Re: (RADIATOR) using the Group check item
On Thu, Sep 02, 1999 at 10:43:24AM +1000, Hugh Irvine wrote:
> > manage our users, simply by making them members (or not) or certain
> > groups. However, I now have a problem: If a user has the primary group
> > "email", radiator does not use it, and auths them with the second entry.
> > However, if I now put the username into the /etc/group file with group
> > "email", it works OK. This becomes a problem because I have more than
> > 1000 users, and the entries in the /etc/group file are limited to a
> > certain length. Is this a failing in Radiator, or am I doing something
> > wrong?
>
> You aren't doing anything wrong - Section 13.1 of the Radiator 2.14.1 reference
> manual explicitly states that the Group check item will check the UNIX
> /etc/group file. I think you will have to do something different - possibly
> have two separate users files corresponding to your two groups.
>
You might also want to look at some of the other Auth modules, as AuthUNIX
is only traditional non-shadow /etc/passwd. AuthPAM or AuthSYSTEM.
A brutal hack on AuthUNIX will also work, here's what I did to mine:
---
#return defined $group_of_last_user_found
# && $self->{GroupsToGID}{$group} == $group_of_last_user_found;
my $grouptest = grep { $_ eq $user } split(/,/, $self->{Groups}{$group});
# getpwnam is not supported on Win95
if ($grouptest == 0 && $^O ne 'MSWin32')
{
my @userarray = getpwnam($user);
my @grouparray = getgrgid($userarray[3]);
$grouptest = 1
if ($grouparray[0] eq $group);
}
return $grouptest;
}
1;
---
The only problem here is that access to the /etc/passwd will be uncached and
you could encounter performance issues if your /etc/passwd changes a lot.
[EMAIL PROTECTED]
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) using the Group check item
Hello Anand - On Wed, 01 Sep 1999, Anand Buddhdev wrote: > I've been testing Radiator 2.13.1. My platform is Solaris 7. I am using > the following raddb/users file, with 2 entries: > > DEFAULT Auth-Type = "UNIX", Group = email > Service-Type = Framed-User, > Framed-Protocol = PPP, > Framed-IP-Address = 255.255.255.254, > Framed-IP-Netmask = 255.255.255.128, > Framed-Routing = None, > Filter-Id = emailonly, > Framed-Compression = Van-Jacobsen-TCP-IP, > Framed-MTU = 1500 > > DEFAULT Auth-Type = "UNIX" > Service-Type = Framed-User, > Framed-Protocol = PPP, > Framed-IP-Address = 255.255.255.254, > Framed-IP-Netmask = 255.255.255.128, > Framed-Routing = None, > Framed-MTU = 1500, > Framed-Compression = Van-Jacobsen-TCP-IP, > > And then in my radius.cfg, I have the following for authentication by > unix (the group filename is the default /etc/group): > > > < > Identifier UNIX > Filename /etc/shadow > > > > My idea is that if a user is a member of the unix group "email", then > they are authenticated by the first DEFAULT paragraph, and get a filter > which restricts them to email only. If not, then they get the paragraph, > and have no filters set for them. This makes it very easy for us to > manage our users, simply by making them members (or not) or certain > groups. However, I now have a problem: If a user has the primary group > "email", radiator does not use it, and auths them with the second entry. > However, if I now put the username into the /etc/group file with group > "email", it works OK. This becomes a problem because I have more than > 1000 users, and the entries in the /etc/group file are limited to a > certain length. Is this a failing in Radiator, or am I doing something > wrong? You aren't doing anything wrong - Section 13.1 of the Radiator 2.14.1 reference manual explicitly states that the Group check item will check the UNIX /etc/group file. I think you will have to do something different - possibly have two separate users files corresponding to your two groups. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Reply Attributes
