Re: (RADIATOR) Mysql password +encrypted password

2000-04-26 Thread Hugh Irvine


Hello again Colin -

On Thu, 27 Apr 2000, colinc wrote:
> Hi
> 
> Just wondering if it's possible to check both the password and encrypted
> password column particularly if one column is empty or null.
> 
> for example, the default would be to check the encrypted password column
> for authentication, however, if there is no encrypted password present
> we want radiator to check the password column. Or vice versa. We have it
> looking at the encrypted password at the moment.
> 

Since responding to this same message a little while ago, Mike and I were
discussing a couple of additional (possibly more suitable) solutions to your
question. The first thing you can do is simply write an AuthSelect in your
AuthBy SQL that returns both the plaintext and the encrypted password fields
and then have AuthColumnDef's for both. Only the password that is actually
returned will be checked, while the null value will be ignored.

A second method is to mix both plaintext and encrypted passwords in the same
column, and as long as the encrypted passwords have the appropriate leading tag
on them (eg. {crypt}, {SHA}, $1$), the plaintext password checker will do the
right thing. See section 13.1.1 in the Radiator 2.15 reference manual.

As to my previous post, the comment I was trying to make is still valid -
defining AuthBy's with Identifier's makes configuration files *much* easier to
build and understand.

cheers

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
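The two approaches in the reply above (two columns with the NULL one ignored, or one column holding plaintext and tagged hashes), sketched as an added example; this is not Radiator's code. The function names are hypothetical, and the sketch assumes `{SHA}` means base64 of a SHA-1 digest, that the encrypted column holds a crypt(3) hash, and that both columns must match when both are returned.

```python
import base64
import hashlib
import hmac
import re
import warnings

try:  # crypt(3) binding; removed from the standard library in Python 3.13
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        import crypt as _crypt
except ImportError:
    _crypt = None

TAG_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison, so timing does not reveal how much matched."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _check_crypt(submitted: str, stored_hash: str) -> bool:
    """Verify against a crypt(3) hash; fail closed if the platform cannot."""
    if _crypt is None:
        return False
    try:
        computed = _crypt.crypt(submitted, stored_hash)
    except OSError:
        return False
    return bool(computed) and _equal(computed, stored_hash)


def check_stored(submitted: str, stored: str) -> bool:
    """Single-column variant: the leading tag selects the comparison."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(submitted.encode("utf-8")).digest()
        return _equal(base64.b64encode(digest).decode("ascii"), stored[5:])
    if stored.startswith("{crypt}"):
        return _check_crypt(submitted, stored[len("{crypt}"):])
    if stored.startswith("$1$"):
        return _check_crypt(submitted, stored)
    if TAG_RE.match(stored):
        # Unknown tag: refuse. Falling through to the plaintext comparison
        # would accept the stored hash text itself as a valid password.
        # Side effect: a plaintext password shaped like "{tag}..." cannot
        # be stored in a mixed column.
        return False
    return _equal(submitted, stored)


def authenticate(submitted: str, plaintext_col, encrypted_col) -> bool:
    """Two-column variant: check only the columns the query returned."""
    checks = []
    if encrypted_col:            # NULL and '' both count as "nothing stored"
        checks.append(_check_crypt(submitted, encrypted_col))
    if plaintext_col:
        checks.append(check_stored(submitted, plaintext_col))
    # No usable column means reject: an empty column must never match an
    # empty submitted password.
    return bool(checks) and all(checks)
```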



(RADIATOR) Re: More Roaming Problems

2000-04-26 Thread Froilan Mendoza


On Thu, 27 Apr 2000, Hugh Irvine wrote:

> 
> Both traces above show Access accepted. The line below refers to the session
> database that is always updated with the original username as it arrives from
> the NAS (or proxy).

The logs show it's accepted, however, the connection was never started.  On
the side of the person dialling, it keeps on asking for the password.
According to the logs on Merit:

Wed Apr 26 18:49:48 2000: Received-Authentication: 234/629 '[EMAIL PROTECTED]' from pop2.i-iloilo.com.ph port 2 PPP
Wed Apr 26 18:49:48 2000: child_end: DNS update finished
Wed Apr 26 18:49:48 2000: Authentication: 234/629 'roytest\0i-manila.com.ph' via pop2.i-iloilo.com.ph from 208.155.154.130 port 2 PPP - OK -- total 0, holding 0
Wed Apr 26 18:50:14 2000: Received-Authentication: 235/630 '[EMAIL PROTECTED]' from pop2.i-iloilo.com.ph port 2 PPP
Wed Apr 26 18:50:14 2000: Authentication: 235/630 'roytest\0i-manila.com.ph' via pop2.i-iloilo.com.ph from 208.155.154.130 port 2 PPP - OK -- total 0, holding 0
Wed Apr 26 18:50:21 2000: Received-Authentication: 236/631 '[EMAIL PROTECTED]' from pop2.i-iloilo.com.ph port 2 PPP
Wed Apr 26 18:50:21 2000: Authentication: 236/631 'roytest\0i-manila.com.ph' via pop2.i-iloilo.com.ph from 208.155.154.130 port 2 PPP - OK -- total 0, holding 0


A successful connection would yield:

Wed Apr 26 19:20:45 2000: Received-Authentication: 223/655 '[EMAIL PROTECTED]' via 208.155.152.226 from salvi.i-iloilo.com.ph port 9 PPP
Wed Apr 26 19:20:45 2000: Authentication: 223/655 'roytest\0i-manila.com.ph' via 208.155.152.226 from 208.155.154.129 port 9 PPP - OK -- total 0, holding 0
Wed Apr 26 19:20:45 2000: Received-Accounting: 224/1167 '[EMAIL PROTECTED]' via 208.155.152.226 from salvi.i-iloilo.com.ph port 9 $"0073" PPP Start
Wed Apr 26 19:20:45 2000: Accounting: 224/1167 'roytest\0i-manila.com.ph' via 208.155.152.226 from salvi.i-iloilo.com.ph port 9 $"0073" PPP Start - OK -- total 0, holding 0


Notice the difference between the two:
i) unsuccessful - Authentication - Received Authentication only
ii) successful - Authentication-Received Authentication AND
Accounting-Received Accounting.

As I notice, this (unsuccessful) only happens on USRNetserver16s, while
the CISCO connection was successful.

Thanks again for your help.


Sincerely, 

Froilan C. Mendoza  
Manager - Systems Management
Tridel Technologies, Inc.
http://www.tridel.net





(RADIATOR) Mysql password +encrypted password

2000-04-26 Thread colinc


Hi

Just wondering if it's possible to check both the password and encrypted
password column particularly if one column is empty or null.

for example, the default would be to check the encrypted password column
for authentication, however, if there is no encrypted password present
we want radiator to check the password column. Or vice versa. We have it
looking at the encrypted password at the moment.

Thanks. Col.





Re: (RADIATOR) mysql Passwords + Encrypted p/w

2000-04-26 Thread Hugh Irvine


Hello Colin -

On Thu, 27 Apr 2000, colinc wrote:
> Hi
> 
> Just wondering if it's possible to check both the password and encrypted
> password column particularly if one column is empty or null.
> 
> for example, the default would be to check the encrypted password column
> for authentication, however, if there is no encrypted password present
> we want radiator to check the password column. Or vice versa. We have it
> looking at the encrypted password at the moment.
> 

As you are using an SQL database, you could use two AuthBy SQL clauses with
different AuthSelect statements and cascade them with an AuthByPolicy.

Something like this:

# define this AuthBy to check the clear text password

<AuthBy SQL>
    Identifier CheckClearTextPassword
    DBSource 
    DBUsername 
    DBAuth 
    AuthSelect .
    .
</AuthBy>

# define this AuthBy to check the encrypted password

<AuthBy SQL>
    Identifier CheckEncryptedPassword
    DBSource 
    DBUsername 
    DBAuth 
    AuthSelect 
    .
</AuthBy>

# define an AuthBy GROUP to do both checks

<AuthBy GROUP>
    Identifier CheckPassword
    AuthByPolicy ContinueUntilAccept
    AuthBy CheckClearTextPassword
    AuthBy CheckEncryptedPassword
</AuthBy>


# the Handler(s) or Realm(s) would contain this



AuthBy CheckPassword



Note that the same technique can be used in many other cases to simplify
configuration files enormously.

hth

Hugh




(RADIATOR) mysql Passwords + Encrypted p/w

2000-04-26 Thread colinc

Hi

Just wondering if it's possible to check both the password and encrypted
password column particularly if one column is empty or null.

for example, the default would be to check the encrypted password column
for authentication, however, if there is no encrypted password present
we want radiator to check the password column. Or vice versa. We have it
looking at the encrypted password at the moment.

Thanks. Col.





(RADIATOR) Re: Interbase 6 and Radiator.

2000-04-26 Thread Mike McCauley

Hello Thomas,

We recently tested Beta 6.0 on Linux 6.1 with Radiator. We built the database
with the goodies/interbaseCreate.sql script, and we
used DBD-InterBase-0.021 as the interface, and a DBSource line like:

DBSource dbi:InterBase:database=/some/path/radius.gdb
DBUsername
DBAuth

(DBD-Interbase includes IBPerl)

One gotcha we had with getting the Interbase server running was that you must
have 'localhost' in /etc/hosts.equiv, else the server won't start properly, and
you can attach to it with isql etc.

Hope that helps.

Cheers.

On Apr 26,  5:36pm, Thomas Clarke wrote:
> Subject: Interbase 6 and Radiator.
> Hello to all on the list.
>
> Can anyone help me to get Radiator installed using Interbase 6 Beta
> (superserver) on RedHat 6.1 linux. I am afraid that I am new  to Radiator
> and Linux. I have got IBPerl installed. Possibly let me have a sample
> configuration file.
>
> TIA.
>
> Thomas Clarke
> VP Operations
> SunBeach "The Internet People"
> "San Remo"
> Belmont Road
> St. Michael
> Barbados W. I.
>
> voice (246) 430-1569
> fax (246) 228-6330
>
> email [EMAIL PROTECTED]
> http://www.sunbeach.net/
>
>
>-- End of excerpt from Thomas Clarke



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




(RADIATOR) Re: More Roaming Problems

2000-04-26 Thread Hugh Irvine


Hello Froilan -

On Wed, 26 Apr 2000, Froilan Mendoza wrote:
> Hello.
> 
> I tried Hugh's solution on my query last March 23 (yes, I only had the
> chance to do this a month after) re: <0> symbol in the realm field.
> 
> Well, there still seems to be a problem.  Here is the current setup:
> 
>   I-Manila is local ISP (i-manila.com.ph)
>   I-Cebu is provincial ISP (i-cebu.com.ph)
> 
> The idea is I-Manila users in Cebu should be able to connect using
> [EMAIL PROTECTED] in Cebu's trunks.
> 
> The I-Manila setup is:
> 
> 
> Secret 
> RewriteUsername  s/\0/@/  <-- remove that <0> from Merit Radius
> DupInterval 15
> IgnoreAcctSignature
> 
> 
> 
> 
> RewriteUsername s/^([^@]+).*/$1/ <-- get just the username
> RewriteUsername tr/0-9|a-z|\-|_//cd <-- remove any characters
>   #other than [a-z], [0-9], dash and underscore
> 
> Command /radius/radauth
> DecryptPassword
> 
> PasswordLogFileName %L/password.imanila.log
> 
> 
> 
> 
> The logs however show:
> 
> For local I-Manila user who uses [EMAIL PROTECTED], this example
> was able to authenticate properly:
> 
> Wed Apr 26 11:04:54 2000: DEBUG: Rewrote user name to
> [EMAIL PROTECTED]
> Wed Apr 26 11:04:54 2000: DEBUG: Handling request with Handler
> 'Realm=i-manila.com.ph'
> Wed Apr 26 11:04:54 2000: DEBUG: Rewrote user name to daleones
> Wed Apr 26 11:04:54 2000: DEBUG: Rewrote user name to daleones
> Wed Apr 26 11:04:54 2000: DEBUG: Deleting session for
> [EMAIL PROTECTED], 203.167.0.34, 30
> Wed Apr 26 11:04:54 2000: DEBUG: Running command: /radius/radauth
> Wed Apr 26 11:04:55 2000: DEBUG: Access accepted for daleones
> Wed Apr 26 11:04:55 2000: DEBUG: Packet dump:
> 
> For I-Manila users roaming in Cebu:
> 
> Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to
> roytest^@i-manila.com.ph
> Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to
> [EMAIL PROTECTED]
> Wed Apr 26 15:02:14 2000: DEBUG: Handling request with Handler
> 'Realm=i-manila.com.ph'
> Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to roytest
> Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to roytest
> Wed Apr 26 15:02:14 2000: DEBUG: Deleting session for
> roytest^@i-manila.com.ph, 208.164.193.180, 12
> Wed Apr 26 15:02:14 2000: DEBUG: Running command: /radius/radauth
> Wed Apr 26 15:02:14 2000: DEBUG: Access accepted for roytest
> Wed Apr 26 15:02:14 2000: DEBUG: Packet dump:
> 
> 
> Note the difference between [EMAIL PROTECTED] after deleting session
> when successful, and username^@i-manila.com.ph if not successful
> 

Both traces above show Access accepted. The line below refers to the session
database that is always updated with the original username as it arrives from
the NAS (or proxy).

> Wed Apr 26 15:02:14 2000: DEBUG: Deleting session for
> roytest^@i-manila.com.ph, 208.164.193.180, 12

regards

Hugh




Re: (RADIATOR) max-sessions per reelms

2000-04-26 Thread Hugh Irvine


Hello Jesus -

On Wed, 26 Apr 2000, Jesus M Diaz wrote:
> is there any way to limit the number of concurrent users of a realm?
> 

Yes, you would use the AuthBy PORTLIMITCHECK clause, cascaded after your normal
authentication clause(s). See section 6.35 in the Radiator 2.15 reference
manual for further details.

regards

Hugh




Re: (RADIATOR) ERR: No orig_authenticator supplied to check_authenticator

2000-04-26 Thread Hugh Irvine


Hello Richi -

On Thu, 27 Apr 2000, Richi Plana wrote:
> Hi,
> 
> Still using Radiator-1.13.1 in one of our systems. What does the ff. error
> mean:
> 
> ERR: No orig_authenticator supplied to check_authenticator
> 
> We think it's one of the last things that gets logged before Radiator dies.
> It could be a problem in MD5->hash or AuthRADIUS.pm (somewhere).
> 
> Radiator dies (on the average) ten times a day.  It's on a production
> system. Is there an easy way we can find out what the problem is without
> any downtimes?
> 

I think you will find that AuthRADIUS.pm is calling the function
check_authenticator which is defined in Radius.pm, and check_authenticator is
where that message is displayed. What it means is that you are trying to
process a radius packet that does not have an authenticator present. Where are
the packets in question coming from, and what type of packets are they? If they
are accounting packets, you could try setting IgnoreAcctSignature for that
Client.

The latest version of Radiator is 2.15 and I would suggest you plan an upgrade.

regards

Hugh
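The two authenticator checks behind the reply above, as an added example that is not Radiator's code: a reply can only be verified against the authenticator of the original request, and an accounting request carries a keyed MD5 that is the check IgnoreAcctSignature skips. The formulas follow RFC 2865 and RFC 2866; function names, the secret and the attribute bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
ZERO16 = bytes(16)


def build_packet(code, ident, authenticator, attrs):
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + authenticator + attrs


def _trim(packet):
    """Cut the packet to its declared Length; None if it is malformed."""
    if len(packet) < 20:
        return None
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        return None
    return packet[:length]


def _digest(packet, auth_field, secret):
    """MD5 over the packet with the Authenticator replaced by auth_field."""
    return hashlib.md5(packet[:4] + auth_field + packet[20:] + secret).digest()


def sign_accounting_request(ident, attrs, secret):
    unsigned = build_packet(ACCOUNTING_REQUEST, ident, ZERO16, attrs)
    auth = _digest(unsigned, ZERO16, secret)
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)


def check_accounting_request(packet, secret):
    """RFC 2866: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    packet = _trim(packet)
    if packet is None or packet[0] != ACCOUNTING_REQUEST:
        return False
    return hmac.compare_digest(packet[4:20], _digest(packet, ZERO16, secret))


def sign_reply(code, ident, attrs, request_auth, secret):
    unsigned = build_packet(code, ident, request_auth, attrs)
    auth = _digest(unsigned, request_auth, secret)
    return build_packet(code, ident, auth, attrs)


def check_reply(reply, request_auth, secret):
    """RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    reply = _trim(reply)
    if reply is None or request_auth is None or len(request_auth) != 16:
        # Without the original request's authenticator there is nothing to
        # verify the reply against, so it is rejected rather than trusted.
        return False
    return hmac.compare_digest(reply[4:20], _digest(reply, request_auth, secret))


# Constructed sample data: User-Name = "roytest", Acct-Status-Type = Start.
SAMPLE_SECRET = b"constructed-secret"
SAMPLE_ATTRS = bytes([1, 9]) + b"roytest" + bytes([40, 6]) + struct.pack("!I", 1)
```

A server that skips `check_accounting_request` accepts accounting records from anyone who can reach its port, so that setting is better scoped to the one client that needs it.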




(RADIATOR) Re: More Roaming Problem -- hmmm, interesting

2000-04-26 Thread Hugh Irvine


Hello Froilan -

On Wed, 26 Apr 2000, Froilan Mendoza wrote:
> Hello again.
> 
> Here's something interesting - whenever they dial into a Cisco, they
> authenticate (and account) fine.  But whenever they connect to a
> USRNetserver16, they can't.  
> 
> Here are the comparative logs:
> 
> Cisco:
> 
> *** Received from 208.155.152.36 port 1026 
> Code:   Access-Request
> Identifier: 143
> Authentic:  Cm<182><9><217><221><9>m<234><250>2]<189><22><19><6>
> Attributes:
> NAS-IP-Address = 208.155.154.129
> NAS-Port = 9
> NAS-Port-Type = Async
> User-Name = "roytest<0>i-manila.com.ph"
> User-Password =
> "F<182><201><24><14>`<9><240><176>a<133><187><19>ou<"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Id = "roytest"
> NAS-Identifier = "salvi.i-iloilo.com.ph"
> User-Realm = "i-manila.com.ph"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Login-Service = Rlogin
> Session-Timeout = 21600
> Framed-MTU = 576
> Proxy-State = 0
> 
> Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to
> roytest^@i-manila.com.ph
> Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to
> [EMAIL PROTECTED]
> Wed Apr 26 19:20:46 2000: DEBUG: Handling request with Handler
> 'Realm=i-manila.com.ph'
> Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to roytest
> Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to roytest
> Wed Apr 26 19:20:46 2000: DEBUG: Deleting session for
> roytest^@i-manila.com.ph, 208.155.154.129, 9
> Wed Apr 26 19:20:46 2000: DEBUG: Running command: /radius/radauth
> Wed Apr 26 19:20:47 2000: DEBUG: Access accepted for roytest
> Wed Apr 26 19:20:47 2000: DEBUG: Packet dump:
> *** Sending to 208.155.152.36 port 1026 
> Code:   Access-Accept
> Identifier: 143
> Authentic:  Cm<182><9><217><221><9>m<234><250>2]<189><22><19><6>
> Attributes:
> Proxy-State = 0
> Session-Timeout = 21600
> 
> 
> --
> USR Netserver16
> 
> *** Received from 208.155.152.36 port 1026 
> Code:   Access-Request
> Identifier: 117
> Authentic:  <237>><148>v<247>M<175>^<168><215><16>*a<173><21><11>
> Attributes:
> User-Name = "roytest<0>i-manila.com.ph"
> User-Password =
> "]<242><228>2<170><26>Dd<159><221><167><176><233><20>m)"
> NAS-IP-Address = 208.155.154.130
> NAS-Port = 2
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Id = "roytest"
> NAS-Identifier = "pop2.i-iloilo.com.ph"
> User-Realm = "i-manila.com.ph"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Login-Service = Rlogin
> Session-Timeout = 21600
> Framed-MTU = 576
> Proxy-State = 0
> 
> Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to
> roytest^@i-manila.com.ph
> Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to
> [EMAIL PROTECTED]
> Wed Apr 26 18:49:49 2000: DEBUG: Handling request with Handler
> 'Realm=i-manila.com.ph'
> Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to roytest
> Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to roytest
> Wed Apr 26 18:49:49 2000: DEBUG: Deleting session for
> roytest^@i-manila.com.ph, 208.155.154.130, 2
> Wed Apr 26 18:49:49 2000: DEBUG: Running command: /radius/radauth
> Wed Apr 26 18:49:50 2000: DEBUG: Access accepted for roytest
> Wed Apr 26 18:49:50 2000: DEBUG: Packet dump:
> *** Sending to 208.155.152.36 port 1026 
> Code:   Access-Accept
> Identifier: 117
> Authentic:  <237>><148>v<247>M<175>^<168><215><16>*a<173><21><11>
> Attributes:
> Proxy-State = 0
> Session-Timeout = 21600
> 
> 
> What's the difference between the two setups?
> 

In what you have sent above, nothing. Both traces are from the same source and
unsurprisingly they are both Accepted.

cheers

Hugh





RE: (RADIATOR) Accounting for Realms?

2000-04-26 Thread Hugh Irvine


Hello Dave -

On Wed, 26 Apr 2000, Dave Kitabjian wrote:
> Thanks for the note.
> 
> My servers (one in C, the other VB) which parse and upload the detail
> records are expecting a standard Livingston-style accounting record, one
> attribute per line. They get mapped one-to-one with SQL Columns, and
> then get inserted.
> 
> Attaching special treatment for the attribute named "Username" would be
> a hack, and would spoil the elegance and flexibility of this approach :(
> 
> Since Radiator is so flexible, I was hoping that something this
> straightforward and common would be doable from within Radiator. If not,
> then I may end up putting in the hack. 
> 

I misunderstood your situation - I thought as you were already processing the
files externally, adding another step would be easy.

In any case, you can use the AcctLogFileName and AcctLogFileFormat parameters
to specify whatever you wish in the accounting file output. I am not sure from
your descriptions how the username comes in (nor how it is processed), but you
can specify %{Realm} to get the Realm output to the file. Have a look at
sections 6.13.4 and 6.13.5 in the Radiator 2.15 reference manual.

regards

Hugh





(RADIATOR) ERR: No orig_authenticator supplied to check_authenticator

2000-04-26 Thread Richi Plana

Hi,

Still using Radiator-1.13.1 in one of our systems. What does the ff. error
mean:

ERR: No orig_authenticator supplied to check_authenticator

We think it's one of the last things that gets logged before Radiator dies.
It could be a problem in MD5->hash or AuthRADIUS.pm (somewhere).

Radiator dies (on the average) ten times a day.  It's on a production
system. Is there an easy way we can find out what the problem is without
any downtimes?


L   L Richi Plana 8^) ,-,-. ,-,-. ,-,-. ,-,-. ,-
LL LL Systems Administrator  / / \ \   / / \ \   / / \ \   / / \ \   / /
L Mosaic Communications, Inc. \ \ / /   \ \ / /   \ \ / /   \ \ / / 
L mailto:[EMAIL PROTECTED] `-'-' `-'-' `-'-' `-'-' 






(RADIATOR) max-sessions per reelms

2000-04-26 Thread Jesus M Diaz

is there any way to limit the number of concurrent users of a realm?

thank you



Jesus M Diaz <[EMAIL PROTECTED]>

Telia Iberia, S.A.
Planificación y Diseño de Red
Tfno: +34 91 623 2909
Fax: +34 91 623 2950






RE: (RADIATOR) Accounting for Realms?

2000-04-26 Thread Dave Kitabjian

Thanks for the note.

My servers (one in C, the other VB) which parse and upload the detail
records are expecting a standard Livingston-style accounting record, one
attribute per line. They get mapped one-to-one with SQL Columns, and
then get inserted.

Attaching special treatment for the attribute named "Username" would be
a hack, and would spoil the elegance and flexibility of this approach :(

Since Radiator is so flexible, I was hoping that something this
straightforward and common would be doable from within Radiator. If not,
then I may end up putting in the hack. 

Dave

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 25, 2000 6:22 PM
To: Dave Kitabjian; ''
Subject: RE: (RADIATOR) Accounting for Realms?


On Tue, 25 Apr 2000, Dave Kitabjian wrote:
> Thanks for the tip.
> 
> From a Radiator point of view, we are simply logging to a standard
> "detail" file. (However, from our *system's* point of view, we parse
> that file and upload it into a Sql database. Don't worry about this;
> I'll handle those details.)
> 
> So I just need the detail file to appear correct. Yes, I would rather
> log "UserName and Realm". What I'm asking is *how*? Username doesn't
> appear to strip off the Realm for accounting, even after a Rewrite; and
> the Realm doesn't appear anywhere else in the accounting record. How can
> I split them apart from within Radiator ?
> 

Why not just split into UserName and Realm when you parse the file?

Hugh




(RADIATOR) More Roaming Problem -- hmmm, interesting

2000-04-26 Thread Froilan Mendoza


Hello again.

Here's something interesting - whenever they dial into a Cisco, they
authenticate (and account) fine.  But whenever they connect to a
USRNetserver16, they can't.  

Here are the comparative logs:

Cisco:

*** Received from 208.155.152.36 port 1026 
Code:   Access-Request
Identifier: 143
Authentic:  Cm<182><9><217><221><9>m<234><250>2]<189><22><19><6>
Attributes:
NAS-IP-Address = 208.155.154.129
NAS-Port = 9
NAS-Port-Type = Async
User-Name = "roytest<0>i-manila.com.ph"
User-Password =
"F<182><201><24><14>`<9><240><176>a<133><187><19>ou<"
Service-Type = Framed-User
Framed-Protocol = PPP
User-Id = "roytest"
NAS-Identifier = "salvi.i-iloilo.com.ph"
User-Realm = "i-manila.com.ph"
Service-Type = Framed-User
Framed-Protocol = PPP
Login-Service = Rlogin
Session-Timeout = 21600
Framed-MTU = 576
Proxy-State = 0

Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to
roytest^@i-manila.com.ph
Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to
[EMAIL PROTECTED]
Wed Apr 26 19:20:46 2000: DEBUG: Handling request with Handler
'Realm=i-manila.com.ph'
Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to roytest
Wed Apr 26 19:20:46 2000: DEBUG: Rewrote user name to roytest
Wed Apr 26 19:20:46 2000: DEBUG: Deleting session for
roytest^@i-manila.com.ph, 208.155.154.129, 9
Wed Apr 26 19:20:46 2000: DEBUG: Running command: /radius/radauth
Wed Apr 26 19:20:47 2000: DEBUG: Access accepted for roytest
Wed Apr 26 19:20:47 2000: DEBUG: Packet dump:
*** Sending to 208.155.152.36 port 1026 
Code:   Access-Accept
Identifier: 143
Authentic:  Cm<182><9><217><221><9>m<234><250>2]<189><22><19><6>
Attributes:
Proxy-State = 0
Session-Timeout = 21600


--
USR Netserver16

*** Received from 208.155.152.36 port 1026 
Code:   Access-Request
Identifier: 117
Authentic:  <237>><148>v<247>M<175>^<168><215><16>*a<173><21><11>
Attributes:
User-Name = "roytest<0>i-manila.com.ph"
User-Password =
"]<242><228>2<170><26>Dd<159><221><167><176><233><20>m)"
NAS-IP-Address = 208.155.154.130
NAS-Port = 2
Service-Type = Framed-User
Framed-Protocol = PPP
User-Id = "roytest"
NAS-Identifier = "pop2.i-iloilo.com.ph"
User-Realm = "i-manila.com.ph"
Service-Type = Framed-User
Framed-Protocol = PPP
Login-Service = Rlogin
Session-Timeout = 21600
Framed-MTU = 576
Proxy-State = 0

Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to
roytest^@i-manila.com.ph
Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to
[EMAIL PROTECTED]
Wed Apr 26 18:49:49 2000: DEBUG: Handling request with Handler
'Realm=i-manila.com.ph'
Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to roytest
Wed Apr 26 18:49:49 2000: DEBUG: Rewrote user name to roytest
Wed Apr 26 18:49:49 2000: DEBUG: Deleting session for
roytest^@i-manila.com.ph, 208.155.154.130, 2
Wed Apr 26 18:49:49 2000: DEBUG: Running command: /radius/radauth
Wed Apr 26 18:49:50 2000: DEBUG: Access accepted for roytest
Wed Apr 26 18:49:50 2000: DEBUG: Packet dump:
*** Sending to 208.155.152.36 port 1026 
Code:   Access-Accept
Identifier: 117
Authentic:  <237>><148>v<247>M<175>^<168><215><16>*a<173><21><11>
Attributes:
Proxy-State = 0
Session-Timeout = 21600


What's the difference between the two setups?

Thanks again.


Sincerely, 

Froilan C. Mendoza  
Manager - Systems Management
Tridel Technologies, Inc.
http://www.tridel.net






(RADIATOR) More Roaming Problems

2000-04-26 Thread Froilan Mendoza


Hello.

I tried Hugh's solution on my query last March 23 (yes, I only had the
chance to do this a month after) re: <0> symbol in the realm field.

Well, there still seems to be a problem.  Here is the current setup:

I-Manila is local ISP (i-manila.com.ph)
I-Cebu is provincial ISP (i-cebu.com.ph)

The idea is I-Manila users in Cebu should be able to connect using
[EMAIL PROTECTED] in Cebu's trunks.

The I-Manila setup is:


Secret 
RewriteUsername  s/\0/@/  <-- remove that <0> from Merit Radius
DupInterval 15
IgnoreAcctSignature




RewriteUsername s/^([^@]+).*/$1/ <-- get just the username
RewriteUsername tr/0-9|a-z|\-|_//cd <-- remove any characters
#other than [a-z], [0-9], dash and underscore

Command /radius/radauth
DecryptPassword

PasswordLogFileName %L/password.imanila.log




The logs however show:

For local I-Manila user who uses [EMAIL PROTECTED], this example
was able to authenticate properly:

Wed Apr 26 11:04:54 2000: DEBUG: Rewrote user name to
[EMAIL PROTECTED]
Wed Apr 26 11:04:54 2000: DEBUG: Handling request with Handler
'Realm=i-manila.com.ph'
Wed Apr 26 11:04:54 2000: DEBUG: Rewrote user name to daleones
Wed Apr 26 11:04:54 2000: DEBUG: Rewrote user name to daleones
Wed Apr 26 11:04:54 2000: DEBUG: Deleting session for
[EMAIL PROTECTED], 203.167.0.34, 30
Wed Apr 26 11:04:54 2000: DEBUG: Running command: /radius/radauth
Wed Apr 26 11:04:55 2000: DEBUG: Access accepted for daleones
Wed Apr 26 11:04:55 2000: DEBUG: Packet dump:

For I-Manila users roaming in Cebu:

Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to
roytest^@i-manila.com.ph
Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to
[EMAIL PROTECTED]
Wed Apr 26 15:02:14 2000: DEBUG: Handling request with Handler
'Realm=i-manila.com.ph'
Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to roytest
Wed Apr 26 15:02:14 2000: DEBUG: Rewrote user name to roytest
Wed Apr 26 15:02:14 2000: DEBUG: Deleting session for
roytest^@i-manila.com.ph, 208.164.193.180, 12
Wed Apr 26 15:02:14 2000: DEBUG: Running command: /radius/radauth
Wed Apr 26 15:02:14 2000: DEBUG: Access accepted for roytest
Wed Apr 26 15:02:14 2000: DEBUG: Packet dump:


Note the difference between [EMAIL PROTECTED] after deleting session
when successful, and username^@i-manila.com.ph if not successful


Any workaround?

TIA.


Sincerely, 

Froilan C. Mendoza  
Manager - Systems Management
Tridel Technologies, Inc.
http://www.tridel.net
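An added example, not part of the original post and not Radiator code: the three RewriteUsername rules above re-expressed in Python, next to a stricter normaliser that rejects unexpected characters instead of deleting them. The function names, the length limit and the choice to lower-case are assumptions made for illustration; the usernames are constructed.

```python
import re

ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-_")
REALM_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def rewrite_as_posted(username):
    """Mirror of the three rewrite rules quoted in the post."""
    # s/\0/@/ : replace the first NUL (as sent by the Merit proxy) with "@"
    username = username.replace("\0", "@", 1)
    # s/^([^@]+).*/$1/ : keep only what precedes the first "@"
    username = re.sub(r"^([^@]+).*", r"\1", username, count=1)
    # tr/0-9|a-z|\-|_//cd : delete everything outside the set. tr has no
    # alternation, so "|" is a literal member of the set and is kept too.
    keep = ALLOWED | {"|"}
    return "".join(ch for ch in username if ch in keep)


def split_and_validate(raw, max_len=64):
    """Return (user, realm), or None when the name should be rejected.

    Deleting characters maps different inputs onto the same account name;
    rejecting them keeps the mapping one-to-one. Case is folded here
    (an assumption) rather than having upper-case letters deleted.
    """
    parts = re.split(r"[@\0]", raw, maxsplit=1)
    user = parts[0].lower()
    realm = parts[1].lower() if len(parts) == 2 else ""
    if not user or len(user) > max_len:
        return None
    if any(ch not in ALLOWED for ch in user):
        return None
    if realm and not REALM_RE.fullmatch(realm):
        return None
    return user, realm


# Constructed inputs showing where the two approaches differ.
SAMPLES = [
    "roytest\0i-manila.com.ph",   # Merit-style NUL separator
    "roy.test@i-manila.com.ph",   # "." is deleted by tr, colliding with roytest
    "RoyTest@i-manila.com.ph",    # upper-case letters are deleted by tr
    "roy|test@i-manila.com.ph",   # "|" survives the tr set as written
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), repr(rewrite_as_posted(name)), split_and_validate(name))
```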





