RE: (RADIATOR) desperate: NAS port restrictions...

2000-05-01 Thread Hugh Irvine


Hello Brian -

On Sun, 30 Apr 2000, Brian Keefe wrote:
> Another couple questions:
>
> I want to apply a NAS-Address-Port-List filter to all AuthBy clauses in a
> Realm.
>
> I was able to do this as follows:
>
> <Handler NAS-Address-Port-List = %{GlobalVar:sportbrain_portlist_file}>
>
> <AuthBy ...>
>
> <AuthBy ...>
>
> </Handler>
>
> Is this the only way to do this?


This is probably the best way to do it.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) rejection precedence

2000-05-01 Thread Hugh Irvine


Hello Brian -

On Sun, 30 Apr 2000, Brian Keefe wrote:
> The following outlines the test I wrote:
>
> AuthByPolicy ContinueWhileReject
>
> <AuthBy FILE>
> Filename %{GlobalVar:sportbrain_reject_file}
> </AuthBy>
>
> <AuthBy FILE>
> Filename %{GlobalVar:sportbrain_password_file}
> </AuthBy>
>
> In the reject file:
> reject User-Password="reject", Auth-Type="Reject:discontinued service"
>
> In the password file:
> reject User-Password="reject"
>
> The user reject always PASSES.
>
> If I copy the line from the reject file and put it in the password file,
> rejection happens.
>
> Or, if I change "Reject" to "Ignore" in the password file, I get a No Reply
> message.
>
> Or, if I change Reject to Ignore in the reject file, I get a No Reply
> message.
>
> These events suggest to me that the explicit rejection is not treated
> differently than other rejections.

I would be interested in knowing what version of Radiator you are running, and
I would like to see the trace 4 debug from the above tests to see exactly what
is happening. It sounds like you may have a DEFAULT that is catching the
request.

> In addition, I am not getting the msg at the client if I have an Auth-Type
> of "Reject:msg"
> I am using mostly default behavior in the radpwtst client. For this reason
> it was hard to determine what caused my rejection.
> This prompted use of the Ignore Auth-Type to differentiate causes of
> rejection.

You will need to set the Handler parameter "RejectHasReason". Our apologies as
this is not currently in the manual (it will be fixed in the next release).

thanks

Hugh





(RADIATOR) AuthBy LDAP2: support for OpenLDAP?

2000-05-01 Thread Dave Kitabjian

Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888

The docs say: 

"AuthBy LDAP2 works with the newer Net::LDAP module version in
perl-ldap-0.09 or better (Available from CPAN). It is implemented in
AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan
LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted
connections to the LDAP server."

There is no mention of OpenLDAP, which is what we plan to use. However,
there is a mention of it on:

http://www.open.com.au/radiator/details.html

So I assume that's just an omission? Does anyone have it running with
OpenLDAP?

Thanks for your input!

Dave




Re: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?

2000-05-01 Thread Joost Stegeman

Dave,

It works perfectly with OpenLDAP. OpenLDAP is based on the U of M code.

- Joost.


-- 

   Joost Stegeman
   Service Developer Integration Services
   KPN 
   OVN BBT/IP Integration Services
   tel.  070 - 371 37 83
   fax.  070 - 371 26 38
   E-mail: [EMAIL PROTECTED]





RE: (RADIATOR) rejection precedence

2000-05-01 Thread Brian Keefe


Thanks for the followup.

We are running Radiator 2.15.

What is the syntax for setting RejectHasReason in the handler?

Here is the trace output I think you wanted.

It appears the user is getting explicitly rejected in the first file, but
accepted by the last file.

-- Brian


Mon May  1 07:45:12 2000: DEBUG: Reading users file /home/radius/etc/sportbrain_reject_file
Mon May  1 07:45:12 2000: DEBUG: AuthSBAUTH loaded
Mon May  1 07:45:12 2000: DEBUG: New Radius::AuthSBAUTH constructed
Mon May  1 07:45:12 2000: DEBUG: Reading users file /home/radius/etc/sportbrain_password_file
Mon May  1 07:45:12 2000: INFO: Server started: Radiator 2.15
Mon May  1 07:45:13 2000: DEBUG: Packet dump:
*** Received from 192.168.1.8 port 1127 
Code:   Access-Request
Identifier: 80
Authentic:  1234567890123456
Attributes:
User-Name = "cmgi"
Service-Type = Framed-User
NAS-IP-Address = 206.173.119.101
NAS-Port = 1645
NAS-Port-Type = Async
User-Password =
"291710G[17924713320523170213^125_
"

Mon May  1 07:45:13 2000: DEBUG: Check if Handler NAS-Address-Port-List = %{GlobalVar:sportbrain_portlist_file} should be used to handle this request
Mon May  1 07:45:13 2000: DEBUG: NAS-Address-Port-List: reading /home/radius/etc/sportbrain_portlist_file
Mon May  1 07:45:13 2000: DEBUG: Handling request with Handler 'NAS-Address-Port-List = %{GlobalVar:sportbrain_portlist_file}'
Mon May  1 07:45:13 2000: DEBUG:  Deleting session for cmgi, 206.173.119.101, 1645
Mon May  1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
Mon May  1 07:45:13 2000: DEBUG: Radius::AuthFILE looks for match with cmgi
Mon May  1 07:45:13 2000: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon May  1 07:45:13 2000: INFO: AuthSBAUTH handle_request: Received from 192.168.1.8 port 1127
Mon May  1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
Mon May  1 07:45:13 2000: DEBUG: Radius::AuthFILE looks for match with cmgi
Mon May  1 07:45:13 2000: DEBUG: Radius::AuthFILE ACCEPT:
Mon May  1 07:45:13 2000: DEBUG: Access accepted for cmgi
Mon May  1 07:45:13 2000: DEBUG: Packet dump:
*** Sending to 192.168.1.8 port 1127 
Code:   Access-Accept
Identifier: 80
Authentic:  1234567890123456




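An added example, not part of the original message and not Radiator code: a small Python check that scans a trace 4 log like the one above for requests in which an AuthBy logged REJECT_IMMEDIATE but the request still ended in an accept. The function names are hypothetical, the second sample request is constructed, and the "Access rejected for" line format and the REJECT/IGNORE result names are assumptions.

```python
import re

# Request 1 repeats lines from the trace above (wrapped lines rejoined).
# Request 2 is constructed; its "Access rejected for" line is an assumed format.
SAMPLE_TRACE = """\
Mon May  1 07:45:13 2000: DEBUG: Packet dump:
*** Received from 192.168.1.8 port 1127
Code:   Access-Request
User-Name = "cmgi"
Mon May  1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
Mon May  1 07:45:13 2000: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon May  1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
Mon May  1 07:45:13 2000: DEBUG: Radius::AuthFILE ACCEPT:
Mon May  1 07:45:13 2000: DEBUG: Access accepted for cmgi
Mon May  1 07:45:13 2000: DEBUG: Packet dump:
*** Sending to 192.168.1.8 port 1127
Code:   Access-Accept
Mon May  1 07:45:20 2000: DEBUG: Packet dump:
*** Received from 192.168.1.8 port 1130
Code:   Access-Request
User-Name = "example"
Mon May  1 07:45:20 2000: DEBUG: Handling with Radius::AuthFILE
Mon May  1 07:45:20 2000: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon May  1 07:45:20 2000: INFO: Access rejected for example: discontinued service
"""

RECEIVED = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
USER = re.compile(r'^\s*User-Name = "([^"]*)"')
# Only REJECT_IMMEDIATE and ACCEPT appear on the page; REJECT and IGNORE are assumed.
RESULT = re.compile(r": DEBUG: Radius::(\w+) (REJECT_IMMEDIATE|REJECT|ACCEPT|IGNORE):")
OUTCOME = re.compile(r": (?:DEBUG|INFO): Access (accepted|rejected) for ([^:\s]+)")

def parse_requests(trace):
    """Split an unwrapped trace into one record per received packet."""
    requests, cur = [], None
    for line in trace.splitlines():
        m = RECEIVED.match(line)
        if m:  # a new incoming packet starts a new record
            cur = {"client": m.group(1), "user": None, "results": [], "outcome": None}
            requests.append(cur)
        elif cur is not None:
            if (m := USER.match(line)) and cur["user"] is None:
                cur["user"] = m.group(1)
            elif m := RESULT.search(line):
                cur["results"].append((m.group(1), m.group(2)))  # (module, result)
            elif m := OUTCOME.search(line):
                cur["outcome"] = m.group(1)
    return requests

def overridden_rejects(requests):
    """Requests that logged an explicit reject but were accepted in the end."""
    return [r for r in requests
            if r["outcome"] == "accepted"
            and any(res == "REJECT_IMMEDIATE" for _, res in r["results"])]

if __name__ == "__main__":
    for r in overridden_rejects(parse_requests(SAMPLE_TRACE)):
        print(f"{r['user']} from {r['client']}: explicit reject overridden {r['results']}")
```

The parser expects each log entry on one line, so a trace wrapped by a mail client has to be rejoined first.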



(RADIATOR) Accounting database retry aggressiveness...

2000-05-01 Thread Danny Whitesel

Last Friday, the server that houses our Rodopi database had a massive
hardware failure. As of yet, I am not 100% sure just what the extent of the
damage is. Most of the server was replaced just to get it back online as
quickly as possible. To make a long story short, it was down for 6 days.

Our Radiator Radius server reports accounting data to the aforementioned
Rodopi database. Authentication is pulled off of a Linux MySQL server, so
our users were still able to connect. Ironically enough, even though Rodopi
has provisions for serving up Radius right from its own database, I chose
to serve Radius from a separate out of concern for "What if the Rodopi
machine goes down?".

Once the Rodopi machine got back online, one of the NT admins noticed that
radiusd was no longer connecting and reporting accounting data. I sent
a -HUP to radiusd...nothing. Only after completely killing and restarting
radiusd did it resume reporting accounting data to the Rodopi database.

I'm just curious what the timeouts and/or aggressiveness of the accounting
database connectivity is?

Also...While I'm on the subject of database connectivity, this same NT admin
noticed and commented on how radiusd connects and stays connected to the
Rodopi database constantly. He is of the opinion that radiusd (and any other
clients, for that matter) should connect and disconnect for every
query/write. He feels that performance is not an issue since database
servers are designed to, and expect to, take rapid connects, queries/writes
and disconnects. "That's their job.", he says.

Though I have an opinion on the subject, I promised I would just pose the
question to the list and see what you guys had to say. What about you,
Hugh? What is the official word from the development team on this issue?

-Danny








RE: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?

2000-05-01 Thread Dave Kitabjian

Excellent. Thanks for the feedback!

Now for a follow-up question, if I may. We want to merge the LDAP
database for our Mail System with this LDAP db for Radiator, so that
they exist in the same database. 

* Are the Radiator LDAP entries able to coexist inside an LDAP database
along with other entries of a completely different type (such as mail
entries)? *

If so, how would such a schema look?

Thanks again, in advance!

Dave




(RADIATOR) SQL Timeout

2000-05-01 Thread Beth Morgan

Hi all,

We are running Radiator 2.15, using mysqld  Ver 3.22.29 for
freebsdelf3.3.  Every week or so I am having to reboot the machine when
it stops wanting to authenticate because of a SQL timeout.  Here's what
the log says:

--
Mon May  1 16:15:18 2000: ERR: do failed for 'insert into RADUSAGE
(USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME,
ACCTTERMINATECAUSE, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS,
CONNECTINFO) 
values 
('mgentry', 957211998, 2, 0, 5870, 917, '100729031', 36,
1, '12.20.159.237', '12.4.96.42', 1538, '', '28800_BPS')': SQL Timeout

--

When I ps auxw, I can see that mysqld is running.

Has anyone run into this and know how I can go about resolving it?

Also, is there any kind of monitoring software that anyone knows of that
can check Radiator maybe every minute to see that it's running - and
MySQL?  

Thanks,
Beth




(RADIATOR) 2 x start/stop records

2000-05-01 Thread Dean Brandt


Hi

For some reason Radiator is creating 2 x start and stop records
with identical times for each session. Any ideas why this would be
happening and a possible fix?

Regards

+---+
Dean Brandt - Technical Director
Cain Internet Services Pty Ltd ACN 091949405
Melbourne - Adelaide 
Ph/Fax: 61-3-95373699
Mobile: 0413247188
Flat Rate Satellite Access $29.95 per month
NO DOWNLOAD LIMIT
+---+







(RADIATOR) PostAuthHook and Vendor Attributes

2000-05-01 Thread Mike McCauley


--- Forwarded mail from [EMAIL PROTECTED]

Date: Tue, 2 May 2000 05:10:14 +1000 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Michael
Dustin [EMAIL PROTECTED]]

Date: Mon, 1 May 2000 14:55:41 -0400 (EDT)
From: Michael Dustin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PostAuthHook and Vendor Attributes

Hello,

I am working on a PostAuthHook that will give us more compact
logging but I have run into a problem.  I can get standard
attributes pretty easily by using the examples I have seen
in the Docs and the list.  However when I try to get Vendor
Specific Attributes I come up empty handed.  Can anyone give
me example code where they are pulling vendor specific
attributes using a hook ?? I have attached some code from my
hook.

my $p = ${$_[0]};
#These come through fine
my $username = $p->getAttrByNum($Radius::Radius::USER_NAME);
my $nasaddress = $p->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
my $ipaddress = $p->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS);
my $called = $p->getAttrByNum($Radius::Radius::CALLING_STATION_ID);
my $calling = $p->getAttrByNum($Radius::Radius::CALLED_STATION_ID);
my $nasport = $p->getAttrByNum($Radius::Radius::NAS_PORT);

#These "specific to Ascend Attributes" do not seem to be available
#using this code even though they do show up in the main logfile
#
my $shelfno = $r->getAttrByNum($Radius::Radius::ASCEND_MODEM_SHELFNO) ;
my $slotno = $r->getAttrByNum($Radius::Radius::ASCEND_MODEM_SLOTNO) ;
my $portno = $r->getAttrByNum($Radius::Radius::Ascend_Modem_PortNo) ;


-thanx
-dusty





---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
2000, NT, MacOS X