Re: (RADIATOR) cisco-avpair

2001-04-06 Thread Jesús M Díaz

Hi,

Try this at the Cisco:

 debug aaa per-user
 debug aaa authentication
 debug aaa negotiation

It is usually helpful.

Rgds.

On Fri, 6 Apr 2001 09:44:25 -0500, Mike McCauley wrote:


--- Forwarded mail from [EMAIL PROTECTED]

Date: Fri, 6 Apr 2001 01:10:25 +1000 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [Andrew [EMAIL PROTECTED]]

Date: Thu, 05 Apr 2001 11:47:24 -0300
From: Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: cisco-avpair

Hello,

I'm just trying to send DNS server information back to the client. The
logfile from RADIUS looks fine and appears to be sending the avpair to
the NAS, but the DNS server addresses are not appearing at the client. I
can't even see the DNS servers being sent when debugging IPCP
negotiation. Any ideas?

Thanks

users file:

test1@test	User-Password=test, Service-Type = Framed-User
	Framed-Protocol = PPP,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	cisco-avpair = "ip:dns-servers=19.2.2.2 19.7.7.7"

aaa authentication login local group radius
aaa authentication ppp default group radius
aaa authentication ppp vpdn group radius
aaa authorization network default if-authenticated
aaa accounting network default start-stop group radius

radius-server configure-nas
radius-server host radius server auth-port 1812 acct-port 1813
radius-server key **
radius-server vsa send accounting
radius-server vsa send authentication





---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Jesús M Díaz [EMAIL PROTECTED]

Telia Iberia, S.A.
Planificación y Diseño de Red (Network Planning and Design)
Tel: +34 91 623 2909
Fax: +34 91 623 2911






Re: (RADIATOR) cisco-avpair

2001-04-06 Thread Hugh Irvine


Hello Andrew -

I will need to see a trace 4 debug from Radiator, but I agree with you - it 
looks like Radiator is doing the right thing and sending the attribute.

You will probably need to run a debug on the Cisco to see what is happening 
at that end, and you may have to configure something to make the Cisco listen 
to the radius reply.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




(RADIATOR) (Radiator) Problem with dial-up users

2001-04-06 Thread Peter Srivaree-Ratana

Hi Hugh,

I need your help with Radiator 2.16.3's functionality. The customer has had
no problem with Radiator for a long time. Now only one user can log on at a
given time: the first user logs on, then the second one comes in. As soon as
the second one gets authenticated, the first one can no longer use any other
services.

After a long trace, we have found that the first user's PPP session is still
up; he can still ping but never gets the ICMP reply. The server that is pinged
actually sends back the reply. So it means that the first user's IP is no
longer routable. When the first user terminates the session, the "Stop"
request comes to Radiator from the RAS. This guarantees that the IP
connection between the RAS and Radiator is still OK.

1. Does Radiator disconnect users? As far as I know, it doesn't. Anything
else to check?

2. I see that the RADONLINE table inside MySQL is different. Before, it
contained all the online users. Now when the first user logs on, there will
be one record there. Then the second user comes in, the first user's record
will be deleted and the second user's record will be there instead. I found
something in the log:
"delete from RADONLINE where NASIDENTIFIER='10.178.24.57' and NASPORT=0"
This command will actually remove everybody from the RADONLINE table
because every record will come from the same NAS and will have the same
NASPORT.

I add this log for your info:
Access-Request packet:
[snip]
Thu Apr  5 14:37:26 2001: DEBUG: Check if Handler NAS-IP-Address=10.178.24.57 should be used to handle this request
Thu Apr  5 14:37:26 2001: DEBUG: Handling request with Handler 'NAS-IP-Address=10.178.24.57'
Thu Apr  5 14:37:26 2001: DEBUG: OnlineUser Adding session for ba, 10.178.24.57,
Thu Apr  5 14:37:26 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='10.178.24.57' and NASPORT=0

Thu Apr  5 14:37:26 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('ba', '10.178.24.57', 0, '313D0C90', 986452646, '10.171.194.31', '', '')

Thu Apr  5 14:37:26 2001: DEBUG: Handling with Radius::AuthGROUP
Thu Apr  5 14:37:26 2001: DEBUG: Handling with Radius::AuthLDAP2
Thu Apr  5 14:37:26 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Thu Apr  5 14:37:26 2001: DEBUG: Accounting accepted
Thu Apr  5 14:37:26 2001: DEBUG: Packet dump:


TIA,

Peter


=
P. Srivaree-Ratana





Re: (RADIATOR) (Radiator) Problem with dial-up users

2001-04-06 Thread Hugh Irvine


Hello Peter -

On Friday 06 April 2001 19:31, Peter Srivaree-Ratana wrote:
> Hi Hugh,
>
> I need your help with Radiator 2.16.3's functionality. The customer has had
> no problem with Radiator for a long time. Now only one user can log on at a
> given time: the first user logs on, then the second one comes in. As soon as
> the second one gets authenticated, the first one can no longer use any other
> services.


Which customer is this?

The obvious question is "what has changed?".

> After a long trace, we have found that the first user's PPP session is still
> up; he can still ping but never gets the ICMP reply. The server that is pinged
> actually sends back the reply. So it means that the first user's IP is no
> longer routable. When the first user terminates the session, the "Stop"
> request comes to Radiator from the RAS. This guarantees that the IP
> connection between the RAS and Radiator is still OK.


It sounds to me like a routing issue either on the RAS, or on the internal 
network leading to the RAS. What IP addresses are being used by the sessions 
on the RAS? Are they correct or are they broken?

> 1. Does Radiator disconnect users? As far as I know, it doesn't. Anything
> else to check?


Radiator does not disconnect users, the NAS does that - either because the 
user hangs up or because the NAS drops the session (timeout or modem dropout).

> 2. I see that the RADONLINE table inside MySQL is different. Before, it
> contained all the online users. Now when the first user logs on, there will
> be one record there. Then the second user comes in, the first user's record
> will be deleted and the second user's record will be there instead. I found
> something in the log:
> "delete from RADONLINE where NASIDENTIFIER='10.178.24.57' and NASPORT=0"

This is part of the problem - why is the NAS-Port attribute now 0? It should 
indicate the port number on the NAS to which the user is connected.

> This command will actually remove everybody from the RADONLINE table
> because every record will come from the same NAS and will have the same
> NASPORT.


As mentioned above, it is the NAS that is sending the wrong information. Has 
the software on the NAS, or the configuration on the NAS changed?

> I add this log for your info:
> Access-Request packet:
> [snip]
> Thu Apr  5 14:37:26 2001: DEBUG: Check if Handler NAS-IP-Address=10.178.24.57 should be used to handle this request
> Thu Apr  5 14:37:26 2001: DEBUG: Handling request with Handler 'NAS-IP-Address=10.178.24.57'
> Thu Apr  5 14:37:26 2001: DEBUG: OnlineUser Adding session for ba, 10.178.24.57,
> Thu Apr  5 14:37:26 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='10.178.24.57' and NASPORT=0
>
> Thu Apr  5 14:37:26 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('ba', '10.178.24.57', 0, '313D0C90', 986452646, '10.171.194.31', '', '')
>
> Thu Apr  5 14:37:26 2001: DEBUG: Handling with Radius::AuthGROUP
> Thu Apr  5 14:37:26 2001: DEBUG: Handling with Radius::AuthLDAP2
> Thu Apr  5 14:37:26 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
> Thu Apr  5 14:37:26 2001: DEBUG: Accounting accepted
> Thu Apr  5 14:37:26 2001: DEBUG: Packet dump:


You may also have a problem with the AuthBy DYNADDRESS - what is it giving as 
an IP address for a request?

I will need to see the configuration file (no secrets) together with a trace 
4 debug to see what is going on.

BTW - we have still not been paid for the extra work that I did for Telekom 
Malaysia when I saw you last. Could you perhaps ask Azahar what is going on? 
And perhaps you can send me Azahar's boss's email address so I can contact 
him directly to get some action on this issue.

Many thanks - when will you need me to come to KL again?

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

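The two SQL statements in Peter's trace, replayed against a small in-memory copy of RADONLINE, as an added example (this is not Radiator's own session-database code, and the table layout is reconstructed from the insert in the log). It runs the delete-then-insert pair for two logins from the same NAS, once with distinct NAS-Port values and once with NAS-Port 0 for both, to show why a NAS that reports port 0 for every session leaves only the most recent user in the table. The first row is the one from the trace; the second user `cd`, its session id and its IP address are constructed for the example.

```python
import sqlite3
from typing import List

NAS = "10.178.24.57"   # the NAS-IP-Address from the trace

# Column list taken from the insert statement in the log; types are assumptions.
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME        TEXT,
    NASIDENTIFIER   TEXT,
    NASPORT         INTEGER,
    ACCTSESSIONID   TEXT,
    TIME_STAMP      INTEGER,
    FRAMEDIPADDRESS TEXT,
    NASPORTTYPE     TEXT,
    SERVICETYPE     TEXT
)
"""


def open_session_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL RADONLINE table (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def add_session(db: sqlite3.Connection, username: str, nas: str, nas_port: int,
                session_id: str, timestamp: int, framed_ip: str) -> None:
    """The delete-then-insert pair from the trace. The delete is keyed on (NAS, NAS-Port):
    a port carries one session at a time, so whatever row is left on that port is stale.
    That assumption breaks as soon as the NAS reports the same port for every session."""
    db.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND NASPORT=?", (nas, nas_port))
    db.execute(
        "INSERT INTO RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,"
        " FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) VALUES (?, ?, ?, ?, ?, ?, '', '')",
        (username, nas, nas_port, session_id, timestamp, framed_ip),
    )
    db.commit()


def end_session(db: sqlite3.Connection, nas: str, session_id: str) -> None:
    """Accounting Stop: drop the row for that session id (keyed on the id, not the port)."""
    db.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND ACCTSESSIONID=?", (nas, session_id))
    db.commit()


def online_users(db: sqlite3.Connection, nas: str) -> List[str]:
    rows = db.execute("SELECT USERNAME FROM RADONLINE WHERE NASIDENTIFIER=? ORDER BY TIME_STAMP", (nas,))
    return [r[0] for r in rows]


def simulate(nas_ports: List[int], stop_first: bool = False) -> List[str]:
    """Two logins from the same NAS with the given NAS-Port values; optionally the first
    user then hangs up. Returns the usernames still listed as online."""
    db = open_session_db()
    add_session(db, "ba", NAS, nas_ports[0], "313D0C90", 986452646, "10.171.194.31")  # row from the trace
    add_session(db, "cd", NAS, nas_ports[1], "313D0C91", 986452700, "10.171.194.32")  # constructed second user
    if stop_first:
        end_session(db, NAS, "313D0C90")
    return online_users(db, NAS)


if __name__ == "__main__":
    print("distinct ports:", simulate([1, 2]))   # both users listed
    print("NAS-Port 0:    ", simulate([0, 0]))   # only the second user survives
```

The logged statement has the NAS address spliced into the SQL text; the values in these statements all come from attributes the NAS sends, so the example binds them as parameters instead. That is the example's choice, not a description of how Radiator builds its queries.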



Re: (RADIATOR) cisco-avpair

2001-04-06 Thread Andrew Cochran

Actually the only problem was I wasn't sending the "Service-Type" back to the
Cisco; it appears to be very picky about that VSA in the reply.

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "Andrew" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, April 06, 2001 3:51 AM
Subject: Re: (RADIATOR) cisco-avpair


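The reply Andrew ended up with (Service-Type plus the cisco-avpair) as it looks on the wire, as an added example that is not part of the original posts and is not Radiator's code. It encodes the reply items from the users file above into an Access-Accept per RFC 2865, computes the Response Authenticator with the shared secret, and parses the packet back the way a NAS would, including unpacking the Vendor-Specific attribute into the cisco-avpair string. The identifier, the request authenticator and the secret `testing123` are constructed test values; the attribute numbers, Cisco's enterprise id 9 and the cisco-avpair vendor-type 1 are the real ones. Note that Service-Type is a standard RFC 2865 attribute (type 6); only cisco-avpair travels inside the Vendor-Specific attribute.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

# RFC 2865 code and attribute types used below
ACCESS_ACCEPT = 2
SERVICE_TYPE = 6          # value 2 = Framed-User
FRAMED_PROTOCOL = 7       # value 1 = PPP
FRAMED_IP_NETMASK = 9
FRAMED_ROUTING = 10       # value 0 = None
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # Cisco vendor-type for cisco-avpair

NAMES = {SERVICE_TYPE: "Service-Type", FRAMED_PROTOCOL: "Framed-Protocol",
         FRAMED_IP_NETMASK: "Framed-IP-Netmask", FRAMED_ROUTING: "Framed-Routing"}


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, counts the header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """cisco-avpair as a Vendor-Specific attribute (RFC 2865 section 5.26):
    Type 26, Length, Vendor-Id (4 bytes), then Vendor-Type 1, Vendor-Length, String."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode("ascii")
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: List[bytes]) -> bytes:
    """Code, Identifier, Length, Response Authenticator, Attributes. The authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the authenticator with its copy of the secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet: bytes) -> List[Tuple[str, object]]:
    """Walk the attribute list, expanding the Cisco VSA back into its cisco-avpair string."""
    out: List[Tuple[str, object]] = []
    pos = 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = struct.unpack("!BB", value[4:6])
            if vendor_id == CISCO_VENDOR_ID and vendor_type == CISCO_AVPAIR and vendor_len == len(value) - 4:
                out.append(("cisco-avpair", value[6:].decode("ascii")))
            else:
                out.append(("Vendor-Specific", (vendor_id, vendor_type, value[6:])))
        elif attr_type == FRAMED_IP_NETMASK:
            out.append((NAMES[attr_type], ".".join(str(b) for b in value)))
        elif attr_type in NAMES:
            out.append((NAMES[attr_type], struct.unpack("!I", value)[0]))
        else:
            out.append((str(attr_type), value))
        pos += length
    return out


def build_reply(identifier: int, request_auth: bytes, secret: bytes, dns_servers: List[str],
                netmask: str = "255.255.255.255") -> bytes:
    """The reply items from the users file entry above, Service-Type included."""
    attrs = [
        avp(SERVICE_TYPE, struct.pack("!I", 2)),        # Framed-User
        avp(FRAMED_PROTOCOL, struct.pack("!I", 1)),     # PPP
        avp(FRAMED_IP_NETMASK, bytes(int(o) for o in netmask.split("."))),
        avp(FRAMED_ROUTING, struct.pack("!I", 0)),      # None
        cisco_avpair("ip:dns-servers=" + " ".join(dns_servers)),
    ]
    return access_accept(identifier, request_auth, secret, attrs)


def dns_servers_in(packet: bytes) -> List[str]:
    """The addresses the NAS would offer the PPP peer in IPCP, if it honours the avpair."""
    for name, value in parse_attributes(packet):
        if name == "cisco-avpair" and str(value).startswith("ip:dns-servers="):
            return str(value).split("=", 1)[1].split()
    return []


if __name__ == "__main__":
    # Constructed test values: a real request authenticator is 16 random bytes chosen by the NAS.
    req_auth = bytes(range(16))
    pkt = build_reply(7, req_auth, b"testing123", ["19.2.2.2", "19.7.7.7"])
    print(pkt.hex())
    print(parse_attributes(pkt))
    print("authenticator ok:", verify_response_authenticator(pkt, req_auth, b"testing123"))
```

The only thing that protects the reply from being forged or altered in transit is that MD5 over the shared secret, so the `radius-server key` configured on the Cisco deserves the same care as any other credential.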



(RADIATOR) Problems using Authby NT

2001-04-06 Thread c . w . vandervelden



Hello All,

I'd like to use AuthBy NT from a standalone W2K server. The problem is, Radiator does not authenticate accounts in other domains (either W2K or NT4, and either local or domain accounts). When I make drive mappings to these domains (using account x) it does authenticate account y (both local and domain accounts) in W2K environments. It does authenticate a local account y on a standalone NT4 server, but still no authentication to NT4 domains.

The following errors are shown in trace 4:

When trying to authenticate to an NT4 domain (without drive mappings):

Fri Apr 6 12:55:29 2001: INFO: Access rejected for velden01: NT GetAttributes failed: 1726: The remote procedure call failed.

When trying to authenticate to a W2K standalone server or domain (without drive mappings):

Thu Apr 5 11:10:09 2001: INFO: Access rejected for test_radius: NT GetAttributes failed: 1326: Logon failure: unknown user name or bad password.

When looking at network traces, I can see AuthBy NT tries to authenticate (if no drive mapping exists) by connecting to the IPC$ share with the account the Radiator process is running as. This is never going to work with Radiator running as a certain account and authenticating accounts in domains it has no trusts to.

When the drive mapping is available, the connection to this share (IPC$) is done first with an empty username and secondly with the username given to Radiator, and authentication works.

My RADIUS server has W2K + SP1, Perl 5.6.0 build 623, Radiator 2.18 including the latest AuthBy NT patch (April 2).

In my opinion it should be possible to authenticate using AuthBy NT with the RADIUS server not being part of any particular domain.

Does anybody have a clue?

Regards,
 Karel van der Velden

-
Karel van der Velden | telnr: +31 50 5881003
Peizerweg 156        | faxnr: +31 50 5883216
9727 AR Groningen    | e-mail: [EMAIL PROTECTED]
The Netherlands
DISCLAIMER: This statement is not an official statement from, nor does it represent an official position of, KPN Telecom
-



Re: (RADIATOR) Problems using Authby NT

2001-04-06 Thread Michael Audet



If you are running a Win2k domain then you should use AuthBy ADSI. Active
Directory Services should provide the same level of authentication as native
NT authentication mode.

-Michael Audet
Network Services
Chubb & Son

- Original Message - 

  From: 
  [EMAIL PROTECTED] 
  To: [EMAIL PROTECTED] 
  Sent: Friday, April 06, 2001 9:36 
AM
  Subject: (RADIATOR) Problems using Authby 
  NT