(RADIATOR) Syslog - Logging

2002-01-29 Thread Shane Malden



I am just wondering if anyone knows the correct 
format of how to have Syslog log all user authentication attempts. Also, 
currently we have our Trace set to 3 and don't see any Successful 
authentications. If anyone can help, it would be appreciated.

Regards,
Shane


Re: (RADIATOR) Syslog - Logging

2002-01-29 Thread neil d. quiogue



Please use AUTHLOG Syslog found in Chapter 
6.50 of the Reference manual.

Though not SYSLOG, you may want to look at the 
authlog.cfg in the goodies/ directory. It has an example 
there.

Regards,

Neil D. Quiogue
PSINet Hong Kong Ltd.
A MEMBER OF THE CITIC PACIFIC GROUP
Voice (852) 2170.7140
Fax (852) 2372.0287


  - Original Message -
  From: Shane Malden
  To: [EMAIL PROTECTED]
  Sent: Tuesday, January 29, 2002 7:00 PM
  Subject: (RADIATOR) Syslog - Logging
  
  I am just wondering if anyone knows the correct 
  format of how to have Syslog log all user authentication attempts. Also, 
  currently we have our Trace set to 3 and don't see any Successful 
  authentications. If anyone can help, it would be appreciated.
  
  Regards,
  Shane


(RADIATOR) Reply based on connection IP?

2002-01-29 Thread Robert G. Fisher


Wondering if there is a way to configure a set
of reply items based on the IP address of the connecting
client.  
One of the roaming partners we're using is 
insisting on a set of filters be applied to each of
the accounts running through their systems but which
don't coincide with our configurations here.  

I'd like to just be able to use AddToReplyIfNotExist
to tack on the entries to all requests coming through their
proxy servers.  From the documentation, it seems I need to
use %c to accomplish this, but how do I do a conditional
reply based on this?

Thanks in advance,
Robert

-- 
Robert G. Fisher  Sitestar.net, Inc. 
System Engineer   (276) 666-9533 x 116
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Configuring RAS and Radiator

2002-01-29 Thread Eric Johnson

I am having some trouble configuring RAS to use Radiator.  I am running NT 
4 and RAS.  I can't seem to find where you set the shared secret for 
RAS.  Does anybody know where you set it?  Thanks for your help.
Eric




Re: (RADIATOR) AddressAllocator SQL Ascend

2002-01-29 Thread Justin Scott

Thanks again Hugh... as always, You the man! :)

cheers,
j


-- Original Message --
From: Hugh Irvine [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 29 Jan 2002 10:45:26 +1100


Hello Justin -

The problem is the AuthByPolicy in your configuration file - it should be 

   AuthByPolicy ContinueWhileAccept

The way you have it configured (ContinueUntilAccept) you will never call the 
AuthBy DYNADDRESS clause.

hth

Hugh


On Tue, 29 Jan 2002 09:09, Justin Scott wrote:
 Gents,

 I've been thru the last 6 months of archives, and didn't find anything
 quite like what's happening to me when I'm trying to use my
 AddressAllocator SQL setup.

 Issue: Client wants to be able to have hot standby MAX 4000 chassis in
 facility where the PRIs can be moved from one MAX to another in case of
 failure.

 I figure using AddressAllocator SQL will eliminate the needs to have an IP
 pool defined on each of the hot standby chassis, thereby making much more
 efficient use of our Pool IP Space.

 Anyhow...  AddressAllocator does not seem to run for any client who should
 be getting a DynIP from the SQL pool.  The max takes the call, tries to
 authenticate, is not given an IP address, and disconnects the call.

 My test max works fine with and without Allocator configured if it is set
 with a pool defined internally.

 I have removed the internal pool information, changed the Answer profile to
 state Assign Addr=No, and still when it's set with no pool, and Allocator
 is enabled, no IP is even queried from the database in RADPOOL to be
 replied back to the NAS.

 The log shows nothing in regards to RADPOOL table except for the reclaim
 checks during startup and every reclaim interval.  It also shows nothing in
 regards to AuthBy DYNADDRESS or AddressAllocator.

 Here is my config file:  Please tell me there is a simple error in the way
 it's been constructed, because I've given myself a monster headache trying
 to figure this one out. :)

 As always, I maintain that Radiator should win an award as best software of
 the new millenium or something... I have nothing but good things to say
 about it to my collegues.  The only problems really are that sometimes I
 cannot seem to speak its language properly. :)

 cheers,
 j

 #Foreground
 #LogStdout
 LogDir  c:/radiator/logs
 DbDir   c:/radiator/raddb
 # Use a lower trace level in production systems:
 #Trace   4
 Trace   3

 RewriteUsername tr/A-Z/a-z/
 RewriteUsername s/ //g
 UsernameCharset a-zA-Z0-9\.-_@

 # You will probably want to add other Clients to suit your site,
 # one for each NAS you want to work with
 <Client DEFAULT>
 Secret xxx
 DupInterval 15
 </Client>

 # Ensure the SQL DynIP Pool is in a sane state
 <AddressAllocator SQL>
 Identifier SQLAllocate
 DBSource    dbi:ODBC:Radiator
 DBUsername  xxx
 DBAuth  xxx
 # Our maximum IP Lease Time is 12 hours
 DefaultLeasePeriod  43200
 # Check for expired Leases once every five minutes
 LeaseReclaimInterval    300
 # Define valid pool of addresses
 <AddressPool DynIP1>
 Subnetmask  255.255.255.255
 DNSServer   10.1.1.1
 Range   10.4.1.1 10.4.1.254
 </AddressPool>
 </AddressAllocator>

 # This is our default Realm.
 <Realm DEFAULT>

 AuthByPolicy ContinueUntilAccept
 RejectHasReason

 # We do our Authentication by SQL using ODBC
 <AuthBy SQL>
 DBSource    dbi:ODBC:Radiator
 DBUsername  xxx
 DBAuth  xxx

 # These are the criteria we pull from the database to ensure we have
 # a valid user who is not expired.  We use the radattr Class to
 # tell the maxen what the CID for this customer is for accounting purposes
 AuthSelect select PASSWORD,CID,EXPIREDATE,VALIDDATE,REPLYATTR,MAXSESSIONS from tblsubscribers where USERNAME = %0
 AuthColumnDef   0,User-Password,check
 AuthColumnDef   1,Class,reply
 AuthColumnDef   2,Expiration,check
 AuthColumnDef   3,ValidFrom,check
 AuthColumnDef   4,GENERIC,reply
 AuthColumnDef   5,Simultaneous-Use,check

 # We need to add some extra reply items for this realm:
 AddToReply  Idle-Timeout = 900
 AddToReply  Ascend-Maximum-Time = 43200

 # Set up the accounting table definitions
 AccountingTable tblaccounting
 AcctColumnDef   CID,Class
 AcctColumnDef   TIME_STAMP,Timestamp,integer-date
 AcctColumnDef   USERNAME,User-Name
 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef   
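
The AuthByPolicy point in the reply quoted above, as an added example (not part of the original posts and not Radiator's own code): a simplified Python model of how the policy decides whether the next AuthBy clause in a Realm is called. The result names, the rule that the last clause run supplies the final result, and the user table are assumptions of this model; the address range and Idle-Timeout value are taken from the posted configuration.

```python
import ipaddress

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# For each policy: given the result of the AuthBy just run, is the next one called?
CONTINUE_IF = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueUntilIgnore": lambda r: r != IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilReject": lambda r: r != REJECT,
    "ContinueAlways": lambda r: True,
}


def run_chain(policy, auth_bys, request):
    """Run the AuthBy clauses in order; return (result, clauses_called, reply)."""
    keep_going = CONTINUE_IF[policy]
    reply, called, result = {}, [], IGNORE
    for name, clause in auth_bys:
        result = clause(request, reply)
        called.append(name)
        if not keep_going(result):
            break
    return result, called, reply


USERS = {"justin": "secret"}  # constructed stand-in for the subscriber table


def auth_sql(request, reply):
    """Stand-in for AuthBy SQL: check the password, add a reply item."""
    if USERS.get(request["User-Name"]) != request["User-Password"]:
        return REJECT
    reply["Idle-Timeout"] = 900
    return ACCEPT


def make_dynaddress(first, last):
    """Stand-in for AuthBy DYNADDRESS: hand out the next free address."""
    pool = iter(range(int(ipaddress.IPv4Address(first)),
                      int(ipaddress.IPv4Address(last)) + 1))

    def dynaddress(request, reply):
        try:
            reply["Framed-IP-Address"] = str(ipaddress.IPv4Address(next(pool)))
        except StopIteration:
            return REJECT  # pool exhausted
        return ACCEPT

    return dynaddress


def demo(policy, password="secret"):
    chain = [("SQL", auth_sql),
             ("DYNADDRESS", make_dynaddress("10.4.1.1", "10.4.1.254"))]
    request = {"User-Name": "justin", "User-Password": password}
    return run_chain(policy, chain, request)


if __name__ == "__main__":
    for policy in ("ContinueUntilAccept", "ContinueWhileAccept"):
        for password in ("secret", "wrong"):
            print(policy, password, demo(policy, password))
```

In this model ContinueUntilAccept stops after SQL accepts, so no address is allocated, and a rejected password falls through to the allocator instead of ending the chain; ContinueWhileAccept allocates only after SQL has accepted.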

RE: (RADIATOR) SessionDatabase Problem

2002-01-29 Thread Julian Rose

Hugh,

Thanks, that did the trick.

Julian

 -Original Message-
 From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
 Sent: 26 January 2002 01:29
 To: Julian Rose; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) SessionDatabase Problem



 Hello Julian -

 The entries in the session database are maintained by the
 accounting records
 sent by the NAS once the session starts. If you are not receiving
 accounting
 records, you will not see any entries in the RADONLINE table.

 regards

 Hugh


 On Sat, 26 Jan 2002 03:51, Julian Rose wrote:
  Hi All,
 
  I am having problems with getting the session database function to work
  correctly,
 
  When I issue a request to the server, I see the server try to run the
  delete query, but not the add or count queries.
 
  Is something wrong here, or do I not understand the function properly ;)
 
  Best regards.. Julian.
 
  debug
  Attributes:
  NAS-IP-Address = 195.54.226.39
  NAS-Port = 38
  NAS-Port-Type = Async
  User-Name = test
  Called-Station-Id = 408
  Calling-Station-Id = 2074281900
  User-Password =
  210t233:243d3125n190201146194fz141
  Service-Type = Framed-User
  Framed-Protocol = PPP
 
  Fri Jan 25 16:13:41 2002: DEBUG: Handling request with Handler
  'Realm=atlas.co.uk'
  Fri Jan 25 16:13:41 2002: DEBUG: rad-a Deleting session for test,
  195.54.226.39, 38
  Fri Jan 25 16:13:41 2002: DEBUG: do query is: delete from
 RADONLINE where
  NASIDENTIFIER='195.54.226.39' and NASPORT=038
 
  Fri Jan 25 16:13:41 2002: DEBUG: Handling with Radius::AuthSQL
  Fri Jan 25 16:13:41 2002: DEBUG: Handling with Radius::AuthSQL:
  Fri Jan 25 16:13:41 2002: DEBUG: Query is: select s.PASSWORD, r.ATTR1,
  r.ATTR2, s.ATTR1, s.ATTR2, s.ATTR3, s.ATTR4 from STANDARD s,
 REALMS r where
  s.REALM = r.REALM AND s.USERNAME=test and s.ACTIVE=Y
 
  Fri Jan 25 16:13:41 2002: DEBUG: Radius::AuthSQL looks for match with
  [EMAIL PROTECTED]
  Fri Jan 25 16:13:41 2002: DEBUG: Radius::AuthSQL ACCEPT:
  Fri Jan 25 16:13:41 2002: DEBUG: Access accepted for [EMAIL PROTECTED]
  Fri Jan 25 16:13:41 2002: DEBUG: do query is: insert into AUTHLOG values
  ('1011975221', 'test', 'atlas.co.uk', '195.54.226.39', 'OK', '')
 
  Fri Jan 25 16:13:41 2002: DEBUG: Packet dump:
  *** Sending to 195.54.226.39 port 1645 
 
  Packet length = 44
  02 0f 00 2c 10 13 24 a6 08 dd 7c 3c d9 91 02 a4
  78 04 e3 09 08 06 c3 36 e9 01 06 06 00 00 00 02
  0d 06 00 00 00 01 07 06 00 00 00 01
  Code:   Access-Accept
  Identifier: 15
  Authentic:
  14451328160231211138i146153254177209\e
  Attributes:
  Framed-IP-Address = 195.54.233.1
  User-Service = 2
  Framed-Compression = Van-Jacobsen-TCP-IP
  Framed-Protocol = PPP
  /debug
 
  config
  <Realm atlas.co.uk>
  <AuthBy SQL>
  DBSource    dbi:mysql:radius
  DBUsername  ###
  DBAuth  ###
  AuthSelect \
  select s.PASSWORD, r.ATTR1, r.ATTR2, s.ATTR1, \
  s.ATTR2, s.ATTR3, s.ATTR4 from STANDARD s, REALMS r \
  where s.REALM = r.REALM AND s.USERNAME=%U and s.ACTIVE=Y
  AuthColumnDef 0, User-Password, check
  AuthColumnDef 1, User-Service, reply
  AuthColumnDef 2, Framed-Compression, reply
  AuthColumnDef 3, Framed-Protocol, reply
  AuthColumnDef 4, Framed-IP-Address, reply
  AuthColumnDef 5, cisco-avpair, reply
  AuthColumnDef 6, Idle-Timeout, reply
  # Accounting Logs
  AccountingTable ACCOUNTING
  AcctColumnDef USERNAME,User-Name
  AcctColumnDef TIME_STAMP,Timestamp,integer
  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
  AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
  AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
  AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
  AcctColumnDef ACCTSESSIONID,Acct-Session-Id
  AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
  AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
  AcctColumnDef NASIDENTIFIER,NAS-Identifier
  AcctColumnDef NASPORT,NAS-Port,integer
  AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
  AcctFailedLogFileName %L/missedaccounting
  </AuthBy>
  AuthLog sqllog
  </Realm>
  <SessionDatabase SQL>
  DBSource    dbi:mysql:radius
  DBUsername  ###
  DBAuth  ###
  </SessionDatabase>
  /config---
 
 

 --
 Radiator: the most portable, flexible and 

(RADIATOR) AccountingHandled Question

2002-01-29 Thread William Hernandez

Currently Radiator is configured to write accounting start/stop records
to the detail file. The NAS retransmits accounting start/stop records if
an acknowledgement is not received. In our particular setup an
acknowledgement will never be sent to the NAS. Can I use
AccountingHandled to eliminate from the detail file the retransmitted
accounting start/stop records?

Thanks in advance,
William





(RADIATOR) Multiple radius servers RADONLINE table

2002-01-29 Thread Mike McCauley



--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [Gordon Smith [EMAIL PROTECTED]]
Date: Tue, 29 Jan 2002 13:34:01 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

From: Gordon Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Multiple radius servers  RADONLINE table
Date: Wed, 30 Jan 2002 10:10:39 +1300

Hi Hugh,

I'm setting up 2 radius servers that talk to a backend database (MySQL) on a
separate box.

Problem is, for some reason the local RADONLINE table is updated, which I
don't want, as the user can be processed by either radius server. I want the
sessions to be checked against the backend DB, which I thought was
configured with the SessionDatabase attribute.

Can you shed some light on this for me? The goal is to have both front end
servers checking the back end radonline table for enforcing simultaneous use
policies.

Cheers,
Gordon


This is the relevant config:

<AuthBy SQL>
Identifier AcctSQL
DBSource dbi:mysql:radmin:d3.morenet.net.nz
DBUsername
DBAuth zz
AuthSelect

AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
AcctColumnDef CALLERID,Calling-Station-Id
</AuthBy>

<AuthBy RADMIN>
Identifier AuthSQL
DBSource dbi:mysql:radmin
DBUsername xxx
DBAuth zzz

AddToReply  \
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP,\
Service-Type = Framed-User,\
Session-Timeout = 14400,\
Idle-Timeout = 900,\
Ascend-Client-Primary-DNS = 210.185.31.4,\
Ascend-Client-Secondary-DNS = 210.185.31.5
</AuthBy>

<SessionDatabase SQL>
Identifier SessSQL
DBSource dbi:mysql:radmin:d3.morenet.net.nz
DBUsername xxx
DBAuth zzz
</SessionDatabase>

<AuthLog SQL>
Identifier logAuth
DBSource dbi:mysql:radmin:d3.morenet.net.nz
DBUsername radmin
DBAuth radminpw

Table AUTH_LOG

LogSuccess 0
LogFailure 1

SuccessQuery INSERT INTO AUTH_LOG \
(ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
VALUES \
('OK','%t','%n','%0','%1')

FailureQuery INSERT INTO AUTH_LOG \
(ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
VALUES \
('NO','%t','%n','%0','%1')
</AuthLog>


<Realm infogen.net.nz>
AuthByPolicy ContinueAlways
AuthBy AcctSQL
AuthBy AuthSQL
AuthLog logAuth
SessionDatabase SessSQL

</Realm>

<Realm morenet.net.nz>
AuthByPolicy ContinueAlways
AuthBy AcctSQL
AuthBy AuthSQL
AuthLog logAuth
SessionDatabase SessSQL
</Realm>

---

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, 

(RADIATOR) FW: Multiple radius servers RADONLINE table

2002-01-29 Thread Gordon Smith

Hi Hugh,

I'm setting up 2 radius servers that talk to a backend database (MySQL) on a
separate box.

Problem is, for some reason the local RADONLINE table is updated, which I
don't want, as the user can be processed by either radius server. I want the
sessions to be checked against the backend DB, which I thought was
configured with the SessionDatabase attribute.

Can you shed some light on this for me? The goal is to have both front end
servers checking the back end radonline table for enforcing simultaneous use
policies.

Cheers,
Gordon


This is the relevant config:

<AuthBy SQL>
Identifier AcctSQL
DBSource dbi:mysql:radmin:d3.morenet.net.nz
DBUsername
DBAuth zz
AuthSelect

AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
AcctColumnDef CALLERID,Calling-Station-Id
</AuthBy>

<AuthBy RADMIN>
Identifier AuthSQL
DBSource dbi:mysql:radmin
DBUsername xxx
DBAuth zzz

AddToReply  \
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP,\
Service-Type = Framed-User,\
Session-Timeout = 14400,\
Idle-Timeout = 900,\
Ascend-Client-Primary-DNS = 210.185.31.4,\
Ascend-Client-Secondary-DNS = 210.185.31.5
</AuthBy>

<SessionDatabase SQL>
Identifier SessSQL
DBSource dbi:mysql:radmin:d3.morenet.net.nz
DBUsername xxx
DBAuth zzz
</SessionDatabase>

<AuthLog SQL>
Identifier logAuth
DBSource dbi:mysql:radmin:d3.morenet.net.nz
DBUsername radmin
DBAuth radminpw

Table AUTH_LOG

LogSuccess 0
LogFailure 1

SuccessQuery INSERT INTO AUTH_LOG \
(ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
VALUES \
('OK','%t','%n','%0','%1')

FailureQuery INSERT INTO AUTH_LOG \
(ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
VALUES \
('NO','%t','%n','%0','%1')
</AuthLog>


<Realm infogen.net.nz>
AuthByPolicy ContinueAlways
AuthBy AcctSQL
AuthBy AuthSQL
AuthLog logAuth
SessionDatabase SessSQL

</Realm>

<Realm morenet.net.nz>
AuthByPolicy ContinueAlways
AuthBy AcctSQL
AuthBy AuthSQL
AuthLog logAuth
SessionDatabase SessSQL
</Realm>




(RADIATOR) UCD-SNMP now Net-SNMP

2002-01-29 Thread Cortney Thompson

---Article Snip From (www.sourceforge.net)-
The ucd-snmp project has now moved from UCDavis, and is now based at
SourceForge (www.sourceforge.net), under the new name 'net-snmp'. The
new project can be found at http://www.net-snmp.org/ The 4.2 line is
the last release line that will use the ucd-snmp name. 4.2.1, 4.2.2,
4.2.3 and any subsequent ucd-snmp releases will be bug-fixes only.
All further developments will be released under the net-snmp name.
---

Looks as if UCD has stopped work on SNMP. They have handed it over to
SourceForge. You may want to update your Docs, and HyperLinks.

Also, Will net-snmp work with Radiator? I assume it will, but want to
check before I install.

Thanks in advance.

Cortney Thompson 
[EMAIL PROTECTED]
Brilliance is often born in the crucible of desperation.



Re: (RADIATOR) Reply based on connection IP?

2002-01-29 Thread Hugh Irvine


Hello Robert -

The simplest way to do this is with Handlers.

Here is an example:

# define Clients

<Client n.n.n.n>
	Identifier GlobalRoaming
	Secret .
	.
</Client>

...

# define Handlers

<Handler Client-Identifier = GlobalRoaming>
	...
</Handler>

<Handler ..>
	...
</Handler>

<Handler>
	...
</Handler>


Note that you should not mix Realms and Handlers in the same configuration 
file, so if you are currently using Realms, you should change them to 
Handlers. Handlers are also evaluated in the order they appear in the 
configuration file, so the more specific must appear before the more general.

regards

Hugh


On Wed, 30 Jan 2002 00:45, Robert G. Fisher wrote:
 Wondering if there is a way to configure a set
 of reply items based on the IP address of the connecting
 client.
   One of the roaming partners we're using is
 insisting on a set of filters be applied to each of
 the accounts running through their systems but which
 don't coincide with our configurations here.

   I'd like to just be able to use AddToReplyIfNotExist
 to tack on the entries to all requests coming through their
 proxy servers.  From the documentation, it seems I need to
 use %c to accomplish this, but how do I do a conditional
 reply based on this?

 Thanks in advance,
 Robert

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
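
The two rules in the reply above (do not mix Realms and Handlers, and put the more specific Handler first), as an added example that is not part of the original post or of Radiator: a small Python check that reads Handler clauses in file order and reports any that an earlier, more general one makes unreachable. The sample configurations, the address 192.0.2.10, the realm names and the exact-match comparison are constructed assumptions; regular-expression check items are not interpreted.

```python
import re

HANDLER_RE = re.compile(r"^\s*<Handler\b([^>]*)>", re.MULTILINE)
REALM_RE = re.compile(r"^\s*<Realm\b", re.MULTILINE)


def parse_handlers(config_text):
    """Return each <Handler ...> clause's check items, in file order."""
    handlers = []
    for match in HANDLER_RE.finditer(config_text):
        items = set()
        for item in match.group(1).split(","):
            if item.strip():
                attr, _, value = item.partition("=")
                items.add((attr.strip(), value.strip()))
        handlers.append(frozenset(items))
    return handlers


def select_handler(handlers, request):
    """Index of the first Handler whose check items all match the request."""
    for index, items in enumerate(handlers):
        if all(request.get(attr) == value for attr, value in items):
            return index
    return None


def lint(config_text):
    """Report mixed Realm/Handler use and Handlers that can never be selected."""
    findings = []
    handlers = parse_handlers(config_text)
    if handlers and REALM_RE.search(config_text):
        findings.append("Realm and Handler clauses are mixed in one file")
    for later, later_items in enumerate(handlers):
        for earlier in range(later):
            # Every request that satisfies the later Handler also satisfies
            # an earlier one whose check items are a subset of its own.
            if handlers[earlier] <= later_items:
                findings.append(
                    f"Handler #{later + 1} is shadowed by Handler #{earlier + 1}")
                break
    return findings


# Constructed sample: partner-specific Handler first, catch-all last.
GOOD = """
<Client 192.0.2.10>
    Identifier GlobalRoaming
    Secret placeholder
</Client>
<Handler Client-Identifier = GlobalRoaming>
    # partner-specific reply items go here
</Handler>
<Handler Realm = example.net>
</Handler>
<Handler>
</Handler>
"""

# Constructed sample: the catch-all comes first and swallows every request.
BAD = """
<Handler>
</Handler>
<Handler Client-Identifier = GlobalRoaming>
</Handler>
"""

REQUEST = {"Client-Identifier": "GlobalRoaming", "Realm": "example.net"}

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, select_handler(parse_handlers(text), REQUEST), lint(text))
```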




(RADIATOR) Re: Multiple radius servers RADONLINE table

2002-01-29 Thread Hugh Irvine


Hello Gordon -

As far as I can see, your configuration is correct. Do the AcctSQL and 
AuthSQL clauses operate correctly? And could you please send me a trace 4 
debug showing what is happening?

thanks

Hugh


On Wed, 30 Jan 2002 08:10, Gordon Smith wrote:
 Hi Hugh,

 I'm setting up 2 radius servers that talk to a backend database (MySQL) on
 a separate box.

 Problem is, for some reason the local RADONLINE table is updated, which I
 don't want, as the user can be processed by either radius server. I want
 the sessions to be checked against the backend DB, which I thought was
 configured with the SessionDatabase attribute.

 Can you shed some light on this for me? The goal is to have both front end
 servers checking the back end radonline table for enforcing simultaneous
 use policies.

 Cheers,
 Gordon


 This is the relevant config:

 <AuthBy SQL>
 Identifier AcctSQL
 DBSource dbi:mysql:radmin:d3.morenet.net.nz
 DBUsername
 DBAuth zz
 AuthSelect

 AccountingTable RADUSAGE
 AcctColumnDef USERNAME,User-Name
 AcctColumnDef TIME_STAMP,Timestamp,integer
 AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
 AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
 AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
 AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
 AcctColumnDef ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
 AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
 AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
 AcctColumnDef NASIDENTIFIER,NAS-IP-Address
 AcctColumnDef NASPORT,NAS-Port,integer
 AcctColumnDef DNIS,Called-Station-Id
 AcctColumnDef CALLERID,Calling-Station-Id
 </AuthBy>

 <AuthBy RADMIN>
 Identifier AuthSQL
 DBSource dbi:mysql:radmin
 DBUsername xxx
 DBAuth zzz

 AddToReply  \
 Framed-Protocol = PPP,\
 Framed-IP-Netmask = 255.255.255.255,\
 Framed-Routing = None,\
 Framed-MTU = 1500,\
 Framed-Compression = Van-Jacobson-TCP-IP,\
 Service-Type = Framed-User,\
 Session-Timeout = 14400,\
 Idle-Timeout = 900,\
 Ascend-Client-Primary-DNS = 210.185.31.4,\
 Ascend-Client-Secondary-DNS = 210.185.31.5
 </AuthBy>

 <SessionDatabase SQL>
 Identifier SessSQL
 DBSource dbi:mysql:radmin:d3.morenet.net.nz
 DBUsername xxx
 DBAuth zzz
 </SessionDatabase>

 <AuthLog SQL>
 Identifier logAuth
 DBSource dbi:mysql:radmin:d3.morenet.net.nz
 DBUsername radmin
 DBAuth radminpw

 Table AUTH_LOG

 LogSuccess 0
 LogFailure 1

 SuccessQuery INSERT INTO AUTH_LOG \
 (ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
 VALUES \
 ('OK','%t','%n','%0','%1')

 FailureQuery INSERT INTO AUTH_LOG \
 (ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
 VALUES \
 ('NO','%t','%n','%0','%1')
 </AuthLog>


 <Realm infogen.net.nz>
 AuthByPolicy ContinueAlways
 AuthBy AcctSQL
 AuthBy AuthSQL
 AuthLog logAuth
 SessionDatabase SessSQL

 </Realm>

 <Realm morenet.net.nz>
 AuthByPolicy ContinueAlways
 AuthBy AcctSQL
 AuthBy AuthSQL
 AuthLog logAuth
 SessionDatabase SessSQL
 </Realm>




Re: (RADIATOR) AccountingHandled Question

2002-01-29 Thread Hugh Irvine


Hello William -

Yes - the AccountingHandled flag will always reply to any accounting requests 
for the Realm or Handler in which it is used.

Section 6.16.10 in the Radiator 2.19 reference manual.

regards

Hugh


On Wed, 30 Jan 2002 06:32, William Hernandez wrote:
 Currently Radiator is configured to write accounting start/stop records
 to the detail file. The NAS retransmits accounting start/stop records if
 an acknowledgement is not received. In our particular setup an
 acknowledgement will never be sent to the NAS. Can I use
 AccountingHandled to eliminate from the detail file the retransmitted
 accounting start/stop records?

 Thanks in advance,
 William






Re: (RADIATOR) UCD-SNMP now Net-SNMP

2002-01-29 Thread Hugh Irvine


Hello Cortney -

Thanks for the information.

Yes, we have already used the net-snmp package successfully.

regards

Hugh


On Wed, 30 Jan 2002 08:40, Cortney Thompson wrote:
 ---Article Snip From
 (www.sourceforge.net)-
 The ucd-snmp project has now moved from UCDavis, and is now based at
 SourceForge (www.sourceforge.net), under the new name 'net-snmp'. The
 new project can be found at http://www.net-snmp.org/ The 4.2 line is
 the last release line that will use the ucd-snmp name. 4.2.1, 4.2.2,
 4.2.3 and any subsequent ucd-snmp releases will be bug-fixes only.
 All further developments will be released under the net-snmp name.
 ---



 Looks as if UCD has stopped work on SNMP.  They have handed it over to
 SourceForge.  You may want to update your Docs, and HyperLinks.

 Also, Will net-snmp work with Radiator?  I assume it will, but want to
 check before I install.

 Thanks in advance.

 Cortney Thompson
 [EMAIL PROTECTED]

 Brilliance is often born in the crucible of desperation.




(RADIATOR) CHAP detection

2002-01-29 Thread Nick Rogness


How do I detect if the NAS sends a CHAP versus PAP request?

An idea was to see if {CHAP-Password} is defined in the current
Access-Request Packet.  Will that work?

Nick Rogness [EMAIL PROTECTED]
 - Don't mind me...I'm just sniffing your packets




(RADIATOR) Simultaneous logins allowed but logged?

2002-01-29 Thread Forbes Mike


I have been looking through the mail list archives on simultaneous logins.
I have a request to allow simultaneous logins but to kick out a log
message about the simultaneous use that also shows calling number, user
name, etc.  Can radiator be tweaked to do this?  The logfile could then be
used to contact the offending users.

Thanks,

Mike Forbes
University of Colorado Boulder




(RADIATOR) Session database SQL

2002-01-29 Thread mhobbs

I have set up a session database using the following

<SessionDatabase SQL>
  DBSource    dbi:mysql:RADONLINE
  DBUsername  
  DBAuth  

AddQuery insert into RADONLINE (FRAMEDIPADDRESS, USERNAME, NASIDENTIFIER,
NASPORT, PASSWORD) values ('%{Framed-Address}', '%U', '%N', 0%{NAS-Port},
'%{User-Password}')

DeleteQuery delete from RADONLINE where NASIDENTIFIER='%1' and NASPORT=0%2
ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'

CountQuery
FailureBackoffTime 5
</SessionDatabase>

All works well except getting the user's password details. I have also
tried %P but it just inserts nothing into the database. How do I get this
to work?

Also in the manual it says
If CountQuery is defined as an empty string, then the query will not be
executed, and the current session count will be fixed at 0.

So what is the syntax for this ?

Thanks
Matthew Hobbs
Speedlink




(RADIATOR) Authenticating against multiple NT 2000 domains

2002-01-29 Thread brad . cook

Hello Mr Radiator,

A further question, if I may ... :-)

Given the response below, what if I want the best of both worlds ?

We have an NT4 domain that requires the traditional MS form of
domain\username, but the 2000 domain is fine for [EMAIL PROTECTED]

Will Radiator be able to handle this in the multi-realm config noted in the
original response below ?

Regards,

Brad Cook
Senior Network Engineer
Tourism Queensland
Level 10 Tourism Qld House
30 Makerston St
Brisbane, Australia   4000

Ph: +61 7 3535 5504
Fax:    +61 7 3535 5246
mailto:[EMAIL PROTECTED]
web : http://www.tq.com.au


  Hello,

  I'm in the process of setting up my eval copy of Radiator 2.19 to
  authenticate users dialing into my NT domain via an Ascend NAS.

  No issue with the single NT4 domain, hopefully, but what if I want to be
  able to deal with users who might specify either that NT4 or our other
  native Win2000 domain in their login settings?

  Our aim is that the user will specify the username+domain they require in
  their dialin profile settings (as per LAN login), have the NAS pass the
  relevant details to the RADIUS server and have it deal with polling the
  requisite domain controller/AD server.

  Can I expect to have issues, or do you have a recommended way of dealing
  with dialin users hitting a single NAS to gain access to either one of two
  domains?

  This is a common situation.
  You would usually deal with this in your Radiator configuration by creating 3
  realm clauses. One that handles username@domain1, one for username@domain2,
  and one to handle just username. Something like this:

 
  <Realm domain1.tq.com.au>
      # strip the realm
      RewriteUsername s/^([^@]+).*/$1/
      <AuthBy NT>
          Domain domain1
      </AuthBy>
  </Realm>
  <Realm domain2.tq.com.au>
      # strip the realm
      RewriteUsername s/^([^@]+).*/$1/
      <AuthBy NT>
          Domain domain2
      </AuthBy>
  </Realm>

  # If they don't have a realm, auth from domain1
  <Realm DEFAULT>
      # strip the realm
      RewriteUsername s/^([^@]+).*/$1/
      <AuthBy NT>
          Domain domain1
      </AuthBy>
  </Realm>


  With only a little more effort, your users can use the domain\username form
  instead of username@domain, but this may be incompatible with global roaming
  or other plans you might have.
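
As an added example (not part of the original posts and not Radiator code), the Python below models how the three Realm clauses and the RewriteUsername rule quoted above route a login name to an NT domain. The DOMAIN\user branch and the names route, rewrite_username, REALM_TO_DOMAIN and DEFAULT_DOMAIN are assumptions of this example.

```python
import re

# Realm -> NT domain, mirroring the three Realm clauses quoted above.
REALM_TO_DOMAIN = {"domain1.tq.com.au": "domain1", "domain2.tq.com.au": "domain2"}
DEFAULT_DOMAIN = "domain1"  # Realm DEFAULT: no realm, or a realm with no clause


def rewrite_username(name):
    """Python equivalent of the Perl rewrite s/^([^@]+).*/$1/ (one substitution)."""
    return re.sub(r"^([^@]+).*", r"\1", name, count=1)


def route(name):
    """Return (nt_domain, username) for a login name, or raise ValueError.

    user@realm and bare names follow the quoted Realm clauses. The
    DOMAIN\\user branch is this example's assumption, not Radiator behaviour.
    """
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if not user or "@" in user or "\\" in user:
            raise ValueError("malformed domain\\user name: %r" % name)
        domain = domain.lower()  # NT domain names are case-insensitive
        if domain not in REALM_TO_DOMAIN.values():
            raise ValueError("unknown NT domain: %r" % domain)
        return domain, user
    _, _, realm = name.partition("@")
    user = rewrite_username(name)
    if not user or "@" in user:
        # The rewrite needs at least one character before '@'. With an empty
        # user part it matches nothing and the name comes back unchanged.
        raise ValueError("empty user part: %r" % name)
    # A realm with no clause of its own falls through to Realm DEFAULT.
    return REALM_TO_DOMAIN.get(realm, DEFAULT_DOMAIN), user
```

Two things the model makes visible: a name with an unlisted realm still lands in Realm DEFAULT and is tried against domain1 with the realm stripped, and the quoted rewrite leaves a domain\username name untouched because it contains no '@'.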





(RADIATOR) Asigning Static IP Address from mysql Database to cisco ras

2002-01-29 Thread Jai Kumar Shinde

Hi,


I am trying to assign a static IP address from the database (MYSQL using RADMIN)
to a Cisco RAS. From the logs, RADIATOR is sending the FRAMED-IP-ADDRESS as
shown below:

 log file -

Attributes:
NAS-IP-Address = 202.171.29.51
NAS-Port = 40
NAS-Port-Type = Async
User-Name = jAI
User-Password = 21920711192C7b207163b9193e21320329
Tue Jan 29 13:28:40 2002: DEBUG: Rewrote user name to jAI
Tue Jan 29 13:28:40 2002: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Jan 29 13:28:40 2002: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='202.171.129.51' and NASPORT=040
Tue Jan 29 13:28:41 2002: DEBUG: Access accepted for jAI
Tue Jan 29 13:28:41 2002: DEBUG: Packet dump:
*** Sending to 202.71.129.151 port 1645 
Code:   Access-Accept
Identifier: 87
Authentic:  23a1610197O61630192f188160189189u
Attributes:
  ***  FROM DATABASE STATIPADDRESS FIELD
***
**
Framed-IP-Address = 192.168.168.168
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast
Framed-MTU = 1500
Framed-Compression = None
Authentication-Type = RADIUS
Acct-Authentic = RADIUS
cisco-avpair = ip:addr_pool=net4

--- END 

At the same time, Cisco is getting that FRAMED-IP-ADDRESS passed from RADIUS,
as seen below:


DEBUG CISCO -

%LINK-3-UPDOWN: Interface Async40, changed state to up
AAA/AUTHEN: create_user (0x80EA54F8) user='jai' ruser='' port='Async40'
rem_addr='async' authen_type=PAP service=PPP priv=1
AAA/AUTHEN/START (39658391): port='Async40' list='net4' action=LOGIN
service=PPP
AAA/AUTHEN/START (39658391): found list net4
AAA/AUTHEN/START (39658391): Method=RADIUS
RADIUS: Initial Transmit id 89 202.71.129.91:1812, Access-Request, len 73
Attribute 4 6 CA478197
Attribute 5 6 0028
Attribute 61 6 
Attribute 1 5 6A616902
Attribute 2 18 D945A55A
Attribute 6 6 0002
Attribute 7 6 0001
RADIUS: Received from id 89 202.71.129.91:1812, Access-Accept, len 93
Attribute 8 6 C0A8A8A8 -    FRAMED IP ADDRESS :
192.168.168.168  #
Attribute 7 6 0001
Attribute 9 6 FF00
Attribute 10 6 0001
Attribute 12 6 05DC
Attribute 13 6 
Attribute 3 6 0004
Attribute 45 6 0001
Attribute 26 25 000901136970
RADIUS: saved authorization data for user 80EA54F8 at 80C0F57C
AAA/AUTHEN (39658391): status = PASS


--- END -


Can anybody help me in this matter? I need to assign a static IP address to
a specific dial user.



###CISCO RAS CONFIG  ##


aaa new-model
aaa authentication password-prompt Password#
aaa authentication username-prompt account#
aaa authentication login net4 radius local
aaa authentication ppp net4 radius local
aaa accounting exec default start-stop radius
aaa accounting network default start-stop radius

interface Group-Async1
 ip unnumbered Ethernet0/0
 ip access-group 105 in
 no ip directed-broadcast
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 1500
 dialer-group 1
 async default routing
 async dynamic routing
 async mode interactive
 peer default ip address pool 3660
 no cdp enable
 ppp authentication pap callin net4
 group-range 33 48
!
ip local pool 3660 202.171.112.97 202.171.112.112


line 33 48
 session-timeout 10
 autoselect during-login
 autoselect ppp
 login authentication net4
 modem InOut
 modem autoconfigure discovery
 autocommand ppp
 transport input all
 transport output pad v120 telnet rlogin
line aux 0
line vty 0 4



-END --


  RADIUS CONFIG FILE -


<Realm DEFAULT>

   <AuthBy RADMIN>
   # FramedGroup 0
DBSource    dbi:mysql:radmin
DBUsername  
DBAuth  xx

AccountingTable RADUSAGE
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   DNIS,Called-Station-Id
AcctColumnDef   ANIS,Calling-Station-Id