(RADIATOR) Re: dynaddress

2000-05-29 Thread Hugh Irvine


Hello Felipe -

On Tue, 30 May 2000, Felipe Salum wrote:
> Hi Hugh
> 
> My conf file:
> 
> 
> Identifier redeip
> DBSource dbi:Oracle:radius
> DBUsername 
> DBAuth 
> 
> 
> Subnetmask 255.255.255.0
> Range 200.187.208.1 200.187.208.254
> Range 200.187.209.1 200.187.209.254
> Range 200.187.210.1 200.187.210.254
> Range 200.187.211.1 200.187.211.254
> 
> 
> 
> 
> 
> DBSource dbi:Oracle:radius
> DBUsername xxx
> DBAuth xxx
> AuthSelect select PASSWORD from SUBSCRIBERS where ( USERNAME='%n' \
> or username = '%n'||'@zip.net') and ( status != '1' or \
> status is null )
> AuthColumnDef 0, Encrypted-Password, check
> ...
> <
> 
> Allocator redeip
> 
> 
> 
> 
> And the error:
> 
> Mon May 29 21:37:39 2000: DEBUG: Radius::AuthSQL looks for match with
> fsalum
> Mon May 29 21:37:39 2000: DEBUG: Radius::AuthSQL ACCEPT:
> Mon May 29 21:37:39 2000: DEBUG: Handling with Radius::AuthDYNADDRESS
> Mon May 29 21:37:39 2000: DEBUG: Query is: select YIADDR, SUBNETMASK,
> DNSSERVER from RADPOOL where POOL='' and STATE=0 order by
> TIME_STAMP
> Mon May 29 21:37:39 2000: ERR: Execute failed for 'select YIADDR,
> SUBNETMASK, DNSSERVER from RADPOOL where POOL='' and STATE=0 order by
> TIME_STAMP': ORA-03113: end-of-file on communication channel (DBD ERROR:
> OCIStmtExecute)
> Mon May 29 21:37:39 2000: INFO: Access rejected for fsalum: No available
> addresses
> Mon May 29 21:37:39 2000: DEBUG: Packet dump:
> 
> 
> Do I need to add all ipaddress to my radpool table or should the
> Radiator get it from my  line ??
> 

There are a couple of things here - first of all, there is nothing wrong with
the  declaration, although I'm not sure about your subnet
mask - you should do some experiments. 

The problem you have is that you are not specifying a PoolHint and so the
SQL query is failing because it is looking for nothing (POOL=''...). By default
the AddressAllocator SQL expects to use an attribute called PoolHint in the
reply packet, that should have been put there by a previous AuthBy. Have a look
at section 6.37.2 in the Radiator 2.16 reference manual. Also note that you
should strip the PoolHint reply attribute from the reply packet before sending
the packet to the NAS. See the example configuration file
"goodies/addressallocatorsql.cfg" for details.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
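
The arrangement Hugh describes, as an added sketch that is not part of the original mail or of the goodies file he mentions: an earlier AuthBy puts a PoolHint attribute into the reply, AuthBy DYNADDRESS uses it to select the pool, and the hint is stripped before the reply goes to the NAS. The pool name pool1, the placeholder credentials, the shortened AuthSelect and the single Range are assumptions made for the illustration.

```conf
# Added example (constructed); names and values are illustrative only.
<AddressAllocator SQL>
    Identifier redeip
    DBSource   dbi:Oracle:radius
    DBUsername xxx
    DBAuth     xxx
    # The pool name is what the allocator query matches against POOL
    <AddressPool pool1>
        # Mask and range as posted in the question
        Subnetmask 255.255.255.0
        Range 200.187.208.1 200.187.208.254
    </AddressPool>
</AddressAllocator>

<Realm DEFAULT>
    # Only go on to address allocation if authentication accepted
    AuthByPolicy ContinueWhileAccept

    <AuthBy SQL>
        DBSource   dbi:Oracle:radius
        DBUsername xxx
        DBAuth     xxx
        AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
        AuthColumnDef 0, Encrypted-Password, check
        # Put the hint into the reply so the query becomes POOL='pool1'
        AddToReply PoolHint=pool1
    </AuthBy>

    <AuthBy DYNADDRESS>
        AddressAllocator redeip
        # The default, written out: take the hint from the reply built so far
        PoolHint %{Reply:PoolHint}
        # PoolHint is internal bookkeeping; do not send it to the NAS
        StripFromReply PoolHint
    </AuthBy>
</Realm>
```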



(RADIATOR) dynaddress

2000-05-29 Thread Felipe Salum

Hi Hugh

My conf file:


Identifier redeip
DBSource dbi:Oracle:radius
DBUsername 
DBAuth 


Subnetmask 255.255.255.0
Range 200.187.208.1 200.187.208.254
Range 200.187.209.1 200.187.209.254
Range 200.187.210.1 200.187.210.254
Range 200.187.211.1 200.187.211.254





DBSource dbi:Oracle:radius
DBUsername xxx
DBAuth xxx
AuthSelect select PASSWORD from SUBSCRIBERS where ( USERNAME='%n' \
or username = '%n'||'@zip.net') and ( status != '1' or \
status is null )
AuthColumnDef 0, Encrypted-Password, check
...


Allocator redeip




And the error:

Mon May 29 21:37:39 2000: DEBUG: Radius::AuthSQL looks for match with
fsalum
Mon May 29 21:37:39 2000: DEBUG: Radius::AuthSQL ACCEPT:
Mon May 29 21:37:39 2000: DEBUG: Handling with Radius::AuthDYNADDRESS
Mon May 29 21:37:39 2000: DEBUG: Query is: select YIADDR, SUBNETMASK,
DNSSERVER from RADPOOL where POOL='' and STATE=0 order by
TIME_STAMP
Mon May 29 21:37:39 2000: ERR: Execute failed for 'select YIADDR,
SUBNETMASK, DNSSERVER from RADPOOL where POOL='' and STATE=0 order by
TIME_STAMP': ORA-03113: end-of-file on communication channel (DBD ERROR:
OCIStmtExecute)
Mon May 29 21:37:39 2000: INFO: Access rejected for fsalum: No available
addresses
Mon May 29 21:37:39 2000: DEBUG: Packet dump:


Do I need to add all ipaddress to my radpool table or should the
Radiator get it from my  line ??


Sorry for all questions..


Thanks again!

--
Felipe Bariani Salum
System Administrator
Zip.net







Re: (RADIATOR) [Fwd: Problem in 2.16 version]

2000-05-29 Thread Hugh Irvine


Hello Felipe -

On Tue, 30 May 2000, Felipe Salum wrote:
> I was running Radiator 2.14.1 and just upgraded to Radiator 2.16 because
> I need the new facility AuthBy DYNADDRESS.
> 
> So when I start it I'm having this error:
> 
> Mon May 29 13:39:45 2000: ERR: Unknown object 'SessionDatabase' in
> ./newrad.cfg line 38
> Mon May 29 13:39:45 2000: ERR: Unknown object 'Realm' in ./newrad.cfg
> line 56
> 
> Anyone know why?? It worked fine in 2.14 version..
> 
> ps: Do I need to add any IP address to the RADPOOL table ??
> 

If you are going to use AddressAllocator SQL you will need to define your IP
address pools either in your database directly, or with the AddressPool
parameter.

See sections 6.37 and 6.38 in the Radiator 2.16 reference manual.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.






Re: (RADIATOR) framed ip-netmask

2000-05-29 Thread Hugh Irvine


Hello Christian -

On Tue, 30 May 2000, [EMAIL PROTECTED] wrote:
> hello there,
> 
> using here cisco 3640 in the whole country as access server, for some reason
> the radius replies always with a framed-netmask of 255.255.255.0 instead
> of the configured "255.255.255.254"
> 
> is the reason may that i use static ips within the mysql ?
> 
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, Framed-IP-Address, reply
> AuthColumnDef 2, Simultaneous-Use, check
> 
> these are my authcolumns, should i maybe enter in the framed-ip-netmask
> always the subnet instead of:
> 
> AddToReply Service-Type = Framed-User,\
> Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.254,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
> 
> this listed reply field seems not to be working.
> and yes the framed-ip-netmask is in the dictionary list.
> 

See my other mail on this topic - I suspect the value 255.255.255.254 is not
valid in this context.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.






Re: (RADIATOR) ipass <-> radiator

2000-05-29 Thread Hugh Irvine


Hello Christian -

On Tue, 30 May 2000, [EMAIL PROTECTED] wrote:
> hi there,
> 
> i was trying to make the auth-module from ipass.
> ipass is successfully installed... after trying to compile i got following
> error. does someone know the reason ?
> 

Have you installed the IpassPerl software?

 http://www.open.com.au/radiator/downloads/IpassPerl-1.5.tar.gz 

Also note the release notes for Radiator 2.16 regarding iPASS.

"Due to changes in policy by iPASS, the preferred method of
interoperating with iPASS outbound is now to proxy to the iPASS radius
server. Altered documentation to suit."


> IpassPerl-1.5 > perl Makefile.PL 
> Note (probably harmless): No library found for -lip
> Note (probably harmless): No library found for -lssl
> Note (probably harmless): No library found for -lcrypto
> Writing Makefile for Ipass
> root@p700:/home/steger/ipass/IpassPerl-1.5 > make
> cc -c -I/usr/ipass/include -Dbool=char -DHAS_BOOL -I/usr/local/include -O2
> -pipe -DVERSION=\"1.5\" -DXS_VERSION=\"1.5\" -fpic
> -I/usr/lib/perl5/5.00503/i586-linux/CORE  Ipass.c
> Ipass.xs: In function `XS_Ipass_remote_auth':
> Ipass.xs:389: structure has no member named `called_number'
> Ipass.xs:389: structure has no member named `called_number'
> Ipass.xs:389: structure has no member named `called_number'
> Ipass.xs: In function `XS_Ipass_remote_auth_chap':
> Ipass.xs:446: structure has no member named `called_number'
> Ipass.xs:446: structure has no member named `called_number'
> Ipass.xs:446: structure has no member named `called_number'
> Ipass.xs: In function `XS_Ipass_remote_acct':
> Ipass.xs:517: structure has no member named `called_number'
> Ipass.xs:517: structure has no member named `called_number'
> Ipass.xs:517: structure has no member named `called_number'
> Ipass.xs:520: structure has no member named `called_number'
> Ipass.xs:520: structure has no member named `called_number'
> Ipass.xs:520: structure has no member named `called_number'
> make: *** [Ipass.o] Error 1
> 
> the second question here:
> in fact that hopefully the module is working well, can i simply add it in
> but it between my REALM DEFAULT ?
> 
> after ?
> 
> like:
> 
>  
> 
> should that work ?
> 

It is more usual to use Realms when implementing roaming, something like this:













or






This is because the outbound requests must have userids of the form

[EMAIL PROTECTED]

If you are not using Realms currently for your own users, you can use the
DefaultRealm construct in your Client clauses to append it.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.






Re: (RADIATOR) question about reply

2000-05-29 Thread Hugh Irvine


Hello Christian -

On Mon, 29 May 2000, Christian Steger wrote:
> hi there,
> 
> all our customers get instead of 255.255.255.254 , 255.255.255.0 as 
> subnetmask ?
> 
> any idea why ?
> 
> my config as following:
> 
>  AddToReply Service-Type = Framed-User,\
>  Framed-Protocol = PPP,\
>  Framed-IP-Netmask = 255.255.255.254,\
>  Framed-Routing = None,\
>  Framed-MTU = 1500,\
>  Framed-Compression = Van-Jacobson-TCP-IP

You will have to run Radiator with a trace 4 debug to see what is actually
being sent in the Access-Accept. If the correct Framed-IP-Netmask is being
sent, but the NAS is not honouring the value, it is either because of the NAS
configuration (or possibly a bug ...). It also may be that the value that you
are sending is inconsistent. Normally 255.255.255.254 is not a valid subnet
mask, if you are wanting to allocate single IP addresses that appear as part of
a NAS subnet, you would use 255.255.255.255 (host address) and if you are
wanting to configure a point to point link with addresses at each end, you
would use a subnet mask of 255.255.255.252.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
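
The mask arithmetic behind Hugh's answer, as an added example that is not part of the original mail: it classifies a Framed-IP-Netmask under the classic rule that reserves the network and broadcast addresses. It goes slightly beyond the three masks he names by handling any mask, given as dotted-quad text or as 4 raw bytes; the function names and the joined sample string are constructed for the illustration.

```python
import re
import struct

# AddToReply value from the original post, with the "\" continuations joined
SAMPLE_ADD_TO_REPLY = (
    "Service-Type = Framed-User, Framed-Protocol = PPP, "
    "Framed-IP-Netmask = 255.255.255.254, Framed-Routing = None, "
    "Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP"
)


def parse_mask(value):
    """Return the mask as a 32-bit int from dotted-quad text or 4 raw bytes."""
    if isinstance(value, bytes):
        if len(value) != 4:
            raise ValueError("binary ipaddr must be exactly 4 bytes")
        return struct.unpack("!I", value)[0]
    parts = value.strip().split(".")
    ok = len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    )
    if not ok:
        raise ValueError("not a dotted-quad: %r" % value)
    return struct.unpack("!I", bytes(int(p) for p in parts))[0]


def prefix_length(mask):
    """Prefix length of the mask, or None if its 1-bits are not contiguous."""
    host_bits = ~mask & 0xFFFFFFFF
    # A valid mask has host bits of the form 0...01...1, so adding one
    # produces a single carry bit that shares no position with them.
    if host_bits & (host_bits + 1):
        return None
    return 32 - host_bits.bit_length()


def classify(value):
    """Return (prefix, usable_hosts, description) under the classic rule.

    RFC 3021 (December 2000) later permitted /31 on point-to-point links;
    this models the rule as it stood when the thread was written.
    """
    plen = prefix_length(parse_mask(value))
    if plen is None:
        return (None, 0, "invalid: 1-bits are not contiguous")
    if plen == 32:
        return (32, 1, "host address")
    usable = (1 << (32 - plen)) - 2  # minus network and broadcast
    if plen == 31:
        return (31, 0, "no usable address once network and broadcast are reserved")
    if plen == 30:
        return (30, 2, "point-to-point link, one address per end")
    return (plen, usable, "subnet")


def audit_add_to_reply(text):
    """Classify the Framed-IP-Netmask found in an AddToReply value, or None."""
    m = re.search(r"Framed-IP-Netmask\s*=\s*([0-9.]+)", text)
    return classify(m.group(1)) if m else None


if __name__ == "__main__":
    for mask in ("255.255.255.254", "255.255.255.255", "255.255.255.252",
                 "255.255.255.0", b"\xff\xff\xff\xfc"):
        print(mask, classify(mask))
    print(audit_add_to_reply(SAMPLE_ADD_TO_REPLY))
```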






(RADIATOR) ipass <-> radiator

2000-05-29 Thread christian.steger


hi there,

i was trying to make the auth-module from ipass.
ipass is successfully installed... after trying to compile i got following
error. does someone know the reason ?

IpassPerl-1.5 > perl Makefile.PL 
Note (probably harmless): No library found for -lip
Note (probably harmless): No library found for -lssl
Note (probably harmless): No library found for -lcrypto
Writing Makefile for Ipass
root@p700:/home/steger/ipass/IpassPerl-1.5 > make
cc -c -I/usr/ipass/include -Dbool=char -DHAS_BOOL -I/usr/local/include -O2
-pipe -DVERSION=\"1.5\" -DXS_VERSION=\"1.5\" -fpic
-I/usr/lib/perl5/5.00503/i586-linux/CORE  Ipass.c
Ipass.xs: In function `XS_Ipass_remote_auth':
Ipass.xs:389: structure has no member named `called_number'
Ipass.xs:389: structure has no member named `called_number'
Ipass.xs:389: structure has no member named `called_number'
Ipass.xs: In function `XS_Ipass_remote_auth_chap':
Ipass.xs:446: structure has no member named `called_number'
Ipass.xs:446: structure has no member named `called_number'
Ipass.xs:446: structure has no member named `called_number'
Ipass.xs: In function `XS_Ipass_remote_acct':
Ipass.xs:517: structure has no member named `called_number'
Ipass.xs:517: structure has no member named `called_number'
Ipass.xs:517: structure has no member named `called_number'
Ipass.xs:520: structure has no member named `called_number'
Ipass.xs:520: structure has no member named `called_number'
Ipass.xs:520: structure has no member named `called_number'
make: *** [Ipass.o] Error 1

the second question here:
in fact that hopefully the module is working well, can i simply add it in
but it between my REALM DEFAULT ?

after ?

like:

 

should that work ?



christian steger 





(RADIATOR) [Fwd: Problem in 2.16 version]

2000-05-29 Thread Felipe Salum


I was running Radiator 2.14.1 and just upgraded to Radiator 2.16 because
I need the new facility AuthBy DYNADDRESS.

So when I start it I'm having this error:

Mon May 29 13:39:45 2000: ERR: Unknown object 'SessionDatabase' in
./newrad.cfg line 38
Mon May 29 13:39:45 2000: ERR: Unknown object 'Realm' in ./newrad.cfg
line 56

Anyone know why?? It worked fine in 2.14 version..

ps: Do I need to add any IP address to the RADPOOL table ??

Thanks!!

--
Felipe Bariani Salum
System Administrator
Zip.net




(RADIATOR) framed ip-netmask

2000-05-29 Thread christian.steger


hello there,

using here cisco 3640 in the whole country as access server, for some reason
the radius replies always with a framed-netmask of 255.255.255.0 instead
of the configured "255.255.255.254"

is the reason may that i use static ips within the mysql ?

AuthColumnDef 0, User-Password, check
AuthColumnDef 1, Framed-IP-Address, reply
AuthColumnDef 2, Simultaneous-Use, check

these are my authcolumns, should i maybe enter in the framed-ip-netmask
always the subnet instead of:

AddToReply Service-Type = Framed-User,\
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.254,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP

this listed reply field seems not to be working.
and yes the framed-ip-netmask is in the dictionary list.

any ideas ?

thanks!


Christian



--
Inode.Internet ++ Christian Steger





patch: Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-29 Thread Christian Hammers

Hello

Thanks for the suggestions to my problem but here's the patch which 
*really* solves it:

Symptom:
  logfile: LDAP got radiuscisco-avpair: ip:idletime=89 ip:addr=1.2.3.4
  output:  cisco-avpair = "ip:idletime=89" (and no more)

Reason:
  For some strange reason there's always only the first element of the 
  return array used.

Patch:
--- AuthLDAP2.pm.orig   Mon May 29 16:17:16 2000
+++ AuthLDAP2.pmMon May 29 16:27:58 2000
@@ -408,7 +408,12 @@
 }
else
{
-   $user->get_reply->add_attr($attrib, $vals[0]);
+   # Sometimes we like to have more than one attribute 
+with
+   # the same name.
+   my($value);
+   foreach $value (@vals) {
+   $user->get_reply->add_attr($attrib, $value);
+   }
}
}
}
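
Review bot: the comment added in the else branch is line-wrapped, so "with" sits on a "+" line of its own and would be applied to AuthLDAP2.pm as a bare word of code rather than as comment text; rejoin it onto the preceding "#" line or give it its own "#". The "+++" header also has the file name run into the timestamp ("AuthLDAP2.pmMon"), which suggests tabs were lost in transit, so the patch is safer sent as an attachment. In the loop, "foreach my $value (@vals)" would replace the separate "my($value);". Every value in @vals is now added for every attribute that reaches this branch, so a single-valued reply attribute that comes back from LDAP with several values will be sent several times; if that is intended, the new comment should say so.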

(BTW: Mike, your indent-style is horrible :-))

bye,

 -christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren         Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879




(RADIATOR) question about reply

2000-05-29 Thread Christian Steger



hi there,

all our customers get instead of 255.255.255.254 , 255.255.255.0 as 
subnetmask ?

any idea why ?

my config as following:

 AddToReply Service-Type = Framed-User,\
 Framed-Protocol = PPP,\
 Framed-IP-Netmask = 255.255.255.254,\
 Framed-Routing = None,\
 Framed-MTU = 1500,\
 Framed-Compression = Van-Jacobson-TCP-IP


thanks


christian steger

--
Inode.Internet ++ Christian Steger






(RADIATOR) Radiator 2.16 released

2000-05-29 Thread Mike McCauley

We are pleased to announce the release of Radiator 2.16.
2.16 includes some significant new features such as IP address allocation, and
a number of fixes.

Existing customers can download the new version from
http://www.open.com.au/radiator/downloads/Radiator-2.16.tgz

Current evaluators can download the new version from
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-2.16.tgz

Excerpt from the history file follows:

Revision 2.16 (19/5/00)

Added totals of sessions, time, octets and packets to the user page in
radacct.cgi.

Session-Timeout as a reply item can now take a value "until Time"
which calculates the session timeout until the end of the permitted time
period defined by a Time check item.

Added Auth-Type=Accept, code contributed by David Daney
([EMAIL PROTECTED]). Thanks David.

Added PreProcessingHook to Handlers, which fires before accounting log
files etc are written. Code contributed by David Daney
([EMAIL PROTECTED]). Thanks David.

AddToReplyIfNotExist parameter with multiple attr=val, and with white
space before the attribute name would not be parsed properly,
resulting in a "Bad attribute=value pair:" error message.

Simultaneous-Use would sometimes check the wrong user name for excess
sessions when RewriteUsername or Prefix or Suffix was involved.

Fixes so that multiple DEFAULT users with Prefixes and/or Suffixes
won't strip the user name for the following DEFAULT. Contributed by
David Daney ([EMAIL PROTECTED])

Added new module that does logging to a Platypus and RadiusNT
compatible message log table.

Testing with Windows 2000.

Fixed radpwtst -gui to work with Tk800.018 and better.

Fixed a bug in AuthLDAPSDK.pm, that produces the following error:
Global symbol "@vals" requires explicit package name at
Radius/AuthLDAPSDK.pm line 256,  chunk 39. Reported by Bradley
Clayton ([EMAIL PROTECTED])

Workaround in AuthRADKEY.pm for problems with password lengths on some
MAXen.

Reinstated the changes that make %a get the Framed-IP-Address from the
reply packet instead of the request, and to take ma.overdue into
account in AuthBy EMERALD. These changes were inadvertently lost
from the 2.15 distribution.

Changes to all SQL based modules to fix an infrequent problem with
Sybase on some platforms, and in some environments. Some versions
would sometimes hang during the SQL finish operation, which was not
protected by timeout.

DefaultRealm now only adds the realm if there actually was a User-Name
present in the request. Requests without a User-Name will not now have
a fake User-Name added.

Added cisco-h323* entries to the standard dictionary for Cisco VOIP.

The password log for CHAP logins now shows "UNKNOWN-CHAP", instead of
"UNKNOWN", to help distinguish from the case where there is no
password in the request.

Added SessNULL.pm to the distribution, contributed by Daniel Senie
([EMAIL PROTECTED]). Thanks Daniel. SessNULL.pm provides a session
database that does not store any session details and always permits
multiple logins. Useful for very large user populations where there is
no multiple-login prevention required: this will require much less
memory than SessINTERNAL.

Added support for HoldServerConnection, plus disconnection after each
request to AuthBy LDAPSDK, at the request of Thomas Braber
([EMAIL PROTECTED]).

Special formatting can now refer to any attribute in the current reply
with %{Reply:attributename}

Check items can now refer to attributes in the currently constructed
reply. This can be useful for adding more reply items, depending on
the reply items that are already there. For example, you might set a
Profile pseudo attribute in an AuthBy and in a following AuthBy, add
some real reply attributes that depend on the value of the Profile you
added before.

Added support for IP address allocation, and a specific SQL
implementation. See goodies/addressallocator.cfg for examples on how
to use. STOP PRESS: minor changes in database schema since the 2.16
alpha release. Alpha testers will have to recreate their RADPOOL
table.

Fixed algorithm for computing port index for Total Control SNMP access
checking. Contributed by Aaron Nabil ([EMAIL PROTECTED]). Thanks
Aaron.

Fixed a problem with AuthAttrDef in AuthBy LDAP and LDAP2.

Added the -p switch to builddbm to print out a flat file
equivalent. Contributed by Joost Stegeman ([EMAIL PROTECTED]).  Thanks
Joost.

ipaddr type attributes can now be specified as a 4 byte string, as
well as dotted-quad notation. Useful for putting IP addresses and
netmasks in databases as binary instead of strings. Suggested by Mike
Nerone ([EMAIL PROTECTED]).

Updated GRIC Roaming attributes in various dictionaries.

Log SQL and AuthBy RADMIN now permit LogQuery parameters to configure the
query used to insert into the log table database.

AuthBy DBFILE and SessionDatabase DBM now support a DBType parameter,
allowing you to specify the type of DBM database to use.

AuthBy RADMIN was incorrectly logging all level log messages. Now it
honours