Hello Requiem -
On Wed, 01 Sep 1999, [EMAIL PROTECTED] wrote:
> >%_Hello
>
> I would like to know how to add reply attributes using a perl module
>
It is much simpler to use AddToReply in the AuthBy:
Otherwise, use the add_attr() function. Here is an example:
# Add some reply attributes to the reply message
# if it is a REJECT and there is 1 or fewer there already
PostAuthHook sub { ${$_[1]}->add_attr(`test-attr', \
`test-value') \
if ${$_[2]} == $main::REJECT \
&& ${$_[1]}->attr_count() <= 1; }
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Re: Separate Accounting
Salut Frédéric - On Thu, 02 Sep 1999, Frédéric GARGULA wrote: > Hi, > > > With my radiator proxy, I would like to send authentification to one > server and accounting to another one. > > In the standard case, I have : > > > Identifier xyz > Host radius.xx.com > AuthPort 1812 > AcctPort 1813 > Secret xxx > > > and > > > AuthBy xyz > > > > Want can I do to forward Auth to one server and Acct to another ? > What are the different possibilities ? Try something like this: Identifier auth Host radius.xx.com AuthPort 1812 AcctPort 1813 Secret xxx NoForwardAccounting Identifier acct Host log.xx.com AuthPort 1812 AcctPort 1813 Secret yyy NoForwardAthentication AuthByPolicy ContinueAlways AuthBy auth AuthBy acct hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) AccountingLogFile
Hello Requiem - On Wed, 01 Sep 1999, [EMAIL PROTECTED] wrote: > >%_Hello > > I have tried this but it doesn't work. > Could you please be a little more specific? It would be most helpful if you included the relevant debug output and log output. Your previous email said that the PreClientHook was working (is this the PreClientHook?) and that you wanted to access the log filename. What is being printed by the "print $logfile;" line? thanks Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Question regarding Session-Limit database
Hello David - On Thu, 02 Sep 1999, David Lloyd wrote: > Hello, I'm considering using the Session-Limit feature to limit > simultanious usage, with an external MySQL seesion-database and > user-database to allow me to run two Radiator servers (one primary, one > backup). > > We have 4 different NAS types, and I would like to set them each up to > 'talk' to Radiator to keep the database current. > > I was wondering, have other people run a setup like this? Has anyone had > any problems with the reliability of the Session-Limit (letting people on > when they shouldn't, or blocking access unneccissarily)? Has anyone had > success with multiple NAS types? > Many Radiator customers are using this feature successfully. You will need to configure the following: # Configure SessionDatabase DBSource ... DBUsername ... DBAuth ... ... # Add NasType to Clients NasType ... ... And then you will have to configure whatever is required for the NasType checking ie. SNMP communities, etc. You may also be interested in the radacct.cgi and radwho.cgi scripts that will query the SQL database and display the results in a web browser. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Re: Radiator Error Logs.
