(RADIATOR) Re: two authby clauses

2001-08-29 Thread Hugh Irvine


Hello Lloyd -

What exactly are you trying to do?

thanks

Hugh

On Wednesday 29 August 2001 14:28, lloyd wrote:
 hi,
 how do i configure radiator in such a way that before it proxies to
 another radius server, it checks for the Called-Station-Id in say a flat
 file or a database?


 will this work (file based with only one field: telephonenumbers).

 <AuthBy FILE>
   Identifier calledstationid
   FileName %d/Called-Station-ID
 </AuthBy>

 <AuthBy RADIUS>
   Identifier radiusproxy
   Host ***.***.***.***
   Secret **
   AuthPort 
   AcctPort 
 </AuthBy>

 <Realm>
   AuthByPolicy ContinueAlways
   AuthBy calledstationid
   AuthBy radiusproxy
 </Realm>


 Lloyd Dagoc
 InterDotNet Philippines Inc.

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) Ascend SNMP Problems

2001-08-29 Thread Leon Oosterwijk

Hugh, 

Please help me in trying to setup the SNMP Pull with the non-rewritten
username. I've altered the config for my session db to store both versions
of the username. Following is the session Database as it is defined in our
configuration. Where do I change the behaviour of RADIATOR to use the
non-rewritten username for NAS-SNMP checks? 

Leon 
 


#***
#***
# SESSIONS Database holds the sessions for all the users
# /usr/local/bin/Radius-Session-DBCheck.pl removes stale entries
#***
#***
<SessionDatabase SQL>
    Identifier  sessiondb
    DBSource    dbi:mysql:radadmin:host=host.isdn.net
    DBUsername  username
    DBAuth      password

    # Each query must be one logical line: every wrapped line ends with "\"
    AddQuery  insert into RADONLINE (RRUSERNAME, USERNAME, \
        NASIDENTIFIER, NASPORT, \
        ACCTSESSIONID, FRAMEDIPADDRESS, NASPORTTYPE, \
        SERVICETYPE, DNIS, CALLINGSTATIONID, TIME_STAMP) \
        values ('%U', '%u', '%N', %{NAS-Port}, \
        '%{Acct-Session-Id}', \
        '%{Framed-IP-Address}', '%{Port-Type}', '%{Framed-Protocol}', \
        '%{Called-Station-Id}', '%{Calling-Station-Id}', \
        '%{Timestamp}' )

    DeleteQuery  delete from RADONLINE where USERNAME='%u' and \
        NASIDENTIFIER='%N' and NASPORT='%{NAS-Port}'

    ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'

    CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from \
        RADONLINE where USERNAME='%u'

    # The OLD query:
    # select nasid, slotitem, sessionid from ses4web where username='%u'
</SessionDatabase>



-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, August 28, 2001 6:50 PM
To: Leon Oosterwijk; '[EMAIL PROTECTED]'
Subject: Re: (RADIATOR) Ascend SNMP Problems



Hello Leon -

You don't show the session database that you are using, but the problem is 
because you are doing a RewriteUsername and the rewritten username is being 
used to check against the NAS (which of course won't work).

The usual way to deal with this problem is to use an SQL session database and
store both the original username and the rewritten username therein with your
own queries. That way you can use the rewritten username for simultaneous use
limit checking, and the original username for checking with the NAS.

regards

Hugh




(RADIATOR) Pseudo-Request-Source ?

2001-08-29 Thread daniel


Hi all,

Does anyone know what the Pseudo-Request-Source attribute means?
As I heard it, it is the source IP where packets were sent from.

Is there a way for me to tell whether packets received were proxied
or not in the access-request?


Thanks for your help. 

Daniel Jung

System Administrator GMO inc 




(RADIATOR) SimultaneousUse

2001-08-29 Thread 'Tunde Ogedengbe

Hello:

We are having problems with this attribute.  In some of our installations,
the attribute does not work at all and so no restriction is enforced.  On
another installation,  it works but with severe problems.  For instance
customers with an attribute of 1 who previously connected to our system and
later disconnected are having problems reconnecting.  This has resulted in a
serious problem in which a significant percentage of connection problems
were related to the SimultaneousUse attribute.  What we have done in the
interim is to set the attribute to 3.  How can we resolve this problem?

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net



Re: (RADIATOR) SimultaneousUse

2001-08-29 Thread Camilo Fernando Corena G.

I have the same problem.

Can someone help us?

'Tunde Ogedengbe wrote:

 Hello:

 We are having problems with this attribute.  In some of our installations,
 the attribute does not work at all and so no restriction is enforced.  On
 another installation,  it works but with severe problems.  For instance
 customers with an attribute of 1 who previously connected to our system and
 later disconnected are having problems reconnecting.  This has resulted in a
 serious problem in which a significant percentage of connection problems
 were related to the SimultaneousUse attribute.  What we have done in the
 interim is to set the attribute to 3.  How can we resolve this problem?

 'Tunde Ogedengbe
 Linkserve Limited
 22 Akin Adesola Street
 Victoria Island
 Lagos - Nigeria
 Tel: +234 1 2623900
 Fax: +234 1 2623906
 URL: http://www.linkserve.net



RE: (RADIATOR) Ascend SNMP Problems

2001-08-29 Thread Leon Oosterwijk

Colin, 

The issue at hand is about the fact that the username on the NAS is not the
same that the RADIUS server compares it against. 

Leon 


-Original Message-
From: Colin D. Easton [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 29, 2001 10:58 AM
To: 'Leon Oosterwijk'
Subject: RE: (RADIATOR) Ascend SNMP Problems


In my experience it's always good to set it at twice what it should be.
For regular users set to 2 and for isdn etc set to 4.  This way most
race conditions may be avoided.  It's not absolute nor is it perfect but
it works.

C.




(RADIATOR) snmpget question

2001-08-29 Thread Griff Hamlin

Hello,

I realize this may fall out of the scope of this list, but I'm trying to
use simultaneous use checking, and have downloaded and installed the
suggested snmpget program from ucd. When I put it into my radius config
file, and start it up. I get the following error when radius tries to
use it:

snmpget 209.213.159.61 x .3.2.1.1.1.5.43
Error in packet.
Reason: There is no such variable name in this MIB.
This name doesn't exist: .3.2.1.1.1.5.43

Does anyone know what this means? I am very unfamiliar with snmp in
general.

Griff Hamlin, III




(RADIATOR) Re: Using Alive Accounting packets to update Session DB

2001-08-29 Thread Hugh Irvine


Hello Richard -

AccountingAlivesOnly is supported in an AuthBy clause (it's in the code and 
the manual will be fixed in the next release).

And Alives are also handled automatically by the session database which 
performs an AddQuery for them.

The other things that you mention can either be implemented as you point out 
by special Handler(s), or by custom hooks.

BTW - you can also use an AuthBy SQL in the Handler as above, and just put 
one or more AcctSQLStatements in it to do whatever you need.

Note that we have developed something similar for another customer on a 
contract basis and we could do the same for you if you are interested.

regards

Hugh

On Wednesday 29 August 2001 21:12, Richard Lennerts wrote:
 Hi Mike/Hugh,

 I was going to send the message below to the mailing list, but I thought it
 might be more appropriate to send it you guys first. Please feel free to
 send it to the list if it would be better dealt with there.

 --

 Hi,

 Just wondering whether anyone has managed to use Alive Accounting packets
 to update the records in an external Session DB.

 We would like to store in & out octets in the session DB along with a
 timestamp of when the session was last updated. Then perhaps on a client
 (NAS) basis get Radiator to drop records in the Session database if it
 hasn't received an Alive packet within x minutes. Perhaps putting in a
 validity timestamp which would function similar to the Lease periods used
 with the AddressAllocater would be better, and then have a periodic task
 cleaning out invalid records in the SessionDatabase and optionally
 generating Radius stop packets.

 Is someone able to give me a few pointers on how this could be done perhaps
 with a <Handler Acct-Status-Type = Alive> block?

 Perhaps I could put in a feature request to:

   - Add a keyword AccountingAliveOnly to the AuthBy module
   This would enable special handling of Alive packets in an
 AuthBy clause that could also be used to update Accounting Logs.

 and/or
   - Add a keyword to the Handler module like UpdateSessDBWithAlive
   This would then flag Radiator to use Alive packets to update
 the Session DB.

   - Add a method UpdateQuery to the SessionDatabase module
   - Add a keyword SessionValidNoAlive xxx to the Client module
   This, if specified, would be added to the Timestamp of the
 Alive packet and entered as the ValidTo column of the Session DB.
   - Add a keyword GenerateStopForInvalidSessions in the
 SessionDatabase module
   Which would trigger some cleanup process to create an
 artificial stop packet when clearing invalid records from the Session DB.

 All these extra features combined should let Radiator cater for the above
 mentioned scenario. With more ISP's moving to a virtual port model where
 information to real-time statistics/monitoring is limited, this would be an
 effective way of ensuring that Session statistics remain relatively
 accurate and provides some protection on the loss of Alive/Stop packets.

 Maybe there is already a way to do this but I couldn't see how by scanning
 the reference manual.

 Hope you guys can help.

 Regards,

  ---

 | Richard Lennerts   | p: +61 8 6211 5500   |
 | Technical Director | f: +61 8 9325 6855   |
 | Vianet Communications Pty. Ltd.| e: [EMAIL PROTECTED] |
 | Lvl 6, 200 Adelaide Tce East Perth WA 6004 | w: www.vianet.net.au |

  ---

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) Ascend SNMP Problems

2001-08-29 Thread Hugh Irvine


Hello Leon -

Radiator will always use the original username as received in the request for 
checking the NAS.

However I note in your configuration below that you should probably (correct 
me if I'm wrong) change the CountQuery to count the rewritten usernames:

  CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from \
 RADONLINE where RRUSERNAME='%U'

hth

Hugh


On Wednesday 29 August 2001 23:46, Leon Oosterwijk wrote:
 Hugh,

 Please help me in trying to setup the SNMP Pull with the non-rewritten
 username. I've altered the config for my session db to store both versions
 of the username. Following is the session Database as it is defined in our
 configuration. Where do I change the behaviour of RADIATOR to use the
 non-rewritten username for NAS-SNMP checks?

 Leon



 #***
 #***
 # SESSIONS Database holds the sessions for all the users
 # /usr/local/bin/Radius-Session-DBCheck.pl removes stale entries
 #***
 #***
 <SessionDatabase SQL>
     Identifier  sessiondb
     DBSource    dbi:mysql:radadmin:host=host.isdn.net
     DBUsername  username
     DBAuth      password

     # Each query must be one logical line: every wrapped line ends with "\"
     AddQuery  insert into RADONLINE (RRUSERNAME, USERNAME, \
         NASIDENTIFIER, NASPORT, \
         ACCTSESSIONID, FRAMEDIPADDRESS, NASPORTTYPE, \
         SERVICETYPE, DNIS, CALLINGSTATIONID, TIME_STAMP) \
         values ('%U', '%u', '%N', %{NAS-Port}, \
         '%{Acct-Session-Id}', \
         '%{Framed-IP-Address}', '%{Port-Type}', '%{Framed-Protocol}', \
         '%{Called-Station-Id}', '%{Calling-Station-Id}', \
         '%{Timestamp}' )

     DeleteQuery  delete from RADONLINE where USERNAME='%u' and \
         NASIDENTIFIER='%N' and NASPORT='%{NAS-Port}'

     ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'

     CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from \
         RADONLINE where USERNAME='%u'

     # The OLD query:
     # select nasid, slotitem, sessionid from ses4web where username='%u'
 </SessionDatabase>




-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
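
Added example (not part of the thread and not Radiator code): a small Python/SQLite model of a session table that stores both names per session, as Hugh describes above. The column name ORIGUSERNAME, the realm-stripping rule and the sample users are constructed for illustration; the example shows that counting on the as-received name lets one account in twice under a different realm, while counting on the rewritten name enforces the limit and still returns the original name for the NAS check.

```python
import re
import sqlite3


def rewrite_username(original):
    """Constructed stand-in for a RewriteUsername rule: strip the realm."""
    return re.sub(r"^([^@]+).*", r"\1", original)


def open_session_db():
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE RADONLINE (
            RRUSERNAME    TEXT    NOT NULL,  -- rewritten name: limit counting
            ORIGUSERNAME  TEXT    NOT NULL,  -- name as received: NAS checks
            NASIDENTIFIER TEXT    NOT NULL,
            NASPORT       INTEGER NOT NULL,
            PRIMARY KEY (NASIDENTIFIER, NASPORT)
        )""")
    return db


def add_session(db, original, nas, port):
    # Values are bound as parameters, never spliced into the SQL text.
    db.execute("INSERT OR REPLACE INTO RADONLINE VALUES (?, ?, ?, ?)",
               (rewrite_username(original), original, nas, port))


def sessions_by_original(db, original):
    """Count on the name exactly as the NAS sent it (the weak choice)."""
    return db.execute(
        "SELECT ORIGUSERNAME, NASIDENTIFIER, NASPORT FROM RADONLINE "
        "WHERE ORIGUSERNAME = ?", (original,)).fetchall()


def sessions_by_rewritten(db, original):
    """Count on the rewritten name; rows still carry the original name."""
    return db.execute(
        "SELECT ORIGUSERNAME, NASIDENTIFIER, NASPORT FROM RADONLINE "
        "WHERE RRUSERNAME = ?", (rewrite_username(original),)).fetchall()


def would_admit(db, original, limit, lookup):
    """True if a new login stays within the simultaneous-use limit."""
    return len(lookup(db, original)) < limit


def demo():
    db = open_session_db()
    # Constructed scenario: the account is already online on nas1 port 17.
    add_session(db, "alice@dialup.example", "nas1", 17)
    # The same account now tries to log in under another realm, limit 1.
    second_login = "alice@isdn.example"
    return {
        "admitted_when_counting_original":
            would_admit(db, second_login, 1, sessions_by_original),
        "admitted_when_counting_rewritten":
            would_admit(db, second_login, 1, sessions_by_rewritten),
        # What to ask the NAS about: the name it knows, plus NAS and port.
        "nas_check_targets": sessions_by_rewritten(db, second_login),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```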



Re: (RADIATOR) snmpget question

2001-08-29 Thread Hugh Irvine


Hello Griff -

I suspect you have not configured SNMP on your NAS.

Try running the snmpget queries by hand first of all to verify that you have 
the NAS configured correctly.

hth

Hugh


On Thursday 30 August 2001 07:53, Griff Hamlin wrote:
 Hello,

 I realize this may fall out of the scope of this list, but I'm trying to
 use simultaneous use checking, and have downloaded and installed the
 suggested snmpget program from ucd. When I put it into my radius config
 file, and start it up. I get the following error when radius tries to
 use it:

 snmpget 209.213.159.61 x .3.2.1.1.1.5.43
 Error in packet.
 Reason: There is no such variable name in this MIB.
 This name doesn't exist: .3.2.1.1.1.5.43

 Does anyone know what this means? I am very unfamiliar with snmp in
 general.

 Griff Hamlin, III


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) Pseudo-Request-Source ?

2001-08-29 Thread Hugh Irvine


Hello Daniel -

I can't find any attribute like that.

You can tell whether the requests were proxied by checking which Client 
clause received the request, either in a Handler, or in a user definition.

hth

Hugh


On Wednesday 29 August 2001 23:55, daniel wrote:
 Hi all,

 Does anyone know what the Pseudo-Request-Source attribute means?
 As I heard it, it is the source IP where packets were sent from.

 Is there a way for me to tell whether packets received were proxied
 or not in the access-request?


 Thanks for your help.

 Daniel Jung

 System Administrator GMO inc


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) SimultaneousUse

2001-08-29 Thread Hugh Irvine


Hello Camilo, Hello 'Tunde -

In general, problems with simultaneous use are usually due to dropped 
accounting packets (sometimes congested links, sometimes NAS bugs, sometimes 
configuration problems with Radiator).

I am happy to assist with any problems, but I need to see what is going on.

Please send me a copy of the configuration file (no secrets) together with a 
trace 4 debug from Radiator showing the problem.

It would also be helpful if you could provide some description of what you 
are trying to accomplish.

thanks

Hugh


On Thursday 30 August 2001 01:04, Camilo Fernando Corena G. wrote:
 I have the same problem.

 Can someone help us?

 'Tunde Ogedengbe wrote:
  Hello:
 
  We are having problems with this attribute.  In some of our
  installations, the attribute does not work at all and so no restriction
  is enforced.  On another installation,  it works but with severe
  problems.  For instance customers with an attribute of 1 who previously
  connected to our system and later disconnected are having problems
  reconnecting.  This has resulted in a serious problem in which a
  significant percentage of connection problems were related to the
  SimultaneousUse attribute.  What we have done in the interim is to set
  the attribute to 3.  How can we resolve this problem?
 
  'Tunde Ogedengbe
  Linkserve Limited
  22 Akin Adesola Street
  Victoria Island
  Lagos - Nigeria
  Tel: +234 1 2623900
  Fax: +234 1 2623906
  URL: http://www.linkserve.net

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
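
Added example (not part of the thread and not Radiator code): a Python/SQLite model of the failure Hugh names above, a lost accounting Stop leaving a stale session row, combined with the validity-timestamp clean-up Richard Lennerts proposes in the "Using Alive Accounting packets" thread. The table layout, the 600-second lease, the user "bob" and the packet lists are constructed assumptions.

```python
import sqlite3

LEASE_SECONDS = 600  # assumed: two missed Alives at a 300 s interval


def open_session_db():
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE SESSIONS (
            USERNAME TEXT, NASIDENTIFIER TEXT, NASPORT INTEGER,
            INOCTETS INTEGER, OUTOCTETS INTEGER,
            VALIDTO INTEGER,              -- last Start/Alive time + lease
            PRIMARY KEY (NASIDENTIFIER, NASPORT)
        )""")
    return db


def handle_accounting(db, pkt):
    """Apply one accounting record (a dict keyed by attribute name)."""
    key = (pkt["NAS-Identifier"], pkt["NAS-Port"])
    status = pkt["Acct-Status-Type"]
    if status == "Stop":
        db.execute("DELETE FROM SESSIONS "
                   "WHERE NASIDENTIFIER = ? AND NASPORT = ?", key)
    elif status in ("Start", "Alive"):
        # Start creates the row; each Alive refreshes octets and the lease.
        db.execute("INSERT OR REPLACE INTO SESSIONS VALUES (?, ?, ?, ?, ?, ?)",
                   (pkt["User-Name"], key[0], key[1],
                    pkt.get("Acct-Input-Octets", 0),
                    pkt.get("Acct-Output-Octets", 0),
                    pkt["Timestamp"] + LEASE_SECONDS))


def purge_expired(db, now):
    """Drop rows whose lease ran out; return them so that an artificial
    Stop record can be written for each one."""
    rows = db.execute("SELECT USERNAME, NASIDENTIFIER, NASPORT FROM SESSIONS "
                      "WHERE VALIDTO < ?", (now,)).fetchall()
    db.execute("DELETE FROM SESSIONS WHERE VALIDTO < ?", (now,))
    return rows


def admit(db, username, limit, now, use_lease):
    """Simultaneous-use check, optionally purging expired rows first."""
    if use_lease:
        purge_expired(db, now)
    (count,) = db.execute("SELECT COUNT(*) FROM SESSIONS WHERE USERNAME = ?",
                          (username,)).fetchone()
    return count < limit


def acct(status, timestamp, in_octets=0, out_octets=0):
    """Build one constructed accounting record for user bob on nas1/5."""
    return {"User-Name": "bob", "NAS-Identifier": "nas1", "NAS-Port": 5,
            "Acct-Status-Type": status, "Timestamp": timestamp,
            "Acct-Input-Octets": in_octets, "Acct-Output-Octets": out_octets}


# Constructed traces. In LOST_STOP the user hung up after t=1300 but the
# Stop never reached the server; in STILL_ONLINE the session is alive.
LOST_STOP = [acct("Start", 1000), acct("Alive", 1300, 1200, 3400)]
STILL_ONLINE = LOST_STOP + [acct("Alive", 4800, 9000, 20000)]


def replay(packets, reconnect_at, use_lease, limit=1):
    """Feed the packets in, then test a new login at reconnect_at."""
    db = open_session_db()
    for pkt in packets:
        handle_accounting(db, pkt)
    return admit(db, "bob", limit, reconnect_at, use_lease)


if __name__ == "__main__":
    print("lost Stop, no lease  :", replay(LOST_STOP, 5000, False))
    print("lost Stop, with lease:", replay(LOST_STOP, 5000, True))
    print("still online, lease  :", replay(STILL_ONLINE, 5000, True))
```

Without the lease the stale row blocks the reconnect at a limit of 1, which is the symptom reported in this thread; with it the stale row expires while a session that keeps sending Alives is still counted.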



(RADIATOR) MaxSessions

2001-08-29 Thread Harrison Ng

Hello,


Is it possible to prevent executing AuthBy clauses when MaxSessions is exceeded (within a Handler)?


When Radiator receives an Access-Request, it determines an appropriate Handler to process the request.
Then it checks whether the user has reached MaxSessions.
In this case the user has reached MaxSessions, therefore it should send Access-Reject to the NAS and stop executing AuthBy clauses.

However, Radiator still goes through the clauses and eventually sends out Access-Accept to the NAS.
At the same time, our NAS takes in the Access-Accept and opens a PPP session.


Please find attached a trace 4 capture and extracts of our radius.cfg.
Can anyone give us a hint?


Harrison
SmarTone BroadBand Services Limited





Attachments: MaxSession.txt, radius.cfg




Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812 
Code:   Access-Request
Identifier: 0
Authentic:  )222174255o2336245137.163:2156225244
Attributes:
User-Name = [EMAIL PROTECTED]
User-Password = 293FVW{V30275k2491511207[
NAS-Identifier = LAPB01
NAS-IP-Address = 202.140.97.153
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 100663738

Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler User-Name = /(?![\w\.\-@])+/ should 
be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.67.215.60 should be 
used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.67.215.240 should be 
used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 10.20.2.2 should be used 
to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.140.97.152 should be 
used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.140.97.153 should be 
used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Handling request with Handler 'Client-Id = 
202.140.97.153'
Wed Aug 29 16:19:49 2001: DEBUG: Rewrote user name to fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: bras Deleting session for 
[EMAIL PROTECTED], 202.140.97.153, 100663738
Wed Aug 29 16:19:49 2001: DEBUG: do query is: delete from BBONLINE where 
NASIDENTIFIER='202.140.97.153' and NASPORT=100663738

Wed Aug 29 16:19:49 2001: DEBUG: Query is: select NASIDENTIFIER,NASPORT from BBONLINE 
where USERNAME='[EMAIL PROTECTED]
'

Wed Aug 29 16:19:49 2001: DEBUG: Checking if user is still online: unknown, 
[EMAIL PROTECTED], 202.140.97.153, 10066400
0,
Wed Aug 29 16:19:49 2001: INFO: Access rejected for fieldsvc: MaxSessions exceeded
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812 
Code:   Access-Reject
Identifier: 0
Authentic:  )222174255o2336245137.163:2156225244
Attributes:
Reply-Message = Request Denied
Reply-Message = MaxSessions exceeded

Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthGROUP
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthLDAPwOBJ
Wed Aug 29 16:19:49 2001: DEBUG: Connecting to 202.140.96.53, port 389
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got result for 
cn=fieldsvc,ou=People,o=SmarTone,c=hk
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got authserviceprotocol: Framed-User
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got framedprotocol: PPP
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got sessiontimeoutnumber: 86000
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got userpassword: {crypt}vt3QIHUqVTcGE
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthLDAPwOBJ looks for match with fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthLDAPwOBJ ACCEPT:
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthGROUP
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthSQL
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthSQL
Wed Aug 29 16:19:49 2001: DEBUG: Query is: select FRAMEDIPADDRESS from SUBSCRIBERS 
where USERNAME='fieldsvc'

Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthSQL looks for match with fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthSQL ACCEPT:
Wed Aug 29 16:19:49 2001: DEBUG: Access accepted for fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812 
Code:   Access-Accept
Identifier: 0
Authentic:  )222174255o2336245137.163:2156225244
Attributes:
Reply-Message = Request Denied
Reply-Message = MaxSessions exceeded
Service-Type = Framed-User
Framed-Protocol = PPP
Session-Timeout = 86000
Framed-IP-Address = 203.133.144.3

Wed Aug 29 16:19:51 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812 
Code:   Accounting-Request
Identifier: 0
Authentic:  ?'6192m?193164?Op255206s@
Attributes:
User-Name = [EMAIL PROTECTED]
NAS-Identifier = LAPB01
NAS-IP-Address = 202.140.97.153
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 100663738
LAC-Port = 117446876
LAC-Real-Port = 403638128
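
The last Access-Accept dump above still carries Reply-Message = Request Denied and Reply-Message = MaxSessions exceeded. As an added example (not code from the original post or from Radiator), this Python sketch parses packet dumps in that layout and flags Access-Accepts whose Reply-Message reads like a denial; the sample log is constructed, and the DENIAL wording pattern and function names are assumptions.

```python
import re

# Constructed sample in the layout of the debug log above (placeholder addresses).
SAMPLE_LOG = """\
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1812
Code:   Access-Accept
Attributes:
Reply-Message = Request Denied
Reply-Message = MaxSessions exceeded

Wed Aug 29 16:19:51 2001: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1812
Code:   Access-Accept
Attributes:
Service-Type = Framed-User
"""

TS = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4}: ")   # start of a log record
DENIAL = re.compile(r"denied|exceeded|reject", re.IGNORECASE)  # assumed wording

def parse_dumps(text):
    """Return one dict per 'Packet dump:' record: time, peer, code, attrs."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("Packet dump:"):
            cur = {"time": line.split(": DEBUG")[0], "peer": None, "code": None, "attrs": []}
            packets.append(cur)
        elif cur is None:
            continue
        elif not line or TS.match(line):
            cur = None                      # blank line or next record ends the dump
        elif line.startswith("*** "):
            cur["peer"] = line[4:]
        elif line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif " = " in line:
            name, value = line.split(" = ", 1)
            cur["attrs"].append((name.strip(), value.strip()))
    return packets

def contradictory_accepts(packets):
    """Access-Accepts that carry a Reply-Message worded like a denial."""
    hits = []
    for p in packets:
        msgs = [v for n, v in p["attrs"] if n == "Reply-Message" and DENIAL.search(v)]
        if p["code"] == "Access-Accept" and msgs:
            hits.append((p["time"], p["peer"], msgs))
    return hits
```

Run contradictory_accepts(parse_dumps(...)) over a Trace 4 log to list every accept that went out with leftover denial text.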

(RADIATOR) Token-based authentication and Encotone TeleID

2001-08-29 Thread Mike McCauley

Radiator now works with Encotone's TeleID token-based one-time-password 
system (www.encotone.com).

Encotone are bundling Radiator with their PAM TeleID software and a combined 
solution is now available from them.

For a white paper discussing how Radiator and TeleID can be used to secure dialup 
and network access, see 
http://www.open.com.au/radiator/NetworkAccessSolution_Radiator.pdf

Cheers.



(RADIATOR) Version 2.18.2 released

2001-08-29 Thread Mike McCauley

We are pleased to announce the release of Radiator version 2.18.3
This version provides a number of bug fixes and some new features.

As usual, the new version is available free of charge to current 
licensees from 
http://www.open.com.au/radiator/downloads/Radiator-2.18.3.tgz
or
http://www.open.com.au/radiator/downloads/Radiator-2.18.3-1.noarch.rpm

and to current evaluators from 
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-2.18.3.tgz
or
http://www.open.com.au/radiator/downloads/Radiator-Demo-2.18.3-1.noarch.rpm

An extract from the history file is attached


-
Revision 2.18.3 (30/8/01) Significant new features, some bug fixes 

Added EAP support for OTP and MD5-Challenge, works with AuthBy OPIE
and any authentication database with plaintext passwords
(eg AuthBy FILE, AuthBy SQL, etc). Extensible mechanism in EAP.pm
permits new EAP protocols to be added.

Added support for improvements in RAdmin 1.5, including Service
Profiles and arbitrary per-user and per-service RADIUS check and reply
items. Caution: the default AuthSelect has changed.

Added beta version of AuthBy ACE, permitting authentication direct to
a SecureID ACE server, instead of proxying.  Certification by RSA is
still pending. Example goodies/ace.cfg is included. Requires
Authen-ACE4 perl module from Open System Consultants.

Default behaviour of Log SYSLOG and AuthLog SYSLOG changed to log via
unix sockets by default. This works correctly with more syslog
daemons. New parameter LogSock permits this to be changed.

Added new command line argument -rawfile to radpwtst. 

SessionDatabase SQL DeleteQuery now has the column values of the
record to delete passed as %0 to %4.

Improvements to RPM packaging suggested by Gustav Foseid
([EMAIL PROTECTED])

Added AuthSQLStatement, similar to AcctSQLStatement: any number of SQL
statements that will run before authentication.  Patch provided by
([EMAIL PROTECTED]). Thanks!

Performance improvements in tunnel password and mppe key encryption
and decryption.

All port parameters (eg AuthPort, AcctPort, Port, OutPort etc) may
contain special formatting characters. A typical use of special
formatting characters is with GlobalVar and command line arguments.

Fixes to AuthBy EMERALD so that if HonourDNISGroups is defined but
there is no DNIS in the request, or if HonourServerPortAccess is
defined, but there is no Nas-Port in the request, the constraints are
not applied.

Improvement to AuthBy LDAP2 so that illegal characters in a user name
won't cause disconnection from the LDAP server.  Identified and patched
by Carlos Canau ([EMAIL PROTECTED])

Added support for group check items to AuthBy PAM, for PAM modules
that support the notion of a group (such as pam_teleid).

Loading database export files now works independently of whether the
export file was generated on Unix or Windows.

Logging of 'Handling with $type' now includes the Identifier of the
AuthBy module.

Added example code to goodies/asplog.txt: How to display Radiator SQL
accounting logs with an ASP/VB script. Contributed by
Michael Audet ([EMAIL PROTECTED]) Thanks Michael! 

Fixed problem with AuthBy RODOPI that was broken by 2.18.1. 

Added support for Rcrypt reversibly encrypted passwords. Now your user
database can contain passwords that are reversibly encrypted with a
secret key. Radius::Rcrypt module provides encrypt and decrypt
routines that can be used by any other code.  Forthcoming version of
RAdmin will also support Rcrypt encryption.

Structural improvements to AuthGeneric, which allows some modules that
previously implemented their own handle_request to piggy-back off
AuthGeneric, saving lots of replicated code

Added CheckGroupServer and CheckGroup to AuthBy ADSI and AuthBy NT, so
that you can set a Class in the reply that depends on which NT group
the user is in.

Primary key violation in MySQL and unique constraint violation in
Oracle now does not cause disconnection.

Added example configuration file prepaid.cfg showing how to implement
a simple prepaid card system with an SQL database.

AuthLDAP* now handles multiple LDAP attributes for check, reply and
request AuthAttrDef. Multiple LDAP attributes will be added as
multiple instances of the same Radius attribute. Contributed by Robert
Kiessling ([EMAIL PROTECTED]) Thanks Robert.

In AuthBy LDAP, HoldServerConnection worked in reverse to the correct
behaviour.

Added Global and per-Handler UsernameCharset allowing you to easily
specify what characters are permitted in a user name.

In AuthBy RADIUS, Host names for remote servers can now contain
special formatting characters.

Added Acct-Input-Gigawords and Acct-Output-Gigawords to
dictionary. Reported by Bruno Tiago Rodrigues ([EMAIL PROTECTED]).

Improvements to sample Linux startup script. Now sources
/etc/sysconfig/radiator if present, so you can put config file name
and arguments there for preference. Suggested by Ted Kandell
([EMAIL PROTECTED]). Thanks Ted.

Added AuthLog SYSLOG, 

Fwd: (RADIATOR) Version 2.18.3 released

2001-08-29 Thread Hugh Irvine


Hello All -

The subject line of course should say Radiator Version 2.18.3.

regards

Hugh

--  Forwarded Message  --
Subject: (RADIATOR) Version 2.18.2 released
Date: Thu, 30 Aug 2001 14:41:23 +1000
From: Mike McCauley [EMAIL PROTECTED]
To: [EMAIL PROTECTED],
 [EMAIL PROTECTED]


We are pleased to announce the release of Radiator version 2.18.3
This version provides a number of bug fixes and some new features.

As usual, the new version is available free of charge to current
licensees from
http://www.open.com.au/radiator/downloads/Radiator-2.18.3.tgz
or
http://www.open.com.au/radiator/downloads/Radiator-2.18.3-1.noarch.rpm

and to current evaluators from
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-2.18.3.tgz
or
http://www.open.com.au/radiator/downloads/Radiator-Demo-2.18.3-1.noarch.rpm

An extract from the history file is attached


-
Revision 2.18.3 (30/8/01) Significant new features, some bug fixes

Added EAP support for OTP and MD5-Challenge, works with AuthBy OPIE
and any authentication database with plaintext passwords
(eg AuthBy FILE, AuthBy SQL, etc). Extensible mechanism in EAP.pm
permits new EAP protocols to be added.

Added support for improvements in RAdmin 1.5, including Service
Profiles and arbitrary per-user and per-service RADIUS check and reply
items. Caution: the default AuthSelect has changed.

Added beta version of AuthBy ACE, permitting authentication direct to
a SecureID ACE server, instead of proxying.  Certification by RSA is
still pending. Example goodies/ace.cfg is included. Requires
Authen-ACE4 perl module from Open System Consultants.

Default behaviour of Log SYSLOG and AuthLog SYSLOG changed to log via
unix sockets by default. This works correctly with more syslog
daemons. New parameter LogSock permits this to be changed.

Added new command line argument -rawfile to radpwtst.

SessionDatabase SQL DeleteQuery now has the column values of the
record to delete passed as %0 to %4.

Improvements to RPM packaging suggested by Gustav Foseid
([EMAIL PROTECTED])

Added AuthSQLStatement, similar to AcctSQLStatement: any number of SQL
statements that will run before authentication.  Patch provided by
([EMAIL PROTECTED]). Thanks!

Performance improvements in tunnel password and mppe key encryption
and decryption.

All port parameters (eg AuthPort, AcctPort, Port, OutPort etc) may
contain special formatting characters. A typical use of special
formatting characters is with GlobalVar and command line arguments.

Fixes to AuthBy EMERALD so that if HonourDNISGroups is defined but
there is no DNIS in the request, or if HonourServerPortAccess is
defined, but there is no Nas-Port in the request, the constraints are
not applied.

Improvement to AuthBy LDAP2 so that illegal characters in a user name
won't cause disconnection from the LDAP server.  Identified and patched
by Carlos Canau ([EMAIL PROTECTED])

Added support for group check items to AuthBy PAM, for PAM modules
that support the notion of a group (such as pam_teleid).

Loading database export files now works independently of whether the
export file was generated on Unix or Windows.

Logging of 'Handling with $type' now includes the Identifier of the
AuthBy module.

Added example code to goodies/asplog.txt: How to display Radiator SQL
accounting logs with an ASP/VB script. Contributed by
Michael Audet ([EMAIL PROTECTED]) Thanks Michael!

Fixed problem with AuthBy RODOPI that was broken by 2.18.1.

Added support for Rcrypt reversibly encrypted passwords. Now your user
database can contain passwords that are reversibly encrypted with a
secret key. Radius::Rcrypt module provides encrypt and decrypt
routines that can be used by any other code.  Forthcoming version of
RAdmin will also support Rcrypt encryption.

Structural improvements to AuthGeneric, which allows some modules that
previously implemented their own handle_request to piggy-back off
AuthGeneric, saving lots of replicated code

Added CheckGroupServer and CheckGroup to AuthBy ADSI and AuthBy NT, so
that you can set a Class in the reply that depends on which NT group
the user is in.

Primary key violation in MySQL and unique constraint violation in
Oracle now does not cause disconnection.

Added example configuration file prepaid.cfg showing how to implement
a simple prepaid card system with an SQL database.

AuthLDAP* now handles multiple LDAP attributes for check, reply and
request AuthAttrDef. Multiple LDAP attributes will be added as
multiple instances of the same Radius attribute. Contributed by Robert
Kiessling ([EMAIL PROTECTED]) Thanks Robert.

In AuthBy LDAP, HoldServerConnection worked in reverse to the correct
behaviour.

Added Global and per-Handler UsernameCharset allowing you to easily
specify what characters are permitted in a user name.

In AuthBy RADIUS, Host names for remote servers can now contain
special formatting characters.

Added Acct-Input-Gigawords and Acct-Output-Gigawords to
dictionary. Reported by