(RADIATOR) Re:
Hello Kailash -

On Wed, 09 Feb 2000, kailash wrote:

> Hello Everybody,
>
> I am an ISP and have been using Radius for the last 2 years; it is fabulous. Now, for the last 5 to 6 days, I have been facing a problem. My customers are complaining that after they dial, they sometimes don't see the username and password prompt, and also not our welcome message that appears at the start. What can be the problem? I am using Cisco 2509 and 2511 series routers. Can anybody help me?

The first question is "what has changed?". Have you upgraded the Cisco IOS?

It sounds like the Ciscos are starting PPP by default.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Storing entire radius packet in SQL
Hi!

Is it possible to store the entire radius accounting packet in a single SQL blob field, like a comma- or newline-separated list?

Thanks.

Félix
__
DATAGRAMA SERVICIOS GLOBALES IP
C/ Acer 30                    Pho: +34 93 223 00 98
08038 Barcelona ( SPAIN )     Fax: +34 93 223 12 66
mailto:[EMAIL PROTECTED]
http://www.datagrama.net
__
(RADIATOR) Handler
Hi,

Because we get garbage usernames, I've used the handler bit in the config file (see below):

<Handler User-Name = /\\x/>
        <AuthBy FILE>
                Filename %D/reject-users
        </AuthBy>
</Handler>

<Handler>
        AuthByPolicy ContinueWhileIgnore
        RewriteUsername tr/A-Z/a-z/
        <AuthBy LDAP2>
                Host hostname
                AuthDN cn=radius,o=WISH, c=NL
                BaseDN o=WISH, c=NL
                AuthPassword encrypted
                UsernameAttr uid
                PasswordAttr userPassword
                AddToReply Service-Type = Framed-User,\
                        Framed-Protocol = PPP,\
                        Framed-IP-Address = 255.255.255.254,\
                        Framed-MTU = 1500,\
                        Primary-DNS-Server = 212.123.129.68, \
                        Secondary-DNS-Server = 212.123.128.16
        </AuthBy>
        <AuthBy LDAP2>
                Host hostname
                AuthDN cn=radius,o=WISH, c=NL
                BaseDN o=WISH, c=NL
                AuthPassword encrypted
                UsernameAttr uid
                PasswordAttr userPassword
                AddToReply Service-Type = Framed-User,\
                        Framed-Protocol = PPP,\
                        Framed-IP-Address = 255.255.255.254,\
                        Framed-MTU = 1500,\
                        Primary-DNS-Server = 212.123.129.68, \
                        Secondary-DNS-Server = 212.123.128.16
        </AuthBy>
</Handler>

Only the first handler doesn't really work. Here is a dump:

*** Received from 195.7.137.163 port 1812
Code:       Access-Request
Identifier: 21
Authentic:  4t18026252168t177148196f\10,20611
Attributes:
        User-Name = "1631381881431592352421595176177 o177X22721913015725322324422681561706 2178%228?201141W23728135NssSB135165w147iv138$244z140O255134L152150247209_191224112 160.140239255197241168190147J203223216254239205255229227155201:210154247T2282022 1[218185/(4168|252255|234139P23015011134231239255230131161728y30,$210~230254237n 235i16826X252239255K29176135K139185N2031626cx144%254206254188225iT208"
        User-Password = 210;=220139O164a|203176227AT172432m 1452051541371372Z15515730YN11B281 97173320421SJ160O221424{)190L173223)9y152199Kq204234184179)u220K156d*18v144150148 "192172152`3163167205130177133224180229715254147
        NAS-IP-Address = 195.7.137.163
        NAS-Port = 1299
        Acct-Session-Id = "85066624"
        Interface-Index = 2555
        Supports-Tags = 0
        Service-Type = Login
        Chassis-Call-Slot = 6
        Chassis-Call-Span = 1
        Chassis-Call-Channel = 19
        Connect-Speed = NONE
        Calling-Station-Id = "0478631728"
        Called-Station-Id = ""
        NAS-Port-Type = Async

Wed Feb 9 18:22:39 2000: DEBUG: Check if Handler User-Name = /\\x/ should be used to handle this request
Wed Feb 9 18:22:39 2000: DEBUG: Check if Handler should be used to handle this request
Wed Feb 9 18:22:39 2000: DEBUG: Handling request with Handler ''
Wed Feb 9 18:22:39 2000: DEBUG: Rewrote user name to \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1x\xe3\xdb\x82\x9d\xfd\xdf\xf4\xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dw\xed^\\x87nsssb\x87\xa5w\x93iv\x8a$\xf4z\x8co\xff\x86l\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\xff\xc5\xf1\xa8\xbe\x93j\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7t\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bp\xe6\x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^Zx\xfc\xef\xffk^]\xb0\x87k\x8b\xb9n\xcb\xa26cx\x90%\xfe\xce\xfe\xbc\xe1it\xd0
Wed Feb 9 18:22:39 2000: DEBUG: Deleting session for \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1X\xe3\xdb\x82\x9d\xfd\xdf\xf4\xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dW\xed^\\x87NssSB\x87\xa5w\x93iv\x8a$\xf4z\x8cO\xff\x86L\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\xff\xc5\xf1\xa8\xbe\x93J\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7T\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bP\xe6\x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^ZX\xfc\xef\xffK^]\xb0\x87K\x8b\xb9N\xcb\xa26cx\x90%\xfe\xce\xfe\xbc\xe1iT\xd0, 195.7.137.163, 1299
Wed Feb 9 18:22:39 2000: DEBUG: Handling with Radius::AuthLDAP2
Wed Feb 9 18:22:39 2000: DEBUG: Connecting to lrad.inside.servers, port 389
Wed Feb 9 18:25:11 2000: DEBUG: Reading users file /etc/raddb/reject-users
Wed Feb 9 18:25:12 2000: INFO: Server started

It says that it is reading /etc/raddb/reject-users, but you also see that it tries to contact the LDAP server. Why?

Oh yeah, this is what the reject-users file contains:

DEFAULT Auth-Type = Reject

--
Regards,
Robin Gruyters - SYS/B.O.F.H. - [EMAIL PROTECTED] - http://www.phear.nl
RIPE nic-hdl: RG3771-RIPE  http://www.ripe.net/cgi-bin/whois?AS9133
WISH Worldwide Websites B.V.  PGP key ID DEB8C991
Tel: +31(0)413242500 - Fax: +31(0)413332281 - http://www.wish.net/
-- System
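An added illustration of what the first Handler's check item actually tests (this is example code, not part of Robin's post and not Radiator's own code). Assuming the pattern is handed to Perl as written, `/\\x/` matches the two literal characters backslash and x; the `\xNN` sequences in the debug log are only how Radiator displays raw non-ASCII bytes. The Python below, which assumes Python's `re` reads `\\x` the same way, builds a constructed byte-string username, renders it the way the log does, applies the literal pattern, and then applies a check on the raw bytes that does flag non-printable characters, which is the property a "garbage username" rule usually wants:

```python
import re

# Constructed sample resembling the raw User-Name bytes that the debug log above
# displays in \xNN form (this is a made-up value, not the one from the dump).
GARBAGE_USERNAME = b"\xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1x"
CLEAN_USERNAME = b"jdoe"

# The Handler check item as a regex: a literal backslash followed by the letter x.
# Python's re treats rb"\\x" the same way Perl treats /\\x/ (assumption stated in the lead-in).
LITERAL_BACKSLASH_X = re.compile(rb"\\x")


def log_display(username: bytes) -> str:
    """Render raw bytes the way a debug log does: non-ASCII bytes become \\xNN text."""
    return username.decode("latin-1").encode("unicode_escape").decode("ascii")


def matches_literal_backslash_x(username: bytes) -> bool:
    """True only if the raw username contains the two characters '\\' and 'x'."""
    return LITERAL_BACKSLASH_X.search(username) is not None


def is_garbage(username: bytes) -> bool:
    """True if any byte falls outside printable ASCII (0x20..0x7e).

    Assumes this site's usernames are plain ASCII; a site with UTF-8 usernames
    would need a different definition of 'printable'.
    """
    return any(b < 0x20 or b > 0x7e for b in username)


def classify(username: bytes) -> str:
    """Decision a reject handler would make on the raw bytes: 'reject' or 'pass'."""
    return "reject" if is_garbage(username) else "pass"


if __name__ == "__main__":
    for name in (GARBAGE_USERNAME, CLEAN_USERNAME):
        print(f"log shows      : {log_display(name)}")
        print(f"/\\\\x/ matches  : {matches_literal_backslash_x(name)}")
        print(f"garbage check  : {classify(name)}")
```

The point is that the literal pattern never fires on the binary username even though the log line is full of `\x`, so the request falls through to the second Handler; a byte-range test on the raw value is what distinguishes the two cases.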
(RADIATOR) Question regarding DupInterval
From the documentation, DupInterval is applied to the client, i.e. the host sending the request, possibly an intermediate proxy.

From reading the Client.pm source code I see the following:

        $self->{RecentIdentifiers}->{$nas_id . $code}[$p->identifier]

$nas_id there is supposed to be the NAS-IP-Address, or if not available NAS-Identifier, which is possibly not the proxy. Only if none of these attributes are present will $nas_id contain the IP address of the Client.

The $code identifies the type of request, so on a standard setup that gives a 256-packet history for each kind of request.

If my understanding is correct this is somewhat different from what the documentation as well as the comment at the beginning of Client.pm say.

Now let's go to my particular situation: I have a central accounting Radius server which gets all accounting packets from the proxies. Whenever this machine gets really odd (or just out of CPU) the proxies start doing retransmissions, and then the NASes also start retransmitting (via a different proxy).

By having a really high DupInterval (19) on this accounting Radius I reduce the number of duplicate records in the accounting files on that machine, but my clients won't get their Accounting-Accept because Radiator believes it comes from the same client.

I would conclude that my design is wrong and that I should reduce the DupInterval on the accounting Radius a lot and have the scripts which handle the accounting files eliminate the duplicates.

Can someone more knowledgeable confirm that this is the way I should go?

--
Christophe Wolfhugel -+- [EMAIL PROTECTED] -+- France Telecom Oleane
Re: (RADIATOR) OFF TOPIC: authentication for large-scale internet mail applications
Oh, I want to clarify that we're *not* on NT -- I'm using Sun Solaris boxes (2.5.1 and 2.6) for RADIUS, sendmail, and POP3 services.

At 08:17 AM 2/9/00 +0100, [EMAIL PROTECTED] wrote:
> On Tue, Feb 08, 2000 at 06:53:30PM -0600, John Coy wrote:
> > use Radiator for dial-up authentication. I was wondering if there are solutions out there which integrate Radius (or LDAP, or whatever is the appropriate piece) along with Sendmail and POP3 services. What I'm looking for is a way to distribute e-mail systems across multiple servers with a common authentication (and user directory) scheme.
>
> We're using Radiator with MySQL and qmail with a virtual domain addon (www.inter7.com/vpopmail) that uses the same MySQL database to store users for receiving mail and authorizing POP. It shouldn't be a problem to use vpopmail on more servers...
>
> If you want to stick to NT... if I'm not mistaken, Exchange supports LDAP and so does Radiator...
>
> Ricardo.
Re: (RADIATOR) OFF TOPIC: authentication for large-scale internetmail applications
I believe Solaris 7 and 8 support LDAP as a name service switch. Hence, any system calls (getpwnam, getspnam, etc.) are passed to LDAP and then to anything else you've specified in /etc/nsswitch.conf.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Feb 9, John Coy molded the electrons to say
> Oh, I want to clarify that we're *not* on NT -- I'm using Sun Solaris boxes (2.5.1 and 2.6) for RADIUS, sendmail, and POP3 services.
>
> At 08:17 AM 2/9/00 +0100, [EMAIL PROTECTED] wrote:
> > On Tue, Feb 08, 2000 at 06:53:30PM -0600, John Coy wrote:
> > > use Radiator for dial-up authentication. I was wondering if there are solutions out there which integrate Radius (or LDAP, or whatever is the appropriate piece) along with Sendmail and POP3 services. What I'm looking for is a way to distribute e-mail systems across multiple servers with a common authentication (and user directory) scheme.
> >
> > We're using Radiator with MySQL and qmail with a virtual domain addon (www.inter7.com/vpopmail) that uses the same MySQL database to store users for receiving mail and authorizing POP. It shouldn't be a problem to use vpopmail on more servers...
> >
> > If you want to stick to NT... if I'm not mistaken, Exchange supports LDAP and so does Radiator...
> >
> > Ricardo.
Re: (RADIATOR) Question regarding DupInterval
Hi Christophe,

My advice is to reduce the DupInterval to something like 2 seconds. It is really only intended to catch genuine duplicate packets (i.e. packets sent along duplicate parallel network paths, or from some other pathological network problem). It's really not supposed to catch _retransmissions_ by the NAS. As you have found, when it starts to catch _retransmissions_ (as opposed to duplicates), you start to have problems.

Hope that helps.

Cheers.

On Feb 9, 8:35pm, Christophe Wolfhugel wrote:
> Subject: (RADIATOR) Question regarding DupInterval
>
> From the documentation, DupInterval is applied to the client, i.e. the host sending the request, possibly an intermediate proxy.
>
> From reading the Client.pm source code I see the following:
>
>         $self->{RecentIdentifiers}->{$nas_id . $code}[$p->identifier]
>
> $nas_id there is supposed to be the NAS-IP-Address, or if not available NAS-Identifier, which is possibly not the proxy. Only if none of these attributes are present will $nas_id contain the IP address of the Client.
>
> The $code identifies the type of request, so on a standard setup that gives a 256-packet history for each kind of request.
>
> If my understanding is correct this is somewhat different from what the documentation as well as the comment at the beginning of Client.pm say.
>
> Now let's go to my particular situation: I have a central accounting Radius server which gets all accounting packets from the proxies. Whenever this machine gets really odd (or just out of CPU) the proxies start doing retransmissions, and then the NASes also start retransmitting (via a different proxy).
>
> By having a really high DupInterval (19) on this accounting Radius I reduce the number of duplicate records in the accounting files on that machine, but my clients won't get their Accounting-Accept because Radiator believes it comes from the same client.
>
> I would conclude that my design is wrong and that I should reduce the DupInterval on the accounting Radius a lot and have the scripts which handle the accounting files eliminate the duplicates.
>
> Can someone more knowledgeable confirm that this is the way I should go?
>
> --
> Christophe Wolfhugel -+- [EMAIL PROTECTED] -+- France Telecom Oleane
-- End of excerpt from Christophe Wolfhugel

--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
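A small model of the duplicate check as Christophe reads it from the Client.pm excerpt, and of why Mike's advice to keep DupInterval short matters. This is an added example written for this thread, not Radiator's code: the key is (NAS id, request code), the NAS id is taken from NAS-IP-Address, then NAS-Identifier, and only then from the sending client's address, and a packet whose identifier was seen under that key less than DupInterval seconds ago is treated as a duplicate and ignored. The scenarios, addresses and times are constructed; the `replay` helper and the two event lists are assumptions of the example:

```python
# Added illustration of per-client duplicate detection keyed the way the
# Client.pm excerpt above suggests; not Radiator's own implementation.


class DuplicateDetector:
    """Remember recent RADIUS identifiers per (nas_id, code) for dup_interval seconds."""

    def __init__(self, dup_interval):
        self.dup_interval = dup_interval   # seconds, like the DupInterval parameter
        self.recent = {}                   # (nas_id, code) -> {identifier: last_seen}

    @staticmethod
    def nas_id(attrs, client_addr):
        # Prefer NAS-IP-Address, then NAS-Identifier; fall back to the sending
        # client's address only if neither attribute is present. A retransmission
        # relayed through a different proxy therefore still maps to the same NAS.
        return attrs.get("NAS-IP-Address") or attrs.get("NAS-Identifier") or client_addr

    def is_duplicate(self, code, identifier, attrs, client_addr, now):
        """True if this (NAS, code, identifier) was seen less than dup_interval ago."""
        assert 0 <= identifier <= 255      # one-octet identifier: 256 slots per key
        key = (self.nas_id(attrs, client_addr), code)
        table = self.recent.setdefault(key, {})
        last_seen = table.get(identifier)
        table[identifier] = now
        return last_seen is not None and (now - last_seen) < self.dup_interval


def replay(dup_interval, events):
    """Feed (time, client_addr) arrivals of one accounting packet; return per-arrival verdicts.

    A True verdict means the server would ignore the packet and send no accounting
    response, which is exactly what the NAS behind the proxy then times out on.
    """
    det = DuplicateDetector(dup_interval)
    attrs = {"NAS-IP-Address": "192.0.2.10", "Acct-Session-Id": "0001"}   # constructed
    return [det.is_duplicate("Accounting-Request", 42, attrs, addr, t) for t, addr in events]


# Constructed scenarios mirroring the thread:
# 1. the NAS gives up on proxy A after 3 s and retransmits through proxy B
RETRANSMIT_VIA_OTHER_PROXY = [(0.0, "10.0.0.1"), (3.0, "10.0.0.2")]
# 2. a genuine network duplicate: the same packet arrives twice within half a second
NETWORK_DUPLICATE = [(0.0, "10.0.0.1"), (0.5, "10.0.0.1")]

if __name__ == "__main__":
    for interval in (19, 2):
        print(f"DupInterval {interval:2d}: retransmit -> {replay(interval, RETRANSMIT_VIA_OTHER_PROXY)}"
              f", network dup -> {replay(interval, NETWORK_DUPLICATE)}")
```

With DupInterval 19 the retransmission through the second proxy is swallowed (its NAS id and identifier are unchanged), so the NAS never gets its response; with DupInterval 2 only the sub-second network duplicate is swallowed, and the retransmission is processed and answered, leaving any double record to be reconciled from the accounting file afterwards.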
(RADIATOR) Re: Handler
Hello Robin -

On Thu, 10 Feb 2000, Robin Gruyters wrote:

> Hi,
>
> Because we get garbage usernames, I've used the handler bit in the config file (see below):
>
> <Handler User-Name = /\\x/>
>         <AuthBy FILE>
>                 Filename %D/reject-users
>         </AuthBy>
> </Handler>
>
> <Handler>
>         AuthByPolicy ContinueWhileIgnore
>         RewriteUsername tr/A-Z/a-z/
>         <AuthBy LDAP2>
>                 Host hostname
>                 AuthDN cn=radius,o=WISH, c=NL
>                 BaseDN o=WISH, c=NL
>                 AuthPassword encrypted
>                 UsernameAttr uid
>                 PasswordAttr userPassword
>                 AddToReply Service-Type = Framed-User,\
>                         Framed-Protocol = PPP,\
>                         Framed-IP-Address = 255.255.255.254,\
>                         Framed-MTU = 1500,\
>                         Primary-DNS-Server = 212.123.129.68, \
>                         Secondary-DNS-Server = 212.123.128.16
>         </AuthBy>
>         <AuthBy LDAP2>
>                 Host hostname
>                 AuthDN cn=radius,o=WISH, c=NL
>                 BaseDN o=WISH, c=NL
>                 AuthPassword encrypted
>                 UsernameAttr uid
>                 PasswordAttr userPassword
>                 AddToReply Service-Type = Framed-User,\
>                         Framed-Protocol = PPP,\
>                         Framed-IP-Address = 255.255.255.254,\
>                         Framed-MTU = 1500,\
>                         Primary-DNS-Server = 212.123.129.68, \
>                         Secondary-DNS-Server = 212.123.128.16
>         </AuthBy>
> </Handler>
>
> Only the first handler doesn't really work. Here is a dump:
>
> *** Received from 195.7.137.163 port 1812
> Code:       Access-Request
> Identifier: 21
> Authentic:  4t18026252168t177148196f\10,20611
> Attributes:
>         User-Name = "1631381881431592352421595176177 o177X22721913015725322324422681561706 2178%228?201141W23728135NssSB135165w147iv138$244z140O255134L152150247209_191224112 160.140239255197241168190147J203223216254239205255229227155201:210154247T2282022 1[218185/(4168|252255|234139P23015011134231239255230131161728y30,$210~230254237n 235i16826X252239255K29176135K139185N2031626cx144%254206254188225iT208"
>         User-Password = 210;=220139O164a|203176227AT172432m 1452051541371372Z15515730YN11B281 97173320421SJ160O221424{)190L173223)9y152199Kq204234184179)u220K156d*18v144150148 "192172152`3163167205130177133224180229715254147
>         NAS-IP-Address = 195.7.137.163
>         NAS-Port = 1299
>         Acct-Session-Id = "85066624"
>         Interface-Index = 2555
>         Supports-Tags = 0
>         Service-Type = Login
>         Chassis-Call-Slot = 6
>         Chassis-Call-Span = 1
>         Chassis-Call-Channel = 19
>         Connect-Speed = NONE
>         Calling-Station-Id = "0478631728"
>         Called-Station-Id = ""
>         NAS-Port-Type = Async
>
> Wed Feb 9 18:22:39 2000: DEBUG: Check if Handler User-Name = /\\x/ should be used to handle this request
> Wed Feb 9 18:22:39 2000: DEBUG: Check if Handler should be used to handle this request
> Wed Feb 9 18:22:39 2000: DEBUG: Handling request with Handler ''
> Wed Feb 9 18:22:39 2000: DEBUG: Rewrote user name to \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1x\xe3\xdb\x82\x9d\xfd\xdf\xf4\xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dw\xed^\\x87nsssb\x87\xa5w\x93iv\x8a$\xf4z\x8co\xff\x86l\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\xff\xc5\xf1\xa8\xbe\x93j\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7t\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bp\xe6\x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^Zx\xfc\xef\xffk^]\xb0\x87k\x8b\xb9n\xcb\xa26cx\x90%\xfe\xce\xfe\xbc\xe1it\xd0
> Wed Feb 9 18:22:39 2000: DEBUG: Deleting session for \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1X\xe3\xdb\x82\x9d\xfd\xdf\xf4\xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dW\xed^\\x87NssSB\x87\xa5w\x93iv\x8a$\xf4z\x8cO\xff\x86L\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\xff\xc5\xf1\xa8\xbe\x93J\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7T\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bP\xe6\x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^ZX\xfc\xef\xffK^]\xb0\x87K\x8b\xb9N\xcb\xa26cx\x90%\xfe\xce\xfe\xbc\xe1iT\xd0, 195.7.137.163, 1299
> Wed Feb 9 18:22:39 2000: DEBUG: Handling with Radius::AuthLDAP2
> Wed Feb 9 18:22:39 2000: DEBUG: Connecting to lrad.inside.servers, port 389
> Wed Feb 9 18:25:11 2000: DEBUG: Reading users file /etc/raddb/reject-users
> Wed Feb 9 18:25:12 2000: INFO: Server started
>
> It says that it is reading /etc/raddb/reject-users, but you also see that it tries to contact the LDAP server. Why?
>
> Oh yeah, this is what the reject-users file contains:
>
> DEFAULT Auth-Type = Reject

This actually looks like Radiator is restarting at 18:25:11 - why is that? Did you send it a kill signal? or are you using