Re: (RADIATOR) Rcrypt Question
Hello Francine -

Could you please send me a copy of your configuration file (no secrets) together with a trace 4 debug showing what is happening. I will also need a copy of the encrypted password and the RcryptKey value.

Also - what version of Radiator are you using?

thanks

Hugh

On Fri, 11 Jan 2002 18:37, KHOO,FRANCINE-TL (HP-Singapore,ex7) wrote:
> Hi,
>
> I am trying to use Rcrypt to encrypt the passwords in my users file for Radiator. I have created a small Perl script using the Radius::Rcrypt, and in this program I encrypt and immediately decrypt the password. It seems to work as I get an encrypted string, and it decrypts successfully back to the original password.
>
> I copied the encrypted password into the flat file user database, according to the example given in 13.1 Check items of the Radiator reference manual, {rcrypt}encrypted string. I have also put the RcryptKey value into my AuthBy clause.
>
> When I try to authenticate with radius, using a plaintext password, I get a Bad password error.
>
> Can I please find out how to properly use Rcrypt to encrypt the user database? Is my concept of Rcrypt wrong? My understanding is that it stores the encrypted password in the user database, decrypts the user database password and subsequently compares it to the plaintext password given by the user. But it seems like if I encrypt the same password over and over again, it gives me a different encrypted string each time.
>
> Any help would be greatly appreciated! Thanks.
>
> Regards,
> Francine.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) Different User
Hi all,

I need some help. I have two kinds of user, for example pppa0001... pppa0010 and pppb0001... pppb0020. So far all of them are coming from the same realm.

I want to give all pppa users ipconfig from the IP pool using the address allocator, and I want to give all pppb users ipconfig from my terminal server. The pppb is working fine, but really I do not know how I can tell the radius to do this with the pppa.

I have 2 Radiator servers on two different machines working as primary auth and secondary auth, and one of them is also the accounting server. pppa and pppb are in the user file.

Can anybody help me?

Thanks
Ivan
(RADIATOR) Enforcing Proxied Framed-Route
How would you enforce IP addresses assigned via Proxy?

In other words, if I proxy someone's realm over to their RADIUS server (which is some other brand of radius software) and trust them to assign the right subnet, that's *OK* but not great.

Is there a way to enforce or limit addresses that are assigned by the proxy? Not just single IPs but subnets too...?

Thanks
Chris
Re: (RADIATOR) Enforcing Proxied Framed-Route
Hello Chris -

You would probably need to do this in a ReplyHook.

regards

Hugh

On Sat, 12 Jan 2002 08:41, Chris M wrote:
> How would you enforce IP addresses assigned via Proxy?
>
> In other words, if I proxy someone's realm over to their RADIUS server (which is some other brand of radius software) and trust them to assign the right subnet, that's *OK* but not great.
>
> Is there a way to enforce or limit addresses that are assigned by the proxy? Not just single IPs but subnets too...?
>
> Thanks
> Chris
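The kind of check a ReplyHook could apply to a proxied reply, as an added example that is not part of the original thread and not Radiator code: it tests Framed-IP-Address and Framed-Route values against an allow-list of subnets. The subnets, sample replies and function names are constructed; reading the values out of the reply packet and turning a violation into a reject is left to the hook and is an assumption about how it would be wired in.

```perl
use strict;
use warnings;

# Constructed policy: subnets the remote realm may hand out.
my @ALLOWED = ('10.20.0.0/16', '192.0.2.0/24');

# Parse "a.b.c.d/len" (bare address = /32) into (network, mask, len).
sub parse_cidr {
    my ($cidr) = @_;
    my ($addr, $len) = $cidr =~ m{\A(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\z}a
        or return;
    $len = 32 unless defined $len;
    my @oct = split /\./, $addr;
    return if $len > 32 || grep { $_ > 255 } @oct;
    my $mask = $len ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0;
    return (unpack('N', pack('C4', @oct)) & $mask, $mask, $len);
}

# True if prefix $cidr lies entirely inside one allowed subnet.
sub prefix_allowed {
    my ($cidr, $allowed) = @_;
    my ($net, undef, $len) = parse_cidr($cidr) or return 0;
    for my $entry (@$allowed) {
        my ($anet, $amask, $alen) = parse_cidr($entry) or next;
        return 1 if $len >= $alen && ($net & $amask) == $anet;
    }
    return 0;
}

# Violations found in a hash of reply attributes (name => value).
sub reply_violations {
    my ($attrs, $allowed) = @_;
    my @bad;
    if (defined(my $ip = $attrs->{'Framed-IP-Address'})) {
        push @bad, "Framed-IP-Address $ip" unless prefix_allowed($ip, $allowed);
    }
    for my $route (@{ $attrs->{'Framed-Route'} || [] }) {
        my ($dest) = split ' ', $route;   # destination prefix comes first
        # Fail closed on a route without an explicit prefix length.
        my $ok = defined($dest) && $dest =~ m{/} && prefix_allowed($dest, $allowed);
        push @bad, "Framed-Route $route" unless $ok;
    }
    return @bad;
}

# Constructed sample replies: one inside policy, two outside.
for my $reply (
    { 'Framed-IP-Address' => '10.20.5.7', 'Framed-Route' => ['10.20.5.0/24 10.20.5.7 1'] },
    { 'Framed-IP-Address' => '172.16.0.9' },
    { 'Framed-Route' => ['10.0.0.0/8 10.20.5.7 1', '192.0.2.128/25 0.0.0.0 1'] },
) {
    my @bad = reply_violations($reply, \@ALLOWED);
    print @bad ? "REJECT: " . join('; ', @bad) . "\n" : "ok\n";
}
```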
Re: (RADIATOR) Different User
Hello Ivan -

It is probably easiest to use Handlers for this sort of thing:

# define Handlers

<Handler User-Name = /^pppa/>
	.
</Handler>

<Handler User-Name = /^pppb/>
	.
</Handler>

..

Note that you should not mix Realms and Handlers in the same configuration file, and more specific Handlers must appear before more general Handlers.

regards

Hugh

On Fri, 11 Jan 2002 22:55, Ivan Arias wrote:
> Hi all,
>
> I need some help. I have two kinds of user, for example pppa0001... pppa0010 and pppb0001... pppb0020. So far all of them are coming from the same realm.
>
> I want to give all pppa users ipconfig from the IP pool using the address allocator, and I want to give all pppb users ipconfig from my terminal server. The pppb is working fine, but really I do not know how I can tell the radius to do this with the pppa.
>
> I have 2 Radiator servers on two different machines working as primary auth and secondary auth, and one of them is also the accounting server. pppa and pppb are in the user file.
>
> Can anybody help me?
>
> Thanks
> Ivan
Re: (RADIATOR) problem with changing attributes during an PreAuthHook
Hello Atto -

You would simply use a regular expression like this:

someuser	Calling-Station-Id = /11223344|556677|889900/

regards

Hugh

On Sat, 12 Jan 2002 00:39, Atto Lorenz wrote:
> The problem is that I can define only one calling-station-id in the check attributes. But the user is allowed to call from up to five numbers.
>
> -----Original Message-----
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 11, 2002 2:38 AM
> To: Atto Lorenz; [EMAIL PROTECTED]
> Cc: Atto Lorenz; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) problem with changing attributes during an PreAuthHook
>
> Hello Atto -
>
> Why don't you just use a check item in the user definition?
>
> someuser	Calling-Station-Id = 11223344
>
> Your AuthBy SQL clause would look something like this:
>
> <AuthBy SQL>
> 	.
> 	AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
> 		from SUBSCRIBERS where USERNAME = '%n'
> 	AuthColumnDef 0, Password, check
> 	AuthColumnDef 1, GENERIC, check
> 	AuthColumnDef 2, GENERIC, reply
> 	.
> </AuthBy>
>
> BTW - the latest version of Radiator is 2.19 and you should really consider upgrading.
>
> Have a look at section 6.28 in the Radiator 2.19 reference manual.
>
> regards
>
> Hugh
>
> On Thu, 10 Jan 2002 20:31, Atto Lorenz wrote:
> > Hi,
> >
> > today I tried to write a PreAuthHook which checks the Calling-Station-ID. I have stored the telephone numbers also in the database. The idea to check the calling_station_id was to compare the calling_station_id from the user with the calling_station_ids from the database. If the calling_station_id from the user doesn't match one number from the database, the hook changes the password from the user and the normal following authentication fails/rejects the user.
> >
> > At first I tested the hook with the radpwtst script. With the script the hook rejects a user if the calling_station_id is wrong. So all was working fine. The next step was to test it with a real NAS. But with this test the hook didn't work. In the debug log and the accounting data I can see that I change attributes, but the NAS always gets an Access-Accept.
> >
> > Must I use another command to change attributes? I tried it with ${$_[0]}->change_attr('') and with ${$_[1]}->change_attr('...'). Another idea was to use a PostAuthHook and use the ${$_[1]}->set_code('Access-Reject'). But this solution also didn't work.
> >
> > Are there any bugs in the Radiator version 2.16 which damage the hooks? I looked in the history of the next versions but I can't find any relevant information.
> >
> > #
> > # PreAuthHook for Radiator
> > #
> > # Check if the caller_id is ok and deny or permit the user
> > #
> > sub {
> >     my $request = ${$_[0]};
> >     my $reply = ${$_[1]};
> >
> >     # Get Username and split it in username and realmname
> >     my($realmusername)=$request->getUserName();
> >     my($username,$realmname)=$realmusername=~/^(.+?)@(.+?)$/;
> >     my($dialok)=1;
> >
> >     # Get Calling-Station-Id if not exist quit
> >     my($calling_station_id)=$request->get_attr('Calling-Station-Id');
> >     if(!$calling_station_id) { return(); }
> >
> >     # get the caller_id from database if caller_id not exist quit
> >     # (note: $username and $realmname come from the request and are
> >     # interpolated into the query text unescaped)
> >     my($authby_handle)= Radius::AuthGeneric::find('callerid');
> >     my($query)= "select * from snapshot where loginname='$username' AND realmname='$realmname'";
> >     my($sth)= $authby_handle->prepareAndExecute($query);
> >     my($val)=$sth->fetchrow_hashref();
> >     if(!$val->{caller_id}) { return(); }
> >
> >     # check if caller_id is ok
> >     my(@callerid)=split(/,/,$val->{caller_id});
> >     $calling_station_id=~s/^0*//;
> >     foreach(@callerid) {
> >         $dialok=0;
> >         s/^0*//;
> >         if($_ eq $calling_station_id) { $dialok=1; last; }
> >     }
> >
> >     # if wrong calling_station_id change the password
> >     if ( not $dialok ) {
> >         ${$_[0]}->change_attr('User-Password','xxx');
> >         ${$_[1]}->change_attr('User-Password','xxx');
> >         #$reply->set_code ('Access-Reject');
> >     }
> > }
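A check on the pattern itself, as an added example that is not part of the original thread and not Radiator code: an alternation used as a Calling-Station-Id check is only as strict as its pattern, since an empty alternative (for instance from a trailing `|`) matches every value and an unanchored pattern matches longer numbers that merely contain an allowed one. The numbers are the ones from the reply above; the probe values and function names are constructed, and it assumes the check item is applied as an ordinary unanchored Perl match.

```perl
use strict;
use warnings;

# Caller numbers allowed for one user (taken from the reply above).
my @numbers = ('11223344', '556677', '889900');

# Build an anchored pattern from literal numbers; refuse an empty list.
sub build_pattern {
    my @nums = grep { defined($_) && length($_) } @_;
    die "empty allow-list\n" unless @nums;
    my $alt = join '|', map { quotemeta($_) } @nums;
    return qr/\A(?:$alt)\z/;
}

# Return the probe values that a pattern accepts.
sub audit_pattern {
    my ($re, @probes) = @_;
    return grep { $_ =~ $re } @probes;
}

my $loose   = qr/11223344|556677|889900|/;   # trailing | is an empty alternative
my $partial = qr/11223344|556677|889900/;    # unanchored: substring match
my $strict  = build_pattern(@numbers);       # whole value must be on the list

# Constructed probe values, none of which is on the allow-list.
my @probes = ('', '99999999', '0011223344', '5566770');

for my $case (['loose', $loose], ['partial', $partial], ['strict', $strict]) {
    my ($name, $re) = @$case;
    my @hits = audit_pattern($re, @probes);
    printf "%-8s accepts %d value(s) not on the list: %s\n",
        $name, scalar(@hits), join(', ', map { "'$_'" } @hits);
}
```

If the NAS presents numbers with varying prefixes or leading zeros, normalise the value before comparing rather than loosening the anchors.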