RE: (RADIATOR) DBI:mysql
Yes I have tried but looking in the trace it seems that doesn't work.It's a connection problem I am using a default Linux red hat8 installation on two machines one with radiator and one with the mysql database(default installation from Linux red hat).Using the My sql control center on the radiator machine I can remotely connect to the mysql machine with no problem using the same account. I am using the test account from My SQL database that doesn't have a pasword.Is that an issue for Radiator? Thanks in advance -Original Message- From: Christian Wiedmann [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 6:40 PM To: [EMAIL PROTECTED] Subject: Re: (RADIATOR) DBI:mysql Have you tried: dbi:mysql:database=db;host=host? This worked for me. -Christian On Wed, 22 Jan 2003 [EMAIL PROTECTED] wrote: Date: Wed, 22 Jan 2003 17:48:28 +0100 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: (RADIATOR) DBI:mysql Hi everybody I am trying to connect the radiator to a Mysql database that resides on a different machine. How should be the syntax for DBsource? I have tried this but does't workDBsource dbi:mysql:database:hostname:port Thanks Kind Regards Marius Stefan #*** # # Dit e-mailbericht met eventuele attachments is uitsluitend bestemd voor de # geadresseerde(n) en bevat mogelijk vertrouwelijke gegevens en/of is # beschermd door intellectuele eigendomsrechten. Bent u niet de # geadresseerde, neemt u dan zo spoedig mogelijk contact op met de afzender # en verzoeken wij u het e-mailbericht en eventuele attachments van uw # computer te verwijderen. Elk gebruik van de inhoud van dit e-mailbericht # en eventuele attachments (waaronder verveelvoudiging, verspreiding of het # anderzins openbaar maken in welke vorm dan ook) door andere personen dan # de bedoelde geadresseerden is verboden. De weergegeven mening is puur # persoonlijk en hoeft niet noodzakelijk over een te komen met die van # Enertel. Enertel is niet aansprakelijk voor de inhoud van dit # e-mailbericht en eventuele attachments. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. #*** # # Dit e-mailbericht met eventuele attachments is uitsluitend bestemd voor de # geadresseerde(n) en bevat mogelijk vertrouwelijke gegevens en/of is # beschermd door intellectuele eigendomsrechten. Bent u niet de # geadresseerde, neemt u dan zo spoedig mogelijk contact op met de afzender # en verzoeken wij u het e-mailbericht en eventuele attachments van uw # computer te verwijderen. Elk gebruik van de inhoud van dit e-mailbericht # en eventuele attachments (waaronder verveelvoudiging, verspreiding of het # anderzins openbaar maken in welke vorm dan ook) door andere personen dan # de bedoelde geadresseerden is verboden. De weergegeven mening is puur # persoonlijk en hoeft niet noodzakelijk over een te komen met die van # Enertel. Enertel is niet aansprakelijk voor de inhoud van dit # e-mailbericht en eventuele attachments. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) accounting without authentication can't write data to postgres
Hello Dennis -
Thanks for sending the configuration file and the debug trace.
It looks to me like there is an error occuring with your SQL server due
to the contents of the attributes you are trying to record.
You should check the SQL server log to see what is happening.
regards
Hugh
On Wednesday, Jan 22, 2003, at 20:23 Australia/Melbourne, Dennis
Methelev wrote:
hi, all!
my radiator can't record accounting requests to postgres database.
in Authby SQL AuthSelect sets without 'select' statement (as seen
in reference) - authentication not need.
please help.
radiator 3.5 (test use)
[config fragment]
AuthBy SQL
Identifier SQLVOIPACCOUNTING
DBSourcedbi:Pg:dbname=radius
DBUsername ***
DBAuth ***
AuthSelect
AccountingTable VOIPACCOUNTING
#AccountingStopsOnly
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets,integer
AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,Cisco-NAS-Port
AcctColumnDef DNIS,Called-Station-Id
AcctColumnDef CLID,Calling-Station-Id
/AuthBy
SessionDatabase SQL
Identifier SDBVOIP
DBSourcedbi:Pg:dbname=radius
DBUsername ***
DBAuth ***
AddQuery insert into VOIPONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, \
TIME_STAMP) values ('%{User-Name}', '%N',
'%{Cisco-NAS-Port}', '%{Acct-Session-Id}',\
%{Timestamp} )
DeleteQuery delete from VOIPONLINE where USERNAME='%{User-Name}' and
NASPORT='%{Cisco-NAS-Port}'
/SessionDatabase
Handler NAS-IP-Address=(myvoipdeviceip)
AythBy SQLVOIPACCOUNTING
SessionDatabase SDBVOIP
/Handler
[log fragment]
Wed Jan 22 13:12:58 2003: DEBUG: Packet dump:
*** Received from .. port 1646
Packet length = 237
Code: Accounting-Request
Identifier: 37
Authentic:
29188025215120025141H18819135147197
Attributes:
NAS-IP-Address = ..
