(RADIATOR) dictionary problems with CISCO and TIGRIS

2001-09-14 Thread Roger Mangraviti

Hi,

We finally got Radiator working fine for a while, and then we started to get
all these dictionary errors:

Sat Sep 15 17:16:24 2001: ERR: Attribute number 77 (vendor ) is not defined in your dictionary
Sat Sep 15 17:16:24 2001: ERR: Attribute number 30 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:24 2001: ERR: Attribute number 31 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:24 2001: ERR: Attribute number 32 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:24 2001: ERR: Attribute number 33 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:24 2001: ERR: Attribute number 17 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:24 2001: ERR: Attribute number 5 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:39 2001: ERR: Attribute number 18 (vendor 5) is not defined in your dictionary
Sat Sep 15 17:16:39 2001: ERR: Attribute number 27 (vendor 5) is not defined in your dictionary

Our NAS's are Cisco 5400's and Tigris.

I have tried the default dictionaries that came with Radiator for ACC and
Cisco, even tried the vendors'
dictionaries, but these errors still come up.

Any hints?


---
Roger Mangraviti
Independent Service Providers
Ph: 1300 304 288
mailto:[EMAIL PROTECTED]
http://www.isp.net.au

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Identical Clients

2001-09-14 Thread Hugh Irvine


Hello Todd -

On Saturday 15 September 2001 03:53, Todd Dokey wrote:
> I'd like to set up a client clause for each type of NAS with the Identical
> clients picking up the same for same types.
>
> How would this look?

# define Client clauses


IdenticalClients 2.2.2.2, 3.3.3.3, ..
..


Have a look at section 6.5.10 in the Radiator 2.18.4 reference manual.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) Fwd: BOUNCE radiator@open.com.au: Non-member submission from ["baker" ]

2001-09-14 Thread Hugh Irvine


Hello Ba -

>
> Currently I am testing Radiator with Emerald on Microsoft SQL Server. I
> have seen how powerful the product is. But simply I am not a Perl
> programmer; otherwise, the software is just great. I am facing a problem with:
> 1- Realm Default
> with default the sa.login= Default for some errors, not all (such as the
> over login limit).
>
> 2- The online users don't ever match up with the NAS users online. I have
> added SNMP and
> added the directionry and NASTYPE with the SNMP Agent and SNMPGET ..
> Am I missing anything else, or is it bad luck ...
>

Could you please send me a copy of your configuration file (no secrets) 
together with a trace 4 debug showing what is happening.

thanks

Hugh




Re: (RADIATOR) MaxSessions

2001-09-14 Thread Hugh Irvine


Hello Todd -

On Saturday 15 September 2001 03:04, Todd Dokey wrote:
> MaxSessions won't work under text right?
>
> Don't I need a master online calls table of some kind?
>

Radiator always uses an Internal session database in any case, even if an 
external session database is not specified.

> Can I use authby radius and authby text, but check accounting on Emerald's
> calls table?
>

Yes (although there is no AuthBy TEXT).

BTW - I strongly encourage you to read the RFCs and the reference manual 
included in the "doc" directory of the Radiator distribution (at least once).

hth

Hugh





(RADIATOR) Identical Clients

2001-09-14 Thread Todd Dokey

I'd like to set up a client clause for each type of NAS with the Identical
clients picking up the same for same types.

How would this look?

-
"We sleep safe in our beds because rough men stand ready in the night to
visit violence on those who would do us harm."
George Orwell





(RADIATOR) MaxSessions

2001-09-14 Thread Todd Dokey

MaxSessions won't work under text right?

Don't I need a master online calls table of some kind?

Can I use authby radius and authby text, but check accounting on Emerald's
calls table?




(RADIATOR) Fwd: BOUNCE radiator@open.com.au: Non-member submission from ["baker" ]

2001-09-14 Thread Mike McCauley



--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from ["baker" 
<[EMAIL PROTECTED]>]
Date: Fri, 14 Sep 2001 04:45:01 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Date: Fri, 14 Sep 2001 14:09:13 +0300
From: "baker" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: sa.login=DEFAULT

Currently I am testing Radiator with Emerald on Microsoft SQL Server. I have
seen how powerful the product is. But simply I am not a Perl programmer;
otherwise, the software is just great. I am facing a problem with:
1- Realm Default
with default the sa.login= Default for some errors, not all (such as the over
login limit).

2- The online users don't ever match up with the NAS users online. I have added
SNMP and
added the directionry and NASTYPE with the SNMP Agent and SNMPGET ..
Am I missing anything else, or is it bad luck ...


thanks for your help..

Ba




Re: (RADIATOR) Multiple realms in handler

2001-09-14 Thread Hugh Irvine


Hello Matt -

On Friday 14 September 2001 10:32, Matt Scifo wrote:
> Hello
>
> Can anyone tell me if this is possible to implement?
>
> Two-Stage Proxy
>   * All Requests initially parsed by Called-Station-Id
>   * Option of then parsing requests, within a single Realm to match a
> set of criteria based on "@realm" username identifiers
>
> ---
> #Use regexp for called-station-id
> 
>   #If user@realm1, then do this
>   
>   
>   Host host1
>   Secret secret1
>   
>   
>
>   #If user@realm2, then do this
>   
>   
>   Host host2
>   Secret secret2
>   
>   
>
>   #If user@realm3, then do this
>   
>   
>   Host host3
>   Secret secret3
>   
>   
>
>   #If realm not found above
>   
>   
>   Host host1
>   Secret secret1
>   
>   
> 
>

You will need to specify multiple Handlers, like this:


.



.



.



.


regards

Hugh





Re: (RADIATOR) RADMIN and radius

2001-09-14 Thread Hugh Irvine


Hello Lloyd -

If you specify an AuthBy RADMIN together with a SessionDatabase SQL, the 
management of the RADONLINE table is done automatically using the accounting 
requests from the NAS.

Here is the relevant section from the manual:

  6.7.3 AddQuery

  This SQL statement is executed whenever a new user session starts (i.e. 
when an Accounting-Request Start message is received). It is expected to 
record the details of the new session in the SQL database. Special formatting 
characters may be used (the %{attribute} ones are probably the most useful). 
If AddQuery is defined as an empty string, then the query will not be 
executed.

  It defaults to:  insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
SERVICETYPE) values ('%u', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}',\
 %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', \
'%{Service-Type}')

If you want to include the DNIS (Called-Station-Id), you will have to modify 
the RADONLINE table and change the default AddQuery (shown above).

regards

Hugh


On Friday 14 September 2001 17:08, lloyd dagoc wrote:
> Hi to everybody,
>
> I'm a little bit confused as to where or who does the update of the
> RADONLINE table in the radmin database... We never included the update
> RADONLINE statement in our radius.cfg... Any ideas? Is the NAS responsible
> for this? If it is responsible, how come they never include the DNIS of the
> user in our RADONLINE database? Any ideas?
>
> thanks
> lloyd dagoc



Re: (RADIATOR) Little config advice needed

2001-09-14 Thread Hugh Irvine


Hello Sergio -

On Friday 14 September 2001 02:34, Sergio Alejandro Gonzalez wrote:
> Hello there.
>
> I recently had a problem with a config that makes me handle
> dynamic address allocation. The problem is I have two
> different RASes (3com and Patton). For admin purposes, some
> dialup clients need to have another IP address pool
> different from the one the RAS can assign. To do the trick, 3com
> fortunately handles more than one IP pool, but Patton
> doesn't. The config I have now looks like:
>
> 
> Identifier myallocator
>
> DBSource dbi:mysql:radius
> DBUsername  X
> DBAuth  X
>
> 
> Subnetmask  255.255.255.0
> DNSServer aaa.bbb.ccc.ddd
> Range   192.168.2.1 192.168.2.254
> 
>
> 
>
> 
>  RejectHasReason
>  AccountingHandled
>  AuthByPolicy ContinueWhileAccept
>
>  
>  DefaultSimultaneousUse 1
>  DBSource dbi:mysql:radius
>  DBUsername 
>  DBAuth 
>
>  AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
> from SUBSCRIBERS where USERNAME = '%n' \
> and STATUS = 1
>
>  AccountingStopsOnly
>  AccountingTable ACCOUNTING%Y%m
>  AcctColumnDef  USERNAME,User-Name
>  AcctColumnDef  TIME_STAMP,Timestamp,integer
>  AcctColumnDef  ACCTSESSIONID,Acct-Session-Id
>  AcctColumnDef  ACCTSESSIONTIME,Acct-Session-Time,integer
>  AcctColumnDef  ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>  AcctColumnDef  ACCTCONNECTSPEED,Ascend-Xmit-Rate,integer
>  AcctColumnDef  ACCTCONNECTSPEED,USR-Connect-Speed,integer
>  AcctColumnDef  ACCTCALLINGSTATIONID,Calling-Station-Id,string
>  AcctColumnDef  ACCTCALLEDSTATIONID,Called-Station-Id,string
>  AcctColumnDef  FRAMEDIPADDRESS,Framed-IP-Address
>  
>
>  
>  Allocator myallocator
>  PoolHint %{Reply:Framed_IP_Address_Pool_Name}
>  MapAttribute yiaddr,Framed-IP-Address
>  MapAttribute subnetmask,Framed-IP-Netmask
>  
>  PasswordLogFileName %L/password.log
>
> 
>
>
>
> OK, that works, but I only want the Auth DYNADDRESS to work for the
> Patton request. How can I achieve this?
>

I would suggest you use Identifiers in your Client clauses, and Handlers, 
like this:

# define Client clauses


Identifier 3com




Identifier 3com




Identifier Patton




Identifier Patton




..



..

 

hth

Hugh





Re: (RADIATOR) Taking too long.

2001-09-14 Thread Hugh Irvine


Hello Griff -

As always, a trace 4 showing what is going on is what is required.

For sub-second timer resolution you should use the LogMicroseconds parameter 
with the Time::HiRes module from CPAN.

You may find that you will have to have multiple Radiator hosts with some 
form of load balancing in front, and/or separate authentication and 
accounting instances of Radiator on each host.

hth

Hugh


On Friday 14 September 2001 09:16, Griff Hamlin, III wrote:
> Hello,
>
> I am using an SQL database for authentication, Accounting, and session
> database. I also am using snmpget to keep my online database consistent.
> I find that when the snmpget takes a little too long, radius gets behind
> and will never catch up, effectively denying all users as their
> computers time out although eventually they do get authenticated on my
> end. I thought about trying to fork processes, but is there no way to
> limit the number of running processes that spawn off? Does anyone have
> any experience with this type of problem and/or how to solve it?
>
> Griff Hamlin, III
>



Re: (RADIATOR) AuthUNIX/FILE Authentication and realms.

2001-09-14 Thread Hugh Irvine


Hello Paul -

On Thursday 13 September 2001 13:42, Paul Rolfe wrote:
> Is it possible to get Radiator to authenticate based on username only, even
> if the username is rewritten to include the realm?  (it is required that we
> rewrite to include the realm as our radius supports over 8 different
> "providers" and we need to be able to account for them all based on
> username@realm, we also use Called-Station-Id to map to some realms)
>
> All other realms are working fine as they authenticate from a custom built
> authentication module which looks after this, however the below needs to be
> authenticated in the following manner.
>
> I need to be able to authenticate based on the username portion only (for
> the AuthUNIX/FILE), but to use the rewritten realm for accounting and
> session database entries.
>
> Ideas? What am I missing?
>
>
> If I add RewriteUsername s/^([^@]+).*/$1/ immediately after the <AuthBy
> GROUP>, then authentication works.  UsernameMatchesWithoutRealm doesn't
> seem to work.
>
> I've also tried writing separate handlers for Authentication and
> Accounting, but the problem then arises, that I can't manage the session
> database (SQL) correctly with the realms.
>
>
> 
>  RewriteUsername tr/A-Za-z0-9_@\.-//cd
>  RewriteUsername s/^([^@]+).*/$1/
>  RewriteUsername s/^(.*)/$1\@southwest.com.au/
>  RewriteUsername s/^([^@]+)(.*)/lc($1).uc($2)/e
>  
>  UsernameMatchesWithoutRealm
>  AuthByPolicy ContinueWhileAccept
>  
>  UsernameMatchesWithoutRealm
>  Filename %D/users
>  RejectEmptyPassword
>  
>  
>  UsernameMatchesWithoutRealm
>  Identifier Unix
>  Filename /etc/passwd
>  GroupFilename /etc/group
>  RejectEmptyPassword
>  
>  
>  PostAuthHook file:"/etc/radiusd/radius.call"
>  AcctLogFileName /var/adm/radacct/%C/detail
>  AccountingHandled
> 
>

Can you please send me a trace 4 showing what is happening?

And what version of Radiator are you running?

BTW - I don't think the AuthByPolicy shown above is correct, as both AuthBy 
clauses will have to accept - but maybe that is what you want?

thanks

Hugh





Re: (RADIATOR) Question on Encrypted-Password/User-Password

2001-09-14 Thread Hugh Irvine


Hello Viraj -

Section 13.1.2 in the Radiator 2.18.4 reference manual.

regards

Hugh


On Friday 14 September 2001 00:05, Viraj Alankar wrote:

> Hello,
>
> Is there a functional difference between the following:
>
> 
> ...
> AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
> AuthColumnDef 0, User-Password, check
> 
>
> and this:
>
> 
> ...
> AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
> AuthColumnDef 0, Encrypted-Password, check
> 
>
> when the result of the select returns '{crypt}crypted_password' ? In other
> words, I can use either AuthBy and it should work right?
>
> Thanks,
>
> Viraj.





Re: (RADIATOR) Framed-IP of 0.0.0.0

2001-09-14 Thread Hugh Irvine


Hello William -

Note that what you show below is an accounting request that does not have a 
Framed-IP-Address in it at all.

Also note that your proposed PostAuthHook below would serve no purpose with 
accounting requests.

regards

Hugh


On Thursday 13 September 2001 23:58, William Hernandez wrote:
> Thanks everyone.
>
> Given that we don't use FramedGroupBaseAddress in our Client
> clauses, and given that the problem has been reported with
> Radiator out of the picture, I'll conclude that this is a NAS
> issue.
>
> However, before I close this issue does it make sense to write a
> PostAuthHook that would check FRAMEDIPADDRESS and if matches
> 0.0.0.0 change the Accept to a Reject and basically force the
> user to reconnect and expect (hope) the NAS will generate a
> correct IP the second time around.
>
> Below is a trace 4. It seems that the 0.0.0.0 address occurs when
> Framed-Protocol=MP or Framed-Protocol=MPP. But I'll have to check
> more cases to say for sure.
>
> Thanks in advance,
> William
>
>
> Mon Aug 27 14:22:24 2001: DEBUG: Packet dump:
> *** Received from 208.249.78.9 port 1028 
> Code:   Accounting-Request
> Identifier: 18
> Authentic:
> (<196><208><254>x<239><243><235><22>#<196>x<166><138><182><15>
> Attributes:
> User-Name = "horizonmm.com"
> NAS-IP-Address = 208.249.78.9
> NAS-Port = 10207
> Ascend-NAS-Port-Format = 3
> NAS-Port-Type = Sync
> Acct-Status-Type = Start
> Acct-Delay-Time = 0
> Acct-Session-Id = "364406391"
> Acct-Authentic = RADIUS
> Ascend-Multilink-ID = 1309213583
> Ascend-Num-In-Multilink = 2
> Acct-Link-Count = "<0><0><0>0"
> Acct-Multi-Session-Id = "4e09038f"
> Ascend-Modem-PortNo = 31
> Ascend-Modem-SlotNo = 9
> Calling-Station-Id = "7879778517"
> Called-Station-Id = "6419200"
> Framed-Protocol = MP
>
> Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
> Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
> Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=holaplaneta.net should be used to handle this request
> Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
> Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
> Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler  should be used to handle this request
> Mon Aug 27 14:22:24 2001: DEBUG: Handling request with Handler ''
> Mon Aug 27 14:22:24 2001: DEBUG: prw-sessiondb Adding session for horizonmm.com, 208.249.78.9, 10207
> Mon Aug 27 14:22:24 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='208.249.78.9' and NASPORT=010207
>
> Mon Aug 27 14:22:24 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('horizonmm.com', '208.249.78.9', 010207, '364406391', 998936544, '0.0.0.0', 'Sync', '')
>
> Mon Aug 27 14:22:24 2001: DEBUG: Handling with Radius::AuthFILE
> Mon Aug 27 14:22:24 2001: DEBUG: Processing PostAuthHook:setSessionTimeout
> Mon Aug 27 14:22:24 2001: DEBUG: setSessionTimeout: username is: horizonmm.com
> Mon Aug 27 14:22:24 2001: DEBUG: setSessionTimeout: Called-Station-Id is: 6419200
> Mon Aug 27 14:22:24 2001: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='horizonmm.com'
> Mon Aug 27 14:22:24 2001: DEBUG: Accounting accepted
> Mon Aug 27 14:22:24 2001: DEBUG: Packet dump:
> *** Sending to 208.249.78.9 port 1028 
> Code:   Accounting-Response
> Identifier: 18
> Authentic:
> (<196><208><254>x<239><243><235><22>#<196>x<166><138><182><15>
> Attributes:
>
>
> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 12, 2001 7:35 PM
> To: William Hernandez; Radiator
> Subject: Re: (RADIATOR) Framed-IP of 0.0.0.0
>
>
>
> Hello William -
>
> The only way to understand what is happening is to look at a
> trace 4 debug
> from Radiator to see in what circumstances this occurs. As it is
> the NAS that
> sends the accounting packets that are used to maintain the
> session database,
> it is highly likely that this is a NAS issue.
>
> Note that we have seen similar behaviour occasionally when it is
> Radiator
> allocating the addresses, and one work-around is to send a copy
> of the
> address in a Class attribute and use a PreClientHook to restore
> it.
>
> Obviously if it is the NAS that is allocating the addresses, you
> will need to
> check with the NAS vendor if there is a fix for the problem.
>
> regards
>
> Hugh
>
> On Thursday 13 September 2001 00:16, William Hernandez wrote:
> > Hello everyone,
> >
> > We're using 2.18.2. Recently we sta

Re: (RADIATOR) Cisco ADSL

2001-09-14 Thread Hugh Irvine


Hello Quintin -

Here is a PreClientHook (included in Radiator 2.18.4) that will do some of 
what you require.

# cisco-nas-port.pl
# PreClientHook to extract NAS-Port information.
#
# Cisco encodes information in the NAS-Port attribute as follows:
#
# nl-rt-sh-vpn-aer11(config)#radius-server attribute nas-port format ?
#   a   Format is type, channel, port
#   b   Either interface(16) or isdn(16), async(16)
#   c   Data format(bits): shelf(2), slot(4), port(5), channel(5)
#   d   Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)
#
# This hook is written for Cisco format "d" above (ATM vpi/vci).
#
# The encoded information is extracted and the individual data elements
# are added to the request packet as pseudo-attributes.
#
# Hugh Irvine, Open System Consultants, 20010622

sub
{
    my $p = ${$_[0]};

    my $nasport = $p->get_attr('NAS-Port');

    if (defined($nasport))
    {
        my ($slot, $module, $port, $vpi, $vci);
        # Peel the fields off starting from the least significant bits
        $vci = $nasport & 0xffff;       # vci(16)
        $nasport = $nasport >> 16;
        $vpi = $nasport & 0xff;         # vpi(8)
        $nasport = $nasport >> 8;
        $port = $nasport & 0x7;         # port(3)
        $nasport = $nasport >> 3;
        $module = $nasport & 0x1;       # module(1)
        $nasport = $nasport >> 1;
        $slot = $nasport & 0xf;         # slot(4)
        $p->add_attr('Cisco-NAS-Port-Vci', $vci)
            if defined $vci;
        $p->add_attr('Cisco-NAS-Port-Vpi', $vpi)
            if defined $vpi;
        $p->add_attr('Cisco-NAS-Port-Port', $port)
            if defined $port;
        $p->add_attr('Cisco-NAS-Port-Module', $module)
            if defined $module;
        $p->add_attr('Cisco-NAS-Port-Slot', $slot)
            if defined $slot;
    }
}


regards

Hugh


On Thursday 13 September 2001 20:21, Quintin Lam wrote:
> Hi,
>
> Does anyone knows how to get the Virtual-Access Port in cisco IOS
> 12.1(5)dc1.  After upgrade the IOS and using format d, the accounting
> record becomes
>
> Thu Sep 13 16:53:18 2001
> NAS-IP-Address = 192.168.200.17
> NAS-Port = 1879713553
> NAS-Port-Type = Virtual
> User-Name = "tcltk"
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Service-Type = Framed-User
> Acct-Session-Id = "7/0/0/10.10001_00B1"
> Framed-Protocol = PPP
> Acct-Delay-Time = 0
> Timestamp = 1000371198
>
> Can the accounting data record the Client-IP address (%C instead of %N)
> too?
>
> The NAS-Port shows that it is not the Virtual Access Port which was using
> IOS 12.1(3.15)T.
>
> The Acct-Session-Id is important for us and it didn't present in the old
> IOS version, that's why we need this new IOS version. Moreover, the
> NAS-Port is also important for us but now is not meaningful.
>
> Anyone who knows how to convert the NAS-Port to the "real" virtual access
> port.
>
> Thanks a lot!
>
> Quintin
>
> 
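The format "d" bit layout used by the hook above, as an added Python example (not part of the original posts and not Radiator code): it decodes a NAS-Port, rejects values that do not fit in 32 bits, and cross-checks the result against the Acct-Session-Id of the accounting record quoted in the thread. The function names are hypothetical, and the slot/module/port/vpi.vci reading of the Acct-Session-Id prefix is an assumption inferred from that single record.

```python
"""Decode Cisco NAS-Port format "d" and cross-check it against Acct-Session-Id.

Added example; all names are hypothetical. Bit layout (MSB to LSB), taken from
the hook's comment: slot(4) module(1) port(3) vpi(8) vci(16).
"""
import re
from typing import NamedTuple, Optional


class AtmPort(NamedTuple):
    slot: int
    module: int
    port: int
    vpi: int
    vci: int


def decode_format_d(nas_port: int) -> AtmPort:
    """Split a 32-bit NAS-Port into its format "d" fields."""
    if not 0 <= nas_port <= 0xFFFFFFFF:
        raise ValueError(f"NAS-Port {nas_port!r} does not fit in 32 bits")
    return AtmPort(
        slot=(nas_port >> 28) & 0xF,
        module=(nas_port >> 27) & 0x1,
        port=(nas_port >> 24) & 0x7,
        vpi=(nas_port >> 16) & 0xFF,
        vci=nas_port & 0xFFFF,
    )


def encode_format_d(p: AtmPort) -> int:
    """Inverse of decode_format_d, with a range check on every field."""
    limits = {"slot": 0xF, "module": 0x1, "port": 0x7, "vpi": 0xFF, "vci": 0xFFFF}
    for name, limit in limits.items():
        value = getattr(p, name)
        if not 0 <= value <= limit:
            raise ValueError(f"{name}={value} out of range 0..{limit}")
    return (p.slot << 28) | (p.module << 27) | (p.port << 24) | (p.vpi << 16) | p.vci


# Assumed layout of the Acct-Session-Id prefix, inferred from the one record
# in the thread: slot/module/port/vpi.vci_<suffix>
_SESSION_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+)\.(\d+)_")


def parse_session_id(session_id: str) -> Optional[AtmPort]:
    """Return the port fields embedded in the session id, or None."""
    m = _SESSION_RE.match(session_id)
    return AtmPort(*map(int, m.groups())) if m else None


def parse_record(text: str) -> dict:
    """Parse the 'Name = value' lines of a detail-file style record."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip().strip('"')
    return attrs


def check_record(text: str) -> str:
    """Return 'match', 'mismatch' or 'unverifiable' for one accounting record."""
    attrs = parse_record(text)
    try:
        decoded = decode_format_d(int(attrs["NAS-Port"]))
    except (KeyError, ValueError):
        return "unverifiable"  # missing, non-numeric or oversized NAS-Port
    from_session = parse_session_id(attrs.get("Acct-Session-Id", ""))
    if from_session is None:
        return "unverifiable"  # session id is not in the assumed layout
    return "match" if decoded == from_session else "mismatch"


# Accounting Start record from the thread, trimmed to the attributes used here.
RECORD = '''
NAS-IP-Address = 192.168.200.17
NAS-Port = 1879713553
NAS-Port-Type = Virtual
Acct-Session-Id = "7/0/0/10.10001_00B1"
'''

if __name__ == "__main__":
    print(decode_format_d(1879713553))
    print(check_record(RECORD))
```

A "mismatch" result on live records usually means the NAS is not actually sending format "d", so the decoded pseudo-attributes should not be relied on for accounting or session limits.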



Re: (RADIATOR) Splitting Auth and Accounting

2001-09-14 Thread Hugh Irvine


Hello Paul -

There are two ways of doing this, either with Handlers or by running two 
instances of Radiator (one for authentication the other for accounting).

Using Handlers you would do this:


.



.


Using two instances, you would do this on the authentication server:

AuthPort 1812
AcctPort

and this on the accounting server:

AuthPort
AcctPort 1813

You would of course use the port numbers that are appropriate for your 
installation.

hth

Hugh


On Thursday 13 September 2001 14:24, Paul Thorton wrote:
> Hi,
>
> I have been reading the Mailing list archives in an attempt to find out
> how
> to split the Authentication and Accounting up, in order to authenticate
> from
> a flat file, but send the accounting packet to another radius server
> (Proxy it)
>
> I have seen one example of this, but it was not very clear. Can you
> please help.
>
> I was thinking, something like this might work?
>
> 
>   AcctLogFileName /var/log/radacct/detail
>   PreAuthHook file:"/usr/local/etc/preauthhook.pl"
>   AuthByPolicy DoAllAuths
>   
>   Filename %D/auth_file
>   
>   
>   Host 1.1.1.1
>   Secret blahblah
>   # AuthPort 1812 # Commented out as only want to send account
>   AcctPort 1813
>   ReplyHook file:"/usr/local/etc/replyhook.pl"
>   
> 
>
> I am guessing if the  fails, it will reject the user
> completely and
> not send the accounting packet? If this is the right way to do it? I
> basically
> do not want the radius server to know about it unless it authenticates
> of the
> flat file correctly.
>
> Cheers,
>
> Paul Thornton.