(RADIATOR) %R
hi,
i have a problem with the special character "%R". the users of our network
have a lot of different user realms where the realm format is specified as:
dnnnk (for example d001k12345678) ore K (for example
K12345678).
for handeling all the requests with one handler we constructed this handler.
Filename /usr/local/lib/radiator/users/%R
and now the problem:
it seems, that if there are many request with different realms, the pointer
( /usr/local/lib/radiator/users/%R) loks at the wrong file to match the
request.
we use radiator 2.18.
by debugging sometimes the file radiator try to match the request is shown
and somtimes not. by rejekt's this information is newer shown, so i can't
check, if radiator looks in the right file or not.
some debugs are attached.
hope you can help me.
best regards
emin
<>
Emin Bozkurt
System Technik
riodata GmbH
Hessenring 13 a
64546 Mörfelden
Fon +49 6105 2843 812
Mobile +49 163 2843 184
Fax +49 6105 2843 777
www.riodata.de
ACCESS ACCEPT:
*** Received from 10.0.5.5 port 1029
Code: Access-Request
Identifier: 22
Authentic: .<139><195>;<129>Ts=<6><227><222><184><247><191>jZ
Attributes:
User-Name = "T000102650001@d001k00010967"
CHAP-Password =
"<1><173><8>g<3><205><146><214><219>S<26><202><170><177><21><249><179>"
NAS-IP-Address = 10.100.14.1
NAS-Port = 1
NAS-Port-Type = 2
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "xxx"
Called-Station-Id = "xxx"
Acct-Session-Id = "376703097"
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=local,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=riocon,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=VPN, Service-Type=Framed-User,
NAS-IP-Address=10.100.14.1 should be used to handle this request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=rioras,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=d001riocon,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=riodata,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=insiders,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=dial_test,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=vpn_test,
Service-Type=Framed-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=local,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=riocon,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=VPN, Service-Type=Login-User,
NAS-IP-Address=10.100.14.1 should be used to handle this request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=rioras,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=d001riocon,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=riodata,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=insiders,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=dial_test,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=vpn_test,
Service-Type=Login-User, NAS-IP-Address=10.100.14.1 should be used to handle this
request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=riocon,
Service-Type=Framed-User should be used to handle this request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler Realm=lite, Service-Type=Framed-User
should be used to handle this request
Sun Dec 9 02:40:36 2001: DEBUG: Check if Handler
Realm=/(^[d]\d{3}[k]\d{8}$)|(^[K]\d{8}$)/, NAS-IP-Address=10.100.14.1 should be used
to handle this request
Sun Dec 9 0
Re: (RADIATOR) %R
Hi, I guess (but Hugh or Mike could prove me wrong) that the problem lies in caching. I didn't read the source, but I guess the file caching is done on an AuthBy basis (and not on a "different file" basis). The manual states (release 2.18.4): > For performance reasons, AuthBy FILE opens and reads the user database > at start-up, reinitialisation and whenever the file's modification > time changes, (i.e. the database is cached within Radiator). Since the > user database is cached in memory, large databases can require large > amounts of memory. Since the actual file name is known when the first @dnnnk or @K comes in, and that is the file checked for every access in that realm. You could do the following: Filename /usr/local/lib/radiator/users/%R Nocache and that might work, alas, at the expense of performance. If one of those files is too large, you would be in trouble (I think the searches in the file are linear). Proably keeping a copy of the files in a ram disk and pointing to them would speed up the look-ups a bit... but they are still linear, if you can, order the users inside a file by rate of use. El 11 Dec 2001 a las 12:28, Bozkurt, Emin escribió: > hi, > i have a problem with the special character "%R". the users of our network > have a lot of different user realms where the realm format is specified as: > dnnnk (for example d001k12345678) ore K (for example > K12345678). > for handeling all the requests with one handler we constructed this handler. > > Service-Type=Framed-User> > > Filename /usr/local/lib/radiator/users/%R > > > > and now the problem: > it seems, that if there are many request with different realms, the pointer > ( /usr/local/lib/radiator/users/%R) loks at the wrong file to match the > request. > we use radiator 2.18. > by debugging sometimes the file radiator try to match the request is shown > and somtimes not. by rejekt's this information is newer shown, so i can't > check, if radiator looks in the right file or not. > some debugs are attached. > > hope you can help me. > best regards > emin > > > > <> > > > Emin Bozkurt > System Technik > > riodata GmbH > Hessenring 13 a > 64546 Mörfelden > > Fon +49 6105 2843 812 > Mobile+49 163 2843 184 > Fax +49 6105 2843 777 > > www.riodata.de > > > > -- Mariano Absatz El Baby -- Gene Police!!! Get out of the pool!! === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) CHAP vs. PAP
Hello all, I have a question regarding CHAP and PAP password authentication. All of our routers use PAP, but now some managed modem companies here are wanting to use CHAP. As far as I can tell from reading through the Radiator docs, it doesn't seem to care (using AuthBy SQL). Is this correct? If Radiator doesn't care whether it is using CHAP or PAP, can anyone tell me what part of the chain would (dialup computer, modem, NAS)? Thanks for any help you can give on this matter. Griff Hamlin, III === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Authentication through DNIS.
