[RADIATOR] AuthBy FILE
Hello,

I'm trying to get authentication set up against eDirectory via LDAP, but wanted to start by seeing if I could get AuthBy FILE to work first. When I attempt to connect with a Windows 7 laptop, I see the following in the logfile. I'm using the eap_peap.cfg file and a Trapeze MX-200 as the authenticator.

Any suggestions appreciated.

Dan

Tue Aug 6 15:39:07 2013: DEBUG: Packet dump:
*** Received from 172.16.240.2 port 20009
Code: Access-Request
Identifier: 214
Authentic: an<4><249>@J<4>Zd<229>e1Z#<0>Y
Attributes:
    NAS-Port-Id = "AP10/1"
    Calling-Station-Id = "64-80-99-1E-3F-FC"
    Called-Station-Id = "00-0B-0E-B5-8A-44:NWHSU-Test"
    Service-Type = Framed-User
    User-Name = "dprill"
    NAS-Port = 23410
    EAP-Message = <2><6><0>&<17><1><0><24><232><209><188>2<242><218><148>`H<213><193><174><224><244><193><251><12>5<130><200><179>'<170><190>dprill
    NAS-Port-Type = Wireless-IEEE-802-11
    NAS-IP-Address = 172.16.240.2
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 3<243><30><188>j<159><166><232><9><151><157>>2<170><194><237>
Tue Aug 6 15:39:07 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Aug 6 15:39:07 2013: DEBUG: Deleting session for dprill, 172.16.240.2, 23410
Tue Aug 6 15:39:07 2013: DEBUG: Handling with Radius::AuthFILE:
Tue Aug 6 15:39:07 2013: DEBUG: Handling with EAP: code 2, 6, 38, 17
Tue Aug 6 15:39:07 2013: DEBUG: Response type 17
Tue Aug 6 15:39:07 2013: DEBUG: Radius::AuthFILE looks for match with dprill [dprill]
Tue Aug 6 15:39:07 2013: DEBUG: Radius::AuthFILE ACCEPT: : dprill [dprill]
Tue Aug 6 15:39:07 2013: DEBUG: EAP result: 3, Wait for peer challenge
Tue Aug 6 15:39:07 2013: DEBUG: AuthBy FILE result: CHALLENGE, Wait for peer challenge
Tue Aug 6 15:39:07 2013: DEBUG: Access challenged for dprill: Wait for peer challenge
Tue Aug 6 15:39:07 2013: DEBUG: Packet dump:
*** Sending to 172.16.240.2 port 20009
Code: Access-Challenge
Identifier: 214
Authentic: b<28>8<12><25><31><137>D<141><130><150>%g<10>h<185>
Attributes:
    EAP-Message = <3><6><0><4>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Radiator keeps restarting
Thanks Hugh, that was the help I needed. That quickly pointed out that IO-Socket-SSL somehow didn't get installed. I installed it and now everything is working great.

Much appreciated!!

-Dan

--- On Fri, 9/17/10, Hugh Irvine wrote:

> From: Hugh Irvine
> Subject: Re: [RADIATOR] Radiator keeps restarting
> To: "Dan Pike"
> Cc: radiator@open.com.au
> Date: Friday, September 17, 2010, 12:31 PM
>
> Hello Dan -
>
> You have two options - both will show you the Perl crash message(s).
>
> 1. run radiusd by hand from the command line:
>
> cd /your/Radiator/source/directory
>
> perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration/file
>
> …..
>
> 2. use restartWrapper - see section 16.1 in the Radiator 4.7 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 17 Sep 2010, at 14:27, Dan Pike wrote:
>
> > Hi,
> > I've looked through the FAQ and the email archive and haven't stumbled on an answer to a problem that I'm having.
> >
> > I have radiator running on two servers. Server #1 seems to be working without any problems. However radiator on server #2 keeps rebooting when I try to have a device authenticate using that server. I'm running a patched version of radiator 4.5.1. Looking at the log files I see the server restart at the same point every time, right after it creates the accounting port. Here's what I'm seeing in the logs:
> >
> > Fri Sep 17 12:06:00 2010: DEBUG: Handling with Radius::AuthGROUP: CheckLDAPServers_Network
> > Fri Sep 17 12:06:00 2010: DEBUG: Handling with Radius::AuthLDAP2:
> > Fri Sep 17 12:06:00 2010: INFO: Connecting to x.x.acme.com x.x.acme.com:636
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> > Fri Sep 17 12:06:01 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> > Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> > Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/configs/dictionary.own'
> > Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/goodies/dictionary.cisco'
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating authentication port 0.0.0.0:1812
> > Fri Sep 17 12:06:01 2010: DEBUG: Creating accounting port 0.0.0.0:1813
> > Fri Sep 17 12:06:01 2010: NOTICE: Server started: Radiator 4.5.1 on server2.x.x.acme.com
> >
> > Any thoughts on what direction I should look to fix the problem? My hunch is that one of the pre-requisites didn't install properly and radiator doesn't like something that it sees, but that's just a hunch. I'm not sure how to determine what's making it want to restart.
> >
> > Any help would be much appreciated!
> >
> > Thanks,
> > -Dan
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
[RADIATOR] Radiator keeps restarting
Hi,

I've looked through the FAQ and the email archive and haven't stumbled on an answer to a problem that I'm having.

I have radiator running on two servers. Server #1 seems to be working without any problems. However radiator on server #2 keeps rebooting when I try to have a device authenticate using that server. I'm running a patched version of radiator 4.5.1. Looking at the log files I see the server restart at the same point every time, right after it creates the accounting port. Here's what I'm seeing in the logs:

Fri Sep 17 12:06:00 2010: DEBUG: Handling with Radius::AuthGROUP: CheckLDAPServers_Network
Fri Sep 17 12:06:00 2010: DEBUG: Handling with Radius::AuthLDAP2:
Fri Sep 17 12:06:00 2010: INFO: Connecting to x.x.acme.com x.x.acme.com:636
Fri Sep 17 12:06:01 2010: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
Fri Sep 17 12:06:01 2010: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Fri Sep 17 12:06:01 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/configs/dictionary.own'
Fri Sep 17 12:06:01 2010: DEBUG: Reading dictionary file '/etc/radiator/goodies/dictionary.cisco'
Fri Sep 17 12:06:01 2010: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Sep 17 12:06:01 2010: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Sep 17 12:06:01 2010: NOTICE: Server started: Radiator 4.5.1 on server2.x.x.acme.com

Any thoughts on what direction I should look to fix the problem? My hunch is that one of the pre-requisites didn't install properly and radiator doesn't like something that it sees, but that's just a hunch. I'm not sure how to determine what's making it want to restart.

Any help would be much appreciated!

Thanks,
-Dan
(RADIATOR) authentication
Hello,

Is it possible to use different authentication methods based on username, i.e. usernameA authenticates to serverA and usernameB authenticates to serverB?

thanks
regards
Dan

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
RE: ***SPAM*** (RADIATOR) How to handle CHAP/MSCHAP requests in AuthBy EXTERNAL
Holy cow! Close your open relay and maybe more people will see your questions!

Anyway, you should be able to use perl to handle this, it should do just fine.

Dan

X-Spam-Flag: YES
X-Spam-Report: Spam detection software, running on the system "relay1.firstlink.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see [EMAIL PROTECTED] for details.

Content preview: How Can I handle CHAP/MSCHAP requests in AuthBy EXTERNAL configuration, I know that passwords are passed encrypted. But I dont know how to encrypt the real passwords against the received ones. [...]

Content analysis details: (17.3 points, 6.0 required)

pts  rule name              description
---- ---------------------- --------------------------------------------------
0.8  HTML_30_40             BODY: Message is 30% to 40% HTML
0.0  HTML_MESSAGE           BODY: HTML included in message
1.1  RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
                            [217.219.97.130 listed in dnsbl.sorbs.net]
4.3  RCVD_IN_OPM_HTTP       RBL: OPM: sender is open HTTP CONNECT proxy
                            [217.219.97.130 listed in opm.blitzed.org]
4.3  RCVD_IN_OPM            RBL: Received via a relay in opm.blitzed.org
                            [217.219.97.130 listed in opm.blitzed.org]
1.1  RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
                            [217.219.97.130 listed in dnsbl.njabl.org]
4.3  RCVD_IN_OPM_HTTP_POST  RBL: OPM: sender is open HTTP POST proxy
                            [217.219.97.130 listed in opm.blitzed.org]
0.1  RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [217.219.97.130 listed in dnsbl.sorbs.net]
0.1  RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [217.219.97.130 listed in dnsbl.njabl.org]
1.1  RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?ip=217.219.97.130>]
0.1  RCVD_IN_RFCI           RBL: Sent via a relay in ipwhois.rfc-ignorant.org
                            [Inaccurate or missing WHOIS data]

-Original Message-
From: Payam Shabanian [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 6:39 AM
To: [EMAIL PROTECTED]
Cc: Hugh Irvine
Subject: ***SPAM*** (RADIATOR) How to handle CHAP/MSCHAP requests in AuthBy EXTERNAL

How Can I handle CHAP/MSCHAP requests in AuthBy EXTERNAL configuration, I know that passwords are passed encrypted. But I don't know how to encrypt the real passwords against the received ones.
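The check this thread asks about, for plain CHAP only, as an added example that is not part of the original messages and is not Radiator code: the server recomputes the CHAP hash from the stored cleartext password and compares it with the CHAP-Password attribute. Function names and all sample values are constructed; MS-CHAP uses a different algorithm and is not covered here.

```python
import hashlib
import hmac
from typing import Optional

MD5_LEN = 16


def chap_response(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext + challenge).digest()


def verify_chap(chap_password: bytes, cleartext: bytes,
                request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Check a RADIUS CHAP-Password attribute against the stored cleartext password.

    chap_password          raw CHAP-Password value: 1 ident byte + 16 response bytes
    request_authenticator  16-byte Authenticator field of the Access-Request
    chap_challenge         raw CHAP-Challenge value, if the NAS sent one
    """
    if len(chap_password) != 1 + MD5_LEN or len(request_authenticator) != MD5_LEN:
        return False  # malformed attribute: reject rather than guess
    # RFC 2865: the challenge is CHAP-Challenge when present, otherwise the
    # Request Authenticator field of the packet.
    challenge = chap_challenge if chap_challenge else request_authenticator
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, received)


def demo():
    """Constructed request values; nothing here comes from a real capture."""
    # Nothing is decrypted: the hash is recomputed from the stored password, so
    # the user store must hold the cleartext (a one-way hash cannot be used).
    users = {"alice": b"correct horse"}           # hypothetical user store
    authenticator = bytes(range(16))              # constructed Request Authenticator
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    good = bytes([1]) + chap_response(1, users["alice"], challenge)
    wrong_pw = bytes([1]) + chap_response(1, b"guess", challenge)
    return (
        verify_chap(good, users["alice"], authenticator, challenge),
        verify_chap(wrong_pw, users["alice"], authenticator, challenge),
        # The same response checked against the wrong challenge source must fail.
        verify_chap(good, users["alice"], authenticator),
    )


if __name__ == "__main__":
    print(demo())
```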
RE: (RADIATOR) allowing logon for fixed hours
Hugh,

I don't mean to challenge, but isn't this what she wants?

Ascend-Maximum-Time="28800"

Thanks!

Dan Vande More

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 4:01 PM
To: Mukesh Karna
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) allowing logon for fixed hours

Hello Mukesh -

You should send a Session-Timeout = reply attribute:

AddToReply Session-Timeout = nnn

where nnn is the number of seconds the session should last.

Note that it is the NAS that must support this attribute so you should do some testing to verify correct operation.

regards

Hugh

On Tuesday, Sep 23, 2003, at 21:22 Australia/Melbourne, Mukesh Karna wrote:

> Hi all,
>
> How do I restrict my clients from surfing for not more than x hours in one session and they have to re-logon after every x hours.
>
> rgds,
>
> Mukesh Karna
RE: (RADIATOR) How does SQL Fallover work?
If the radius server cannot establish an application-level (or below) connection to the database server, for whatever reason, it will try an alternative, or try again.

If the database gives an error, it seems to me radiator denies the authentication request but does not assume anything is wrong with the database.

This is the observed behavior of 3.3.1.

I understand the reasoning for your question, and hope this helps. If you need something to monitor hardware failure, application failure, etc., I suggest trying Big Brother/Nagios, or any number of snmp applications.

Dan Vande More

-Original Message-
From: William Hernandez [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 9:53 AM
To: 'Radiator'
Subject: (RADIATOR) How does SQL Fallover work?

Hello everyone,

The Radiator 3.3.1 manual states in Section 6.28 "AuthBy SQL is tolerant of database failures. If your database server goes down, Radiator will try to reconnect to a database as described above, starting again at the first database you specified."

What does "server goes down" mean? Does it refer to a hardware failure? Does it mean the SQL Server application goes down? Does it mean that the particular database for some reason becomes unavailable and a connection is not possible although the SQL Server is still running? Does it mean that a connection was made, but there was an error/problem with the SQL query? All of the above?

Thanks in advance,
William Hernández
RE: (RADIATOR) Radiator and Mysql under load
You should be just fine with mysql, yahoo finance runs everything under mysql.

I route 2 million messages a day using mysql, (Includes spam preference lookups for everyone, destinations, routing, auth, pop3 and IMAP, radiator auth/acct) on one mysql (w/ a hot backup of course) 2x Xeon 500Mhz.

You may get even better luck turning on query caching, which can improve speed substantially.

http://www.eweek.com/article2/0,3959,293,00.asp
http://www.mysql.com/information/benchmarks.html

-Dan

Queries per second avg: 40.143

-Original Message-
From: DUFOUR Geoffrey [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2003 9:16 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Radiator and Mysql under load

Hello,

We plan to run RADIATOR on RH Linux and authenticate users from a mysql database (accounting information will be stored in the same database).

We have to work with a data model that allows us to handle "group attributes" (reply and check), "user attributes" (reply and check), and a few other things, meaning that the AuthSelect query will deal with several tables. We should have up to 50.000 users in the database and 1000 realms in the config file (150 CDRs a month).

1st question : Knowing all this, do you see any problems running RADIATOR with mysql (performance problems, ...). It seems a lot of people are working with MSSQL or Oracle databases to authenticate users.

2nd question : Is it a problem for RADIATOR to handle a lot of realms, knowing all the information is kept in memory ? I am concerned about performance.

Thanks for your help.

Regards.

Geoffrey Dufour
RE: (RADIATOR) Subdomain problem [FIXED]
Hugh,

Your solution did not work for the second problem (ISDN static/dynamic IP), but it surprisingly DID work for the dsl subdomains.

I'm not really good at radius but should be done reading the rfc by tonight. This should help in situations like these. I have another router I'm going to try on this circuit before I do any more radius troubleshooting. In the meantime I will research as to why this may have fixed the subdomain problem.

For those who didn't catch on: I tried authenticating subdomains (IE dsl.mydomain.com) through a sql database via radiator. Radiator authentication went fine. I have the default recommended table structure (To eliminate variables), and switching from authby file to sql broke only certain clients in one domain. Although the records looked complete and radiator debug showed the correct information returned, the router did not appear to accept it until I threw these lines into my authby sql realm dsl.mydomain.com:

.
AddToReply Service-Type = Framed-User, \
    Framed-Protocol = PPP

Thanks!

Dan Vande More

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 10:51 AM
To: Dan Vande More
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Subdomain problem

Hello Dan -

It is quite possible that this is due to "Service-Type = Framed-User, Framed-Protocol = PPP" not being included in the reply attributes (Cisco's especially are very picky about this).

BTW - for common sets of reply attributes you can use an "AddToReply " in the AuthBy clause rather than replicating all of the reply attributes for every user.

Ie:

.
AddToReply Service-Type = Framed-User, \
    Framed-Protocol = PPP

regards

Hugh

On Friday, Aug 8, 2003, at 01:15 Australia/Melbourne, Dan Vande More wrote:

> Well this is what I have after making this change.
>
> It appears to keep re-authenticating, over and over again every 7-10 seconds.
> Although it appears to give an access accepted, the modem doesn't accept it.
>
> Keep in mind, that this works perfectly on AuthBy File, and dies on SQL.
>
> Maybe I have something wrong in the db conversion, but I used the default table structure included with Radiator, and here is a sample record:
>
> INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "mycorrectpassword", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=200.200.132.52,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP", "999");
>
> Debug info below.
>
> Additionally out of a large amount of ISDN subscribers, I have one particular one I cannot seem to give a static IP to. And if I do, it still takes a dynamic.
> Its db record is seen below:
>
> INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "password", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.207,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Session-Timeout=14400,Idle-Timeout=600,Framed-Compression=Van-Jacobson-TCP-IP", "999");
>
> Here's a sample of an ISDN record that does keep the static IP every time:
>
> INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "password", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.132,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP,Session-Timeout=14400,Idle-Timeout=600", "999");
>
> I'm debating the fact that it is their router. It seems they have a Cisco 803, and though there are bugs, none of them point to this issue. Nor was I able to find anything close.
>
> Hints? Suggestions?
>
> Thanks!
>
> Dan Vande More
>
> Debug info from issue #1:
>
> Mon Aug 4 14:43:45 2003: DEBUG: Packet dump:
> *** Received from 200.200.143.2 port 1645
> Code: Access-Request
> Identifier: 48
> Authentic: he^<205>]<173><3><213><231>v<130><7>p<239><211>T
> Attributes:
>     NAS-IP-Address = 200.200.143.2
>     NAS-Port = 28
>     NAS-Port-Type = Virtual
>     User-Name = "[EMAIL PROTECTED]"
>     User-Password = "<229><162><139><236>I<225><225><181><150><13>W<249><155>'W
(RADIATOR) Acct-Session-Time Questions
I have a few questions related to Acct-Session-Time. I seem to have answered most of them, but some I'm second guessing myself on.

First I see this in my session logs for a distinct user:

Acct-Session-Time = 710920
Acct-Session-Time = 711733
Acct-Session-Time = 712554
Acct-Session-Time = 713450
Acct-Session-Time = 714335
Acct-Session-Time = 715209
Acct-Session-Time = 716083
Acct-Session-Time = 716903
Acct-Session-Time = 717728
Acct-Session-Time = 718596
Acct-Session-Time = 719435
Acct-Session-Time = 720306

So, I'm assuming the Acct-Session-Time is cumulative. These numbers descend all the way down to 15, in (random) increments.

Are these numbers calculated on the fly, by radiator, from the detail file? So if I rotate the logfile every month, it starts over on a new log file?

Additionally, are these numbers in seconds (Another assumption I'm making)?

If so, then my math (bc 1.06) shows:

720306/60
12005
12005/60
200

So this user has had 200 hours of active session time?

Thanks!

Dan Vande More
RE: (RADIATOR) Subdomain problem
Well this is what I have after making this change.

It appears to keep re-authenticating, over and over again every 7-10 seconds. Although it appears to give an access accepted, the modem doesn't accept it.

Keep in mind, that this works perfectly on AuthBy File, and dies on SQL.

Maybe I have something wrong in the db conversion, but I used the default table structure included with Radiator, and here is a sample record:

INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "mycorrectpassword", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=200.200.132.52,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP", "999");

Debug info below.

Additionally out of a large amount of ISDN subscribers, I have one particular one I cannot seem to give a static IP to. And if I do, it still takes a dynamic. Its db record is seen below:

INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "password", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.207,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Session-Timeout=14400,Idle-Timeout=600,Framed-Compression=Van-Jacobson-TCP-IP", "999");

Here's a sample of an ISDN record that does keep the static IP every time:

INSERT INTO `SUBSCRIBERS` VALUES("[EMAIL PROTECTED]", "password", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.132,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP,Session-Timeout=14400,Idle-Timeout=600", "999");

I'm debating the fact that it is their router. It seems they have a Cisco 803, and though there are bugs, none of them point to this issue. Nor was I able to find anything close.

Hints? Suggestions?

Thanks!

Dan Vande More

Debug info from issue #1:

Mon Aug 4 14:43:45 2003: DEBUG: Packet dump:
*** Received from 200.200.143.2 port 1645
Code: Access-Request
Identifier: 48
Authentic: he^<205>]<173><3><213><231>v<130><7>p<239><211>T
Attributes:
    NAS-IP-Address = 200.200.143.2
    NAS-Port = 28
    NAS-Port-Type = Virtual
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "<229><162><139><236>I<225><225><181><150><13>W<249><155>'W<6>"
    Service-Type = Framed-User
    Framed-Protocol = PPP
Mon Aug 4 14:43:45 2003: DEBUG: Handling request with Handler 'Realm=dsl.mydomain.com'
Mon Aug 4 14:43:45 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 200.200.143.2, 2 8
Mon Aug 4 14:43:45 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='200.200.143 .2' and NASPORT=028':
Mon Aug 4 14:43:45 2003: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPA DDRESS from RADONLINE where USERNAME='[EMAIL PROTECTED]'':
Mon Aug 4 14:43:45 2003: DEBUG: Handling with Radius::AuthSQL
Mon Aug 4 14:43:45 2003: DEBUG: Handling with Radius::AuthSQL:
Mon Aug 4 14:43:45 2003: DEBUG: Query is: 'select PASSWORD, CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME = '[EMAIL PROTECTED]'':
Mon Aug 4 14:43:45 2003: DEBUG: Radius::AuthSQL looks for match with [EMAIL PROTECTED]
Mon Aug 4 14:43:45 2003: DEBUG: Radius::AuthSQL ACCEPT:
Mon Aug 4 14:43:45 2003: DEBUG: Access accepted for [EMAIL PROTECTED]
Mon Aug 4 14:43:45 2003: DEBUG: Packet dump:
*** Sending to 200.200.143.2 port 1645
Code: Access-Accept
Identifier: 48
Authentic: he^<205>]<173><3><213><231>v<130><7>p<239><211>T
Attributes:
    Framed-IP-Address = 200.200.132.52
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.255
    Framed-Routing = None
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
Mon Aug 4 14:43:52 2003: DEBUG: Packet dump:
*** Received from 200.200.143.2 port 1645
Code: Access-Request
Identifier: 50
Authentic: <163>0<206>I<209><251><7><159>.<166><183><143><230><173>b7
Attributes:
    NAS-IP-Address = 200.200.143.2
    NAS-Port = 28
    NAS-Port-Type = Virtual
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "rE<255><144><186>|>n<26>A<173><133>c<253>g<189>"
    Service-Type = Framed-User
    Framed-Protocol = PPP
Mon Aug 4 14:43:52 2003: DEBUG: Handling request with Handler 'Realm=dsl.mydomain.com'
Mon Aug 4 14:43:52 2003: DEBUG: Deleting session
(RADIATOR) Subdomain problem
Greetings!

I seem to be having a problem with authenticating certain types of usernames using radiator and authby sql.

I finished the upgrade to 3.6 without a hitch, and I am trying to move away from the flat file and towards sql. I've attempted a switch on a certain test segment, and here are my results, as well as other data.

I give the test client a login name of [EMAIL PROTECTED] (service could be dsl, isdn, etc)

Under Authby file, it works great:

[EMAIL PROTECTED] User-Password = "password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP

I then imported everything to a sql database (mysql):

INSERT INTO SUBSCRIBERS (USERNAME, PASSWORD, ENCRYPTEDPASSWORD, CHECKATTR, REPLYATTR, TIMELEFT) VALUES("[EMAIL PROTECTED]", "password", NULL, "Service-Type=Framed-User", "Framed-Protocol=PPP,Framed-IP-Address=255.255.255.254,Framed-IP-Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed-Compression=Van-Jacobson-TCP-IP", "999");

And I get the request, but my logfile shows:

Fri Aug 1 00:09:33 2003: INFO: Access rejected for [EMAIL PROTECTED]

So is it because I am using subdomains? Why is it appending @mydefaultrealm.com? Radiator works fine for everything else, as long as I don't use subdomains.

Any suggestions? Of course, I am expecting "don't use subdomains" as a response from a few of the creative people.

Thanks!

Dan Vande More
Re: (RADIATOR) Radiator + Oracle Bug?
Hugh Irvine wrote:
>
> Hello Wesley -
>
> If the SQL database access times out, Radiator by default will wait 10 minutes before trying again.
>
> You can adjust the Timeout and FailureBackoffTime parameters in the AuthBy SQL clause.
>
> See sections 6.28.4 and 6.28.5 in the Radiator 3.6 reference manual.
>
> regards
>
> Hugh
>
>
> On Sunday, Jul 20, 2003, at 19:11 Australia/Melbourne, Wesley Hof wrote:

This shouldn't stop/freeze the perl process though?
Re: (RADIATOR) Database support fault tolerance
Hugh Irvine wrote:
>
> Hello Dan -
>
> It would be fairly simple to have Radiator write to a flat file for accounting, and then have a cron job or similar load the data into the database periodically. You will find a simple utility to do this in the file "goodies/radimportacct".
>
> regards
>
> Hugh

A cron job is too dirty of a hack, some other trigger would be better.

What to do about sessions though? They need to find a way to the database too, unless someone has some specialized (network) session service written (which I would love to use instead of an SQL DB anyway).
Fwd: Re: (RADIATOR) Database support fault tolerance
Hugh Irvine wrote:
>
> Hello Dan -
>
> It would be fairly simple to have Radiator write to a flat file for accounting, and then have a cron job or similar load the data into the database periodically. You will find a simple utility to do this in the file "goodies/radimportacct".

I was hoping more for something like this included in Radiator's design. Would benefit many, really.
(RADIATOR) Database support fault tolerance
Our users are getting sick and tired due to RADIUS service unavailability every time something happens to the network where the database server sits, or the database server itself.

To remind, we use LDAP for authentication, and SQL Server for sessions/logging. LDAP has been great, where database connectivity has been problematic, and a major pain in the arse in general. In some cases, Radiator would hang if there are database connection failures. A failure with the unixODBC client translates into Radiator process failure.

Right now Radiator's availability is directly dependent on the quality of the Perl libraries, including the database libraries/clients. Our service could be much more available if SQL was handled by an outside process with a queue in the middle. If something happens to this SQL helper process, the network, or the database server, then the queue simply grows in size, and Radiator continues running happily, authenticating users. When the problems are fixed, the queue is relayed to the SQL server, and no logging records are lost.

If we want to be fancy, this extra process may even be temporarily handling sessions in place of RADONLINE (instead of simply ignoring them returning OK back to Radiator), and notifying system administrators when it can't talk to the SQL database.

This system is not only a more resilient design, but more scalable too since Radiator will return as soon as it writes to the queue, not waiting for the database server.

Please let me know your thoughts; let's discuss this idea further.

Thanks.
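A sketch of the queue-in-the-middle design proposed in this post, as an added example that is not part of the original message and not Radiator code: accounting records go to an append-only spool and a relay forwards them in order, committing its position only after each successful database write. The class name, record fields, table layout and the in-memory SQLite database standing in for the remote SQL server are all assumptions.

```python
import json
import os
import sqlite3
import tempfile


class AcctSpool:
    """Append-only spool file between the RADIUS server and the SQL relay."""

    def __init__(self, path):
        self.path = path
        self.offset_path = path + ".offset"

    def enqueue(self, record):
        # The authenticating side only appends and returns; it never waits on SQL.
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record, sort_keys=True) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # an accepted record survives a crash

    def _offset(self):
        try:
            with open(self.offset_path, encoding="ascii") as fh:
                return int(fh.read().strip() or 0)
        except FileNotFoundError:
            return 0

    def _commit(self, offset):
        # Write-then-rename so the stored position is never half written.
        tmp = self.offset_path + ".tmp"
        with open(tmp, "w", encoding="ascii") as fh:
            fh.write(str(offset))
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.offset_path)

    def backlog(self):
        """Number of complete records not yet delivered (what to alert on)."""
        if not os.path.exists(self.path):
            return 0
        with open(self.path, "rb") as fh:
            fh.seek(self._offset())
            return sum(1 for line in fh if line.endswith(b"\n"))

    def relay(self, write_row):
        """Deliver queued records in order; stop at the first failure, lose nothing."""
        if not os.path.exists(self.path):
            return 0
        delivered = 0
        with open(self.path, "rb") as fh:
            fh.seek(self._offset())
            while True:
                line = fh.readline()
                if not line.endswith(b"\n"):
                    break  # end of file, or a record still being written
                try:
                    write_row(json.loads(line))
                except Exception:
                    break  # database or network trouble: keep the record queued
                self._commit(fh.tell())
                delivered += 1
        return delivered


def demo():
    """Constructed scenario: the database is unreachable for the first relay run."""
    spool = AcctSpool(os.path.join(tempfile.mkdtemp(), "acct.spool"))
    db = sqlite3.connect(":memory:")  # stand-in for the remote SQL server
    db.execute("CREATE TABLE acct (session_id TEXT, status TEXT, username TEXT, "
               "PRIMARY KEY (session_id, status))")
    state = {"up": False}

    def write_row(rec):
        if not state["up"]:
            raise ConnectionError("database unreachable")
        # Delivery is at-least-once (a crash between write and commit replays a
        # record), so the insert is made idempotent on the session key.
        db.execute("INSERT OR IGNORE INTO acct VALUES (?, ?, ?)",
                   (rec["Acct-Session-Id"], rec["Acct-Status-Type"], rec["User-Name"]))
        db.commit()

    for session, status in [("s0", "Start"), ("s0", "Stop"), ("s1", "Start")]:
        spool.enqueue({"Acct-Session-Id": session, "Acct-Status-Type": status,
                       "User-Name": "user@example.test"})
    during_outage = (spool.relay(write_row), spool.backlog())
    state["up"] = True
    after_recovery = (spool.relay(write_row), spool.backlog())
    rows = db.execute("SELECT COUNT(*) FROM acct").fetchone()[0]
    return during_outage, after_recovery, rows


if __name__ == "__main__":
    print(demo())
```

Because the relay only advances a committed offset and the writer only appends, the two sides never rewrite each other's data; the growing `backlog()` value is the signal to notify administrators.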
Re: (RADIATOR) Session Database and MaxSessions
Frank, List, Here is a snippet of my clients.cfg file (attached). All of my client entries look like what i attached. Dan - Original Message - From: Frank Danielson To: Dan ; [EMAIL PROTECTED] Sent: Monday, March 03, 2003 1:31 PM Subject: RE: (RADIATOR) Session Database and MaxSessions Dan- could you also send the clients.cfg (no secrets)? -Original Message-From: Dan [mailto:[EMAIL PROTECTED]Sent: Monday, March 03, 2003 12:23 PMTo: [EMAIL PROTECTED]Subject: (RADIATOR) Session Database and MaxSessions I have a existing session database. I am now to the point where I need to control MaxSessions. When i add the MaxSessions 1 to my conf. file I get ALOT of people that can't login because it believes the user is still online or maxsession is exceeded. I know for a fact that these users are not online. Why is it not letting them online? Is there any other way or Proper way to set radiator up to control maxsessions when I'm getting my auth's from wholesale provider which does not support snmp to the nas's...? How do other people on the list control simultaneous usage with Networks like Uunet,Qwest,Megapop etc I have included the log file (Trace 4) with the errors I get when I add MaxSessions 1 these errors are occurring even when the user is not trying to do simultaneous connections. I have also attached my conf file. 
(RADIATOR) Session Database and MaxSessions
I have an existing session database. I am now to the point where I need to control MaxSessions. When I add the MaxSessions 1 to my conf. file I get A LOT of people that can't login because it believes the user is still online or maxsession is exceeded. I know for a fact that these users are not online. Why is it not letting them online? Is there any other way or proper way to set radiator up to control maxsessions when I'm getting my auth's from wholesale provider which does not support snmp to the nas's...? How do other people on the list control simultaneous usage with Networks like Uunet, Qwest, Megapop, etc.? I have included the log file (Trace 4) with the errors I get when I add MaxSessions 1. These errors are occurring even when the user is not trying to do simultaneous connections. I have also attached my conf file.

Mon Mar 3 08:06:00 2003: DEBUG: Packet dump:
*** Received from 216.127.139.10 port 3800
Code: Access-Request
Identifier: 171
Authentic: U<143><8><233><171><129><22><252><26>7<148><157>b<21><216>M
Attributes:
    User-Name = "[EMAIL PROTECTED]"
    CHAP-Password = <1>#<134><194><141>c(<29>;<243><168><143>D<168>V<213><172>
    NAS-IP-Address = 67.193.160.36
    NAS-Port = 2052
    NAS-Port-Type = Async
    Service-Type = Framed-User
    Framed-Protocol = PPP
    State = ""
    Called-Station-Id = ""
    Acct-Session-Id = "388570715"
    Ascend-Data-Rate = 26400
    Ascend-Xmit-Rate = 50667
    network = "u2"
Mon Mar 3 08:06:00 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Mar 3 08:06:00 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 67.193.160.36, 2052
Mon Mar 3 08:06:00 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='67.193.160.36' and NASPORT=02052
Mon Mar 3 08:06:00 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where [EMAIL PROTECTED]
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 13, 388532462 67.193.119.193
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 3203, 388529606 67.193.119.73
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2121, 388518728 67.193.119.57
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2244, 388501182 67.193.119.57
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 111, 388543128 67.193.119.187
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 17, 376236234 67.193.170.23
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.36 , 2065, 388528348 67.193.119.93
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 2059, 376233805 67.193.170.77
Mon Mar 3 08:06:01 2003: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 67.193.160.47 , 209, 376233644 67.193.170.44
Mon Mar 3 08:06:01 2003: INFO: Access rejected for [EMAIL PROTECTED]: MaxSessions exceeded
Mon Mar 3 08:06:01 2003: DEBUG: Packet dump:
*** Sending to 216.127.139.10 port 3800
Code: Access-Reject
Identifier: 171
Authentic: U<143><8><233><171><129><22><252><26>7<148><157>b<21><216>M
Attributes:
    Reply-Message = "Request Denied"

# common-sql.cfg
#
# Example Radiator configuration file that allows you to
# authenticate from an SQL database.
# With Radiator you can interface with almost any database schema,
# and there are many more configurable parameters that allow you
# to control database fallback, select statements, column names
# and arrangements etc etc etc.
# See the reference manual for more details.
# This is a very simple example to get you started. It will
# work with the tables created by the goodies/*.sql scripts.
#
# You should consider this file to be a starting point only
# $Id: sql.cfg,v 1.5 2000/11/07 21:18:05 mikem Exp $
Foreground
LogStdout
LogDir .
DbDir .
Trace 4
DictionaryFile %D/dictionary.ascend2
include %D/clients.cfg
# This will authenticate users from SUBSCRIBERS
MaxSessions 1
# Adjust DBSource, DB
(RADIATOR) Radius Stalls
We are running radius on a separate box than our sql db. I'm having a weird problem with radiator when I restart radiusd for conf file changes. It starts up and appears to be taking requests but I get A LOT of server time-outs doing local tests and end users also have a problem getting authenticated. When doing local tests it authenticates every say 10th-15th request. OK... now the real weird thing... I can stop and start the radiusd continuously say 100 times and 'voila' radiator starts taking requests again beautifully and the way it's supposed to. The radiator server and the sql server are robust machines showing little load. What would cause this? Why would it work after stop/starting it numerous times?

Dan
(RADIATOR) Two miniscule timestamp patches
I need to log to stdout without the timestamp (because I use multilog for automatic rotation and TAI timestamps), so here is NoTimestamp. Hope it's okay to send to the mailing list, and it's useful to someone. --- Log.pm Wed May 22 22:03:18 2002 +++ /usr/local/lib/perl5/site_perl/5.8.0/Radius/Log.pm Thu Feb 13 18:10:12 2003 @@ -52,8 +52,13 @@ my ($priority, $s, $p) = @_; # Print to stdout as well, if required -print scalar localtime(time) . ': ' - . $Radius::Log::priorityToString[$priority] . ': ' . $s . "\n" +if (!$main::config->{NoTimestamp}) +{ + print scalar localtime(time) . ': ' ; + +} + + print $Radius::Log::priorityToString[$priority] . ': ' . $s . "\n" if $main::config->{LogStdout} && ($priority <= $main::config->{Trace} || ($p && $p->{PacketTrace})); --- ServerConfig.pm Fri Nov 29 01:10:02 2002 +++ /usr/local/lib/perl5/site_perl/5.8.0/Radius/ServerConfig.pm Thu Feb 13 18:03:05 +2003 @@ -22,6 +22,7 @@ 'DictionaryFile' => 'string', 'PidFile'=> 'string', 'LogStdout' => 'flag', + 'NoTimestamp'=> 'flag', 'SnmpgetProg'=> 'string', 'SnmpsetProg'=> 'string', 'SnmpwalkProg' => 'string',
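Review bot: In the Log.pm hunk the timestamp `print` now sits in its own `if (!$main::config->{NoTimestamp})` block, so the trailing `if $main::config->{LogStdout} && ($priority <= $main::config->{Trace} || ...)` modifier governs only the second `print`. With NoTimestamp unset, every call writes a bare timestamp to stdout even when LogStdout is off or the message is above the Trace level. Build the prefix first, for example `my $ts = $main::config->{NoTimestamp} ? '' : scalar(localtime(time)) . ': ';`, and keep a single `print $ts . ...` under the existing condition.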
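Review bot: The new `'NoTimestamp'=> 'flag'` entry in the ServerConfig.pm hunk comes with no documentation, and the name does not say that only the stdout copy printed in Log.pm is affected; a name tied to LogStdout, or a comment next to the entry stating the scope, would avoid that confusion. The `+++` header for this file also has its year wrapped onto a separate `+2003` line, so the patch is better sent as an attachment to survive mail wrapping.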
Re: (RADIATOR) Concurrent access in SessDBM.
Hugh Irvine wrote:
>
> Hello Dan -
>
> DBM locking is not supported and we find that most Radiator users have
> an SQL database for billing and customer management already, so an SQL
> session database (which supports locking, multiple access, etc.) tends
> to make more sense.

Hi Hugh. We use LDAP for customer management (much better). Also RDBMS is not a requirement for either sessions, or accounting. We are using RDBMS for accounting records, but the _only_ reason why we're using RDBMS for sessions is lack of concurrent access in SessDBM.
(RADIATOR) Concurrent access in SessDBM.
Would it be feasible to add locking to SessDBM such that we have multiple readers and one writer to the DBM file? The session database doesn't need any relational features, and the related bloat and bugs. Look at what it takes just to set up a reliable database connection.
Re: (RADIATOR) Rodopi & Radiator
Tim Jung wrote:
> I am still stuck if anyone has any suggestions.

First, you need to be asking these questions on the FreeTDS mailing list. Other than that, I would compile sqsh against the FreeTDS library, and use sqsh to log in with the SQL Server account and database to verify access. You can also log error messages with SQL Server itself, and then view them with NT event viewer. Make sure the FreeTDS library is not compiled with pthread support. Another option may be compiling DBD:Sybase against Sybase's OpenClient libraries. May cost money. So far my experience with database connectivity from Perl on Unix to Windows has been very bad.
Re: (RADIATOR) FreeTDS & DBD-Sybase Install
Tim Jung wrote:
> I found this out from the author of the DBD::Sybase module. He posted this
> to the FreeTDS mailing list back in October 2002. He is specifically
> talking about the errors that are generated when you run the 'make test'
> option on the DBD::Sybase module using FreeTDS.
>
> So it would look like that until more work is done on FreeTDS that it
> doesn't support 100% of everything that MS-SQL is capable of doing. Thus

Exactly. However, everything Radiator needs by default is supported. The reason why we dropped FreeTDS is because it didn't know how to handle broken connections, and hung perl. We still use FreeTDS with PHP. It's quirky, but we got it to work for what we need it to do.

> the DBD::Sybase won't pass all the 'make test' tests using FreeTDS v0.60 or
> the CVS version v0.61 as of today. I guess it is possible that the release
> version of v0.61 might up the level of support though. Although it would
> seem that 85%-86% support isn't too bad for an Open Source package talking
> to a commercial closed source database. :)

Knowing that they don't have specs and need to reverse engineer, it's an achievement, however they had problems such as memory leaks and buffer overflows/segfaults in FreeTDS, which suggests they put features first, and stability/quality second. Not good.

> So the question that remains is which version of the TDS protocol is needed
> to talk with MS-SQL 7.0 SP3 so Radiator can talk to the Rodopi databases?
> Should I use the 4.2 protocol or the 7.0 protocol? Specifically I am
> interested in using the "Auth Rodopi" stuff in Radiator. Anyone here know
> for sure?

If you read their documentation you'd know it's TDS 7.0. Have fun.
Re: (RADIATOR) Different NASes, same realms
Hugh Irvine wrote:
>
> Hello Dan -
>
> The best way to do this sort of thing is like this:
>
> # define Client clauses
>
>
> Identifier Ascend-Type-A
> .
>
>
> AuthBy Auth-Ascend-Type-A
> ..
>

Ouch, I missed client identifiers in the documentation. Are there any plans to reorganize documentation into multiple HTML pages?
(RADIATOR) Different NASes, same realms
We are getting into compatibility problems with different Ascend NASes from our providers, which requires us to run different AuthBy for each. Since we use them with the same realms, what is the best way to differentiate NASes? Rewrite realms to something weird like realm.com-provider in the s? Any other way? Thanks.
Re: (RADIATOR) radiator stops ...
>
> Hmm ... I guess the answer is YMMV, then.
>
> To anyone looking for solutions like this, I would say that Easysoft were
> very helpful getting their stuff up and running, and your best bet is
> probably to try both. It was certainly better than Openlink, and I believe
> their pricing is more competitive as well.
>
> But I'll stick with FreeTDS myself, thanks.

Their support is very good indeed. There was a bug in UnixODBC dropped connection handling, which was fixed right after I reported it. My gripe is it takes so much bloat just to access databases. ODBC manager, ODBC driver, perl ODBC modules.
Re: (RADIATOR) radiator stops ...
Matthew Trout wrote:
> > Of course Easysoft OOB is even better as far as
> > compatibility/reliability are concerned, albeit at a higher cost.
>
> You're kidding, right?
>
> In production use, Easysoft is absolutely lovely bar for one minor 'feature'
> (at least in the version I had) - if the NT side of the Easysoft bridge hits
> the full number of permitted threads it then refuses to accept any further
> connections without a stop/start on the service. I got bored of trying to

We didn't have problems you had with it. In fact we switched from FreeTDS to OOB because FreeTDS was too flaky for us.
Re: (RADIATOR) radiator stops ...
Matthew Trout wrote:
> I'd suggest dumping openlink as well; it's overpriced and the windows side
> (last time I had to suffer it) was far from production-grade reliability. If
> you're trying to connect to an MS SQL Server from *n?x, I've found FreeTDS
> (www.freetds.org) to be far superior, and a lot faster since TDS has a lot
> less overhead than ODBC. DBD::Sybase will build quite happily against
> FreeTDS, at which point you could use it with Radiator quite happily.

Of course Easysoft OOB is even better as far as compatibility/reliability are concerned, albeit at a higher cost.
(RADIATOR) GlobalVar
I am tidying up my configuration files, and I find that GlobalVars don't work everywhere. I look at the documentation, and it doesn't tell me where they do not work. Variables like LDAP passwords and filters that I found by trial and error do not work. LDAP host does work, but then, in the log file the variable name is reported instead of the variable value.
Re: (RADIATOR) Auth-Type and LDAP
Enrique Diez wrote:
> Hi All,
> I would like to know if there is an LDAP-Attribute (customized or
> standardized) in order to define the kind of authentication required for a
> user entry.
> For example, a user LDAP entry can be validated by the Radiator Radius
> Server via /etc/unix/password or a remote radius or ACE/SERVER according to
> the value of an "Auth-type" LDAP attribute.

We use objectClass. If a user's LDAP entry allows dial-up authentication, then his objectclass attribute will include 'dialUpUser' value. The Radiator LDAP filters are set accordingly.
Re: (RADIATOR) Connecting from linux to SQL 2000
Matthew Hobbs wrote:
> Currently I'm using DBI:Sybase on Mandrake 8.2 to connect to MS SQL 6.5
> All works well
> Looking at FreeTDS (0.6) its says it can connect to SQL 2000 using DBI::Sybase
> is this true ?

This is a question for the FreeTDS list. I just tried FreeTDS 0.53, with TDS version set to 7.0 with MS SQL 2000. Seems to work.
Re: (RADIATOR) MySQL + Radiator = Hang
Tony Bunce wrote:
> We have radiator setup on two servers using a MS SQL server for user
> authentication and mysql for accounting.

If you're using unixODBC 2.2.3 or earlier, upgrade.
Re: (RADIATOR) Re: (RADAR) RADAR without X
> StatsLog clause. And if you want a tool to restart Radiator
> automatically and let you know why it did so, you should use the
> "restartWrapper" utility provided in the goodies directory for this
> purpose. See the relevant sections of the Radiator 3.4 reference manual.

Another (very convenient) way to automatically restart Radiator is to use daemontools. One more way is on systems which init supports it, specify radiusd should be started on boot and restarted on exit in /etc/inittab. Autorestart is important especially if you use ODBC since perl process likes to segfault with some ODBC drivers (especially when an idle connection is dropped by the ODBC server or a firewall).

This leads me to ask this question. Could any subscribed users comment on Easysoft's OOB? We went from FreeTDS to OOB, and perl still segfaults on dropped connections from the OOB server. Dropped connections should result in graceful reconnects, not given up on with a segfault (note this is not a Radiator issue, the DBD-ODBC, DBI, unixODBC, and OOB driver are suspects here. But where to start looking for the bug?).
(RADIATOR) Sessions
Hi. Our Radiator needs to authenticate more than one service from the same realm. We need to guarantee that a user can get one session per each service with the same account, but only one session. For example, once a user has authenticated for dial-up, he wants to use a VPN client - one more session, but for a different service. The trick is a user must not be allowed to get more than one session for either service. What needs to be done? A separate session DB for each handler? Anything else? Thanks.
(RADIATOR) mssql and config file
I'm running into a problem with not being able to authenticate via test utility. Here is my config file... I'm wanting to authenticate and do accounting out of the MSSQL db. I can start up radiusd with no problems and no errors until I try running a testuser through test utility... I get "bad authenticator" from the test utility... but accounting works fine... and from the log I get "Bad attribute =value pair". What am I missing? I'm pretty sure I have everything in the DB correctly. Heck I dunno... that's why I'm asking.

DBSource dbi:ODBC:radiusdb
DBUsername sa
DBAuth dbpassword
AuthSelect select radiusname, password, checkattr, replyattr from RADIUSCUSTOMERTEST where radiusname= %0
AccountingTable RAD_ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctFailedLogFileName %D/missedaccounting
Re: (RADIATOR) Mac OS X Questions
Marcel Brown wrote:
> A few more questions regarding Mac OS X and MS SQL access
>
> If connecting to MS SQL from ODBC on UNIX requires an ODBC driver,
> where can I get a driver? Do people here have experience with this on
> Mac OS X?
>
> I keep reading that DBD-Sybase is compatible with MS-SQL. If I were
> to use DBD-Sybase instead of DBD-ODBC, do I still need an additional
> driver? Anyone here have experience using DBD-Sybase for MS SQL with
> any UNIX, not just Mac OS X?
>
> Thanks!
> Marcel
>

Try FreeTDS first. We had more success with ODBC-ODBC bridge.
Re: (RADIATOR) radiator stop without a reason
Paulo Sousa wrote:
>
> Dan
>
> I'm currently use libdbd-sybase-perl (that depends freetds), running
> debian GNU/Linux woody 3.0 :)
> Do u know how i can resolve that???

Not yet.
Re: (RADIATOR) SQL Server Connection Handling
Patrick Muldoon(NOC) wrote:
> We use DBD::Sybase with FreeTDS to connect to MSSQL Server 2000 from
> FreeBSD, and it works great, have never had any trouble.
>
> What version of FreeTDS are you using?
>
> You can also do some debugging with FreeTDS to see if it is the one
> hanging.
> http://www.freetds.org/userguide/x1873.htm#AEN1877
>
> Hope this helps,
>
> -Patrick

I am happy for you. We are using MSSQL 7.0, with service pack 2. We also use FreeTDS with PHP, and had some minor problems, but nothing major. There are/were many really screwy problems with FreeTDS like memory leaks and segfaults, and part of the problem is the reverse engineering, but it's a good suspect. We're always using the latest version of FreeTDS, and AFAIK it's been 0.53 for quite a while.

This server hang problem is very irritating, and ambiguity of it really sucks. Where to look? DBD:Sybase? FreeTDS? MSSQL? So many layers.

Does anyone on this list use MSSQL with Sybase client libraries by any chance? UnixODBC or iODBC with a commercial ODBC driver? What are your results? I've used Sybase client libraries with MSSQL 6.5 in the past with good results. Had more problems with 7.0.

BTW, FreeTDS have a very early version of an ODBC driver. They're willing to finish it if you sponsor them. If FreeTDS makes you a profit, may as well support the developers :)
Re: (RADIATOR) SQL Server Connection Handling
Mike McCauley wrote:
> Hi Dan,
>
> OK,
>
> here is a new version of SqlDb.pm that implements a new DisconnectAfterQuery
> flag. This will cause AuthBy SQL and other SQL users to disconnect after
> every SQL 'do' and after every 'getOneRow'.
>
> Let me know how you go.
>
> Cheers.
>

Thanks for all your effort, Mike. The problem didn't go away, however. I am suspecting a FreeTDS problem now. Server just hangs. 'top' shows it's in 'sbwait' state. 'netstat' shows an open connection to the MS SQL machine. Paulo Sousa's Radiator also hangs, by the way. They use MS SQL too.
Re: (RADIATOR) radiator stop without a reason
Paulo Sousa wrote:
>
>
> Hi Dan
>
> I'm using a linux box that auths on M$ SQL Server. :)
>
> Paulo Sousa
>

We have exactly the same problem. You are using FreeTDS?
Re: (RADIATOR) radiator stop without a reason
Hugh Irvine wrote:
>
> Hello Paul -
>
> I will need to know what hardware/software platform you are using and I
> will need to see a copy of your configuration file (no secrets) together
> with a trace 4 debug showing what is happening. I will also need to know
> what version of Radiator you are running.
>
> regards
>
> Hugh
>
>
> On Thursday, September 5, 2002, at 03:36 AM, Paulo Sousa wrote:
>

Are you using MSSQL by any chance?
Re: (RADIATOR) SQL Server Connection Handling
Mike McCauley wrote:
> On Wed, 28 Aug 2002 08:32, Hugh Irvine wrote:
> > Hello Dan -
> >
> > I would have to suggest that you use a more sensible database.
>
> Of course that there might be other reasons that prevent you from doing that.
>
> I am a bit puzzled though: I would normally expect Radiator to attempt to
> reconnect and have another go after failing to execute that query the first
> time?
>
> Perhaps if you send more of the trace file we might see if that is happening?
>
> Cheers.
>

Here's what happens:

1) If the server has been writing to MSSQL server frequently, no problems.
2) If the server has not written anything over TCP connection to MSSQL in quite a long while, the server is blocked. Any subsequent requests to the server fail.

This is the last thing in the log before a block:

Wed Aug 28 18:58:52 2002 707093: DEBUG: do query is: insert into failedattempts (LoggedAt,User_Name,NAS_IP_Address,Caller_ID,NAS_Port,Failure_Message, Active_Handler) values ('2002-08-28 18:58:52.000','dan','203.63.154.1','987654321','1234','''Bad Password''', 'prodnetilla') .

I suspect a problem may be with FreeTDS libraries, DBD::Sybase, or MSSQL server itself. Unfortunately I can't use a different database for logging for bureaucratic reasons. A connect-log-disconnect feature would be a quick fix for this. It would also allow some people simple load balancing with round-robin DNS to boot.
Re: (RADIATOR) SQL Server Connection Handling
Mike McCauley wrote:
> It's a first for me too.
> I could conceive of a 'DisconnectAfterQuery' flag that would disconnect after
> every SQL query was finished, but I'm reluctant to add it since I don't think
> it would be widely useful, and when it was used it would significantly slow
> things down.

Performance is not an issue for us right now, since we barely get a few dozen authentications per day.

> Do I understand from the below that you are connecting to MS-SQL from Radiator
> running on a FreeBSD box?
>
> We haven't heard of similar behaviour, even from FreeBSD to MS-SQL. It is
> possible that using keep-alives or similar might alleviate the problem?
>
> Cheers.

The problem is our MS SQL Server 7.0 (yuck!), service pack 2 drops connections if they're idle for a long enough time:

Tue Aug 13 09:39:24 2002: ERR: do failed for 'insert into failedattempts (LoggedAt,User_Name,NAS_IP_Address,Caller_ID,NAS_Port,Failure_Message, Active_Handler) values ('2002-08-13 09:39:24.000','soconnell','10.0.2.201','', '29374','''Bad Password''','prodnetilla')': Server message number=10018 severity=9 state=0 line=0 server=OpenClient text=The connection was closed

I am just looking for a quick work-around. MS' site actually has a blurb about configuring time-outs for DB connections, but we couldn't find such an option at least for our service pack.
Re: (RADIATOR) SQL Server Connection Handling
Hugh Irvine wrote:
>
> Hello Dan -
>
> Can you please tell me what database you are using and what platform?
>
> thanks
>
> Hugh

I thought SQL Server implied MS SQL Server :). This is FreeBSD. Anyway, we need connect-log-disconnect behavior instead of the current implementation.
(RADIATOR) SQL Server Connection Handling
Hi. Is it possible to quickly disable persistent connections for SQL logging? Persistent connections do not work well with our SQL Server, since they time out. Short failure backoff times do not help either since I think any DB connection failure trips the RADIUS authentication code on the devices we authenticate (they stop talking to Radiator).
Re: (RADIATOR) Memory leak in one of the modules or perl executable.
Hugh Irvine writes:
>
> Hello Dan -
>
> Mike is travelling this week, but he will look at this when he returns.
>
> In the meantime, can you please tell me how you are testing? And could you
> also send me the details of how you are testing and the outputs of "ps",
> "top" or whatever you are using to measure the memory usage? Also please
> include anything else that might be useful in tracing the problem.
>
> thanks and regards
>
> Hugh

I am running radpwtst on the same machine recursively with a simple bash script, which does a correct query. Radiator authenticates using AuthBy TEST. Until I stop it.

This is before the script is run:

ps auxw | egrep 'CPU|radiusd'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
radiusd 2202 0.1 0.6 8156 7760 p0 S+ 6:34PM 0:01.08 /usr/local/bin/perl /usr/local/bin/radiusd -config_file ./test.cfg

And after the script is finished (a few hundred queries):

radiusd 2202 0.7 0.7 10196 9756 p0 S+ 6:34PM 0:07.74 /usr/local/bin/perl /usr/local/bin/radiusd -config_file ./test.cf

Note the difference in size and resident set size values. If the server and client are left to run longer, it will be so large that it will need to be restarted. I can do this automatically with daemontools, but it is not a fix. This is not due to a module load, since even on the first query, the process does not jump megabytes in size. Thanks.
(RADIATOR) Memory leak in one of the modules or perl executable.
I noticed the perl process is growing linearly as the requests come in. Grows in size quite rapidly, eventually needs to be restarted. I suspected FreeTDS or OpenLDAP libraries (and these may too have leaks and probably do, but that testing is later). To see if it could be something else, I created a simple config file with just AuthByTEST. Still leaks. This is on FreeBSD 4.5-STABLE and Perl 5.6.1. Perl 5.8.0 also leaks when running Radiator. Time::Hires is also installed. No other modules were used for this test.

Here's my config (with fake system-related data):

LogStdout
PidFile /tmp/testradiusd.pid
AuthPort 1898
AcctPort 1899
BindAddress ip.add.re.ss
LogDir /tmp
DbDir /tmp
DictionaryFile /blah/blah/dictionary
NoIgnoreDuplicates Access-Request #for testing only
Secret test
RewriteUsername s/^(.*)\-(.*)/$1\@$2/ #user-org to user@org
DefaultRealm test
Identifier test
Identifier test
AuthBy test
Re: (RADIATOR) LDAP and CHAP
Ayotunde Itayemi writes:
> Hi,
>
> Depending on your patience, number of clients and time, you could get Mobius
> Freeware's
> w32crack - run it continuously for a few days after extracting the username
> and encrypted

This cannot help us, since we do not use NT user database.
Re: (RADIATOR) LDAP and CHAP
Hugh Irvine writes:
>
> Hello Dan -
>
> You can use CHAP with any database, however the password stored therein
> *must* be in cleartext, as you can only use cleartext passwords with CHAP.
>
> regards
>
> Hugh

The problem is all our dial-ups have hashed passwords, and returning them to clear text would be impossible. The problem is Broadwing now requires CHAP for some of the POPs, and doesn't for others. Are there any work-arounds for this? Thanks.
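Added example (not part of the original thread, and not Radiator code): why the CHAP restriction in the exchange above holds. The CHAP response defined in RFC 1994 is MD5 over the identifier, the secret itself and the challenge, so a server holding only a password hash can verify PAP but cannot recompute the CHAP response. The salted SHA-1 storage scheme, the sample password and the fixed challenge are constructed assumptions.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865):
    one identifier byte followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever the user database holds."""
    if len(attr) != 17:
        return False
    ident, response = attr[0], attr[1:]
    return hmac.compare_digest(response, chap_response(ident, stored_secret, challenge))


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a one-way stored password (assumption)."""
    return hashlib.sha1(password + salt).digest()


def verify_pap(submitted: bytes, stored_hash: bytes, salt: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash and compare."""
    return hmac.compare_digest(salted_sha1(submitted, salt), stored_hash)


def demo() -> dict:
    password = b"constructed-password"   # constructed sample value
    salt = b"\x01\x02\x03\x04"           # constructed sample value
    stored_hash = salted_sha1(password, salt)
    challenge = bytes(range(16))         # fixed here; a real NAS sends random bytes
    attr = chap_password_attr(7, password, challenge)
    return {
        # Hashed storage is enough for PAP.
        "pap_with_hash": verify_pap(password, stored_hash, salt),
        # CHAP verifies only when the server has the cleartext secret.
        "chap_with_cleartext": verify_chap(attr, challenge, password),
        # Feeding the stored hash into the CHAP computation gives a different MD5.
        "chap_with_hash": verify_chap(attr, challenge, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```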
(RADIATOR) LDAP and CHAP
Does Radiator allow CHAP passwords with LDAP databases? Thanks.
(RADIATOR) Our Interesting Requirement for Radiator
Hi. Here's what's required by our installation. We have our account entries in the LDAP directory. Every account can be authenticated using RADIUS for several services like VPN tunnels, dial-up etc. There needs to be an expiration date for each type of service. IOW there's a different expiration date attribute for each RADIUS-authenticated service. From what I've read in the docs, Radiator only supports one expiration attribute per directory entry natively. We need an ability to configure a separate expiration date attribute for each service an LDAP entry could authenticate. Is there any way we can achieve what I've described above? Thanks much. -- Excessive functionality is a root to security disasters.
(RADIATOR) Logging Active Handler
Hi. I need to log the active handler identifier to the SQL table. In other words, the handler where the failure occurs should be logged. What do I need to do? I read the documentation, but it's not exactly clear to me as to how to do it. -- History has shown that the road to injustice is frequently lit with the light of good intention
(RADIATOR) Failed Attempts, Time::HiRes
Hi. A few questions: How to log failed attempts to an SQL database? The table will look something like this:

Column_name            Type      Length  Nullable
---------------------  --------  ------  --------
LoggedAt               datetime  8       yes
User_Name              varchar   255     yes
NAS_IP_Address         varchar   255     yes
Authen_Failure_Reason  varchar   255     yes
Author_Failure_Reason  varchar   255     yes
Caller_ID              varchar   255     yes
NAS_Port               varchar   255     yes
Source_NAS             varchar   255     yes
Description            varchar   255     yes

I also installed the Time::HiRes module, but Radiator refuses to log with microseconds without any warning messages. Yes, I restarted the server completely, instead of SIGHUP. Also, some attributes are not found in the dictionary, I am using 'ascend2' in addition to 'dictionary'. I suspect these are proprietary Cisco attributes which are in the packet trace. Should I worry about this, or what's a quick and dirty method of disabling these error messages so they do not fill up the log? Thanks.
Re: (RADIATOR) Logging Accounting to SQL without SQL authentication
Hugh Irvine writes:
>
> Identifier SQLAccounting
> ..
> AuthSelect
> AccountingTable ACCOUNTING
> AcctColumnDef .
> ..
>
>
> AuthByPolicy ContinueAlways
> AuthBy SQLAccounting
> AuthBy CheckLDAP
> .
>

Thanks. It's great it works, but it's a work around. SQL accounting should be independent of AuthBy SQL. Next version maybe? :)
(RADIATOR) Logging Accounting to SQL without SQL authentication
Hi. We want to log accounting to our SQL DB, but we are using LDAP DB for authentication. What can we do? doesn't mention AccountingTable functionality from . Thanks.
(RADIATOR) mikem user possible hack attempt?
Hello, I have pulled the following output from my logfile. As you can see there is a user called mikem which says he is coming from open.com.au ( which I believe is spoofed). I believe this is an attempt to get through with default radius user settings. has anyone else seen this? any way to find out where the packets are coming from? thanks Dan Boucaut Tue Mar 26 08:52:43 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 43066 Code: Access-Request Identifier: 193 Authentic: 1234567890123456 Attributes: User-Name = "mikem" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 Called-Station-Id = "123456789" Calling-Station-Id = "987654321" NAS-Port-Type = Async User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>" Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Mar 26 08:52:43 2002: DEBUG: Deleting session for mikem, 203.63.154.1, 1234 Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT Tue Mar 26 08:52:43 2002: INFO: Access rejected for mikem: NT Authentication failed: Logon Error (3) Tue Mar 26 08:52:43 2002: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 43066 Code: Access-Reject Identifier: 193 Authentic: 1234567890123456 Attributes: Reply-Message = "Request Denied" Tue Mar 26 08:52:43 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 43066 Code: Accounting-Request Identifier: 194 Authentic: <253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145> Attributes: User-Name = "mikem" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "1234" Acct-Status-Type = Start Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Mar 26 08:52:43 2002: DEBUG: Adding session for mikem, 203.63.154.1, 1234 Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted Tue Mar 26 08:52:43 
2002: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 43066 Code: Accounting-Response Identifier: 194 Authentic: <253><229>D<154><222><211>0<210>O<19><244><233><207><226><167><145> Attributes: Tue Mar 26 08:52:43 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 43066 Code: Accounting-Request Identifier: 195 Authentic: <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127> Attributes: User-Name = "mikem" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "1234" Acct-Status-Type = Stop Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Acct-Delay-Time = 0 Acct-Session-Time = 1000 Acct-Input-Octets = 2 Acct-Output-Octets = 3 Tue Mar 26 08:52:43 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Mar 26 08:52:43 2002: DEBUG: Deleting session for mikem, 203.63.154.1, 1234 Tue Mar 26 08:52:43 2002: DEBUG: Handling with NT Tue Mar 26 08:52:43 2002: DEBUG: Accounting accepted Tue Mar 26 08:52:43 2002: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 43066 Code: Accounting-Response Identifier: 195 Authentic: <6><249><144><217><195>O<3><139><211>V<127>n<212><30>Q<127> Attributes: Tue Mar 26 08:52:52 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 43067 Code: Access-Request Identifier: 201 Authentic: 1234567890123456 Attributes: User-Name = "mikem" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 Called-Station-Id = "123456789" Calling-Station-Id = "987654321" NAS-Port-Type = Async User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>" Tue Mar 26 08:52:52 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Mar 26 08:52:52 2002: DEBUG: Deleting session for mikem, 203.63.154.1, 1234 Tue Mar 26 08:52:52 2002: DEBUG: Handling with NT Tue Mar 26 08:52:52 2002: INFO: Access rejected for mikem: NT Authentication failed: Logo
Re: (RADIATOR) radiator hanging itself...
Check if it's blocked by a disk or a database.
Re: (RADIATOR) Weird realms
Hugh Irvine writes:
>
> Hello Dan -
>
> You can either do what you describe (probably with a single global
> RewriteUsername), or you can use Handlers with regular expressions.
>
> Ie.
>
>

Which is more efficient rewrite and , or ? Thanks.
(RADIATOR) Weird realms
We have a few realms like m_devn and devn. So they're prefixes, not suffixes after "@", but with ".". For example m_devn.dan. What's the best way to handle something like this? Rewrite them in the client interface config to something @m_devn?, then handle with later?
Re: (RADIATOR) Logging to MSSQL 7.0
Hugh Irvine writes:
> BTW - you say that Radiator is *almost* perfect - we would be keen to hear
> any suggestions for improvements.
>
> regards
>
> Hugh

Hi Hugh, : I'd like to be able to fork an external program, and pipe the log data to it for logging, instead of logging directly to a file. I'd like to use the daemontools' 'multilog' since it does nice log rotation and TAI timestamping. Is there some way to rotate logs in Radiator?
(RADIATOR) Logging to MSSQL 7.0
First, let me add my praise about this product to the already long list. We're evaluating Radiator. This is the best commercial server product I have ever dealt with, great job! Finally a RADIUS server that's almost, if not, perfect. Rock on! Anyway, we use FreeTDS for PHP scripts, and some things work, some break and cause segfaults depending on the features we're trying to use through FreeTDS. As much as I hate logging to the database, some of our existing reporting scripts (VB Script) require it anyway, so this is a part of evaluation as well. Do any of you on this list log to an MSSQL database from a Unix variant with FreeTDS library? Any caveats? Thanks much.
(RADIATOR) auth by NT with solaris
Hello, I am trying to set up the following configuration. Radius 2.19 running on a Sun solaris unix box. I want users to dial in and authenticate to a Windows NT domain. Is this possible using authby NT ? or is there another way to do it ? or isn't it possible with radius running on unix? I am hoping to get single signon to the windows domain. thanks dan boucaut
[no subject]
Radiator is an amazing program - fast, reliable, and powerful. It appears to handle just about anything that is thrown at it. However, I'm getting an error that I have been unable to find a solution for in any of the email archives. It is:

ERR: Attribute number 9 (vendor 2233623) is not defined in your dictionary

I am using the standard dictionary. However, I am unable to find any reference to this vendor number in any of the other dictionaries that are provided with Radiator. Is there a dictionary reference that you might recommend that I copy into the main dictionary to accommodate this? Thanks in advance for your help. Dan Lee Dimke Future-World.com Irving, TX USA
Re: (RADIATOR) authattrdef and ldap
On Tue, 27 Jun 2000, Hugh Irvine wrote:
> Hello Dan -
>
> On Sun, 25 Jun 2000, [EMAIL PROTECTED] wrote:
> > This seems odd to me.
> >
> > 1-
> > Manual 6.31.11 CheckAttr checkitems
> > Radiator Config:CheckAttr dialup
> > LDAP: dialup: Auth-Type=Reject
> > Test: Rejected
> >
> > 2-
> > Manual 6.31.13 AuthattrDef ldapattributename, radiusatributename, type
> > Radiator Config:AuthAttrDef dialup,Auth-Type,check
> > LDAP: dialup: Reject
> > Test: OK
> >
> > 3-
> > Manual 6.31.13 AuthattrDef ldapattributename, radiusatributename, type
> > Radiator Config:AuthAttrDef Auth-Type,Auth-Type,check
> > LDAP: auth-type: Reject
> > Test: Rejected
> >
> >
> > Erm. Seems to me that 1 and 2 are the same thing and should both reject.
> > 3 I just something silly I did before sleep, but it worked. Broken?
> >
> > Is there a better way for me to be denying mailbox only/web only accounts
> > from dialup? I was just giving them the Auth-Type: Reject check. Any
> > suggestions on my method or the above strangeness would be appreciated.
> >
>
> Auth-Type is an internal reference to some other authentication type.
>
> See section 13.1.5 in the Radiator 2.16.1 reference manual.
>

Yes, I know that. In section 13.1.5 it says:

"Auth-Type triggers special behavior for authentication the user. The possible values are: * Reject. Any access request will always be rejected. This is useful for temporarily disabling logins for a given user."

Which is just what I want to do. That's not the point though. The point is, the tests above do not go along with what is stated in section 6.31.13 but seems to work with the to "be discontinued" section 6.31.11. Above, test 1 and 2 should work and 3 shouldn't as per the manual. I'm a little confused by your answer to a question I didn't ask.

Dan Network Systems Engineer

=== Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) authattrdef and ldap
This seems odd to me.

1-
Radiator Config:CheckAttr dialup
LDAP: dialup: Auth-Type=Reject
Test: Rejected

2-
Radiator Config:AuthAttrDef dialup,Auth-Type,check
LDAP: dialup: Reject
Test: OK

3-
Radiator Config:AuthAttrDef Auth-Type,Auth-Type,check
LDAP: auth-type: Reject
Test: Rejected

Erm. Seems to me that 1 and 2 are the same thing and should both reject. 3 I just something silly I did before sleep, but it worked. Broken?

Is there a better way for me to be denying mailbox only/web only accounts from dialup? I was just giving them the Auth-Type: Reject check. Any suggestions on my method or the above strangeness would be appreciated.

Dan <[EMAIL PROTECTED]> Network Systems Engineer
(RADIATOR) LDAP
Has anyone developed a quick and painless method of configuring Radiator for use with Netscape Directory Server on Solaris 2.6? Once LDAP is a requirement, the complexity of the install increases a bunch due to the need for a c compiler and other dependency packages. Has anyone developed an install script or figured out a good "install tree" method. Thanx, Dan Sherwood Adelphia Communications Lead Product Network Engineer Phone - (716)433-1336 Pager - (800) 804-9998 e-mail - [EMAIL PROTECTED] === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) 3Com TC
I recently purchased Radiator for use with 3Com Total Control. I read in the revision history that you no longer need to use pmwho to limit sessions. Instead, the Nas-Type of TotalControlSNMP can be used. How is this configured? Do I just add this to and I'm done? Thank You, Dan Sherwood Adelphia Communications Lead Product Network Engineer