Cisco-NAS-Port = CAS 1/0:1:17
NAS-Port-Type = Async
User-Name = 22..
Called-Station-Id = 23..
Calling-Station-Id = 22..
Acct-Status-Type = Start
Service-Type = Login-User
Acct-Session-Id = 36/13:12:43.141 SAMT Wed Jan 22
2003/../F039911C 78DA00C5 0 4F8450F/answer/Telephony/F039911C
78DA00C5 0 4F8450F
Acct-Delay-Time = 15
Wed Jan 22 13:12:58 2003: DEBUG: Handling request with Handler
'NAS-IP-Address=..'
Wed Jan 22 13:12:58 2003: DEBUG: SDBVOIP Adding session for 22..,
.., Wed Jan 22 13:12:58 2003: DEBUG: do query is: delete from
VOIPONLINE where USERNAME='22..' and NASPORT='CAS 1/0:1:17'
Wed Jan 22 13:12:58 2003: DEBUG: do query is: insert into VOIPONLINE
(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP) values
('22..', '..', 'CAS 1/0:1:17', '36/13:12:43.141 SAMT Wed Jan
22 2003/../F039911C 78DA00C5 0
4F8450F/answer/Telephony/F039911C 78DA00C5 0 4F8450F',1043226763 )
Wed Jan 22 13:13:00 2003: DEBUG: Packet dump:
*** Received from .. port 1646
Packet length = 528
Code: Accounting-Request
Identifier: 38
Authentic: T+23114Y'21526Jw167I26175o142
Attributes:
NAS-IP-Address = ..
Cisco-NAS-Port = CAS 1/0:1:17
NAS-Port-Type = Async
User-Name = 22..
Called-Station-Id = 23..
Calling-Station-Id = 22..
Acct-Status-Type = Stop
Service-Type = Login-User
Acct-Session-Id = 36/13:12:43.141 SAMT Wed Jan 22
2003/../F039911C 78DA00C5 0 4F8450F/answer/Telephony/13:12:43.175
SAMT Wed Jan 22 2003/13:12:45.405 SAMT Wed Jan 22 2003/10//F039911C
78DA00C5 0 4F8450F
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 2
cisco-avpair = subscriber=Unknown
cisco-avpair = h323-ivr-out=Tariff:Unknown
cisco-avpair = pre-bytes-in=0
cisco-avpair = pre-bytes-out=0
cisco-avpair = pre-paks-in=0
cisco-avpair = pre-paks-out=0
cisco-avpair = nas-rx-speed=0
cisco-avpair = nas-tx-speed=0
Acct-Delay-Time = 15
Wed Jan 22 13:13:00 2003: DEBUG: Handling request with Handler
'NAS-IP-Address=..'
Wed Jan 22 13:13:00 2003: DEBUG: SDBVOIP Deleting session for
22.., .., Wed Jan 22 13:13:00 2003: DEBUG: do query is: delete
from VOIPONLINE where USERNAME='22..' and NASPORT='CAS 1/0:1:17'
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
--
Re: (RADIATOR) Cisco 2611 VPN group authentication
Hello Emilie - Thanks for sending the trace files. I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username. You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence. If you can send me a reference to the Cisco URL I will take a look. regards Hugh On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote: Thanks for the quick response. This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local. *** Received from x.x.x.x port 1645 Packet length = 75 01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af 70 8d 39 bf 20 17 0d 76 d3 71 0a Code: Access-Request Identifier: 244 Authentic: 241228Ir168231)(148207*170178x19f Attributes: NAS-IP-Address = x.x.x.x NAS-Port-Type = Async User-Name = eshoop Calling-Station-Id = y.y.y.y User-Password = jJ164144175p1419191 2313v211q10 Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x' Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x, Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE: Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT: Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop Wed Jan 22 08:57:06 2003: DEBUG: Packet dump: *** Sending to x.x.x.x port 1645 Packet length = 32 02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73 Code: Access-Accept Identifier: 244 Authentic: 241228Ir168231)(148207*170178x19f Attributes: This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius. Wed Jan 22 09:01:39 2003: DEBUG: Packet dump: *** Received from x.x.x.x port 1645 Packet length = 85 01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06 06 00 00 00 05 Code: Access-Request Identifier: 245 Authentic: K1471472532131321208(213132301315i197 Attributes: NAS-IP-Address = x.x.x.x NAS-Port-Type = Async User-Name = VPNclients Calling-Station-Id = y.y.y.y User-Password = 7135220Y$215c723114420120721207@ Service-Type = Outbound-User Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x' Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x, Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE: Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password Wed Jan 22 09:01:39 2003: DEBUG: Packet dump: *** Sending to 141.142.101.54 port 1645 Packet length = 36 03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64 Code: Access-Reject Identifier: 245 Authentic: K1471472532131321208(213132301315i197 Attributes: Reply-Message = Request Denied It appears to me that it tries to authenticate the group information (VPNclients and password) before it prompts me for my username. This fails, so I never put in my personal information. However, if I change the cisco config back to group authorization locally, I can log in successfully as a user named VPNclients. I'm not sure if this is what you were looking for or not? Thanks, Emilie At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote: Hello Emilie - If the Cisco can be configured to do group authentication with radius, then it should be possible to use Radiator to deal with the requests. If you run Radiator at trace 4 you will be able to see the incoming requests and then you can configure accordingly. The simplest way to do this sort of debugging is to run radiusd from the command line and watch the log messages: perl radiusd -foreground -log_stdout -trace 4 -config_file .. If you send me a copy of the trace 4 I will try to help. regards Hugh I was wondering if anyone had a sample Radiator config. for authenticating the group information on a Cisco 2611, and subsequently handing out DNS and WINS information? I have my Radius set up to authenticate the users, but now would like to move the group information (for the group VPNClients) to the radius as well. Here is my Radius config: # radius.cfg LogDir
Re: (RADIATOR) How does Radiator determine duplicate packets?
