(RADIATOR) portmaster 4 and SessionDatabase/Sim-Use checking

2000-01-18 Thread Hugh Irvine


Hello everyone -

I have recently been investigating a problem on a customer site where a
portmaster4 does not enforce Simultaneous-Use checking properly, either with
NasType TotalControl (using pmwho) or with NasType TotalControlSNMP.

Upon comparing Accounting-Request packets and pmwho output (or snmp) I have
discovered that the port numbers reported are different, hence Simultaneous-Use
cannot be enforced.

Does anyone have any information on what MIB should be used with a portmaster4
(software version 4.1c1)? Or how to query it to get the same port numbers as
reported in the Accounting-Request's? If anyone has this working could they let
us know what they did so we can change the Radiator code or add a separate
NasType that will work correctly?

many thanks in advance

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Re: Check items (Fixed)

2000-01-18 Thread Paul Thornton

Hi Again,

Ummm, there seems to be a major bug in what I have done with this:

AuthByPolicy ContinueUntilIgnore

   AcceptIfMissing
   Filename /usr/local/etc/raddb/users


   Identifier System
   Filename /etc/master.passwd


This is now allowing anyone to connect with any username or password.

I.E. the username of + with a password of anything will be allowed to
connect. Our Accounts program will kick them off the following minute, but
there is something really wrong here. Can anyone please tell me why
this is now happening? This user doesn't even exist on our server.

Regards,

Paul Thornton.

   ,-  __ -, DOVE AUSTRALIA SYSADMIN TEAM
  /   \___/ /__ _  _/   \
 /  _ / _  / _ \ |/ / -_) _  \   Account queries: [EMAIL PROTECTED]
/.-   \_,_/\___/___/\__/-.\  Tech Support: [EMAIL PROTECTED]
   A U S T R A L I A Sales queries:  [EMAIL PROTECTED]
   http://dove.net.au  Admin queries:  [EMAIL PROTECTED]






(RADIATOR) Check items (Fixed)

2000-01-18 Thread Paul Thornton

To all,

If anyone is looking into the problem regarding our Check Item failure
then please ignore it. After much persistence and loss of hair, I have
worked it out.

It was actually very simple now I look at it.

Here is the modification to our radius.cfg file.

- SNIP -


   AcceptIfMissing
   Filename /usr/local/etc/raddb/users


   Identifier System
   Filename /etc/master.passwd

RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/detail
AcctLogFileFormat %{NAS-Port}|%U|%C|%a|dove|PPP|%{Acct-Status-Type}|%t|%{Acct-Session-Id}|%{Acct-Terminate-Cause}|%{Acct-Output-Octets}|%{Calling-Station-Id}|%{USR-Connect-Speed}
PasswordLogFileName %L/logfile

---

All other realms have been removed and the modification is this
--

   AcceptIfMissing
   Filename /usr/local/etc/raddb/users


   Identifier System
   Filename /etc/master.passwd

--

All DEFAULT entries in the users file have been removed. 

Regards,

Paul Thornton.

   ,-  __ -, DOVE AUSTRALIA SYSADMIN TEAM
  /   \___/ /__ _  _/   \
 /  _ / _  / _ \ |/ / -_) _  \   Account queries: [EMAIL PROTECTED]
/.-   \_,_/\___/___/\__/-.\  Tech Support: [EMAIL PROTECTED]
   A U S T R A L I A Sales queries:  [EMAIL PROTECTED]
   http://dove.net.au  Admin queries:  [EMAIL PROTECTED]






Re: (RADIATOR) 3Com VSA's

2000-01-18 Thread Mike McCauley

Hello Steve.

Thanks for that. We have included a copy of that dictionary in the next
release.

Cheers.

On Jan 14, 10:56am, Steve Suehring wrote:
> Subject: (RADIATOR) 3Com VSA's
> Hello-
>
> I posted to the USR Mailing list to see if I could locate the VSA's for
> 3Com gear.  I'm still getting some unknown attributes in the logfile and
> I'm sure others probably are as well.  Here's a website:
>
> http://totalservice.usr.com/ISP/rad/vendor.html
>
> I haven't had a chance to look over much of the page yet, so I can't vouch
> that all VSA's are there.  I know for sure that one that we needed is,
> 38998 is VTS-Session-Key string.  Also I don't believe you need a password
> to get into that part of the totalservice site, but if you do let me know
> and I'll email you the contents of the page.  It appears that the VSA's
> are in hex on the page, but hey, just convert them!
>
> If Mike or Hugh feel as though it would be appropriate to post them to the
> list I(or they) can do so.  Hope this helps some people.
>
> Steve
>
> --
> Steve Suehring
> Voyager.net Network Operations Systems Engineer
> --
>
>
>
>-- End of excerpt from Steve Suehring



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




(RADIATOR) Check Items (arrrgghh)

2000-01-18 Thread Paul Thornton

Hi,

I am still experiencing a dilemma with a check item problem (which is not
the check item itself, as you will see from the Debug output). What is
happening is that the user "foobar" is being rejected due to a Caller-ID
failure (which is what we want) and then being accepted by the DEFAULT
option above the foobar entry in the user file. (I am assuming)

I can see where it is being rejected but then for some reason it wants to
continue on and verify them using AuthUnix. I can guarantee that this user
foobar is AFTER the DEFAULT entry in the users file, even though it comes
up looking for this entry. (I have been told (by Mike) that the order is
not important anyway, but do have it in this order)

Could it be an error in my config file somewhere? I have supplied it minus
most clients.

I have included the radius.cfg file, Trace 4 dump and a snapshot of the
users entry to help.

Here is a snapshot of the Trace Level 4 for the Caller-Station-Id problem.

 trace 4 dump
Wed Jan 19 09:57:07 2000: DEBUG: Packet dump:
*** Received from 203.15.24.62 port 1026 
Code:   Access-Request
Identifier: 140
Authentic:  <203>s<142><232><134><136><207>w<210>u<197><255>6<4>bZ
Attributes:
User-Name = "foobar"
User-Password =
"<165>#5<208><186><175><18><187>'<222>=(<187>=<250><169>
"
NAS-IP-Address = 203.15.24.62
NAS-Port = 46
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = "5 LAPM/V42BIS"
Called-Station-Id = "8216"
Calling-Station-Id = "882118612"

Wed Jan 19 09:57:07 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 19 09:57:07 2000: DEBUG: Rewrote user name to foobar
Wed Jan 19 09:57:07 2000: DEBUG: Rewrote user name to foobar
Wed Jan 19 09:57:07 2000: DEBUG:  Deleting session for foobar, 203.15.24.62, 46
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthFILE
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE looks for match with foobar
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthUNIX
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX looks for match with foobar
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX REJECT: Check item Calling-Station-Id expression '' does not match '882118612' in request
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE REJECT: Check item Calling-Station-Id expression '' does not match '882118612' in request
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthUNIX
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX looks for match with foobar
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX ACCEPT:
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 19 09:57:07 2000: DEBUG: Access accepted for foobar
Wed Jan 19 09:57:07 2000: DEBUG: Packet dump:
*** Sending to 203.15.24.62 port 1026 

Code:   Access-Accept
Identifier: 165
Authentic:  4v<178><242><216>o<135>T<160>{r%<191>YEK
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Reply-Message = "Welcome to DOVE Austalia"

Wed Jan 19 09:57:07 2000: DEBUG: Packet dump:
*** Received from 203.15.24.62 port 1026 
Code:   Accounting-Request
Identifier: 141
Authentic:  <247>?<239><140><189><199>,<163>;r<14><135><18><184><227><156>
Attributes:
Acct-Session-Id = "09026A3F"
User-Name = "foobar"
NAS-IP-Address = 203.15.24.62
NAS-Port = 46
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Connect-Info = "5 LAPM/V42BIS"
Called-Station-Id = "8216"
Calling-Station-Id = "882118612"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 203.30.53.225
Acct-Delay-Time = 0

Wed Jan 19 09:57:07 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 19 09:57:07 2000: DEBUG: Rewrote user name to foobar
Wed Jan 19 09:57:07 2000: DEBUG: Rewrote user name to foobar
Wed Jan 19 09:57:07 2000: DEBUG:  Adding session for foobar, 203.15.24.62, 46
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthFILE
Wed Jan 19 09:57:07 2000: DEBUG: Accounting accepted
Wed Jan 19 09:57:07 2000: DEBUG: Packet dump:
-- end Trace 4 dump

-- radius.cfg
AuthPort 1645
AcctPort 1646
# Trace 4
BindAddress x.x.x.x
LogDir /usr1/log/radius
# LogStdout
DbDir /usr/local/etc/raddb
DictionaryFile /usr/local/etc/raddb/dictionary

Secret   xx
DupInterval 180




Filename /usr/local/etc/raddb/users

RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/detail
AcctLogFileFormat %{NAS-Port}|%U|%C|%a|dove|PPP|%{Acct-Status-Type}|%t|%{Acct-Session-Id}|%{Acct-Terminate-Cause}|%{Acct-Output-Octets}|%{Calling-Station-Id}|%{USR-Connect-Speed}
PasswordLog
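
A way to spot the fall-through shown in the trace above, as an added example that is not part of the original post and is not Radiator code: it scans Trace 4 lines for requests where a check item REJECT is followed by "Access accepted" in the same request, and reports which other users-file entry was looked up in between. The first sample request is the post's trace with the mail wraps joined; the second (user alice) is constructed, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass

# First request: Trace 4 lines from the post above, mail line wraps joined.
# Second request (user "alice"): constructed, to show a clean accept.
SAMPLE_TRACE = """\
Wed Jan 19 09:57:07 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 19 09:57:07 2000: DEBUG: Rewrote user name to foobar
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthFILE
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE looks for match with foobar
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthUNIX
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX looks for match with foobar
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX REJECT: Check item Calling-Station-Id expression '' does not match '882118612' in request
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE REJECT: Check item Calling-Station-Id expression '' does not match '882118612' in request
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Wed Jan 19 09:57:07 2000: DEBUG: Handling with Radius::AuthUNIX
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX looks for match with foobar
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthUNIX ACCEPT:
Wed Jan 19 09:57:07 2000: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 19 09:57:07 2000: DEBUG: Access accepted for foobar
Wed Jan 19 09:58:11 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 19 09:58:11 2000: DEBUG: Handling with Radius::AuthFILE
Wed Jan 19 09:58:11 2000: DEBUG: Radius::AuthFILE looks for match with alice
Wed Jan 19 09:58:11 2000: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 19 09:58:11 2000: DEBUG: Access accepted for alice
"""

# "<timestamp>: <LEVEL>: <message>" as it appears in the trace.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): [A-Z]+: +(?P<msg>.*)$"
)
HANDLER = re.compile(r"^Handling request with Handler '(?P<handler>[^']*)'")
LOOKUP = re.compile(r"^Radius::\w+ looks for match with (?P<name>\S+)")
REJECT = re.compile(r"^Radius::\w+ REJECT: Check item (?P<item>\S+) ")
ACCEPTED = re.compile(r"^Access accepted for (?P<user>\S+)")


@dataclass
class Finding:
    timestamp: str          # when the request was picked up by a Handler
    user: str               # user that was finally accepted
    handler: str            # Handler that processed the request
    failed_items: list      # check items that produced a REJECT
    fallback_entries: list  # other entries looked up after the REJECT


def find_overridden_rejects(trace):
    """Return one Finding per request accepted after a check item REJECT."""
    findings = []
    handler, started = None, None
    rejects, later_lookups = [], []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # packet dumps, attribute lists, wrapped fragments
        msg = m["msg"]
        if (h := HANDLER.match(msg)):
            # A new request starts: reset the per-request state.
            handler, started = h["handler"], m["ts"]
            rejects, later_lookups = [], []
        elif (r := REJECT.match(msg)):
            if r["item"] not in rejects:
                rejects.append(r["item"])
        elif (l := LOOKUP.match(msg)):
            if rejects:
                later_lookups.append(l["name"])
        elif (a := ACCEPTED.match(msg)) and rejects:
            # Entries other than the user's own that were tried after the
            # REJECT are the ones that let the request through.
            fallback = [n for n in dict.fromkeys(later_lookups) if n != a["user"]]
            findings.append(
                Finding(started, a["user"], handler, list(rejects), fallback)
            )
            rejects, later_lookups = [], []
    return findings


if __name__ == "__main__":
    for f in find_overridden_rejects(SAMPLE_TRACE):
        print(f"{f.timestamp} {f.user}: failed {f.failed_items}, "
              f"then accepted via {f.fallback_entries} ({f.handler})")
```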

Re: (RADIATOR) Authentication over MS SQL 7.0

2000-01-18 Thread Mike McCauley

On Jan 19, 10:13am, Hugh Irvine wrote:
> Subject: Re: (RADIATOR) Authentication over MS SQL 7.0
>
> Hello Fernando -
>
> On Wed, 19 Jan 2000, Fernando Martin wrote:
> > Hi all,
> >
> > I think this question is just very answered, but I need some information.
> >
> > Actually I have a NT 4.0 SP5 with Radiator 2.14.1 ( with patches 2.14.1)
> > running properly, but I authenticate with a flat file. Because I have
> > many users I need another way to do that, and I think MS SQL could be one
> > of the best.
> >
> > I have read the manual, pages 82, 107... and I know that:
> >
> > - I need to install DBI ( PPM>install DBI
> > - Then, search the right module/driver to connect database.
> > In my case I think I need ODBC because my MS SQL server is into another NT
> > server than Radiator. So PPM>install DBD-ODBC.
> >
> > Is it right? Is there another way better? Maybe mSQL? Why?
> > Is the ODBC connector stable?
> >
> > - I need to create the database into SQL server...
> > - I need to configure my radius.cfg to authenticate
> > and also create a System DSN into my Radiator server ( In my case
> > DSN=Radius)to connect database
> > 
> > 
> > <
> > PasswordLogFileName %L/%d-%m-%y-password.log
> > AuthByPolicy ContinueAlways
> > 
> > # Data to open database. DSN= radius
> > DBSource dbi:ODBC:radius
> > DBUsername admrad  # login to connect
> > DBAuth     # pass to connect
> > Is it all ok until this point?
> >
> > AuthSelect select PASSWORD from USERSDB where USERNAME='%n'
> >
> > I do not know what I need to put here ( select...) to authenticate properly
> > a user and also check his check items ( like Called-station-id, NAS-port,
> > Acct-Status-Type, etc) against the SQL. I think I need to configure my Radius
> > database and table USERSDB with login, pass, and check items... How to do
> > that? Any example?
> >
> > # This enables accounting
> > AccountingTable ACCOUNTING
> > AcctColumnDef   USERNAME,User-Name
> > AcctColumnDef   TIME_STAMP,Timestamp,integer
> > # etc
> > 
> >
> > 
> >
>
> You are definitely on the right track with everything you mention above. The
> best place to start with SQL is in the goodies directory included in the
> Radiator distribution. You will find example SQL table definitions, SQL table
> creation scripts, and SQL configuration files. You can use these exactly as
> they are, or you can use them as a base from which to add your own extra
> features. Also have a look at the radius.cfg file in the main Radiator
> directory to see a very detailed and documented configuration file which
> includes various SQL definitions.

Also, if you are on NT, wanting to talk to SQL on another NT, then DBD-ODBC is
the best way to go.

We usually prefer mysql to MS-SQL, but the ODBC connector to mysql on NT is
still not terribly stable when used with Perl, so probably MS-SQL is best for
you if you can afford it.

I sent some patches to the mysql ODBC connector authors, but I don't know if
they have been incorporated yet.

Cheers.



>
> hth
>
> Hugh
>
>
>-- End of excerpt from Hugh Irvine



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




Re: (RADIATOR) Authentication over MS SQL 7.0

2000-01-18 Thread Hugh Irvine


Hello Fernando -

On Wed, 19 Jan 2000, Fernando Martin wrote:
> Hi all,
> 
> I think this question is just very answered, but I need some information.
> 
> Actually I have a NT 4.0 SP5 with Radiator 2.14.1 ( with patches 2.14.1)
> running properly, but I authenticate with a flat file. Because I have
> many users I need another way to do that, and I think MS SQL could be one of
> the best. 
> 
> I have read the manual, pages 82, 107... and I know that:
> 
> - I need to install DBI ( PPM>install DBI
> - Then, search the right module/driver to connect database.
> In my case I think I need ODBC because my MS SQL server is into another NT
> server than Radiator. So PPM>install DBD-ODBC.
> 
> Is it right? Is there another way better? Maybe mSQL? Why?
> Is the ODBC connector stable? 
> 
> - I need to create the database into SQL server...
> - I need to configure my radius.cfg to authenticate 
> and also create a System DSN into my Radiator server ( In my case
> DSN=Radius)to connect database
> 
> 
> <
>   PasswordLogFileName %L/%d-%m-%y-password.log
>   AuthByPolicy ContinueAlways
>   
> # Data to open database. DSN= radius
>   DBSource dbi:ODBC:radius
> DBUsername admrad  # login to connect
> DBAuth     # pass to connect
> Is it all ok until this point?
> 
> AuthSelect select PASSWORD from USERSDB where USERNAME='%n'
> 
> I do not know what I need to put here ( select...) to authenticate properly
> a user and also check his check items ( like Called-station-id, NAS-port,
> Acct-Status-Type, etc) against the SQL. I think I need to configure my Radius
> database and table USERSDB with login, pass, and check items... How to do
> that? Any example? 
> 
>   # This enables accounting
>   AccountingTable ACCOUNTING
>   AcctColumnDef   USERNAME,User-Name
>   AcctColumnDef   TIME_STAMP,Timestamp,integer
>   # etc
>   
>   
> 
> 

You are definitely on the right track with everything you mention above. The
best place to start with SQL is in the goodies directory included in the
Radiator distribution. You will find example SQL table definitions, SQL table
creation scripts, and SQL configuration files. You can use these exactly as
they are, or you can use them as a base from which to add your own extra
features. Also have a look at the radius.cfg file in the main Radiator
directory to see a very detailed and documented configuration file which
includes various SQL definitions.

hth

Hugh





Re: (RADIATOR) Status-Server requests

2000-01-18 Thread Hugh Irvine


Hello Alejandro  -

On Wed, 19 Jan 2000, Alejandro Dau wrote:
> Hi,
> 
>  some of our access servers are sending Status-Server requests to 
> our radiator servers. Radiator can't send the reply back to the NAS because 
> the resulting packet is too large, (because of a lot of clients configured) 
> so it logs a 'ERR: sendTo: send failed: Message too long'.  Those requests 
> seem to be useless, so we could suppress them. How can I configure radiator 
> to ignore (or send at least a valid truncated response) to Status-Server 
> requests?
> 

I would suggest that you turn off the Status-Server requests in the NAS
equipment in question. That way you will avoid the problem completely.

regards

Hugh





(RADIATOR) Re: Running a SQL Query before autheticate a user on MSSQL database

2000-01-18 Thread Hugh Irvine


Hello Lakmin -

Thanks for sending the file - much better!

On Wed, 19 Jan 2000, S.K.D. Lakmin Premnath wrote:

I'm connecting MSSQL from BSDI box to authentication and accounting from SQL 
database. Here I need to run a stored procedure (say this procedure update
CHECKATTR column from SUBSCRIBERS table) before it comes to authenticate a
particular user. When I try to do as follows it will reject the authentication
but radpwtst shows accounting is okay. pls advise me how to do this and which
side do I have to run this unix side or NT side...

thankx
lakmin




    DBSource    dbi:FreeTDS:database=icarddb;host=xxx.xx.xxx.xx;port=1433
    DBUsername  x
    DBAuth  x
    AuthSelect execute proc_rupee %n
    AuthSelect select PASSWORD, \
    CHECKATTR, REPLYATTR \
#   ('Session-Timeout = ' + CAST((RUPEEVALUE * 30) AS char(200))), \
#   REPLYATTR \ 
    from SUBSCRIBERS \
    where USERNAME='%n'
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, GENERIC, check
    AuthColumnDef 2, GENERIC, reply    
---
---
---


You can only define one AuthSelect in your configuration file. In your case
above, the second AuthSelect will replace the first one when the configuration
file is parsed. You will need to create a single AuthSelect that will first run
the stored procedure then do whatever else you require.

This question was discussed on the list some months ago (for Oracle I believe)
and you might have a look at the archive:

http://www.thesite.com.au/~radiator/

I seem to remember that the syntax was not completely obvious, but it worked
fine.

hth

Hugh
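
A pre-deployment check for the point made in the reply above (only one AuthSelect per clause, the later one replacing the earlier), as an added example that is not part of the original message and is not Radiator code: it joins backslash-continued lines and reports any single-valued keyword that is defined more than once, showing which definition is dropped. The sample clause is the one from the post with its two commented-out lines omitted; the function names, the `SINGLE_VALUED` set and the treatment of comment lines are assumptions of this sketch.

```python
# Keywords where a later definition replaces an earlier one. Only AuthSelect
# is stated in the reply above; anything added here is the user's assumption.
SINGLE_VALUED = {"AuthSelect"}

# Clause body from the post, minus its two commented-out lines.
SAMPLE_CLAUSE = r"""DBSource    dbi:FreeTDS:database=icarddb;host=xxx.xx.xxx.xx;port=1433
DBUsername  x
DBAuth  x
AuthSelect execute proc_rupee %n
AuthSelect select PASSWORD, \
CHECKATTR, REPLYATTR \
from SUBSCRIBERS \
where USERNAME='%n'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, check
AuthColumnDef 2, GENERIC, reply
"""


def logical_lines(text):
    """Yield (first_line_number, statement) with '\\' continuations joined.

    Assumption: blank lines and '#' comments are recognised only between
    statements, not in the middle of a continued one.
    """
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continued statement
        yield start, " ".join(buf)


def shadowed_statements(text, single_valued=SINGLE_VALUED):
    """Return one record per definition that a later definition replaces."""
    seen = {}      # keyword -> list of (line_number, value) in file order
    for number, statement in logical_lines(text):
        parts = statement.split(None, 1)
        keyword = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        if keyword in single_valued:
            seen.setdefault(keyword, []).append((number, value))

    findings = []
    for keyword, definitions in seen.items():
        effective_line, effective_value = definitions[-1]
        for line_number, value in definitions[:-1]:
            findings.append({
                "keyword": keyword,
                "ignored_line": line_number,
                "ignored_value": value,
                "effective_line": effective_line,
                "effective_value": effective_value,
            })
    return findings


if __name__ == "__main__":
    for f in shadowed_statements(SAMPLE_CLAUSE):
        print(f"line {f['ignored_line']}: {f['keyword']} "
              f"'{f['ignored_value']}' is replaced by the definition "
              f"on line {f['effective_line']}")
```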




RE: (RADIATOR) How to suppress an answer from a remote Radius host

2000-01-18 Thread Hugh Irvine


Hello Arturo -

On Tue, 18 Jan 2000, Arturo Pina wrote:
> > I see. Unfortunately, I don't see any way that you can avoid the
> > two Accounting-Accept's. I've copied Mike on this so he can  offer
> > his opinion, but it looks to me like this is the way it is.
> 
> Hi Hugh,
> So what should happen if we had the Acct Radius Server (Acct) answers
> suppressed or we filtered them so that Radiator couldn't see them.
> Would it have any effect on Radiator's performance? (This is a very
> important issue)
> Would Radiator keep waiting for it or writing lots of warnings to the
> logfile?

Because the radius protocol specifies a retransmission policy (due to UDP), if
Radiator does not see a response to a Request that it has sent, it will
continue to resend the packet until it receives a reply or until it has sent
the maximum number of retries defined in the configuration file. I don't think
putting filters in place is the right course of action.

Perhaps you could tell me what the problem is? Why are multiple responses a
problem - there may be another way to deal with it.

regards

Hugh





(RADIATOR) Status-Server requests

2000-01-18 Thread Alejandro Dau

Hi,

 some of our access servers are sending Status-Server requests to 
our radiator servers. Radiator can't send the reply back to the NAS because 
the resulting packet is too large, (because of a lot of clients configured) 
so it logs a 'ERR: sendTo: send failed: Message too long'.  Those requests 
seem to be useless, so we could suppress them. How can I configure radiator 
to ignore (or send at least a valid truncated response) to Status-Server 
requests?


Regards
Alejandro Dau






(RADIATOR) Authentication over MS SQL 7.0

2000-01-18 Thread Fernando Martin

Hi all,

I think this question is just very answered, but I need some information.

Actually I have a NT 4.0 SP5 with Radiator 2.14.1 ( with patches 2.14.1)
running properly, but I authenticate with a flat file. Because I have
many users I need another way to do that, and I think MS SQL could be one of
the best. 

I have read the manual, pages 82, 107... and I know that:

- I need to install DBI ( PPM>install DBI
- Then, search the right module/driver to connect database.
In my case I think I need ODBC because my MS SQL server is into another NT
server than Radiator. So PPM>install DBD-ODBC.

Is it right? Is there another way better? Maybe mSQL? Why?
Is the ODBC connector stable? 

- I need to create the database into SQL server...
- I need to configure my radius.cfg to authenticate 
and also create a System DSN into my Radiator server ( In my case
DSN=Radius)to connect database

...

PasswordLogFileName %L/%d-%m-%y-password.log
AuthByPolicy ContinueAlways

# Data to open database. DSN= radius
DBSource dbi:ODBC:radius
DBUsername admrad  # login to connect
DBAuth     # pass to connect
Is it all ok until this point?

AuthSelect select PASSWORD from USERSDB where USERNAME='%n'

I do not know what I need to put here ( select...) to authenticate properly
a user and also check his check items ( like Called-station-id, NAS-port,
Acct-Status-Type, etc) against the SQL. I think I need to configure my Radius
database and table USERSDB with login, pass, and check items... How to do
that? Any example? 

# This enables accounting
AccountingTable ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
# etc






I hope you could help me.

Thank you for your time and help.

Best regards,

Fernando Martín
Dpto. Técnico 
Interlinea 2000 Comunicaciones, S.A.
Gabiria, 2 - Edif. Servícios - Local X
20.305  Irún - Gipuzkoa 
Telephone:(+34) 943  621033
Fax  :(+34) 943  627340





(RADIATOR) Re: IMPORTANT - Re: Logging to Syslog

2000-01-18 Thread Daniel Senie

Well, it was a good try...

However, the -r has been on all along to allow logging the syslog output
of the MAX6000. Since I work with RedHat a lot (and with routers or
other devices near it) I was well aware of the -r switch.

I also use ipchains (ip firewall filtering) in the server. I do permit
ALL traffic from the loopback address (which is, I assume, what the
Syslog library would be using) and syslog specifically from the MAX 6000.
I will turn on an explicit filter to allow syslog from the local IP
address, too, just to be sure.

Dan


Hugh Irvine wrote:
> 
> Hello Dan -
> 
> On Thu, 23 Dec 1999, Daniel Senie wrote:
> > Hugh Irvine wrote:
> > >
> > > Hello Dan -
> > >
> > > On Mon, 20 Dec 1999, Daniel Senie wrote:
> > > > I have the following in my radius.cfg:
> > > >
> > > > 
> > > >   Facility local1
> > > >   Trace 4
> > > > 
> > > >
> > > > Nothing gets logged.
> > > >
> > >
> > > Check your syslog.conf to make sure you have a local1 defined.
> > >
> >
> > From syslog.conf file. Note that the MAX6000 stuff comes through just
> > fine.
> >
> > local0.*    /var/log/max6000
> > local1.*    /var/log/rad
> >
> 
> Well, after a remarkable amount of messing around, we have discovered what is
> going on (thanks Mike!). Here is the entry from the FAQ:
> 
> 66. Why doesn't my syslog logging from Radiator work on Red Hat 6.1 and similar
>    platforms?
>
>    Recent versions of Linux syslogd do not by default listen to the UDP port
>    that the Perl Sys::Syslog module uses. In order to let Radiator and other Perl
>    sysloggers work, you need to restart syslogd with the -r flag.
> 
> hth
> 
> Hugh
> 


-- 
-
Daniel Senie              [EMAIL PROTECTED]
Amaranth Networks Inc.    http://www.amaranthnetworks.com




(RADIATOR) Running a SQL Query before autheticate a user on MSSQL database

2000-01-18 Thread S.K.D. Lakmin Premnath

hi hugh

sorry about previous mail in HTML format. I have attached text file with
this mail.
pls see it and let me know

lakmin

hi hugh

I'm connecting MSSQL from BSDI box to authentication and accounting from SQL database. 
Here I need to run a stored procedure (say this procedure update CHECKATTR column from 
SUBSCRIBERS table) before it comes to authenticate a particular user. When I try to do 
as follows it will reject the authentication but radpwtst shows accounting is okay.
pls advise me how to do this and which side do I have to run this unix side or NT 
side...

thankx
lakmin



   
    DBSource    dbi:FreeTDS:database=icarddb;host=xxx.xx.xxx.xx;port=1433
    DBUsername  x
    DBAuth  x
    AuthSelect execute proc_rupee %n
    AuthSelect select PASSWORD, \
    CHECKATTR, REPLYATTR \
#   ('Session-Timeout = ' + CAST((RUPEEVALUE * 30) AS char(200))), \
#   REPLYATTR \ 
    from SUBSCRIBERS \
    where USERNAME='%n'
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, GENERIC, check
    AuthColumnDef 2, GENERIC, reply    
---
---
---







S.K.D. Lakmin Premnath.
(Systems Engineer)
Lanka Internet Services Limited.
(
http://www.lanka.net
)
Network Operating Center
No, 156 1/1 Walukarama Road,
Colombo 3,
Sri Lanka.
Tel : +94 1 565071
Fax : +94 75 335637
Email : [EMAIL PROTECTED]

=



RE: (RADIATOR) How to suppress an answer from a remote Radius host

2000-01-18 Thread Arturo Pina

> I see. Unfortunately, I don't see any way that you can avoid the
> two Accounting-Accept's. I've copied Mike on this so he can  offer
> his opinion, but it looks to me like this is the way it is.

Hi Hugh,
So what should happen if we had the Acct Radius Server (Acct) answers
suppressed or we filtered them so that Radiator couldn't see them.
Would it have any effect on Radiator's performance? (This is a very
important issue)
Would Radiator keep waiting for it or writing lots of warnings to the
logfile?
Thx a lot for your help.

Arturo.






(RADIATOR) IMPORTANT - Re: Logging to Syslog

2000-01-18 Thread Hugh Irvine


Hello Dan -

On Thu, 23 Dec 1999, Daniel Senie wrote:
> Hugh Irvine wrote:
> > 
> > Hello Dan -
> > 
> > On Mon, 20 Dec 1999, Daniel Senie wrote:
> > > I have the following in my radius.cfg:
> > >
> > > 
> > >   Facility local1
> > >   Trace 4
> > > 
> > >
> > > Nothing gets logged.
> > >
> > 
> > Check your syslog.conf to make sure you have a local1 defined.
> > 
> 
> From syslog.conf file. Note that the MAX6000 stuff comes through just
> fine.
> 
> local0.*    /var/log/max6000
> local1.*    /var/log/rad
> 

Well, after a remarkable amount of messing around, we have discovered what is
going on (thanks Mike!). Here is the entry from the FAQ:

66. Why doesn't my syslog logging from Radiator work on Red Hat 6.1 and similar
   platforms?

   Recent versions of Linux syslogd do not by default listen to the UDP port
   that the Perl Sys::Syslog module uses. In order to let Radiator and other Perl
   sysloggers work, you need to restart syslogd with the -r flag.

hth

Hugh




Re: (RADIATOR) Running a SQL Query before autheticate a user on MSSQL database

2000-01-18 Thread Hugh Irvine


Hello Lakmin -

This is what your email looks like (see below). Please send your configuration
file as an attachment so I can read it and help you.

thanks

Hugh


On Wed, 19 Jan 2000, S.K.D. Lakmin Premnath wrote:
> hi hugh
> 
> I'm connecting MSSQL fron BSDI box to authentication and accounting
> from SQL database. Here I need to run a stored procedure (say this
> procedure update CHECKATTR column from SUBSCRIBERS table) before it comes
> to authenticate a particular user. When I try to do as follows it will
> reject the authentication but radpwtst shows accounting is okay.
> pls advise me how to do this and which side do I have to run this
> unix side or NT side...
> 
> thankx
> lakmin
> 
> 
> 
>    
>    
> DBSource   
> dbi:FreeTDS:database=icarddb;host=xxx.xx.xxx.xx;port=1433
>    
> DBUsername  x
>    
> DBAuth  
> x
>     AuthSelect execute
> proc_rupee %n
>     AuthSelect select
> PASSWORD, \
>     CHECKATTR, REPLYATTR
> \
> #   ('Session-Timeout = ' +
> CAST((RUPEEVALUE * 30) AS char(200))), \
> #   REPLYATTR \ 
>     from SUBSCRIBERS 
> \
> 
>   
> where USERNAME='%n'
>     AuthColumnDef 0,
> User-Password, check
>     AuthColumnDef 1, GENERIC,
> check
>     AuthColumnDef 2, GENERIC,
> reply    
> 
>   ---
> 
>   ---
> 
>   ---
> 
> 
>   
> 
> 
> 
> 
> S.K.D. Lakmin Premnath.
> (Systems Engineer)
> Lanka Internet Services Limited.
> (http://www.lanka.net)
> Network Operating Center
> No, 156 1/1 Walukarama Road,
> Colombo 3,
> Sri Lanka.
> Tel : +94 1 565071
> Fax : +94 75 335637
> Email : [EMAIL PROTECTED]
> 



Re: (RADIATOR) Radiator Freezing

2000-01-18 Thread Hugh Irvine


Hello Aaron -

On Tue, 18 Jan 2000, Aaron Liu wrote:
> Hi Hugh,
> 
> >
> > You should try using AuthBy LDAP2 and the corresponding Net::LDAP module.
> > Please have a look at section 6.30 in the Radiator 2.14.1 reference manual for
> > a discussion of the various LDAP options.
> >
> > Could you also let us know what LDAP server you are using?
> >
> > Note that there is a recent patch for Radiator 2.14.1:
> >
> > 7/1/00 Fixed a problem with AuthBy LDAP2, where recent versions
> >        of Net::LDAP do not support ldap_error_message.
> >        Download a new AuthLDAP2.pm from here.
> >
> 
> Thank you for your reply. We have tried the modification yesterday
> evening and it seemed that the situation became worse. What we have done
> were:
> 
> 1. Installed perl-ldap-0.13.tar.gz
>    (perl Makefile.PL; make; make test; no error-> make install)
> 2. Upgraded the AuthLDAP2.pm in perl lib directory.
> 3. Changed radius.cfg so it used  instead of .
> 4. Restarted the server.
> 
> Afterwards we observed the log and the requests and response kept coming
> in, so we thought the change was okay. However, upon further testing with
> radpwtst we found that we got "No Reply" with all three types of requests.
> When we did actual dialup testing, the client timed out even though the log
> said Radiator has sent back both access-accept and accounting-response (our
> NAS here at the local telco was set to grant permission only after receiving
> accounting-response).
> Investigation from telco told us our radius service did not respond from
> time to time. So finally we reverted the configuration to use old LDAP
> service and it started working again (for the time being).
> 
> We are using openldap-1.2.7-2 rpm for redhat6.1 for providing LDAP
> service.
> 
> Thank you very much for your advice in this issue again, in particular I
> would like to know whether we have skipped any steps in changing to the
> LDAP2 module, and why the radpwtst stopped working with the new
> configuration.

We have had numerous reports of problems with openldap. You might try either
University of Michigan LDAP or Netscape's LDAP server, both of which we know to
work quite reliably.

From your description above, I do not understand how Radiator could be sending
both Access-Accept and Accounting-Accept, and still have your telco NAS not
proceeding with the connection. I would like to see a trace 4 debug of both
AuthBy LDAP and LDAP2 showing the differences.

BTW - it is very useful to have both your configuration file (no secrets) and
the trace 4 debug output discussed above when you submit a problem. It makes
it much, much easier to help!

Meanwhile, I will be doing some LDAP testing here shortly (on a Redhat 6.1
system), so I will have some good test results on both openldap and Umich LDAP.

I'll let you know how I get on.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) cisco-avpair and 5300

2000-01-18 Thread Matt Nichols

You have to use virtual profiles in the AS5300.
Usually, you do this by entering the following config

aaa authentication ppp default radius
aaa authorization network default radius
aaa accounting network start-stop radius
virtual-profile aaa
virtual-profile virtual-template 1
!
interface virtual-template 1
ip unnumbered fastethernet 0
encapsulation ppp
!

Doing this will allow you to pass the per-user config onto a virtual access 
interface which will peer from the ip pool you want. Remember that your
virtual-template interface will have to have the same authentication 
information in it as your group-async. Also, be careful not just to put the 
config sample above in, research it and make sure it will not break 
anything. We have been using this config for some months now and it is 
extremely flexible.

This document will help:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcvprof.htm

Hope this helps

Matt

At 11:42 AM 18/01/00 +0530, you wrote:
>Hi
>
>I am consulting for an ISP in India who are using radiator.
>
>They are using a 5300 with two ip pools on the ras.
>
>Now when users dial in, certain users have a particular realm, and so
>drop into a diff authentication realm, the reply
>cisco-avpair = "ip:addr-pool=mypool" is added to this.
>
>After debugging the radius I think that the reply is being sent to the
>box, however the cisco always seems to pick the ip from the first pool
>instead of the one I am telling it to goto.
>
>I have also tried to use FramedGroup item, and again in the radius
>accounting all is fine, but when it gets back through cisco all is
>changed again.
>
>  Has anyone done this kind of a setup with cisco, I have read through
>just about all the docs on the cisco website, but still no luck.
>
>
>  Iqbal
>

---
Matthew Nichols - CCNA
Network / Systems Engineer
HunterLink Pty Ltd
Newcastle NSW Australia
Phone: +61 2 4969 0122  Fax: +61 2 4969 0133
Reply To: [EMAIL PROTECTED]
PGP Public Key: http://moonah.hunterlink.net.au/~matt/pgp/pgpkey.html
HunterLink Web Site: http://www.hunterlink.net.au