Hello Wasim -
The trace 4 below (thanks for sending it) shows that your NAS is sending the
number "7159" as the value for the Called-Station-Id (note the spelling). You
can check for this in a users file as follows:
cool Password = ., Called-Station-Id = 7159, Simultaneous-Use = 4
Service-Type = Framed-User,
Framed-Protocol = PPP
Note that Called-Station-Id is the number that the user has dialled.
If you want to check the number the user is dialling from you would do this:
cool Password = ., Calling-Station-Id = 13155131, Simultaneous-Use = 4
Service-Type = Framed-User,
Framed-Protocol = PPP
All check items must appear on the first line of a user definition and the
reply items on the second and following lines with white space at the
beginning and a comma at the end of every reply line except the last.
Have a look at section 13 of the Radiator 2.19 reference manual.
regards
Hugh
On Sat, 8 Dec 2001 20:22, Wasim Ahmed Khan wrote:
> Hi All,
>
> I want to authenticate few of our users defined in radiator's user file
> on basis of DNIS. How can we do that through radiator. As first i try
> to pass Called-Station-ID attribute in users file but strangely it is
> not authenticating. Here is sumthing detail shows:
> It is picking "7159" as called-station-Id.
>
> Is there any other way to authenticate specific user on the basis on
> DNIS or otherwise where i m wrong in this whole scenario.
>
> Wed Dec 8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on
> netops-2
> Wed Dec 8 12:31:40 1999: DEBUG: Packet dump:
> *** Received from 202.63.217.245 port 1645
> Code: Access-Request
> Identifier: 226
> Authentic:
> <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
> Attributes:
> NAS-IP-Address = 202.63.217.245
> NAS-Port = 62
> Cisco-NAS-Port = "Async62"
> NAS-Port-Type = Async
> User-Name = "cool"
> Called-Station-Id = "7159"
> Calling-Station-Id = "215219321"
> User-Password = "<240>Q<142><218><240>K<177>T?
> 1@<15><215>z<250><224>"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Wed Dec 8 12:31:40 1999: DEBUG: Handling request with
> Handler 'Realm=DEFAULT'
> Wed Dec 8 12:31:40 1999: DEBUG: Deleting session for cool,
> 202.63.217.245, 62
> Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
> Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
> Wed Dec 8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'cool' or sa.shell = 'cool')
> and ma.customerid = sa.customerid
> and sa.active <> 0 and ma.active <> 0
>
> Wed Dec 8 12:31:41 1999: DEBUG: Query is: insert into badattempt
> (date,userid,password,cli) values ('12/8/1999
> 12:31:40','cool','ðQÚðK±T?1@×zúà','215219321')
>
> Wed Dec 8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match
> with cool
> Wed Dec 8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT')
> and ma.customerid = sa.customerid
> and sa.active <> 0 and ma.active <> 0
>
> Wed Dec 8 12:31:42 1999: DEBUG: Query is: insert into badattempt
> (date,userid,password,cli) values ('12/8/1999
> 12:31:41','cool','ðQÚðK±T?1@×zúà','215219321')
>
> Wed Dec 8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE
> Wed Dec 8 12:31:42 1999: DEBUG: Reading users file ./users
> Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with
> cool
> Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Dec 8 12:31:42 1999: DEBUG: Access accepted for cool
> Wed Dec 8 12:31:42 1999: WARNING: No such attribute Simultaneous-Use
> Wed Dec 8 12:31:42 1999: DEBUG: Packet dump:
> *** Sending to 202.63.217.245 port 1645
> Code: Access-Accept
> Identifier: 226
> Authentic:
> <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Simultaneous-Use = 4
> Called-Station-Id = "13155131"
>
> Wed Dec 8 12:31:42 1999: DEBUG: Packet dump:
> *** Received from 202.63.217.245 port 1646
> Code: Accounting-Request
> Identifier: 227
> Authentic: <139><232>b;:g<212>J<226><199><248><155><210>L<175><17>
> Attributes:
> NAS-IP-Address = 202.63.217.245
> NAS-Port = 62
> Cisco-NAS-Port = "Async62"
> NAS-Port-Type = Async
> User-Name = "cool"
> Called-Station-Id = "7159"
> Calling-Station-Id = "215219321"
> Acct-Status-Type = Start
>
Re: (RADIATOR) CHAP vs. PAP
Hello Griff -
As long as you have plain-text passwords in your database, the NAS(s) can use
either PAP or CHAP. If you have encrypted passwords in your database, the
NAS(s) can only use PAP.