Hello Elias - You can adjust the DupInterval parameter in the Client clause(s). Have a look at section 6.5.4 in the Radiator 3.5 reference manual (doc/ref.html). regards Hugh On Wednesday, Jan 22, 2003, at 20:57 Australia/Melbourne, Elias wrote: Hi Hugh, How does Radiator check for duplicate packets? Is there any adjustable parameters for this? If the NAS did not receive a respond from Radiator and sends a retransmit packet, does Radiator reject this as a duplicate? TQ - Elias - - (on inetxys) email-body was scanned and no virus found email-body was scanned and no virus found - -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) accounting without authentication can't write datato postgres
Hugh Irvine wrote: Hello Dennis - Thanks for sending the configuration file and the debug trace. It looks to me like there is an error occuring with your SQL server due to the contents of the attributes you are trying to record. You should check the SQL server log to see what is happening. regards Hugh Thanx, Hugh. problem solved. config fragment following. (RTFM) Handler NAS-IP-Address=.. SessionDatabase SDBVOIP AuthBy SQL DBSourcedbi:Pg:dbname=radius DBUsername *** DBAuth *** AuthSelect AccountingTable VOIPACCOUNTING AcctColumnDef USERNAME,User-Name . /AuthBy /Handler === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) add custom attribute or Sql Column
Hi, I want to add SQL column, or custom attribute to an accounting table, If any one send me an example of this . i will be gratefull to him. thanks in advance Imran khan _ The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Re: IPASS accouting
Hi Hugh,
As always you have been a Hugh help :-)
BTW I was trying to customise the AcctSQLStatement and get the
Acct-Session-Time to be logged
in minutes rather than seconds. I have tried various ways of dividing the
Acct-Session-Time by 60 but
with no luck (e.g., %{Acct-Session-Time}/60 :-)
Finally, I just implemented the division in the cgi script I wrote to fetch
rows from the IPASS accounting
table. The cgi scripts divides the Acct-Session-Time's column's content by
60 before displaying the result
in a webpage. My problem (now) is that I would like to know if it is
possible to restrict the number of decimal
digits in a webpage to say 1,2 or 3. The output at the moment on my HTML
pages have anything between
1 and 16 decimals digits! So Please if there is any HTML guru on the list,
help out!
Alternatively, I could go back to altering that AcctSQLStatement and putting
in the code to generate results
in 2 decimals places to start with :-)
Thanks.
Radiator looks radiant!
Regards,
Tunde Itayemi.
- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Ayotunde Itayemi [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 1:36 AM
Subject: (RADIATOR) Re: IPASS accouting
Hello Tunde -
The radius accounting stop records should already contain an
Acct-Session-Time attribute containing the duration of the session.
So you just need to add the corresponding column to your database and
alter the AcctColumnDef's accordingly.
AuthBy SQL
Identifier IPASSSQLAccounting
DBSource dbi:Oracle:radius00
DBUsername radiusgold
DBAuth radiusgold
HandleAcctStatusTypes Start, Stop
AuthSelect
AccountingTable IPASSACCOUNTING
AcctColumnDef USERNAME, User-Name
AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
AcctColumnDef TIME, Timestamp, integer-date
AcctColumnDef NASIDENTIFIER, NAS-Identifier
AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
AcctColumnDef TIMESTAMP, Timestamp
AcctColumnDef SESSIONTIME, Acct-Session-Time
/AuthBy
regards
Hugh
On Tuesday, Jan 21, 2003, at 19:57 Australia/Melbourne, Ayotunde
Itayemi wrote:
Hi Hugh,
Thanks for your help.
