks that he is NOT a restricted user, and returns the password.

Quite simple really :-). I mean this is only me, and I find things work better when I can do this sort of NAS stuff in SQL for Radiator to check :-). Much easier to manage - but hey, that's just me.

Cheers.
Aaron

-- Aaron Miles ([EMAIL PROTECTED])
-- System Administrator - Impact Creativity Centre.
-- HAVE: 1988 BMW 325i Executive.
-- NEED: 321Bhp E36 M3 / E39 M5 - whatever comes first :-)
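An added example (not part of the original post, and not Radiator code) that runs the query from the message above against constructed SQLite tables and compares it with an adjusted variant. It covers two cases the post does not walk through: a restricted user with no accounting rows yet, and a restricted user whose sessions are each under an hour on an engine where integer division truncates. The table contents, the ADJUSTED query and the helper names are assumptions of this example, and the '%n' substitution is replaced by a bound parameter.

```python
import sqlite3

# Query as posted, with '%n' replaced by the bound parameter :n so the
# example never splices a username into the SQL text.
POSTED = """
SELECT password FROM userbase
WHERE (userbase.username = :n
       AND (SELECT SUM(usage.sessiontime/3600) FROM usage
            WHERE username = :n) <= userbase.hours)
   OR (userbase.username = :n AND restricted <> 'yes')
"""

# Variant added for this example: sum the seconds first, compare against the
# allowance in seconds, and treat "no accounting rows yet" as zero usage.
ADJUSTED = """
SELECT password FROM userbase
WHERE userbase.username = :n
  AND (restricted <> 'yes'
       OR (SELECT COALESCE(SUM(usage.sessiontime), 0) FROM usage
           WHERE username = :n) <= userbase.hours * 3600)
"""


def build_db():
    """Create constructed sample data (not taken from the post)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE userbase (username TEXT PRIMARY KEY, password TEXT,
                               hours INTEGER, restricted TEXT);
        CREATE TABLE usage (username TEXT, sessiontime INTEGER);
    """)
    db.executemany("INSERT INTO userbase VALUES (?,?,?,?)", [
        ("joe", "pw-joe", 20, "yes"),       # restricted, 25 h used
        ("joeb", "pw-joeb", 20, "no"),      # may exceed, 30 h used
        ("newbie", "pw-new", 20, "yes"),    # restricted, never logged in
        ("shorty", "pw-short", 20, "yes"),  # restricted, 40 sessions of 3599 s
    ])
    rows = ([("joe", 3600)] * 25 + [("joeb", 3600)] * 30
            + [("shorty", 3599)] * 40)
    db.executemany("INSERT INTO usage VALUES (?,?)", rows)
    return db


def lookup(db, sql, username):
    """Return the password the query yields, or None if no row comes back
    (no row means the RADIUS server has nothing to authenticate against)."""
    row = db.execute(sql, {"n": username}).fetchone()
    return row[0] if row else None


def compare(db):
    """Map each sample user to (posted query result, adjusted query result)."""
    users = ["joe", "joeb", "newbie", "shorty"]
    return {u: (lookup(db, POSTED, u), lookup(db, ADJUSTED, u)) for u in users}


if __name__ == "__main__":
    for user, (posted, adjusted) in compare(build_db()).items():
        print(f"{user:7} posted={posted!r:11} adjusted={adjusted!r}")
```

With the posted query, "newbie" is refused because SUM over zero rows is NULL, and "shorty" is still admitted after almost 40 hours because each 3599-second session divides to 0; engines whose "/" is not integer division will not show the second effect.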
(RADIATOR) Problems with AuthBy NT on Unix
Hello all.

Leigh at Winshop has reported that AuthBy NT does not work with recent versions of Authen-Smb like Authen-Smb-0.91 on Unix.

A fixed version is available at
http://www.open.com.au/radiator/downloads/patches-2.14/AuthNT.pm

Thanks for reporting it Leigh.

--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
Re: (RADIATOR) Ipass Perl Module and FreeBSD 3
> >Hello,
> >We are currently running FreeBSD 3.x and using Radiator to
> >authenticate users. We are trying to implement Ipass. I have already
> >installed Ipass and it tests properly. We have hit a snag trying to
> >install the Ipass Perl Module from Open Systems. Here are the errors we
> >have gotten:
> >
> >~~~
> >root[ancillary]/home/oliver/SRC/IpassPerl-1.3 {132}# make test
> >PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib
> >-I/usr/libdata/perl/5.00503/mach -I/usr/libdata/perl/5.00503 test.pl
> >1..6
> >Can't load 'blib/arch/auto/Ipass/Ipass.so' for module Ipass:
> >blib/arch/auto/Ipass/Ipass.so: Undefined symbol "ipass_debug" at
> >/usr/libdata/perl/5.00503/DynaLoader.pm line 169.

That looks a lot like the compilation of the IpassPerl module failed. Did you see any errors when you did the "make" phase?

Cheers.

> >
> > at test.pl line 19
> >BEGIN failed--compilation aborted at test.pl line 19.
> >not ok 1
> >*** Error code 255
> >
> >Stop.
> >~
> >
> >I have run the LIB with and without the -lndbm flag and it has made no
> >difference. Any suggestions?
> >
> >Thanks,
> >Oliver Stockhammer
>
>-- End of excerpt from Hugh Irvine

--
Mike McCauley
Re: (RADIATOR) Dynamic Ip and As5200
Hello Requiem -

At 3:00 AM 27/7/99, Requiem Aurelien (Ext/NTC) wrote:
>Hello
>
>I'm using Radiator and an As5200
>But i've got problems with my Nas
>So i need contacts.
>Or an answer
>I've setup radiator to assign Ip
>address to clients but the Nas doesn't see
>anything.
>But if it is the nas that assign the address,
>it doesn't send it when accounting start
>

It would be most helpful if you could include your Radiator configuration file (no Secrets) and a trace output at Level 4, showing exactly what happens when you have problems. You can also turn on Debug on the Cisco AS5200 to see what is happening there.

As much as we would like them to give us one (:-), Cisco has not yet provided us with a 5200/5300 NAS, so we can't test your configurations here.

thanks

Hugh
Re: (RADIATOR) Replay & Check Items Q.
At 1:22 AM 27/7/99, Ben-Nes Michael wrote:
>Hi All
>Sorry for asking so many Q.
>

No problem - we'll try to help.

>what is the best Framed-MTU for modems PPP ?
>

Well, this is a tricky question, and there is no single "good" answer. This will depend on many factors including the NAS, modems in use, connect speed, TCP/IP implementation in the client, etc., etc. The theory says that larger packets will be better for things like file transfers, while smaller packets will be better for "interactive" use (ie. keystrokes and such). This is because, once a packet transfer is started on the wire, it will continue until completion. It is easy to see that at 56kbps, a 1500 byte packet will take approx. 1/3 of a second to transfer (modulo compression and so forth). You would have to do a detailed packet trace to profile the packet sizes against response times and do some experiments. Of course, in most real world situations, the packet sizes on the modem links won't have too much effect on overall performance, due to the vagaries of network congestion elsewhere.

>the standard Livingston radius have "Filter-Id" does cisco 2511 accept
>it ?
>

You will have to check the Cisco documentation.

>I used a samples from the goodies directory for building up a
>mysql/radius server, but when someone is logged i don't see him on
>RADONLINE :-(
>

Your config file will have to include the lines:

    DBSource
    DBUsername
    ...
    DBAuth

The example in the goodies directory works correctly.

>How can i limit users for 20 hours (for example) ?
>

Again, this is NAS dependent, you will have to check your documentation.

hth

Hugh
Re: [(RADIATOR) Re: []]
Hello Rajesh -

At 2:35 AM 27/7/99, Rajesh Khator wrote:
>Rajesh K <[EMAIL PROTECTED]> wrote:
>Hi
>well i wanted to have two different files each having diff. set of users. how
>can it be done. I tried the option in the realm default and added 2
>different files each in the tag Auth by. But it didn't worked.
>

You will need to set up some form of continuation in the Realm, otherwise the first response will stop processing. Something like this:

    # Set up a single DEFAULT Realm

    # Step through AuthBy's until one Accepts
    AuthByPolicy ContinueUntilAccept

    # AuthBy first file
    Filename

    #AuthBy for second file
    Filename

>why is it the authentication becomes slow with more than 1000 users.
>

This should not happen. Users from are cached internally, unless the Nocache option is used (see page 38 of the manual).

hth

Hugh
Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS
At 6:32 AM 27/7/99, Kurt Richter wrote:
>I've got Radiator authenticating using Platypus. It's a nice system. I've
>enjoyed learning how to work with it. But before I can put Radiator on my
>production unit, I'd like to know if anybody else has figured out a slick
>way to prevent EMail only accounts from authenticating using this Platypus
>set-up.
>

I'm not sure how you would like this to work - could you provide more details please?

If you are trying to have two different classes of users in the same Radiator setup, many people set up two IP address pools on their NAS equipment (with corresponding filters) and have the two classes of users allocated from the two pools.

hth

Hugh
(RADIATOR) CHAP with Radiator and Cisco 2511
We've just changed to Radiator, and are very happy with the results, but have a single remaining access server to change across, which has some people who authenticate using chap on it.

This is how I've tried to set it up with cistron (that we used to use), but it didn't quite work, which we thought was cistron's chap support causing the problem.

Is anybody using chap from a cisco 2511, and does this look right? Also, each "interface" on the cisco is specifically listed like Async12 below, surely there's an easier way to do that? (Sorry for being a bit off topic).

TIA

users file

    xxx Password = "xxx",
    Auth-Type = Local,
    Service-Type = Framed-User
    Framed-IP-Address = x.x.x.x,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Route = "x.x.x.x/24 x.x.x.x 1",
    Framed-Routing = None,
    Idle-Timeout = 0

cisco config
--

    aaa new-model
    aaa authentication login default enable
    aaa authentication ppp PPP if-needed radius
    aaa authentication ppp PPPlocal if-needed local
    aaa authorization network radius
    aaa accounting network wait-start radius
    aaa accounting connection start-stop radius

    interface Async12
     ip unnumbered Ethernet0
     ip tcp header-compression passive
     encapsulation ppp
     bandwidth 57600
     async mode dedicated
     no cdp enable
     ppp authentication pap PPP
    !
    interface Group-Async1
     ip unnumbered Ethernet0
     ip tcp header-compression passive
     encapsulation ppp
     bandwidth 57600
     async mode dedicated
     no cdp enable
     ppp authentication chap pap
    !

Simon Lindsay                           [EMAIL PROTECTED]
Technical Manager                       Icq. 1485568
The Internet Company Pty. Ltd.          http://www.iweb.net.au/~simon
InterWeb Connections and Portal.net     Ph. (08) 8221 5444
--- Speed with Service                  Fx. (08) 8221 5450
(RADIATOR) who
=== Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) L2TP tunneling with Radiator and Bay Networks dialing equipment
Scott,

> Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:l2tp tunnel
> call failed, link will shutdown, error (Device in use)

I believe that this is a bug which was introduced in X15.1.4 and has been subsequently fixed. You haven't mentioned the 5399 software you're using, but I would recommend downloading and installing either 6.1.8 or 7.0.1 from ftp://ftp-support.baynetworks.com/outgoing/RA, assuming you are running a version close to X15.1.4 at the moment.

Regards,
Andrew

=
Andrew Foster                Tel: 1800 064 008
Nortel Networks              Fax: (02) 9927-8811
Customer Network Engineer    Asia Pacific TSC
Re: (RADIATOR) Assign IP address to NAS interface
Richi Plana wrote:
>
> Hi,
>
> This isn't exactly a Radiator issue, but I'm hoping someone can help. Is
> it possible with standard Radius (or any vendor-proprietary RADIUS
> implementation) to assign an IP address to the NAS interface as well as
> the client interface? The client interface can be done with
> Framed-IP-Address ... what about the NAS side? hehe .. Would the
> attribute NAS-IP-Address work? (According to RFC 2138, it "is only used in
> Access-Request packets")
>
> Hope someone can help.
>

Not possible with standard Radius attributes.

It is possible in a Cisco NAS working with virtual-profiles by aaa, because the interface is a virtual-access interface cloned from a virtual-template and merged with IOS commands in a Cisco Radius VSA. One of the IOS commands in this VSA can be "ip address..." or "ip unnumbered...".

This method has no impact on the NAS-IP-Address; the address will be the loopback or physical interface IP address where the radius packet is originated.

I don't have information about this feature in other NAS. I only work with Cisco. :(

Félix

__
DATAGRAMA SERVICIOS GLOBALES IP
C/ Acer 30                   Pho: +34 93 223 00 98
08038 Barcelona ( SPAIN )    Fax: +34 93 223 12 66
mailto:[EMAIL PROTECTED]     http://www.datagrama.net
__
(RADIATOR) L2TP tunneling with Radiator and Bay Networks dialing equipment
I'm not having any luck getting L2TP working at all between my Radiator server and our Bay Networks 5399 blades. The information all looks correct, but the 5399 gives an error before it attempts to open the tunnel. I never even see a packet on the tunnel machine, so it can't be my tunnel software.

Here are the relevant parts of my configuration:

==
=== radius.cfg ===
==
# Strip the realm so we can auth with the bare user name
# in the users file
RewriteUsername s/^([^@]+).*/$1/
Filename /usr/local/etc/radius/users
AddToReply Annex-Local-Username = "%n"
StripFromReply Framed-IP-Address

==
=== users ===
==
test023 Auth-Type = System
    Annex-User-Server-Location = local,
    Tunnel-Medium-Type = IP,
    Tunnel-Server-Endpoint = "\000205.138.41.248 ppp",
    Tunnel-Type = L2TP

And here's what I see in my logs:

==
=== annex.log ===
==
Jul 27 14:06:51 mico25.tir.com ppp[4331]: Sent RADIUS Access-Request to 216.40.128.71
Jul 27 14:06:51 mico25.tir.com ppp[4331]: Received RADIUS Access-Accept from 216.40.128.71
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:l2tp tunnel call connection starting to 205.138.41.248
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:L2TP:failed to make tunnel connection Device in use
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:l2tp tunnel call failed, link will shutdown, error (Device in use)
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:Security Failed PAP
[ ... ]
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42: *** PAP SYSLOG HISTORY ***
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:: Using Authentication Server to authenticate remote PAP request
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42:: PAP - L2TP - Tunnel call failed - authentication failed
Jul 27 14:06:51 mico25.tir.com ppp[4331]: ppp:asy42: *** END PAP HISTORY ***

==
=== radius.log ===
==
*** Received from 209.140.180.250 port 1267
Packet length = 172
01 62 00 ac 4f b0 04 47 3e a0 03 36 2e a0 02 26
1e a0 01 00 01 10 74 65 73 74 30 32 33 40 74 75
6e 6e 65 6c 02 12 08 5a c3 4d 1d c6 43 2a c2 d7
12 03 00 49 c7 c3 06 06 00 00 00 02 07 06 00 00
00 01 04 06 d1 8c b4 fa 08 06 d1 8c b4 c0 05 06
00 00 00 2a 3d 06 00 00 00 00 1e 09 32 34 39 39
30 39 39 1f 0c 38 31 30 37 32 30 37 32 30 33 4d
13 32 31 36 30 30 20 20 32 34 30 30 30 20 56 2e
33 34 1a 0c 00 00 06 30 32 06 00 00 54 60 1a 0c
00 00 06 30 33 06 00 00 5d c0 50 12 0c f2 ef a4
40 58 5b 7b f7 dd b6 15 25 ee 5e 0b
Code: Access-Request
Identifier: 98
Authentic: O<176><4>G><160><3>6.<160><2>&<30><160><1><0>
Attributes:
    User-Name = "test023@tunnel"
    User-Password = "<8>Z<195>M<29><198>C*<194><215><18><3><0>I<199><195>"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-IP-Address = 209.140.180.250
    Framed-IP-Address = 209.140.180.192
    NAS-Port = 42
    NAS-Port-Type = Async
    Called-Station-Id = "2499099"
    Calling-Station-Id = "8107207203"
    Connect-Info = "21600 24000 V.34"
    Annex-Transmit-Speed = 21600
    Annex-Receive-Speed = 24000
    Signature = "<12><242><239><164>@X[{<247><221><182><21>%<238>^<11>"

Tue Jul 27 14:06:51 1999: DEBUG: Handling request with Handler 'Realm=tunnel'
Tue Jul 27 14:06:51 1999: DEBUG: Rewrote user name to test023
Tue Jul 27 14:06:51 1999: DEBUG: Deleting session for test023@tunnel, 209.140.180.250, 42
Tue Jul 27 14:06:51 1999: DEBUG: Handling with Radius::AuthFILE
Tue Jul 27 14:06:51 1999: DEBUG: Reading users file /usr/local/etc/radius/users
Tue Jul 27 14:06:51 1999: DEBUG: Radius::AuthFILE looks for match with test023
Tue Jul 27 14:06:51 1999: DEBUG: Handling with Radius::AuthUNIX
Tue Jul 27 14:06:51 1999: DEBUG: Radius::AuthUNIX looks for match with test023
Tue Jul 27 14:06:51 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Tue Jul 27 14:06:51 1999: DEBUG: Radius::AuthFILE ACCEPT:
Tue Jul 27 14:06:51 1999: DEBUG: Access accepted for test023
Tue Jul 27 14:06:51 1999: DEBUG: Packet dump:
*** Sending to 209.140.180.250 port 1267
Code: Access-Accept
Identifier: 98
Authentic: O<176><4>G><160><3>6.<160><2>&<30><160><1><0>
Attributes:
    Annex-User-Server-Location = local
    Tunnel-Medium-Type = IP
    Tunnel-Server-Endpoint = "<0>205.138.41.248 ppp"
    Tunnel-Type = L2TP
    Annex-Local-Username = "test023"

I don't receive another access packet from the 5399, as the documentation hints that I might. And I don't think it's any kind of authentication problem, even though the logs mention that, because the "Device Busy" error is first.

And, of course, Bay says that Radiator is completely unsupported and will only provide me with minimal assistance.

Anybody have any ideas? I'm not really sure where to start with this...

Thanks,
(RADIATOR) Assign IP address to NAS interface
Hi,

This isn't exactly a Radiator issue, but I'm hoping someone can help. Is it possible with standard Radius (or any vendor-proprietary RADIUS implementation) to assign an IP address to the NAS interface as well as the client interface? The client interface can be done with Framed-IP-Address ... what about the NAS side? hehe .. Would the attribute NAS-IP-Address work? (According to RFC 2138, it "is only used in Access-Request packets")

Hope someone can help.

Richi Plana 8^)
Systems Administrator
Mosaic Communications, Inc.
mailto:[EMAIL PROTECTED]
(RADIATOR) HOw to increase time limits
I am curious if Radiator can handle this internally or if I need to continue using a cron job. I want my users to have 2 hour session limits from 8 a.m. to 12 p.m. and 4 hour time limits from 12 p.m. till 8 a.m. We presently use Merit RADIUS, and have a cron job setup to increase/decrease time limits at selected times. Can I do this through a config file??

Thanks for any information,
Ryan
(RADIATOR) plaintext pw inside module..?
You may recall I've been trying to authenticate against an NDS password via an LDAP server...

I have it mostly working (most code cannibalised from existing modules) except for one thing: I need to get the plaintext version of the password that the NAS sent in its access request packet into a variable.

I am grabbing the supplied username as the $name passed to the finduser subroutine (or in other attempts via '$p->getUserName'). What's the equivalent for getting the password, please?

Advice welcomed.

Thanks.

M.

--
Mark O'Leary,              | Voice: +44 (0161) 2756110 | Mark O'Leary,
Network Support Officer,   | Fax:   +44 (0161) 2756040 | Deputy Warden,
Manchester Computing, UK   | Email: [EMAIL PROTECTED]  | Moberly Hall, UoM.
(RADIATOR) Timestamp & dictionary
Hi,

I'm almost finished with setting up our radiator to handle accounting... It works really great, just another example of how powerful radiator is :) (and our old accounting system doesn't even notice any difference because radiator sends copies of the accounting requests!)

There's one little odd thing though... Radiator gives me these warnings in the logfile:

    Tue Jul 27 16:16:47 1999: WARNING: No such attribute Timestamp

When I look in the dictionary supplied with Radiator, I see the Timestamp attribute has nr. 103:

    ATTRIBUTE Timestamp 103 integer

Normally when I see something like this, I just add it to my ascend dictionary, but the ascend dictionary has this:

    # Source Auth information (in connection of "authcode-" user profile)
    #
    ATTRIBUTE Ascend-Source-Auth 103 string

So what should/can I do about it? Strangely, the timestamps added to the SQL accounting tables and SessionDatabase are *correct*...

Ricardo.

---
E-Mail: Ricardo Kustner <[EMAIL PROTECTED]>
Date: 27-Jul-99
Time: 16:13:52

This message was sent by XFMail
Re: (RADIATOR) password log file.....
On Tue, Jul 27, 1999 at 06:05:04PM +0800, Mark Anthony Lastrilla wrote:
>
> can i customize radiator passwordlogfile? how?
> and i How can i limit users for 10 hours (for example) ?
>

You can limit the PasswordLogFile to certain Realms or Handlers, as well as naming it using the special formatting characters (%M, %s etc). You can exclude specified users from appearing in there. After that, you take an axe to the code and make it do what you want.

You can limit users only if your NAS supports it, Session-Limit or the Ascend Ascend-Maximum-Time (the value is in seconds). I've had weird problems setting Ascend-Maximum-Time on Cisco's to very large numbers - hundreds of hours means that the user is rejected when they try to login.

10 hours would look like:

    Session-Limit = 36000

You have to feed that back to the NAS as a Reply attribute.

[EMAIL PROTECTED]
(RADIATOR) password log file.....
can i customize radiator passwordlogfile? how?
and i How can i limit users for 10 hours (for example) ?

mark

-P-h-i-l-i-p-p-i-n-e-s--O-n-l-i-n-e---
Mark Anthony R. Lastrilla, CNE, MCP
System Administrator        Phone  : +63 (2) 411-4545
Quezon City                 E-mail : [EMAIL PROTECTED]
                            Cel. # : +63 (917) 90-36-757
3rd Flr. F.C. Building, 288 Tomas Morato cor. Sct. Rallos St.,
Quezon City, Philippines 1203
---