RE: (RADIATOR) desperate: NAS port restrictions...
Hello Brian -

On Sun, 30 Apr 2000, Brian Keefe wrote:
> Another couple questions:
>
> I want to apply a NAS-Address-Port-List filter to all AuthBy clauses in a Realm. I was able to do this as follows:
>
> <Handler NAS-Address-Port-List = %{GlobalVar:sportbrain_portlist_file}>
>     <AuthBy ...>
>     <AuthBy ...>
> </Handler>
>
> Is this the only way to do this?

This is probably the best way to do it.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) rejection precedence
Hello Brian -

On Sun, 30 Apr 2000, Brian Keefe wrote:
> The following outlines the test I wrote:
>
> AuthByPolicy ContinueWhileReject
> <AuthBy FILE>
>     Filename %{GlobalVar:sportbrain_reject_file}
> </AuthBy>
> <AuthBy FILE>
>     Filename %{GlobalVar:sportbrain_password_file}
> </AuthBy>
>
> In the reject file:
> reject User-Password="reject", Auth-Type="Reject:discontinued service"
>
> In the password file:
> reject User-Password="reject"
>
> The user reject always PASSES. If I copy the line from the reject file and put it in the password file, rejection happens. Or, if I change "Reject" to "Ignore" in the password file, I get a No Reply message. Or, if I change Reject to Ignore in the reject file, I get a No Reply message. These events suggest to me that the explicit rejection is not treated differently than other rejections.

I would be interested in knowing what version of Radiator you are running, and I would like to see the trace 4 debug from the above tests to see exactly what is happening. It sounds like you may have a DEFAULT that is catching the request.

> In addition, I am not getting the msg at the client if I have an Auth-Type of "Reject:msg". I am using mostly default behavior in the radpwtst client. For this reason it was hard to determine what caused my rejection. This prompted use of the Ignore Auth-Type to differentiate causes of rejection.

You will need to set the Handler parameter "RejectHasReason". Our apologies as this is not currently in the manual (it will be fixed in the next release).

thanks

Hugh
(RADIATOR) AuthBy LDAP2: support for OpenLDAP?
Regarding:

http://www.open.com.au/radiator/ref.html#pgfId=369888

The docs say:

"AuthBy LDAP2 works with the newer Net::LDAP module version in perl-ldap-0.09 or better (Available from CPAN). It is implemented in AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted connections to the LDAP server."

There is no mention of OpenLDAP, which is what we plan to use. However, there is a mention of it on:

http://www.open.com.au/radiator/details.html

So I assume that's just an omission? Does anyone have it running with OpenLDAP?

Thanks for your input!

Dave
Re: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?
Dave,

It works perfectly with OpenLDAP. OpenLDAP is based on the U of M code.

- Joost.

Dave Kitabjian wrote:
> Regarding:
>
> http://www.open.com.au/radiator/ref.html#pgfId=369888
>
> The docs say:
>
> "AuthBy LDAP2 works with the newer Net::LDAP module version in perl-ldap-0.09 or better (Available from CPAN). It is implemented in AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted connections to the LDAP server."
>
> There is no mention of OpenLDAP, which is what we plan to use. However, there is a mention of it on:
>
> http://www.open.com.au/radiator/details.html
>
> So I assume that's just an omission? Does anyone have it running with OpenLDAP?
>
> Thanks for your input!
>
> Dave

--
Joost Stegeman
Service Developer Integration Services
KPN OVN BBT/IP Integration Services
tel. 070 - 371 37 83
fax. 070 - 371 26 38
E-mail: [EMAIL PROTECTED]
RE: (RADIATOR) rejection precedence
Thanks for the followup.

We are running Radiator 2.15.

What is the syntax for setting RejectHasReason in the handler?

Here is the trace output I think you wanted. It appears the user is getting explicitly rejected in the first file, but accepted by the last file.

-- Brian

    Mon May 1 07:45:12 2000: DEBUG: Reading users file /home/radius/etc/sportbrain_reject_file
    Mon May 1 07:45:12 2000: DEBUG: AuthSBAUTH loaded
    Mon May 1 07:45:12 2000: DEBUG: New Radius::AuthSBAUTH constructed
    Mon May 1 07:45:12 2000: DEBUG: Reading users file /home/radius/etc/sportbrain_password_file
    Mon May 1 07:45:12 2000: INFO: Server started: Radiator 2.15
    Mon May 1 07:45:13 2000: DEBUG: Packet dump:
    *** Received from 192.168.1.8 port 1127
    Code: Access-Request
    Identifier: 80
    Authentic: 1234567890123456
    Attributes:
        User-Name = "cmgi"
        Service-Type = Framed-User
        NAS-IP-Address = 206.173.119.101
        NAS-Port = 1645
        NAS-Port-Type = Async
        User-Password = "291710G[17924713320523170213^125_ "

    Mon May 1 07:45:13 2000: DEBUG: Check if Handler NAS-Address-Port-List = %{GlobalVar:sportbrain_portlist_file} should be used to handle this request
    Mon May 1 07:45:13 2000: DEBUG: NAS-Address-Port-List: reading /home/radius/etc/sportbrain_portlist_file
    Mon May 1 07:45:13 2000: DEBUG: Handling request with Handler 'NAS-Address-Port-List = %{GlobalVar:sportbrain_portlist_file}'
    Mon May 1 07:45:13 2000: DEBUG: Deleting session for cmgi, 206.173.119.101, 1645
    Mon May 1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
    Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE looks for match with cmgi
    Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
    Mon May 1 07:45:13 2000: INFO: AuthSBAUTH handle_request: Received from 192.168.1.8 port 1127
    Mon May 1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
    Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE looks for match with cmgi
    Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE ACCEPT:
    Mon May 1 07:45:13 2000: DEBUG: Access accepted for cmgi
    Mon May 1 07:45:13 2000: DEBUG: Packet dump:
    *** Sending to 192.168.1.8 port 1127
    Code: Access-Accept
    Identifier: 80
    Authentic: 1234567890123456

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Hugh Irvine
Sent: Monday, May 01, 2000 12:22 AM
To: Brian Keefe; [EMAIL PROTECTED]
Subject: RE: (RADIATOR) rejection precedence

Hello Brian -

On Sun, 30 Apr 2000, Brian Keefe wrote:
> The following outlines the test I wrote:
>
> AuthByPolicy ContinueWhileReject
> <AuthBy FILE>
>     Filename %{GlobalVar:sportbrain_reject_file}
> </AuthBy>
> <AuthBy FILE>
>     Filename %{GlobalVar:sportbrain_password_file}
> </AuthBy>
>
> In the reject file:
> reject User-Password="reject", Auth-Type="Reject:discontinued service"
>
> In the password file:
> reject User-Password="reject"
>
> The user reject always PASSES. If I copy the line from the reject file and put it in the password file, rejection happens. Or, if I change "Reject" to "Ignore" in the password file, I get a No Reply message. Or, if I change Reject to Ignore in the reject file, I get a No Reply message. These events suggest to me that the explicit rejection is not treated differently than other rejections.

I would be interested in knowing what version of Radiator you are running, and I would like to see the trace 4 debug from the above tests to see exactly what is happening. It sounds like you may have a DEFAULT that is catching the request.

> In addition, I am not getting the msg at the client if I have an Auth-Type of "Reject:msg". I am using mostly default behavior in the radpwtst client. For this reason it was hard to determine what caused my rejection. This prompted use of the Ignore Auth-Type to differentiate causes of rejection.

You will need to set the Handler parameter "RejectHasReason". Our apologies as this is not currently in the manual (it will be fixed in the next release).

thanks

Hugh
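The pattern visible in the trace above (an AuthBy logs REJECT_IMMEDIATE, a later AuthBy accepts, and the request ends with "Access accepted") can be searched for in trace 4 logs. The following is an added example, not part of the original messages and not Radiator code; the function name is hypothetical and the log lines for users other than cmgi are constructed.

```python
import re

# "<timestamp>: <LEVEL>: <message>" as it appears in the trace above
LINE = re.compile(r"^(\w{3} \w{3}\s+\d+ [\d:]{8} \d{4}): (\w+): (.*)$")
LOOKUP = re.compile(r"^(\S+) looks for match with (\S+)$")
REJECT = re.compile(r"^(\S+) REJECT_IMMEDIATE: (.*)$")
ACCEPT = re.compile(r"^Access accepted for (\S+)$")

# The cmgi request uses lines from the trace above; the alice and bob
# requests are constructed for this example.
SAMPLE = """\
Mon May 1 07:45:13 2000: DEBUG: Packet dump:
Mon May 1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE looks for match with cmgi
Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon May 1 07:45:13 2000: DEBUG: Handling with Radius::AuthFILE
Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE looks for match with cmgi
Mon May 1 07:45:13 2000: DEBUG: Radius::AuthFILE ACCEPT:
Mon May 1 07:45:13 2000: DEBUG: Access accepted for cmgi
Mon May 1 07:45:13 2000: DEBUG: Packet dump:
Mon May 1 07:46:02 2000: DEBUG: Packet dump:
Mon May 1 07:46:02 2000: DEBUG: Radius::AuthFILE looks for match with alice
Mon May 1 07:46:02 2000: DEBUG: Radius::AuthFILE ACCEPT:
Mon May 1 07:46:02 2000: DEBUG: Access accepted for alice
Mon May 1 07:47:10 2000: DEBUG: Packet dump:
Mon May 1 07:47:10 2000: DEBUG: Radius::AuthFILE looks for match with bob
Mon May 1 07:47:10 2000: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
"""

def find_overridden_rejects(text):
    """Return accepts that followed an explicit reject in the same request."""
    findings, current, pending = [], None, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # packet dump body and other continuation lines
        stamp, _level, msg = m.groups()
        lookup, reject, accept = LOOKUP.match(msg), REJECT.match(msg), ACCEPT.match(msg)
        if msg.startswith("Packet dump:"):
            current, pending = None, {}  # a packet boundary ends the request
        elif lookup:
            current = lookup.group(2)  # user the AuthBy is evaluating
        elif reject and current:
            pending[current] = reject.groups()  # (module, reason)
        elif accept and accept.group(1) in pending:
            module, reason = pending.pop(accept.group(1))
            findings.append({"time": stamp, "user": accept.group(1),
                             "rejected_by": module, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_overridden_rejects(SAMPLE):
        print("{time}: {user} accepted after {rejected_by}: {reason}".format(**f))
```

Only the cmgi request is reported: alice was never rejected, and bob's explicit reject is not followed by an accept.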
(RADIATOR) Accounting database retry aggressiveness...
Last Friday, the server that houses our Rodopi database had a massive hardware failure. As of yet, I am not 100% sure just what the extent of the damage is. Most of the server was replaced just to get it back online as quickly as possible. To make a long story short, it was down for 6 days.

Our Radiator Radius server reports accounting data to the aforementioned Rodopi database. Authentication is pulled off of a Linux MySQL server, so our users were still able to connect. Ironically enough, even though Rodopi has provisions for serving up Radius right from its own database, I chose to serve Radius from a separate server out of concern for "What if the Rodopi machine goes down?".

Once the Rodopi machine got back online, one of the NT admins noticed that radiusd was no longer connecting and reporting accounting data. I sent a -HUP to radiusd...nothing. Only after completely killing and restarting radiusd did it resume reporting accounting data to the Rodopi database.

I'm just curious what the timeouts and/or aggressiveness of the accounting database connectivity is?

Also...While I'm on the subject of database connectivity, this same NT admin noticed and commented on how radiusd connects and stays connected to the Rodopi database constantly. He is of the opinion that radiusd (and any other clients, for that matter) should connect and disconnect for every query/write. He feels that performance is not an issue since database servers are designed to, and expect to, take rapid connects, queries/writes and disconnects. "That's their job.", he says.

Though I have an opinion on the subject, I promised I would just pose the question to the list and see what you guys had to say. What about you, Hugh? What is the official word from the development team on this issue?

-Danny
RE: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?
Excellent. Thanks for the feedback!

Now for a follow-up question, if I may. We want to merge the LDAP database for our Mail System with this LDAP db for Radiator, so that they exist in the same database.

* Are the Radiator LDAP entries able to coexist inside an LDAP database along with other entries of a completely different type (such as mail entries)?

* If so, how would such a schema look?

Thanks again, in advance!

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joost Stegeman
Sent: Monday, May 01, 2000 11:06 AM
To: Dave Kitabjian
Cc: '[EMAIL PROTECTED]'
Subject: Re: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?

Dave,

It works perfectly with OpenLDAP. OpenLDAP is based on the U of M code.

- Joost.

Dave Kitabjian wrote:
> Regarding:
>
> http://www.open.com.au/radiator/ref.html#pgfId=369888
>
> The docs say:
>
> "AuthBy LDAP2 works with the newer Net::LDAP module version in perl-ldap-0.09 or better (Available from CPAN). It is implemented in AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted connections to the LDAP server."
>
> There is no mention of OpenLDAP, which is what we plan to use. However, there is a mention of it on:
>
> http://www.open.com.au/radiator/details.html
>
> So I assume that's just an omission? Does anyone have it running with OpenLDAP?
>
> Thanks for your input!
>
> Dave

--
Joost Stegeman
Service Developer Integration Services
KPN OVN BBT/IP Integration Services
tel. 070 - 371 37 83
fax. 070 - 371 26 38
E-mail: [EMAIL PROTECTED]
(RADIATOR) SQL Timeout
Hi all,

We are running Radiator 2.15, using mysqld Ver 3.22.29 for freebsdelf3.3. Every week or so I am having to reboot the machine when it stops wanting to authenticate because of a SQL timeout. Here's what the log says:

--
    Mon May 1 16:15:18 2000: ERR: do failed for 'insert into RADUSAGE (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME, ACCTTERMINATECAUSE, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS, CONNECTINFO) values ('mgentry', 957211998, 2, 0, 5870, 917, '100729031', 36, 1, '12.20.159.237', '12.4.96.42', 1538, '', '28800_BPS')': SQL Timeout
--

When I ps auxw, I can see that mysqld is running. Has anyone run into this and know how I can go about resolving it?

Also, is there any kind of monitoring software that anyone knows of that can check Radiator maybe every minute to see that it's running - and MySQL?

Thanks,
Beth
(RADIATOR) 2 x start/stop records
Hi

For some reason Radiator is creating 2 x start and stop records with identical times for each session. Any ideas why this would be happening and a possible fix?

Regards

+---+
Dean Brandt - Technical Director
Cain Internet Services Pty Ltd
ACN 091949405
Melbourne - Adelaide
Ph/Fax: 61-3-95373699
Mobile: 0413247188
Flat Rate Satellite Access $29.95 per month
NO DOWNLOAD LIMIT
+---+
(RADIATOR) PostAuthHook and Vendor Attributes
--- Forwarded mail from [EMAIL PROTECTED]

Date: Tue, 2 May 2000 05:10:14 +1000 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Michael Dustin [EMAIL PROTECTED]]

Date: Mon, 1 May 2000 14:55:41 -0400 (EDT)
From: Michael Dustin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PostAuthHook and Vendor Attributes

Hello,

I am working on a PostAuthHook that will give us more compact logging but I have run into a problem. I can get standard attributes pretty easily by using the examples I have seen in the Docs and the list. However when I try to get Vendor Specific Attributes I come up empty handed. Can anyone give me example code where they are pulling vendor specific attributes using a hook?

I have attached some code from my hook.

    my $p = ${$_[0]};

    # These come through fine
    my $username   = $p->getAttrByNum($Radius::Radius::USER_NAME);
    my $nasaddress = $p->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
    my $ipaddress  = $p->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS);
    my $called     = $p->getAttrByNum($Radius::Radius::CALLED_STATION_ID);
    my $calling    = $p->getAttrByNum($Radius::Radius::CALLING_STATION_ID);
    my $nasport    = $p->getAttrByNum($Radius::Radius::NAS_PORT);

    # These "specific to Ascend Attributes" do not seem to be available
    # using this code even though they do show up in the main logfile
    #
    my $shelfno = $r->getAttrByNum($Radius::Radius::ASCEND_MODEM_SHELFNO);
    my $slotno  = $r->getAttrByNum($Radius::Radius::ASCEND_MODEM_SLOTNO);
    my $portno  = $r->getAttrByNum($Radius::Radius::Ascend_Modem_PortNo);

-thanx
-dusty

---End of forwarded mail from [EMAIL PROTECTED]

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985
Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 2000, NT, MacOS X