I have a table that looks like (below) now.
USERNAME ACCTSTYPETIME
NAS-IDENTIFIERFRAMED-IP-ADDRESSTIMESTAMP
[EMAIL PROTECTED] Start
Jan
21, 2003 07:02 viruse180.247.158.69
1043136137
[EMAIL PROTECTED] Stop
Jan 21,
2003 08:51 viruse180.247.158.69
1043142670
[EMAIL PROTECTED] StartJan
16,
2003 22:58 viruse180.247.158.68
1042761506
[EMAIL PROTECTED] StopJan
16, 2003
23:12 viruse180.247.158.68
1042762372
Now, is there a way I can generate accounting records that show how
long the
particular IPASS user was logged on? I guess such a
record would have to be logged when the accounting stop packet is sent
to
radiator. So that I have a table such as:
USERNAME ACCTSTYPETIME
NAS-IDENTIFIERFRAMED-IP-ADDRESS
[EMAIL PROTECTED] Stop
30:00
viruse180.247.158.69
[EMAIL PROTECTED] Stop
15:00
viruse180.247.158.69
[EMAIL PROTECTED] Stop17:23
viruse180.247.158.68
[EMAIL PROTECTED] Stop1:12:02
viruse180.247.158.68
where the TIME column is the length of time the user spemt online. (I
don't really need the ACCTSTYPE column)
My config at the moment is as below:
AuthBy SQL
Identifier IPASSSQLAccounting
DBSource dbi:Oracle:radius00
DBUsername radiusgold
DBAuth radiusgold
HandleAcctStatusTypes Start, Stop
AuthSelect
AccountingTable IPASSACCOUNTING
AcctColumnDef USERNAME, User-Name
AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
AcctColumnDef TIME, Timestamp, integer-date
AcctColumnDef NASIDENTIFIER, NAS-Identifier
AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
AcctColumnDef TIMESTAMP, Timestamp
/AuthBy
AuthBy DYNADDRESS
Identifier myIPADDRESSauth
Allocator mySQLallocator
PoolHint %{Client:Identifier}
MapAttribute yiaddr, Framed-IP-Address
MapAttribute subnetmask, Framed-IP-Netmask
StripFromReply PoolHint
AddToReply MS-MPPE-Encryption-Policy = 1,
MS-MPPE-Encryption-Types
= 6
AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key
DefaultSimultaneousUse 1
/AuthBy
AuthBy DYNADDRESS
Identifier
Re: (RADIATOR) accounting without authentication can't write data to postgres
Hi,
You may want to check ALL (ALL!) the column names you have defined in
radiator's config file to be sure that they match what you have in your REAL
database.
Also, make sure the column format supports what you intend to put into them.
From my own experience:
I had a column called TIME in an Oracle table and defined the same column in
one of
my AuthBy SQL sections. Later I decided the proper name for the column
should be
SESSIONTIME, so I changed it in the radius config file but forgot to alter
the actual
Oracle table's definition.
I then discovered that radiator wasn't logging my accounting records - to
make matters
worse, radiator was logging accounting-start records which does not containg
a value
for the Acct-Session-Time attribute which is what I intended to put in the
SESSIONTIME
column! But no accounting-stop records were being logged - strange eh? One
would have
thought the SQL statement would fail altogether !
Regards,
Tunde Itayemi.
- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Dennis Methelev [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, January 23, 2003 11:07 AM
Subject: Re: (RADIATOR) accounting without authentication can't write data
to postgres
Hello Dennis -
Thanks for sending the configuration file and the debug trace.
It looks to me like there is an error occuring with your SQL server due
to the contents of the attributes you are trying to record.
You should check the SQL server log to see what is happening.
regards
Hugh
On Wednesday, Jan 22, 2003, at 20:23 Australia/Melbourne, Dennis
Methelev wrote:
hi, all!
my radiator can't record accounting requests to postgres database.
in Authby SQL AuthSelect sets without 'select' statement (as seen
in reference) - authentication not need.
please help.
