RE: (RADIATOR) DBI:mysql
Yes, I have tried, but looking in the trace it seems that doesn't work. It's a connection problem. I am using a default Linux Red Hat 8 installation on two machines, one with Radiator and one with the MySQL database (default installation from Linux Red Hat). Using the MySQL Control Center on the Radiator machine I can remotely connect to the MySQL machine with no problem using the same account. I am using the test account from the MySQL database that doesn't have a password. Is that an issue for Radiator?

Thanks in advance

-----Original Message-----
From: Christian Wiedmann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 6:40 PM
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) DBI:mysql

Have you tried: dbi:mysql:database=db;host=host? This worked for me.

-Christian

On Wed, 22 Jan 2003 [EMAIL PROTECTED] wrote:

Date: Wed, 22 Jan 2003 17:48:28 +0100
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: (RADIATOR) DBI:mysql

Hi everybody

I am trying to connect the radiator to a Mysql database that resides on a different machine. How should be the syntax for DBsource? I have tried this but it doesn't work:

DBsource dbi:mysql:database:hostname:port

Thanks
Kind Regards
Marius Stefan

#***
# This e-mail message and any attachments are intended solely for the
# addressee(s) and may contain confidential information and/or be
# protected by intellectual property rights. If you are not the
# addressee, please contact the sender as soon as possible and delete the
# e-mail message and any attachments from your computer. Any use of the
# contents of this e-mail message and any attachments (including
# reproduction, distribution or otherwise making public in any form) by
# persons other than the intended addressees is prohibited. The opinion
# expressed is purely personal and does not necessarily correspond to that
# of Enertel. Enertel is not liable for the contents of this e-mail
# message and any attachments.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) accounting without authentication can't write data to postgres
Hello Dennis -

Thanks for sending the configuration file and the debug trace. It looks to me like there is an error occurring with your SQL server due to the contents of the attributes you are trying to record. You should check the SQL server log to see what is happening.

regards

Hugh

On Wednesday, Jan 22, 2003, at 20:23 Australia/Melbourne, Dennis Methelev wrote:

hi, all!

my radiator can't record accounting requests to postgres database. in Authby SQL AuthSelect sets without 'select' statement (as seen in reference) - authentication not need. please help.

radiator 3.5 (test use)

[config fragment]

    <AuthBy SQL>
        Identifier SQLVOIPACCOUNTING
        DBSource dbi:Pg:dbname=radius
        DBUsername ***
        DBAuth ***
        AuthSelect
        AccountingTable VOIPACCOUNTING
        #AccountingStopsOnly
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets,integer
        AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef NASIDENTIFIER,NAS-IP-Address
        AcctColumnDef NASPORT,Cisco-NAS-Port
        AcctColumnDef DNIS,Called-Station-Id
        AcctColumnDef CLID,Calling-Station-Id
    </AuthBy>

    <SessionDatabase SQL>
        Identifier SDBVOIP
        DBSource dbi:Pg:dbname=radius
        DBUsername ***
        DBAuth ***
        AddQuery insert into VOIPONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
            ACCTSESSIONID, \
            TIME_STAMP) values ('%{User-Name}', '%N', '%{Cisco-NAS-Port}', '%{Acct-Session-Id}',\
            %{Timestamp} )
        DeleteQuery delete from VOIPONLINE where USERNAME='%{User-Name}' and NASPORT='%{Cisco-NAS-Port}'
    </SessionDatabase>

    <Handler NAS-IP-Address=(myvoipdeviceip)>
        AythBy SQLVOIPACCOUNTING
        SessionDatabase SDBVOIP
    </Handler>

[log fragment]

    Wed Jan 22 13:12:58 2003: DEBUG: Packet dump:
    *** Received from .. port 1646
    Packet length = 237
    Code: Accounting-Request
    Identifier: 37
    Authentic: 29188025215120025141H18819135147197
    Attributes:
        NAS-IP-Address = ..
        Cisco-NAS-Port = CAS 1/0:1:17
        NAS-Port-Type = Async
        User-Name = 22..
        Called-Station-Id = 23..
        Calling-Station-Id = 22..
        Acct-Status-Type = Start
        Service-Type = Login-User
        Acct-Session-Id = 36/13:12:43.141 SAMT Wed Jan 22 2003/../F039911C 78DA00C5 0 4F8450F/answer/Telephony/F039911C 78DA00C5 0 4F8450F
        Acct-Delay-Time = 15

    Wed Jan 22 13:12:58 2003: DEBUG: Handling request with Handler 'NAS-IP-Address=..'
    Wed Jan 22 13:12:58 2003: DEBUG: SDBVOIP Adding session for 22.., ..,
    Wed Jan 22 13:12:58 2003: DEBUG: do query is: delete from VOIPONLINE where USERNAME='22..' and NASPORT='CAS 1/0:1:17'
    Wed Jan 22 13:12:58 2003: DEBUG: do query is: insert into VOIPONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP) values ('22..', '..', 'CAS 1/0:1:17', '36/13:12:43.141 SAMT Wed Jan 22 2003/../F039911C 78DA00C5 0 4F8450F/answer/Telephony/F039911C 78DA00C5 0 4F8450F',1043226763 )

    Wed Jan 22 13:13:00 2003: DEBUG: Packet dump:
    *** Received from .. port 1646
    Packet length = 528
    Code: Accounting-Request
    Identifier: 38
    Authentic: T+23114Y'21526Jw167I26175o142
    Attributes:
        NAS-IP-Address = ..
        Cisco-NAS-Port = CAS 1/0:1:17
        NAS-Port-Type = Async
        User-Name = 22..
        Called-Station-Id = 23..
        Calling-Station-Id = 22..
        Acct-Status-Type = Stop
        Service-Type = Login-User
        Acct-Session-Id = 36/13:12:43.141 SAMT Wed Jan 22 2003/../F039911C 78DA00C5 0 4F8450F/answer/Telephony/13:12:43.175 SAMT Wed Jan 22 2003/13:12:45.405 SAMT Wed Jan 22 2003/10//F039911C 78DA00C5 0 4F8450F
        Acct-Input-Octets = 0
        Acct-Output-Octets = 0
        Acct-Input-Packets = 0
        Acct-Output-Packets = 0
        Acct-Session-Time = 2
        cisco-avpair = subscriber=Unknown
        cisco-avpair = h323-ivr-out=Tariff:Unknown
        cisco-avpair = pre-bytes-in=0
        cisco-avpair = pre-bytes-out=0
        cisco-avpair = pre-paks-in=0
        cisco-avpair = pre-paks-out=0
        cisco-avpair = nas-rx-speed=0
        cisco-avpair = nas-tx-speed=0
        Acct-Delay-Time = 15

    Wed Jan 22 13:13:00 2003: DEBUG: Handling request with Handler 'NAS-IP-Address=..'
    Wed Jan 22 13:13:00 2003: DEBUG: SDBVOIP Deleting session for 22.., ..,
    Wed Jan 22 13:13:00 2003: DEBUG: do query is: delete from VOIPONLINE where USERNAME='22..' and NASPORT='CAS 1/0:1:17'
Re: (RADIATOR) Cisco 2611 VPN group authentication
Hello Emilie -

Thanks for sending the trace files. I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username. You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence. If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh

On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote:

Thanks for the quick response.

This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local.

    *** Received from x.x.x.x port 1645
    Packet length = 75
    01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
    b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
    01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
    32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
    70 8d 39 bf 20 17 0d 76 d3 71 0a
    Code: Access-Request
    Identifier: 244
    Authentic: 241228Ir168231)(148207*170178x19f
    Attributes:
        NAS-IP-Address = x.x.x.x
        NAS-Port-Type = Async
        User-Name = eshoop
        Calling-Station-Id = y.y.y.y
        User-Password = jJ164144175p1419191 2313v211q10

    Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x'
    Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
    Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
    Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop
    Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
    Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
    Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
    *** Sending to x.x.x.x port 1645
    Packet length = 32
    02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
    78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
    Code: Access-Accept
    Identifier: 244
    Authentic: 241228Ir168231)(148207*170178x19f
    Attributes:

This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius.

    Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
    *** Received from x.x.x.x port 1645
    Packet length = 85
    01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
    83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
    01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
    31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
    87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
    06 00 00 00 05
    Code: Access-Request
    Identifier: 245
    Authentic: K1471472532131321208(213132301315i197
    Attributes:
        NAS-IP-Address = x.x.x.x
        NAS-Port-Type = Async
        User-Name = VPNclients
        Calling-Station-Id = y.y.y.y
        User-Password = 7135220Y$215c723114420120721207@
        Service-Type = Outbound-User

    Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x'
    Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
    Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
    Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
    Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
    Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password
    Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
    *** Sending to 141.142.101.54 port 1645
    Packet length = 36
    03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
    fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
    6e 69 65 64
    Code: Access-Reject
    Identifier: 245
    Authentic: K1471472532131321208(213132301315i197
    Attributes:
        Reply-Message = Request Denied

It appears to me that it tries to authenticate the group information (VPNclients and password) before it prompts me for my username. This fails, so I never put in my personal information. However, if I change the cisco config back to group authorization locally, I can log in successfully as a user named VPNclients.

I'm not sure if this is what you were looking for or not?

Thanks,
Emilie

At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

If the Cisco can be configured to do group authentication with radius, then it should be possible to use Radiator to deal with the requests. If you run Radiator at trace 4 you will be able to see the incoming requests and then you can configure accordingly.

The simplest way to do this sort of debugging is to run radiusd from the command line and watch the log messages:

    perl radiusd -foreground -log_stdout -trace 4 -config_file ..

If you send me a copy of the trace 4 I will try to help.

regards

Hugh

I was wondering if anyone had a sample Radiator config. for authenticating the group information on a Cisco 2611, and subsequently handing out DNS and WINS information? I have my Radius set up to authenticate the users, but now would like to move the group information (for the group VPNClients) to the radius as well.

Here is my Radius config:

    # radius.cfg
    LogDir
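In the trace 4 output above, the decoded attribute list shows addresses as x.x.x.x and y.y.y.y while the hex packet dump beside it is posted as captured, and the dump carries the same attributes in the RFC 2865 wire layout. The following is an added example, not part of the original posts and not Radiator code: it parses such a hex dump and lists identifying attribute values that the accompanying decoded text no longer shows, as a check to run before sharing a trace. The sample packet, the sample text, and the names `parse_radius` and `unredacted_fields` are constructed for illustration.

```python
import ipaddress
import struct

# RFC 2865 packet codes and the attribute types that appear in the traces above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         6: "Service-Type", 18: "Reply-Message", 31: "Calling-Station-Id",
         61: "NAS-Port-Type"}
ADDRESS_TYPES = {4}
INTEGER_TYPES = {6, 61}
# Attributes whose values identify a user, device or network.
IDENTIFYING = {"User-Name", "NAS-IP-Address", "Calling-Station-Id"}

# Constructed sample: an Access-Request laid out like the dumps in the thread,
# using documentation addresses (192.0.2.10, 198.51.100.7) and user "alice".
SAMPLE_HEX = (
    "01 07 00 47 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff "
    "04 06 c0 00 02 0a 3d 06 00 00 00 00 01 07 61 6c 69 63 65 "
    "1f 0e 31 39 38 2e 35 31 2e 31 30 30 2e 37 "
    "02 12 a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90"
)
# Constructed sample: the decoded attribute list after hand redaction.
SAMPLE_TEXT = """Attributes:
    NAS-IP-Address = x.x.x.x
    NAS-Port-Type = Async
    User-Name = alice
    Calling-Station-Id = y.y.y.y
"""


def decode_value(attr_type, raw):
    """Turn an attribute's value octets into a printable Python value."""
    if attr_type in ADDRESS_TYPES and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if attr_type in INTEGER_TYPES and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if attr_type == 2:
        # User-Password is hidden with the shared secret; report its size only.
        return "<%d hidden octets>" % len(raw)
    return raw.decode("latin-1")


def parse_radius(hexdump):
    """Parse a space-separated hex dump of one RADIUS packet.

    Raises ValueError on non-hex input, a bad Length field or a malformed
    attribute, so a truncated paste is reported instead of half-parsed.
    """
    data = bytes.fromhex(hexdump)
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096:
        raise ValueError("Length field %d outside 20..4096" % length)
    if length > len(data):
        raise ValueError("dump has %d octets, Length says %d" % (len(data), length))
    attributes = []
    pos = 20
    while pos < length:  # octets past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("attribute header cut off at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        raw = data[pos + 2:pos + attr_len]
        name = ATTRS.get(attr_type, "Attr-%d" % attr_type)
        attributes.append((name, decode_value(attr_type, raw)))
        pos += attr_len
    return {"code": CODES.get(code, "Code-%d" % code), "identifier": ident,
            "length": length, "authenticator": data[4:20].hex(),
            "attributes": attributes}


def unredacted_fields(hexdump, decoded_text):
    """Identifying values readable from the hex dump but absent from the text."""
    gaps = []
    for name, value in parse_radius(hexdump)["attributes"]:
        if name in IDENTIFYING and str(value) not in decoded_text:
            gaps.append((name, value))
    return gaps


if __name__ == "__main__":
    for name, value in unredacted_fields(SAMPLE_HEX, SAMPLE_TEXT):
        print("hex dump still reveals %s = %s" % (name, value))
```

An empty result from `unredacted_fields` only means the listed attribute types match the text; the hex dump still contains the request authenticator and the hidden User-Password octets.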
Re: (RADIATOR) How does Radiator determine duplicate packets?
Hello Elias -

You can adjust the DupInterval parameter in the Client clause(s). Have a look at section 6.5.4 in the Radiator 3.5 reference manual (doc/ref.html).

regards

Hugh

On Wednesday, Jan 22, 2003, at 20:57 Australia/Melbourne, Elias wrote:

Hi Hugh,

How does Radiator check for duplicate packets? Is there any adjustable parameters for this? If the NAS did not receive a response from Radiator and sends a retransmit packet, does Radiator reject this as a duplicate?

TQ
- Elias -

(on inetxys) email-body was scanned and no virus found

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) accounting without authentication can't write data to postgres
Hugh Irvine wrote:

Hello Dennis -

Thanks for sending the configuration file and the debug trace. It looks to me like there is an error occurring with your SQL server due to the contents of the attributes you are trying to record. You should check the SQL server log to see what is happening.

regards

Hugh

Thanx, Hugh. problem solved. config fragment following. (RTFM)

    <Handler NAS-IP-Address=..>
        SessionDatabase SDBVOIP
        <AuthBy SQL>
            DBSource dbi:Pg:dbname=radius
            DBUsername ***
            DBAuth ***
            AuthSelect
            AccountingTable VOIPACCOUNTING
            AcctColumnDef USERNAME,User-Name
            .
        </AuthBy>
    </Handler>
(RADIATOR) add custom attribute or Sql Column
Hi,

I want to add an SQL column or custom attribute to an accounting table. If anyone can send me an example of this, I will be grateful to him.

thanks in advance

Imran khan
Re: (RADIATOR) Re: IPASS accouting
Hi Hugh,

As always you have been a Hugh help :-)

BTW I was trying to customise the AcctSQLStatement and get the Acct-Session-Time to be logged in minutes rather than seconds. I have tried various ways of dividing the Acct-Session-Time by 60 but with no luck (e.g., %{Acct-Session-Time}/60 :-)

Finally, I just implemented the division in the cgi script I wrote to fetch rows from the IPASS accounting table. The cgi script divides the Acct-Session-Time column's content by 60 before displaying the result in a webpage. My problem (now) is that I would like to know if it is possible to restrict the number of decimal digits in a webpage to say 1, 2 or 3. The output at the moment on my HTML pages has anything between 1 and 16 decimal digits! So please, if there is any HTML guru on the list, help out!

Alternatively, I could go back to altering that AcctSQLStatement and putting in the code to generate results in 2 decimal places to start with :-)

Thanks. Radiator looks radiant!

Regards,
Tunde Itayemi.

----- Original Message -----
From: Hugh Irvine [EMAIL PROTECTED]
To: Ayotunde Itayemi [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 1:36 AM
Subject: (RADIATOR) Re: IPASS accouting

Hello Tunde -

The radius accounting stop records should already contain an Acct-Session-Time attribute containing the duration of the session. So you just need to add the corresponding column to your database and alter the AcctColumnDef's accordingly.

    <AuthBy SQL>
        Identifier IPASSSQLAccounting
        DBSource dbi:Oracle:radius00
        DBUsername radiusgold
        DBAuth radiusgold
        HandleAcctStatusTypes Start, Stop
        AuthSelect
        AccountingTable IPASSACCOUNTING
        AcctColumnDef USERNAME, User-Name
        AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
        AcctColumnDef TIME, Timestamp, integer-date
        AcctColumnDef NASIDENTIFIER, NAS-Identifier
        AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
        AcctColumnDef TIMESTAMP, Timestamp
        AcctColumnDef SESSIONTIME, Acct-Session-Time
    </AuthBy>

regards

Hugh

On Tuesday, Jan 21, 2003, at 19:57 Australia/Melbourne, Ayotunde Itayemi wrote:

Hi Hugh,

Thanks for your help. I have a table that looks like (below) now.

    USERNAME  ACCTSTYPE  TIME  NAS-IDENTIFIER  FRAMED-IP-ADDRESS  TIMESTAMP
    [EMAIL PROTECTED]  Start  Jan 21, 2003 07:02  viruse180.247.158.69  1043136137
    [EMAIL PROTECTED]  Stop   Jan 21, 2003 08:51  viruse180.247.158.69  1043142670
    [EMAIL PROTECTED]  Start  Jan 16, 2003 22:58  viruse180.247.158.68  1042761506
    [EMAIL PROTECTED]  Stop   Jan 16, 2003 23:12  viruse180.247.158.68  1042762372

Now, is there a way I can generate accounting records that show how long the particular IPASS user was logged on? I guess such a record would have to be logged when the accounting stop packet is sent to radiator. So that I have a table such as:

    USERNAME  ACCTSTYPE  TIME  NAS-IDENTIFIER  FRAMED-IP-ADDRESS
    [EMAIL PROTECTED]  Stop  30:00    viruse180.247.158.69
    [EMAIL PROTECTED]  Stop  15:00    viruse180.247.158.69
    [EMAIL PROTECTED]  Stop  17:23    viruse180.247.158.68
    [EMAIL PROTECTED]  Stop  1:12:02  viruse180.247.158.68

where the TIME column is the length of time the user spent online. (I don't really need the ACCTSTYPE column)

My config at the moment is as below:

    <AuthBy SQL>
        Identifier IPASSSQLAccounting
        DBSource dbi:Oracle:radius00
        DBUsername radiusgold
        DBAuth radiusgold
        HandleAcctStatusTypes Start, Stop
        AuthSelect
        AccountingTable IPASSACCOUNTING
        AcctColumnDef USERNAME, User-Name
        AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
        AcctColumnDef TIME, Timestamp, integer-date
        AcctColumnDef NASIDENTIFIER, NAS-Identifier
        AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
        AcctColumnDef TIMESTAMP, Timestamp
    </AuthBy>

    <AuthBy DYNADDRESS>
        Identifier myIPADDRESSauth
        Allocator mySQLallocator
        PoolHint %{Client:Identifier}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
        StripFromReply PoolHint
        AddToReply MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6
        AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key
        DefaultSimultaneousUse 1
    </AuthBy>

    <AuthBy DYNADDRESS>
        Identifier
Re: (RADIATOR) accounting without authentication can't write data to postgres
Hi,

You may want to check ALL (ALL!) the column names you have defined in radiator's config file to be sure that they match what you have in your REAL database. Also, make sure the column format supports what you intend to put into them.

From my own experience: I had a column called TIME in an Oracle table and defined the same column in one of my AuthBy SQL sections. Later I decided the proper name for the column should be SESSIONTIME, so I changed it in the radius config file but forgot to alter the actual Oracle table's definition. I then discovered that radiator wasn't logging my accounting records - to make matters worse, radiator was logging accounting-start records which do not contain a value for the Acct-Session-Time attribute, which is what I intended to put in the SESSIONTIME column! But no accounting-stop records were being logged - strange eh? One would have thought the SQL statement would fail altogether!

Regards,
Tunde Itayemi.

----- Original Message -----
From: Hugh Irvine [EMAIL PROTECTED]
To: Dennis Methelev [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, January 23, 2003 11:07 AM
Subject: Re: (RADIATOR) accounting without authentication can't write data to postgres

Hello Dennis -

Thanks for sending the configuration file and the debug trace. It looks to me like there is an error occurring with your SQL server due to the contents of the attributes you are trying to record. You should check the SQL server log to see what is happening.

regards

Hugh

On Wednesday, Jan 22, 2003, at 20:23 Australia/Melbourne, Dennis Methelev wrote:

hi, all!

my radiator can't record accounting requests to postgres database. in Authby SQL AuthSelect sets without 'select' statement (as seen in reference) - authentication not need. please help.
(RADIATOR) Adding an attribute Post Handler
How would one go about adding an attribute in the Handler section. Say this for example:

    <Handler Called-Station-Id=123456$>
        RewriteUsername s/^([^@]+).*/$1/
        AddAttribute Customer-Identity=Widget Co
        AuthBy Widget
    </Handler>

This way when I use the Realm DEFAULT that writes all accounting records to a database it would include a column Customer-Identity which is easier to produce reports on.

This is possible? I know the AddAttribute only works pre-handlers.

Cliff
(RADIATOR) Billing Downloads
-- Forwarded Message --
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [José Costa Preto [EMAIL PROTECTED]]
Date: Thu, 23 Jan 2003 00:57:08 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Subject: Billing Downloads
Date: Thu, 23 Jan 2003 11:56:05 -
From: José Costa Preto [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi,

I would like to obtain a confirmation on fields Acct-Input-Octets and Acct-Input-Octets. Which one shall be billed to our customers as downloads.

Many thanks

José Preto
ONI.SI / MIB

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
Re: (RADIATOR) Cisco 2611 VPN group authentication
-- Forwarded Message --
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [Emilie Shoop [EMAIL PROTECTED]]
Date: Thu, 23 Jan 2003 04:17:30 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Date: Thu, 23 Jan 2003 09:15:50 -0600
To: Hugh Irvine [EMAIL PROTECTED]
From: Emilie Shoop [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Cisco 2611 VPN group authentication
Cc: [EMAIL PROTECTED]

Hugh,

You are correct about the authentication of the group first, and then the username. Here is the url where Cisco explains how to do it on a Cisco Radius server.

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

Thanks for sending the trace files. I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username. You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence. If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh

On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote:

Thanks for the quick response.
This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local.

*** Received from x.x.x.x port 1645
Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af 70 8d 39 bf 20 17 0d 76 d3 71 0a
Code: Access-Request
Identifier: 244
Authentic: 241228Ir168231)(148207*170178x19f
Attributes:
    NAS-IP-Address = x.x.x.x
    NAS-Port-Type = Async
    User-Name = eshoop
    Calling-Station-Id = y.y.y.y
    User-Password = jJ164144175p1419191 2313v211q10

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x'
Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645
Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code: Access-Accept
Identifier: 244
Authentic: 241228Ir168231)(148207*170178x19f
Attributes:

This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius.

Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645
Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06 06 00 00 00 05
Code: Access-Request
Identifier: 245
Authentic: K1471472532131321208(213132301315i197
Attributes:
    NAS-IP-Address = x.x.x.x
    NAS-Port-Type = Async
    User-Name = VPNclients
    Calling-Station-Id = y.y.y.y
    User-Password = 7135220Y$215c723114420120721207@
    Service-Type = Outbound-User

Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x'
Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645
Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64
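Added example, not part of the thread: a small RFC 2865 decoder for the kind of Access-Request shown in the trace above, where the router sends the group name VPNclients as User-Name with Service-Type 5 (shown by Radiator as Outbound-User). The shared secret, the group password and the 192.0.2.x addresses are constructed for the sample packet.

```python
import hashlib
import struct

# Attribute numbers from RFC 2865; only the ones that appear in the trace.
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         6: "Service-Type", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}


def xor_password(data: bytes, secret: bytes, auth: bytes, hide: bool) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", auth  # the first block is keyed with the request authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hide else data[i:i + 16]  # always chain on ciphertext
        out += block
    return out


def parse_packet(raw: bytes, secret: bytes) -> dict:
    """Decode the 20-byte header, then the type/length/value attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("length field does not match packet size")
    auth, attrs, pos = raw[4:20], {}, 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, value = raw[pos], raw[pos + 2:pos + raw[pos + 1]]
        pos += raw[pos + 1]
        if atype == 2:    # a wrong secret yields garbage here, not an error
            text = xor_password(value, secret, auth, hide=False)
            value = text.rstrip(b"\x00").decode(errors="replace")
        elif atype == 4:
            value = ".".join(str(b) for b in value)
        elif atype in (6, 61):
            value = int.from_bytes(value, "big")
        else:
            value = value.decode(errors="replace")
        attrs[NAMES.get(atype, f"Attr-{atype}")] = value
    return {"code": code, "id": ident, "attrs": attrs}


def sample_request(secret: bytes) -> bytes:
    """Constructed Access-Request shaped like the group lookup in the trace."""
    auth = bytes(range(16))
    hidden = xor_password(b"group-pass".ljust(16, b"\x00"), secret, auth, hide=True)
    attrs = [(4, bytes([192, 0, 2, 10])), (61, bytes(4)), (1, b"VPNclients"),
             (31, b"192.0.2.127"), (2, hidden), (6, (5).to_bytes(4, "big"))]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 245, 20 + len(body)) + auth + body


if __name__ == "__main__":
    print(parse_packet(sample_request(b"constructed-secret"), b"constructed-secret"))
```

Run against a captured request with the shared secret configured for that client, the User-Password value is the password the NAS presented for the group, which is the value the matching user entry has to carry.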
(RADIATOR) Accounting Question
Question I have is this: I am wanting to know if there is a hook or something that could be made to ignore accounting from a certain NAS-IP.

With a supplier I have accounting records coming from the NAS and a Proxy; I would just like to keep the accounting records from the Proxy.

So if the IP address does not equal XXX.XXX.XXX.XXX I would like it to ignore accounting records only.

Can this be done?

Chris Kay (Systems Development)
Techex Communications
Website: www.techex.com.au
Email: [EMAIL PROTECTED]
Telephone: 1300 88 111 2 - Fax: 1300 882 221
Re: (RADIATOR) add custom attribute or Sql Column
Hello Imran -

Could you please send me the name of the registered company that has purchased this copy of Radiator?

regards

Hugh

On Friday, Jan 24, 2003, at 01:28 Australia/Melbourne, Imran Khan wrote:

Hi,

I want to add an SQL column or custom attribute to an accounting table. If anyone can send me an example of this, I will be grateful to him.

Thanks in advance

Imran Khan

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) Accounting Question
Hello Chris -

The simplest way to do this is with Handlers:

<Handler NAS-IP-Address = XXX.XXX.XXX.XXX>
    .
</Handler>

<Handler>
    .
    .
</Handler>

Note that you should not mix Realms and Handlers in the same configuration file.

regards

Hugh

On Friday, Jan 24, 2003, at 13:12 Australia/Melbourne, Chris Kay wrote:

Question I have is this: I am wanting to know if there is a hook or something that could be made to ignore accounting from a certain NAS-IP.

With a supplier I have accounting records coming from the NAS and a Proxy; I would just like to keep the accounting records from the Proxy.

So if the IP address does not equal XXX.XXX.XXX.XXX I would like it to ignore accounting records only.

Can this be done?
Re: (RADIATOR) Adding an attribute Post Handler
Hello Cliff -

Could you please send me the name of the registered company that has purchased this copy of Radiator?

regards

Hugh

On Friday, Jan 24, 2003, at 06:06 Australia/Melbourne, Cliff Daniel wrote:

How would one go about adding an attribute in the Handler section. Say this for example:

<Handler Called-Station-Id=123456$>
    RewriteUsername s/^([^@]+).*/$1/
    AddAttribute Customer-Identity=Widget Co
    AuthBy Widget
</Handler>

This way when I use the Realm DEFAULT that writes all accounting records to a database it would include a column Customer-Identity which is easier to produce reports on.

This is possible? I know the AddAttribute only works pre-handlers.

Cliff
Re: (RADIATOR) Billing Downloads
Hello Jose -

I don't understand your question, sorry. Could you explain the problem in more detail please?

BTW - could you please send me the name of the registered company that has purchased this copy of Radiator?

regards

Hugh

Hi,

I would like to obtain a confirmation on fields Acct-Input-Octets and Acct-Input-Octets. Which one shall be billed to our customers as downloads.
Re: (RADIATOR) Radius and Wireless APs
Hi,

Thanks Hugh for the info. I am trying to configure a Cisco AP with Radiator. The Radius server has been started with the default eap_multi.cfg file, and in the Cisco AP the IP address of the Radius Server, EAP Authentication and Network-EAP have been enabled.

1. The Cisco AP is not able to connect to Radius; I don't know where I am doing wrong. I used tcpdump and enabled Cisco Debug; I didn't see any request going to the Radius Server.
2. If anyone has configured Radiator with an AP, please send the configuration file.
3. I have configured the Cisco AP with NoCat software. After the client connects to the AP, it pops up with a Login Page and allots the IP address using DHCP. Now how should I get the Radiator server to pop up that page, and how should I allot a static IP address if needed?

Thanks

Rgds
Jai

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: jai [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, January 17, 2003 4:04 AM
Subject: Re: (RADIATOR) Radius and Wireless APs

Hello Jai -

A Wireless AP looks to Radiator the same as any other NAS, therefore you will need to configure a <Client ...> clause for each one. You may also need to configure additional Handlers or Realms, depending on what else you are doing in your configuration file.

When a user moves from one access point to another, there will be a new authentication, just like if the user had hung up a modem call and dialled again.

You should configure the APs for radius authentication and then watch a trace 4 debug from Radiator to see what is contained in the authentication and accounting requests, then configure Radiator accordingly.

You should probably read the AP vendors' documentation first of all to see what radius support is implemented in the AP software.

There has also been quite a lot of discussion on this topic on the mailing list, so you should check the archive site too.

www.open.com.au/archives/radiator

regards

Hugh

On Thursday, Jan 16, 2003, at 22:56 Australia/Melbourne, jai wrote:

Hi,

I have two APs, one from Cisco and the other one D-Link. The APs' configuration has a Radius Server Authentication option. As I am new to wireless, I have the following questions:

1. How can I use Radiator or a radius server to authenticate like the normal dialup?
2. If the user moves from one Access Point, i.e. from Cisco, to another one, i.e. D-Link, is it needed to authenticate again? If not, what are the changes needed in the Radiator server or wireless?

I think these questions might be irrelevant in this mailing list, but could someone guide me to links which might help.

Thanks.

Rgds
Jai
Re: (RADIATOR) Cisco 2611 VPN group authentication
Hello Emilie -

Thanks for sending the URL.

As far as I can see, you will need to use the Cisco VPN client to make the connection which will first ask you for the group and the group password, then the username and the username password.

You should configure both the name of the group with its password and corresponding reply attributes, and the username and password with its reply attributes.

If you have any other questions, don't hesitate to ask.

regards

Hugh

On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop wrote:

Hugh,

You are correct about the authentication of the group first, and then the username. Here is the url where Cisco explains how to do it on a Cisco Radius server.

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

Thanks for sending the trace files. I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username. You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence. If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh

On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote:

Thanks for the quick response. This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local.
*** Received from x.x.x.x port 1645
Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af 70 8d 39 bf 20 17 0d 76 d3 71 0a
Code: Access-Request
Identifier: 244
Authentic: 241228Ir168231)(148207*170178x19f
Attributes:
    NAS-IP-Address = x.x.x.x
    NAS-Port-Type = Async
    User-Name = eshoop
    Calling-Station-Id = y.y.y.y
    User-Password = jJ164144175p1419191 2313v211q10

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x'
Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645
Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code: Access-Accept
Identifier: 244
Authentic: 241228Ir168231)(148207*170178x19f
Attributes:

This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius.

Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645
Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06 06 00 00 00 05
Code: Access-Request
Identifier: 245
Authentic: K1471472532131321208(213132301315i197
Attributes:
    NAS-IP-Address = x.x.x.x
    NAS-Port-Type = Async
    User-Name = VPNclients
    Calling-Station-Id = y.y.y.y
    User-Password = 7135220Y$215c723114420120721207@
    Service-Type = Outbound-User

Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = x.x.x.x'
Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645
Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65 6e 69 65 64
Code: Access-Reject
Identifier: 245
Authentic: K1471472532131321208(213132301315i197
Attributes:
    Reply-Message = Request Denied

It appears to me that it tries to authenticate the group information (VPNclients and password) before it prompts me for my username. This fails, so I never put in my personal information. However, if I change the cisco config back to group authorization locally, I can log in successfully as a user named VPNclients.

I'm not sure if this is what you were looking for or not?

Thanks,
Emilie

At 11:30 AM 1/22/2003 +1100, Hugh Irvine