Was this of any help? Omar On Sat, Aug 28, 1999 at 09:17:28PM -0400, Omar Thameen wrote: > Is this what you're looking for? > > Thanks for your continued help on this. > Omar > > # MySQL dump 5.13 > # > # Host: localhostDatabase: radiator > # > # Server version 3.22.22 > > # > # Table structure for table 'ACCOUNTING' > # > CREATE TABLE ACCOUNTING ( > USERNAME char(50) DEFAULT '' NOT NULL, > CLIENT_ID char(22), > TIME_STAMP int(11), > ACTUAL_TIME char(50), > ACCTSTATUSTYPE char(10), > ACCTDELAYTIME int(11), > ACCTINPUTOCTETS int(11), > ACCTOUTPUTOCTETS int(11), > ACCTSESSIONID char(30), > ACCTSESSIONTIME int(11), > ACCTTERMINATECAUSE char(30), > NAS_IDENTIFIER char(50), > NAS_IP_ADDRESS char(22), > NAS_PORT int(11), > NAS_PORT_TYPE char(10), > ACCTAUTHENTIC char(10), > SERVICE_TYPE char(20), > USR_MODEM_TIME int(11), > USR_INTERFACE int(11), > USR_CHASSIS_SLOT int(11), > USR_CHASSIS_SPAN int(11), > USR_CHASSIS_CHANNEL int(11), > USR_UNAUTH_TIME int(11), > CALLING_STATION_ID char(10), > CALLED_STATION_ID char(10), > USR_MODULATION_TYPE char(20), > USR_SMNP_LEVELS char(20), > USR_SimplifiedV42BIS_USAGE char(20), > USR_CONNECT_SPEED char(20), > FRAMED_PROTOCOL char(10), > FRAMED_IP_ADDRESS char(22), > USR_MP_MRRU int(11), > ACCTLINKCOUNT int(11), > ACCTMULTISESSION_ID char(10), > ORIGIN char(20), > KEY ACCOUNTING_I (USERNAME) > ); > > # > # Table structure for table 'RADLOG' > # > CREATE TABLE RADLOG ( > TIME_STAMP int(11), > PRIORITY int(11), > MESSAGE char(200), > ACTUAL_TIME char(40) > ); > > # > # Table structure for table 'RADONLINE' > # > CREATE TABLE RADONLINE ( > USERNAME char(50) DEFAULT '' NOT NULL, > CLIENT_ID char(22), > TIME_STAMP int(11), > ACTUAL_TIME char(50), > ACCTSTATUSTYPE char(10), > ACCTDELAYTIME int(11), > ACCTINPUTOCTETS int(11), > ACCTOUTPUTOCTETS int(11), > ACCTSESSIONID char(30) DEFAULT '' NOT NULL, > ACCTSESSIONTIME int(11), > ACCTTERMINATECAUSE char(30), > NAS_IDENTIFIER char(50) DEFAULT '' NOT NULL, > NAS_IP_ADDRESS char(22), > NAS_PORT int(11) DEFAULT '0' NOT NULL, > NAS_PORT_TYPE char(10), > ACCTAUTHENTIC char(10), > SERVICE_TYPE char(20), > USR_MODEM_TIME int(11), > USR_INTERFACE int(11), > USR_CHASSIS_SLOT int(11), > USR_CHASSIS_SPAN int(11), > USR_CHASSIS_CHANNEL int(11), > USR_UNAUTH_TIME int(11), > CALLING_STATION_ID char(10), > CALLED_STATION_ID char(10), > USR_MODULATION_TYPE char(20), > USR_SMNP_LEVELS char(20), > USR_SimplifiedV42BIS_USAGE char(20), > USR_CONNECT_SPEED char(20), > FRAMED_PROTOCOL char(10), > FRAMED_IP_ADDRESS char(22), > USR_MP_MRRU int(11), > ACCTLINKCOUNT int(11), > ACCTMULTISESSION_ID char(10), > ORIGIN char(25), > UNIQUE RADONLINE_I (NAS_IDENTIFIER,NAS_PORT), > KEY RADONLINE_I2 (USERNAME) > ); > > On Thu, Aug 26, 1999 at 04:31:11PM +1000, Hugh Irvine wrote: > > > > I sent a message earlier asking for a copy of your database schema. This is > > because I have been testing your configuration here, with no problems, against > > a local mysql database. The only thing I can think of is that there is a > > field type mismatch between your AcctColumnDef's and your database. === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) iPASS Perl Module
Hi Ferhat, You can find the iPASS perl module at http://www.open.com.au/radiator/downloads/IpassPerl-1.3.tar.gz Cheers. On Sep 2, 12:19am, Ferhat Dilman wrote: > Subject: (RADIATOR) iPASS Perl Module > > [ Attachment (text/plain): 220 bytes > Character set: iso-8859-9 > Encoded with "quoted-printable" ] > > [ Attachment (text/x-html): 757 bytes > Character set: iso-8859-9 > Encoded with "quoted-printable" ] >-- End of excerpt from Ferhat Dilman I was trying to find the iPASS perl module and asked if it is delivered by iPASS. Their answer is that Radiator ppl will supply this. Is this true? Where can I find the iPASS perl module? -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) iPASS Perl Module
Hi, I was trying to find the iPASS perl module and asked if it is delivered by iPASS. Their answer is that Radiator ppl will supply this. Is this true? Where can I find the iPASS perl module? Best regards, Ferhat
Re: (RADIATOR) Non-responding Radius initiative
