Re: (RADIATOR) Rcrypt Question

2002-01-11 Thread Hugh Irvine


Hello Francine -

Could you please send me a copy of your configuration file (no secrets) 
together with a trace 4 debug showing what is happening. I will also need a 
copy of the encrypted password and the RcryptKey value.

Also - what version of Radiator are you using?

thanks

Hugh


On Fri, 11 Jan 2002 18:37, KHOO,FRANCINE-TL (HP-Singapore,ex7) wrote:
 Hi,

 I am trying to use Rcrypt to encrypt the passwords in my users file for
 radiator.

 I have created a small perl script using the Radius::Rcrypt, and in this
 program i encrypt and immediately decrypt the password. It seems to work as
 i get an encrypted string, and it decrypts successfully back to the
 original password.

 I copied the encrypted password into the flat file user database, according
 to the example given in 13.1 Check items of the radiator reference manual,
 {rcrypt}encrypted string. I have also put the RcryptKey value into my
 AuthBy clause.

 When i try to authenticate with radius, using a plaintext password, i get a
 Bad password error.

 Can i please find out how to properly use Rcrypt to encrypt the user
 database?
 Is my concept of Rcrypt wrong? My understanding is that it stores the
 encrypted password in the user database, decrypts the user database
 password and subsequently compares it to the plaintext password given by
 the user. but it seems like if i encrypt the same password over and over
 again, it gives me a different encrypted string each time.

 Any help would be greatly appreciated!
 Thanks.

 Regards,
 Francine.


 ===
 Archive at http://www.open.com.au/archives/radiator/
 Announcements on [EMAIL PROTECTED]
 To unsubscribe, email '[EMAIL PROTECTED]' with
 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



(RADIATOR) Different User

2002-01-11 Thread Ivan Arias



Hi all

I need some help

I have two kinds of user.

example

pppa0001... pppa0010 and pppb0001... pppb0020

So far all of them coming for the same realm.

I want to give to all pppa ipconfig from the Ip pool using address allocator.
and I want to give all pppb user Ipconfig from my terminal server

the pppb is working fine but really I do not know how can I tell to the
radius to do this with the pppa

I have 2 radiator in two different machine working as primary auth and
secondary auth, and one of them is also accounting server.

pppa and pppb are in the user file.

Any body can help me
Thanks
Ivan


(RADIATOR) Enforcing Proxied Framed-Route

2002-01-11 Thread Chris M

How would you enforce IP addresses assigned via Proxy?

In other words, if I proxy someone's realm over to their RADIUS server
(which is some other brand of radius software) and trust them to assign the
right subnet, that's *OK* but not great.  Is there a way to enforce or limit
addresses that are assigned by the proxy?

Not just single IPs but subnets too...?

Thanks
Chris




Re: (RADIATOR) Enforcing Proxied Framed-Route

2002-01-11 Thread Hugh Irvine


Hello Chris -

You would probably need to do this in a ReplyHook.

regards

Hugh


On Sat, 12 Jan 2002 08:41, Chris M wrote:
 How would you enforce IP addresses assigned via Proxy?

 In other words, if I proxy someone's realm over to their RADIUS server
 (which is some other brand of radius software) and trust them to assign the
 right subnet, that's *OK* but not great.  Is there a way to enforce or
 limit addresses that are assigned by the proxy?

 Not just single IPs but subnets too...?

 Thanks
 Chris

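The decision a ReplyHook of this kind has to make, as an added example that is not code from the thread or from Radiator: the `%ALLOWED` policy table, the function names and the sample addresses are assumptions. Reading the attributes out of the proxied reply and turning a failed check into a reject is left to the hook itself.

```perl
use strict;
use warnings;
# Hypothetical policy: prefixes each proxied realm may hand out (constructed values).
my %ALLOWED = ('example.net' => ['192.0.2.0/24', '198.51.100.64/26']);

# Dotted quad -> 32-bit integer; undef if malformed.
sub ip2int {
    my ($ip) = @_;
    return unless defined $ip && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @o = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# "a.b.c.d/len" (a bare address counts as /32) -> [first, last]; undef if malformed.
sub cidr_range {
    my ($cidr) = @_;
    my ($ip, $len) = split m{/}, $cidr, 2;
    $len = 32 unless defined $len;
    my $base = ip2int($ip);
    return unless defined $base && $len =~ /\A\d{1,2}\z/ && $len <= 32;
    my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    return [$base & $mask, ($base & $mask) | (~$mask & 0xFFFFFFFF)];
}

# True only if the whole candidate (address or subnet) lies inside an allowed prefix.
sub within_policy {
    my ($realm, $candidate) = @_;
    my $c = cidr_range($candidate) or return 0;
    for my $spec (@{ $ALLOWED{$realm} || [] }) {
        my $net = cidr_range($spec) or next;
        return 1 if $c->[0] >= $net->[0] && $c->[1] <= $net->[1];
    }
    return 0;    # unknown realm, malformed value, or outside every prefix
}

# Check one proxied reply. A Framed-Route value is "prefix gateway metrics".
# The special Framed-IP-Address values 255.255.255.254/255 fail the check too.
sub reply_ok {
    my ($realm, $framed_ip, @routes) = @_;
    return 0 if defined $framed_ip && !within_policy($realm, $framed_ip);
    for my $route (@routes) {
        my ($prefix) = split ' ', $route;
        return 0 unless defined $prefix && within_policy($realm, $prefix);
    }
    return 1;
}
# Constructed replies: inside the policy, outside it, and a route wider than allowed.
for my $case (['192.0.2.17', '198.51.100.64/27 192.0.2.17 1'], ['203.0.113.5'],
              ['192.0.2.17', '198.51.100.0/24 192.0.2.17 1']) {
    print join(' + ', @$case), ' => ', (reply_ok('example.net', @$case) ? 'accept' : 'reject'), "\n";
}
```

Comparing ranges rather than single addresses is what covers the "subnets too" part of the question: a route is accepted only when its first and last address both fall inside one allowed prefix.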



Re: (RADIATOR) Different User

2002-01-11 Thread Hugh Irvine


Hello Ivan -

It is probably easiest to use Handlers for this sort of thing:

# define Handlers

<Handler User-Name = /^pppa/>
.
</Handler>

<Handler User-Name = /^pppb/>
.
</Handler>

..

Note that you should not mix Realms and Handlers in the same configuration 
file, and more specific Handlers must appear before more general Handlers.

regards

Hugh


On Fri, 11 Jan 2002 22:55, Ivan Arias wrote:
 Hi all

 I need some help

 I have two kinds of user.

 example

 pppa0001... pppa0010  and  pppb0001... pppb0020

 So far all of them coming for the same realm.

 I want to give to all pppa ipconfig from the Ip pool using address
 allocator. and I want to give all pppb user Ipconfig from my terminal
 server

 the pppb is working fine but really I do not know how can I tell to the
 radius to do this with the pppa

 I have 2 radiator in two different machine working as primary auth and
 secondary auth, and one of them is also accounting server.

 pppa and pppb are in the user file.


 Any body can help me
 Thanks
 Ivan




Re: (RADIATOR) problem with changing attributes during an PreAuthHook

2002-01-11 Thread Hugh Irvine


Hello Atto -

You would simply use a regular expression like this:

someuser  Calling-Station-Id = /11223344|556677|889900/

regards

Hugh


On Sat, 12 Jan 2002 00:39, Atto Lorenz wrote:
 The problem is, that I can define only one calling-station-id in the check
 attributes. But the user is allowed to call from up to five numbers.

  -Original Message-
  From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
  Sent: Friday, January 11, 2002 2:38 AM
  To: Atto Lorenz; [EMAIL PROTECTED]
  Cc: Atto Lorenz; [EMAIL PROTECTED]
  Subject: Re: (RADIATOR) problem with changing attributes during an
  PreAuthHook
 
 
 
  Hello Atto -
 
  Why don't you just use a check item in the user definition?
 
  someuser  Calling-Station-Id = 11223344
 
  Your AuthBy SQL clause would look something like this:
 
  <AuthBy SQL>
  .
  AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
  from SUBSCRIBERS where USERNAME = '%n'
  AuthColumnDef 0, Password, check
  AuthColumnDef 1, GENERIC, check
  AuthColumnDef 2, GENERIC, reply
  .
  </AuthBy>
 
  BTW - the latest version of Radiator is 2.19 and you should really consider
  upgrading.
 
  Have a look at section 6.28 in the Radiator 2.19 reference manual.
 
  regards
 
  Hugh
 
  On Thu, 10 Jan 2002 20:31, Atto Lorenz wrote:
   Hi,

   today I tried to write a PreAuthHook, which checks the Calling-Station-ID.
   I have stored the telephone numbers also in the database.

   The idea to check the calling_station_id was to compare the
   calling_station_id from the user with the calling_station_ids from the
   database. If the calling_station_id from the user don't match one number
   from the database, the hook change the password from the user and the
   normal following authentication fails/reject's the user.

   At first I tested the hook with radpwtst script. With the script the hook
   reject a user if the calling_station_id is wrong. So all was working fine.
   The next step was to test it with a real NAS. But with this test the hook
   didn't work. In the debug log and the accounting data I can see if I change
   attributes but the NAS get always an Access-Accept.

   Must I use another command to change attributes? I tried it with
   ${$_[0]}->change_attr('') and with ${$_[1]}->change_attr('...')

   Another idea was to use a PostAuthHook and use the
   ${$_[1]}->set_code('Access-Reject'). But this solution also didn't
   work.

   Are there any bugs in the Radiator version 2.16, which damages the hook's?
   I looked in the history of the next versions but I can't find any relevant
   information.
  
   #
   # PreAuthHook for Radiator
   #
   # Check if the caller_id is ok and deny or permit the user
   #
   sub
   {
       my $request = ${$_[0]};
       my $reply = ${$_[1]};

       # Get Username and split it in username and realmname
       my($realmusername)=$request->getUserName();
       my($username,$realmname)=$realmusername=~/^(.+?)@(.+?)$/;
       my($dialok)=1;

       # Get Calling-Station-Id if not exist quit
       my($calling_station_id)=$request->get_attr('Calling-Station-Id');
       if(!$calling_station_id)
       {
           return();
       }

       # get the caller_id from database if caller_id not exist quit
       my($authby_handle)= Radius::AuthGeneric::find('callerid');
       my($query)= "select * from snapshot where loginname='$username' AND realmname='$realmname'";
       my($sth)= $authby_handle->prepareAndExecute($query);
       my($val)=$sth->fetchrow_hashref();

       if(!$val->{caller_id})
       {
           return();
       }

       # check if caller_id is ok
       my(@callerid)=split(/,/,$val->{caller_id});
       $calling_station_id=~s/^0*//;
       foreach(@callerid)
       {
           $dialok=0;
           s/^0*//;
           if($_ eq $calling_station_id)
           {
               $dialok=1;
               last;
           }
       }

       # if wrong calling_station_id change the password
       if ( not $dialok ) {
           ${$_[0]}->change_attr('User-Password',"xxx");
           ${$_[1]}->change_attr('User-Password',"xxx");
           #$reply->set_code ('Access-Reject');
       }
   }
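A caller-ID allow list written as a regular expression fails open in two ways: an empty alternative (a stray `|`) matches every value, and an unanchored pattern matches any number that merely contains an allowed one. The sketch below is an added example, not code from the thread or from Radiator; the function names and the sample numbers other than the three quoted in the thread are assumptions. It builds an anchored pattern from a comma-separated list and rejects when nothing usable is left after normalisation.

```perl
use strict;
use warnings;

# Normalise a number the way the hook in this thread does (strip leading
# zeros), after dropping anything that is not a digit.
sub normalise {
    my ($n) = @_;
    return '' unless defined $n;
    $n =~ s/\D//g;
    $n =~ s/^0+//;
    return $n;
}

# Build one anchored pattern from a comma-separated allow list.
# Empty entries are dropped so a stray separator can never match everything.
sub allow_pattern {
    my ($list) = @_;
    my @nums = grep { length $_ } map { normalise($_) } split /,/, $list;
    return unless @nums;                 # nothing usable: caller must reject
    my $alt = join '|', map { quotemeta($_) } @nums;
    return qr/\A(?:$alt)\z/;
}

# 1 only when the normalised caller ID equals one allowed number exactly.
sub caller_allowed {
    my ($calling_station_id, $list) = @_;
    my $id = normalise($calling_station_id);
    my $re = allow_pattern($list);
    return 0 unless length($id) && defined($re);   # fail closed
    return $id =~ $re ? 1 : 0;
}

# Constructed inputs: allowed numbers, a number that only contains one,
# an unrelated number and an empty value.
my $loose = qr/11223344|556677|889900|/;   # trailing '|' is an empty alternative
for my $id ('11223344', '0556677', '99911223344', '12345', '') {
    printf "%-14s loose=%d strict=%d\n", "'$id'",
        ($id =~ $loose ? 1 : 0), caller_allowed($id, '11223344,556677,889900,');
}
```

The `loose` column shows the pattern with the empty alternative accepting every input, including the empty string, while the `strict` column accepts only the first two.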