(RADIATOR) Re:

2000-02-09 Thread Hugh Irvine


Hello Kailash -

On Wed, 09 Feb 2000, kailash wrote:
 
 Hello Everybody
 
 I am an ISP and have been using RADIUS for the last 2 years; it is fabulous. Now for the last
5 to 6 days I am facing a problem. My customers are complaining that after they
dial, they sometimes don't see the username and password prompt and also
our welcome message that appears at the start. What can be the problem? I am
using Cisco 2509 and 2511 series routers. Can anybody help me.

The first question is "what has changed?". Have you upgraded the Cisco IOS? It
sounds like the Ciscos are starting PPP by default.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Storing entire radius packet in SQL

2000-02-09 Thread Félix Izquierdo


Hi!

Is it possible to store the entire RADIUS accounting packet in a single SQL blob
field, like a comma or newline separated list?

thanks.

Félix


__
DATAGRAMA SERVICIOS GLOBALES IP
C/ Acer 30   Pho: +34 93 223 00 98
08038 Barcelona ( SPAIN )Fax: +34 93 223 12 66
mailto:[EMAIL PROTECTED]   http://www.datagrama.net
__

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Handler

2000-02-09 Thread Robin Gruyters

Hi,

Because we get garbage usernames, I've used the Handler bit in the config file
(see below):

<Handler User-Name = /\\x/>
    <AuthBy FILE>
        Filename %D/reject-users
    </AuthBy>
</Handler>

<Handler>
    AuthByPolicy ContinueWhileIgnore

    RewriteUsername tr/A-Z/a-z/

    <AuthBy LDAP2>
        Host            hostname
        AuthDN          cn=radius,o=WISH, c=NL
        BaseDN          o=WISH, c=NL
        AuthPassword    encrypted
        UsernameAttr    uid
        PasswordAttr    userPassword

        AddToReply Service-Type = Framed-User,\
            Framed-Protocol = PPP,\
            Framed-IP-Address = 255.255.255.254,\
            Framed-MTU = 1500,\
            Primary-DNS-Server = 212.123.129.68,\
            Secondary-DNS-Server = 212.123.128.16
    </AuthBy>

    <AuthBy LDAP2>
        Host            hostname
        AuthDN          cn=radius,o=WISH, c=NL
        BaseDN          o=WISH, c=NL
        AuthPassword    encrypted
        UsernameAttr    uid
        PasswordAttr    userPassword

        AddToReply Service-Type = Framed-User,\
            Framed-Protocol = PPP,\
            Framed-IP-Address = 255.255.255.254,\
            Framed-MTU = 1500,\
            Primary-DNS-Server = 212.123.129.68,\
            Secondary-DNS-Server = 212.123.128.16
    </AuthBy>
</Handler>

Only the first Handler doesn't really work. Here is a dump:

*** Received from 195.7.137.163 port 1812 
Code:   Access-Request
Identifier: 21
Authentic:  4t18026252168t177148196f\10,20611
Attributes:
User-Name = "1631381881431592352421595176177
o177X22721913015725322324422681561706
2178%228?201141W23728135NssSB135165w147iv138$244z140O255134L152150247209_191224112
160.140239255197241168190147J203223216254239205255229227155201:210154247T2282022
1[218185/(4168|252255|234139P23015011134231239255230131161728y30,$210~230254237n
235i16826X252239255K29176135K139185N2031626cx144%254206254188225iT208"
User-Password = 210;=220139O164a|203176227AT172432m
1452051541371372Z15515730YN11B281
97173320421SJ160O221424{)190L173223)9y152199Kq204234184179)u220K156d*18v144150148
"192172152`3163167205130177133224180229715254147
NAS-IP-Address = 195.7.137.163
NAS-Port = 1299
Acct-Session-Id = "85066624"
Interface-Index = 2555
Supports-Tags = 0
Service-Type = Login
Chassis-Call-Slot = 6
Chassis-Call-Span = 1
Chassis-Call-Channel = 19
Connect-Speed = NONE
Calling-Station-Id = "0478631728"
Called-Station-Id = ""
NAS-Port-Type = Async

Wed Feb  9 18:22:39 2000: DEBUG: Check if Handler User-Name = /\\x/ should be
used to handle this request
Wed Feb  9 18:22:39 2000: DEBUG: Check if Handler  should be used to handle this
request
Wed Feb  9 18:22:39 2000: DEBUG: Handling request with Handler ''
Wed Feb  9 18:22:39 2000: DEBUG: Rewrote user name to
\xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1x\xe3\xdb\x82\x9d\xfd\xdf\xf4\x
e28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dw\xed^\\x87nsssb\x87\xa5w\x93iv\x8a$\xf4z\x8co\xff\x86l\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\x
ff\xc5\xf1\xa8\xbe\x93j\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7t\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bp\xe6\
x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^Zx\xfc\xef\xffk^]\xb0\x87k\x8b\xb9n\xcb\xa26cx\x90%\xfe\xce\xf
e\xbc\xe1it\xd0
Wed Feb  9 18:22:39 2000: DEBUG:  Deleting session for
\xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1X\xe3\xdb\x82\x9d\xfd\xdf\xf4\
xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dW\xed^\\x87NssSB\x87\xa5w\x93iv\x8a$\xf4z\x8cO\xff\x86L\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\
xff\xc5\xf1\xa8\xbe\x93J\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7T\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bP\xe6
\x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^ZX\xfc\xef\xffK^]\xb0\x87K\x8b\xb9N\xcb\xa26cx\x90%\xfe\xce\x
fe\xbc\xe1iT\xd0, 195.7.137.163, 1299
Wed Feb  9 18:22:39 2000: DEBUG: Handling with Radius::AuthLDAP2
Wed Feb  9 18:22:39 2000: DEBUG: Connecting to lrad.inside.servers, port 389
Wed Feb  9 18:25:11 2000: DEBUG: Reading users file /etc/raddb/reject-users
Wed Feb  9 18:25:12 2000: INFO: Server started

It says that it is reading /etc/raddb/reject-users, but you also see that it
tries to contact the LDAP server.

Why?


Owya, this is what the reject-users file contains:

DEFAULT Auth-Type = Reject


-- 
Regards,

 Robin Gruyters - SYS/B.O.F.H. - [EMAIL PROTECTED] - http://www.phear.nl
 RIPE nic-hdl: RG3771-RIPE   http://www.ripe.net/cgi-bin/whois?AS9133
 WISH Worldwide Websites B.V. PGP key ID DEB8C991
  Tel: +31(0)413242500 - Fax: +31(0)413332281 - http://www.wish.net/
  -- System 
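The following is an added Python illustration, not Radiator's code and not part of Robin's post, of why a Handler check item of /\\x/ can fall through to the catch-all Handler on a User-Name like the one in the dump: the debug log renders non-printable bytes as \xNN escapes, but the check item is evaluated against the raw attribute bytes, which contain no literal backslash followed by x. The sample name is constructed from the first bytes of the logged value; the non-printable-byte check, the handler table and the function names are this example's own and are not Radiator syntax.

```python
"""Why a Handler check of /\\x/ never fires on a binary User-Name, and a
byte-level check that does. Added illustration for this thread, not Radiator code."""
import re
from typing import Callable, List, Tuple

# The debug log shows non-printable bytes as \xNN; the raw attribute holds the
# bytes themselves and never the two characters '\' and 'x'.
LITERAL_BACKSLASH_X = re.compile(rb"\\x")
NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")   # anything outside printable ASCII

# Constructed sample: the first bytes of the User-Name from the debug dump,
# turned back from the log's \xNN escapes into the raw bytes the server saw.
GARBAGE_NAME = b"\xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1X"
GOOD_NAME = b"rgruyters"   # constructed ordinary login name


def log_escape(raw: bytes) -> str:
    """Render bytes the way the debug log does: printable ASCII kept, rest as \\xNN."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else f"\\x{b:02x}" for b in raw)


def matches_literal_backslash_x(raw: bytes) -> bool:
    """What the pattern /\\x/ actually tests when applied to the raw value."""
    return LITERAL_BACKSLASH_X.search(raw) is not None


def is_garbage_username(raw: bytes) -> bool:
    """Defensive check: any byte outside printable ASCII marks the name as garbage."""
    return NON_PRINTABLE.search(raw) is not None


# Ordered handler table mirroring "first matching Handler wins"; the catch-all
# has no check item, so it always matches. Names are this example's own.
HANDLERS: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("reject-garbage", is_garbage_username),
    ("ldap", lambda raw: True),
]


def select_handler(raw: bytes) -> str:
    """Return the name of the first handler whose predicate accepts the name."""
    for name, pred in HANDLERS:
        if pred(raw):
            return name
    raise AssertionError("unreachable: the catch-all handler always matches")


if __name__ == "__main__":
    for name in (GARBAGE_NAME, GOOD_NAME):
        print(f"User-Name as logged : {log_escape(name)}")
        print(f"  raw matches /\\\\x/ : {matches_literal_backslash_x(name)}")
        print(f"  non-printable bytes: {is_garbage_username(name)}")
        print(f"  handler selected   : {select_handler(name)}")
```

Running it shows the escaped rendering of the garbage name would match /\\x/ while the raw bytes do not, which is consistent with the log falling through to the unnamed Handler; the byte-class check routes the same name to the reject handler and leaves an ordinary login name alone.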

(RADIATOR) Question regarding DupInterval

2000-02-09 Thread Christophe Wolfhugel

From the documentation, DupInterval is applied to the client, ie the
host sending the request, eventually an intermediate proxy.

From reading the Client.pm source code I see the following:

$self->{RecentIdentifiers}->{$nas_id . $code}[$p->identifier]

$nas_id is there supposed to be the NAS-IP-Address, or if not
available NAS-Identifier, which is possibly not the proxy. Only
if none of these attributes are present will $nas_id contain the IP
address of the Client. The $code identifies the type of request, so
on a standard setup that gives a 256-packet history for each kind of
request.

If my understanding is correct this is somewhat different from what
the documentation as well as the comment at the beginning of Client.pm
say.

Now let's go to my particular situation: I have a central accounting Radius
server which gets all accounting packets from the proxies. Whenever this
machine gets really odd (or just out of CPU) the proxies start doing
retransmissions, and then the NASes also start retransmitting (via
a different proxy). By having a really high DupInterval (19) on this
accounting Radius I reduce the number of duplicate records in the
accounting files on that machine, but my clients won't get their
Accounting-Accept because Radiator believes it comes from the same client.

I would conclude that my design is wrong and that I should reduce the
DupInterval on the accounting Radius a lot and have the scripts which
handle the accounting files eliminate the duplicates. Can
someone more knowledgeable confirm to me that this is the way I should go?

-- 
Christophe Wolfhugel  -+-  [EMAIL PROTECTED]  -+-  France Telecom Oleane

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) OFF TOPIC: authentication for large-scale internet mail applications

2000-02-09 Thread John Coy

Oh, I want to clarify that we're *not* on NT -- I'm using
Sun Solaris boxes (2.5.1 and 2.6) for RADIUS, sendmail, and
POP3 services.


At 08:17 AM 2/9/00 +0100, [EMAIL PROTECTED] wrote:
On Tue, Feb 08, 2000 at 06:53:30PM -0600, John Coy wrote:
  use Radiator for dial-up authentication.  I was wondering if
  there are solutions out there which integrate Radius (or LDAP,
  or whatever is the appropriate piece) along with Sendmail and
  POP3 services.  What I'm looking for is a way to distribute e-mail
  systems across multiple servers with a common authentication (and user
  directory) scheme.

We're using Radiator with MySQL and qmail with a virtual domain add-on
(www.inter7.com/vpopmail) that uses the same MySQL database to store users
for receiving mail and authorizing POP. It shouldn't be a problem to use
vpopmail on more servers...
If you want to stick to NT... if I'm not mistaken, Exchange supports LDAP
and so does Radiator...

Ricardo.


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) OFF TOPIC: authentication for large-scale internetmail applications

2000-02-09 Thread Aaron Holtz

I believe Solaris 7 and 8 support ldap as a name service switch. Hence,
any system calls (getpwnam, getspnam, etc.) are passed to ldap and then to
anything else you've specified in /etc/nsswitch.conf   

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Feb 9, John Coy molded the electrons to say

Oh, I want to clarify that we're *not* on NT -- I'm using
Sun Solaris boxes (2.5.1 and 2.6) for RADIUS, sendmail, and
POP3 services.


At 08:17 AM 2/9/00 +0100, [EMAIL PROTECTED] wrote:
On Tue, Feb 08, 2000 at 06:53:30PM -0600, John Coy wrote:
  use Radiator for dial-up authentication.  I was wondering if
  there are solutions out there which integrate Radius (or LDAP,
  or whatever is the appropriate piece) along with Sendmail and
  POP3 services.  What I'm looking for is a way to distribute e-mail
  systems across multiple servers with a common authentication (and user
  directory) scheme.

We're using Radiator with MySQL and qmail with a virtual domain add-on
(www.inter7.com/vpopmail) that uses the same MySQL database to store users
for receiving mail and authorizing POP. It shouldn't be a problem to use
vpopmail on more servers...
If you want to stick to NT... if I'm not mistaken, Exchange supports LDAP
and so does Radiator...

Ricardo.


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Question regarding DupInterval

2000-02-09 Thread Mike McCauley

Hi Christophe,

My advice is to reduce the DupInterval to something like 2 seconds. It is
really only intended to catch genuine duplicate packets (ie packets sent along
duplicate parallel network paths, or from some other pathological network
problem). It's really not supposed to catch _retransmissions_ by the NAS. As you
have found, when it starts to catch _retransmissions_ (as opposed to
duplicates), you start to have problems.

Hope that helps.
Cheers.

On Feb 9,  8:35pm, Christophe Wolfhugel wrote:
 Subject: (RADIATOR) Question regarding DupInterval
 From the documentation, DupInterval is applied to the client, ie the
 host sending the request, eventually an intermediate proxy.

 From reading the Client.pm source code I see the following:

   $self->{RecentIdentifiers}->{$nas_id . $code}[$p->identifier]

 $nas_id is there supposed to be the NAS-IP-Address, or if not
 available NAS-Identifier, which is possibly not the proxy. Only
 if none of these attributes are present will $nas_id contain the IP
 address of the Client. The $code identifies the type of request, so
 on a standard setup that gives a 256-packet history for each kind of
 request.

 If my understanding is correct this is somewhat different from what
 the documentation as well as the comment at the beginning of Client.pm
 say.

 Now let's go to my particular situation: I have a central accounting Radius
 server which gets all accounting packets from the proxies. Whenever this
 machine gets really odd (or just out of CPU) the proxies start doing
 retransmissions, and then the NASes also start retransmitting (via
 a different proxy). By having a really high DupInterval (19) on this
 accounting Radius I reduce the number of duplicate records in the
 accounting files on that machine, but my clients won't get their
 Accounting-Accept because Radiator believes it comes from the same client.

 I would conclude that my design is wrong and that I should reduce the
 DupInterval on the accounting Radius a lot and have the scripts which
 handle the accounting files eliminate the duplicates. Can
 someone more knowledgeable confirm to me that this is the way I should go?

 --
 Christophe Wolfhugel  -+-  [EMAIL PROTECTED]  -+-  France Telecom Oleane

 ===
 Archive at http://www.thesite.com.au/~radiator/
 To unsubscribe, email '[EMAIL PROTECTED]' with
 'unsubscribe radiator' in the body of the message.
-- End of excerpt from Christophe Wolfhugel



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
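As an added illustration of the mechanism discussed in Christophe's question and Mike's reply above (example code written for this archive page, not Radiator's Client.pm), the Python below models a duplicate cache keyed the way the question describes it: per (NAS id, request code), one slot per 8-bit identifier, with a request counted as a duplicate when the same key was seen less than DupInterval seconds earlier. The NAS id precedence (NAS-IP-Address, then NAS-Identifier, then the sending client's address) follows the post; the addresses, timings and the drop-on-duplicate behaviour are constructed for the simulation, and the real Client.pm may differ in detail.

```python
"""Model of DupInterval-style duplicate detection keyed as the thread describes:
(NAS id, request code) -> 256 identifiers. Added illustration, not Radiator code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request


@dataclass
class Request:
    source_ip: str                         # UDP source: the NAS or the proxy that forwarded it
    code: int                              # RADIUS packet code
    identifier: int                        # 8-bit packet identifier (0..255)
    t: float                               # arrival time in seconds (constructed)
    nas_ip: Optional[str] = None           # NAS-IP-Address attribute, if present
    nas_identifier: Optional[str] = None   # NAS-Identifier attribute, if present


def nas_id(req: Request) -> str:
    """Key precedence as described in the post: NAS-IP-Address, then
    NAS-Identifier, then the address the packet actually came from."""
    return req.nas_ip or req.nas_identifier or req.source_ip


class DupCache:
    """Remembers, per (nas_id, code), when each identifier was last seen."""

    def __init__(self, dup_interval: float) -> None:
        self.dup_interval = dup_interval
        self.recent: Dict[Tuple[str, int], Dict[int, float]] = {}

    def is_duplicate(self, req: Request) -> bool:
        if not 0 <= req.identifier <= 255:
            raise ValueError("RADIUS identifier is a single byte")
        seen = self.recent.setdefault((nas_id(req), req.code), {})
        last = seen.get(req.identifier)
        seen[req.identifier] = req.t   # modelling choice: refresh on every sighting
        return last is not None and (req.t - last) < self.dup_interval


def simulate(dup_interval: float) -> List[Tuple[str, str]]:
    """Replay the retransmission storm from the post against one cache setting.
    Addresses and times are constructed for the example."""
    nas = "192.0.2.10"
    proxy_a, proxy_b = "10.0.0.1", "10.0.0.2"
    events = [
        ("first copy via proxy A",
         Request(proxy_a, ACCOUNTING_REQUEST, 5, 0.0, nas_ip=nas)),
        ("proxy A retransmits (server slow)",
         Request(proxy_a, ACCOUNTING_REQUEST, 5, 1.0, nas_ip=nas)),
        ("NAS retransmits via proxy B",
         Request(proxy_b, ACCOUNTING_REQUEST, 5, 10.0, nas_ip=nas)),
        ("identifier 5 reused much later",
         Request(proxy_b, ACCOUNTING_REQUEST, 5, 40.0, nas_ip=nas)),
    ]
    cache = DupCache(dup_interval)
    return [(label, "dropped as duplicate" if cache.is_duplicate(r) else "processed")
            for label, r in events]


if __name__ == "__main__":
    for interval in (19.0, 2.0):
        print(f"DupInterval {interval:g}")
        for label, outcome in simulate(interval):
            print(f"  {label:36s} -> {outcome}")
```

Because the key is the NAS's own address rather than the proxy's, the copy relayed through a second proxy ten seconds later is swallowed with DupInterval 19 and that proxy never gets an accounting reply, which is the symptom in the question; with DupInterval 2 only the near-simultaneous repeat is dropped and the later retransmission is answered, leaving the duplicate accounting record for post-processing to remove.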



(RADIATOR) Re: Handler

2000-02-09 Thread Hugh Irvine


Hello Robin -

On Thu, 10 Feb 2000, Robin Gruyters wrote:
 Hi,
 
 Because we get garbage usernames, I've used the Handler bit in the config file
 (see below):
 
 <Handler User-Name = /\\x/>
     <AuthBy FILE>
         Filename %D/reject-users
     </AuthBy>
 </Handler>

 <Handler>
     AuthByPolicy ContinueWhileIgnore

     RewriteUsername tr/A-Z/a-z/

     <AuthBy LDAP2>
         Host            hostname
         AuthDN          cn=radius,o=WISH, c=NL
         BaseDN          o=WISH, c=NL
         AuthPassword    encrypted
         UsernameAttr    uid
         PasswordAttr    userPassword

         AddToReply Service-Type = Framed-User,\
             Framed-Protocol = PPP,\
             Framed-IP-Address = 255.255.255.254,\
             Framed-MTU = 1500,\
             Primary-DNS-Server = 212.123.129.68,\
             Secondary-DNS-Server = 212.123.128.16
     </AuthBy>

     <AuthBy LDAP2>
         Host            hostname
         AuthDN          cn=radius,o=WISH, c=NL
         BaseDN          o=WISH, c=NL
         AuthPassword    encrypted
         UsernameAttr    uid
         PasswordAttr    userPassword

         AddToReply Service-Type = Framed-User,\
             Framed-Protocol = PPP,\
             Framed-IP-Address = 255.255.255.254,\
             Framed-MTU = 1500,\
             Primary-DNS-Server = 212.123.129.68,\
             Secondary-DNS-Server = 212.123.128.16
     </AuthBy>
 </Handler>
 
 Only the first Handler doesn't really work. Here is a dump:
 
 *** Received from 195.7.137.163 port 1812 
 Code:   Access-Request
 Identifier: 21
 Authentic:  4t18026252168t177148196f\10,20611
 Attributes:
 User-Name = "1631381881431592352421595176177
 o177X22721913015725322324422681561706
 
2178%228?201141W23728135NssSB135165w147iv138$244z140O255134L152150247209_191224112
 
160.140239255197241168190147J203223216254239205255229227155201:210154247T2282022
 
1[218185/(4168|252255|234139P23015011134231239255230131161728y30,$210~230254237n
 
235i16826X252239255K29176135K139185N2031626cx144%254206254188225iT208"
 User-Password = 210;=220139O164a|203176227AT172432m
 1452051541371372Z15515730YN11B281
 
97173320421SJ160O221424{)190L173223)9y152199Kq204234184179)u220K156d*18v144150148
 "192172152`3163167205130177133224180229715254147
 NAS-IP-Address = 195.7.137.163
 NAS-Port = 1299
 Acct-Session-Id = "85066624"
 Interface-Index = 2555
 Supports-Tags = 0
 Service-Type = Login
 Chassis-Call-Slot = 6
 Chassis-Call-Span = 1
 Chassis-Call-Channel = 19
 Connect-Speed = NONE
 Calling-Station-Id = "0478631728"
 Called-Station-Id = ""
 NAS-Port-Type = Async
 
 Wed Feb  9 18:22:39 2000: DEBUG: Check if Handler User-Name = /\\x/ should be
 used to handle this request
 Wed Feb  9 18:22:39 2000: DEBUG: Check if Handler  should be used to handle this
 request
 Wed Feb  9 18:22:39 2000: DEBUG: Handling request with Handler ''
 Wed Feb  9 18:22:39 2000: DEBUG: Rewrote user name to
 \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1x\xe3\xdb\x82\x9d\xfd\xdf\xf4\x
 
e28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dw\xed^\\x87nsssb\x87\xa5w\x93iv\x8a$\xf4z\x8co\xff\x86l\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\x
 
ff\xc5\xf1\xa8\xbe\x93j\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7t\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bp\xe6\
 
x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^Zx\xfc\xef\xffk^]\xb0\x87k\x8b\xb9n\xcb\xa26cx\x90%\xfe\xce\xf
 e\xbc\xe1it\xd0
 Wed Feb  9 18:22:39 2000: DEBUG:  Deleting session for
 \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1X\xe3\xdb\x82\x9d\xfd\xdf\xf4\
 
xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dW\xed^\\x87NssSB\x87\xa5w\x93iv\x8a$\xf4z\x8cO\xff\x86L\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\
 
xff\xc5\xf1\xa8\xbe\x93J\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7T\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bP\xe6
 
\x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^ZX\xfc\xef\xffK^]\xb0\x87K\x8b\xb9N\xcb\xa26cx\x90%\xfe\xce\x
 fe\xbc\xe1iT\xd0, 195.7.137.163, 1299
 Wed Feb  9 18:22:39 2000: DEBUG: Handling with Radius::AuthLDAP2
 Wed Feb  9 18:22:39 2000: DEBUG: Connecting to lrad.inside.servers, port 389
 Wed Feb  9 18:25:11 2000: DEBUG: Reading users file /etc/raddb/reject-users
 Wed Feb  9 18:25:12 2000: INFO: Server started
 
 It says that it is reading /etc/raddb/reject-users, but you also see that it
 tries to contact the LDAP server.
 
 Why?
 
 
 Owya, this is what the reject-users file contains:
 
 DEFAULT Auth-Type = Reject
 

This actually looks like Radiator is restarting at 18:25:11 - why is that? Did
you send it a kill signal? or are you using