Have a look at rfc2865 for the details ("doc/rfc2865.txt").
regards
Hugh
On Wed, 12 Dec 2001 11:26, Griff Hamlin, III wrote:
> Hello all,
>
> I have a question regarding CHAP and PAP password authentication. All of
> our routers use PAP, but now some managed modem companies here are
> wanting to use CHAP. As far as I can tell from reading through the
> Radiator docs, it doesn't seem to care (using AuthBy SQL). Is this
> correct? If Radiator doesn't care whether it is using CHAP or PAP, can
> anyone tell me what part of the chain would (dialup computer, modem,
> NAS)?
>
> Thanks for any help you can give on this matter.
>
> Griff Hamlin, III
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) %R
Hello Emin - Thanks for sending the log, but I can't see anything wrong with it (other than the second packet shown does not match the debug). Could you please provide me with a bit more detail? BTW - the latest version of Radiator is 2.19. regards Hugh On Tue, 11 Dec 2001 22:28, Bozkurt, Emin wrote: > hi, > i have a problem with the special character "%R". the users of our network > have a lot of different user realms where the realm format is specified as: > dnnnk (for example d001k12345678) ore K (for example > K12345678). > for handeling all the requests with one handler we constructed this > handler. > > Service-Type=Framed-User> > > Filename /usr/local/lib/radiator/users/%R > > > > and now the problem: > it seems, that if there are many request with different realms, the pointer > ( /usr/local/lib/radiator/users/%R) loks at the wrong file to match the > request. > we use radiator 2.18. > by debugging sometimes the file radiator try to match the request is shown > and somtimes not. by rejekt's this information is newer shown, so i can't > check, if radiator looks in the right file or not. > some debugs are attached. > > hope you can help me. > best regards > emin > > > > <> > > > Emin Bozkurt > System Technik > > riodata GmbH > Hessenring 13 a > 64546 Mörfelden > > Fon +49 6105 2843 812 > Mobile+49 163 2843 184 > Fax +49 6105 2843 777 > > www.riodata.de -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad login count
Hello Chairath -
I apologise, but I don't understand the question. Could you please provide me
with more details and a trace 4 debug showing the problem.
thanks
Hugh
On Tue, 11 Dec 2001 17:51, Chairath K wrote:
> Hello Hugh,
>
> Our Nas send a user with realm. And when I set Bad login count to zero , I
> can login with user2@test2 also.
>
> Regards,
> Chairath
>
> > Hello Chairath -
> >
> > The log message shown below is due to the username "user2@test2" not
> > being found in the database. This is probably because you have not used a
> > RewriteUsername in the Handler to strip the realm (you should use the
> > same one that you used in the Realm clause).