radiator 3.5 (test use)
[config fragment]
AuthBy SQL
Identifier SQLVOIPACCOUNTING
DBSourcedbi:Pg:dbname=radius
DBUsername ***
DBAuth ***
AuthSelect
AccountingTable VOIPACCOUNTING
#AccountingStopsOnly
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets,integer
AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,Cisco-NAS-Port
AcctColumnDef DNIS,Called-Station-Id
AcctColumnDef CLID,Calling-Station-Id
/AuthBy
SessionDatabase SQL
Identifier SDBVOIP
DBSourcedbi:Pg:dbname=radius
DBUsername ***
DBAuth ***
AddQuery insert into VOIPONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, \
TIME_STAMP) values ('%{User-Name}', '%N',
'%{Cisco-NAS-Port}', '%{Acct-Session-Id}',\
%{Timestamp} )
DeleteQuery delete from VOIPONLINE where USERNAME='%{User-Name}' and
NASPORT='%{Cisco-NAS-Port}'
/SessionDatabase
Handler NAS-IP-Address=(myvoipdeviceip)
AythBy SQLVOIPACCOUNTING
SessionDatabase SDBVOIP
/Handler
[log fragment]
Wed Jan 22 13:12:58 2003: DEBUG: Packet dump:
*** Received from .. port 1646
Packet length = 237
Code: Accounting-Request
Identifier: 37
Authentic:
29188025215120025141H18819135147197
Attributes:
NAS-IP-Address = ..
Cisco-NAS-Port = CAS 1/0:1:17
NAS-Port-Type = Async
User-Name = 22..
Called-Station-Id = 23..
Calling-Station-Id = 22..
Acct-Status-Type = Start
Service-Type = Login-User
Acct-Session-Id = 36/13:12:43.141 SAMT Wed Jan 22
2003/../F039911C 78DA00C5 0 4F8450F/answer/Telephony/F039911C
78DA00C5 0 4F8450F
Acct-Delay-Time = 15
Wed Jan 22 13:12:58 2003: DEBUG: Handling request with Handler
'NAS-IP-Address=..'
Wed Jan 22 13:12:58 2003: DEBUG: SDBVOIP Adding session for 22..,
.., Wed Jan 22 13:12:58 2003: DEBUG: do query is: delete from
VOIPONLINE where USERNAME='22..' and NASPORT='CAS 1/0:1:17'
Wed Jan 22 13:12:58 2003: DEBUG: do query is: insert into VOIPONLINE
(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP) values
('22..', '..', 'CAS 1/0:1:17', '36/13:12:43.141 SAMT Wed Jan
22 2003/../F039911C 78DA00C5 0
4F8450F/answer/Telephony/F039911C 78DA00C5 0 4F8450F',1043226763 )
Wed Jan 22 13:13:00 2003: DEBUG: Packet dump:
*** Received from .. port 1646
Packet length = 528
Code: Accounting-Request
(RADIATOR) Adding an attribute Post Handler
How would one go about adding an attribute in the Handler section. Say this for example: Handler Called-Station-Id=123456$ RewriteUsername s/^([^@]+).*/$1/ AddAttribute Customer-Identity=Widget Co AuthBy Widget /Handler This way when I use the Realm DEFAULT that writes all accounting records to a database it would include a column Customer-Identity which is easier to produce reports on. This is possible? I know the AddAttribute only works pre-handlers. Cliff === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Billing Downloads
-- Forwarded Message -- Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [José Costa Preto [EMAIL PROTECTED]] Date: Thu, 23 Jan 2003 00:57:08 -0600 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] From [EMAIL PROTECTED] Thu Jan 23 00:57:08 2003 Received: from mail.edinet.pt (milou.edinet.pt [195.245.128.7] (may be forged)) by server1.open.com.au (8.11.0/8.11.0) with ESMTP id h0N6v7x19636 for [EMAIL PROTECTED]; Thu, 23 Jan 2003 00:57:07 -0600 Received: from excmat01.oni.pt ([195.245.189.137]) by mail.edinet.pt with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 23 Jan 2003 11:39:23 + Received: from excrep01.oni.pt ([172.26.252.30]) by excmat01.oni.pt with Microsoft SMTPSVC(5.0.2195.5329); Thu, 23 Jan 2003 11:56:06 + content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C2C2D6.68F0B3F2 Subject: Billing Downloads X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Thu, 23 Jan 2003 11:56:05 - Message-ID: [EMAIL PROTECTED] X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Billing Downloads Thread-Index: AcLC1mjLhhYmHPpZStS7kish4P9trg== From: =?iso-8859-1?Q?Jos=E9_Costa_Preto?= [EMAIL PROTECTED] To: [EMAIL PROTECTED] X-OriginalArrivalTime: 23 Jan 2003 11:56:06.0821 (UTC) FILETIME=[697A5550:01C2C2D6] This is a multi-part message in MIME format. --_=_NextPart_001_01C2C2D6.68F0B3F2 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Hi, I would like to obtain a confirmation on fields Acct-Input-Octets and = Acct-Input-Octets. Which one shall be billed to our customers as = downloads. Many thanks Jos=E9Preto ONI.SI / MIB =20 --_=_NextPart_001_01C2C2D6.68F0B3F2 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2//EN HTML HEAD META HTTP-EQUIV=3DContent-Type CONTENT=3Dtext/html; = charset=3Diso-8859-1 META NAME=3DGenerator CONTENT=3DMS Exchange Server version = 6.0.6249.1 TITLEBilling Downloads/TITLE /HEAD BODY !