(RADIATOR)

2002-07-10 Thread Per Lütkemeyer

Hi Hugh,

The function IdenticalClients strongly needs the possibility to use wildcards in specifying IP addresses.
I'm sure that others would appreciate this feature.

- see my example:

<Client 222-routers>
    Identifier RouterLogin
    Secret Radius
    IdenticalClients 192.162.222.1 192.162.222.2 192.162.222.3 192.162.222.4 192.162.222.5
    192.162.223.6 192.162.223.7 192.162.223.8 192.162.223.9 192.162.223.3
</Client>


The syntax could be something like:

<Client 222-routers>
    Identifier RouterLogin
    Secret Radius
    IdenticalClients 192.162.222.* 192.162.223.*
</Client>

Would you discuss this with development...?


Regards
Per Lütkemeyer
DMdata a/s

(RADIATOR) DeallocateQuery

2002-07-10 Thread private

Hi , 
Radiator Ver 2.18.2 .

issue : DeallocateQuery

I want to deallocate SQL query not just by YIADDR but by USERNAME too . 

The basic is : 
update RADPOOL set STATE=0,TIME_STAMP=%t where YIADDR='%0'
what extension should I add ? 

Thanks , 
Eyal .
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Radiusd crashes with strange error

2002-07-10 Thread Hugh Irvine


Hello Leon -

I can only conclude that either you are running a different version of Perl, 
or that the current directory when you run radiusd is somewhere other than 
the Perl directory you show below.

BTW - this is why I always recommend using the source tarball and installing 
the different versions in different directories - then only do this:

perl Makefile.PL; make; make test

** do not install **

Then when you run radiusd, you do this:

cd /Radiator-3.1; ./radiusd ..

regards

Hugh


On Wed, 10 Jul 2002 07:16, Leon Oosterwijk wrote:
 Hugh,

 I understand the problem with the ports. However I do believe I have the
 correct install of Radius. Consider:

 [root@nashrad01 log]# tail -n 30 /usr/lib/perl5/site_perl/5.6.0/Radius/Util.pm
     }
     $s =~ s/^\s*//; # Strip leading white space
     }
     return @ret;
 }

 #
 # Convert a numeric or symbolic UDP port into a port number
 sub get_port
 {
     my ($p) = @_;

     $p = Radius::Util::format_special($p);
     if ($p =~ /^\d+$/)
     {
         # Completely numeric, 0 is permitted
         return $p;
     }
     else
     {
         my $ret = getservbyname($p, 'udp');
         main::log($main::LOG_WARNING, "Unknown service name $p")
             unless $ret;
         return $ret;
     }
 }


 1;

 It clearly shows the get_port routine . And:

 # Util.pm
 #
 # Utility routines required by Radiator
 # Author: Mike McCauley ([EMAIL PROTECTED]),
 # strftime and friends based on code by David Muir Sharnoff
 # [EMAIL PROTECTED] in CTime.pm. Source code provided on request.
 # $Id: Util.pm,v 1.25 2002/03/24 23:07:49 mikem Exp $

 package Radius::Util;
 use Digest::MD5;
 use Socket;
 use File::Path;
 use File::Basename;
 use strict;

 # This is the official Radiator version number:
 $main::VERSION = '3.0';


 It is also of the correct version.



 Sincerely,

 Leon Oosterwijk
 ISDN-NET Inc.
 (615) 221-4200
 http://www.isdn.net

  -Original Message-
  From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 09, 2002 3:39 PM
  To: Leon Oosterwijk; '[EMAIL PROTECTED]'
  Subject: Re: (RADIATOR) Radiusd crashes with strange error
 
 
 
  Hello Leon -
 
  There are two problems here -
 
  the first is that the port number that radiusd is trying to
  open is already in
  use by another program or another instance of radiusd
 
  the second is that you have not installed the new version of Radiator
  correctly and the get_port subroutine is not present in the
  Radius/Util
  module that you are running
 
  BTW - the current version is Radiator 3.1 (plus patches).
 
  regards
 
  Hugh
 
  On Wed, 10 Jul 2002 02:58, Leon Oosterwijk wrote:
   I've recently upgraded two machines to 3.0. I'm now getting the
   following error sporadically:

   our program

   /usr/bin/radiusd -config_file /etc/radiator/radius.cfg
   -dictionary_file /etc/radiator/dictionary

   exited unexpectedly with exit status 0,
   signal number 0 and dump indication 0.

   The STDERR output was Error:
   creating socket: Address already in use
   Undefined subroutine Radius::Util::get_port called at
   /usr/bin/radiusd line 328. .

   The program will be restarted again by
   /usr/local/sbin/restartWrapper
   in 600 seconds.

   ==
   This mail message was automatically generated by restartWrapper, part
   of the OSC Radiator package.
   ==

   What could be causing this? The Util.pm under the Radius dir have the
   routine called get_port all the way at the bottom of the file.
  

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR)

2002-07-10 Thread Hugh Irvine


Hello Per -

We are of the opinion that it is actually preferable to define individual 
Client clauses for each device in the interests of control and security.

If you have large numbers of Client clauses, you should consider using the 
ClientListSQL clause and storing the definitions in an SQL database.

I have copied this mail to Mike in any case, and he may have other views.

regards

Hugh


On Wed, 10 Jul 2002 18:42, Per Lütkemeyer wrote:
 Hi Hugh,

 The function IdenticalClients strongly needs the possibility to use
 wildcards in specifying IP addresses.
 I'm sure that others would appreciate this feature.

 - see my example:

 <Client 222-routers>
     Identifier RouterLogin
     Secret Radius
     IdenticalClients 192.162.222.1 192.162.222.2 192.162.222.3
     192.162.222.4 192.162.222.5
     192.162.223.6 192.162.223.7 192.162.223.8
     192.162.223.9 192.162.223.3
 </Client>


 The syntax could be something like:

 <Client 222-routers>
     Identifier RouterLogin
     Secret Radius
     IdenticalClients 192.162.222.* 192.162.223.*
 </Client>

 Would you  discuss this with development...?


 Regards
 Per Lütkemeyer
 DMdata a/s




Re: (RADIATOR) DeallocateQuery

2002-07-10 Thread Hugh Irvine


Hello Eyal -

You can specify your own SQL queries in the AddressAllocator SQL clause.

Have a look at section 6.52 in the Radiator 3.1 reference manual.
(doc/ref.html).

regards

Hugh


On Wed, 10 Jul 2002 18:51, [EMAIL PROTECTED] wrote:
 Hi ,
 Radiator Ver 2.18.2 .

 issue : DeallocateQuery

 I want to deallocate SQL query not just by YIADDR but by USERNAME too .

 The basic is :
 update RADPOOL set STATE=0,TIME_STAMP=%t where YIADDR='%0'
 what extension should I add ?

 Thanks ,
 Eyal .




Re: (RADIATOR) Garbage in log files

2002-07-10 Thread Hugh Irvine


Hello -

The only way I can tell what is going on is to see a copy of your 
configuration file (no secrets) together with as much information you can 
gather regarding the problem - including version of Radiator, 
hardware/software platform, trace 4 debug showing a request that works and a 
request that doesn't, etc., etc.

regards

Hugh


On Wed, 10 Jul 2002 19:22, [EMAIL PROTECTED] wrote:
 Hmm, I don't think it's an issue of shared secret, coz it doesn't fail all the
 time, it seems to be an on and off problem.


 Rgds
 TDN


 - Original Message -
 From: Hugh Irvine [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: 09-07-2002 11:43 PM
 Subject: Re: (RADIATOR) Garbage in log files



 Hello -

 In this case the problem is probably incorrect shared secrets.

 regards

 Hugh

 On Tue, 9 Jul 2002 21:15, [EMAIL PROTECTED] wrote:
   This looks a lot like modem noise, usually caused by modems that have not
   synced properly.

  Well, I had a configuration whereby the NAS talks to a proxy radius server,
  and based on the called_station_id, your request is sent to the appropriate
  radius server.

  The interesting thing is that, whenever I bypass the proxy, the problem
  disappears.
  I now have the NAS sending requests directly to the radius server (not
  via the proxy), and this looks OK.
  My proxy radius server is Radiator 3.1 running on FreeBSD 4.6, while the
  level-2 radius server is Radiator 2.19
  running on Solaris 2.7.

  What could the problem be, as I need to have the proxy radius server
  back again?
 
 
  Thanks
  TDN
 
  - Original Message -
  From: Hugh Irvine [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: 09-07-2002 1:40 PM
  Subject: Re: (RADIATOR) Garbage in log files
 
   Hello -
  
   This looks a lot like modem noise, usually caused by modems that have not
   synced properly.
  
   regards
  
   Hugh
  
   On Tue, 9 Jul 2002 17:21, [EMAIL PROTECTED] wrote:
Hi
   
   
A few of our users have been complaining that they occasionally
get access denied on login, but most of the time they go through.
I decided to log the passwords and see if they send the wrong password,
but I notice that the password field in the log files is in some
funny characters

e.g.,
Tue Jul  9 10:18:21 2002:1026209901:test:p¦®øÈG¯õ8_ÊÝ:{crypt}LkoZD.iESAHtg:FAIL


Any ideas what would cause this?
   
   
Rgds
TDN
   
   

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
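
Why a wrong shared secret, the cause Hugh suggests for the proxied case, yields a password field like the one in the log line above, as an added example (not code from the thread or from Radiator): the User-Password hiding of RFC 2865 section 5.2, un-hidden with the right and with a wrong secret. Secrets, authenticators and the password are constructed.

```python
import hashlib


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a non-zero multiple of 16 octets (RFC 2865, 5.2)."""
    if len(data) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    if not data:
        return b"\x00" * 16
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(secret + RA); c(i) = p(i) XOR MD5(secret + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out, prev = [], authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out.append(block)
        prev = block
    return b"".join(out)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. There is no integrity check in this step:
    a wrong secret does not raise an error, it just returns other bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = [], authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out.append(bytes(c ^ k for c, k in zip(block, pad)))
        prev = block
    return b"".join(out).rstrip(b"\x00")


def proxy_forward(hidden, authenticator, nas_secret, next_hop_secret, new_authenticator):
    """A proxy un-hides with the secret it shares with the NAS and re-hides
    with the secret it shares with the next server."""
    clear = recover_password(hidden, nas_secret, authenticator)
    return hide_password(clear, next_hop_secret, new_authenticator)


def looks_garbled(value: bytes) -> bool:
    """Log hygiene check: any octet outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in value)


def demo():
    # All values below are constructed for this example.
    password = b"correct horse"
    nas_secret = b"nas-to-proxy"
    hop_secret = b"proxy-to-server"
    stale_secret = b"proxy-to-server-old"   # what a misconfigured server holds
    auth_nas = bytes(range(16))
    auth_proxy = bytes(range(16, 32))

    from_nas = hide_password(password, nas_secret, auth_nas)
    forwarded = proxy_forward(from_nas, auth_nas, nas_secret, hop_secret, auth_proxy)
    return {
        "password": password,
        "good": recover_password(forwarded, hop_secret, auth_proxy),
        "bad": recover_password(forwarded, stale_secret, auth_proxy),
    }


if __name__ == "__main__":
    result = demo()
    print("right secret:", result["good"])
    print("wrong secret:", result["bad"], "garbled:", looks_garbled(result["bad"]))
```

Because the mismatch is silent at this layer, it shows up only as a failed password comparison and unreadable bytes in any log that records the recovered value.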



(RADIATOR) Radiator - Probs with Authby SQL

2002-07-10 Thread Christian Rautscher

Hi there,

I'm actually testing Radiator 3.1 DEMO Version for different kinds
of access authentication for different services on Cisco routers.
When I tested Radiator with flat-file authentication everything
went well.
Actually I am using MySQL as DB and it works fine
for Login and Administrative Services, but only the Dial-IN connections
with PPP don't work. The debug on my Cisco router tells me Authorization
errors.

(I am sure that the Cisco config is fine, 'coz it works with
Radiator flat-file authentication)

My Radiator config looks like this:

<ClientListSQL>
    DBSource    dbi:mysql:radius
    DBUsername  [snip]
    DBAuth      [snip]
</ClientListSQL>

<Realm DEFAULT>
    <AuthBy SQL>
        DBSource    dbi:mysql:radius
        DBUsername  [snip]
        DBAuth      [snip]

        AuthSelect select password, checkattr, replyattr from SUBSCRIBERS where USERNAME='%U'

        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply
---

The Radiator log at trace 5 looks like this. The user authentication seems
to be going well, but after that,
in the section of Reply-Attributes, the log abruptly ends without any
reason.

I'd like to thank you in advance for your help, and if anyone needs
any other
information, please don't hesitate to contact me.
Thank you and kind regards,
Chris



Log-File Radiator (trace5)

Code:   Access-Request
Identifier: 131
Authentic:  185152Mw15613227h;179160c62339
Attributes:
  NAS-IP-Address = [snip]
  NAS-Port = 74
  NAS-Port-Type = Async
  User-Name = test
  Called-Station-Id = [snip]
  Calling-Station-Id = [snip]
  User-Password = [snip]
  Service-Type = Framed-User
  Framed-Protocol = PPP

Wed Jul 10 15:51:36 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jul 10 15:51:36 2002: DEBUG:  Deleting session for test, IP-ADDRESS[snip], 74
Wed Jul 10 15:51:36 2002: DEBUG: Handling with Radius::AuthSQL
Wed Jul 10 15:51:36 2002: DEBUG: Handling with Radius::AuthSQL:
Wed Jul 10 15:51:36 2002: DEBUG: Query is: select password, checkattr, replyattr from SUBSCRIBERS where USERNAME='test'

Wed Jul 10 15:51:36 2002: DEBUG: Radius::AuthSQL looks for match with bcomtest
Wed Jul 10 15:51:36 2002: DEBUG: Radius::AuthSQL ACCEPT:
Wed Jul 10 15:51:36 2002: DEBUG: Access accepted for test
Wed Jul 10 15:51:36 2002: DEBUG: Packet dump:
*** Sending to IP[snip] port 1645

Packet length = 20
02 83 00 14 9a 9e 5d 4b 4f 70 91 b2 73 7f f1 dc
a1 6e 2b 7b
Code:   Access-Accept
Identifier: 131
Authentic:  185152Mw15613227h;179160c62339
Attributes:







Re: (RADIATOR) User auths if in the users file only?

2002-07-10 Thread chris


 This was where the problem was. Their setup did not follow this standard
 and was trying to assign 255.255.255.254 as the IP *sigh*

This leads me to a question. I have a mix of NAS servers that I need to use
on the same radius server. One needs the Framed-IP-Address = 255.255.255.254
attribute and one needs *nothing* sent.

I have each NAS set up separately in client clauses. How can I choose to send
the attribute out to only the NAS servers that need it?

 -Chris




RE: (RADIATOR) User auths if in the users file only?

2002-07-10 Thread Frank Danielson

You could use identifiers in your client clauses like so-

<Client 1.2.3.4>
    Identifier noip
</Client>

<Client 1.2.3.5>
    Identifier send254
</Client>

<Client 1.2.4.6>
    Identifier noip
</Client>

<Client 1.2.3.7>
    Identifier send254
</Client>

<Handler Client-Identifier=noip>
    # Do auth and send no Framed-IP-Address
</Handler>

<Handler Client-Identifier=send254>
    # Do auth and send 255.255.255.254
</Handler>

-Original Message-
From: chris [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) User auths if in the users file only?



 This was where the problem was. Their setup did not follow this standard
 and was trying to assign 255.255.255.254 as the IP *sigh*

This leads me to a question. I have a mix of NAS servers that I need to use
on the same radius server. One needs the Framed-IP-Address = 255.255.255.254
attribute and one needs *nothing* sent.

I have each NAS set up separately in client clauses. How can I choose to send
the attribute out to only the NAS servers that need it?

 -Chris




(RADIATOR) MS Encryption attributes

2002-07-10 Thread Ayotunde Itayemi



Hi Hugh,

I extracted the following from the dictionary file that came with Radiator 3.0.

Please can you have Mike take a look at it? Is it correct?

I have tried to implement encryption on a Windows 2000 RAS server
but I have had no success - I sent a mail to the mailing list some time ago.

Please, it would be nice if you can check the attribute values, and the data type
also.


#VALUE MS-MPPE-Encryption-Policy Encryption-Allowed 1
#VALUE MS-MPPE-Encryption-Policy Encryption-Required 2
# Is this correct?:
#VALUE MS-MPPE-Encryption-Types Encryption-40 4
#VALUE MS-MPPE-Encryption-Types Encryption-128 2
#VALUE MS-MPPE-Encryption-Types Encryption-Any 6
# RcryptKey


Regards,
Tunde I.


Re: (RADIATOR) User auths if in the users file only?

2002-07-10 Thread Karl Gaissmaier

Hi Chris,

chris wrote:
 
  This was where the problem was. Their setup did not follow this standard
  and was trying to assign 255.255.255.254 as the IP *sigh*
 
 This leads me to a question. I have a mix of NAS servers that I need to use
 on the same radius server. One needs the Framed-IP-Address = 255.255.255.254
 attribute and one needs *nothing* sent.

what NAS's do you have? Are they not able to configure them with
dynamic ip address pools and you specify in the reply items just
from which ip pool they shall spent an ip address?

See the following example for my ascends (in the users file):

pools-foo Password = ascend, Service-Type = Outbound-User
    Ascend-IP-Pool-Definition = 1 10.0.0.1 254
...
...
DEFAULT Service-Type = Framed-User, Auth-Type = System
    Framed-Protocol = MP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Idle-Timeout = 1800,
    Session-Timeout = 43200,
    Ascend-Assign-IP-Pool = 1,
    Ascend-Source-IP-Check = Source-IP-Check-Yes,
    Ascend-Link-Compression = Link-Comp-MS-Stac

here you see Ascend-Assign-IP-Pool = 1, as defined in the same
users file and the Ascend NAS fetches this after reboot or with
a special remote config refresh.

Anyway, you should spent an Identifier in the Client Clause like:

<Client foo.bar.baz>
    Identifier  foo
    Secret mysecret
</Client>

<Client yep.bar.baz>
    Identifier  yep
    Secret mysecret
</Client>

and then you can set up different handlers for the different
Clients with different users file:

<Handler Client-Identifier=foo>
    <AuthBy FILE>
        Filename foo-users
    </AuthBy>
</Handler>

<Handler Client-Identifier=yep>
    <AuthBy FILE>
        Filename yep-users
    </AuthBy>
</Handler>

or you use just one handler and differentiate in the single users file like:

DEFAULT Service-Type = Framed-User, Auth-Type = System, Client-Identifier = foo
    foo reply items

DEFAULT Service-Type = Framed-User, Auth-Type = System, Client-Identifier = yep
    yep reply items

Hope this helps

Regards
Charly
-- 
Karl Gaissmaier  Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED]  Network Administration
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-10 Thread Dave Kitabjian

I finally tracked down the reason why our Online DB has been reporting a much lower count of onliners than are actually online.

Look at the attached sequence of two accounting records. tmeyers logs on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while he's still online, cheezwhiz logs off of the same NAS and Port, clobbering tmeyers' entry in the online DB. 

But how can two people have been on the same port at the same time, you ask? The answer is that when Cisco is (again) lazy, it's easy to happen. If you look at the Cisco-NAS-Port attribute, you'll see that they are really on two distinct ports. Cisco is just taking a portion of the info and plopping it in NAS-Port, even though that means that many people can be on the same NAS-Port at once. Most manufacturers come up with a procedure for encoding all that Async4/105*Serial7/0:25:3 stuff into some unique, numeric port number and then put that in NAS-Port. 

Now, if we were enforcing concurrency limits we'd be even more screwed.


Has anyone else experienced this? How are you dealing with it? Does Radiator have any solutions? I wonder if using the Acct-Session-Id for deletions would be more reliable than matching NAS/Port combos. Comments welcome!

Dave

_


Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
*** Received from 216.118.66.25 port 1646
Code: Accounting-Request
Identifier: 188
Authentic: 218232t199j16323413827251221133HsX142
Attributes:
    Acct-Session-Id = 87C2
    Framed-Protocol = PPP
    Connect-Info = 46667/24000 V90/V42bis/LAPM
    cisco-avpair = connect-progress=Call Up
    Acct-Authentic = RADIUS
    Acct-Status-Type = Start
    User-Name = tmeyers
    Acct-Multi-Session-Id = 511D
    Acct-Link-Count = 0002
    Framed-Address = 216.118.88.4
    Cisco-NAS-Port = Async4/105*Serial7/0:25:3
    NAS-Port = 105
    NAS-Port-Type = Async
    Class = netcarrier.com
    Service-Type = Framed-User
    NAS-IP-Address = 216.118.66.25
    Event-Timestamp = 1026329001
    Acct-Delay-Time = 0

Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
*** Received from 216.118.66.25 port 1646
Code: Accounting-Request
Identifier: 239
Authentic: 30u2264138177143248254:165d182200?
Attributes:
    Acct-Session-Id = 84AB
    Framed-Protocol = PPP
    cisco-avpair = connect-progress=Call Up
    Acct-Session-Time = 2897
    Connect-Info = 49333/24000 V90/V42bis/LAPM
    Acct-Input-Octets = 349671
    Acct-Output-Octets = 2362531
    Acct-Input-Packets = 3246
    Acct-Output-Packets = 2835
    Acct-Terminate-Cause = User-Request
    cisco-avpair = disc-cause-ext=PPP Receive Term
    Acct-Authentic = RADIUS
    Acct-Status-Type = Stop
    User-Name = cheezwhiz
    Acct-Multi-Session-Id = 4F51
    Acct-Link-Count = 0001
    Framed-Address = 216.118.90.220
    Cisco-NAS-Port = Async3/105*Serial7/0:18:21
    NAS-Port = 105
    NAS-Port-Type = Async
    Class = netcarrier.com
    Service-Type = Framed-User
    NAS-IP-Address = 216.118.66.25
    Event-Timestamp = 1026329176
    Acct-Delay-Time = 0





Re: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-10 Thread Claudio Lapidus

Hello Dave,

Has anyone else experienced this? How are you dealing with it? Does
Radiator have any solutions? I wonder if using the Acct-Session-Id for
deletions would be more reliable than matching NAS/Port combos.

You might want to take a look at the global configuration command 
radius-server attribute nas-port format c (or b, or d, or whatever you 
need). Right now I don't have the exact URL at hand, but search for that 
string in Cisco's web, you'll find it easily.

regards,
cl.
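
The clobbering Dave describes, replayed as an added example (not part of any post and not Radiator code): a toy online table is fed his two accounting records under three keying choices, and key collisions are reported. Record values are copied from his packet dumps; the earlier Start for cheezwhiz is constructed from his Stop record.

```python
NAS = "216.118.66.25"

# From the first packet dump in the thread.
TMEYERS_START = {
    "Acct-Status-Type": "Start", "User-Name": "tmeyers",
    "Acct-Session-Id": "87C2", "NAS-IP-Address": NAS,
    "NAS-Port": "105", "Cisco-NAS-Port": "Async4/105*Serial7/0:25:3",
}
# From the second packet dump in the thread.
CHEEZWHIZ_STOP = {
    "Acct-Status-Type": "Stop", "User-Name": "cheezwhiz",
    "Acct-Session-Id": "84AB", "NAS-IP-Address": NAS,
    "NAS-Port": "105", "Cisco-NAS-Port": "Async3/105*Serial7/0:18:21",
}
# Constructed: the Start that must have preceded cheezwhiz's Stop.
CHEEZWHIZ_START = dict(CHEEZWHIZ_STOP, **{"Acct-Status-Type": "Start"})

# Arrival order implied by the thread: cheezwhiz is online, tmeyers logs on,
# then cheezwhiz logs off while tmeyers is still connected.
RECORDS = [CHEEZWHIZ_START, TMEYERS_START, CHEEZWHIZ_STOP]


def key_by_nas_port(rec):
    """NAS/Port matching, the keying Dave says is being clobbered."""
    return (rec["NAS-IP-Address"], rec["NAS-Port"])


def key_by_session_id(rec):
    """The alternative Dave asks about. Uniqueness of Acct-Session-Id is
    per NAS, so the NAS address stays in the key."""
    return (rec["NAS-IP-Address"], rec["Acct-Session-Id"])


def key_by_cisco_port(rec):
    """Use the full Cisco-NAS-Port string, treated as opaque."""
    return (rec["NAS-IP-Address"], rec["Cisco-NAS-Port"])


def replay(records, keyfn):
    """Apply Start/Stop records to an online table.

    Returns (table, anomalies). An anomaly is recorded whenever a record
    touches an entry that belongs to a different Acct-Session-Id, which is
    the symptom of a key that is not unique per session."""
    table, anomalies = {}, []
    for rec in records:
        key = keyfn(rec)
        live = table.get(key)
        status = rec["Acct-Status-Type"]
        if status == "Start":
            if live and live["Acct-Session-Id"] != rec["Acct-Session-Id"]:
                anomalies.append(
                    ("start-overwrites-live-session", live["User-Name"], rec["User-Name"]))
            table[key] = rec
        elif status == "Stop":
            if live is None:
                anomalies.append(("stop-without-entry", None, rec["User-Name"]))
                continue
            if live["Acct-Session-Id"] != rec["Acct-Session-Id"]:
                anomalies.append(
                    ("stop-removes-other-session", live["User-Name"], rec["User-Name"]))
            del table[key]
    return table, anomalies


def users_online(table):
    return sorted(rec["User-Name"] for rec in table.values())


if __name__ == "__main__":
    for keyfn in (key_by_nas_port, key_by_session_id, key_by_cisco_port):
        table, anomalies = replay(RECORDS, keyfn)
        print(keyfn.__name__, "online:", users_online(table), "anomalies:", anomalies)
```

With NAS/Port keying the table ends empty while tmeyers is still connected, which is the undercount Dave reports and the reason a concurrency limit built on that table would miss live sessions.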




RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-10 Thread Frank Danielson

How about handling it with a preclient hook in the client clause to strip
the number you want out of the Cisco-NAS-Port attribute and stuff it into
the NAS-Port attribute.



(RADIATOR) Simultaneous Request handling

2002-07-10 Thread Chris Myers

Hugh,

I'm wondering if Radiator can handle simultaneous requests 
without forking, in the same way that squid does. (i.e.
one process - no multithreading).  I know that it has been
mentioned before on the list that the best way to do this
was with multithreading but perl multithreading is non-
production.  Can this be done with a select loop?

My problem is that if a request starts to block for an
unexpected amount of time I would like to be able to 
handle other incoming requests.  Naturally loadbalancing
can minimize this problem but it does not solve it.

Cheers,
Chris
-- 
+Chris Myers ~ [EMAIL PROTECTED] 
. Information Technology Services - Software Infrastructure
. Ph: +61 7 3365 4017 - Mobile: 0413-009-482 - Room: 42-412
. The Prentice Building - The University of Queensland 4072
+ PGP Public key available @ http://www.uq.edu.au/~uqcmyers



(RADIATOR) AuthBy RADIUS and Session Database

2002-07-10 Thread Mike McCauley



--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from 
[[EMAIL PROTECTED]]
Date: Wed, 10 Jul 2002 23:57:13 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


Hi,
I am running Radiator-2.18.4 on two boxes that are talking to a centrally
located mySQL server that contains our Session Database. We are using
ClientType TotalControlSNMP and AscendSNMP to query our NAS boxes.

We are using these radius boxes as proxy servers for our Wholesales Dialup
service offering, so we have many realms communicating back to many
AuthBy RADIUS clauses. We are enforcing a DefaultSimultaneous 1 in the
AuthBy RADIUS clause. Responses coming back from the Proxied Radius
Servers do not include a Simultaneous-Use=1 statement. There is a
Port-Limit=4 statement.

Having said that, it is my belief that a user that is logged in, and shown
in the session database, should not be permitted to log in. This is not
the case here. The user receives an access accept.

A level 4 trace showed me that we do not do a SELECT against the Session
Database or a SNMPGET to the NASes to see if the user is online. Is this
the behavior of AuthBy RADIUS?

Is there a way to fix this so simultaneous use will be enforced?
Suggestions?

Thanks,
Tom Daly

--
Tom Daly
Network Operations / Systems Administrator
G4 Communications Corp.
V: 603.296.4413 / F: 603.647.7576
E: [EMAIL PROTECTED] / W3: www.g4.net

---

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc




Re: (RADIATOR) Simultaneous Request handling

2002-07-10 Thread Michael Saunders

Trying to disconnect a user using radpwtst. Does anyone have a sample
command that could show me how to do this?

Michael Saunders
- Original Message -
From: Chris Myers [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 11, 2002 1:06 PM
Subject: (RADIATOR) Simultaneous Request handling


 Hugh,

 I'm wondering if Radiator can handle simultaneous requests
 without forking, in the same way that squid does. (i.e.
 one process - no multithreading).  I know that it has been
 mentioned before on the list that the best way to do this
 was with multithreading but perl multithreading is non-
 production.  Can this be done with a select loop?

 My problem is that if a request starts to block for an
 unexpected amount of time I would like to be able to
 handle other incoming requests.  Naturally loadbalancing
 can minimize this problem but it does not solve it.

 Cheers,
 Chris
 --
 +Chris Myers ~ [EMAIL PROTECTED]
 . Information Technology Services - Software Infrastructure
 . Ph: +61 7 3365 4017 - Mobile: 0413-009-482 - Room: 42-412
 . The Prentice Building - The University of Queensland 4072
 + PGP Public key available @ http://www.uq.edu.au/~uqcmyers