Hello Frederic! Frédéric GARGULA wrote: > > I would like to know if my proxy can accept an incoming connection if > the radius server that should make the authentication isn't > responding... > > I know this could become a security hole, but I think the radius server > can be up again one or two hours later... > (I want to do this to increase service quality) > > Thanks for Ideas... I think it's better for this case, to think in a periodic user database replication, or radius auth proxy with fallback to local replicated database, and for the accounting issue, to configure an accounting-only radius proxy with local backup. In my opinion your idea is more than a security hole, it's a protocol violation. Cheers. Félix __ DATAGRAMA SERVICIOS GLOBALES IP C/ Acer 30 Pho: +34 93 223 00 98 08038 Barcelona ( SPAIN )Fax: +34 93 223 12 66 mailto:[EMAIL PROTECTED] http://www.datagrama.net __ ÿ Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Question regarding Session-Limit database
Hello, I'm considering using the Session-Limit feature to limit simultanious usage, with an external MySQL seesion-database and user-database to allow me to run two Radiator servers (one primary, one backup). We have 4 different NAS types, and I would like to set them each up to 'talk' to Radiator to keep the database current. I was wondering, have other people run a setup like this? Has anyone had any problems with the reliability of the Session-Limit (letting people on when they shouldn't, or blocking access unneccissarily)? Has anyone had success with multiple NAS types? I just want to make sure I'm not going to attempt the impossible. :-) === David M. Lloyd mailto:[EMAIL PROTECTED] Administrator Internet Express, Inc. 802 W. Broadway, Suite 0101 Madison, WI. 53713-1866 Voice: (608) 663- http://www.inxpress.net Fax: (608) 663-5595 mailto:[EMAIL PROTECTED] Data: (608) 663-5551mailto:[EMAIL PROTECTED] === === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) LQQK 279
"Lon R. Stockton, Jr." wrote: > > Another happy Radiator user, I assume? *grin* > Well, Radius is a security protocol, perhaps some user has thinked in Radiator in order to get secure sex. :) Félix __ DATAGRAMA SERVICIOS GLOBALES IP C/ Acer 30 Pho: +34 93 223 00 98 08038 Barcelona ( SPAIN )Fax: +34 93 223 12 66 mailto:[EMAIL PROTECTED] http://www.datagrama.net __ ÿ Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Non-responding Radius initiative
I would like to know if my proxy can accept an incoming connection if the radius server that should make the authentication isn't responding... I know this could become a security hole, but I think the radius server can be up again one or two hours later... (I want to do this to increase service quality) Thanks for Ideas... Fred. -- Frederic GARGULA Ingenieur Reseaux & Systemes EASYNET France Tel.: +33 1 44 54 70 55 === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Separate Accounting
Hi, With my radiator proxy, I would like to send authentification to one server and accounting to another one. In the standard case, I have : Identifier xyz Host radius.xx.com AuthPort 1812 AcctPort 1813 Secret xxx and AuthBy xyz Want can I do to forward Auth to one server and Acct to another ? What are the different possibilities ? May I do something like : Identifier X Host radius.xx.com AuthPort 1812 NoForwardAccounting Secret xxx Host log.xx.com AcctPort 1813 NoForwardAuthentication Secret yyy I thought about doing a redir between Auth server port 1813 to Acct server port 1813, but I think it's not a good idea. Thank a lot for your help ! Fred. -- Frederic GARGULA Ingenieur Reseaux & Systemes EASYNET France Tel.: +33 1 44 54 70 00 === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) AccountingLogFile
Hello
I have tried this but it doesn't work.