-- Converted from text/rtf format -- P ALIGN=3DLEFTSPAN LANG=3DptFONT SIZE=3D2 = FACE=3DArialHi,/FONT/SPAN/P P ALIGN=3DLEFTSPAN LANG=3Den-usFONT SIZE=3D2 FACE=3DArialI = would like to obtain a confirmation/FONT/SPANSPAN = LANG=3Dpt/SPANSPAN LANG=3Dpt/SPANSPAN LANG=3Den-us FONT = SIZE=3D2 FACE=3DArialon fields Acct-Input-Octets and = Acct-Input-Octets./FONT/SPANSPAN LANG=3Dpt/SPANSPAN = LANG=3Dpt/SPANSPAN LANG=3Den-us FONT SIZE=3D2 = FACE=3DArialWhich one shall be billed to our customers as = downloads./FONT/SPAN/P P ALIGN=3DLEFTSPAN LANG=3Den-usFONT SIZE=3D2 FACE=3DArialMany = thanks/FONT/SPANSPAN LANG=3Dpt/SPANSPAN = LANG=3Dpt/SPANSPAN LANG=3Den-us/SPAN/P P ALIGN=3DLEFTBSPAN LANG=3Den-us/SPAN/BA NAME=3DBSPAN = LANG=3Den-usFONT SIZE=3D2 = FACE=3DArialJos=E9/FONT/SPAN/B/ASPAN = LANG=3Dpt/SPANSPAN LANG=3Dpt/SPANSPAN LANG=3Den-usFONT = SIZE=3D2 FACE=3DArialPreto/FONT/SPAN/P P ALIGN=3DLEFTBSPAN LANG=3Den-usFONT SIZE=3D2 = FACE=3DArialONI/FONT/SPAN/BSPAN LANG=3Dpt/SPANSPAN = LANG=3Dpt/SPANSPAN LANG=3Den-usFONT SIZE=3D2 = FACE=3DArial./FONT/SPANSPAN LANG=3Dpt/SPANSPAN = LANG=3Dpt/SPANSPAN LANG=3Den-usFONT SIZE=3D2 FACE=3DArialSI = //FONT/SPANSPAN LANG=3DptB/B/SPANSPAN = LANG=3DptB/B/SPANBSPAN LANG=3Den-us FONT SIZE=3D2 = FACE=3DArialM/FONT/SPAN/BSPAN LANG=3Dpt/SPANSPAN = LANG=3Dpt/SPANSPAN LANG=3Den-usFONT SIZE=3D2 = FACE=3DArialIB/FONT/SPAN/P P ALIGN=3DLEFTSPAN LANG=3Den-usFONT = FACE=3DArial=A0/FONT/SPANSPAN LANG=3Dpt/SPANSPAN = LANG=3Den-us/SPAN/P P ALIGN=3DLEFTSPAN LANG=3Dpt/SPAN/P /BODY /HTML --_=_NextPart_001_01C2C2D6.68F0B3F2-- --- -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Cisco 2611 VPN group authentication
-- Forwarded Message -- Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Emilie Shoop [EMAIL PROTECTED]] Date: Thu, 23 Jan 2003 04:17:30 -0600 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] From [EMAIL PROTECTED] Thu Jan 23 04:17:19 2003 Received: from mail.ncsa.uiuc.edu (mail.ncsa.uiuc.edu [141.142.2.28]) by server1.open.com.au (8.11.0/8.11.0) with ESMTP id h0NAHJx20486; Thu, 23 Jan 2003 04:17:19 -0600 X-Envelope-From: [EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] Received: from D7YKZ021.ncsa.uiuc.edu (cab-wireless-127.ncsa.uiuc.edu [141.142.102.127]) by mail.ncsa.uiuc.edu (8.11.6/8.11.6) with ESMTP id h0NFGRk25289; Thu, 23 Jan 2003 09:16:27 -0600 Message-Id: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Thu, 23 Jan 2003 09:15:50 -0600 To: Hugh Irvine [EMAIL PROTECTED] From: Emilie Shoop [EMAIL PROTECTED] Subject: Re: (RADIATOR) Cisco 2611 VPN group authentication Cc: [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] References: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Hugh, You are correct about the authentication of the group first, and then the username. Here is the url where Cisco explains how to do it on a Cisco Radius server. http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_exampl e09186a00800949ba.shtml Does that help? Thanks, Emilie At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote: Hello Emilie - Thanks for sending the trace files. I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username. You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence. If you can send me a reference to the Cisco URL I will take a look. regards Hugh On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote: Thanks for the quick response. This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local. *** Received from x.x.x.x port 1645 Packet length = 75 01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af 70 8d 39 bf 20 17 0d 76 d3 71 0a Code: Access-Request Identifier: 244 Authentic: 241228Ir168231)(148207*170178x19f Attributes: NAS-IP-Address = x.x.x.x NAS-Port-Type = Async User-Name = eshoop Calling-Station-Id = y.y.y.y User-Password = jJ164144175p1419191 2313v211q10 Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x' Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x, Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE: Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT: Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop Wed Jan 22 08:57:06 2003: DEBUG: Packet dump: *** Sending to x.x.x.x port 1645 Packet length = 32 02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73 Code: Access-Accept Identifier: 244 Authentic: 241228Ir168231)(148207*170178x19f Attributes: This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius. Wed Jan 22 09:01:39 2003: DEBUG: Packet dump: *** Received from x.x.x.x port 1645 Packet length = 85 01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06 06 00 00 00 05 Code: Access-Request Identifier: 245 Authentic: K1471472532131321208(213132301315i197 Attributes: NAS-IP-Address = x.x.x.x NAS-Port-Type = Async User-Name = VPNclients Calling-Station-Id = y.y.y.y User-Password = 7135220Y$215c723114420120721207@ Service-Type = Outbound-User Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x' Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x, Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE: Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password Wed Jan 22 09:01:39 2003: DEBUG: Packet dump: *** Sending to 141.142.101.54 port 1645 Packet length = 36 03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64
