(RADIATOR) Internal Session Database
Hello,

When working with an internal session database, how can I:
- clear an active session for a user in case of a lost Accounting-Stop (I don't know the NAS-Port value)
- clear all active sessions for a NAS

Remark: I don't want to use the NAS querying feature of Radiator.

If not possible: knowing that an Internal Session DB is faster than a SQL Session DB, it would be great to have some kind of CLI allowing one to view the content of the internal session DB (or to dump it to a file), to clear an active session for a user and to clear all active sessions for a NAS. But I guess I am not the first one to ask for this feature.

Regards.
Geoffrey

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
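The two operations asked for above are one-line deletes once the session table is keyed on something other than NAS-Port. The following is an added example, not Radiator code and not from the original thread: it models a SQL session database with sqlite3, using a table laid out like the RADONLINE table in Radiator's goodies (column names are assumed), and shows clearing one user's sessions after a lost Accounting-Stop, clearing every session of one NAS, and a stale-session purge, none of which query the NAS.

```python
import sqlite3

# Assumed layout, modelled on the RADONLINE session table from Radiator's
# goodies; TIME_STAMP holds the Unix time of the Accounting-Start.
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME        TEXT    NOT NULL,
    NASIDENTIFIER   TEXT    NOT NULL,
    NASPORT         INTEGER,            -- NULL when the NAS sends no port
    ACCTSESSIONID   TEXT    NOT NULL,
    TIME_STAMP      INTEGER NOT NULL,
    FRAMEDIPADDRESS TEXT,
    PRIMARY KEY (NASIDENTIFIER, ACCTSESSIONID)
)
"""


def open_session_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def acct_start(conn, username, nas, port, session_id, now, framed_ip=None):
    """Record an Accounting-Start. INSERT OR REPLACE absorbs a NAS that
    retransmits a Start we already stored."""
    conn.execute(
        "INSERT OR REPLACE INTO RADONLINE VALUES (?, ?, ?, ?, ?, ?)",
        (username, nas, port, session_id, now, framed_ip),
    )


def acct_stop(conn, nas, session_id):
    """Normal path: the Stop carries Acct-Session-Id, so the row is found
    without NAS-Port. Returns rows removed (0 means unknown session)."""
    cur = conn.execute(
        "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND ACCTSESSIONID = ?",
        (nas, session_id),
    )
    return cur.rowcount


def clear_user_sessions(conn, username):
    """Operator action for a lost Accounting-Stop: drop every session of
    one user regardless of NAS or port."""
    cur = conn.execute("DELETE FROM RADONLINE WHERE USERNAME = ?", (username,))
    return cur.rowcount


def clear_nas_sessions(conn, nas):
    """Operator action after a NAS reboot: drop all sessions it owned."""
    cur = conn.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER = ?", (nas,))
    return cur.rowcount


def purge_stale(conn, now, max_age_seconds):
    """Safety net for Stops lost on the wire: drop sessions whose Start is
    older than the longest session the service allows."""
    cur = conn.execute(
        "DELETE FROM RADONLINE WHERE TIME_STAMP < ?", (now - max_age_seconds,)
    )
    return cur.rowcount


def dump_sessions(conn):
    """The 'view the content' half of the request, as a list of rows."""
    return conn.execute(
        "SELECT USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP "
        "FROM RADONLINE ORDER BY NASIDENTIFIER, ACCTSESSIONID"
    ).fetchall()


def active_session_count(conn, username):
    """What a Simultaneous-Use check would consult."""
    return conn.execute(
        "SELECT COUNT(*) FROM RADONLINE WHERE USERNAME = ?", (username,)
    ).fetchone()[0]


def demo():
    """Constructed scenario: two NASes, one user whose Stop was lost."""
    conn = open_session_db()
    t0 = 1_000_000
    acct_start(conn, "alice", "10.0.0.1", 7, "A001", t0)
    acct_start(conn, "bob", "10.0.0.1", 8, "A002", t0)
    # alice logs in again from a NAS that sends no NAS-Port at all
    acct_start(conn, "alice", "10.0.0.2", None, "B001", t0 + 60)
    before = active_session_count(conn, "alice")   # 2: the stale one counts
    cleared_user = clear_user_sessions(conn, "alice")
    cleared_nas = clear_nas_sessions(conn, "10.0.0.1")
    return before, cleared_user, cleared_nas, dump_sessions(conn)
```

The stale purge is the piece worth keeping even when Stops normally arrive: with a session limit in place, a lost Stop otherwise locks a user out until someone runs the manual delete.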
Re: (RADIATOR) AuthBy accept all authentication
Hello Steven,

Try adding:

AuthColumnDef 0, User-Password, check
AuthSelect select NULL

to your <AuthBy SQL> clause.

Regards.
Geoffrey

> Hi:
>
> Is there an easy trick to make an <AuthBy>, specifically an <AuthBy SQL>, clause always return an authentication accept? I can't seem to find a built-in configuration parameter to do this. I need something sort of like "IgnoreAuthentication", but accept instead of ignore. I want to create an <AuthBy SQL> that only does stuff for accounting requests, but I can't use "IgnoreAuthentication" because I need to have the AuthByPolicy in the handlers set to "ContinueWhileAccept".
>
> I am using Radiator 3.6.
>
> Thanks for any advice.
>
> Steve
> --
> Steven Saner <[EMAIL PROTECTED]>
(RADIATOR) Authentication Failure Messages
Hello,

We need to keep authentication failure information in our database. This can of course be done with .

To make it simple, let's say that we have to handle things like an account status (Active or Blocked) in the authentication process. This can easily be done by:

AuthSelect select ... from ACCOUNT where USERNAME=%0 and STATUS = 'Active'

But if someone with a correct Usr/Psw but a blocked RADIUS account tries to connect, it will of course result in the "No such user" failure message instead of some dedicated failure message such as "Account Blocked".

We could handle the Account Status check using check items and the AddToRequest parameter instead of using AuthSelect and then get "dedicated" failure messages, but for other cases it is not that simple. Ex.:
- For one account (usr/psw), multiple service subscriptions based on the NAS-Port-Type attribute of the Access-Request and resulting in different reply attributes.
- Accounts should be bound to several Access Servers (RADIUS clients).

We can handle this with a proper data model and the AuthSelect parameter, but we need dedicated authentication failure messages (ex: "No subscription for this service" and "Not allowed from this NAS") in case of correct Usr/Psw.

I don't know much about PostAuthHook but I guess it may be the solution.

Any suggestions?

Regards.
Geoffrey
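The reason the AuthSelect-only approach collapses every failure into "No such user" is that the status, NAS and subscription conditions are folded into the credential lookup. The example below is added here and is neither Radiator code nor part of the thread: it models the data model the post sketches (account status, per-NAS-Port-Type subscriptions, allowed NASes) in sqlite3 with assumed table and column names, selects on USERNAME alone, and then applies each policy as its own check so that each failure gets its own reason and is recorded in a failure table. The password is checked before any policy so that a caller without the password cannot learn whether an account is blocked or which NASes it may use.

```python
import hmac
import sqlite3

# Assumed schema; the post's ACCOUNT(USERNAME, STATUS) is the only given.
SCHEMA = """
CREATE TABLE ACCOUNT (
    USERNAME TEXT PRIMARY KEY,
    PASSWORD TEXT NOT NULL,   -- cleartext, as the post's AuthSelect implies (PAP)
    STATUS   TEXT NOT NULL    -- 'Active' or 'Blocked'
);
CREATE TABLE SUBSCRIPTION (USERNAME TEXT, NAS_PORT_TYPE TEXT, REPLY_ATTRS TEXT);
CREATE TABLE NAS_BINDING  (USERNAME TEXT, NAS_IP TEXT);
CREATE TABLE AUTH_FAILURE (USERNAME TEXT, NAS_IP TEXT, REASON TEXT);
"""
ACCEPT, REJECT = "ACCEPT", "REJECT"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load_fixture(conn):
    """Constructed accounts: alice active on one NAS with an Async
    subscription, bob blocked."""
    conn.executemany("INSERT INTO ACCOUNT VALUES (?, ?, ?)",
                     [("alice", "s3cret", "Active"), ("bob", "pw", "Blocked")])
    conn.execute("INSERT INTO NAS_BINDING VALUES ('alice', '10.0.0.1')")
    conn.execute("INSERT INTO SUBSCRIPTION VALUES ('alice', 'Async', 'Framed-Protocol = PPP')")


def authorize(conn, request):
    """request: dict of the Access-Request attributes we look at.
    Returns (result, reason, reply_attrs); the reason is the first
    policy that fails, in a fixed order."""
    username = request.get("User-Name", "")
    row = conn.execute(
        "SELECT PASSWORD, STATUS FROM ACCOUNT WHERE USERNAME = ?", (username,)
    ).fetchone()
    if row is None:
        return REJECT, "No such user", None
    password, status = row
    supplied = request.get("User-Password", "")
    # constant-time comparison; encode so non-ASCII input cannot raise
    if not hmac.compare_digest(password.encode(), supplied.encode()):
        return REJECT, "Bad password", None
    if status != "Active":
        return REJECT, "Account Blocked", None
    nas = request.get("NAS-IP-Address")
    bound = conn.execute(
        "SELECT 1 FROM NAS_BINDING WHERE USERNAME = ? AND NAS_IP = ?",
        (username, nas),
    ).fetchone()
    if bound is None:
        return REJECT, "Not allowed from this NAS", None
    sub = conn.execute(
        "SELECT REPLY_ATTRS FROM SUBSCRIPTION WHERE USERNAME = ? AND NAS_PORT_TYPE = ?",
        (username, request.get("NAS-Port-Type")),
    ).fetchone()
    if sub is None:
        return REJECT, "No subscription for this service", None
    return ACCEPT, "OK", sub[0]


def authenticate(conn, request):
    """authorize() plus the 'keep failure information in our database'
    requirement: every REJECT is written to AUTH_FAILURE with its reason."""
    result, reason, reply = authorize(conn, request)
    if result == REJECT:
        conn.execute(
            "INSERT INTO AUTH_FAILURE VALUES (?, ?, ?)",
            (request.get("User-Name"), request.get("NAS-IP-Address"), reason),
        )
    return result, reason, reply


def failure_count(conn, username=None):
    if username is None:
        return conn.execute("SELECT COUNT(*) FROM AUTH_FAILURE").fetchone()[0]
    return conn.execute(
        "SELECT COUNT(*) FROM AUTH_FAILURE WHERE USERNAME = ?", (username,)
    ).fetchone()[0]
```

Whether the dedicated reason should be returned to the user in a Reply-Message or only logged is a separate decision; "Not allowed from this NAS" tells a password-holding attacker something useful, so logging it while sending a generic reject is a defensible choice.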
Re: (RADIATOR) Getting problems with new Cisco IOS NAS
Hello Hugh,

I'm not sure, but I think that the "extended NAS-Port" commands are only related to authentication (not to accounting). We had the same problem with a 7200 running IOS 12.2.13T.

Regards.
Geoffrey

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Thursday 4 September 2003 1:52
To: Craig Gittens
Cc: Radiator
Subject: Re: (RADIATOR) Getting problems with new Cisco IOS NAS

Hello Craig -

I seem to remember there are some "aaa ..." commands to send extended NAS-Port information (there may be others). I also noticed on the latest 12.2 IOS release some new commands - so you might want to check what version you are running. You should ask your Cisco engineer or check the Cisco web site.

And you should also check the mailing list archive: www.open.com.au/archives/radiator

BTW - we do not have any Cisco gear ourselves.

regards

Hugh

On Thursday, Sep 4, 2003, at 07:27 Australia/Melbourne, Craig Gittens wrote:

> Hey guys, I can't update my sessions table because it gets an error since there is no NAS-Port present in stop and start records. Can anyone give me an idea if there is a command on Cisco VPDN LNS L2TP to get it to send over NAS-Port info?
>
> Thanks,
>
> Craig.
>
> Wed Sep 3 16:26:07 2003: DEBUG: Packet dump:
> *** Received from 205.214.223.130 port 21738
> Code: Accounting-Request
> Identifier: 151
> Authentic: z%<218><4><131><142><140><3>t0<186>j<220>x<178>y
> Attributes:
> Acct-Session-Id = "3DBF"
> Tunnel-Server-Endpoint = 192.168.255.20
> Tunnel-Client-Endpoint = 10.193.5.9
> Tunnel-Assignment-ID = 1
> Tunnel-Type = 0:L2TP
> Tunnel-ID = 238499
> Tunnel-Client-Auth-ID = sunbeachrout
> Tunnel-Server-Auth-ID = lnsbios3
> Framed-Protocol = PPP
> Framed-IP-Address = 66.205.14.199
> Acct-Authentic = RADIUS
> Acct-Session-Time = 8318
> Acct-Input-Octets = 1170527
> Acct-Output-Octets = 26796558
> Acct-Input-Packets = 39652
> Acct-Output-Packets = 50692
> Acct-Terminate-Cause = User-Request
> User-Name = "u"
> Acct-Status-Type = Stop
> NAS-Port-Type = Async
> Calling-Station-Id = "2464235849"
> Called-Station-Id = "2929700"
> Service-Type = Framed-User
> NAS-IP-Address = 205.214.223.130
> Acct-Delay-Time = 0

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) downloadable ACL
Hi Denis,

Maybe something like:

Cisco-AV-Pair=ip:inacl#1=,Cisco-AV-Pair=ip:inacl#2=

Regards.
Geoffrey

-----Original Message-----
From: Denis Pavani [mailto:[EMAIL PROTECTED]
Sent: Tuesday 2 September 2003 12:07
To: [EMAIL PROTECTED]
Subject: (RADIATOR) downloadable ACL

Hi all.

Does anyone know the correct syntax to configure downloadable Cisco PIX ACLs on Radiator? I tried to put in a profile:

cisco-avpair="ip:inacl=, ip:inacl="

but it seems to be ignored.

Thanks in advance.

--
Denis Pavani
CINECA - Comunicazioni e Sistemi Distribuiti
NOC - Network Operations Center
phone: +39 0516171953 / fax: +39 0516132198
http://www.cineca.it
"We are paid to adapt, improvise and get the job done" -- Gunny Highway
Re: (RADIATOR) AuthBy ADSI configuration
Hello Hugh, Christian, Ingvar,

It seems to work when I set the AuthFlags parameter to 1.

Configuration:

SearchAttribute SAMAccountName
BindString LDAP://myserver/DC=staff,DC=mycompany,DC=com
AuthUser %0
AuthFlags 1

Now it should be easy to implement it with VPDN.

However, I'm still getting the following error in the logfile:

OLE exception from "ADODB.Command": Object or provider is not capable of performing requested operation. Win32::OLE(0.1601) error 0x800a0cb3

Can I ignore it?

Thanks for your help.

Regards.
Geoffrey

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Thursday 28 August 2003 5:26
To: DUFOUR Geoffrey
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AuthBy ADSI configuration

Hello Geoffrey -

To do what you describe you should change "CN=%0" to "samaccountname=%0".

I am not quite sure what your requirements are for VPDN users - can you clarify?

For a detailed description of the AuthBy ADSI clause please see section 6.40 in the Radiator 3.6 reference manual ("doc/ref.html").

regards

Hugh

On Wednesday, Aug 27, 2003, at 23:44 Australia/Melbourne, DUFOUR Geoffrey wrote:

> Hello,
>
> I would like to authenticate users using <AuthBy ADSI>. It works fine with the following configuration:
>
> BindString LDAP://myserver/CN=%0,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com
> AuthUser %0
> AuthFlags 0
>
> This configuration sample shows that the username is bound to the CN (common name). I need the username to be bound to the attribute samaccountname.
>
> In fact I need to allow VPDN users to use the same parameters (username and password) both to log on the domain and for VPDN access.
>
> How can I handle this?
>
> I am quite new to AD, could you please clarify the difference between the BindString parameter and the AuthUser parameter.
>
> Regards.
>
> Geoffrey
Re: (RADIATOR) AuthBy ADSI configuration
Hello Hugh,

It does not work (I get an Access-Reject). You will find hereafter DEBUG information for several configurations:

With the "BindString LDAP://myserver/SAMAccountName=%0,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com ..." parameter:

DEBUG==
Thu Aug 28 10:38:08 2003: DEBUG: BindString converted to LDAP://myserver/SAMAccountName=geoffrey,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com
Thu Aug 28 10:38:08 2003: DEBUG: AuthUser converted to geoffrey
Thu Aug 28 10:38:08 2003: DEBUG: Connecting to namespace: LDAP:
Thu Aug 28 10:38:09 2003: DEBUG: Running OpenDSObject on LDAP://myserver/SAMAccountName=geoffrey,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com
Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password" in METHOD/PROPERTYGET "OpenDSObject" at C:/Perl/site/lib/Radius/AuthADSI.pm line 133
Thu Aug 28 10:38:09 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password" in METHOD/PROPERTYGET "OpenDSObject"
Thu Aug 28 10:38:09 2003: INFO: Access rejected for geoffrey: Could not find user
/DEBUG=

With:

SearchAttribute SAMAccountName
BindString LDAP://myserver/DC=staff,DC=mycompany,DC=com
AuthUser %0
AuthFlags 0

DEBUG==
Thu Aug 28 10:47:43 2003: DEBUG: Handling with ASDI
Thu Aug 28 10:47:43 2003: DEBUG: BindString converted to LDAP://myserver/DC=staff,DC=mycompany,DC=com
Thu Aug 28 10:47:43 2003: DEBUG: AuthUser converted to geoffrey
Thu Aug 28 10:47:43 2003: DEBUG: Starting ADODB search for SAMAccountName = geoffrey
OLE exception from "ADODB.Command": Object or provider is not capable of performing requested operation.
Win32::OLE(0.1601) error 0x800a0cb3 in METHOD/PROPERTYGET "" at C:/Perl/site/lib/Radius/AuthADSI.pm line 372
Thu Aug 28 10:47:44 2003: DEBUG: User found at LDAP://CN=DUFOUR Geoffrey,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com
Thu Aug 28 10:47:44 2003: DEBUG: Connecting to namespace: LDAP:
Thu Aug 28 10:47:44 2003: DEBUG: Running OpenDSObject on LDAP://CN=DUFOUR Geoffrey,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com
Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password" in METHOD/PROPERTYGET "OpenDSObject" at C:/Perl/site/lib/Radius/AuthADSI.pm line 133
Thu Aug 28 10:47:44 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password" in METHOD/PROPERTYGET "OpenDSObject"
Thu Aug 28 10:47:44 2003: INFO: Access rejected for geoffrey: Could not find user
/DEBUG==

Any ideas?

Btw, I can't find any information related to the SearchAttribute parameter in the reference manual. Does that mean that some additional documents are available?

Thanks for your help.

Regards.
Geoffrey
(RADIATOR) AuthBy ADSI configuration
Hello,

I would like to authenticate users using <AuthBy ADSI>. It works fine with the following configuration:

BindString LDAP://myserver/CN=%0,OU=Marketing,OU=Employee,DC=staff,DC=mycompany,DC=com
AuthUser %0
AuthFlags 0

This configuration sample shows that the username is bound to the CN (common name). I need the username to be bound to the attribute samaccountname.

In fact I need to allow VPDN users to use the same parameters (username and password) both to log on the domain and for VPDN access.

How can I handle this?

I am quite new to AD, could you please clarify the difference between the BindString parameter and the AuthUser parameter.

Regards.
Geoffrey
Re: (RADIATOR) Radiator and Mysql under load
I don't know much about InnoDB. Does it require a commercial license? It seems InnoDB is enabled by default in MySQL 4.0. Correct?

Regards.
Geoffrey

-----Original Message-----
From: Matthew Trout [mailto:[EMAIL PROTECTED]
Sent: Wednesday 20 August 2003 10:29
To: 'Hugh Irvine'; DUFOUR Geoffrey
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Radiator and Mysql under load

I'd also *strongly* recommend using InnoDB for the MySQL table handler - I sincerely doubt MyISAM will perform well in the environment you're looking at.

Plus make full use of mysql's 'EXPLAIN' keyword to optimise your table indexes based on the queries radiator's performing.

> -----Original Message-----
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]
> Sent: 18 August 2003 23:49
> To: DUFOUR Geoffrey
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Radiator and Mysql under load
>
> Hello Geoffrey -
>
> You shouldn't have any problems with the numbers you indicate below.
>
> In answer to your questions:
>
> 1. I would say that most of our customers use MySQL, with both Oracle and MSSQL used less often.
>
> 2. At startup the Radiator configuration file is parsed and a variety of memory structures are built including a list of Realms. 1000 Realms will not use much memory at all - less than a megabyte I would say.
>
> BTW - if the Realms are being used for proxying, you might consider the AuthBy SQLRADIUS clause as an alternative which allows you to manage the list of Realms in the database as well. See section 6.45 in the Radiator 3.6 reference manual ("doc/ref.html").
>
> Of course you should also set up a test environment so you can see how your configuration performs.
>
> regards
>
> Hugh
>
> On Tuesday, Aug 19, 2003, at 01:16 Australia/Melbourne, DUFOUR Geoffrey wrote:
>
> > Hello,
> >
> > We plan to run RADIATOR on RH Linux and authenticate users from a mysql database (accounting information will be stored in the same database). We have to work with a data model that allows us to handle "group attributes" (reply and check), "user attributes" (reply and check), and a few other things, meaning that the AuthSelect query will deal with several tables.
> >
> > We should have up to 50,000 users in the database and 1000 realms in the config file (150 CDRs a month).
> >
> > 1st question: Knowing all this, do you see any problems running RADIATOR with mysql (performance problems, ...). It seems a lot of people are working with MSSQL or Oracle databases to authenticate users.
> >
> > 2nd question: Is it a problem for RADIATOR to handle a lot of realms, knowing all the information is kept in memory?
> >
> > I am concerned about performance.
> >
> > Thanks for your help.
> >
> > Regards.
> >
> > Geoffrey Dufour
Re: (RADIATOR) Authentication result codes list?
Hi,

You will find all the information in RFC 2865. This document will help you to understand the protocol. Don't forget to take a look at RFC 2866 (RADIUS Accounting).

Regards.
Geoffrey

-----Original Message-----
From: John McFadden [mailto:[EMAIL PROTECTED]
Sent: Tuesday 19 August 2003 21:29
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Authentication result codes list?

I'm fairly green to RADIUS and Radiator so please excuse my ignorance.

I'm writing a post auth hook and want to make sure I cover all the various conditions, i.e. I'll want to check and act on the result of an AuthBy LDAP2. I understand it can be ACCEPT or REJECT but I'm wondering if I need to handle other results such as IGNORE? If so, where do I get the full list of possible results?

Any pointers are appreciated.

Thanks in advance

John McFadden
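Two things from RFC 2865 are worth having in executable form when writing a hook that acts on results: the Code values that actually go on the wire (Access-Accept = 2, Access-Reject = 3, Access-Challenge = 11, and so on; a server-internal result that sends no reply at all has no wire counterpart) and the Response Authenticator a server must put in every reply, MD5 over Code + Identifier + Length + RequestAuthenticator + Attributes + Secret. The block below is an added example, not Radiator code and not from the thread; the packet bytes, identifier and shared secret are constructed.

```python
import hashlib
import hmac
import struct

# RFC 2865 section 3 and RFC 2866 section 3 Code values
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
REPLY_MESSAGE = 18                     # attribute type, RFC 2865 section 5.18
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator


def code_name(code):
    return CODES.get(code, "Unknown-%d" % code)


def encode_attr(attr_type, value):
    """One RFC 2865 attribute: Type, Length (includes the 2 header bytes), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Walk the attribute list, refusing lengths that run past the buffer."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def parse_header(pkt):
    """Returns (code, identifier, authenticator, attributes). Bytes beyond
    the Length field are padding and are ignored, as the RFC requires."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, auth, pkt[HEADER.size:length]


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator per RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reply(reply, request_auth, secret):
    """Client side: recompute the authenticator over the reply we received
    and the authenticator we sent; compare in constant time."""
    code, ident, got, attrs = parse_header(reply)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def reply_messages(reply):
    """All Reply-Message strings in a reply (a reject may carry several)."""
    _, _, _, attrs = parse_header(reply)
    return [v.decode("utf-8", "replace")
            for t, v in decode_attrs(attrs) if t == REPLY_MESSAGE]
```

The verification step is what stops a host on the path from swapping an Access-Reject for an Access-Accept: the forged reply would have to carry an MD5 over the shared secret and the 16 random bytes the client put in its request. It binds only code, identifier, attributes and secret, so attributes added by a legitimate proxy are covered, but nothing here replaces the Message-Authenticator of RFC 2869 for EAP.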
(RADIATOR) Radiator and Mysql under load
Hello,

We plan to run RADIATOR on RH Linux and authenticate users from a mysql database (accounting information will be stored in the same database). We have to work with a data model that allows us to handle "group attributes" (reply and check), "user attributes" (reply and check), and a few other things, meaning that the AuthSelect query will deal with several tables.

We should have up to 50,000 users in the database and 1000 realms in the config file (150 CDRs a month).

1st question: Knowing all this, do you see any problems running RADIATOR with mysql (performance problems, ...). It seems a lot of people are working with MSSQL or Oracle databases to authenticate users.

2nd question: Is it a problem for RADIATOR to handle a lot of realms, knowing all the information is kept in memory?

I am concerned about performance.

Thanks for your help.

Regards.
Geoffrey Dufour
RE: (RADIATOR) Cisco IOS aaa ??
Hi,

We had the same problem with a 7200 running IOS 12.2.13T:
- missing port id in access-requests
- port id = 0 in accounting requests
- missing Class attribute in accounting requests

I guess that we will have to rely on the Acct-Session-Id attribute if we need to handle accurate "port" usage and to limit simultaneous sessions.

Geoffrey.

-----Original Message-----
From: Gary [mailto:[EMAIL PROTECTED]
Sent: Monday 28 July 2003 6:18
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Cisco IOS aaa ??

Since updating a 7200 on the weekend, we are now not getting port-id from the cisco.

Anyone seen this before and maybe have a fix?

Gary.
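Relying on Acct-Session-Id, as suggested above and as the LNS packet dump earlier on this page (a Stop with no NAS-Port at all) forces, means keying the session table on (NAS-IP-Address, Acct-Session-Id) and counting sessions per user from that. The block below is an added example, not Radiator code and not from either thread: it parses the attribute section of a Radiator trace dump in the format posted earlier and feeds Start/Stop records into such a table. The two dumps are constructed, reusing the attribute names and values seen on this page.

```python
import re
from collections import defaultdict

# "Name = value" or 'Name = "value"'; Radiator prints strings in quotes
ATTR_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*"?(.*?)"?$')


def parse_dump(text):
    """Attributes of one trace packet dump as a dict. Lines before
    'Attributes:' (Code, Identifier, Authentic) are skipped; a leading
    '> ' quote prefix, as in a mailing-list reply, is tolerated."""
    attrs, in_attrs = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not in_attrs:
            in_attrs = line.startswith("Attributes:")
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


class SessionTable:
    """Active sessions keyed on (NAS-IP-Address, Acct-Session-Id), so a
    NAS that sends no NAS-Port, or always port 0, is handled the same way."""

    def __init__(self):
        self.sessions = {}                 # key -> username
        self.by_user = defaultdict(set)    # username -> set of keys

    def handle(self, attrs):
        """Apply one Accounting-Request; returns a short description of
        what happened, for logging."""
        key = (attrs.get("NAS-IP-Address"), attrs.get("Acct-Session-Id"))
        if None in key:
            return "ignored: no NAS-IP-Address/Acct-Session-Id"
        user, status = attrs.get("User-Name"), attrs.get("Acct-Status-Type")
        if status == "Start":
            self.sessions[key] = user      # idempotent for a retransmitted Start
            self.by_user[user].add(key)
            return "start"
        if status == "Stop":
            owner = self.sessions.pop(key, None)
            if owner is None:
                return "stop: unknown session"
            self.by_user[owner].discard(key)
            return "stop"
        if status == "Alive":
            return "alive"                 # interim update; nothing to change here
        return "ignored: %s" % status

    def count(self, user):
        return len(self.by_user.get(user, ()))

    def would_exceed(self, user, simultaneous_use):
        """True when one more login would exceed the user's limit."""
        return self.count(user) >= simultaneous_use


# Constructed dumps in the Radiator trace format; no NAS-Port attribute.
START_DUMP = """\
Wed Sep 3 14:07:29 2003: DEBUG: Packet dump:
*** Received from 205.214.223.130 port 21738
Code: Accounting-Request
Identifier: 150
Authentic: <constructed>
Attributes:
        Acct-Session-Id = "3DBF"
        User-Name = "u"
        Acct-Status-Type = Start
        NAS-Port-Type = Async
        Framed-IP-Address = 66.205.14.199
        NAS-IP-Address = 205.214.223.130
"""
STOP_DUMP = START_DUMP.replace("Identifier: 150", "Identifier: 151") \
                      .replace("Acct-Status-Type = Start",
                               "Acct-Status-Type = Stop\n        Acct-Session-Time = 8318")


def demo():
    table = SessionTable()
    a1 = table.handle(parse_dump(START_DUMP))
    under = table.would_exceed("u", 2)            # one session: False
    second = dict(parse_dump(START_DUMP), **{"Acct-Session-Id": "3DC0"})
    a2 = table.handle(second)                     # same user, new session id
    over = table.would_exceed("u", 2)             # two sessions: True
    a3 = table.handle(parse_dump(STOP_DUMP))      # frees 3DBF
    a4 = table.handle(parse_dump(STOP_DUMP))      # duplicate Stop
    return a1, under, a2, over, a3, a4, table.count("u")
```

The missing Class attribute mentioned above is a separate loss: Class is what lets a server correlate accounting back to the Access-Accept it sent, and nothing in this table recovers it.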
(RADIATOR) Question about configuration file
Hello,

As far as I understand, radiusd reads the configuration file only once (when it starts). Correct? Is there a way to force radiusd to read the file every x min. or every time the file is updated (new realm, RADIUS client, …) without restarting it?

I would also like to know if it is possible to store realm/handler configuration information in a SQL database instead of in a flat file (the same way you can do it for RADIUS clients with ClientListSQL).

Regards.
Geoffrey