> >
> > regards
> >
> > Hugh
> >
> > On Tue, 11 Dec 2001 15:17, Chairath K wrote:
> > > Hello Hugh,
> > >
> > > I have got problem about Bad login count. According to section 5.1.9 in
> > > reference manual of RAdmin version 1.4 , it said that if we leave this
> > > field blank, then no bad login limits will be applied. But !! when I
> > > try
>
> ,
>
> > > I can't login . In log file shows a message like these
> > >
> > >
> > > Tue Dec 11 10:53:56 2001: INFO: Access rejected for user2@test2: No
> > > such user Tue Dec 11 10:53:56 2001: DEBUG: Packet dump:
> > > *** Sending to 10.20.0.2 port 49156
> > > Code: Access-Reject
> > > Identifier: 159
> > > Authentic: <0><0>4G<0><0><13><21><0><0><31>><0><0>/<172>
> > > Attributes:
> > > Reply-Message = "Request Denied"
> > >
> > > So how can I fixed it .
> > > Futhermore , how can I expand login limit to more than 5
> > >
> > > Regards,
> > > Chairath
> > >
> > > P.S. Our system are running with Radiator 2.18 and Radmin 1.4
> > >
> > > Foreground
> > > LogStdout
> > > LogDir d:/Radiator-2.18/log
> > > DbDir d:/Radiator-2.18
> > > LogFile %L/logfile-%d-%m-%Y
> > >
> > > # Dont turn this up too high, since all log messages are logged
> > > # to the RADMESSAGES table in the database. 3 will give you everything
> > > # except debugging messages
> > > Trace 4
> > >
> > >
> > > # PreClientHook to add NAS-Port attribute
> > > PreClientHook file:"%D/addNASPort"
> > >
> > > # You will probably want to change this to suit your site.
> > > # You should list all the clients you have, and their secrets
> > > # If you are using the Radmin Clients table, you wil probably
> > > # want to disable this.
> > > #
> > > # Secret mysecret
> > > # DupInterval 0
> > > #
> > >
> > > # You can put additonal (or all) client details in your Radmin
> > > # database table
> > > # and get their details from there with something like this:
> > > # You can then use the Radmin 'Add Radius Client' to add new clients.
> > >
> > > DBSource dbi:ODBC:Radmin
> > > DBUsername xxx
> > > DBAuth
> > >
> > >
> > > #
> > > # Identifier ProxyTofunk
> > > # Host 10.2.0.6
> > > # Secret test
> > > #
> > >
> > > #
> > > # strip Realm
> > > # RewriteUsername s/^([^@]+).*/$1/
> > > # AuthBy ProxyTofunk
> > > #
> > >
> > >
> > > Identifier RADMINAUTH
> > > # Change DBSource, DBUsername, DBAuth for your database
> > > # See the reference manual. You will also have to
> > > # change the one in below
> > > # so its the same
> > > DBSource dbi:ODBC:Radmin
> > > DBUsername xxx
> > > DBAuth
> > > DateFormat %e %m %Y %T
> > > # You can add to or change these if you want, but you
> > > # will probably want to change the database schema first
> > > AccountingTable RADUSAGE
> > > AcctColumnDef USERNAME,User-Name
> > > AcctColumnDef TIME_STAMP,Timestamp,integer
> > > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> > > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> > > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> > > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> > > AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> > > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> > > AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> > > AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> > > AcctColumnDef NASIDENTIFIER,NAS-Identifier
> > > AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> > > AcctColumnDef NASPORT,NAS-Port,integer
> > > AcctColumnDef DNIS,Called-Station-Id
> > > AcctColumnDef DATE,Timestamp,integer-date
> > > # This updates the time and octets left
> > > # for this user
> > > AcctSQLStatement update RADUSERS set
> > > TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
> > > OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
> > > OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
> > >
> > >
> > >
> > >
> > > Identifier WithIdleTimeout
> > > AuthBy RADMINAUTH
> > > # These are the classic things to add to each users
> > > # reply to allow a PPP dialup session. It may be
> > > # different for your NAS. This will add some
> > > # reply items to everyone's reply
> > > AddToReply Framed-Protocol = PPP,\
> > > Service-Type = Framed-User,\
> > > Framed-IP-Netmask = 255.255.255.255,\
> > > Framed-Routing = None,\
(RADIATOR) Radmin problem
Dear all, I have found some problem on setup radmin, after all the stuffs done, I would like to know 2 things 1. Can I set the user with no expiry date ? 2. when I edit user with password masked, after I click update, the user password will become "" how can I solve ??? thx regards, ++ +Billy Li+ ++ +System Engineer + +Unitech Computer System Ltd.+ ++ + mailto:[EMAIL PROTECTED] + ++ === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
