Re: (RADIATOR) double attributes

2002-02-28 Thread Hugh Irvine


Hello Anton -

Please send me a copy of your configuration file (no secrets) together with a 
trace 4 debug from Radiator showing what is happening.

thanks

Hugh


On Fri, 1 Mar 2002 16:42, Anton Krall wrote:
> I've tested that using the StripFromReply removes the idletimeout and
> sessiontimeout attributes from the proxy but it also removes them from
> the authby file after that. Will the allowinreply do the same? Or
> just remove the ones on the proxy authby radius clause and then let any
> attribute from authby file be appended?
>
> Regards
>
> Anton Krall
> Director of Technology
> Inter.net México / Panamá
>
> Tel: 5241-7609 Direct
> Tel: 5241-7600 Switchboard
> Cell: 0445-105-5160 Mobile
> ICQ: 4979450
> email:  [EMAIL PROTECTED]
> web: http://www.mx.inter.net
>
> Outside Mexico:
> Office: +52(555)241-7609
> PBX: +52(555)241-7600
> Mobile: +52(555)105-5160

RE: (RADIATOR) double attributes

2002-02-28 Thread Anton Krall

I've tested that using the StripFromReply removes the idletimeout and
sessiontimeout attributes from the proxy but it also removes them from
the authby file after that. Will the allowinreply do the same? Or
just remove the ones on the proxy authby radius clause and then let any
attribute from authby file be appended?

Regards

Anton Krall
Director of Technology
Inter.net México / Panamá

Tel: 5241-7609 Direct
Tel: 5241-7600 Switchboard
Cell: 0445-105-5160 Mobile
ICQ: 4979450
email:  [EMAIL PROTECTED]
web: http://www.mx.inter.net
 
Outside Mexico:
Office: +52(555)241-7609
PBX: +52(555)241-7600
Mobile: +52(555)105-5160



Re: (RADIATOR) RewriteUsername

2002-02-28 Thread Ronan Eckelberry, Network/Systems Admin



Try naming the realm DEFAULT.  It looks at anything after the @ to determine
the realm name.  So, if a customer logs in as [EMAIL PROTECTED], it is going to
look for a realm called .  By default, if Radiator finds no matches, it will
try to use .

-Ronan

  - Original Message -
  From: Barry Andersson
  To: [EMAIL PROTECTED]
  Sent: Thursday, 28 February, 2002 19:36
  Subject: (RADIATOR) RewriteUsername
  
  Hi,
   
  I have RewriteUsername s/^([^@]+).*/$1/  in my 
  radius.cfg file however domains don't appear to be stripped from users who 
  inadvertently login with their email address. I'm getting errors in the 
  logfile such as "Could not find a handler for username@domainname: request is 
  ignored"
   
  Below is the appropriate section from my 
  radius.cfg
   
  Regards
   
  Barry Andersson
   
   
  
  
  UseGetspnamf
  Identifier System
  
  
  RewriteUsername s/^([^@]+).*/$1/
  MaxSessions 1
  
  Filename ./users
  
  AcctLogFileName /var/log/radius/detail
   
  
  
  AcctResult ACCEPT
  
  


Re: (RADIATOR) double attributes

2002-02-28 Thread Hugh Irvine


Hello Anton -

You should use the StripFromReply in the AuthBy RADIUS clause. If you are 
concerned about reply attributes in general, you can explicitly specify the 
list of attributes that you will accept from a proxy in an AllowInReply.

See section 6.17.7 in the Radiator 2.19 reference manual.
("doc/ref.html").

regards

Hugh


On Fri, 1 Mar 2002 11:48, Anton Krall wrote:
> Guys... I'm doing some AUTHBYFILE combined with an AUTHBY RADIUS and I
> have a problem.. the radius AUTHBY RADIUS proxying is returning
> Idle-Timeout and Session-Timeout settings, but what I need is a way
> to override those and put in my own... which are passed from an AUTHBY
> FILE. Here is the config:
>
> 
> AuthByPolicy ContinueUntilAccept
> AuthBy acct
> AuthBy CheckUserAttributes-mx.inter.net
> 
>
> 
> Identifier  acct
> DBSource    dbi:mysql:radius:localhost
> DBUsername  root
> DBAuth  net721009
> AuthSelect
> DateFormat  %Y%m%d %T
> AccountingTable accounting
> #AccountingStopsOnly
> AcctColumnDef   username,%U,formatted
> AcctColumnDef   domain,%R,formatted
> AcctColumnDef   time_stamp,Timestamp,integer
> AcctColumnDef   acctstatustype,Acct-Status-Type
> AcctColumnDef   acctdelaytime,Acct-Delay-Time,integer
> AcctColumnDef   acctinputoctets,Acct-Input-Octets,integer
> AcctColumnDef   acctoutputoctets,Acct-Output-Octets,integer
> AcctColumnDef   acctsessionid,Acct-Session-Id
> AcctColumnDef   acctsessiontime,Acct-Session-Time,integer
> AcctColumnDef   acctterminatecause,Ascend-Disconnect-Cause
> AcctColumnDef   nasidentifier,NAS-IP-Address
> AcctColumnDef   nasport,NAS-Port,integer
> AcctColumnDef   framedipaddress,Framed-IP-Address
> AcctColumnDef   time,Timestamp,integer-date
> AcctColumnDef   nasipaddress,NAS-IP-Address
> AcctColumnDef   calledstationid,Called-Station-Id
> AcctColumnDef   callingstationid,Calling-Station-Id
> AcctColumnDef   disconnectioncause,Ascend-Connect-Progress
> AcctColumnDef   telco,Class
> AcctColumnDef   zone,%{State},formatted
> DefaultSimultaneousUse 1
> 
>
> 
> Identifier CheckUserAttributes-mx.inter.net
> Filename %D/atributos-mx.inter.net
> Nocache
> DefaultSimultaneousUse 1
> 
>
> Contents of atributos-mx.inter.net:
>
> akrall  Auth-Type = CheckUser-nasc
>     Service-Type = Framed-User, Framed-Protocol = PPP
> DEFAULT Auth-Type = CheckUser-nasc
>     Service-Type = Framed-User, Framed-Protocol = PPP, Idle-Timeout = 600,
>     Session-Timeout = 14500
>
> 
>
> The radius server is returning something like this:
>
> Code:   Access-Accept
> Identifier: 5
> Authentic:  '<148><168><158><188>z+<231>,<191>|7<254">T@ 
> <170>'<148><168><158><188>z+<231>,<191>|7<254>
> Attributes:
> Framed-IP-Address = 255.255.255.254
> Port-Limit = 1
> Session-Timeout = 14400
> Idle-Timeout = 1800
> Framed-IP-Netmask = 255.255.255.255
> Class = "38616/217030/10803096/41/NASC"
>
> As you can see, there are some Idle and Session timeouts here... but
> what I need to do is replace them with the ones in
> atributos-mx.inter.net if the user is not found (DEFAULT user) and if he
> is on the list (akrall for example) then strip all Idle and Session
> timeouts
>
> Problem is that I can't seem to override the radius sent ones... and if I
> use something like StripFromReply... all idle and session attributes are
> stripped.. including mine or the radius server sent ones
>
> Any ideas?
>
> Regards
>
> Anton Krall
> Director of Technology
> Inter.net México / Panamá
>
> Tel: 5241-7609 Direct
> Tel: 5241-7600 Switchboard
> Cell: 0445-105-5160 Mobile
> ICQ: 4979450
> email:  [EMAIL PROTECTED]
> web: http://www.mx.inter.net 
>
> Outside Mexico:
> Office: +52(555)241-7609
> PBX: +52(555)241-7600
> Mobile: +52(555)105-5160

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) RewriteUsername

2002-02-28 Thread Hugh Irvine


Hello Barry -

The way your configuration file is set up, you will only get usernames of the 
form "user@auth" in the  clause. If the username is of the form 
[EMAIL PROTECTED], it will not go to the  clause, hence will 
not get rewritten. The other  clause will only match usernames without 
realm suffixes, hence the message "Could not find a handler ...".

regards

Hugh


On Fri, 1 Mar 2002 11:36, Barry Andersson wrote:
> Hi,
>
> I have RewriteUsername s/^([^@]+).*/$1/  in my radius.cfg file however
> domains don't appear to be stripped from users who inadvertently login with
> their email address. I'm getting errors in the logfile such as "Could not
> find a handler for username@domainname: request is ignored"
>
> Below is the appropriate section from my radius.cfg
>
> Regards
>
> Barry Andersson
>
>
> 
>
> UseGetspnamf
>
> Identifier System
>
> 
>
> 
>
> RewriteUsername s/^([^@]+).*/$1/
>
> MaxSessions 1
>
> 
>
> Filename ./users
>
> 
>
> AcctLogFileName /var/log/radius/detail
>
> 
>
> 
>
> 
>
> AcctResult ACCEPT
>
> 
>
> 




(RADIATOR) double attributes

2002-02-28 Thread Anton Krall



Guys... I'm doing some AUTHBYFILE combined with an AUTHBY RADIUS and I have a
problem.. the radius AUTHBY RADIUS proxying is returning Idle-Timeout and
Session-Timeout settings, but what I need is a way to override those and put
in my own... which are passed from an AUTHBY FILE. Here is the config:

    AuthByPolicy ContinueUntilAccept
    AuthBy acct
    AuthBy CheckUserAttributes-mx.inter.net

    Identifier  acct
    DBSource    dbi:mysql:radius:localhost
    DBUsername  root
    DBAuth  net721009
    AuthSelect
    DateFormat  %Y%m%d %T
    AccountingTable accounting
    #AccountingStopsOnly
    AcctColumnDef   username,%U,formatted
    AcctColumnDef   domain,%R,formatted
    AcctColumnDef   time_stamp,Timestamp,integer
    AcctColumnDef   acctstatustype,Acct-Status-Type
    AcctColumnDef   acctdelaytime,Acct-Delay-Time,integer
    AcctColumnDef   acctinputoctets,Acct-Input-Octets,integer
    AcctColumnDef   acctoutputoctets,Acct-Output-Octets,integer
    AcctColumnDef   acctsessionid,Acct-Session-Id
    AcctColumnDef   acctsessiontime,Acct-Session-Time,integer
    AcctColumnDef   acctterminatecause,Ascend-Disconnect-Cause
    AcctColumnDef   nasidentifier,NAS-IP-Address
    AcctColumnDef   nasport,NAS-Port,integer
    AcctColumnDef   framedipaddress,Framed-IP-Address
    AcctColumnDef   time,Timestamp,integer-date
    AcctColumnDef   nasipaddress,NAS-IP-Address
    AcctColumnDef   calledstationid,Called-Station-Id
    AcctColumnDef   callingstationid,Calling-Station-Id
    AcctColumnDef   disconnectioncause,Ascend-Connect-Progress
    AcctColumnDef   telco,Class
    AcctColumnDef   zone,%{State},formatted
    DefaultSimultaneousUse 1

    Identifier CheckUserAttributes-mx.inter.net
    Filename %D/atributos-mx.inter.net
    Nocache
    DefaultSimultaneousUse 1

Contents of atributos-mx.inter.net:

akrall  Auth-Type = CheckUser-nasc
    Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT Auth-Type = CheckUser-nasc
    Service-Type = Framed-User, Framed-Protocol = PPP, Idle-Timeout = 600,
    Session-Timeout = 14500

The radius server is returning something like this:

Code:   Access-Accept
Identifier: 5
Authentic:  T@<170>'<148><168><158><188>z+<231>,<191>|7<254>
Attributes:
    Framed-IP-Address = 255.255.255.254
    Port-Limit = 1
    Session-Timeout = 14400
    Idle-Timeout = 1800
    Framed-IP-Netmask = 255.255.255.255
    Class = "38616/217030/10803096/41/NASC"

As you can see, there are some Idle and Session timeouts here... but what I
need to do is replace them with the ones in atributos-mx.inter.net if the user
is not found (DEFAULT user) and if he is on the list (akrall for example) then
strip all Idle and Session timeouts

Problem is that I can't seem to override the radius sent ones... and if I use
something like StripFromReply... all idle and session attributes are
stripped.. including mine or the radius server sent ones

Any ideas?

Regards

Anton Krall
Director of Technology
Inter.net México / Panamá

Tel: 5241-7609 Direct
Tel: 5241-7600 Switchboard
Cell: 0445-105-5160 Mobile
ICQ: 4979450
email:  [EMAIL PROTECTED]
web: http://www.mx.inter.net

Outside Mexico:
Office: +52(555)241-7609
PBX: +52(555)241-7600
Mobile: +52(555)105-5160
 


(RADIATOR) RewriteUsername

2002-02-28 Thread Barry Andersson



Hi,
 
I have RewriteUsername s/^([^@]+).*/$1/  in my 
radius.cfg file however domains don't appear to be stripped from users who 
inadvertently login with their email address. I'm getting errors in the logfile 
such as "Could not find a handler for username@domainname: request is 
ignored"
 
Below is the appropriate section from my 
radius.cfg
 
Regards
 
Barry Andersson
 
 


UseGetspnamf
Identifier System


RewriteUsername s/^([^@]+).*/$1/
MaxSessions 1

Filename ./users

AcctLogFileName /var/log/radius/detail
 


AcctResult ACCEPT




Re: (RADIATOR) 2 copies of User-Name attribute

2002-02-28 Thread Hugh Irvine


Hello Dave -

I'm glad I didn't have to point you to that section of the RFC.

:-)

The easy way to deal with the problem is with a PreClientHook to remove any 
duplicate attributes.

You know where to find the examples ("goodies/hooks.txt").

cheers

Hugh


On Fri, 1 Mar 2002 03:02, Dave Kitabjian wrote:
> Follow up:
>
> I did some more digging in the RFC:
>
>    Some attributes MAY be included more than once.  The effect of this
>    is attribute specific, and is specified in each attribute
>    description.
>
>    5.13.  Table of Attributes
>
>    The following table provides a guide to which attributes may be found
>    in Accounting-Request packets.  No attributes should be found in
>    Accounting-Response packets except Proxy-State and possibly Vendor-
>    Specific.
>
>
>       #     Attribute
>       0-1   User-Name
>
> In other words, the accounting record may contain 0 or 1 copies of the
> User-Name. That means it's out of spec to send 2 copies. I'll take this
> up with Cisco. Meanwhile, I'm still open to feedback on the Radiator
> side (since Cisco notoriously drags its feet on our bug reports).
>
> Dave
>
> > -Original Message-
> > From: Dave Kitabjian
> > Sent: Thursday, February 28, 2002 9:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: (RADIATOR) 2 copies of User-Name attribute
> >
> >
> > Recently I've been noticing that the Radius Accounting
> > packets coming from some of our Cisco gear has been sending
> > some attributes in duplicate; in particular, we get two
> > copies each of User-Name and Nas-Port.
> >
> > Fortunately, the two copies have identical values. But it
> > still causes a problem. We have lots of logic that rewrites
> > usernames, parses out the realm, adds in custom attributes,
> > etc. The problem is that Radiator's RewriteUserName appears
> > to be only acting on the FIRST instance of the User-Name
> > attribute, and the 2nd instance remains unrewritten. Down the
> > line, our post-processing software doesn't know how to tell
> > which one is the "right one", and so we get messed up results.
> >
> > I've asked our networking people to look into why we're
> > getting dups of some attributes. But meanwhile, I checked out
> > the Radius Accounting RFC
> > (http://www.ietf.org/rfc/rfc2866.txt?number=2866), and I noticed this:
> >
> >    Attributes
> >
> >       Attributes may have multiple instances, in such a case the order
> >       of attributes of the same type SHOULD be preserved.  The order of
> >       attributes of different types is not required to be preserved.
> >
> > So this makes me wonder if Radiator should not be able to
> > support this. Without looking deep into the code, my guess is
> > that the attributes are stored in a hash, and much of the
> > logic depends on assuming the key is unique, which would make
> > support for this difficult to add. But perhaps at least
> > supporting it for RewriteUserName would be sensible?
> >
> > Your thoughts are welcome...
> >
> > Dave
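Added example (not part of the original thread, and not Radiator code): the duplicate check discussed in this thread, written as stand-alone Python over the RADIUS wire format. It parses a constructed Accounting-Request, reports attributes that the RFC 2866 section 5.13 table allows at most once, and collapses identical copies while refusing copies that disagree, which is the case where a rewrite applied to the first User-Name only leaves downstream tools with two identities. Assumptions: the sample packet and all function names are made up here, the single-instance set beyond User-Name comes from the RFC table rather than from the thread, and the authenticator is not verified.

```python
"""Detect and collapse duplicated single-instance attributes in a RADIUS
Accounting-Request (RFC 2866). Added example; not Radiator code."""
import struct

ACCOUNTING_REQUEST = 4
NAMES = {1: "User-Name", 5: "NAS-Port", 25: "Class",
         40: "Acct-Status-Type", 44: "Acct-Session-Id"}
# Types the RFC 2866 section 5.13 table allows at most once per
# Accounting-Request. The thread quotes only the User-Name row; the
# others are taken from the same table (assumption of this example).
SINGLE_INSTANCE = {1, 5, 40, 44}


class MalformedPacket(ValueError):
    """The datagram does not parse as a RADIUS packet."""


class ConflictingDuplicate(ValueError):
    """A single-instance attribute appears twice with different values."""


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) with attributes in wire order."""
    if len(packet) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise MalformedPacket("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise MalformedPacket("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise MalformedPacket("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def find_duplicates(attrs):
    """Map attribute name -> all values, for single-instance types seen twice."""
    seen = {}
    for atype, value in attrs:
        if atype in SINGLE_INSTANCE:
            seen.setdefault(atype, []).append(value)
    return {NAMES[t]: v for t, v in seen.items() if len(v) > 1}


def collapse_duplicates(attrs):
    """Keep the first copy of each single-instance attribute, preserving order.

    Multi-instance attributes (Class here) pass through untouched. Copies
    that differ are rejected rather than silently picking one.
    """
    first, kept = {}, []
    for atype, value in attrs:
        if atype in SINGLE_INSTANCE:
            if atype in first:
                if first[atype] != value:
                    raise ConflictingDuplicate(NAMES[atype])
                continue
            first[atype] = value
        kept.append((atype, value))
    return kept


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_sample(second_user=b"dave@example.net"):
    """Constructed Accounting-Request with User-Name and NAS-Port sent twice."""
    body = b"".join([
        _attr(40, struct.pack("!I", 1)),        # Acct-Status-Type = Start
        _attr(1, b"dave@example.net"),          # User-Name
        _attr(5, struct.pack("!I", 31)),        # NAS-Port
        _attr(44, b"00000001"),                 # Acct-Session-Id
        _attr(25, b"classA"), _attr(25, b"classB"),  # Class may repeat
        _attr(1, second_user),                  # duplicate User-Name
        _attr(5, struct.pack("!I", 31)),        # duplicate NAS-Port
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 5, 20 + len(body))
    return header + bytes(16) + body            # authenticator zeroed


if __name__ == "__main__":
    code, attrs = parse_attributes(build_sample())
    print("duplicates:", find_duplicates(attrs))
    print("collapsed:", [(NAMES[t], v) for t, v in collapse_duplicates(attrs)])
```
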



RE: (RADIATOR) Radonline flushing every 2 hours

2002-02-28 Thread Ronan Eckelberry

I don't know about all of you, but my Radiator uses SNMP and it
queries the NAS to see if a user is still on. If they are not, it
removes them from RADONLINE and lets them connect.  It doesn't detect
the NAS restarting, but it does query it with SNMP and sees that the
user is no longer on that port.  It puts a message in the log along the
lines of "Sat Feb 23 16:33:42 2002: NOTICE: RADONLINE Session for aplus
at 216.54.217.6:31 has gone away".  Also, if someone logs onto a
NAS/port that is in the sessiondb, the first thing that it does is a
query to delete out of the db any entries that reference that port.  Not
sure if this is what you were looking for.  I'm sure Hugh will answer it
better.  :)

Hugh.  You da man!  :)

-Ronan


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Frank Danielson
Sent: Tuesday, 26 February, 2002 19:47
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Radonline flushing every 2 hours


Hugh-

For general education purposes could you elaborate on Radiator clearing
entries for a NAS if it sees a NAS restart? I'm not sure how Radiator would
detect that event and if some certain Client config is needed to support
this.

Thanks.

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 5:33 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Radonline flushing every 2 hours



Hello Anton -

Please send me a copy of your configuration file (no secrets) together with
a trace 4 debug showing what is happening.

Radiator will automatically remove all entries for a NAS if it sees a NAS
restart, but I can't think of any reason why the entire RADONLINE table would
be cleared.

regards

Hugh


On Wed, 27 Feb 2002 08:45, Anton Krall wrote:
> Guys.. I'm having problems with my radonline table on mysql.. Seems that
> every 2 hours.. The contents flush and start from 0... Anybody has any
> problems like this?
>
> I noticed this because I'm graphing the radonline total user count every
> 5 minutes from MRTG, and I noticed that every 2 hours.. The database
> flushes and the graph on MRTG looks funny... Like restarted from 0 every
> 2 hours..
>
> Anybody has any ideas?
>
> Regards
>
> Anton Krall
> Director of Technology
> Inter.net México / Panamá
>
> Tel: 5241-7609 Direct
> Tel: 5241-7600 Switchboard
> Cell: 0445-105-5160 Mobile
> ICQ: 4979450
> email:  [EMAIL PROTECTED]
> web: http://www.mx.inter.net
>
> Outside Mexico:
> Office: +52(555)241-7609
> PBX: +52(555)241-7600
> Mobile: +52(555)105-5160
>



RE: (RADIATOR) 2 copies of User-Name attribute

2002-02-28 Thread Dave Kitabjian

Follow up:

I did some more digging in the RFC:

   Some attributes MAY be included more than once.  The effect of this
   is attribute specific, and is specified in each attribute
   description.

   5.13.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in Accounting-Request packets.  No attributes should be found in
   Accounting-Response packets except Proxy-State and possibly Vendor-
   Specific.


  # Attribute
  0-1   User-Name

In other words, the accounting record may contain 0 or 1 copies of the
User-Name. That means it's out of spec to send 2 copies. I'll take this
up with Cisco. Meanwhile, I'm still open to feedback on the Radiator
side (since Cisco notoriously drags its feet on our bug reports).

Dave

> -Original Message-
> From: Dave Kitabjian 
> Sent: Thursday, February 28, 2002 9:34 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) 2 copies of User-Name attribute
> 
> 
> Recently I've been noticing that the Radius Accounting 
> packets coming from some of our Cisco gear has been sending 
> some attributes in duplicate; in particular, we get two 
> copies each of User-Name and Nas-Port.
> 
> Fortunately, the two copies have identical values. But it 
> still causes a problem. We have lots of logic that rewrites 
> usernames, parses out the realm, adds in custom attributes, 
> etc. The problem is that Radiator's RewriteUserName appears 
> to be only acting on the FIRST instance of the User-Name 
> attribute, and the 2nd instance remains unrewritten. Down the 
> line, our post-processing software doesn't know how to tell 
> which one is the "right one", and so we get messed up results.
> 
> I've asked our networking people to look into why we're 
> getting dups of some attributes. But meanwhile, I checked out 
> the Radius Accounting RFC 
> (http://www.ietf.org/rfc/rfc2866.txt?number=2866), and I noticed this:
>
>    Attributes
>
>       Attributes may have multiple instances, in such a case the order
>       of attributes of the same type SHOULD be preserved.  The order of
>       attributes of different types is not required to be preserved.
> 
> So this makes me wonder if Radiator should not be able to 
> support this. Without looking deep into the code, my guess is 
> that the attributes are stored in a hash, and much of the 
> logic depends on assuming the key is unique, which would make 
> support for this difficult to add. But perhaps at least 
> supporting it for RewriteUserName would be sensible?
> 
> Your thoughts are welcome...
> 
> Dave



(RADIATOR) 2 copies of User-Name attribute

2002-02-28 Thread Dave Kitabjian

Recently I've been noticing that the Radius Accounting packets coming
from some of our Cisco gear has been sending some attributes in
duplicate; in particular, we get two copies each of User-Name and
Nas-Port.

Fortunately, the two copies have identical values. But it still causes a
problem. We have lots of logic that rewrites usernames, parses out the
realm, adds in custom attributes, etc. The problem is that Radiator's
RewriteUserName appears to be only acting on the FIRST instance of the
User-Name attribute, and the 2nd instance remains unrewritten. Down the
line, our post-processing software doesn't know how to tell which one is
the "right one", and so we get messed up results.

I've asked our networking people to look into why we're getting dups of
some attributes. But meanwhile, I checked out the Radius Accounting RFC
(http://www.ietf.org/rfc/rfc2866.txt?number=2866), and I noticed this:

   Attributes

  Attributes may have multiple instances, in such a case the order
  of attributes of the same type SHOULD be preserved.  The order of
  attributes of different types is not required to be preserved.

So this makes me wonder if Radiator should not be able to support this.
Without looking deep into the code, my guess is that the attributes are
stored in a hash, and much of the logic depends on assuming the key is
unique, which would make support for this difficult to add. But perhaps
at least supporting it for RewriteUserName would be sensible?

Your thoughts are welcome...

Dave
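
An added illustration of the point raised in this message, not code from Radiator or from the original post: decoding a packet's attribute section into an ordered list keeps both copies of a repeated attribute, while a hash keyed on attribute name keeps only one, and a rewrite can then be applied to every User-Name instance. The packet bytes, the user name and the helper names (parse_attrs, rewrite_all, attr) are constructed for the example; the realm-stripping substitution is the one that appears in a configuration quoted elsewhere on this page.

```perl
use strict;
use warnings;

# Attribute type numbers from RFC 2865 / RFC 2866.
my %NAME = (1 => 'User-Name', 5 => 'NAS-Port', 40 => 'Acct-Status-Type');

# Decode the attribute section of a packet into an ordered list of
# [name, value] pairs, so repeated attributes keep their relative order.
sub parse_attrs {
    my ($bytes) = @_;
    my @attrs; my $pos = 0;
    while ($pos < length($bytes)) {
        die "truncated attribute header\n" if length($bytes) - $pos < 2;
        my ($type, $len) = unpack 'C C', substr($bytes, $pos, 2);
        die "bad attribute length $len\n"
            if $len < 2 || $pos + $len > length($bytes);
        my $raw = substr $bytes, $pos + 2, $len - 2;
        my $is_int = ($type == 5 || $type == 40) && length($raw) == 4;
        push @attrs, [ $NAME{$type} // "Attr-$type",
                       $is_int ? unpack('N', $raw) : $raw ];
        $pos += $len;
    }
    return @attrs;
}

# Apply a rewrite to every instance of an attribute, not only the first.
sub rewrite_all {
    my ($attrs, $name, $code) = @_;
    for my $attr (grep { $_->[0] eq $name } @$attrs) {
        $code->() for $attr->[1];    # $_ is aliased to the stored value
    }
}

# Constructed sample: User-Name and NAS-Port are each sent twice.
sub attr { my ($t, $v) = @_; return pack('C C', $t, 2 + length($v)) . $v }
my $sample = join '',
    attr(1, 'dave@example.net'), attr(5, pack('N', 7)), attr(40, pack('N', 1)),
    attr(1, 'dave@example.net'), attr(5, pack('N', 7));

my @attrs = parse_attrs($sample);
my %as_hash = map { $_->[0] => $_->[1] } @attrs;   # unique keys: duplicates collapse
printf "list keeps %d attributes, hash keeps %d\n",
    scalar @attrs, scalar keys %as_hash;

# Strip the realm from every User-Name instance.
rewrite_all(\@attrs, 'User-Name', sub { s/^([^@]+).*/$1/ });
print "$_->[0] = $_->[1]\n" for @attrs;
```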



(RADIATOR) Re: re config file

2002-02-28 Thread Hugh Irvine


Hello Buck -

On Wed, 27 Feb 2002 11:22, buck lane wrote:
> ok, i sent you the file, now i got a question to get radiator to talk to
> a MS SQL server i have to get an ODBC driver manager ( unixODBC ) a ODBC
> driver ( FreeTDS OOB ) and i need to install perl-DBi and DBD::ODBC so
> radiator can talk to unixODBC, could someone let me know if i am missing
> a step?

You will also need to create the database, of course.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) Radonline flushing every 2 hours

2002-02-28 Thread Hugh Irvine


Hello Frank, Hello Anton -

The special accounting requests of Accounting-On and Accounting-Off are used 
for this, as are a couple of other special cases.

Here is the relevant code from Handler.pm (sub handle_request):


    if ($status_type eq 'Start')
    {
        # Some Ciscos dont send accounting-on, so we will
        # detect a reboot with the first session (ID 0001)
        $sessdb->clearNas($nas_id, $p)
            if $session_id eq ''
               || (   $session_id eq '0001'
                   && $p->{Client}->{NasType} eq 'Cisco');

        $sessdb->add($original_username, $nas_id, $nas_port, $p);
    }
    elsif ($status_type eq 'Alive')
    {
        # When Cisco sends an Alive, we are going to do an update,
        # not an insert.
        $sessdb->update($original_username, $nas_id, $nas_port, $p);
    }
    elsif ($status_type eq 'Stop')
    {
        $sessdb->delete($original_username, $nas_id, $nas_port, $p,
                        $session_id, $framed_ip_address);
    }
    elsif ($status_type eq 'Accounting-On'
           || $status_type eq 'Accounting-Off')
    {
        # Detect the various kinds of NAS reboots
        # Remove all session entries for a given NAS.
        $sessdb->clearNas($nas_id, $p);
    }


As you can see, an Accounting-On or an Accounting-Off will clear the NAS, as 
will an accounting start with a session identifier of '', as will an 
accounting start from a Client with a NasType of Cisco with a session 
identifier of '0001'.

And here is the code for clearNas() in SessSQL.pm:


sub clearNas
{
    my ($self, $nas_id, $p) = @_;

    # query is optional
    return unless $self->{ClearNasQuery};

    # (Re)-connect to the database if necessary,
    return undef unless $self->reconnect;

    &main::log($main::LOG_DEBUG,
               "$self->{Identifier} Deleting all sessions for $nas_id");
    my $q = &Radius::Util::format_special($self->{ClearNasQuery}, $p);
    $self->do($q);
}


There is indeed a LOG_DEBUG message to indicate when it is called.


regards

Hugh


On Wed, 27 Feb 2002 16:34, Anton Krall wrote:
> Also when radiator does this.. Is there a log entry to show the action?
>
> Saludos
>
> Anton Krall
>
> Original > -Original Message-
> Original > From: [EMAIL PROTECTED]
> Original > [mailto:[EMAIL PROTECTED]] On Behalf Of
> Original > Frank Danielson
> Original > Sent: Martes, 26 de Febrero de 2002 06:47 p.m.
> Original > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Original > Subject: RE: (RADIATOR) Radonline flushing every 2 hours
> Original >
> Original >
> Original > Hugh-
> Original >
> Original > For general education purposes could you elaborate
> Original > on Radiator clearing entries for a NAS if it sees a
> Original > NAS restart? I'm not sure how Radiator would detect
> Original > that event and if some certain Client config is
> Original > needed to support this.
> Original >
> Original > Thanks.
> Original >
> Original > -Original Message-
> Original > From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Original > Sent: Tuesday, February 26, 2002 5:33 PM
> Original > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Original > Subject: Re: (RADIATOR) Radonline flushing every 2 hours
> Original >
> Original >
> Original >
> Original > Hello Anton -
> Original >
> Original > Please send me a copy of your configuration file (no
> Original > secrets) together with a
> Original > trace 4 debug showing what is happening.
> Original >
> Original > Radiator will automatically remove all entries for a
> Original > NAS if it sees a NAS
> Original > restart, but I can't think of any reason why the
> Original > entire RADONLINE table would
> Original > be cleared.
> Original >
> Original > regards
> Original >
> Original > Hugh
> Original >
> Original >
> Original > On Wed, 27 Feb 2002 08:45, Anton Krall wrote:
> Original > > Guys.. I'm having problems with my radonline table
> Original > on mysql.. Seems
> Original > > that every 2 hours.. The contents flush and start
> Original > from 0... Anybody
> Original > > has any problems like this?
> Original > >
> Original > > I noticed this because I'm graphing the radonline
> Original > total user count
> Original > > every 5 minute from MRTG, and I noticed that every
> Original > 2 hours.. The
> Original > > database flushes and the graph on MRTG looks
> Original > funny... Like restarted
> Original > > from 0 every 2 hours..
> Original > >
> Original > > Anybody has any ideas?
> Original > >
> Original > > Saludos
> Original > >
> Original > > Anton Krall
> Origi
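
An added example, not part of the message above and not Radiator code: a short Perl script that applies the clearNas conditions from the handle_request excerpt to accounting records, to show which records would have emptied a NAS's sessions and when. The record layout, the sample records, the use of NAS-IP-Address as the NAS identifier and the %nas_type map are assumptions made for the example.

```perl
use strict;
use warnings;

# Assumption: NAS addresses whose Client clause sets NasType Cisco.
my %nas_type = ('10.0.0.1' => 'Cisco');

# Reason a record would trigger clearNas() under the conditions in the
# handle_request excerpt, or undef if it would not.
sub clear_reason {
    my ($r) = @_;
    my ($type, $sid, $nas) =
        map { $r->{$_} // '' } qw(Acct-Status-Type Acct-Session-Id NAS-IP-Address);
    return $type if $type =~ /^Accounting-(?:On|Off)$/;
    return undef unless $type eq 'Start';
    return 'Start with empty Acct-Session-Id' if $sid eq '';
    return 'Start with Acct-Session-Id 0001 and NasType Cisco'
        if $sid eq '0001' && ($nas_type{$nas} // '') eq 'Cisco';
    return undef;
}

# Parse records: an unindented timestamp line, then indented "Attr = value".
sub parse_records {
    my @recs;
    for (split /\n/, shift) {
        if (/^\S/) { push @recs, { stamp => $_ } }
        elsif (@recs && /^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$/) { $recs[-1]{$1} = $2 }
    }
    return @recs;
}

# Constructed sample records, not taken from the thread.
my $sample = <<'END';
Thu Feb 28 10:00:00 2002
    Acct-Status-Type = Start
    Acct-Session-Id = "0001"
    NAS-IP-Address = 10.0.0.1
Thu Feb 28 10:05:00 2002
    Acct-Status-Type = Start
    Acct-Session-Id = "0001"
    NAS-IP-Address = 10.0.0.2
Thu Feb 28 12:00:00 2002
    Acct-Status-Type = Accounting-On
    NAS-IP-Address = 10.0.0.2
END

for my $r (parse_records($sample)) {
    my $why = clear_reason($r) or next;
    print "$r->{stamp}  NAS $r->{'NAS-IP-Address'}  clearNas: $why\n";
}
```

Lining up the flagged timestamps with the moments the session count drops shows which NAS, and which kind of record, is behind each clear.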

Re: (RADIATOR) Re: Problem about SQL 7 SP3

2002-02-28 Thread Hugh Irvine


Hello Chairath -

You will need to make the same change that you made to the Radiator 
configuration file in the Radmin file called "Radmin/Sql.pm". You will either 
need to change the file in the Radmin distribution directory and re-install, 
or you can change the file in the Perl hierarchy directly.

regards

Hugh


On Thu, 28 Feb 2002 12:50, Chairath K wrote:
> Hello Hugh,
>
> Now I can start Radiator Service by re-setting ODBC System DSN . But the
> problem still occurs when I use Radmin. Error Message below is shown when I
> use web-browser to open Radmin
>
> Error
> A serious error has occurred:
> Could not connect to SQL database dbi:ODBC:Radmin: [Microsoft][ODBC SQL
> Server Driver][SQL Server]Login failed for user 'RADTEMP\IUSR_RADTEMP'.
> (SQL-28000)(DBD: db_login/SQLConnect err=-1)
>
> So how can I fix it?
>
> Regards,
> Chairath
>
> P.S. Our system is running Radiator 2.18 and Radmin 1.4 on Windows NT
>
>
>
> - Original Message -
> From: Chairath K
> To: Hugh Irvine
> Sent: Wednesday, February 27, 2002 10:52 AM
> Subject: Problem about SQL 7 SP3
>
>
> Hello Hugh,
>
> I have installed Service Pack 3 of Microsoft SQL server 7.0 for NT in order
> for Replication Application . But after I installed it , I can't start
> Radiator Service . So how can I fix it to work properly with SQL 7 SP3 ?
>
> Regards,
> Chairath
>
> Wed Feb 27 10:37:33 2002: DEBUG: Adding Clients from SQL database
> Wed Feb 27 10:37:33 2002: DEBUG: Query is: select
>  NASIDENTIFIER,
>  SECRET,
>  IGNOREACCTSIGNATURE,
>  DUPINTERVAL,
>  DEFAULTREALM,
>  NASTYPE,
>  SNMPCOMMUNITY,
>  LIVINGSTONOFFS,
>  LIVINGSTONHOLE,
>  FRAMEDGROUPBASEADDRESS,
>  FRAMEDGROUPMAXPORTSPERCLASSC,
>  REWRITEUSERNAME,
>  NOIGNOREDUPLICATES,
>  PREHANDLERHOOK from RADCLIENTLIST
>
> Wed Feb 27 10:37:33 2002: ERR: Execute failed for 'select
>  NASIDENTIFIER,
>  SECRET,
>  IGNOREACCTSIGNATURE,
>  DUPINTERVAL,
>  DEFAULTREALM,
>  NASTYPE,
>  SNMPCOMMUNITY,
>  LIVINGSTONOFFS,
>  LIVINGSTONHOLE,
>  FRAMEDGROUPBASEADDRESS,
>  FRAMEDGROUPMAXPORTSPERCLASSC,
>  REWRITEUSERNAME,
>  NOIGNOREDUPLICATES,
>  PREHANDLERHOOK from RADCLIENTLIST': [Microsoft][ODBC SQL Server
> Driver][SQL Server]Invalid object name 'RADCLIENTLIST'. (SQL-S0002)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
> prepared. (SQL-37000)(DBD: st_prepare/SQLPrepare err=-1)
> Wed Feb 27 10:37:33 2002: ERR: Execute failed for 'select
>  NASIDENTIFIER,
>  SECRET,
>  IGNOREACCTSIGNATURE,
>  DUPINTERVAL,
>  DEFAULTREALM,
>  NASTYPE,
>  SNMPCOMMUNITY,
>  LIVINGSTONOFFS,
>  LIVINGSTONHOLE,
>  FRAMEDGROUPBASEADDRESS,
>  FRAMEDGROUPMAXPORTSPERCLASSC,
>  REWRITEUSERNAME,
>  NOIGNOREDUPLICATES,
>  PREHANDLERHOOK from RADCLIENTLIST': [Microsoft][ODBC SQL Server
> Driver][SQL Server]Invalid object name 'RADCLIENTLIST'. (SQL-S0002)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
> prepared. (SQL-37000)(DBD: st_prepare/SQLPrepare err=-1)
>
> ---
>
> Foreground
> LogStdout
> LogDir  d:/Radiator-2.18/log
> DbDir  d:/Radiator-2.18
> LogFile %L/logfile-%d-%m-%Y
>
> # Dont turn this up too high, since all log messages are logged
> # to the RADMESSAGES table in the database. 3 will give you everything
> # except debugging messages
> Trace 4
>
>
> # PreClientHook to add NAS-Port attribute
> PreClientHook file:"%D/addNASPort"
>
> # You will probably want to change this to suit your site.
> # You should list all the clients you have, and their secrets
> # If you are using the Radmin Clients table, you will probably
> # want to disable this.
> #
> # Secret mysecret
> # DupInterval 0
> #
>
> # You can put additional (or all) client details in your Radmin
> # database table
> # and get their details from there with something like this:
> # You can then use the Radmin 'Add Radius Client' to add new clients.
> 
>  DBSource dbi:ODBC:Radmin
>  DBUsername 
>  DBAuth  
> 
>
> #
> # Identifier ProxyTofunk
> # Host 10.2.0.6
> # Secret test
> #
>
> #
> # strip Realm
> # RewriteUsername s/^([^@]+).*/$1/
> # AuthBy ProxyTofunk
> #
>
> 
>  Identifier RADMINAUTH
>  # Change DBSource, DBUsername, DBAuth for your database
>  # See the reference manual. You will also have to
>  # change the one in  below
>  # so its the same
>  DBSource dbi:ODBC:Radmin
>  DBUsername xxx
>  DBAuth  xxx
>  DateFormat %e %m  %Y %T
>
>  AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,MAXLOGINS from RADUSERS
> where USERNAME='%n' and BADLOGINS < 8 and VALIDFROM < %t and VALIDTO > %t
>
>  # You can add to or change these if you want, but you
>  # will probably want to change the database schema first
>  AccountingTable RADUSAGE
>  AcctColumnDef USERNAME,User-Name
>  AcctColumnDef TIME_STAMP,Timestamp,integer
>  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
>  AcctColumnDef ACCTDELAY