(RADIATOR) Accounting Question
Question I have is this I am wanting to know if there is a hook or something that could be made to ignore account from a certain NAS-IP With a supplier I have accounting records coming from the NAS and a Proxy, I would just like to keep the accounting records from the Proxy.. So if IP address does not equal XXX.XXX.XXX.XXX I would like it to ignore accounting records only Can this be done - Chris Kay (Systems Development) Techex Communications Website: www.techex.com.au Email: [EMAIL PROTECTED] Telephone: 1300 88 111 2 - Fax: 1300 882 221 - === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) add custom attribute or Sql Column
Hello Imran - Could you please send me the name of the registered company that has purchased this copy of Radiator? regards Hugh On Friday, Jan 24, 2003, at 01:28 Australia/Melbourne, Imran Khan wrote: Hi, I want to add SQL column, or custom attribute to an accounting table, If any one send me an example of this . i will be gratefull to him. thanks in advance Imran khan _ The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Accounting Question
Hello Chris - The simplest way to do this is with Handlers: Handler NAS-IP-Address = XXX.XXX.XXX.XXX . /Handler Handler . . /Handler Note that you should not mix Realms and Handlers in the same configuration file. regards Hugh On Friday, Jan 24, 2003, at 13:12 Australia/Melbourne, Chris Kay wrote: Question I have is this I am wanting to know if there is a hook or something that could be made to ignore account from a certain NAS-IP With a supplier I have accounting records coming from the NAS and a Proxy, I would just like to keep the accounting records from the Proxy.. So if IP address does not equal XXX.XXX.XXX.XXX I would like it to ignore accounting records only Can this be done - Chris Kay (Systems Development) Techex Communications Website: www.techex.com.au Email: [EMAIL PROTECTED] Telephone: 1300 88 111 2 - Fax: 1300 882 221 - === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Adding an attribute Post Handler
Hello Cliff - Could you please send me the name of the registered company that has purchased this copy of Radiator? regards Hugh On Friday, Jan 24, 2003, at 06:06 Australia/Melbourne, Cliff Daniel wrote: How would one go about adding an attribute in the Handler section. Say this for example: Handler Called-Station-Id=123456$ RewriteUsername s/^([^@]+).*/$1/ AddAttribute Customer-Identity=Widget Co AuthBy Widget /Handler This way when I use the Realm DEFAULT that writes all accounting records to a database it would include a column Customer-Identity which is easier to produce reports on. This is possible? I know the AddAttribute only works pre-handlers. Cliff === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Billing Downloads
Hello Jose - I don't understand your question, sorry. Could you explain the problem in more detail please? BTW - could you please send me the name of the registered company that has purchased this copy of Radiator? regards Hugh Hi, I would like to obtain a confirmation on fields Acct-Input-Octets and = Acct-Input-Octets. Which one shall be billed to our customers as = downloads. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Radius and Wireless APs
Hi, Thanks hugh for info. I am trying to configure Cisco AP with Radiator. Radius server has started with default eap_multi.cfg file and in cisco AP the IP address of Radius Server, EAP Authentication and Network-EAP has been enabled. 1. Cisco AP is not able to connect Radius, i don't where i am doing wrong. I used tcpdump and enabled Cisco Debug, i didn't see any request going to Radius Server. 2. if any one has configured Radiator with AP, plz send the configuration file 3. I have configured Cicso AP with NoCat software, After client connects to AP, it popup with Login Page and allots the IP address using DHCP, Now how should i get Radiator server to popup tht page, and how should allot the Static IP address if needed. Thanks Rgds Jai - Original Message - From: Hugh Irvine [EMAIL PROTECTED] To: jai [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, January 17, 2003 4:04 AM Subject: Re: (RADIATOR) Radius and Wireless APs Hello Jai - A Wireless AP looks to Radiator the same as any other NAS, therefore you will need to configure a Client ... clause for each one. You may also need to configure additional Handlers or Realms, depending on what else you are doing in your configuration file. When a user moves from one access point to another, there will be a new authentication, just like if the user had hung up a modem call and dialled again. You should configure the AP's for radius authentication and then watch