[RADIATOR] AuthBy FILE

2013-08-06 Thread Dan Prill
Hello,
I'm trying to get authentication set up against eDirectory via LDAP, but wanted 
to start by seeing if I could get AuthBy FILE to work first. When I attempt to 
connect with a Windows 7 laptop, I see the following in the logfile. I'm using 
the eap_peap.cfg file and a Trapeze MX-200 as the authenticator. Any 
suggestions appreciated.
 
Dan
 
 
Tue Aug  6 15:39:07 2013: DEBUG: Packet dump:
*** Received from 172.16.240.2 port 20009 
Code:  Access-Request
Identifier: 214
Authentic:  an<4><249>@J<4>Zd<229>e1Z#<0>Y
Attributes:
 NAS-Port-Id = "AP10/1"
 Calling-Station-Id = "64-80-99-1E-3F-FC"
 Called-Station-Id = "00-0B-0E-B5-8A-44:NWHSU-Test"
 Service-Type = Framed-User
 User-Name = "dprill"
 NAS-Port = 23410
 EAP-Message = <2><6><0>&<17><1><0><24><232><209><188>2<242><218><148>`H<213><193><174><224><244><193><251><12>5<130><200><179>'<170><190>dprill
 NAS-Port-Type = Wireless-IEEE-802-11
 NAS-IP-Address = 172.16.240.2
 NAS-Identifier = "Trapeze"
 Message-Authenticator = 3<243><30><188>j<159><166><232><9><151><157>>2<170><194><237>
 
Tue Aug  6 15:39:07 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Aug  6 15:39:07 2013: DEBUG:  Deleting session for dprill, 172.16.240.2, 23410
Tue Aug  6 15:39:07 2013: DEBUG: Handling with Radius::AuthFILE: 
Tue Aug  6 15:39:07 2013: DEBUG: Handling with EAP: code 2, 6, 38, 17
Tue Aug  6 15:39:07 2013: DEBUG: Response type 17
Tue Aug  6 15:39:07 2013: DEBUG: Radius::AuthFILE looks for match with dprill [dprill]
Tue Aug  6 15:39:07 2013: DEBUG: Radius::AuthFILE ACCEPT: : dprill [dprill]
Tue Aug  6 15:39:07 2013: DEBUG: EAP result: 3, Wait for peer challenge
Tue Aug  6 15:39:07 2013: DEBUG: AuthBy FILE result: CHALLENGE, Wait for peer challenge
Tue Aug  6 15:39:07 2013: DEBUG: Access challenged for dprill: Wait for peer challenge
Tue Aug  6 15:39:07 2013: DEBUG: Packet dump:
*** Sending to 172.16.240.2 port 20009 
Code:  Access-Challenge
Identifier: 214
Authentic:  b<28>8<12><25><31><137>D<141><130><150>%g<10>h<185>
Attributes:
 EAP-Message = <3><6><0><4>
 Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
 
 
 
 
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
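
Added example (not part of the original post, and not Radiator code): the two `EAP-Message` values in the trace above can be decoded to see which EAP method the client answered with, here type 17 (LEAP in the IANA registry) rather than type 25 (PEAP). It assumes that every `<N>` in a Radiator dump is one raw byte written in decimal and every other character is a literal byte; the function names are hypothetical.

```python
import re
import struct

# Copied from the two EAP-Message attributes in the trace above.
REQUEST_DUMP = (
    "<2><6><0>&<17><1><0><24><232><209><188>2<242><218><148>`H<213><193>"
    "<174><224><244><193><251><12>5<130><200><179>'<170><190>dprill"
)
REPLY_DUMP = "<3><6><0><4>"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of the IANA EAP method type registry.
EAP_TYPES = {
    1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
    17: "LEAP (EAP-Cisco Wireless)", 21: "EAP-TTLS", 25: "PEAP",
    26: "EAP-MSCHAPv2",
}

# Assumption: "<N>" is an escaped byte, anything else is a literal character.
TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)


def unescape_dump(text):
    """Turn the escaped attribute value from the log back into raw bytes."""
    out = bytearray()
    for match in TOKEN.finditer(text):
        if match.group(1) is not None:
            value = int(match.group(1))
            if value > 255:
                raise ValueError(f"escape <{value}> is not a byte")
            out.append(value)
        else:
            out += match.group(2).encode("latin-1")
    return bytes(out)


def parse_leap(data):
    """LEAP body: version, unused, count, <count> bytes of value, then name."""
    if len(data) < 3:
        raise ValueError("LEAP body shorter than 3 bytes")
    version, count = data[0], data[2]
    if len(data) < 3 + count:
        raise ValueError("LEAP value is truncated")
    return {
        "version": version,
        "count": count,
        "value": data[3:3 + count],
        "name": data[3 + count:].decode("latin-1"),
    }


def parse_eap(raw):
    """Parse one unfragmented EAP packet (a single EAP-Message attribute)."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": ident,
        "length": length,
        "type": None,
        "method": None,
    }
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = raw[4]
        pkt["method"] = EAP_TYPES.get(raw[4], f"type {raw[4]}")
        if raw[4] == 17:
            pkt["leap"] = parse_leap(raw[5:])
    return pkt


if __name__ == "__main__":
    for label, dump in (("request", REQUEST_DUMP), ("reply", REPLY_DUMP)):
        print(label, parse_eap(unescape_dump(dump)))
```

The decoded request header matches the server's own `Handling with EAP: code 2, 6, 38, 17` line, which is a quick way to confirm the unescaping is right.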

Re: [RADIATOR] Radiator keeps restarting

2010-09-17 Thread Dan Pike
Thanks Hugh, that was the help I needed.  That quickly pointed out that 
IO-Socket-SSL somehow didn't get installed.  I installed it and now everything 
is working great.  Much appreciated!!

-Dan


--- On Fri, 9/17/10, Hugh Irvine  wrote:

> From: Hugh Irvine 
> Subject: Re: [RADIATOR] Radiator keeps restarting
> To: "Dan Pike" 
> Cc: radiator@open.com.au
> Date: Friday, September 17, 2010, 12:31 PM
> 
> Hello Dan -
> 
> You have two options - both will show you the Perl crash
> message(s).
> 
> 1. run radiusd by hand from the command line:
> 
>     cd /your/Radiator/source/directory
> 
>     perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration/file
> 
>     …..
> 
> 2. use restartWrapper - see section 16.1 in the Radiator
> 4.7 reference manual ("doc/ref.pdf").
> 
> regards
> 
> Hugh
> 
> 
> On 17 Sep 2010, at 14:27, Dan Pike wrote:
> 
> > Hi,
> > I've looked through the FAQ and the email archive and
> haven't stumbled on an answer to a problem that I'm having.
> 
> > 
> > I have radiator running on two servers.  Server
> #1 seems to be working without any problems.  However
> radiator on server #2 keeps rebooting when I try to have a
> device authenticate using that server.  I'm running a
> patched version of radiator 4.5.1.  Looking at the log
> files I see the server restart at the same point every time,
> right after it creates the accounting port.  Here's
> what I'm seeing in the logs:
> > 
> > 
> > Fri Sep 17 12:06:00 2010: DEBUG: Handling with
> Radius::AuthGROUP: CheckLDAPServers_Network
> > Fri Sep 17 12:06:00 2010: DEBUG: Handling with
> Radius::AuthLDAP2:
> > Fri Sep 17 12:06:00 2010: INFO: Connecting to
> x.x.acme.com x.x.acme.com:636
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating StreamServer
> tcp port 0.0.0.0:9048
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating TACACSPLUS
> port 0.0.0.0:49
> > Fri Sep 17 12:06:01 2010: DEBUG: Finished reading
> configuration file '/etc/radiator/radius.cfg'
> > Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary
> file '/etc/radiator/dictionary'
> > Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary
> file '/etc/radiator/configs/dictionary.own'
> > Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary
> file '/etc/radiator/goodies/dictionary.cisco'
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating
> authentication port 0.0.0.0:1812
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating accounting
> port 0.0.0.0:1813
> > Fri Sep 17 12:06:01 2010: NOTICE: Server started:
> Radiator 4.5.1 on server2.x.x.acme.com
> > 
> > 
> > Any thoughts on what direction I should look to fix
> the problem?  My hunch is that one of the
> pre-requisites didn't install properly and radiator doesn't
> like something that it sees, but that's just a hunch. 
> I'm not sure how to determine what's making it want to
> restart.
> > 
> > Any help would be much appreciated!
> > 
> > Thanks,
> > -Dan
> > 
> > 
> > 
> > 
> > ___
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> NB: 
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no
> secrets), 
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable
> RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical,
> extensible,
> flexible with hardware, software, platform and database
> independence.
> -
> CATool: Private Certificate Authority for Unix and
> Unix-like systems.
> 
> 
> 
> 


  

[RADIATOR] Radiator keeps restarting

2010-09-17 Thread Dan Pike
Hi,
I've looked through the FAQ and the email archive and haven't stumbled on an 
answer to a problem that I'm having. 

I have radiator running on two servers.  Server #1 seems to be working without 
any problems.  However radiator on server #2 keeps rebooting when I try to have 
a device authenticate using that server.  I'm running a patched version of 
radiator 4.5.1.  Looking at the log files I see the server restart at the same 
point every time, right after it creates the accounting port.  Here's what I'm 
seeing in the logs:


Fri Sep 17 12:06:00 2010: DEBUG: Handling with Radius::AuthGROUP: CheckLDAPServers_Network
Fri Sep 17 12:06:00 2010: DEBUG: Handling with Radius::AuthLDAP2:
Fri Sep 17 12:06:00 2010: INFO: Connecting to x.x.acme.com x.x.acme.com:636
Fri Sep 17 12:06:01 2010: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
Fri Sep 17 12:06:01 2010: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Fri Sep 17 12:06:01 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/configs/dictionary.own'
Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/goodies/dictionary.cisco'
Fri Sep 17 12:06:01 2010: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Sep 17 12:06:01 2010: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Sep 17 12:06:01 2010: NOTICE: Server started: Radiator 4.5.1 on server2.x.x.acme.com


Any thoughts on what direction I should look to fix the problem?  My hunch is 
that one of the pre-requisites didn't install properly and radiator doesn't 
like something that it sees, but that's just a hunch.  I'm not sure how to 
determine what's making it want to restart.

Any help would be much appreciated!

Thanks,
-Dan



  


(RADIATOR) authentication

2003-11-10 Thread Dan Boucaut
Hello,

Is it possible to use different authentication methods based on username.

ie usernameA authenticates to serverA
and usernameB authenticates to serverB ??
thanks

regards
Dan
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


RE: ***SPAM*** (RADIATOR) How to handle CHAP/MSCHAP requests in AuthBy EXTERNAL

2003-10-07 Thread Dan Vande More



Holy cow! Close your open relay and maybe more people will see your questions!
Anyway, you should be able to use perl to handle this, it should do just fine.
 
Dan
 
 

  -Original Message-
  From: Payam Shabanian [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 07, 2003 6:39 AM
  To: [EMAIL PROTECTED]
  Cc: Hugh Irvine
  Subject: ***SPAM*** (RADIATOR) How to handle CHAP/MSCHAP requests in AuthBy EXTERNAL

  How can I handle CHAP/MSCHAP requests in AuthBy EXTERNAL configuration?
  I know that passwords are passed encrypted. But I don't know how to encrypt the real passwords against the received ones.
   


RE: (RADIATOR) allowing logon for fixed hours

2003-09-24 Thread Dan Vande More
Hugh, I don't mean to challenge, but isn't this what she wants?

 Ascend-Maximum-Time="28800"

Thanks!

Dan Vande More

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 4:01 PM
To: Mukesh Karna
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) allowing logon for fixed hours



Hello Mukesh -

You should send a Session-Timeout =  reply attribute:

AddToReply Session-Timeout = nnn

where nnn is the number of seconds the session should last.

Note that it is the NAS that must support this attribute so you should 
do some testing to verify correct operation.

regards

Hugh


On Tuesday, Sep 23, 2003, at 21:22 Australia/Melbourne, Mukesh Karna 
wrote:

> Hi all,
>
> How do I restrict my clients from surfing for not more than x hours in 
> one session and they have to re-logon after every x hours.
>
> rgds,
>
> Mukesh Karna
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



RE: (RADIATOR) How does SQL Fallover work?

2003-09-11 Thread Dan Vande More
If the radius server cannot establish an application-level (or below) connection 
to the database server, for whatever reason, it will try an alternative, or try again.
If the database gives an error, it seems to me radiator denies the authentication 
request but does not assume anything is wrong with the database.
This is the observed behavior of 3.3.1.
I understand the reasoning for your question, and hope this helps.
If you need something to monitor hardware failure, application failure, etc., I 
suggest trying Big Brother/Nagios, or any number of snmp applications.

Dan Vande More

-Original Message-
From: William Hernandez [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 9:53 AM
To: 'Radiator'
Subject: (RADIATOR) How does SQL Fallover work?


Hello everyone,

The Radiator 3.3.1 manual states in Section 6.28 

"AuthBy SQL is tolerant of database failures. If your database
server goes down, Radiator will try to reconnect to a database as
described above, starting again at the first database you
specified."

What does "server goes down" mean? Does it refer to a hardware
failure? Does it mean the SQL Server application goes down? Does
it mean that the particular database for some reason becomes
unavailable and a connection is not possible although the SQL
Server is still running? Does it mean that a connection was made,
but there was an error/problem with the SQL query? All of the
above?

Thanks in advance,

William Hernández



RE: (RADIATOR) Radiator and Mysql under load

2003-08-18 Thread Dan Vande More
You should be just fine with mysql, yahoo finance runs everything under mysql.
I route 2 million messages a day using mysql, (Includes spam preference lookups for 
everyone, destinations, routing, auth, pop3 and IMAP, radiator auth/acct) on one mysql 
(w/ a hot backup of course) 2x Xeon 500Mhz.
You may get even better luck turning on query caching, which can improve speed 
substantially.
http://www.eweek.com/article2/0,3959,293,00.asp
http://www.mysql.com/information/benchmarks.html


-Dan


Queries per second avg: 40.143 


-Original Message-
From: DUFOUR Geoffrey [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2003 9:16 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Radiator and Mysql under load


Hello,
 
We plan to run RADIATOR on RH Linux and authenticate users from a mysql database 
(accounting information will be stored in the same database). We have to work with a 
data model that allows us to handle "group attributes" (reply and check),  "user 
attributes" (reply and check), and a few other things, meaning that the AuthSelect 
query will deal with several tables.
 
We should have up to 50.000 users in the database and 1000 realms in the config file 
(150 CDRs a month).
 
1st question : Knowing all this, do you see any problems running RADIATOR with mysql 
(performance problems, ...). It seems a lot of people are working with MSSQL or Oracle 
databases to authenticate users. 
 
2nd question : Is it a problem for RADIATOR to handle a lot of realms, knowing all the 
information is kept in memory ?

I am concerned about performance.
 
Thanks for your help.
 
Regards.
 
Geoffrey Dufour


RE: (RADIATOR) Subdomain problem [FIXED]

2003-08-14 Thread Dan Vande More
Hugh,

Your solution did not work for the second problem (ISDN static/dynamic IP), but it 
surprisingly DID work for the dsl subdomains.
I'm not really good at radius but should be done reading the rfc by tonight.
This should help in situations like these.
I have another router I'm going to try on this circuit before I do any more radius 
troubleshooting.
In the meantime I will research as to why this may have fixed the subdomain problem.

For those who didn't catch on:

I tried authenticating subdomains (IE dsl.mydomain.com) through a sql database via 
radiator.
Radiator authentication went fine. I have the default recommended table structure (To 
eliminate variables), and switching from authby file to sql broke only certain clients 
in one domain.

Although the records looked complete and radiator debug showed the correct information 
returned, the router did not appear to accept it until I threw these lines into my 
authby sql realm dsl.mydomain.com:


.
AddToReply Service-Type = Framed-User, \
Framed-Protocol = PPP
    


Thanks!

Dan Vande More

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 10:51 AM
To: Dan Vande More
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Subdomain problem



Hello Dan -

It is quite possible that this is due to "Service-Type = Framed-User,  
Framed-Protocol = PPP" not being included in the reply attributes  
(Cisco's especially are very picky about this).

BTW - for common sets of reply attributes you can use an "AddToReply  
" in the AuthBy clause rather than replicating all of the reply  
attributes for every user.

Ie:


.
AddToReply Service-Type = Framed-User, \
Framed-Protocol = PPP


regards

Hugh


On Friday, Aug 8, 2003, at 01:15 Australia/Melbourne, Dan Vande More  
wrote:

> Well this is what I have after making this change.
>
> It appears to keep re-authenticating, over and over again every 7-10  
> seconds.
> Although it appears to give an access accepted, the modem doesn't  
> accept it.
>
> Keep in mind, that this works perfectly on AuthBy File, and dies on  
> SQL.
>
> Maybe I have something wrong in the db conversion, but I used the  
> default table structure included with Radiator, and here is a sample  
> record:
>
> INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]",  
> "mycorrectpassword", NULL, "Service-Type=Framed-User",  
> "Framed-Protocol=PPP,Framed-IP-Address=200.200.132.52,Framed-IP- 
> Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed- 
> Compression=Van-Jacobson-TCP-IP", "999");
>
> Debug info below.
>
> Additionally out of a large amount of ISDN subscribers, I have one  
> particular one I cannot seem to give a static IP to. And if I do, it  
> still takes a dynamic.
> Its db record is seen below:
>
> INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]",  
> "password", NULL, "Service-Type=Framed-User",  
> "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.207,Framed-IP- 
> Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Session- 
> Timeout=14400,Idle-Timeout=600,Framed-Compression=Van-Jacobson-TCP- 
> IP", "999");
>
> Here's a sample of an ISDN record that does keep the static IP every  
> time:
>
> INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]",  
> "password", NULL, "Service-Type=Framed-User",  
> "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.132,Framed-IP- 
> Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed- 
> Compression=Van-Jacobson-TCP-IP,Session-Timeout=14400,Idle- 
> Timeout=600", "999");
>
> I'm debating the fact that it is their router. It seems they have a  
> Cisco 803, and though there are bugs, none of them point to this  
> issue. Nor was I able to find anything close.
>
> Hints? Suggestions?
>
> Thanks!
>
> Dan Vande More
>
> Debug info from issue #1:
>
>
> Mon Aug  4 14:43:45 2003: DEBUG: Packet dump:
> *** Received from 200.200.143.2 port 1645 
> Code:   Access-Request
> Identifier: 48
> Authentic:  he^<205>]<173><3><213><231>v<130><7>p<239><211>T
> Attributes:
> NAS-IP-Address = 200.200.143.2
> NAS-Port = 28
> NAS-Port-Type = Virtual
> User-Name = "[EMAIL PROTECTED]"
> User-Password =  
> "<229><162><139><236>I<225><225><181><150><13>W<249><155>'W

(RADIATOR) Acct-Session-Time Questions

2003-08-14 Thread Dan Vande More
I have a few questions related to Acct-Session-Time. I seem to have answered most of 
them, but some I'm second guessing myself on.

First I see this in my session logs for a distinct user:

Acct-Session-Time = 710920
Acct-Session-Time = 711733
Acct-Session-Time = 712554
Acct-Session-Time = 713450
Acct-Session-Time = 714335
Acct-Session-Time = 715209
Acct-Session-Time = 716083
Acct-Session-Time = 716903
Acct-Session-Time = 717728
Acct-Session-Time = 718596
Acct-Session-Time = 719435
Acct-Session-Time = 720306

So, I'm assuming the Acct-Session-Time is cumulative. 
These numbers descend all the way down to 15, in (random) increments. 

Are these numbers calculated on the fly, by radiator, from the detail file? So if I 
rotate the logfile every month, it starts over on a new log file?

Additionally, are these numbers in seconds (Another assumption I'm making)?

If so, then my math(bc 1.06) shows:

720306/60
12005
12005/60
200

So this user has had 200 hours of active session time?

Thanks!

Dan Vande More



RE: (RADIATOR) Subdomain problem

2003-08-08 Thread Dan Vande More
Well this is what I have after making this change.

It appears to keep re-authenticating, over and over again every 7-10 seconds.
Although it appears to give an access accepted, the modem doesn't accept it.

Keep in mind, that this works perfectly on AuthBy File, and dies on SQL.

Maybe I have something wrong in the db conversion, but I used the default table 
structure included with Radiator, and here is a sample record:

INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "mycorrectpassword", NULL, 
"Service-Type=Framed-User", 
"Framed-Protocol=PPP,Framed-IP-Address=200.200.132.52,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP",
 "999");

Debug info below.

Additionally out of a large amount of ISDN subscribers, I have one particular one I 
cannot seem to give a static IP to. And if I do, it still takes a dynamic.
Its db record is seen below:

INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "password", NULL, 
"Service-Type=Framed-User", 
"Framed-Protocol=PPP,Framed-IP-Address=200.200.139.207,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Session-Timeout=14400,Idle-Timeout=600,Framed-Compression=Van-Jacobson-TCP-IP",
 "999");

Here's a sample of an ISDN record that does keep the static IP every time:

INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "password", NULL, 
"Service-Type=Framed-User", 
"Framed-Protocol=PPP,Framed-IP-Address=200.200.139.132,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP,Session-Timeout=14400,Idle-Timeout=600",
 "999");

I'm debating the fact that it is their router. It seems they have a Cisco 803, and 
though there are bugs, none of them point to this issue. Nor was I able to find 
anything close.

Hints? Suggestions?

Thanks!

Dan Vande More

Debug info from issue #1:


Mon Aug  4 14:43:45 2003: DEBUG: Packet dump:
*** Received from 200.200.143.2 port 1645 
Code:   Access-Request
Identifier: 48
Authentic:  he^<205>]<173><3><213><231>v<130><7>p<239><211>T
Attributes:
NAS-IP-Address = 200.200.143.2
NAS-Port = 28
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
User-Password = "<229><162><139><236>I<225><225><181><150><13>W<249><155>'W<6>"
Service-Type = Framed-User
Framed-Protocol = PPP

Mon Aug  4 14:43:45 2003: DEBUG: Handling request with Handler 'Realm=dsl.mydomain.com'
Mon Aug  4 14:43:45 2003: DEBUG:  Deleting session for [EMAIL PROTECTED], 200.200.143.2, 28
Mon Aug  4 14:43:45 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='200.200.143.2' and NASPORT=028':

Mon Aug  4 14:43:45 2003: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='[EMAIL PROTECTED]'':

Mon Aug  4 14:43:45 2003: DEBUG: Handling with Radius::AuthSQL
Mon Aug  4 14:43:45 2003: DEBUG: Handling with Radius::AuthSQL:
Mon Aug  4 14:43:45 2003: DEBUG: Query is: 'select PASSWORD, CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME = '[EMAIL PROTECTED]'':

Mon Aug  4 14:43:45 2003: DEBUG: Radius::AuthSQL looks for match with [EMAIL PROTECTED]
Mon Aug  4 14:43:45 2003: DEBUG: Radius::AuthSQL ACCEPT:
Mon Aug  4 14:43:45 2003: DEBUG: Access accepted for [EMAIL PROTECTED]
Mon Aug  4 14:43:45 2003: DEBUG: Packet dump:
*** Sending to 200.200.143.2 port 1645 
Code:   Access-Accept
Identifier: 48
Authentic:  he^<205>]<173><3><213><231>v<130><7>p<239><211>T
Attributes:
Framed-IP-Address = 200.200.132.52
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Mon Aug  4 14:43:52 2003: DEBUG: Packet dump:
*** Received from 200.200.143.2 port 1645 
Code:   Access-Request
Identifier: 50
Authentic:  <163>0<206>I<209><251><7><159>.<166><183><143><230><173>b7
Attributes:
NAS-IP-Address = 200.200.143.2
NAS-Port = 28
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
User-Password = "rE<255><144><186>|>n<26>A<173><133>c<253>g<189>"
Service-Type = Framed-User
Framed-Protocol = PPP

Mon Aug  4 14:43:52 2003: DEBUG: Handling request with Handler 'Realm=dsl.mydomain.com'
Mon Aug  4 14:43:52 2003: DEBUG:  Deleting session

(RADIATOR) Subdomain problem

2003-08-02 Thread Dan Vande More
Greetings!

I seem to be having a problem with authenticating certain types of usernames using 
radiator and authby sql.
I finished the upgrade to 3.6 without a hitch, and I am trying to move away from the 
flat file and towards sql.

I've attempted a switch on a certain test segment, and here are my results, as well as 
other data.

I give the test client a login name of [EMAIL PROTECTED] (service could be dsl, isdn, 
etc)

Under Authby file, it works great:

[EMAIL PROTECTED] User-Password = "password"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address =  255.255.255.254,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP

I then imported everything to a sql database (mysql):

INSERT INTO SUBSCRIBERS (USERNAME, PASSWORD, ENCRYPTEDPASSWORD, CHECKATTR, REPLYATTR, 
TIMELEFT) VALUES("[EMAIL PROTECTED]", "password", NULL, "Service-Type=Framed-User", 
"Framed-Protocol=PPP,Framed-IP-Address=255.255.255.254,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP",
 "999");

And I get the request, but my logfile shows:

Fri Aug  1 00:09:33 2003: INFO: Access rejected for [EMAIL PROTECTED]

So is it because I am using subdomains?
Why is it appending @mydefaultrealm.com?
Radiator works fine for everything else, as long as I don't use subdomains.

Any suggestions?
Of course, I am expecting "don't use subdomains" as a response from a few of the 
creative people.

Thanks!

Dan Vande More




Re: (RADIATOR) Radiator + Oracle Bug?

2003-07-21 Thread Dan Melomedman
Hugh Irvine wrote:
> 
> Hello Wesley -
> 
> If the SQL database access times out, Radiator by default will wait 10 
> minutes before trying again.
> 
> You can adjust the Timeout and FailureBackoffTime parameters in the 
> AuthBy SQL clause.
> 
> See sections 6.28.4 and 6.28.5 in the Radiator 3.6 reference manual.
> 
> regards
> 
> Hugh
> 
> 
> On Sunday, Jul 20, 2003, at 19:11 Australia/Melbourne, Wesley Hof wrote:

This shouldn't stop/freeze the perl process though?


Re: (RADIATOR) Database support fault tolerance

2003-06-30 Thread Dan Melomedman
Hugh Irvine wrote:
> 
> Hello Dan -
> 
> It would be fairly simple to have Radiator write to a flat file for 
> accounting, and then have a cron job or similar load the data into the 
> database periodically. You will find a simple utility to do this in the 
> file "goodies/radimportacct".
> 
> regards
> 
> Hugh

A cron job is too dirty of a hack, some other trigger would be better.
What to do about sessions though? They need to find a way to the
database too, unless someone has some specialized (network) session
service written (which I would love to use instead of an SQL DB anyway).


Fwd: Re: (RADIATOR) Database support fault tolerance

2003-06-30 Thread Dan Melomedman
Hugh Irvine wrote:
> 
> Hello Dan -
> 
> It would be fairly simple to have Radiator write to a flat file for 
> accounting, and then have a cron job or similar load the data into the 
> database periodically. You will find a simple utility to do this in the 
> file "goodies/radimportacct".

I was hoping more for something like this included in Radiator's design.
Would benefit many, really.


(RADIATOR) Database support fault tolerance

2003-06-30 Thread Dan Melomedman
Our users are getting sick and tired due to RADIUS service
unavailability every time something happens to the network where the
database server sits, or the database server itself. To remind, we use
LDAP for authentication, and SQL Server for sessions/logging. LDAP has
been great, where database connectivity has been problematic, and a
major pain in the arse in general. In some cases, Radiator would hang if
there are database connection failures. A failure with the unixODBC client
translates into Radiator process failure.

Right now Radiator's availability is directly dependent on the quality
of the Perl libraries, including the database libraries/clients.
Our service could be much more available if SQL was handled by an outside
process with a queue in the middle. If something happens to this SQL
helper process, the network, or the database server, then the queue simply
grows in size, and Radiator continues running happily, authenticating users.
When the problems are fixed, the queue is relayed to the SQL server, and
no logging records are lost. If we want to be fancy, this extra process
may even be temporarily handling sessions in place of RADONLINE (instead of
simply ignoring them returning OK back to Radiator), and notifying
system administrators when it can't talk to the SQL database. This
system is not only a more resilient design, but more scalable too since
Radiator will return as soon as it writes to the queue, not waiting for
the database server.

Please let me know your thoughts; let's discuss this idea further. Thanks.
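The queue-in-the-middle design proposed in the message above, as an added sketch (not part of the original post and not Radiator code): accounting records are appended to a local spool, and a separate forwarder relays them to SQL, leaving them on disk while the database is unreachable. The Spool class, flush(), the JSON-lines spool format and the use of sqlite3 in place of the remote SQL server are assumptions; the table and column names are borrowed from the AcctColumnDef lines quoted elsewhere in this archive.

```python
import contextlib, fcntl, functools, json, os, sqlite3, tempfile

# Assumed names (see lead-in); sqlite3 stands in for the remote SQL server.
COLUMNS = ("USERNAME", "TIME_STAMP", "ACCTSTATUSTYPE", "ACCTSESSIONID", "NASIDENTIFIER")
INSERT = "INSERT OR IGNORE INTO RAD_ACCOUNTING VALUES (?, ?, ?, ?, ?)"
SCHEMA = ("CREATE TABLE IF NOT EXISTS RAD_ACCOUNTING (" + ", ".join(COLUMNS) + ", "
          "UNIQUE (NASIDENTIFIER, ACCTSESSIONID, ACCTSTATUSTYPE, TIME_STAMP))")


class Spool:
    """Durable on-disk queue; the RADIUS side only ever appends to a local file."""

    def __init__(self, directory):
        self.dir = directory
        os.makedirs(directory, exist_ok=True)
        self.current = os.path.join(directory, "current")

    @contextlib.contextmanager
    def _locked(self):
        # Separate lock file, so an append never straddles a rotation.
        with open(os.path.join(self.dir, "lock"), "w") as lf:
            fcntl.flock(lf, fcntl.LOCK_EX)
            try:
                yield
            finally:
                fcntl.flock(lf, fcntl.LOCK_UN)

    def enqueue(self, record):
        # Returns once the record is on local disk; it never touches the database.
        with self._locked(), open(self.current, "a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")
            f.flush()
            os.fsync(f.fileno())

    def batches(self):
        return sorted(n for n in os.listdir(self.dir) if n.startswith("batch-"))

    def rotate(self):
        # Freeze 'current' as the next batch; rename is atomic on POSIX.
        with self._locked():
            if os.path.exists(self.current) and os.path.getsize(self.current):
                done = self.batches()
                seq = int(done[-1][6:]) + 1 if done else 0
                os.rename(self.current, os.path.join(self.dir, "batch-%08d" % seq))

    def pending(self):
        # Records not yet committed to SQL: the queue depth to alert on.
        names = self.batches() + (["current"] if os.path.exists(self.current) else [])
        return sum(len(read_records(os.path.join(self.dir, n))) for n in names)


def read_records(path):
    with open(path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def flush(spool, connect):
    """Relay frozen batches to SQL; returns the number of records committed."""
    spool.rotate()
    relayed = 0
    for name in spool.batches():
        path = os.path.join(spool.dir, name)
        rows = [tuple(r[c] for c in COLUMNS) for r in read_records(path)]
        try:
            # Fresh connection per batch, one transaction: all rows or none.
            with contextlib.closing(connect()) as db, db:
                db.executemany(INSERT, rows)
        except (sqlite3.Error, OSError):
            break  # database unreachable: keep this and later batches for the next run
        os.unlink(path)  # delete only after the commit succeeded
        relayed += len(rows)
    return relayed


def demo():
    """Constructed run: database outage, recovery, then a replayed record."""
    with tempfile.TemporaryDirectory() as work:
        spool, db_path = Spool(os.path.join(work, "spool")), os.path.join(work, "acct.db")
        with contextlib.closing(sqlite3.connect(db_path)) as db:
            db.execute(SCHEMA)
        up = functools.partial(sqlite3.connect, db_path)
        # Constructed outage: the directory does not exist, so connect() fails.
        down = functools.partial(sqlite3.connect, os.path.join(work, "missing", "acct.db"))

        def stored():
            with contextlib.closing(up()) as db:
                return db.execute("SELECT COUNT(*) FROM RAD_ACCOUNTING").fetchone()[0]

        recs = [dict(USERNAME="dan", TIME_STAMP=1030560000 + i, ACCTSTATUSTYPE="Start",
                     ACCTSESSIONID="s%d" % i, NASIDENTIFIER="nas-a") for i in range(3)]
        for r in recs:
            spool.enqueue(r)
        during = (flush(spool, down), spool.pending())         # (0, 3): nothing lost
        after = (flush(spool, up), spool.pending(), stored())  # (3, 0, 3): queue drains
        spool.enqueue(recs[0])                                 # replay of a delivered record
        replay = (flush(spool, up), stored())                  # (1, 3): duplicate ignored
        return during, after, replay


if __name__ == "__main__":
    print(demo())
```

The UNIQUE constraint with INSERT OR IGNORE makes replaying a batch harmless, which matters if the forwarder dies between the commit and the unlink. The value returned by pending() is the one to alert on.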


Re: (RADIATOR) Session Database and MaxSessions

2003-03-03 Thread Dan



Frank, List,
 
Here is a snippet of my clients.cfg file (attached). All of my client
entries look like what I attached.
 
Dan

  - Original Message - 
  From: Frank Danielson 
  To: Dan ; [EMAIL PROTECTED] 
  Sent: Monday, March 03, 2003 1:31 PM
  Subject: RE: (RADIATOR) Session Database and MaxSessions
  
  Dan-
   
  could you also send the clients.cfg (no secrets)?
  
-Original Message-
From: Dan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 12:23 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Session Database and MaxSessions
I have an existing session database. I am now to the point where I need
to control MaxSessions.
 
When I add the MaxSessions 1 to my conf. file I get A LOT of people that
can't log in because it believes the user is still online or maxsession
is exceeded. I know for a fact that these users are not online. Why is it
not letting them online?
 
Is there any other way or proper way to set Radiator up to control
maxsessions when I'm getting my auths from a wholesale provider which
does not support SNMP to the NASes...? How do other people on the list
control simultaneous usage with networks like Uunet, Qwest, Megapop etc.?
 
I have included the log file (Trace 4) with the errors I get when I add
MaxSessions 1. These errors are occurring even when the user is not
trying to do simultaneous connections. I have also attached my conf file.
 
Mon Mar  3 08:06:00 2003: DEBUG: Packet dump:
*** Received from 216.127.139.10 port 3800 
Code:  Access-Request
Identifier: 171
Authentic:  U<143><8><233><171><129><22><252><26>7<148><157>b<21><216>M
Attributes:
 User-Name = "[EMAIL PROTECTED]"
 CHAP-Password = <1>#<134><194><141>c(<29>;<243><168><143>D<168>V<213><172>
 NAS-IP-Address = 67.193.160.36
 NAS-Port = 2052
 NAS-Port-Type = Async
 Service-Type = Framed-User
 Framed-Protocol = PPP
 State = ""
 Called-Station-Id = ""
 Acct-Session-Id = "388570715"
 Ascend-Data-Rate = 26400
 Ascend-Xmit-Rate = 50667
 network = "u2"

Mon Mar  3 08:06:00 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Mar  3 08:06:00 2003: DEBUG:  Deleting session for [EMAIL PROTECTED], 67.193.160.36, 2052
Mon Mar  3 08:06:00 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='67.193.160.36' and NASPORT=02052

Mon Mar  3 08:06:00 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where [EMAIL PROTECTED]

Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 13, 388532462  67.193.119.193
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 3203, 388529606  67.193.119.73
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2121, 388518728  67.193.119.57
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2244, 388501182  67.193.119.57
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 111, 388543128  67.193.119.187
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 17, 376236234  67.193.170.23
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2065, 388528348  67.193.119.93
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 2059, 376233805  67.193.170.77
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 209, 376233644  67.193.170.4

(RADIATOR) Session Database and MaxSessions

2003-03-03 Thread Dan



I have an existing session database. I am now to the point where I need
to control MaxSessions.
 
When I add the MaxSessions 1 to my conf. file I get A LOT of people that
can't log in because it believes the user is still online or maxsession
is exceeded. I know for a fact that these users are not online. Why is it
not letting them online?
 
Is there any other way or proper way to set Radiator up to control
maxsessions when I'm getting my auths from a wholesale provider which
does not support SNMP to the NASes...? How do other people on the list
control simultaneous usage with networks like Uunet, Qwest, Megapop etc.?
 
I have included the log file (Trace 4) with the errors I get when I add
MaxSessions 1. These errors are occurring even when the user is not
trying to do simultaneous connections. I have also attached my conf file.
 
Mon Mar  3 08:06:00 2003: DEBUG: Packet dump:
*** Received from 216.127.139.10 port 3800 
Code:  Access-Request
Identifier: 171
Authentic:  U<143><8><233><171><129><22><252><26>7<148><157>b<21><216>M
Attributes:
 User-Name = "[EMAIL PROTECTED]"
 CHAP-Password = <1>#<134><194><141>c(<29>;<243><168><143>D<168>V<213><172>
 NAS-IP-Address = 67.193.160.36
 NAS-Port = 2052
 NAS-Port-Type = Async
 Service-Type = Framed-User
 Framed-Protocol = PPP
 State = ""
 Called-Station-Id = ""
 Acct-Session-Id = "388570715"
 Ascend-Data-Rate = 26400
 Ascend-Xmit-Rate = 50667
 network = "u2"

Mon Mar  3 08:06:00 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Mar  3 08:06:00 2003: DEBUG:  Deleting session for [EMAIL PROTECTED], 67.193.160.36, 2052
Mon Mar  3 08:06:00 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='67.193.160.36' and NASPORT=02052

Mon Mar  3 08:06:00 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where [EMAIL PROTECTED]

Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 13, 388532462  67.193.119.193
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 3203, 388529606  67.193.119.73
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2121, 388518728  67.193.119.57
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2244, 388501182  67.193.119.57
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 111, 388543128  67.193.119.187
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 17, 376236234  67.193.170.23
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2065, 388528348  67.193.119.93
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 2059, 376233805  67.193.170.77
Mon Mar  3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 209, 376233644  67.193.170.44
Mon Mar  3 08:06:01 2003: INFO: Access rejected for [EMAIL PROTECTED]: MaxSessions exceeded
Mon Mar  3 08:06:01 2003: DEBUG: Packet dump:
*** Sending to 216.127.139.10 port 3800 
Code:  Access-Reject
Identifier: 171
Authentic:  U<143><8><233><171><129><22><252><26>7<148><157>b<21><216>M
Attributes:
 Reply-Message = "Request Denied"

# common-sql.cfg
#
# Example Radiator configuration file that allows you to
# authenticate from an SQL database.
# With Radiator you can interface with almost any database schema,
# and there are many more configurable parameters that allow you
# to control database fallback, select statements, column names
# and arrangements etc etc etc.
# See the reference manual for more details.
# This is a very simple example to get you started. It will
# work with the tables created by the goodies/*.sql scripts.
#
# You should consider this file to be a starting point only
# $Id: sql.cfg,v 1.5 2000/11/07 21:18:05 mikem Exp $

Foreground
LogStdout
LogDir  .
DbDir   .
Trace   4
DictionaryFile %D/dictionary.ascend2
include %D/clients.cfg


# This will authenticate users from SUBSCRIBERS


MaxSessions 1


# Adjust DBSource, DB

(RADIATOR) Radius Stalls

2003-02-24 Thread Dan V
We are running radius on a separate box than our sql db.

I'm having a weird problem with Radiator when I restart radiusd for conf file 
changes. It starts up and appears to be taking requests, but I get a LOT of 
server time-outs doing local tests, and end users also have a problem getting 
authenticated. When doing local tests it authenticates every, say, 10th-15th 
request. 

OK... now the really weird thing... I can stop and start radiusd continuously, 
say 100 times, and 'voila', Radiator starts taking requests again beautifully 
and the way it's supposed to.

The radiator server and the sql server are robust machines showing little 
load.

What would cause this?
Why would it work after stop/starting it numerous times?

Dan



(RADIATOR) Two miniscule timestamp patches

2003-02-13 Thread Dan Melomedman
I need to log to stdout without the timestamp (because I use multilog
for automatic rotation and TAI timestamps), so here is NoTimestamp. Hope
it's okay to send to the mailing list, and it's useful to someone.

--- Log.pm  Wed May 22 22:03:18 2002
+++ /usr/local/lib/perl5/site_perl/5.8.0/Radius/Log.pm  Thu Feb 13 18:10:12 2003
@@ -52,8 +52,13 @@
 my ($priority, $s, $p) = @_;
 
 # Print to stdout as well, if required
-print scalar localtime(time) . ': ' 
-   . $Radius::Log::priorityToString[$priority] . ': ' . $s . "\n"
+if (!$main::config->{NoTimestamp}) 
+{
+  print scalar localtime(time) . ': ' ;
+
+}
+
+   print $Radius::Log::priorityToString[$priority] . ': ' . $s . "\n"
if $main::config->{LogStdout} 
&& ($priority <= $main::config->{Trace} 
   || ($p && $p->{PacketTrace}));
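Review bot: In the Log.pm hunk the new `if (!$main::config->{NoTimestamp})` block sits outside the trailing `if $main::config->{LogStdout} && ($priority <= $main::config->{Trace} || ...)` modifier, which now guards only the second `print`. As written, the timestamp is printed on every log call when NoTimestamp is unset, even when LogStdout is off or the message is above the Trace level, so stdout receives bare timestamp fragments with no message and no newline. Suggest keeping the original single guarded print and making only the prefix conditional, for example by concatenating `($main::config->{NoTimestamp} ? '' : scalar localtime(time) . ': ')` in front of the priority string.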

--- ServerConfig.pm Fri Nov 29 01:10:02 2002
+++ /usr/local/lib/perl5/site_perl/5.8.0/Radius/ServerConfig.pm Thu Feb 13 18:03:05 
+2003
@@ -22,6 +22,7 @@
  'DictionaryFile' => 'string',
  'PidFile'=> 'string',
  'LogStdout'  => 'flag',
+ 'NoTimestamp'=> 'flag',
  'SnmpgetProg'=> 'string',
  'SnmpsetProg'=> 'string',
  'SnmpwalkProg'   => 'string',
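Review bot: 'NoTimestamp' is registered in ServerConfig.pm as a global flag with a generic name, but the Log.pm hunk only changes the "Print to stdout as well" path, so the name promises more than the patch delivers. Suggest a name tied to LogStdout, next to which it is listed here, and a reference manual entry stating that the flag only suppresses the timestamp on stdout output. The file header for ServerConfig.pm is also wrapped onto a second line beginning `+2003`, which will need repairing before the patch is applied.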



Re: (RADIATOR) Concurrent access in SessDBM.

2003-02-07 Thread Dan Melomedman
Hugh Irvine wrote:
> 
> Hello Dan -
> 
> DBM locking is not supported and we find that most Radiator users have 
> an SQL database for billing and customer management already, so an SQL 
> session database (which supports locking, multiple access, etc.) tends 
> to make more sense.

Hi Hugh.

We use LDAP for customer management (much better). Also RDBMS is not
a requirement for either sessions, or accounting. We are using RDBMS for
accounting records, but the _only_ reason why we're using RDBMS for
sessions is lack of concurrent access in SessDBM.




(RADIATOR) Concurrent access in SessDBM.

2003-02-07 Thread Dan Melomedman
Would it be feasible to add locking to SessDBM such that we have
multiple readers and one writer to the DBM file? The session
database doesn't need any relational features, and the related bloat and
bugs. Look at what it takes just to set up a reliable database connection.



Re: (RADIATOR) Rodopi & Radiator

2003-02-06 Thread Dan Melomedman
Tim Jung wrote:
> I am still stuck if anyone has any suggestions.

First, you need to be asking these questions on the FreeTDS mailing
list. Other than that, I would compile sqsh against the FreeTDS library,
and use sqsh to log in with the SQL Server account and database to
verify access. You can also log error messages with SQL Server itself,
and then view them with NT event viewer. Make sure the FreeTDS library
is not compiled with pthread support.

Another option may be compiling DBD:Sybase against Sybase's OpenClient
libraries. May cost money. So far my experience with database
connectivity from Perl on Unix to Windows has been very bad.



Re: (RADIATOR) FreeTDS & DBD-Sybase Install

2003-02-05 Thread Dan Melomedman
Tim Jung wrote:
> I found this out from the author of the DBD::Sybase module. He posted this
> to the FreeTDS mailing list back in October 2002. He is specifically
> talking about the errors that are generated when you run the 'make test'
> option on the DBD::Sybase module using FreeTDS.
> 
> So it would look like that until more work is done on FreeTDS that it
> doesn't support 100% of everything that MS-SQL is capable of doing. Thus

Exactly. However, everything Radiator needs by default is supported. The
reason why we dropped FreeTDS is because it didn't know how to handle
broken connections, and hung perl. We still use FreeTDS with PHP. It's
quirky, but we got it to work for what we need it to do.

> the DBD::Sybase won't pass all the 'make test' tests using FreeTDS v0.60 or
> the CVS version v0.61 as of today. I guess it is possible that the release
> version of v0.61 might up the level of support though. Although it would
> seem than 85%-86% support isn't too bad for an Open Source package talking
> to a commercial closed source database. :)

Knowing that they don't have specs and need to reverse engineer, it's an
achievement, however they had problems such as memory leaks and buffer
overflows/segfaults in FreeTDS, which suggests they put features first, and
stability/quality second. Not good.

> So the question that remains is which version of the TDS protocol is needed
> to talk with MS-SQL 7.0 SP3 so Radiator can talk to the Rodopi databases?
> Should I use the 4.2 protocol or the 7.0 protocol? Specifically I am
> interested in using the "Auth Rodopi" stuff in Radiator. Anyone here know
> for sure?

If you read their documentation you'd know it's TDS 7.0. Have fun.



Re: (RADIATOR) Different NASes, same realms

2003-02-04 Thread Dan Melomedman
Hugh Irvine wrote:
> 
> Hello Dan -
> 
> The best way to do this sort of thing is like this:
> 
> # define Client clauses
> 
> 
>   Identifier Ascend-Type-A
>   .
> 

> 
>   AuthBy Auth-Ascend-Type-A
>   ..
> 

Ouch, I missed client identifiers in the documentation.
Are there any plans to reorganize documentation into multiple 
HTML pages?



(RADIATOR) Different NASes, same realms

2003-02-04 Thread Dan Melomedman
We are getting into compatibility problems with different Ascend NASes
from our providers, which requires us to run different AuthBy for each.
Since we use them with the same realms, what is the best way to 
differentiate NASes? Rewrite realms to something weird like
realm.com-provider in the s? Any other way? Thanks.



Re: (RADIATOR) radiator stops ...

2003-02-03 Thread 'Dan Melomedman'
> 
> Hmm ... I guess the answer is YMMV, then.
> 
> To anyone looking for solutions like this, I would say that Easysoft were
> very helpful getting their stuff up and running, and your best bet is
> probably to try both. It was certainly better than Openlink, and I believe
> their pricing is more competitive as well.
> 
> But I'll stick with FreeTDS myself, thanks.

Their support is very good indeed. There was a bug in UnixODBC dropped
connection handling, which was fixed right after I reported it.

My gripe is it takes so much bloat just to access databases. ODBC
manager, ODBC driver, perl ODBC modules.



Re: (RADIATOR) radiator stops ...

2003-02-03 Thread 'Dan Melomedman'
Matthew Trout wrote:
> > Of course Easysoft OOB is even better as far as
> > compatibility/reliability are concerned, albeit at a higher cost.
> 
> You're kidding, right?
> 
> In production use, Easysoft is absolutely lovely bar for one minor 'feature'
> (at least in the version I had) - if the NT side of the Easysoft bridge hits
> the full number of permitted threads it then refuses to accept any further
> connections without a stop/start on the service. I got bored of trying to

We didn't have problems you had with it. In fact we switched from
FreeTDS to OOB because FreeTDS was too flaky for us.



Re: (RADIATOR) radiator stops ...

2003-01-30 Thread Dan Melomedman
Matthew Trout wrote:
> I'd suggest dumping openlink as well; it's overpriced and the windows side
> (last time I had to suffer it) was far from production-grade reliability. If
> you're trying to connect to an MS SQL Server from *n?x, I've found FreeTDS
> (www.freetds.org) to be far superior, and a lot faster since TDS has a lot
> less overhead than ODBC. DBD::Sybase will build quite happily against
> FreeTDS, at which point you could use it with Radiator quite happily.

Of course Easysoft OOB is even better as far as
compatibility/reliability are concerned, albeit at a higher cost.



(RADIATOR) GlobalVar

2003-01-27 Thread Dan Melomedman
I am tidying up my configuration files, and I find that GlobalVars don't
work everywhere. I look at the documentation, and it doesn't tell me
where they do not work. Variables like LDAP passwords and filters
that I found by trial and error do not work. LDAP host does work, but
then, in the log file the variable name is reported instead of the
variable value.



Re: (RADIATOR) Auth-Type and LDAP

2003-01-27 Thread Dan Melomedman
Enrique Diez wrote:
> Hi All,
> I would like to know if there is an LDAP-Attribute (customized or
> standardized) in order to define the kind of authentication required for an
> user entry.
> For example, a user LDAP entry can be validated by the Radiator Radius
> Server via /etc/unix/password or a remote radius or ACE/SERVER according to
> the value of an "Auth-type" LDAP attribute.

We use objectClass. If a user's LDAP entry allows dial-up
authentication, then his objectclass attribute will include
'dialUpUser' value. The Radiator LDAP filters are set accordingly.



Re: (RADIATOR) Connecting from linux to SQL 2000

2002-12-27 Thread Dan Melomedman
Matthew Hobbs wrote:
> Currently I'm using DBI:Sybase on Mandrake 8.2 to connect to MS SQL 6.5
> All works well
> Looking at FreeTDS (0.6) its says it can connect to SQL 2000 using DBI::Sybase
> is this true ?

This is a question for the FreeTDS list. I just tried FreeTDS 0.53, with
TDS version set to 7.0 with MS SQL 2000. Seems to work.



Re: (RADIATOR) MySQL + Radiator = Hang

2002-12-27 Thread Dan Melomedman
Tony Bunce wrote:
> We have radiator setup on two servers using a MS SQL server for user
> authentication and mysql for accounting.

If you're using unixODBC 2.2.3 or earlier, upgrade.



Re: (RADIATOR) Re: (RADAR) RADAR without X

2002-12-10 Thread Dan Melomedman
> StatsLog clause. And if you want a tool to restart Radiator 
> automatically and let you know why it did so, you should use the 
> "restartWrapper" utility provided in the goodies directory for this 
> purpose. See the relevant sections of the Radiator 3.4 reference manual.

Another (very convenient) way to automatically restart Radiator is to
use daemontools. One more way, on systems whose init supports it, is to
specify in /etc/inittab that radiusd should be started on boot and
restarted on exit. Autorestart is important especially if you use ODBC,
since the perl process likes to segfault with some ODBC drivers
(especially when an idle connection is dropped by the ODBC server or a
firewall).

This leads me to ask this question. Could any subscribed users comment
on Easysoft's OOB? We went from FreeTDS to OOB, and perl still segfaults
on dropped connections from the OOB server. Dropped connections should
result in graceful reconnects, not given up on with a segfault (note this
is not a Radiator issue, the DBD-ODBC, DBI, unixODBC, and OOB driver are
suspects here. But where to start looking for the bug?).



(RADIATOR) Sessions

2002-12-04 Thread Dan Melomedman
Hi. Our Radiator needs to authenticate more than one service from the same
realm. We need to guarantee that a user can get one session per each
service with the same account, but only one session. For example, once a
user has authenticated for dial-up, he wants to use a VPN client - one
more session, but for a different service. The trick is a user must not
be allowed to get more than one session for either service. What needs
to be done? A separate session DB for each handler? Anything else?
Thanks.



(RADIATOR) mssql and config file

2002-10-17 Thread Dan V
I'm running into a problem with not being able to authenticate via the test
utility. Here is my config file... I'm wanting to authenticate and do
accounting out of the MSSQL db. I can start up radiusd with no problems and
no errors until I try running a testuser through the test utility... I get
"bad authenticator" from the test utility... but accounting works fine...
and from the log I get "Bad attribute =value pair". What am I missing? I'm
pretty sure I have everything in the DB correctly. Heck, I dunno... that's
why I'm asking.
 


DBSource    dbi:ODBC:radiusdb
DBUsername  sa
DBAuth  dbpassword
AuthSelect select radiusname, password, checkattr, replyattr from RADIUSCUSTOMERTEST where radiusname= %0

AccountingTable RAD_ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address

AcctFailedLogFileName %D/missedaccounting






Re: (RADIATOR) Mac OS X Questions

2002-10-12 Thread Dan Melomedman
Marcel Brown wrote:
> A few more questions regarding Mac OS X and MS SQL access
> 
> If connecting to MS SQL from ODBC on UNIX requires an ODBC driver, 
> where can I get a driver? Do people here have experience with this on 
> Mac OS X?
> 
> I keep reading that DBD-Sybase is compatible with MS-SQL. If I were 
> to use DBD-Sybase instead of DBD-ODBC, do I still need an additional 
> driver? Anyone here have experience using DBD-Sybase for MS SQL with 
> any UNIX, not just Mac OS X?
> 
> Thanks!
> Marcel
> 

Try FreeTDS first. We had more success with ODBC-ODBC bridge.



Re: (RADIATOR) radiator stop without a reason

2002-09-05 Thread Dan Melomedman

Paulo Sousa wrote:
> 
> Dan
> 
> I'm currently use libdbd-sybase-perl (that depends freetds), running
> debian GNU/Linux woody 3.0 :)
> Do u know how i can resolve that???

Not yet.



Re: (RADIATOR) SQL Server Connection Handling

2002-09-05 Thread 'Dan Melomedman'

Patrick Muldoon(NOC) wrote:
> We use DBD::Sybase with FreeTDS to connect to MSSQL Server 2000 from
> FreeBSD, and it works great, have never had any trouble. 
> 
> What version of FreeTDS are you using?
> 
> You can also do some debugging with FreeTDS to see if it is the one
> hanging. 
> http://www.freetds.org/userguide/x1873.htm#AEN1877
> 
> Hope this helps,
> 
> -Patrick

I am happy for you. We are using MSSQL 7.0, with service pack 2. We also
use FreeTDS with PHP, and had some minor problems, but nothing major.
There are/were many really screwy problems with FreeTDS like memory leaks
and segfaults, and part of the problem is the reverse engineering, but
it's a good suspect.

We're always using the latest version of FreeTDS, and AFAIK it's been
0.53 for quite a while. This server hang problem is very irritating, and
ambiguity of it really sucks. Where to look? DBD:Sybase? FreeTDS? MSSQL?
So many layers.

Does anyone on this list use MSSQL with Sybase client libraries by any
chance? UnixODBC or iODBC with a commercial ODBC driver? What are your
results? I've used Sybase client libraries with MSSQL 6.5 in the past
with good results. Had more problems with 7.0. BTW, FreeTDS have a 
very early version of an ODBC driver. They're willing to finish it
if you sponsor them. If FreeTDS makes you a profit, may as well
support the developers :)



Re: (RADIATOR) SQL Server Connection Handling

2002-09-05 Thread Dan Melomedman

Mike McCauley wrote:
> Hi Dan,
> 
> OK,
> 
> here is a new version of SqlDb.pm that implements a new DisconnectAfterQuery 
> flag. This will cause AuthBy SQL and other SQL users to disconnect after 
> every SQL 'do' and after every 'getOneRow'.
> 
> Let me know how you go.
> 
> Cheers.
> 

Thanks for all your effort, Mike. The problem didn't go away, however.
I am suspecting a FreeTDS problem now. Server just hangs. 'top' shows
it's in 'sbwait' state. 'netstat' shows an open connection to the MS SQL
machine.

Paulo Sousa's Radiator also hangs, by the way. They use MS SQL too.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) radiator stop without a reason

2002-09-05 Thread Dan Melomedman

Paulo Sousa wrote:
> 
> 
> Hi Dan
> 
> I'm using a linux box that auths on M$ SQL Server. :)
> 
> Paulo Sousa
> 

We have exactly the same problem. You are using FreeTDS?



Re: (RADIATOR) radiator stop without a reason

2002-09-04 Thread Dan Melomedman

Hugh Irvine wrote:
> 
> Hello Paul -
> 
> I will need to know what hardware/software platform you are using and I 
> will need to see a copy of your configuration file (no secrets) together 
> with a trace 4 debug showing what is happening. I will also need to know 
> what version of Radiator you are running.
> 
> regards
> 
> Hugh
> 
> 
> On Thursday, September 5, 2002, at 03:36 AM, Paulo Sousa wrote:
> 

Are you using MSSQL by any chance?



Re: (RADIATOR) SQL Server Connection Handling

2002-08-29 Thread Dan Melomedman

Mike McCauley wrote:
> On Wed, 28 Aug 2002 08:32, Hugh Irvine wrote:
> > Hello Dan -
> >
> > I would have to suggest that you use a more sensible database.
> 
> Of course that there might be other reasons that prevent you from doing that.
> 
> I am a bit puzzled though: I would normally expect Radiator to attempt to 
> reconnect and have another go after failing to execute that query the first 
> time?
> 
> Perhaps if you send more of the trace file we might see if that is happening?
> 
> Cheers.
> 
Here's what happens:

1) If the server has been writing to MSSQL server frequently, no problems.
2) If the server has not written anything over TCP connection to MSSQL
in quite a long while, the server is blocked. Any subsequent
requests to the server fail. This is the last thing in the log before a
block:

Wed Aug 28 18:58:52 2002 707093: DEBUG: do query is: insert into
failedattempts
(LoggedAt,User_Name,NAS_IP_Address,Caller_ID,NAS_Port,Failure_Message,
Active_Handler) values ('2002-08-28
18:58:52.000','dan','203.63.154.1','987654321','1234','''Bad
Password''', 'prodnetilla') .

I suspect a problem may be with FreeTDS libraries, DBD::Sybase, or MSSQL
server itself. Unfortunately I can't use a different database for
logging for bureaucratic reasons.

A connect-log-disconnect feature would be a quick fix for this. It would
also allow some people simple load balancing with round-robin DNS to
boot.



Re: (RADIATOR) SQL Server Connection Handling

2002-08-27 Thread Dan Melomedman

Mike McCauley wrote:
> It's a first for me too.
> I could conceive of a 'DisconnectAfterQuery' flag that would disconnect after 
> every SQL query was finished, but I'm reluctant to add it since I don't think 
> it would be widely useful, and when it was used it would significantly slow 
> things down.

Performance is not an issue for us right now, since we barely get a few
dozen authentications per day.

> Do I understand from the below that you are connecting to MS-SQL from Radiator 
> running on a FreeBSD box?
> 
> We haven't heard of similar behaviour, even from FreeBSD to MS-SQL. It is 
> possible that using keep-alives or similar might alleviate the problem?
> 
> Cheers.

The problem is our MS SQL Server 7.0 (yuck!), service pack 2 drops connections if
they're idle for a long enough time:

Tue Aug 13 09:39:24 2002: ERR: do failed for 'insert into failedattempts
(LoggedAt,User_Name,NAS_IP_Address,Caller_ID,NAS_Port,Failure_Message,
Active_Handler) values ('2002-08-13 09:39:24.000','soconnell','10.0.2.201','',
'29374','''Bad Password''','prodnetilla')': Server message number=10018 severity=9 
state=0 line=0
server=OpenClient text=The connection was closed

I am just looking for a quick work-around. MS' site actually has a blurb about 
configuring time-outs
for DB connections, but we couldn't find such an option at least for our
service pack.



Re: (RADIATOR) SQL Server Connection Handling

2002-08-26 Thread Dan Melomedman

Hugh Irvine wrote:
> 
> Hello Dan -
> 
> Can you please tell me what database you are using and what platform?
> 
> thanks
> 
> Hugh

I thought SQL Server implied MS SQL Server :). This is FreeBSD. Anyway,
we need connect-log-disconnect behavior instead of the current
implementation.



(RADIATOR) SQL Server Connection Handling

2002-08-26 Thread Dan Melomedman

Hi. Is it possible to quickly disable persistent connections for SQL
logging? Persistent connections do not work well with our SQL Server,
since they time out. Short failure backoff times do not help either
since I think any DB connection failure trips the RADIUS authentication code
on the devices we authenticate (they stop talking to Radiator).



Re: (RADIATOR) Memory leak in one of the modules or perl executable.

2002-07-23 Thread Dan Melomedman

Hugh Irvine writes: 

> 
> Hello Dan - 
> 
> Mike is travelling this week, but he will look at this when he returns. 
> 
> In the meantime, can you please tell me how you are testing? And could you 
> also send me the details of how you are testing and the outputs of "ps", 
> "top" or whatever you are using to measure the memory usage? Also please 
> include anything else that might be useful in tracing the problem. 
> 
> thanks and regards 
> 
> Hugh
 

I am running radpwtst on the same machine recursively with a simple bash 
script, which does a correct query. Radiator authenticates using AuthBy 
TEST. Until I stop it. 

 

This is before the script is run: 

ps auxw | egrep 'CPU|radiusd' 

USER     PID  %CPU  %MEM    VSZ   RSS  TT  STAT  STARTED     TIME  COMMAND
radiusd 2202   0.1   0.6   8156  7760  p0  S+     6:34PM  0:01.08  /usr/local/bin/perl /usr/local/bin/radiusd -config_file ./test.cfg

 

And after the script is finished (a few hundred queries): 

radiusd 2202   0.7   0.7  10196  9756  p0  S+     6:34PM  0:07.74  /usr/local/bin/perl /usr/local/bin/radiusd -config_file ./test.cf 

Note the difference in size and resident set size values. If the server and 
client are left to run longer, it will be so large that it will need to be 
restarted. I can do this automatically with daemontools, but it is not a 
fix. 

This is not due to a module load, since even on the first query, the 
process does not jump megabytes in size. 

Thanks.



(RADIATOR) Memory leak in one of the modules or perl executable.

2002-07-23 Thread Dan Melomedman

I noticed the perl process is growing linearly as the requests come in. 
Grows in size quite rapidly, eventually needs to be restarted. I suspected 
FreeTDS or OpenLDAP libraries (and these may too have leaks and probably do, 
but that testing is  later). 

To see if it could be something else, I created a simple config file with 
just AuthByTEST. Still leaks. This is on FreeBSD 4.5-STABLE and Perl 5.6.1. 
Perl 5.8.0 also leaks when running Radiator. Time::Hires is also installed. 
No other modules were used for this test. 

Here's my config (with fake system-related data): 

LogStdout
PidFile /tmp/testradiusd.pid
AuthPort 1898
AcctPort 1899
BindAddress ip.add.re.ss
LogDir  /tmp
DbDir   /tmp
DictionaryFile /blah/blah/dictionary 


   NoIgnoreDuplicates Access-Request #for testing only
   Secret  test
   RewriteUsername s/^(.*)\-(.*)/$1\@$2/ #user-org to user@org
   DefaultRealm test
 


   Identifier test
 


   Identifier test
   AuthBy test
 




Re: (RADIATOR) LDAP and CHAP

2002-07-16 Thread Dan Melomedman

Ayotunde Itayemi writes: 

> Hi, 
> 
> Depending on your patience, number of clients and time, you could get Mobius
> Freeware's
> w32crack - run it continuously for a few days after extracting the username
> and encrypted

This cannot help us, since we do not use NT user database. 



Re: (RADIATOR) LDAP and CHAP

2002-07-16 Thread Dan Melomedman

Hugh Irvine writes: 

> 
> Hello Dan - 
> 
> You can use CHAP with any database, however the password stored therein 
> *must* be in cleartext, as you can only use cleartext passwords with CHAP. 
> 
> regards 
> 
> Hugh

The problem is all our dial-ups have hashed passwords, and returning them to 
clear text would be impossible. 

The problem is Broadwing now requires CHAP for some of the POPs, and doesn't 
for others. Are there any work-arounds for this? Thanks. 
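
Why the CHAP requirement quoted in the message above cannot be met from a hashed password store, as an added example (not Radiator's code and not something posted to the list). It follows the CHAP computation of RFC 1994 and the RADIUS CHAP-Password layout of RFC 2865; the salted SHA-256 store, the sample password and the function names are assumptions made for illustration.

```python
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS forwards in CHAP-Password: 1 ident octet + 16 response octets."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever secret is stored."""
    if len(attr) != 17:
        return False
    expected = chap_response(attr[0], stored_secret, challenge)
    return hmac.compare_digest(expected, attr[1:])


def hash_for_directory(password: bytes, salt: bytes) -> bytes:
    """Assumed directory hash (salted SHA-256); stands in for any one-way scheme."""
    return hashlib.sha256(salt + password).digest()


def verify_pap(submitted: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash it and compare."""
    return hmac.compare_digest(hash_for_directory(submitted, salt), stored_hash)


def demo() -> dict:
    # Constructed sample values; a real challenge is random per attempt.
    password = b"constructed-password"
    salt = b"\x01\x02\x03\x04"
    challenge = bytes(range(16))
    stored_hash = hash_for_directory(password, salt)
    attr = chap_password_attr(7, password, challenge)
    wrong = chap_password_attr(7, b"guess", challenge)
    return {
        # PAP works with a hashed store.
        "pap_vs_hash": verify_pap(password, salt, stored_hash),
        # CHAP works only when the server holds the cleartext.
        "chap_vs_cleartext": verify_chap(attr, challenge, password),
        # With only the hash, the correct user is rejected: the server
        # cannot reproduce MD5(id || password || challenge).
        "chap_vs_hash": verify_chap(attr, challenge, stored_hash),
        "chap_wrong_password": verify_chap(wrong, challenge, password),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```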



(RADIATOR) LDAP and CHAP

2002-07-15 Thread Dan Melomedman

Does Radiator allow CHAP passwords with LDAP databases? Thanks.



(RADIATOR) Our Interesting Requirement for Radiator

2002-05-15 Thread Dan Melomedman

Hi. Here's what's required by our installation. We have our account entries in 
the LDAP directory. Every account can be authenticated using RADIUS for 
several services like VPN tunnels, dial-up etc. There needs to be an 
expiration date for each type of service. IOW there's a different 
expiration date attribute for each RADIUS-authenticated service. From what 
I've read in the docs, Radiator only supports one expiration attribute per 
directory entry natively. We need an ability to configure a separate 
expiration date attribute for each service an LDAP entry could authenticate. 
Is there any way we can achieve what I've described above? Thanks much. 

-- 
Excessive functionality is a root to security disasters. 



(RADIATOR) Logging Active Handler

2002-05-02 Thread Dan Melomedman

Hi. 

I need to log active handler identifier to the SQL table. In other words, 
the handler where the failure occurs should be logged. What do I need to do? 
I read documentation, but it's not exactly clear to me as how to do it. 

-- 
History has shown that the road to injustice is frequently lit with the 
light of good intention 



(RADIATOR) Failed Attempts, Time::HiRes

2002-04-30 Thread Dan Melomedman

Hi. 

A few questions: 

How to log failed attempts to an SQL database?
The table will look something like this: 

Column_name            Type      Length  Nullable
---------------------  --------  ------  --------
LoggedAt               datetime  8       yes
User_Name              varchar   255     yes
NAS_IP_Address         varchar   255     yes
Authen_Failure_Reason  varchar   255     yes
Author_Failure_Reason  varchar   255     yes
Caller_ID              varchar   255     yes
NAS_Port               varchar   255     yes
Source_NAS             varchar   255     yes
Description            varchar   255     yes


I also installed the Time::HiRes module, but Radiator refuses to log with 
microseconds without any warning messages. Yes, I restarted the server 
completely, instead of SIGHUP. 

Also, some attributes are not found in the dictionary, I am using 'ascend2' 
in addition to 'dictionary'. I suspect these are proprietary Cisco 
attributes which are in the packet trace. Should I worry about this, or 
what's a quick and dirty method of disabling these error messages so they do 
not fill up the log? Thanks. 



Re: (RADIATOR) Logging Accounting to SQL without SQL authentication

2002-04-27 Thread Dan Melomedman

Hugh Irvine writes: 

> 
>   Identifier SQLAccounting
>   ..
>   AuthSelect
>   AccountingTable ACCOUNTING
>   AcctColumnDef .
>   ..
> 

> 
>   AuthByPolicy ContinueAlways
>   AuthBy SQLAccounting
>   AuthBy CheckLDAP
>   .
> 
 

Thanks. It's  great it works, but it's a work around. SQL accounting should 
be independent of AuthBy SQL. Next version maybe? :)



(RADIATOR) Logging Accounting to SQL without SQL authentication

2002-04-26 Thread Dan Melomedman

Hi. We want to log accounting to our SQL DB, but we are using LDAP DB for 
authentication. What can we do?  doesn't mention 
AccountingTable functionality from . Thanks.



(RADIATOR) mikem user possible hack attempt?

2002-03-25 Thread Dan Boucaut

Hello,

I have pulled the following output from my logfile. As you can see there 
is a user called mikem which says he is coming from open.com.au ( which 
I believe is spoofed). I believe this is an attempt to get through with 
default radius user settings.

has anyone else seen this? any way to find out where the packets are 
coming from?


thanks
Dan Boucaut


Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 
Code:   Access-Request
Identifier: 193
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = 
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:43 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:43 2002: INFO: Access rejected for mikem: NT 
Authentication failed: Logon Error (3)
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 
Code:   Access-Reject
Identifier: 193
Authentic:  1234567890123456
Attributes:
Reply-Message = "Request Denied"

Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 
Code:   Accounting-Request
Identifier: 194
Authentic:  
<253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"

Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:43 2002: DEBUG:  Adding session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 
Code:   Accounting-Response
Identifier: 194
Authentic:  
<253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145>
Attributes:

Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066 
Code:   Accounting-Request
Identifier: 195
Authentic:  <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3

Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:43 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066 
Code:   Accounting-Response
Identifier: 195
Authentic:  <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127>
Attributes:

Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43067 
Code:   Access-Request
Identifier: 201
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = 
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Mar 26 08:52:52 2002: DEBUG:  Deleting session for mikem, 
203.63.154.1, 1234
Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT
Tue Mar 26 08:52:52 2002: INFO: Access rejected for mikem: NT 
Authentication failed: Logo
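
One way to answer "where are the packets coming from" from a trace like the one above, as an added example (not part of the original post and not Radiator code). It parses the packet dumps, reports the observed UDP source from each "Received from" line next to the NAS-IP-Address the sender put in the packet, and flags a Request Authenticator that repeats across requests, which RFC 2865 says should be unpredictable and unique. The sample is excerpted from the log in the post; the function names are assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the trace posted above (attributes trimmed).
SAMPLE_LOG = """\
Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43066
Code:   Access-Request
Identifier: 193
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
NAS-IP-Address = 203.63.154.1

Tue Mar 26 08:52:43 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 43066
Code:   Access-Reject
Identifier: 193

Tue Mar 26 08:52:52 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 43067
Code:   Access-Request
Identifier: 201
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
NAS-IP-Address = 203.63.154.1
"""

HEADER = re.compile(r"^(.+?): DEBUG: Packet dump:\s*$")
DIRECTION = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier|Authentic):\s*(.*)$")
ATTR = re.compile(r'^\s*([\w-]+) = "?(.*?)"?\s*$')


def parse_packet_dumps(text):
    """Turn trace-level packet dumps into a list of dicts."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m[1], "attrs": {}}
            packets.append(cur)
        elif cur is None:
            continue
        elif not line.strip():
            cur = None  # a blank line ends the dump
        elif (m := DIRECTION.match(line)):
            cur["direction"] = "in" if m[1].startswith("Received") else "out"
            cur["peer"], cur["port"] = m[2], int(m[3])
        elif (m := FIELD.match(line)):
            cur[m[1].lower()] = m[2].strip()
        elif (m := ATTR.match(line)):
            cur["attrs"][m[1]] = m[2]
    return packets


def summarize(packets):
    """Map each User-Name to (UDP source, claimed NAS) pairs and list findings."""
    sources = defaultdict(set)
    auth_ids = defaultdict(set)
    for p in packets:
        if p.get("direction") != "in" or p.get("code") != "Access-Request":
            continue
        attrs = p["attrs"]
        sources[attrs.get("User-Name", "?")].add(
            (p["peer"], attrs.get("NAS-IP-Address")))
        if p.get("authentic"):
            auth_ids[p["authentic"]].add(p.get("identifier"))
    findings = []
    for user, pairs in sorted(sources.items()):
        for peer, nas in sorted(pairs, key=str):
            if nas and nas != peer:  # also normal behind a RADIUS proxy
                findings.append(
                    f"{user}: UDP source {peer} differs from NAS-IP-Address {nas}")
    for auth, ids in sorted(auth_ids.items()):
        if len(ids) > 1:
            findings.append(
                f"Request Authenticator {auth!r} reused across Identifiers {sorted(ids)}")
    return dict(sources), findings


if __name__ == "__main__":
    for finding in summarize(parse_packet_dumps(SAMPLE_LOG))[1]:
        print(finding)
```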

Re: (RADIATOR) radiator hanging itself...

2002-03-14 Thread Dan Melomedman

Check if it's blocked by a disk or a database. 



Re: (RADIATOR) Weird realms

2002-03-13 Thread Dan Melomedman

Hugh Irvine writes: 

> 
> Hello Dan - 
> 
> You can either do what you describe (probably with a single global 
> RewriteUsername), or you can use Handlers with regular expressions. 
> 
> Ie. 
> 
> 

Which is more efficient rewrite and , or ? Thanks. 




(RADIATOR) Weird realms

2002-03-13 Thread Dan Melomedman

We have a few realms like m_devn and devn. So they're prefixes, not suffixes 
after "@", but with ".". For example m_devn.dan. What's the best way to 
handle something like this? Rewrite them in the client interface config to 
something @m_devn?, then handle with  later? 



Re: (RADIATOR) Logging to MSSQL 7.0

2002-03-11 Thread Dan Melomedman

Hugh Irvine writes: 

> BTW - you say that Radiator is *almost* perfect - we would be keen to hear 
> any suggestions for improvements. 
> 
> regards 
> 
> Hugh

Hi Hugh, 

: I'd like to be able to fork an external program, and pipe 
the log data to it for logging, instead of logging directly to a file. I'd 
like to use the daemontools' 'multilog' since it does nice log rotation and 
TAI timestamping. 

Is there some way to rotate logs in Radiator?



(RADIATOR) Logging to MSSQL 7.0

2002-03-09 Thread Dan Melomedman

First, let me add my praise about this product to the already long list. 
We're evaluating Radiator. This is the best commercial server product I have 
ever dealt with, great job! Finally a RADIUS server that's almost, if not, 
perfect. Rock on! 

Anyway, we use FreeTDS for PHP scripts, and some things work, some break and 
cause segfaults depending on the features we're trying to use through 
FreeTDS. As much as I hate logging to the database, some of our existing 
reporting scripts (VB Script) require it anyway, so this is a part of 
evaluation as well. Do any of you on this list log to an MSSQL database from 
a Unix variant with FreeTDS library? Any caveats? Thanks much. 




(RADIATOR) auth by NT with Solaris

2002-02-12 Thread Dan Boucaut


Hello,

I am trying to setup the following configuration.

Radius 2.19 running on a Sun solaris unix box. I want users to dial in 
and authenticate to a Windows NT domain.
Is this possible using authby NT ? or is there another way to do it ? or 
isn't it possible with radius running on unix?


I am hoping to get single signon to the windows domain.


thanks
dan boucaut





[no subject]

2002-01-28 Thread Dan Lee Dimke, Ph.D.


Radiator is an amazing program - fast, reliable, and powerful. It appears to
handle just about anything that is thrown at it.

However, I'm getting an error that I have been unable to find a solution for
in any of the email archives. It is:


 ERR: Attribute number 9 (vendor 2233623) is not defined in your dictionary


I am using the standard dictionary. However, I am unable to find any
reference to this vendor number in any of the other dictionaries that
are provided with Radiator. Is there a dictionary reference that you might
recommend that I copy into the main dictionary to accommodate this?

Thanks in advance for your help.

Dan Lee Dimke
Future-World.com
Irving, TX USA








Re: (RADIATOR) authattrdef and ldap

2000-06-27 Thread dan


On Tue, 27 Jun 2000, Hugh Irvine wrote:

> Hello Dan -
> 
> On Sun, 25 Jun 2000, [EMAIL PROTECTED] wrote:
> > This seems odd to me.
> > 
> > 1-
> > Manual 6.31.11   CheckAttr checkitems
> > Radiator Config: CheckAttr dialup
> > LDAP:            dialup: Auth-Type=Reject
> > Test:            Rejected
> > 
> > 2-
> > Manual 6.31.13   AuthattrDef ldapattributename, radiusatributename, type
> > Radiator Config: AuthAttrDef dialup,Auth-Type,check
> > LDAP:            dialup: Reject
> > Test:            OK
> > 
> > 3-
> > Manual 6.31.13   AuthattrDef ldapattributename, radiusatributename, type
> > Radiator Config: AuthAttrDef Auth-Type,Auth-Type,check
> > LDAP:            auth-type: Reject
> > Test:            Rejected
> > 
> > 
> > Erm.  Seems to me that 1 and 2 are the same thing and should both reject.
> > 3 is just something silly I did before sleep, but it worked.  Broken?
> > 
> > Is there a better way for me to be denying mailbox only/web only accounts
> > from dialup?  I was just giving them the Auth-Type: Reject check.  Any
> > suggestions on my method or the above strangeness would be appreciated.
> > 
> 
> Auth-Type is an internal reference to some other authentication type.
> 
> See section 13.1.5 in the Radiator 2.16.1 reference manual.
> 

Yes, I know that.  In section 13.1.5 it says:

  "Auth-Type triggers special behavior for authentication the user.
   The possible values are: 

  * Reject.  Any access request will always be rejected.  This is
useful for temporarily disabling logins for a given user." 

Which is just what I want to do.  That's not the point though.  The point
is, the tests above do not go along with what is stated in section 6.31.13
but seem to work with the "to be discontinued" section 6.31.11.

Above, test 1 and 2 should work and 3 shouldn't as per the manual.  I'm a
little confused by your answer to a question I didn't ask.

Dan  
Network Systems Engineer




===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) authattrdef and ldap

2000-06-24 Thread dan


This seems odd to me.

1-
Radiator Config: CheckAttr dialup
LDAP:            dialup: Auth-Type=Reject
Test:            Rejected

1-
Radiator Config: AuthAttrDef dialup,Auth-Type,check
LDAP:            dialup: Reject
Test:            OK

3-
Radiator Config: AuthAttrDef Auth-Type,Auth-Type,check
LDAP:            auth-type: Reject
Test:            Rejected


Erm.  Seems to me that 1 and 2 are the same thing and should both reject.
3 is just something silly I did before sleep, but it worked.  Broken?

Is there a better way for me to be denying mailbox only/web only accounts
from dialup?  I was just giving them the Auth-Type: Reject check.  Any
suggestions on my method or the above strangeness would be appreciated.



Dan  <[EMAIL PROTECTED]>
Network Systems Engineer   





(RADIATOR) LDAP

1999-12-08 Thread Dan Sherwood

Has anyone developed a quick and painless method of configuring Radiator 
for use with Netscape Directory Server on Solaris 2.6?  Once LDAP is a 
requirement, the complexity of the install increases a bunch due to the 
need for a c compiler and other dependency packages.  Has anyone developed 
an install script or figured out a good "install tree" method.

Thanx,
Dan Sherwood
Adelphia Communications
Lead Product Network Engineer
Phone - (716)433-1336
Pager - (800) 804-9998
e-mail - [EMAIL PROTECTED]


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) 3Com TC

1999-12-02 Thread Dan Sherwood

I recently purchased Radiator for use with 3Com Total Control.  I read in 
the revision history that you no longer need to use pmwho to limit 
sessions.  Instead, the Nas-Type of TotalControlSNMP can be used.  How is 
this configured?  Do I just add this to  and I'm done?
Thank You,
Dan Sherwood
Adelphia Communications
Lead Product Network Engineer