Thanks
Here is my source code ( Swap Phone and Login to authenticate on phone +
password )
use Radius::Radius;
use strict;
sub
{
my $p = ${$_[0]};
my $code = $p->code;
my $subcodetype =
$p->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);
my $username;
my $msisdn;
if ( $code eq 'Access-Request')
{
my $username = $p->getAttrByNum($Radius::Radius::USER_NAME);
my $msisdn =
$p->getAttrByNum($Radius::Radius::CALLING_STATION_ID);
if (!$msisdn)
{
$msisdn="0";
}
$p->{CachedAttrs}{$Radius::Radius::USER_NAME} = $msisdn;
$p->changeAttrByNum($Radius::Radius::USER_NAME, $msisdn);
$p->{CachedAttrs}{$Radius::Radius::CALLING_STATION_ID} =
$username;
$p->changeAttrByNum($Radius::Radius::CALLING_STATION_ID,
$username);
my $logfile;
foreach $logfile ($p->{Handler}->{AcctLogFileName})
{
# Only do this to check the filename
print $logfile;
print "\n---\n";
}
}
}
And now my config File
# radius.cfg
LogDir /var/log/radius
DbDir /usr/local/etc/radiator
LogStdout
Trace 4
PidFile %L/radiusd.pid
AuthPort 1645
AcctPort 1646
LogFile %L/radius.log
DictionaryFile /usr/local/etc/radiator/dictionary
PreClientHook file:"/usr/local/etc/radiator/accessldap.pl"
Secret xx
DupInterval 0
FramedGroupBaseAddress 10.1.0.1
IdenticalClients 192.168.10.20 192.168.202.61 192.168.20.15
#NasType Cisco
Secret mysecret
DupInterval 0
FramedGroupBaseAddress 10.1.0.1
#NasType Cisco
AcctLogFileName %L/%m-%Y-detail
PostAuthHook file:"/usr/local/etc/radiator/checkstate.pl"
Host192.168.20.30
Port389
AuthDN cn=Directory Manager
AuthPasswordpassword
BaseDN o=servicesusers
UsernameAttrwapUserMsisdn
PasswordAttrwapUserPassword
-Original Message-
From: EXT Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 01, 1999 8:14 AM
To: Requiem Aurelien (Ext/NTC)
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) AccountingLogFile
Hello Requiem -
Here is a copy of my response to this question last week.
Hugh
On Thu, 26 Aug 1999, Requiem Aurelien (Ext/NTC) wrote:
> >%_Hello
>
> I know about SQL logging
> but i must use a file accounting file to add informations
> So i just need actually to retrieve the correct file for
> the accouting logfile
> I've got a preclienthook function that works fine
> and i have added those lines
> my $p = ${$_[0]};
> my logfilename = ($p->{AcctLogFilename});
> but i have't got any filename. So just tell me how please
>
$p is a pointer to the current radius packet (which does not contain
AcctLogFilename), so you will need to do this:
$p->{Handler}->{AcctLogFilename}
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
application/ms-tnef
Re: (RADIATOR) L/C Login Ids
Thanks John, Thats a really useful feature, I've put it in and it is working well. Is there any way to get Radiator to translate all passwords to lowercase? Cheers. Paul John Coy wrote: > > This is handled by the RewriteUsername directive. You > can have a global one or one applied to a specific client > or realm. To make usernames all lower case: > > RewriteUsername tr/A-Z/a-z/ > > See the radiator docs section 6.3.19 RewriteUsername for a > start (that's the section for the 2.13 docs). === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) RE: strange ascend profiles
Hi, I have seen this answered, but I can't find it in the archives. How do you handle the case where an ascend max or tnt sends out an infinite stream of radius requests for profiles like the pools, initial-banner, frdlink, ipxroute, permconn, etc. Thanks, Mickey === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