a trace 4 debug from Radiator to see what is contained in the authentication and acounting requests, then configure Radiator accordingly. You should probably read the AP vendors' documentation first of all to see what radius support is implemented in the AP software. There has also been quite a lot of discussion on this topic on the mailing list, so you should check teh archive site too. www.open.com.au/archives/radiator regards Hugh On Thursday, Jan 16, 2003, at 22:56 Australia/Melbourne, jai wrote: Hi, I have two APs one from cisco and other one D-link, APs Configuration has Radius Server Authentication option, As i am new to Wireless, i am having following questions 1. How can use Radiator or radius server to authenticate like the normal Dialup ?? 2. If the User moves from one Access Point i.e from cisco to another one i.e D-Link ..is it needed to authenticate again. if not what are the changes need in radiator server or wireless. I think these questions might be irrelevant in this mailing list !!... but could someone guide me links which might help Thanks. Rgds Jai -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Cisco 2611 VPN group authentication
Hello Emily - Thanks for sending the URL. As far as I can see, you will need to use the Cisco VPN client to make the connection which will first ask you for the group and the group password, then the username and the username password. You should configure both the name of the group with its password and corresponding reply attributes, and the username and password with its reply attributes. If you have any other questions, don't hesitate to ask. regards Hugh On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop wrote: Hugh, You are correct about the authentication of the group first, and then the username. Here is the url where Cisco explains how to do it on a Cisco Radius server. http://www.cisco.com/en/US/tech/tk648/tk367/ technologies_configuration_example09186a00800949ba.shtml Does that help? Thanks, Emilie At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote: Hello Emilie - Thanks for sending the trace files. I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username. You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence. If you can send me a reference to the Cisco URL I will take a look. regards Hugh On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote: Thanks for the quick response. This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local. *** Received from x.x.x.x port 1645 Packet length = 75 01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af 70 8d 39 bf 20 17 0d 76 d3 71 0a Code: Access-Request Identifier: 244 Authentic: 241228Ir168231)(148207*170178x19f Attributes: NAS-IP-Address = x.x.x.x NAS-Port-Type = Async User-Name = eshoop Calling-Station-Id = y.y.y.y User-Password = jJ164144175p1419191 2313v211q10 Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x' Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x, Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE: Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT: Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop Wed Jan 22 08:57:06 2003: DEBUG: Packet dump: *** Sending to x.x.x.x port 1645 Packet length = 32 02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73 Code: Access-Accept Identifier: 244 Authentic: 241228Ir168231)(148207*170178x19f Attributes: This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius. Wed Jan 22 09:01:39 2003: DEBUG: Packet dump: *** Received from x.x.x.x port 1645 Packet length = 85 01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06 06 00 00 00 05 Code: Access-Request Identifier: 245 Authentic: K1471472532131321208(213132301315i197 Attributes: NAS-IP-Address = x.x.x.x NAS-Port-Type = Async User-Name = VPNclients Calling-Station-Id = y.y.y.y User-Password = 7135220Y$215c723114420120721207@ Service-Type = Outbound-User Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x' Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x, Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE: Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password Wed Jan 22 09:01:39 2003: DEBUG: Packet dump: *** Sending to 141.142.101.54 port 1645 Packet length = 36 03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64 Code: Access-Reject Identifier: 245 Authentic: K1471472532131321208(213132301315i197 Attributes: Reply-Message = Request Denied It appears to me that it tries to authenticate the group information (VPNclients and password) before it prompts me for my username. This fails, so I never put in my personal information. However, if I change the cisco config back to group authorization locally, I can log in successfully as a user named VPNclients. I'm not sure if this is what you were looking for or not? Thanks, Emilie At 11:30 AM 1/22/2003 +1100, Hugh Irvine
