Re: [RADIATOR] hotspot login portal

2012-12-04 Thread Dave Kitabjian
You might want to check out:

  http://www.chillispot.info/

which we had working with Radiator back in the day, and its newer
sibling:

  http://coova.org/

Dave

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
On Behalf Of John Lodge
Sent: Monday, December 03, 2012 5:09 AM
To: radiator@open.com.au
Subject: [RADIATOR] hotspot login portal

 

Hello

I have a very simple question.

Are there any examples of html forms used as portal login forms to
authenticate against radiator in order to see how the parameters are
stored and posted to radiator for auth?

Regards
John

 


CONFIDENTIALITY NOTICE***The information contained in this message may be 
privileged, confidential, and protected from disclosure. If the reader of 
this message is not the intended recipient, or any employee or agent 
responsible for delivering this message to the intended recipient, you are 
hereby notified that any dissemination, distribution, or copying of this 
communication is strictly prohibited. If you have received this 
communication in error, please notify us immediately by replying to the 
message and deleting it from your computer. Thank you.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] searchable archive? CouchDB?

2011-10-13 Thread Dave Kitabjian
See replies...

-Original Message-
From: Heikki Vatiainen [mailto:h...@open.com.au] 
Sent: Tuesday, October 11, 2011 9:01 AM
To: Dave Kitabjian
Cc: radiator@open.com.au; Greg Evanyke
Subject: Re: [RADIATOR] searchable archive? CouchDB?

[dhk] ...

>> 2)   Is there an AuthBy that will talk to *CouchDB* or *MongoDB*?

> [dhk] Well, at this point, the main attraction to some of these No-SQL
> products is their robust replication support particularly as a
> peer-to-peer architecture (rather than Master-Slave, like LDAP). We are
> looking for the Auth side at this point, not the Accounting side.

I took a look at Perl support and there seems not to be anything for
NoSQL that is like DBI for SQL. So no common layer for different NoSQL
DBs. This would mean the support would need to be written for either or.

[dhk] Yes, I did a quick look and found the same thing, which I thought
was odd considering the growing popularity of NoSQL and the otherwise
broad range of modules at CPAN.

Can you tell which one would be more suitable for RADIUS type of AAA
use?

[dhk] We don't know enough to answer that at this point. But the point
you made earlier was the same as I was thinking: RADIUS Accounting
packets and their varying range of attributes make them a natural fit
for the "no schema" approach. And the "eventually consistent" integrity
model is fine for most applications of Accounting records. I like the
bi-directional sync with conflict resolution of CouchDB, but I'm not
sure eventual consistency is robust enough for keeping a Session table
up to date; but it would be fine for the Auth db, as in your LDAP
support. 

Dave



Re: [RADIATOR] searchable archive? CouchDB?

2011-10-07 Thread Dave Kitabjian
Thanks for the reply. See comments...

-Original Message-
From: Heikki Vatiainen [mailto:h...@open.com.au] 
Sent: Friday, October 07, 2011 5:14 AM
To: Dave Kitabjian
Cc: radiator@open.com.au; Greg Evanyke
Subject: Re: [RADIATOR] searchable archive? CouchDB?

On 10/06/2011 11:14 PM, Dave Kitabjian wrote:

> 1)   Is there a *searchable archive* for this list these days? The only
> one I found is this zipped version:
> http://www.open.com.au/pipermail/radiator/

There is no searchable archive currently. Using google like this is very
effective for searching the list and the rest of the site too:

site:.open.com.au search terms

[dhk] Cool, thanks. I didn't realize Google was able to crawl the zip
files.

> 2)   Is there an AuthBy that will talk to *CouchDB* or *MongoDB*?

Not yet. Can you tell a little how you would want to use these?

One thing I have thought of is using a schema free database to store
accounting messages from different NASes. If there's no strict table
structure all attributes could easily be stored no matter what the NAS
sends. This is something I thought of briefly once, so this has not been
discussed further and no work has been done for this.

Please let us know of what you have in mind.

[dhk] Well, at this point, the main attraction to some of these No-SQL
products is their robust replication support particularly as a
peer-to-peer architecture (rather than Master-Slave, like LDAP). We are
looking for the Auth side at this point, not the Accounting side.

Dave





[RADIATOR] searchable archive? CouchDB?

2011-10-06 Thread Dave Kitabjian
Hello, folks!

Two questions:

1)   Is there a searchable archive for this list these days? The only
one I found is this zipped version:
http://www.open.com.au/pipermail/radiator/

2)   Is there an AuthBy that will talk to CouchDB or MongoDB?

Thanks in advance!

Best Regards,

Dave Kitabjian
Software Manager

NetCarrier Telecom
4000 N. Cannon Ave.
North Penn Business Park
Lansdale, PA. 19446
Phone: (877) 255-7733; Fax: (215) 257-4916
Direct: (215) 966-3352
Email: d...@netcarrier.com  Web: www.netcarrier.com




 



Re: [RADIATOR] Executing an external script from Radiator

2011-06-21 Thread Dave Kitabjian
I should clarify that the Exec-Program method is particularly useful
when you want to execute something conditionally based on (typically
database-driven) user configs.

Dave

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
On Behalf Of Dave Kitabjian
Sent: Tuesday, June 21, 2011 5:07 PM
To: M P; radiator@open.com.au
Subject: Re: [RADIATOR] Executing an external script from Radiator

My favorite method is to use the special RADIUS Reply-Item,
"Exec-Program". Radiator will then shell whatever you pass in as an
argument to this attribute. Very powerful; very dangerous; very cool :)

The only thing Radiator doesn't do is provide a way to change the user
under which the shell executes. Often it would be nice to use a
restricted access account.

Dave

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
On Behalf Of M P
Sent: Tuesday, June 21, 2011 2:35 AM
To: radiator@open.com.au
Subject: [RADIATOR] Executing an external script from Radiator

Hello all,

How am I going to execute an external script when Radiator receives an
Access-Request? This script will actually do an HTTP API request from an
external HTTP server to get the userid then once the script has it on
the same server as where the Radiator is running, Radiator will now
respond with an Access-Accept.

Please advise. Thank you in advance.


Re: [RADIATOR] Executing an external script from Radiator

2011-06-21 Thread Dave Kitabjian
My favorite method is to use the special RADIUS Reply-Item,
"Exec-Program". Radiator will then shell whatever you pass in as an
argument to this attribute. Very powerful; very dangerous; very cool :)

The only thing Radiator doesn't do is provide a way to change the user
under which the shell executes. Often it would be nice to use a
restricted access account.

Dave

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
On Behalf Of M P
Sent: Tuesday, June 21, 2011 2:35 AM
To: radiator@open.com.au
Subject: [RADIATOR] Executing an external script from Radiator

Hello all,

How am I going to execute an external script when Radiator receives an
Access-Request? This script will actually do an HTTP API request from an
external HTTP server to get the userid then once the script has it on
the same server as where the Radiator is running, Radiator will now
respond with an Access-Accept.

Please advise. Thank you in advance.


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
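
One way to get the "restricted access account" the message above wishes for, as an added example that is not part of the thread and not Radiator code: a wrapper script that an Exec-Program value could name, which starts only allow-listed programs, without a shell, and switches to an unprivileged account first. The script paths, the `radexec` account and the character set accepted for arguments are assumptions.

```python
#!/usr/bin/env python3
"""Added example: an allow-listing, privilege-dropping wrapper that an
Exec-Program value could name. Paths and the account are assumptions."""
import os
import pwd
import re
import subprocess
import sys

# Hypothetical allow-list: the only programs this wrapper will start.
ALLOWED_PROGRAMS = {
    "/usr/local/radius/hooks/notify_login",
    "/usr/local/radius/hooks/update_quota",
}
RESTRICTED_USER = "radexec"  # hypothetical unprivileged account

# One token: no whitespace, quotes, ';', '|', '&', '$', backticks, etc.
_TOKEN = r"[A-Za-z0-9_.:@/-]{1,128}"
_VALUE = re.compile(r"%s(?: %s){0,15}" % (_TOKEN, _TOKEN))


def check_argv(argv):
    """Return a copy of argv if it is acceptable, else raise ValueError."""
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError("program is not allow-listed")
    for arg in argv:
        if not re.fullmatch(_TOKEN, arg):
            raise ValueError("unsafe argument: %r" % arg)
    return list(argv)


def parse_exec_value(value):
    """Validate a whole Exec-Program string before it is stored.

    This belongs where the user database is written: by the time a shell
    has parsed the string, a ';' or '$(...)' in it has already run.
    """
    if not _VALUE.fullmatch(value):
        raise ValueError("value contains characters a shell would interpret")
    return check_argv(value.split(" "))


def is_acceptable(value):
    """Boolean form of parse_exec_value() for provisioning-time checks."""
    try:
        parse_exec_value(value)
        return True
    except ValueError:
        return False


def _demote(user):
    """Build a function that switches the child process to `user`."""
    account = pwd.getpwnam(user)

    def apply():
        os.setgroups([])            # drop supplementary groups first
        os.setgid(account.pw_gid)
        os.setuid(account.pw_uid)   # last step: cannot be undone
    return apply


def run_restricted(argv, timeout=5):
    """Run an allow-listed program without a shell, as RESTRICTED_USER."""
    argv = check_argv(argv)
    # Only root may change uid; an unprivileged caller keeps its own uid.
    preexec = _demote(RESTRICTED_USER) if os.geteuid() == 0 else None
    env = {"PATH": "/usr/bin:/bin"}  # do not pass on the server's environment
    done = subprocess.run(argv, shell=False, env=env, timeout=timeout,
                          preexec_fn=preexec, close_fds=True)
    return done.returncode


if __name__ == "__main__":
    try:
        sys.exit(run_restricted(sys.argv[1:]))
    except ValueError as exc:
        print("refused: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

The uid switch only happens when the wrapper starts as root; started as any other user it still enforces the allow-list and the shell-free launch.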

Re: [RADIATOR] Multiple radiator instances on single server?

2010-10-11 Thread Dave Kitabjian
fyi,

You can also run separate instances with all pointing to a common config
file, if that's simpler. That works if you can "override" everything
instance-specific by using different command line arguments.

A single config file can be easier to manage if they will otherwise
duplicate a lot of the same configuration details, hooks, etc.

Dave

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
On Behalf Of Gregory Fuller
Sent: Thursday, October 07, 2010 10:42 AM
To: radiator@open.com.au
Subject: [RADIATOR] Multiple radiator instances on single server?

I'd like to go through and separate out my authentication, accounting,
and tacacsplus radiator configurations each into its own separate
radiator instance on the same server.  One radiator process would run
just the radius authentication, one process for radius accounting, and
one process for all tacacsplus auth/accounting.  I'm running Radiator
4.5 under CentOS 5.4.

I know I can start another process from the command line and pass my
different config files into it without any problems.  Within the
config files I have separated out the different parts of the config
for each operation and made sure only the port #'s I want to listen on
are listed in the configs.

How are most places handling the running of multiple radiator
instances on the same server using the standard RedHat/CentOS
"services" functionality?  Did you copy and rename /etc/init.d/radiator
for each one of the services and modify each service script to load
different config files on startup?

Just trying to figure out the best way to manage this.  I'd like to be
able to do something like the following:

For radius authentication:  service radiator start
For radius accounting:  service radiator-acct start
For tacacs auth/accounting: service radiator-tacacs start

Any sample RedHat/CentOS service config files for doing this would be
appreciated also.  Thanks!

--greg


Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller


Re: [RADIATOR] ClientHook sequence?

2010-08-25 Thread Dave Kitabjian
Mike, Hugh, and Heikki,

Thanks!!

Dave

-Original Message-
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Friday, August 20, 2010 7:03 PM
To: Heikki Vatiainen
Cc: Dave Kitabjian; radiator@open.com.au; Greg Evanyke
Subject: Re: [RADIATOR] ClientHook sequence?


Hello Heikki, Hello Dave -

Correct.

Historically we had a PreClientHook and a PreHandlerHook in the Client
clause(s), however when vendors began encrypting attributes, we needed
to provide a hook that fired after the attributes were decoded. Hence we
came up with the ClientHook that can be specified globally (for all
clients) and/or per-client.

regards

Hugh


On 21 Aug 2010, at 06:58, Heikki Vatiainen wrote:

> On 08/20/2010 11:03 PM, Dave Kitabjian wrote:
>> Does anyone know where the "ClientHook" fits in this order-of-execution
>> sequence?
> 
> Seems to be between steps 6 and 7. The global ClientHook runs first and
> right after that the client specific ClientHook is called.
> 
> I also noticed that at least with version 4.7, the secret is checked
> after the hooks run, so the hooks can catch even those requests where
> the authenticator check fails. So even if the request fails with "Bad
> authenticator in request from ..." log message, the request would still
> have been available for processing with ClientHook(s).
> 
>> http://open.com.au/radiator/ref.pdf
>> 
>> 1. Server started
>> 2. StartupHook called
>> 3. Request received from NAS
>> 4. Global RewriteUsernames applied
>> 5. PreClientHook called
>> 6. Client clause selected
>> 7. Client RewriteUsernames applied
>> 8. Duplicate detection done
>> 9. PreHandlerHook called
>> 10. Handler selected
>> 11. PreProcessingHook called
>> 12. Handler's RewriteUsername and RewriteFunction applied
>> 13. Session database updated (accounting requests only)
>> 14. Accounting log files (AcctLogFileName and WtmpFileName) written
>> 15. PreAuthHook called
>> 16. AuthBy clauses invoked
>> 17. PostAuthHook called
>> 18. Statistics updated
>> 19. PostProcessingHook called (if there is a reply to be sent)
>> 
>> Integration
> 
> -- 
> Heikki Vatiainen, Arch Red Oy
> +358 44 087 6547


NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.






___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
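
What the "Bad authenticator" check mentioned in the thread above amounts to for accounting traffic, as an added example (not Radiator code and not part of the thread): RFC 2866 defines the Accounting-Request authenticator as MD5 over the packet with a zeroed authenticator field followed by the shared secret, so a hook that fires before this check is handling input that nobody has authenticated yet. The secret, the attribute values and the `hook_may_act` helper are constructed for the example.

```python
"""Added example: the Accounting-Request authenticator check (RFC 2866)."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code for Accounting-Request
HEADER_LEN = 20          # Code, Identifier, Length, 16-octet Authenticator
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def accounting_authenticator(header4, attributes, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header4 + b"\x00" * 16 + attributes + secret).digest()


def build_accounting_request(identifier, attributes, secret):
    """Build a constructed Accounting-Request the way a NAS would sign it."""
    header4 = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                          HEADER_LEN + len(attributes))
    digest = accounting_authenticator(header4, attributes, secret)
    return header4 + digest + attributes


def classify(packet, secret):
    """Return 'verified', 'bad-authenticator', 'unverifiable' or 'malformed'."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return "malformed"
    packet = packet[:length]   # octets beyond Length are padding
    if code != ACCOUNTING_REQUEST:
        # An Access-Request authenticator is a random value; the header
        # alone proves nothing about who sent the packet.
        return "unverifiable"
    expected = accounting_authenticator(packet[:4], packet[HEADER_LEN:], secret)
    if hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return "verified"
    return "bad-authenticator"


def hook_may_act(packet, secret):
    """Gate for side effects (database writes, external programs) in a hook
    that runs before the server's own authenticator check."""
    return classify(packet, secret) == "verified"


# Constructed sample data, not taken from any real NAS.
SECRET = b"constructed-shared-secret"
ATTRS = (encode_attr(USER_NAME, b"alice")
         + encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))   # Start
         + encode_attr(ACCT_SESSION_ID, b"0000A1B2"))
GENUINE = build_accounting_request(7, ATTRS, SECRET)
FORGED = build_accounting_request(7, ATTRS, b"guessed-secret")
TAMPERED = GENUINE[:-1] + bytes([GENUINE[-1] ^ 0x01])


def demo():
    """Classify the three constructed packets with the real secret."""
    return {name: classify(pkt, SECRET)
            for name, pkt in (("genuine", GENUINE), ("forged", FORGED),
                              ("tampered", TAMPERED))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-9s %s" % (name, verdict))
```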


[RADIATOR] ClientHook sequence?

2010-08-20 Thread Dave Kitabjian
Does anyone know where the "ClientHook" fits in this order-of-execution
sequence?

Dave

http://open.com.au/radiator/ref.pdf

1. Server started
2. StartupHook called
3. Request received from NAS
4. Global RewriteUsernames applied
5. PreClientHook called
6. Client clause selected
7. Client RewriteUsernames applied
8. Duplicate detection done
9. PreHandlerHook called
10. Handler selected
11. PreProcessingHook called
12. Handler's RewriteUsername and RewriteFunction applied
13. Session database updated (accounting requests only)
14. Accounting log files (AcctLogFileName and WtmpFileName) written
15. PreAuthHook called
16. AuthBy clauses invoked
17. PostAuthHook called
18. Statistics updated
19. PostProcessingHook called (if there is a reply to be sent)

Integration


RE: RE : (RADIATOR) Cisco IOS aaa ??

2003-07-28 Thread Dave Kitabjian
I don't know where my notes are, but we solved a couple of perplexing Cisco IOS Port 
Attribute related problems by issuing a configuration command into the Cisco config 
file. 

Something reminiscent of:

radius-server attribute nas-port format d

as mentioned at 
http://googleweb-1.cisco.com/search?q=cache:http://cco-rtp-1.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bfc.html+nasport+format&ie=UTF-8&site=CDC&output=xml_no_dtd&client=CDC&proxystylesheet=CDC&oe=UTF-8.
 But that's not the URL you need, though it might get you started.

Dave
:)

>-Original Message-
>From: DUFOUR Geoffrey [mailto:[EMAIL PROTECTED]
>Sent: Monday, July 28, 2003 11:00 AM
>To: Gary; [EMAIL PROTECTED]
>Subject: RE : (RADIATOR) Cisco IOS aaa ??
>
>Hi,
>
>We had the same problem with a 7200 IOS 12.2.13T.
>
>- missing port id in access-requests
>- port id = 0 in accounting requests
>- missing Class attribute in accounting requests
>
>I guess that we will have to rely on the Acct-Session-Id attribute if we
>need to handle accurate "port" usage and to limit simultaneous sessions.
>
>Geoffrey.
>
>
>-Original Message-
>From: Gary [mailto:[EMAIL PROTECTED]
>Sent: Monday, July 28, 2003 6:18
>To: [EMAIL PROTECTED]
>Subject: (RADIATOR) Cisco IOS aaa ??
>
>Since updating a 7200 on the weekend, we are now not getting port-id
>from the cisco.
>
>anyone seen this before and maybe have a fix ?
>
>Gary
>.
>
>
>
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on [EMAIL PROTECTED]
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.


RE: (RADIATOR) Invalid object name 'inerted'

2003-06-13 Thread Dave Kitabjian








Hmm. Do you mean other than the fact that “inserted”
is spelled wrong, presumably in a trigger attached to the ACCOUNTING table?

Dave

-Original Message-
From: Michel Bant [mailto:[EMAIL PROTECTED]
Sent: Friday, June 13, 2003 10:22 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Invalid object name 'inerted'

Hello all,

We try to write back some accounting to our SQL database.

We receive the following error message:

Fri Jun 13 16:16:46 2003: DEBUG: do query is: 'insert into ACCOUNTING (USERNAME) values ('qwerty')':
DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'inerted'. (SQL-42S02)(DBD: Execute immediate failed err=-1) at c:/Perl/site/lib/Radius/SqlDb.pm line 219.
Fri Jun 13 16:16:46 2003: ERR: do failed for 'insert into ACCOUNTING (USERNAME) values ('qwerty')': [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'inerted'. (SQL-42S02)(DBD: Execute immediate failed err=-1)
DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'inerted'. (SQL-42S02)(DBD: Execute immediate failed err=-1) at c:/Perl/site/lib/Radius/SqlDb.pm line 219.
Fri Jun 13 16:16:46 2003: ERR: do failed for 'insert into ACCOUNTING (USERNAME) values ('qwerty')': [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'inerted'. (SQL-42S02)(DBD: Execute immediate failed err=-1)
Fri Jun 13 16:16:46 2003: DEBUG: Accounting accepted

Part of the script that we use to take care of the accounting is:

  AuthSelect    select e.password, e.timeleft, e.timelimit, e.defaultroute from users e where e.username = %0 and dialaccess=1
  DBSource dbi:ODBC: ***
  DBUsername    ***
  DBAuth    ***

  AuthColumnDef 0, Password, check

  AccountingTable    ACCOUNTING
  AcctColumnDef USERNAME,User-Name
  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
  AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
  AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
  AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
  AcctColumnDef ACCTSESSIONID,Acct-Session-Id
  AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
  AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
  AcctColumnDef NASIDENTIFIER,NAS-Identifier
  AcctColumnDef NASPORT,NAS-Port,integer
  AcctColumnDef NASPORTTYPE,NAS-Port-Type
  AcctColumnDef MULTILINKID,Ascend-Multilink-ID
  AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
  AcctColumnDef CALLINGID,Calling-Station-Id
  AcctColumnDef Calledstation_ID,Called-Station-Id

Does anyone know what we did wrong?

Kind regards,

Michel Bant

 

 










RE: (RADIATOR) ISDN fails but Analog fine

2003-04-04 Thread Dave Kitabjian
What brand NAS do you use?

We found that with Cisco NASes (5300's, eg), some ISDN people had
problems getting the PPP connection up, even after passing authentication
(I guess IPCP was failing). Strangely, it seemed that if we took out the
Idle-Timeout reply item attribute, lots of these people were able to get
on okay!? (Of course, then they had dedicated connections :-\ )

Dave

 > -Original Message-
 > From: Greg 'Rafiq' Clarkson [mailto:[EMAIL PROTECTED] 
 > Sent: Friday, April 04, 2003 2:46 AM
 > To: [EMAIL PROTECTED]
 > Subject: (RADIATOR) ISDN fails but Analog fine
 > 
 > 
 > Hi all,
 > 
 > An 'upstream' radius server is our dialup proxy and sends us 
 > access requests.  We are using radiator 3.3.1  
 > 
 > With no change to our system we are having problems with 
 > ISDN customers for the last couple of days.
 > 
 > There is no logging in Radius even at trace level 4 but 
 > TCPdump reports the following packet:
 > 
 > 17:18:54.615868 upstream.radacct > myradius_server.radacct: 
 > rad-account-req 445 [id 232] Attr[  
 > Acct_session_id{29F9} Framed_proto{#452}#196#198#255 ] (DF)
 > 
 > Can anyone decrypt the Framed_proto{#452}#196#198#255 
 > 
 > For the analogue users this is normally:
 > 17:18:53.055206 upstream.radacct > myradius_server.radacct: 
 > rad-account-req 423 [id 52] Attr[  Acct_session_id{449D} 
 > Framed_proto{#264} 
 > Framed_ipaddr{dialup-108.179.220.203.acc01-rowa-wan.comindico.com.au}#196#198 ] (DF) .
 > 
 > 
 > I don't know if this can help me to solve my problem or if 
 > it is a red herring.
 > 
 > 
 > Thanks
 > 
 > 
 > 


RE: (RADIATOR) AuthBy in an Accounting-Request

2003-02-19 Thread Dave Kitabjian
If that's truly all it does in this scenario, I would think that we can
get rid of the AuthBy and replace it with:

    AccountingHandled

    http://www.open.com.au/radiator/ref.html#pgfId=363868

Am I right?

Dave

-Original Message-
From: Matthew Trout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 12:19 PM
To: Dave Kitabjian; [EMAIL PROTECTED]
Subject: RE: (RADIATOR) AuthBy in an Accounting-Request

I believe you still need something to return a packet to
register the logging; we just use an AuthBy TEST clause to do so. There may be
a cleaner way to do this (since TEST generates a line in the logfile every
time); if there is, would someone care to enlighten me?

> -Original Message-
> From: Dave Kitabjian [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 4:43 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) AuthBy in an Accounting-Request
>
> Given the following:
>
>
>   ...
>
>   AuthBy  LDAP_SERVER_1
>
>
> am I correct in assuming that the AuthBy specifier would be completely
> ignored and irrelevant since no Access-Requests will ever be handled
> here?
>
> Dave


(RADIATOR) AuthBy in an Accounting-Request

2003-02-19 Thread Dave Kitabjian
Given the following:



...

  AuthBy  LDAP_SERVER_1



am I correct in assuming that the AuthBy specifier would be completely
ignored and irrelevant since no Access-Requests will ever be handled
here?

Dave



(RADIATOR) hostname -s ?

2003-02-13 Thread Dave Kitabjian
Hello!

I noticed that %h returns the equivalent of our "hostname" command,

    rad1.domain.net
    rad2.domain.net
    rad3.domain.net

However, it would be nice if I could just have the host's name, as in
the command "hostname -s":

    rad1
    rad2
    rad3

I could probably do a regexp to get what I want, but a special character
would be handy. In fact, I wouldn't mind if the default behavior of %h
was changed to "hostname -s"...

Dave
:)


(RADIATOR) AuthLog + ContinueWhileReject behavior?

2002-12-13 Thread Dave Kitabjian
Hello!

Here is my config: 




   AuthBy LDAP_GROUP

   AuthLog  AUTH_LOGGER


 

   Identifier LDAP_GROUP
  
   AuthByPolicy   ContinueWhileReject
   AuthBy LDAP_AUTH_1
   AuthBy LDAP_AUTH_2



   
Identifier  AUTH_LOGGER
...


I seem to be observing the following behavior: if a user fails at
LDAP_AUTH_1 and then continues on to LDAP_AUTH_2, the only
authentication attempt logged by AUTH_LOGGER is the LAST one, not both.

Is that the correct behavior? It's presenting a problem to us. If a user
is typing the wrong password and that's why they fail at LDAP_AUTH_1,
they will move on to LDAP_AUTH_2, get "no such user", and the authby
logs, which are visible to our techs, only see "no such user". They
don't see the real reason he failed in the first place: bad password.

Am I missing something? Is there a way to capture both AuthBy attempts
in the AuthLog?

Thanks!

Dave
:)



RE: (RADIATOR) What is the order?

2002-11-26 Thread Dave Kitabjian
I would think the easiest way to find out is to set your Debug level to
4 and then use radpwtst to send a few authentication/accounting requests
to Radiator. Then, check the log file, and I think it will show you most
or all of those statements right there...

Dave

> -Original Message-
> From: Sergio Gonzalez [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, November 26, 2002 3:21 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) What is the order?
> 
> 
> Hello everyone.
> 
> Can some one tell me what happens first when a Stop 
> Accounting-Request arrives at radiator?
> 
> First the different AcctSQLStatement statements are executed, 
> then the DeleteQuery statement is executed, or
> 
> First the DeleteQuery statement is executed, then the different 
> AcctSQLStatement statements.
> 
> I need to know this because I want some info stored in the 
> RADONLINE table to update another table at the Stop event, but 
> before the entry is deleted.
> 
> Thanks a lot.
> 
> 
> 
> Sergio Alejandro Gonzalez
> Director Operativo
> Network and Services Field Manager
> SkyNet de Colombia.
> Calle 100 No. 8A-55 Of. 711
> Bogota, Cundinamarca
> Colombia, South America.
> Tel: 57 (+1) 6 422 020
> Cel: 57 (+3)/(03315) 3551034
> Pager: 540, 346 Cod 2010
> 



RE: (RADIATOR) Renaming cisco-avpair

2002-11-06 Thread Dave Kitabjian
This may not be worth much, but...

You might consider deleting each cisco-avpair attribute from the list after you recode 
it, and then add it back in "the right way", such as cisco-avpair-connect-progress = 
"41". That way, you'll get the next one in line the next time you call get_attr() 
because the first one will be gone.

Dave
:)

> -Original Message-
> From: GermanG [mailto:gaticag@;hotmail.com] 
> Sent: Wednesday, November 06, 2002 3:56 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Renaming cisco-avpair
> 
> 
> Hello,
> 
> I would like to save Radius accounting tickets from a Cisco 
> AS5300 in a SQL database but Cisco AS5300 is sending multiple 
> attributes cisco-avpair. I would like to save all 
> cisco-avpair so I need to rename them. For example, An 
> original cisco-avpair like this: cisco-avpair = 
> "connect-progress=41" I want it like this: 
> cisco-avpair-connect-progress = "41" or just connect-progress = "41"
> 
> I made a hook (based on /goodies/hooks.txt) to add a new 
> attribute for each cisco-avpair. But this hook only catches the 
> first cisco-avpair and I cannot find the way to analyze the 
> rest of the cisco-avpair attributes.
> 
> Hook code:
> 
> # -*- mode: Perl -*-
> # Converts cisco-avpair into different attributes
> #
> sub
> {
>     my $p = ${$_[0]};
>     my $ciscoavpair;
>     my $ciscoavpair_name;
>     my $ciscoavpair_value;
>     # Scalar context: get_attr returns only the first cisco-avpair
>     if ($ciscoavpair = $p->get_attr('cisco-avpair'))
>     {
>         # Split at the first '=': $` is the text before it, $' the text after
>         $ciscoavpair =~ /=/;
>         $ciscoavpair_name = $`;
>         $ciscoavpair_value = $';
>         $p->add_attr("cisco-avpair-$ciscoavpair_name", $ciscoavpair_value)
>     }
>     return;
> }
> #
> 
> 
> I've read the "sub get_attr" from /Radius/AttrVal.pm and 
> found that if you ask for an attribute in a scalar context 
> it only returns the first one (that's my case!). How can I ask 
> for an attribute in another way? (maybe as an array but, 
> How?) Does anybody have anything that could help on this?
> 
> I've tried with a "while" instead of an "if", the result was 
> a loop with the same (first) cisco-avpair. If I add a 
> "->delete_attr" after the add, the result (as said in 
> /Radius/AttrVal.pm ) deletes all cisco-avpair.
> 
> 
> Best Regards,
> German Gatica
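
The approach discussed in this thread (read every cisco-avpair, delete the originals, add each back under its own name), as an added example that is not code from the original posts or from Radiator. The `AttrList` package is a stand-in written for this example; it mimics only the behaviour the post describes for /Radius/AttrVal.pm (scalar-context get_attr returns the first value, delete_attr removes every instance), and its list-context get_attr returning all values is an assumption to check against your Radiator version.

```perl
#!/usr/bin/perl
# Added example: split every cisco-avpair in a request into its own attribute.
use strict;
use warnings;

# --- Stand-in for the packet's attribute list (hypothetical, example only).
package AttrList;

sub new { my ($class) = @_; return bless { Attributes => [] }, $class; }

sub add_attr {
    my ($self, $name, $value) = @_;
    push @{ $self->{Attributes} }, [ $name, $value ];
    return;
}

sub get_attr {
    my ($self, $name) = @_;
    my @values = map { $_->[1] } grep { $_->[0] eq $name } @{ $self->{Attributes} };
    # Scalar context: first value only (as the post observed).
    # List context: all values (assumption for this example).
    return wantarray ? @values : $values[0];
}

sub delete_attr {
    my ($self, $name) = @_;
    @{ $self->{Attributes} } = grep { $_->[0] ne $name } @{ $self->{Attributes} };
    return;
}

package main;

# --- The hook. Same calling convention as the hook in the post: $_[0] is a
# reference to the request packet.
my $split_avpairs = sub {
    my $p = ${ $_[0] };

    # List context, so every cisco-avpair is returned, not just the first.
    my @pairs = $p->get_attr('cisco-avpair');
    return unless @pairs;

    # Remove the originals once, then add each one back under its own name.
    $p->delete_attr('cisco-avpair');
    foreach my $pair (@pairs) {
        # Split on the first '=' only; the value may itself contain '='.
        my ($name, $value) = split /=/, $pair, 2;
        if (!defined $value || $name !~ /^[A-Za-z0-9_-]+$/) {
            # Not name=value, or a name that is unsafe to turn into an
            # attribute or SQL column name: keep the pair unchanged rather
            # than lose accounting data or trust NAS-supplied text.
            $p->add_attr('cisco-avpair', $pair);
            next;
        }
        $p->add_attr("cisco-avpair-$name", $value);
    }
    return;
};

# --- Constructed sample request; the avpair values are taken from examples
# quoted on this page, the last one is deliberately malformed.
my $p = AttrList->new;
$p->add_attr('User-Name',    'tmeyers');
$p->add_attr('cisco-avpair', 'connect-progress=41');
$p->add_attr('cisco-avpair', 'disc-cause-ext=PPP Receive Term');
$p->add_attr('cisco-avpair', 'malformed-pair-without-equals');

$split_avpairs->(\$p);
printf "%s = \"%s\"\n", @$_ for @{ $p->{Attributes} };
```
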



(RADIATOR) password encryption and proxying to iPass

2002-11-06 Thread Dave Kitabjian

I just observed something, but maybe someone can tell me if I'm right or
confused...

I just noticed that foreign iPass users hitchhiking on our network (aka, "iPass
outbound") are showing up in our Authentication Log, complete with clear text
passwords.

Now, I know this info is MD5 encrypted between the NAS and Radiator, and then
later it's encrypted between the local outbound iPass server and the central
iPass network via a proprietary iPass protocol. But I guess internal to Radiator
it's inevitable that the passwords be available in clear text? Or maybe it's
only necessary for CHAP, but PAP can store the p/w encrypted so it's NEVER in
cleartext?

Thanks all,

Dave
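
For reference on the PAP case raised above, an added example (not Radiator code and not part of the original post) of the User-Password hiding defined in RFC 2865 section 5.2: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so any RADIUS hop holding the shared secret can reverse it, and a proxy has to do so before re-hiding the value for the next hop. The secrets, authenticators and password are constructed values.

```perl
#!/usr/bin/perl
# Added example: RFC 2865 section 5.2 User-Password hiding and its reversal.
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Keystream block i is MD5(secret . previous_hidden_block); for the first
# 16 octets the "previous block" is the 16-octet Request Authenticator.
sub hide_password {
    my ($password, $secret, $authenticator) = @_;
    die "authenticator must be 16 octets\n" unless length($authenticator) == 16;
    die "password longer than 128 octets\n" if length($password) > 128;

    # Pad with NULs to a non-zero multiple of 16 octets.
    my $padded = $password;
    my $rem    = length($padded) % 16;
    $padded .= "\0" x (16 - $rem) if $rem || !length($padded);

    my ($hidden, $prev) = ('', $authenticator);
    for (my $i = 0; $i < length($padded); $i += 16) {
        my $block = substr($padded, $i, 16) ^ md5($secret . $prev);
        $hidden .= $block;
        $prev = $block;    # chain on the hidden block, not the cleartext
    }
    return $hidden;
}

# What the receiving server does with the attribute value.
sub recover_password {
    my ($hidden, $secret, $authenticator) = @_;
    die "authenticator must be 16 octets\n" unless length($authenticator) == 16;
    die "hidden password must be 16 to 128 octets, in 16-octet blocks\n"
        if !length($hidden) || length($hidden) % 16 || length($hidden) > 128;

    my ($clear, $prev) = ('', $authenticator);
    for (my $i = 0; $i < length($hidden); $i += 16) {
        my $block = substr($hidden, $i, 16);
        $clear .= $block ^ md5($secret . $prev);
        $prev = $block;
    }
    $clear =~ s/\0+\z//;    # strip the NUL padding
    return $clear;
}

# --- Constructed values for the demonstration.
my $nas_secret   = 'constructed-nas-secret';
my $proxy_secret = 'constructed-proxy-secret';
my $ra_nas       = pack 'H*', '0f1e2d3c4b5a69788796a5b4c3d2e1f0';
my $ra_proxy     = pack 'H*', 'a1b2c3d4e5f60718293a4b5c6d7e8f90';

# NAS -> first server: hidden on the wire, cleartext once received.
my $from_nas = hide_password('roaming user passphrase', $nas_secret, $ra_nas);
my $clear    = recover_password($from_nas, $nas_secret, $ra_nas);

# First server -> next RADIUS hop: different secret and authenticator, so the
# value has to be recovered and hidden again.
my $to_next = hide_password($clear, $proxy_secret, $ra_proxy);

printf "NAS -> server (hex)     : %s\n", unpack 'H*', $from_nas;
printf "inside the server       : %s\n", $clear;
printf "server -> next hop (hex): %s\n", unpack 'H*', $to_next;
printf "next hop recovers       : %s\n",
    recover_password($to_next, $proxy_secret, $ra_proxy);
```
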


RE: (RADIATOR) Port-Error

2002-10-16 Thread Dave Kitabjian

We've gotten Port-Errors now and then over the years. But sadly, I
haven't been able to figure out what they mean. The RFC doesn't say
much, and I've never tracked down the manufacturer info that explains
exactly what it means.

Sorry,

Dave

> -Original Message-
> From: Mohammed AbdusSami [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, October 15, 2002 9:24 PM
> To: 'Hugh Irvine'
> Cc: [EMAIL PROTECTED]
> Subject: (RADIATOR) Port-Error
> 
> 
> Dear Hugh,
> 
> Following is the stop record of my accounting configuration. 
> The cause of termination of this is PORT-ERROR. Can you 
> please tell me what it means?
> 
> 
> Mon Oct 14 04:12:16 2002
>   NAS-IP-Address = 212.26.73.240
>   NAS-Port = 132
>   NAS-Port-Type = Async
>   User-Name = "[EMAIL PROTECTED]"
>   Called-Station-Id = "3602428"
>   Calling-Station-Id = "33610711"
>   Acct-Status-Type = Stop
>   Acct-Authentic = RADIUS
>   Service-Type = Framed-User
>   Acct-Session-Id = "000DDA8A"
>   Framed-Protocol = PPP
>   Framed-IP-Address = 212.24.231.64
>   Acct-Terminate-Cause = Port-Error
>   Acct-Input-Octets = 980238
>   Acct-Output-Octets = 9946394
>   Acct-Input-Packets = 11304
>   Acct-Output-Packets = 10777
>   Acct-Session-Time = 8201
>   Acct-Delay-Time = 0
>   Timestamp = 1034557936
> 
> Regards,
> 
> AbdusSami
> 
> 
> 



RE: (RADIATOR) Mac OS X Questions

2002-10-10 Thread Dave Kitabjian

>  I have just had a quick look at the 
> ODBC Administrator application, and it looks like it should 
> do the job 
> nicely.

What is this ODBC Administrator app? Is that another OS X SERVER
specialty, or is it a 3rd party piece of software?

Dave



RE: (RADIATOR) Mac OS X Questions

2002-10-10 Thread Dave Kitabjian

> Mac OS X has a built-in process monitoring 
> software called watchdog. The idea seems similar to restartWrapper. 

Hey, I don't recall "watchdog". Is that unique to Mac OS X SERVER or is
it also in the consumer OS X? Is it new to Jaguar (10.2)?

Dave 



RE: (RADIATOR) Request feature: DictionaryFileList

2002-09-17 Thread Dave Kitabjian

I like this idea. I'd much rather have all my custom dictionary entries
in a separate, concise file.

Dave

> -Original Message-
> From: Mariano Absatz [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, September 16, 2002 4:34 PM
> To: Radiator Mailinglist
> Subject: (RADIATOR) Request feature: DictionaryFileList
> 
> 
> Hi Hugh, Mike,
> 
> every time I have a new Radiator setup, you get this awful 
> bunch of requests 
> and comments :-P
> 
> Now to business... I normally use the standard latest dictionary file 
> included in Radiator, but many times, I have to add a couple 
> of attributes 
> either from one of the other dictionaries or other 
> vendor-specific that we 
> develop for custom applications (yes we do have and use our 
> own public vendor 
> number).
> 
> It'd be nice if I could specify more than one file in 
> DictionaryFile and that 
> the actual dictionary be made from the concatenation of those 
> files like:
> 
> DictionaryFileList ./dictionary ./dictionary.local 
> ./dictionary.redback
> 
> In fact, that would allow you to decouple all the specialized 
> dictionaries 
> erasing all the "common" attributes and values...
> 
> I'll be bothering you more any time soon ;-)
> 
> --
> Mariano Absatz
> El Baby
> --
> I'm not a complete idiot, some parts are missing! 



RE: (RADIATOR) Expiration

2002-08-14 Thread Dave Kitabjian

Well, in MS Sql Server you should be able to do something like:

    update USERS
    set EXPIRATION=DATEADD(mm, 3, '%Y-%m-%d')
    where .

I don't use SQL with Radiator, so I'm assuming that Radiator will parse the %Y
stuff before passing it along to the database.

Let me know!

Dave
:)

  
> -Original Message-
> From: Radius Admin [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 10:11 AM
> To: Dave Kitabjian; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Expiration
>
> Dave,
>
> I am now using this:
>
> AcctSQLStatement update USERS set EXPIRATION='%Y-%m-%d' where .
>
> I would like the month to be 3 months from the current date. ie. +3.
> How do I do this?
>
> Thanks
>
> > - Original Message -----
> > From: Dave Kitabjian
> > To: Radius Admin ; [EMAIL PROTECTED]
> > Sent: Tuesday, August 13, 2002 2:30 AM
> > Subject: RE: (RADIATOR) Expiration
> >
> > There are a whole mess of date formatting options in the manual:
> >
> >     http://www.open.com.au/radiator/ref.html#pgfId=290952
> >
> > Let me know how you make out!
> >
> > Dave
 

  
> > > -Original Message-
> > > From: Radius Admin [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, August 12, 2002 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: (RADIATOR) Expiration
> > >
> > > I am trying to update an EXPIRATION field which is a date field in my
> > > users database.
> > >
> > > I am trying to use the following statement.
> > >
> > > AcctSQLStatement update USERS set EXPIRATION=%t+7776000 where...
> > >
> > > Is there anyway for me to format the value of "%t+7776000" to a format
> > > which is acceptable to mysql date format.
> > >
> > > Thanks
   


RE: (RADIATOR) Expiration

2002-08-12 Thread Dave Kitabjian

There are a whole mess of date formatting options in the manual:

    http://www.open.com.au/radiator/ref.html#pgfId=290952

Let me know how you make out!

Dave

TABLE 2. DateFormat special characters

Specifier   Is replaced at run-time by:
---------   ---------------------------
%%          The percent character
%a          Day of the week, abbreviated
%A          Day of the week
%b          Month, of the year, abbreviated
%B          Month of the year
%c          ctime format: e.g. Sat Nov 19 21:05:57 1994
%d          Numeric day of the month DD, with a leading 0 if necessary.
%e          Numeric day of the month, no leading 0.
%D          MM/DD/YY
%h          Month of year, abbreviated
%H          Hour, 24 hour clock, leading 0
%I          Hour, 12 hour clock, leading 0
%j          Day of the year
%k          Hour
%l          Hour, 12 hour clock
%m          Month number (starting with Jan = 1)
%M          Minute, leading 0
%n          NEWLINE character
%o          Ornate day of month e.g. "1st", "2nd", "25th", ...
%p          `AM' or `PM'
%r          Time format: 09:05:57 PM
%R          Time format: 21:05
%S          Seconds, leading 0
%t          TAB character
%T          time format: 21:05:57
%U          Week number, Sunday as first day of week
%w          Day of the week, numerically, Sunday == 0
%W          Week number, Monday as first day of week
%x          Date format: 11/19/94
%X          Time format: 21:05:57
%y          Year (2 digits)
%Y          Year (4 digits)
%Z          Timezone in ascii. eg: PST

  
> -Original Message-
> From: Radius Admin [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 12, 2002 11:32 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Expiration
>
> I am trying to update an EXPIRATION field which is a date field in my
> users database.
>
> I am trying to use the following statement.
>
> AcctSQLStatement update USERS set EXPIRATION=%t+7776000 where...
>
> Is there anyway for me to format the value of "%t+7776000" to a format
> which is acceptable to mysql date format.
>
> Thanks
   


RE: (RADIATOR) DATE

2002-07-31 Thread Dave Kitabjian

Well, there is no one "valid DATE Type", unfortunately. Every
application has its own standard :-\

But to get a date that Sql Server didn't reject, we had to remove the
Day of Week portion, such as "Mon", "Tue", etc. I think that was all it
took.

Dave

> -Original Message-
> From: auth admin [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, July 30, 2002 10:53 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) DATE
> 
> 
> We have made our custom windows app to access RADUSERS table, the 
> fields 
> VALIDFROM and VALIDTO are integer types. What is the formula 
> to convert 
> these fields to a valid DATE Type, so we can automatically 
> manage valid 
> dates of the accounts we create.
> 
> chris



RE: (RADIATOR) Timestamp attribute

2002-07-24 Thread Dave Kitabjian

Interesting question.

The question for you is, what event do you want the stamp for?

The Timestamp attribute indicates, I think, when the RADIUS packet is
actually sent by the NAS. 

The line at the top:

Wed Jul 24 12:59:01 2002
  Acct-Session-Id = "0002BAA0"
Framed-Protocol = PPP

indicates when RADIATOR generated the record. 

Your 2nd Timestamp attribute might be when RADIATOR is acting like a NAS
and proxying the packet to the next RADIUS server. In theory, that could
be minutes or hours later.

So, which of these events do you want to capture? You may want to write
a hook to throw out preexisting Timestamp attributes before you proxy
them over to the next RADIUS server...

Dave
:)

> -Original Message-
> From: Viraj Alankar [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, July 24, 2002 9:36 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Timestamp attribute
> 
> 
> Hello,
> 
> From what I can understand, the timestamp used in AuthSQL for 
> accounting is the Timestamp attribute that is created in the 
> request packet by the current time minus Acct-Delay-Time.
> 
> However, when I have one Radiator proxying to another, the 
> 2nd Radiator ends up with 2 different Timestamp attributes. 
> It isn't clear to me which one will be used by the 2nd 
> Radiator. I see get_attr in the code being called for this 
> value but wouldn't this just return the first (incorrect) 
> Timestamp value?
> 
> Would it be better for me to depend on a database function 
> for the timestamp? For example, with an insert statement similar to:
> 
> ..., now() - 0%{Acct-Delay-Time}, ...
> 
> Viraj.



RE: (RADIATOR) Error in AuthLog

2002-07-24 Thread Dave Kitabjian

I might be confusing the issue, but I know that we often get a Reason =
Proxied in our AuthLog.

In our case, we have a ContinueWhileReject AuthByPolicy, and if the
first AuthBy fails then the second one is an AuthBy RADIUS. So we were a
little confused at first to see the "Proxied" in the AuthLog, rather
than the reason for the failure. But we assumed it was because it
was failing over to an AuthBy RADIUS, and it hadn't failed completely
yet...

Dave

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, July 23, 2002 6:11 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Error in AuthLog
> 
> 
> 
> Hello Miko -
> 
> I am not sure what your question is - what exactly is the problem?
> 
> regards
> 
> Hugh
> 
> On Wed, 24 Jul 2002 02:25, [EMAIL PROTECTED] wrote:
> > New to the list,,, just curious about a strange possible config 
> > problem...
> >
> > It appears that when a proxy-user fails auth radiator adds
> >
> > "Reply-Message=Proxied"
> >
> > to the response packet, and thus this error gets logged in my 
> > authlog...
> >
> > I am using the following as my FailureQuery:
> >
> > INSERT INTO RADAUTHLOG_%{GlobalVar:nwk} (USERNAME, REALM, 
> TIME_STAMP, 
> > NASID, CALLEDID, CALLINGID, REASON) VALUES ('%u', '%R', '%m/%d/%Y 
> > %H:%M:%S', '%c', '%{Called-Station-Id}', 
> '%{Calling-Station-Id}', %1)
> >
> >
> >
> > Any thoughts or ideas would be most helpful...
> >
> > -Miko
> >
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS 
> server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, 
> NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, 
> extensible, flexible with hardware, software, platform and 
> database independence.



RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-11 Thread Dave Kitabjian

Bernhard and Claudio,

Thanks so much for the heads up!

That seems to have fixed it. Since I can't find specs on exactly how format
"c" is encoding info into that port, I don't really know for sure. But the
count of onliners has gone up rapidly as soon as I added that line to our
configs.

The ports being reported are all in the 7000 and 8000 ranges, for whatever
reason. If anyone has info about exactly how they encode the slot and
shelf into this value, I'd be interested in checking it out.

Thanks again to all!

Dave

  
> -Original Message-
> From: Bernhard Conoplia [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 10, 2002 7:12 PM
> To: Dave Kitabjian
> Subject: RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
>
> Hi Dave,
>
> Have a try with the IOS command "radius-server attribute nas-port format
> c". From memory this command is designed to ensure that the NAS-port
> format in preauth and user authentications match appropriately, ie. the
> id is the same before and after an Async port has been assigned, so it
> must be based on the ISDN channel.  Our 5400's present a 4 digit
> NAS-Port-Id, obviously more granular than the 3 digit id. Cisco says
> that "theoretically" there are still circumstances when duplicates can
> occur, but we've had no problems with approx 150 NAS's.
>
> Probably worth a try - let me know how you go.
>
> Regards,
>
> Bernhard
>
> > -Original Message-
> > From: Dave Kitabjian [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 11, 2002 7:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
> >
> > I finally tracked down the reason why our Online DB has been reporting
> > a much lower count of onliners than are actually online.
> >
> > Look at the attached sequence of two accounting records. tmeyers logs
> > on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while
> > he's still online, cheezwhiz logs off of the same NAS and Port,
> > clobbering tmeyers' entry in the online DB.
> >
> > But how can two people have been on the same port at the same time,
> > you ask? The answer is that when Cisco is (again) lazy, it's easy to
> > happen. If you look at the Cisco-NAS-Port attribute, you'll see that
> > they are really on two distinct ports. Cisco is just taking a portion
> > of the info and plopping it in NAS-Port, even though that means that
> > many people can be on the same NAS-Port at once. Most manufacturers
> > come up with a procedure for encoding all that
> > "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port
> > number and then put that in NAS-Port.
> >
> > Now, if we were enforcing concurrency limits we'd be even more
> > screwed.
> >
> > Has anyone else experienced this? How are you dealing with it? Does
> > Radiator have any solutions? I wonder if using the Acct-Session-Id for
> > deletions would be more reliable than matching NAS/Port combos.
> > Comments welcome!
> >
> > Dave
> > _
> >
> > Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 
> > Code:   Accounting-Request
> > Identifier: 188
> > Authentic:  <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
> > Attributes:
> >     Acct-Session-Id = "87C2"
> >     Framed-Protocol = PPP
> >     Connect-Info = "46667/24000 V90/V42bis/LAPM"
> >     cisco-avpair = "connect-progress=Call Up"
> >     Acct-Authentic = RADIUS
> >     Acct-Status-Type = Start
> >     User-Name = "tmeyers"
> >     Acct-Multi-Session-Id = "511D"
> >     Acct-Link-Count = "<0><0><0><2>"
> >     Framed-Address = 216.118.88.4
> >     Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"
> >     NAS-Port = 105
> >     NAS-Port-Type = Async
> >     Class = "netcarrier.com"
> >     Service-Type = Framed-User
> >     NAS-IP-Address = 216.118.66.25
> >     Event-Timestamp = 1026329001
> >     Acct-Delay-Time = 0
> >
> > Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 
> > Code:   Accounting-Request
> > Identifier: 239
> > Authentic:  <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
> > Attributes:
> >     Acct-Session-Id = "84AB"
> >     Framed-Protocol = PPP
> >     cisco-avpair = "connect-progress=Call Up"
> >     Acct-Session-Time = 2897
> >     Connect-Info = "49333/24000 V90/V42bis/LAPM"
> >     Acct-Input-Octets = 349671
> >     Acct-Output-

RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-11 Thread Dave Kitabjian

Hugh and Frank,

Thanks for the great ideas. The included hook is nice, although I think
it assumes a single Async card, so that would have to be added to get it
to work. This would be a good solution if there wasn't a better
one...See my next email...

D

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, July 11, 2002 3:18 AM
> To: Frank Danielson; Dave Kitabjian; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Cisco, non-unique NAS-Ports, 
> clobbering Online DB
> 
> 
> 
> Hello Dave, Hello Frank -
> 
> There is an example hook that does exactly this in 
> "goodies/hooks.txt".
> 
> regards
> 
> Hugh
> 
> 
> On Thu, 11 Jul 2002 10:39, Frank Danielson wrote:
> > How about handling it with a preclient hook in the client clause to 
> > strip the number you want out of the Cisco-NAS-Port attribute and 
> > stuff it into the NAS-Port attribute.
> >
> > -Original Message-
> > From: Dave Kitabjian [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, July 10, 2002 5:25 PM
> > To: [EMAIL PROTECTED]
> > Subject: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering 
> Online DB
> >
> >
> >
> > I finally tracked down the reason why our Online DB has 
> been reporting 
> > a much lower count of onliners than are actually online.
> >
> > Look at the attached sequence of two accounting records. 
> tmeyers logs 
> > on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while 
> > he's still online, cheezwhiz logs off of the same NAS and Port, 
> > clobbering tmeyers' entry in the online DB.
> >
> > But how can two people have been on the same port at the same time, 
> > you ask? The answer is that when Cisco is (again) lazy, 
> it's easy to 
> > happen. If you look at the Cisco-NAS-Port attribute, you'll 
> see that 
> > they are really on two distinct ports. Cisco is just taking 
> a portion 
> > of the info and plopping it in NAS-Port, even though that 
> means that 
> > many people can be on the same NAS-Port at once. Most manufacturers 
> > come up with a procedure for encoding all that 
> > "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port 
> > number and then put that in NAS-Port.
> >
> > Now, if we were enforcing concurrency limits we'd be even more 
> > screwed.
> >
> > Has anyone else experienced this? How are you dealing with it? Does 
> > Radiator have any solutions? I wonder if using the 
> Acct-Session-Id for 
> > deletions would be more reliable than matching NAS/Port combos. 
> > Comments welcome!
> >
> > Dave
> > _
> >
> > Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 
> > Code:   Accounting-Request
> > Identifier: 188
> > Authentic:  
> > <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
> > Attributes:
> > Acct-Session-Id = "87C2"
> > Framed-Protocol = PPP
> > Connect-Info = "46667/24000 V90/V42bis/LAPM"
> > cisco-avpair = "connect-progress=Call Up"
> > Acct-Authentic = RADIUS
> > Acct-Status-Type = Start
> > User-Name = "tmeyers"
> > Acct-Multi-Session-Id = "511D"
> > Acct-Link-Count = "<0><0><0><2>"
> > Framed-Address = 216.118.88.4
> > Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"
> > NAS-Port = 105
> > NAS-Port-Type = Async
> > Class = "netcarrier.com"
> > Service-Type = Framed-User
> > NAS-IP-Address = 216.118.66.25
> > Event-Timestamp = 1026329001
> > Acct-Delay-Time = 0
> >
> >
> > Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 
> > Code:   Accounting-Request
> > Identifier: 239
> > Authentic:  
> <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
> > Attributes:
> > Acct-Session-Id = "84AB"
> > Framed-Protocol = PPP
> > cisco-avpair = "connect-progress=Call Up"
> > Acct-Session-Time = 2897
> > Connect-Info = "49333/24000 V90/V42bis/LAPM"
> > Acct-Input-Octets = 349671
> > Acct-Output-Octets = 2362531

RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-11 Thread Dave Kitabjian

They are 5400s. Are you sure you're not confusing the Cisco-NAS-Port
with the NAS-Port?

D

> -Original Message-
> From: Vangelis Kyriakakis [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, July 11, 2002 3:44 AM
> To: Dave Kitabjian
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Cisco, non-unique NAS-Ports, 
> clobbering Online DB
> 
> 
> What kind of Cisco NAS are you using? We have never faced 
> such a problem with Cisco 5300 and Cisco 3640. It always 
> gives either an AsyncXXX or a SerialX:XX (SerialX/XX:XX)  format
> 
>  Regards
>  Vangelis
> 
> Dave Kitabjian wrote:
> 
> > I finally tracked down the reason why our Online DB has 
> been reporting 
> > a much lower count of onliners than are actually online.
> >
> > Look at the attached sequence of two accounting records. 
> tmeyers logs 
> > on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while 
> > he's still online, cheezwhiz logs off of the same NAS and Port, 
> > clobbering tmeyers' entry in the online DB.
> >
> > But how can two people have been on the same port at the same time, 
> > you ask? The answer is that when Cisco is (again) lazy, 
> it's easy to 
> > happen. If you look at the Cisco-NAS-Port attribute, you'll 
> see that 
> > they are really on two distinct ports. Cisco is just taking 
> a portion 
> > of the info and plopping it in NAS-Port, even though that 
> means that 
> > many people can be on the same NAS-Port at once. Most manufacturers 
> > come up with a procedure for encoding all that 
> > "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port 
> > number and then put that in NAS-Port.
> >
> > Now, if we were enforcing concurrency limits we'd be even more 
> > screwed.
> >
> > Has anyone else experienced this? How are you dealing with it? Does 
> > Radiator have any solutions? I wonder if using the 
> Acct-Session-Id for 
> > deletions would be more reliable than matching NAS/Port combos. 
> > Comments welcome!
> >
> > Dave
> > _
> >
> > Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 
> > Code:   Accounting-Request
> > Identifier: 188
> > Authentic: 
> <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
> > Attributes:
> > Acct-Session-Id = "87C2"
> > Framed-Protocol = PPP
> > Connect-Info = "46667/24000 V90/V42bis/LAPM"
> > cisco-avpair = "connect-progress=Call Up"
> > Acct-Authentic = RADIUS
> > Acct-Status-Type = Start
> > User-Name = "tmeyers"
> > Acct-Multi-Session-Id = "511D"
> > Acct-Link-Count = "<0><0><0><2>"
> > Framed-Address = 216.118.88.4
> > Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"
> > NAS-Port = 105
> > NAS-Port-Type = Async
> > Class = "netcarrier.com"
> > Service-Type = Framed-User
> > NAS-IP-Address = 216.118.66.25
> > Event-Timestamp = 1026329001
> > Acct-Delay-Time = 0
> >
> > Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 
> > Code:   Accounting-Request
> > Identifier: 239
> > Authentic:  
> <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
> > Attributes:
> > Acct-Session-Id = "84AB"
> > Framed-Protocol = PPP
> > cisco-avpair = "connect-progress=Call Up"
> > Acct-Session-Time = 2897
> > Connect-Info = "49333/24000 V90/V42bis/LAPM"
> > Acct-Input-Octets = 349671
> > Acct-Output-Octets = 2362531
> > Acct-Input-Packets = 3246
> > Acct-Output-Packets = 2835
> > Acct-Terminate-Cause = User-Request
> > cisco-avpair = "disc-cause-ext=PPP Receive Term"
> > Acct-Authentic = RADIUS
> > Acct-Status-Type = Stop
> > User-Name = "cheezwhiz"
> > Acct-Multi-Session-Id = "4F51"
> > Acct-Link-Count = "<0><0><0><1>"
> > Framed-Address = 216.118.90.220
> > Cisco-NAS-Port = "Async3/105*Serial7/0:18:21"
> > NAS-Port = 105
> > NAS-Port-Type = Async
> > Class = "netcarrier.com"
> > Service-Type = Framed-User
> > NAS-IP-Address = 216.118.66.25
> > Event-Timestamp = 1026329176
> > Acct-Delay-Time = 0
> 
> 



(RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

2002-07-10 Thread Dave Kitabjian

I finally tracked down the reason why our Online DB has been reporting a much lower count of onliners than are actually online.

Look at the attached sequence of two accounting records. tmeyers logs on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while he's still online, cheezwhiz logs off of the same NAS and Port, clobbering tmeyers' entry in the online DB. 

But how can two people have been on the same port at the same time, you ask? The answer is that when Cisco is (again) lazy, it's easy to happen. If you look at the Cisco-NAS-Port attribute, you'll see that they are really on two distinct ports. Cisco is just taking a portion of the info and plopping it in NAS-Port, even though that means that many people can be on the same NAS-Port at once. Most manufacturers come up with a procedure for encoding all that "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port number and then put that in NAS-Port. 

Now, if we were enforcing concurrency limits we'd be even more screwed.


Has anyone else experienced this? How are you dealing with it? Does Radiator have any solutions? I wonder if using the Acct-Session-Id for deletions would be more reliable than matching NAS/Port combos. Comments welcome!

Dave

_


Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:

*** Received from 216.118.66.25 port 1646 

Code:   Accounting-Request

Identifier: 188

Authentic:  <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>

Attributes:

    Acct-Session-Id = "87C2"

    Framed-Protocol = PPP

    Connect-Info = "46667/24000 V90/V42bis/LAPM"

    cisco-avpair = "connect-progress=Call Up"

    Acct-Authentic = RADIUS

    Acct-Status-Type = Start

    User-Name = "tmeyers"

    Acct-Multi-Session-Id = "511D"

    Acct-Link-Count = "<0><0><0><2>"

    Framed-Address = 216.118.88.4

    Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"

    NAS-Port = 105

    NAS-Port-Type = Async

    Class = "netcarrier.com"

    Service-Type = Framed-User

    NAS-IP-Address = 216.118.66.25

    Event-Timestamp = 1026329001

    Acct-Delay-Time = 0



Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
*** Received from 216.118.66.25 port 1646 
Code:   Accounting-Request
Identifier: 239
Authentic:  <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
Attributes:
    Acct-Session-Id = "84AB"
    Framed-Protocol = PPP
    cisco-avpair = "connect-progress=Call Up"
    Acct-Session-Time = 2897
    Connect-Info = "49333/24000 V90/V42bis/LAPM"
    Acct-Input-Octets = 349671
    Acct-Output-Octets = 2362531
    Acct-Input-Packets = 3246
    Acct-Output-Packets = 2835
    Acct-Terminate-Cause = User-Request
    cisco-avpair = "disc-cause-ext=PPP Receive Term"
    Acct-Authentic = RADIUS
    Acct-Status-Type = Stop
    User-Name = "cheezwhiz"
    Acct-Multi-Session-Id = "4F51"
    Acct-Link-Count = "<0><0><0><1>"
    Framed-Address = 216.118.90.220
    Cisco-NAS-Port = "Async3/105*Serial7/0:18:21"
    NAS-Port = 105
    NAS-Port-Type = Async
    Class = "netcarrier.com"
    Service-Type = Framed-User
    NAS-IP-Address = 216.118.66.25
    Event-Timestamp = 1026329176
    Acct-Delay-Time = 0
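
The clobbering described in the message above, replayed as an added example (not part of the original post and not Radiator's session database code). It feeds the two dumped records to a generic online-session table keyed first by NAS/port and then by NAS/Acct-Session-Id; the Start record for cheezwhiz is constructed from his Stop's Event-Timestamp minus Acct-Session-Time.

```python
# Added example: an online-session table keyed two different ways.
# START_TMEYERS and STOP_CHEEZWHIZ are trimmed from the two packet dumps above.
# START_CHEEZWHIZ is constructed: 1026329176 - 2897 = 1026326279.

NAS = "216.118.66.25"

START_CHEEZWHIZ = {
    "Acct-Status-Type": "Start", "User-Name": "cheezwhiz",
    "Acct-Session-Id": "84AB", "NAS-IP-Address": NAS, "NAS-Port": 105,
    "Cisco-NAS-Port": "Async3/105*Serial7/0:18:21",
    "Event-Timestamp": 1026326279,
}
START_TMEYERS = {
    "Acct-Status-Type": "Start", "User-Name": "tmeyers",
    "Acct-Session-Id": "87C2", "NAS-IP-Address": NAS, "NAS-Port": 105,
    "Cisco-NAS-Port": "Async4/105*Serial7/0:25:3",
    "Event-Timestamp": 1026329001,
}
STOP_CHEEZWHIZ = {
    "Acct-Status-Type": "Stop", "User-Name": "cheezwhiz",
    "Acct-Session-Id": "84AB", "NAS-IP-Address": NAS, "NAS-Port": 105,
    "Cisco-NAS-Port": "Async3/105*Serial7/0:18:21",
    "Event-Timestamp": 1026329176,
}
RECORDS = [START_CHEEZWHIZ, START_TMEYERS, STOP_CHEEZWHIZ]


def key_by_port(rec):
    """NAS/port key: ambiguous when the NAS reuses NAS-Port values."""
    return (rec["NAS-IP-Address"], rec["NAS-Port"])


def key_by_session(rec):
    """NAS/session key: Acct-Session-Id identifies one session on that NAS."""
    return (rec["NAS-IP-Address"], rec["Acct-Session-Id"])


class OnlineDB:
    """Tracks who is online and records every update that hits another session."""

    def __init__(self, keyfunc):
        self.keyfunc = keyfunc
        self.sessions = {}
        self.anomalies = []

    def handle(self, rec):
        key = self.keyfunc(rec)
        current = self.sessions.get(key)
        other = current is not None and \
            current["Acct-Session-Id"] != rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            if other:
                self.anomalies.append(
                    ("start-overwrites-live-entry",
                     current["User-Name"], rec["User-Name"]))
            self.sessions[key] = rec
        elif rec["Acct-Status-Type"] == "Stop":
            if current is None:
                self.anomalies.append(("stop-without-entry", rec["User-Name"]))
                return
            if other:
                self.anomalies.append(
                    ("stop-removes-other-session",
                     current["User-Name"], rec["User-Name"]))
            del self.sessions[key]

    def online_users(self):
        return sorted(r["User-Name"] for r in self.sessions.values())

    def count(self, user):
        """Session count a concurrency limit would be checked against."""
        return sum(1 for r in self.sessions.values() if r["User-Name"] == user)


def replay(keyfunc, records=RECORDS):
    """Feed records in Event-Timestamp order and return the resulting table."""
    db = OnlineDB(keyfunc)
    for rec in sorted(records, key=lambda r: r["Event-Timestamp"]):
        db.handle(rec)
    return db


if __name__ == "__main__":
    for name, keyfunc in (("NAS/port", key_by_port),
                          ("NAS/session-id", key_by_session)):
        db = replay(keyfunc)
        print(name, "online:", db.online_users(), "anomalies:", db.anomalies)
```

Keyed by NAS/port, the table ends up empty while tmeyers is still connected, and between the two Starts it reports zero sessions for cheezwhiz, which is the gap a concurrency limit would miss.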





(RADIATOR) Duplicate request id: ignored

2002-06-26 Thread Dave Kitabjian

"Wed Jun 26 16:03:16 2002: INFO: Duplicate request id 87
received from 10.52.0.1(1026): ignored"

This message was logged for an Accounting request that was clearly
retransmitted since it had a large Acct-Delay-Time value.

But if Radiator keeps ignoring the request, the NAS will keep
retransmitting, and the circle of life will go on and on and on...

Does the RFC say to ignore dups? Wouldn't it make more sense to Reject
them somehow? Or, if the original one was already processed
successfully, it could simply send back an Accept and then discard it as
a dup?

Dave

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) Help for the DBM-Impaired

2002-06-18 Thread Dave Kitabjian

I think what you want to do is get the radwho.cgi script (included with
Radiator) set up and running under Apache. Then, when you access it in
your web browser, you can click "Delete" to remove individual rows from
the DBM.

Dave

> -Original Message-
> From: Scott Rothgaber [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, June 18, 2002 7:06 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Help for the DBM-Impaired
> 
> 
> [Radiator 3.0 on FreeBSD 4.4]
> 
> Users are occasionally getting "stuck" in my session database. I 
> know what is causing this problem, but that's another topic. Is 
> there a command that will remove a single entry? I've been using 
> `echo -n > database' but that's like killing a fly with a 
> shotgun.  ;-)
> 
> Thanks!
> Scott
> 
> --
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> *   *
> *  Easley Internet Solutions  864.859.2400  *
> *  Easley, SC  USA   Fax: 864.855.7167  *
> *  http://www.easley.net/AIM: ExCavSGT  *
> *   *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> 
> 



RE: (RADIATOR) MacOSX Users

2002-06-18 Thread Dave Kitabjian

I'm kinda interested, too :)

If I had a lot more time, I'd set it up on my Mac at home and give it a
whirl...

Dave

> -Original Message-
> From: Bennie Warren [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, June 18, 2002 2:28 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) MacOSX Users
> 
> 
> I am still interested in MacOSX users to see what they think 
> of Radiator. Also to see if they use Radar and Radmin.
> 
> Thanks
> Bennie
> 
> -- 
> **
> Bennie Warren 
> LemooreNet 
> 320 West D Street  
> Lemoore, CA  93245 
> Phone:  559.924.5909
> Fax  559.924.9578  
> [EMAIL PROTECTED]
> http://www.lemoorenet.com
> **
> 
> 



RE: (RADIATOR) RE:PrePaid for Voip

2002-06-18 Thread Dave Kitabjian

Sadly, our attempt to do this with the AS5300 confirmed that the
Session-Timeout attribute was not honored (and I think Cisco
acknowledged this).

That other post about the h323-credit-time sounds interesting, though.
We'll have to look into that sometime.

Dave

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, June 17, 2002 4:48 AM
> To: Chiao Liang; 'neil d. quiogue'; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) RE:PrePaid for Voip
> 
> 
> 
> Hello Chan -
> 
> The Session-Timeout radius reply attribute tells the access 
> server how many 
> seconds to allow a connection to continue, after which the 
> call will be 
> dropped. If this is not happening, ie. the Session-Timeout is 
> not being 
> honoured by the access server, then you will have to check 
> with the vendor to 
> find out why (additional configuration required or software bug).
> 
> BTW - could you please tell me the name of the registered 
> company that has 
> purchased this copy of Radiator?
> 
> regards
> 
> Hugh
> 
> 
> On Mon, 17 Jun 2002 17:42, Chiao Liang wrote:
> > Hi Neil,
> >
> > I'm using Cisco AS5300 VOIP GW, the session-timeout do work. But it 
> > only will cut off when the call is finish, it would cut off 
> the call 
> > half way when the credit is used up. Therefore I would like 
> to know is 
> > there a way do it, as I might not configure the Radiator correctly.
> >
> > Thanks
> >
> > Chan
> >
> > -Original Message-
> > From: neil d. quiogue [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, June 17, 2002 2:24 PM
> > To: Chiao Liang; [EMAIL PROTECTED]
> > Subject: Re: (RADIATOR) RE:PrePaid for Voip
> >
> > Hello,
> >
> > Since your email didn't contain much details, check your 
> VoIP gateway 
> > (or the system that provides call control).  Your VoIP gateway or 
> > system should understand the Session-Timeout RADIUS attribute and 
> > implement session termination.  Check with your vendor on it.
> >
> > Regards,
> >
> > Neil D. Quiogue
> >
> > "Information and attachments herein are intended for the named 
> > recipients only.  It may contain attorney-client privileged or 
> > confidential matter. If you have received this message in error, 
> > please notify the sender immediately, and destroy the original 
> > message.  Do not disclose the contents to anyone.  Thank you."
> > - Original Message -
> > From: Chiao   Liang
> > To: [EMAIL PROTECTED]
> > Sent: Monday, June 17, 2002 12:42 PM
> > Subject: (RADIATOR) RE:PrePaid for Voip
> >
> > Hi All
> >
> > I'm using Radiator for pre-paid solution, I have an issue 
> with it. As 
> > it will not cut-off the session instantaneously when the pre-paid 
> > credit is using up, it will only cut off the account till the use 
> > finish the session. Is the a way to cut off the user 
> session once the 
> > database credit is use up, needed it for real-time usage.
> >
> > Thanks, with regards
> > Chan
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS 
> server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, 
> NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, 
> extensible, flexible with hardware, software, platform and 
> database independence.



(RADIATOR) Making Exec-Program safe

2002-04-25 Thread Dave Kitabjian

First of all, thanks for the Exec-Program special reply item! It works
like a charm!

Here are two related requests or questions.

1) It would be nice if Radiator DEBUG logged that the program was run
and perhaps the return value.

2) Is there any way to lock down this feature? We love that our Call
Center folks can implement these advanced features now by just adding
this reply item in our GUI. But what's to prevent them from entering a
value "reboot" or "fdisk"? I was wondering if a global parameter called
ExecSetUid could be added which would be used when shelling the
Exec-Program command. That should give us all the power we need to keep
things under control.

Thanks!

Dave
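
One way to apply the two requests above outside the server, as an added example (not Radiator code and not from the original post): a wrapper that accepts an Exec-Program value only if it names an allow-listed program, runs it without a shell under an optional unprivileged uid, and logs the command and return value. The function names, the allow-list and the argument pattern are assumptions of this sketch.

```python
# Added example: allow-list and privilege drop for operator-supplied
# Exec-Program values. All names here are hypothetical.
import logging
import os
import re
import shlex
import subprocess
import sys

log = logging.getLogger("exec-program")

# Characters that only make sense to a shell; values containing them are refused.
SHELL_META = set(';&|`$<>(){}*?!\\\n\r')
# Conservative pattern for arguments typed into the provisioning GUI.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.,:@%/=+-]+$")


def validate_exec_program(value, allowed_programs):
    """Return the argv for an Exec-Program value, or raise ValueError."""
    if any(ch in SHELL_META for ch in value):
        raise ValueError("shell metacharacter in Exec-Program value")
    try:
        argv = shlex.split(value)
    except ValueError as exc:
        raise ValueError("unparseable Exec-Program value: %s" % exc) from None
    if not argv:
        raise ValueError("empty Exec-Program value")
    program, args = argv[0], argv[1:]
    if not os.path.isabs(program):
        # Bare names such as "reboot" would be resolved through PATH.
        raise ValueError("program must be an absolute path: %r" % program)
    resolved = os.path.realpath(program)
    if resolved not in {os.path.realpath(p) for p in allowed_programs}:
        raise ValueError("program is not on the allow-list: %r" % program)
    for arg in args:
        if not SAFE_ARG.match(arg):
            raise ValueError("argument rejected: %r" % arg)
    return [resolved] + args


def run_exec_program(value, allowed_programs, uid=None, gid=None, timeout=5):
    """Validate, run without a shell, log the result, return (rc, output)."""
    argv = validate_exec_program(value, allowed_programs)
    extra = {}
    if uid is not None:
        extra["user"] = uid    # Python 3.9+; the caller must be root to switch
    if gid is not None:
        extra["group"] = gid
    proc = subprocess.run(
        argv,
        shell=False,                       # never hand the value to /bin/sh
        env={"PATH": "/usr/bin:/bin"},     # minimal, fixed environment
        cwd="/",
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        timeout=timeout,
        check=False,
        **extra,
    )
    log.debug("Exec-Program %r returned %d", argv, proc.returncode)
    return proc.returncode, proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    allowed = [sys.executable]             # stand-in for a real hook script
    print(run_exec_program(shlex.quote(sys.executable) + " --version", allowed))
    for bad in ("reboot", "fdisk"):
        try:
            validate_exec_program(bad, allowed)
        except ValueError as exc:
            print("refused:", bad, "->", exc)
```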


(RADIATOR) perl sanity check

2002-04-17 Thread Dave Kitabjian

I need some basic perl help here from y'all.

Given the clip of Radiator perl code below, does this mean that 

$self is a reference 
to an object
which is an array
of references
to arrays
which contain 2 elements each, attribute and value?

Dave



# AttrVal.pm
#
# Heres a little class for holding attribute value pairs
# Handles multiple instances of the same attribute.
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 1997 Open System Consultants
# $Id: AttrVal.pm,v 1.17 2001/04/25 23:47:13 mikem Exp $

package Radius::AttrVal;

#
sub new
{
    my ($class) = @_;

    my $self = {};
    bless $self, $class;

    @{$self->{Attributes}} = (); # Define an empty array

    return $self;
}

#
sub add_attr
{
    my ($self, $name, $value) = @_;
    push(@{$self->{Attributes}}, [ $name, $value ]);
}

#
...



(RADIATOR) RE: RADIUS going in circles

2002-03-21 Thread Dave Kitabjian

Oh no! Someone already stole my idea!


http://www.wheatstone.net/whatwedo/Portal/Standards/radius_diameter.htm

Dave
:)

> -Original Message-
> From: Dave Kitabjian 
> Sent: Wednesday, February 06, 2002 5:05 PM
> To: [EMAIL PROTECTED]
> Subject: RADIUS going in circles
> Importance: Low
> 
> 
> FYI, have you heard that RADIUS is doubling its number of attributes?
> 
> Yea, the new protocol is called DIAMETER...
> 
> Dave
> ;)
> 
> 



RE: (RADIATOR) Need help

2002-03-19 Thread Dave Kitabjian

I guess the solution would be something like:

    AuthBy IPASS_AUTH

    AuthBy GRIC_AUTH

    #default catch-all

#---

    Identifier    IPASS_AUTH
    Host ...

    Identifier    GRIC_AUTH
    Host ...

Let me know if that works!
Dave

> -Original Message-
> From: Suttiphol Warangrit [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 19, 2002 5:47 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Need help
>
> Dear sir,
>
> Now I’m using radiator. I want to know how to customize radiator
> configuration file to relay radius packet of user whose login is
> [EMAIL PROTECTED] to my IPASS NETSERVER and [EMAIL PROTECTED] to my
> GRIC Aimtraveler.
>
> thank and regards,
> Suttiphol Warangrit


RE: (RADIATOR) unknown ports

2002-03-11 Thread Dave Kitabjian

Ah, thanks for the note.

My thoughts are that, although there might be times when it might be
useful to know the SOURCE port, I think that the large majority of times
it's much more useful to know the local (server's) port where the
requests are coming into. This is particularly true for those of us who
have Radiator configurations that are listening on ALL of
1645/1646/1812/1813 (multiple instances) in order to support older
Livingston gear, while they're all logging to the same logfile.

Dave
:)

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, March 08, 2002 5:41 PM
> To: Dave Kitabjian; Jim Liebgott
> Cc: Ronan Eckelberry; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) unknown ports
> 
> 
> 
> Hello Dave -
> 
> Here is the message:
> 
> Sat Mar  9 09:37:10 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33555 
> 
> and yes - it is telling you the *source* IP address and UDP 
> port number from 
> which this request was received. 
> 
> I have been thinking about adding the *destination* IP 
> address and port 
> number to the message just to make it clearer what is going on.
> 
> Thoughts?
> 
> regards
> 
> Hugh
>  
> 
> On Sat, 9 Mar 2002 00:37, Dave Kitabjian wrote:
> > Just one thought:
> >
> > I haven't been reading this thread in all its detail, but 
> this might 
> > be of some value. Some time back, I believe when we 
> transitioned from 
> > USR to Cisco NASes, we started getting log entries such as:
> >
> > *** Received from X.X.X.X on port 1645
> >
> > when we were definitely only listening on ports 1812/1813. I posted 
> > this to the list back then, so you might find it in the archive. I 
> > think Hugh might have said something to the effect that the 
> 1645 might 
> > be the OUTGOING port from the client rather than the server's 
> > listening port, but that doesn't sound right to me. I'm 
> still curious 
> > about why this happens.
> >
> > Dave
> >
> > > -Original Message-
> > > From: Jim Liebgott [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, March 07, 2002 6:33 PM
> > > To: [EMAIL PROTECTED]
> > > Cc: Ronan Eckelberry; [EMAIL PROTECTED]
> > > Subject: Re: (RADIATOR) unknown ports
> > >
> > > Hugh Irvine wrote:
> > > > Thanks for sending the configuration file.
> > > >
> > > > Each AuthBy RADIUS clause opens a port at initialisation
> > >
> > > time to send
> > >
> > > > and receive requests to the target proxy host. The 
> portnumber is 
> > > > allocated by the OS unless overridden with the OutPort
> > >
> > > parameter, and
> > >
> > > > the port is held open during the whole time that Radiator
> > >
> > > is running.
> > >
> > > > Have a look at the code in "Radius/AuthRADIUS.pm".
> > >
> > > I see.  That makes sense to me.  Thanks for explaining.  I had 
> > > assumed that each new request opened a new socket to the 
> proxy host 
> > > and closed it when a reply was received.  I imagine that you have 
> > > reduced per-request overhead with your implementation.
> > >
> > > > On Fri, 8 Mar 2002 09:58, you wrote:
> > > > > Hugh Irvine wrote:
> > > > > > The only ports that Radiator opens by default are the 
> > > > > > authentication and accounting ports. Any other ports
> > >
> > > that you see
> > >
> > > > > > will be the result of your configuration file.
> > > > > >
> > > > > > As Ronan says, if you send me a copy of your configuration 
> > > > > > file (no
> > > > > > secrets) I will take a look.
> > > > >
> > > > > I have attached my config file.  It uses an "include"
> > >
> > > directive to
> > >
> > > > > run a program to generate more config, so I have 
> attached that 
> > > > > program as well.  The config info generated by the 
> program only 
> > > > > contains  directives.
> > > > >
> > > > > > On Fri, 8 Mar 2002 07:35, Ronan Eckelberry wrote:
> > > > > > > Really?  What does your config look like?  I'm 
> not sure what 
> > > > > > > time it is in Australia probably between 3-5am, but when 
> > > > > > > Hugh gets in he will probably have th

RE: (RADIATOR) unknown ports

2002-03-08 Thread Dave Kitabjian

Just one thought:

I haven't been reading this thread in all its detail, but this might be
of some value. Some time back, I believe when we transitioned from USR
to Cisco NASes, we started getting log entries such as:

*** Received from X.X.X.X on port 1645

when we were definitely only listening on ports 1812/1813. I posted this
to the list back then, so you might find it in the archive. I think Hugh
might have said something to the effect that the 1645 might be the
OUTGOING port from the client rather than the server's listening port,
but that doesn't sound right to me. I'm still curious about why this
happens.

Dave


> -Original Message-
> From: Jim Liebgott [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, March 07, 2002 6:33 PM
> To: [EMAIL PROTECTED]
> Cc: Ronan Eckelberry; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) unknown ports
> 
> 
> Hugh Irvine wrote:
> > 
> > Thanks for sending the configuration file.
> > 
> > Each AuthBy RADIUS clause opens a port at initialisation 
> time to send 
> > and receive requests to the target proxy host. The portnumber is 
> > allocated by the OS unless overridden with the OutPort 
> parameter, and 
> > the port is held open during the whole time that Radiator 
> is running.
> > 
> > Have a look at the code in "Radius/AuthRADIUS.pm".
> 
> I see.  That makes sense to me.  Thanks for explaining.  I 
> had assumed that each new request opened a new socket to the 
> proxy host and closed it when a reply was received.  I 
> imagine that you have reduced per-request overhead with your 
> implementation.
> 
> > On Fri, 8 Mar 2002 09:58, you wrote:
> > > Hugh Irvine wrote:
> > > > The only ports that Radiator opens by default are the 
> > > > authentication and accounting ports. Any other ports 
> that you see 
> > > > will be the result of your configuration file.
> > > >
> > > > As Ronan says, if you send me a copy of your configuration file 
> > > > (no
> > > > secrets) I will take a look.
> > >
> > > I have attached my config file.  It uses an "include" 
> directive to 
> > > run a program to generate more config, so I have attached that 
> > > program as well.  The config info generated by the program only 
> > > contains  directives.
> > >
> > > > On Fri, 8 Mar 2002 07:35, Ronan Eckelberry wrote:
> > > > > Really?  What does your config look like?  I'm not sure what 
> > > > > time it is in Australia probably between 3-5am, but when Hugh 
> > > > > gets in he will probably have the answer.  Hugh 
> usually has the 
> > > > > answers.  He will probably ask for a copy of your config (no 
> > > > > secrets) and a Trace 5 debug from you log.
> > > > >
> > > > >   That's weird.  You may have something in your 
> config that 
> > > > > is opening those ports.
> > > > >
> > > > > -Ronan
> > > > >
> > > > >
> > > > > -Original Message-
> > > > > From: Jim Liebgott [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Thursday, 07 March, 2002 15:03
> > > > > To: Ronan Eckelberry
> > > > > Cc: [EMAIL PROTECTED]
> > > > > Subject: Re: (RADIATOR) unknown ports
> > > > > Importance: High
> > > > >
> > > > > Ronan Eckelberry wrote:
> > > > > > And you only see these ports open when you 
> are running
> > > > >
> > > > > Radiator.
> > > > >
> > > > > > If you kill radiusd, the ports are no longer open?
> > > > >
> > > > > indeed.  Furthermore, I use the "-p" option to netstat, which 
> > > > > displays the process ID that has bound a given port, 
> and those 
> > > > > ports are conclusively bound by the radiusd daemon process.
> > > > >
> > > > > As an update, it looks like the socket bindings are more 
> > > > > persistent than I thought.  They don't change after a 
> day; I was 
> > > > > mistaken when I said that earlier.  I haven't seen 
> these sockets 
> > > > > close and re-open like I previously indicated, I was 
> confusing 
> > > > > the port numbers from two different servers.  On each server, 
> > > > > the sockets bindings haven't changed.
> > > > >
> > > > > > -Original Message-
> > > > > > From: Jim Liebgott [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Thursday, 07 March, 2002 14:30
> > > > > > To: Ronan Eckelberry
> > > > > > Cc: [EMAIL PROTECTED]
> > > > > > Subject: Re: (RADIATOR) unknown ports
> > > > > >
> > > > > > Ronan Eckelberry wrote:
> > > > > > > Most likely those ports are opened to communicate 
> > > > > > > with the
> > > > > >
> > > > > > other
> > > > > >
> > > > > > > RADIUS and/or SQL servers that you are proxying to.  Do a 
> > > > > > > netstat to
> > > > > >
> > > > > > see
> > > > > >
> > > > > > > what addresses that they are connected to.  You will 
> > > > > > > probably see
> > > > >
> > > > > that
> > > > >
> > > > > > > it is the other servers.  RADIUS RECEIVES 
> Authentication and
> > > > > >
> > > > > > Accounting
> > > > > >
> > > > > > > requests on 1645 and 1646 (Or whatever ports you 
> configure 
> > > > > > > in your
> > > > >
> > > > > cfg
> > > > >
> > > > > > > file), but for it to proxy the inf

RE: (RADIATOR) 2 copies of User-Name attribute

2002-02-28 Thread Dave Kitabjian

Follow up:

I did some more digging in the RFC:

   Some attributes MAY be included more than once.  The effect of this
   is attribute specific, and is specified in each attribute
   description.

   5.13.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in Accounting-Request packets.  No attributes should be found in
   Accounting-Response packets except Proxy-State and possibly Vendor-
   Specific.


  # Attribute
  0-1   User-Name

In other words, the accounting record may contain 0 or 1 copies of the
User-Name. That means it's out of spec to send 2 copies. I'll take this
up with Cisco. Meanwhile, I'm still open to feedback on the Radiator
side (since Cisco notoriously drags its feet on our bug reports).

Dave

> -Original Message-
> From: Dave Kitabjian 
> Sent: Thursday, February 28, 2002 9:34 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) 2 copies of User-Name attribute
> 
> 
> Recently I've been noticing that the Radius Accounting 
> packets coming from some of our Cisco gear has been sending 
> some attributes in duplicate; in particular, we get two 
> copies each of User-Name and Nas-Port.
> 
> Fortunately, the two copies have identical values. But it 
> still causes a problem. We have lots of logic that rewrites 
> usernames, parses out the realm, adds in custom attributes, 
> etc. The problem is that Radiator's RewriteUserName appears 
> to be only acting on the FIRST instance of the User-Name 
> attribute, and the 2nd instance remains unrewritten. Down the 
> line, our post-processing software doesn't know how to tell 
> which one is the "right one", and so we get messed up results.
> 
> I've asked our networking people to look into why we're 
> getting dups of some attributes. But meanwhile, I checked out 
> the Radius Accounting RFC 
> (http://www.ietf.org/rfc/rfc2866.txt?number=2866), and I noticed this:
> 
>    Attributes
> 
>       Attributes may have multiple instances, in such a case the order
>       of attributes of the same type SHOULD be preserved.  The order of
>       attributes of different types is not required to be preserved.
> 
> So this makes me wonder if Radiator should not be able to 
> support this. Without looking deep into the code, my guess is 
> that the attributes are stored in a hash, and much of the 
> logic depends on assuming the key is unique, which would make 
> support for this difficult to add. But perhaps at least 
> supporting it for RewriteUserName would be sensible?
> 
> Your thoughts are welcome...
> 
> Dave



(RADIATOR) 2 copies of User-Name attribute

2002-02-28 Thread Dave Kitabjian

Recently I've been noticing that the Radius Accounting packets coming
from some of our Cisco gear has been sending some attributes in
duplicate; in particular, we get two copies each of User-Name and
Nas-Port.

Fortunately, the two copies have identical values. But it still causes a
problem. We have lots of logic that rewrites usernames, parses out the
realm, adds in custom attributes, etc. The problem is that Radiator's
RewriteUserName appears to be only acting on the FIRST instance of the
User-Name attribute, and the 2nd instance remains unrewritten. Down the
line, our post-processing software doesn't know how to tell which one is
the "right one", and so we get messed up results.

I've asked our networking people to look into why we're getting dups of
some attributes. But meanwhile, I checked out the Radius Accounting RFC
(http://www.ietf.org/rfc/rfc2866.txt?number=2866), and I noticed this:

   Attributes

  Attributes may have multiple instances, in such a case the order
  of attributes of the same type SHOULD be preserved.  The order of
  attributes of different types is not required to be preserved.

So this makes me wonder if Radiator should not be able to support this.
Without looking deep into the code, my guess is that the attributes are
stored in a hash, and much of the logic depends on assuming the key is
unique, which would make support for this difficult to add. But perhaps
at least supporting it for RewriteUserName would be sensible?

Your thoughts are welcome...

Dave
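
The duplicate-attribute problem from the two messages above, as an added example (not Radiator code and not from the original posts). It keeps attributes as an ordered list of name/value pairs, contrasts a rewrite that touches only the first User-Name (modelling the behaviour reported above) with one that touches every instance, and flags attributes that exceed the 0-1 limit quoted from the RFC table; the sample record and the Python rewrite rules are constructed.

```python
# Added example: handling repeated attributes in an accounting record.
import re
from collections import Counter

# Constructed sample: a NAS that sends User-Name and NAS-Port twice.
SAMPLE = [
    ("Acct-Status-Type", "Stop"),
    ("User-Name", "TMeyers@netcarrier.com"),
    ("NAS-Port", "105"),
    ("Acct-Session-Id", "87C2"),
    ("User-Name", "TMeyers@netcarrier.com"),
    ("NAS-Port", "105"),
]

# Upper bound per attribute; only the row quoted in the message is listed.
MAX_INSTANCES = {"User-Name": 1}

# Hypothetical rewrite rules: strip the realm, then lower-case.
USERNAME_RULES = [lambda s: re.sub(r"@.*$", "", s), str.lower]


def values(attrs, name):
    """All values of one attribute, in packet order."""
    return [v for n, v in attrs if n == name]


def apply_rules(value, rules):
    for rule in rules:
        value = rule(value)
    return value


def rewrite_first(attrs, name, rules):
    """Rewrite only the first instance (the behaviour reported in the post)."""
    out, done = [], False
    for n, v in attrs:
        if n == name and not done:
            v, done = apply_rules(v, rules), True
        out.append((n, v))
    return out


def rewrite_all(attrs, name, rules):
    """Rewrite every instance, preserving attribute order."""
    return [(n, apply_rules(v, rules) if n == name else v) for n, v in attrs]


def over_limit(attrs, limits):
    """Attributes that occur more often than the table allows."""
    counts = Counter(n for n, _ in attrs)
    return {n: c for n, c in counts.items() if n in limits and c > limits[n]}


def collapse_identical(attrs, name):
    """Keep one copy when all instances agree; refuse to guess when they differ."""
    seen, out = None, []
    for n, v in attrs:
        if n != name:
            out.append((n, v))
        elif seen is None:
            seen = v
            out.append((n, v))
        elif v != seen:
            raise ValueError("conflicting %s values: %r vs %r" % (name, seen, v))
    return out


def normalise(attrs, limits=MAX_INSTANCES, rules=USERNAME_RULES):
    """Rewrite all User-Name instances, then collapse out-of-spec duplicates."""
    attrs = rewrite_all(attrs, "User-Name", rules)
    for name in over_limit(attrs, limits):
        attrs = collapse_identical(attrs, name)
    return attrs


if __name__ == "__main__":
    print("first only:", values(rewrite_first(SAMPLE, "User-Name", USERNAME_RULES), "User-Name"))
    print("out of spec:", over_limit(SAMPLE, MAX_INSTANCES))
    print("normalised:", normalise(SAMPLE))
```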



RE: (RADIATOR) Logging failed authentication attempts

2002-02-15 Thread Dave Kitabjian

As a bonus, here's what we do:

#


Identifier  AUTH_LOGGER
Filename    %D/Authentication/%R-%h
LogSuccess  1
LogFailure  1
# Note the literal tab characters:
SuccessFormat   %l%r\
User-Name = %U%r\
Pass = 1%r  \
CallerId = %{Calling-Station-Id}%r  \
Typed-Password = %P%r   \  
Severity = %0%r \
Reason = %1%r%r
FailureFormat   %l%r\
User-Name = %U%r\
Pass = 0%r  \
CallerId = %{Calling-Station-Id}%r  \
Typed-Password = %P%r   \
Severity = %0%r \
Reason = %1%r%r


#

This formats it exactly like a Radius accounting packet! Then we use the
same process to import this info in near real-time to our SQL database
as we do for Accounting data. The CallerId is immeasurably handy when
they're mistyping the username and password or if the username comes in
all garbled due to line noise.

Tech support LOVES it :)

Dave

p.s. Before those \ characters are supposed to be literal tabs, not
spaces.

> -Original Message-
> From: Ronan Eckelberry [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, February 15, 2002 1:18 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: (RADIATOR) Logging failed authentication attempts
> 
> 
> Terry,
> 
> Check out Section 6.47 in the Radiator manual.  It is on 
> AuthLog.  That should be what you are looking for.
> 
> -Ronan
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, 15 February, 2002 12:26
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Logging failed authentication attempts
> 
> 
> Hi. I looked through the archives, and it appears that 
> logging failed authentication attempts has been a "wish-list" 
> item for a while, I'm curious if there is a method in the 
> newer versions of radiator.
> 
> Thanks,
> Terry Ryan
> 



(RADIATOR) ERR: Unknown keyword 'AddToRequest'

2002-02-08 Thread Dave Kitabjian

I'm getting:

    ERR: Unknown keyword 'AddToRequest' in /usr/radiator/nc.cfg line 772

in my Handler:

    AuthBy IPASS

    AddToRequest NC-Ipass-Flag = 1
    AcctLogFileName %D/Accounting/IPASS_OUTBOUND-%h

    AuthLog AUTH_LOGGER
    PasswordLogFileName %L/password.log

We're running 2.18. Does anyone know if this keyword was new to Handlers
since 2.18? I didn't remember reading about it...

Dave Kitabjian
NetCarrier, Software Engineering


(RADIATOR) RADIUS going in circles

2002-02-06 Thread Dave Kitabjian

FYI, have you heard that RADIUS is doubling its number of attributes?

Yea, the new protocol is called DIAMETER...

Dave
;)




RE: (RADIATOR) Content filtering

2002-02-06 Thread Dave Kitabjian

We're getting ready to do this too.

Two approaches we have so far are:

1) Use the Filter-Id reply item. When the NAS sees this, it will load a
filter by that name that you must have already configured on that NAS
and saved. The filter is a series of rules based on protocol, IP address
block, and port. That filter will then apply to that user for the
duration of his session.

2) Tunnel. I'm just looking into this now. We might tunnel the user to a
specific box. This box will then pass all traffic besides port 80 to the
outside. But port 80 will be redirected to Squid. I think there are
Tunnel RADIUS attributes we can use to invoke this on a per-user
basis...

Dave

> -Original Message-
> From: Rolando Riley [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 05, 2002 8:45 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Content filtering
> 
> 
> Hi list:
>   This is not probably a radius question although radius 
> is involved as one of the main elements. Our goal is make 
> content filtering with a software like ( smartfilter, 
> websense or squidguard) under the following scenario.
> 
> 1) A customer dials in to our ISP.
> 2) Our radius auths and accounts the user connection.
> 3) Our radius forward the user info to squid ( or any other Cache).
> 4) Squid verify the user policies for http requests against 
> SmartFilter .
> 
> 5) If SmartFilter has any matching against the user it 
> applies the filter.
> else it lets the user browse any site.
> 
> 
>   Does anyone have an idea or an experience  on how to 
> make this work?
> 
>   We basically want to do content filtering as a customer service.
> 
> 
> best regards,
> 
> 
> ---
> Ing. Rolando Riley
> Administrador de Sistemas Unix
> (Unix System Administrator)
> AYAYAI.COM S.A.
> Tel: (507) 265-2424 ext. 408
> ---
> 



RE: (RADIATOR) CDB format ?

2002-02-05 Thread Dave Kitabjian

Hugh,

Are you sure you're not confusing DBM-style databases with CDB?

Pascal,

The Radiator manual says: "The CDB is indexed by username and the value
is the check items followed by a newline followed by the reply items."
So a typical entry might look like this:

+6,145:corey1->Password="jack", Expiration="May 6 2002"
Idle-Timeout = 1200, Framed-Address = 116.152.169.219, Service-Type =
Framed-User, Framed-Protocol = PPP

or if you use default reply items, someone might have an entry like:

+7,41:blinsto->Password="2dogs", Expiration="May 3 2002"

The actual job of formatting and building the CDB is up to you. The
specs are at:

http://cr.yp.to/cdb/cdbmake.html

Don't forget the extra newline at the end! 

Dave

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, February 04, 2002 5:43 PM
> To: Pascal Robert; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) CDB format ?
> 
> 
> 
> Salut Pascal -
> 
> You should use the "builddbm" utility included in the 
> Radiator distribution 
> top level directory. It is supplied in source form so you can 
> modify it if 
> you need to.
> 
> Also have a look at section 9 in the Radiator 2.19 reference 
> manual ("doc/ref.html").
> 
> regards
> 
> Hugh
> 
> On Tue, 5 Feb 2002 06:38, Pascal Robert wrote:
> > Hi list,
> >
> > I'm working on a project for a former employer.  One of their brands
> > is on BSDi servers with the BSDi password database as authentication.
> > I installed Radiator and everything is working fine.  But now, they
> > want to support CHAP (UUNet), so we need a separate users database
> > with the clear text passwords.
> >
> > We already sniff passwords with Radiator fantastic sniffer so this is
> > not the problem.  I wanted to export the passwd file made by Radiator
> > in CDB (with a Perl script) but after the documentation, I just don't
> > know what I should put in the "database".
> >
> > So after all those words, what is the CDB format I should use ???  For
> > the record, it's an old PC with BSDi 4.01 and MySQL won't compile on
> > it.  If someone has other suggestions, I'm open to anything that can
> > support CHAP
> >
> > :-)
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on [EMAIL PROTECTED]
> > To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe 
> > radiator' in the body of the message.
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS 
> server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, 
> NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, 
> extensible, flexible with hardware, software, platform and 
> database independence.
> 
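
One way to generate the cdbmake input described in the message above, as an added example (not Radiator code and not the poster's script). It uses the two sample entries from the message; the function names are hypothetical, and leaving out the newline when there are no reply items is an assumption taken from the second entry's data length of 41.

```python
"""Generate and validate cdbmake input for a Radiator CDB user file (added example)."""
import os


def format_record(username, check_items, reply_items=""):
    """Return one cdbmake record: +klen,dlen:key->data followed by a newline.

    Lengths are counted in bytes, not characters. The data is the check
    items, then (assumption, see lead-in) a newline and the reply items
    only when reply items are present.
    """
    key = username.encode("utf-8")
    if not key:
        raise ValueError("username must not be empty")
    if "\n" in check_items or "\n" in reply_items:
        raise ValueError("check and reply items must each be a single line")
    data = check_items.encode("utf-8")
    if reply_items:
        data += b"\n" + reply_items.encode("utf-8")
    return b"+%d,%d:%s->%s\n" % (len(key), len(data), key, data)


def build_cdbmake_input(users):
    """Concatenate records and append the extra newline that ends the input."""
    seen, out = set(), []
    for username, check_items, reply_items in users:
        if username in seen:
            raise ValueError("duplicate username: %r" % username)
        seen.add(username)
        out.append(format_record(username, check_items, reply_items))
    return b"".join(out) + b"\n"


def parse_cdbmake_input(blob):
    """Parse cdbmake input back into (username, check, reply) tuples.

    Records are read by their declared lengths because the data itself
    contains a newline. Raises ValueError on a length mismatch or when
    the terminating newline is missing.
    """
    records, pos = [], 0
    while True:
        if pos >= len(blob):
            raise ValueError("missing final newline")
        if blob[pos:pos + 1] == b"\n":
            if pos + 1 != len(blob):
                raise ValueError("data after the final newline")
            return records
        if blob[pos:pos + 1] != b"+":
            raise ValueError("expected '+' at offset %d" % pos)
        comma = blob.index(b",", pos)
        colon = blob.index(b":", comma)
        klen = int(blob[pos + 1:comma])
        dlen = int(blob[comma + 1:colon])
        key_end = colon + 1 + klen
        key = blob[colon + 1:key_end]
        if blob[key_end:key_end + 2] != b"->":
            raise ValueError("key length mismatch at offset %d" % pos)
        data_end = key_end + 2 + dlen
        data = blob[key_end + 2:data_end]
        if len(data) != dlen or blob[data_end:data_end + 1] != b"\n":
            raise ValueError("data length mismatch at offset %d" % pos)
        check, _, reply = data.partition(b"\n")
        records.append((key.decode("utf-8"), check.decode("utf-8"),
                        reply.decode("utf-8")))
        pos = data_end + 1


def write_private(path, blob):
    """Write the input file readable by its owner only: it holds clear text passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(blob)


# The two sample entries from the message above.
USERS = [
    ("corey1", 'Password="jack", Expiration="May 6 2002"',
     "Idle-Timeout = 1200, Framed-Address = 116.152.169.219, "
     "Service-Type = Framed-User, Framed-Protocol = PPP"),
    ("blinsto", 'Password="2dogs", Expiration="May 3 2002"', ""),
]

if __name__ == "__main__":
    write_private("users.cdbmake", build_cdbmake_input(USERS))
```
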



RE: (RADIATOR) Radiator Startup + daemontools

2002-01-04 Thread Dave Kitabjian

You can read more about daemontools here:

http://cr.yp.to/daemontools.html

In particular, I think you're talking about supervise:

http://cr.yp.to/daemontools/supervise.html

Unfortunately, I'm not a whiz at supervise. But there's a mailing list
you should consult:

http://cr.yp.to/lists.html#log

Dave
:)

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, January 04, 2002 4:18 PM
> To: Gilbert T. Gutierrez, Jr.; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Radiator Startup
> 
> 
> 
> Hello Gilbert -
> 
> As mentioned previously, I don't know anything about daemon 
> tools on FreeBSD, 
> so you will have to check the FreeBSD documentation or 
> consult a local 
> systems administrator.
> 
> Perhaps someone else on the list can help?
> 
> regards
> 
> Hugh
> 
> 
> On Sat, 5 Jan 2002 03:30, Gilbert T. Gutierrez, Jr. wrote:
> > I saw the restartWrapper script.  The reason I was not using it was
> > that it used send mail.  I have send mail disabled on the test machine
> > that I am working on as well as the two servers already in service
> > that I will be installing on.  I did not know if there was some
> > configuration file for Radiator that allowed me to run this
> > application from startup without running it as root.  The daemon tools
> > configuration file that I included should have run Radiator as user
> > "radius" but I am showing it as running as root.  I have very limited
> > shell scripting skills or Perl programming skills.
> >
> > Thanks,
> > Gilbert
> >
> > At 10:58 AM 1/4/2002 +1100, you wrote:
> > >Hello Gilbert -
> > >
> > >I am afraid I don't know anything about daemon tools on FreeBSD,
> > >however there is a tool called restartWrapper included with Radiator
> > >that can be  used for this in conjunction with the su command.
> > >
> > > restartWrapper . "su -c . ."
> > >
> > >You will have to check the exact syntax for su in the FreeBSD docs.
> > >
> > >You will find restartWrapper in the file "goodies/restartWrapper" and
> > >there is a section on its use in the Radiator manual.
> > >
> > >regards
> > >
> > >Hugh
> 



RE: (RADIATOR) Authenticaton Problems

2002-01-02 Thread Dave Kitabjian

Hmm, not sure why it's not working. Here are two things to try:

1) Restart Radiator completely (you can't always trust the HUP)

2) Try changing


...


to


...


If that doesn't catch everything, I don't know what will. Let us know.

Dave

> -Original Message-
> From: Eric Johnson [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, January 02, 2002 4:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: (RADIATOR) Authenticaton Problems
> 
> 
> I just tried changing the realm and I am still getting the same 
> error.  Only now instead of 127.0.0.1 it shows the realm as default
> 
> At 03:42 PM 1/2/02 -0500, Dave Kitabjian wrote:
> >The problem is that "127.0.0.1" is not a realm, it's a Client.
> >
> >Try changing
> >
> > 
> >
> >to
> >
> > 
> >
> >and let us know if it works.
> >
> >Dave
> >
> > > -Original Message-
> > > From: Eric Johnson [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, January 02, 2002 11:21 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: (RADIATOR) Authenticaton Problems
> > >
> > >
> > > When I run radpwtst I get three no reply errors in a row. The
> > > default user is in the test database.  In the log file the error is
> > > a bad authenticator.  Here is the log file and the config file that
> > > I am using.  Could someone tell me what I am doing wrong and
> > > possibly how to fix it?
> > >
> > > Wed Jan  2 10:05:56 2002: DEBUG: Packet dump:
> > > *** Received from 127.0.0.1 port 1528 
> > > Code:   Access-Request
> > > Identifier: 131
> > > Authentic:  1234567890123456
> > > Attributes:
> > >   User-Name = "mikem"
> > >   Service-Type = Framed-User
> > >   NAS-IP-Address = 203.63.154.1
> > >   NAS-Port = 1234
> > >   Called-Station-Id = "123456789"
> > >   Calling-Station-Id = "987654321"
> > >   NAS-Port-Type = Async
> > >   User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
> > >
> > > Wed Jan  2 10:05:56 2002: DEBUG: Check if Handler Realm=127.0.0.1 should be used to handle this request
> > > Wed Jan  2 10:05:56 2002: WARNING: Could not find a handler for mikem: request is ignored
> > > Wed Jan  2 10:06:01 2002: DEBUG: Packet dump:
> > > *** Received from 127.0.0.1 port 1528 
> > > Code:   Accounting-Request
> > > Identifier: 132
> > > Authentic:  <156>,{*<190><151><218><249><183><15>Y<127><146><128><6>
> > > Attributes:
> > >   User-Name = "mikem"
> > >   Service-Type = Framed-User
> > >   NAS-IP-Address = 203.63.154.1
> > >   NAS-Port = 1234
> > >   NAS-Port-Type = Async
> > >   Acct-Session-Id = "1234"
> > >   Acct-Status-Type = Start
> > >   Called-Station-Id = "123456789"
> > >   Calling-Station-Id = "987654321"
> > >
> > > Wed Jan  2 10:06:01 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> > > Wed Jan  2 10:06:06 2002: DEBUG: Packet dump:
> > > *** Received from 127.0.0.1 port 1528 
> > > Code:   Accounting-Request
> > > Identifier: 133
> > > Authentic:  <193><187><186><190><186><181><21><228><23>V<253>a+2I<133>
> > > Attributes:
> > >   User-Name = "mikem"
> > >   Service-Type = Framed-User
> > >   NAS-IP-Address = 203.63.154.1
> > >   NAS-Port = 1234
> > >   NAS-Port-Type = Async
> > >   Acct-Session-Id = "1234"
> > >   Acct-Status-Type = Stop
> > >   Called-Station-Id = "123456789"
> > >   Calling-Station-Id = "987654321"
> > >   Acct-Delay-Time = 0
> > >   Acct-Session-Time = 1000
> > >   Acct-Input-Octets = 2
> > >   Acct-Output-Octets = 3
> > >
> > > Wed Jan  2 10:06:06 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> > >

RE: (RADIATOR) Authenticaton Problems

2002-01-02 Thread Dave Kitabjian

The problem is that "127.0.0.1" is not a realm, it's a Client.

Try changing

 

to

 

and let us know if it works.

Dave

> -Original Message-
> From: Eric Johnson [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, January 02, 2002 11:21 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Authenticaton Problems
> 
> 
> When I run radpwtst I get three no reply errors in a row.  
> The default user is in the test database.  In the log file 
> the error is a bad authenticator.  Here is the log file and 
> the config file that I am using.  Could someone tell me what 
> I am doing wrong and possibly how to fix it?
> 
> Wed Jan  2 10:05:56 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1528 
> Code:   Access-Request
> Identifier: 131
> Authentic:  1234567890123456
> Attributes:
>   User-Name = "mikem"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Port = 1234
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>   NAS-Port-Type = Async
>   User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
> 
> Wed Jan  2 10:05:56 2002: DEBUG: Check if Handler Realm=127.0.0.1 should be used to handle this request
> Wed Jan  2 10:05:56 2002: WARNING: Could not find a handler for mikem: request is ignored
> Wed Jan  2 10:06:01 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1528 
> Code:   Accounting-Request
> Identifier: 132
> Authentic:  <156>,{*<190><151><218><249><183><15>Y<127><146><128><6> 
> Attributes:
>   User-Name = "mikem"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Port = 1234
>   NAS-Port-Type = Async
>   Acct-Session-Id = "1234"
>   Acct-Status-Type = Start
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
> 
> Wed Jan  2 10:06:01 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> Wed Jan  2 10:06:06 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1528 
> Code:   Accounting-Request
> Identifier: 133
> Authentic:  <193><187><186><190><186><181><21><228><23>V<253>a+2I<133>
> Attributes:
>   User-Name = "mikem"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Port = 1234
>   NAS-Port-Type = Async
>   Acct-Session-Id = "1234"
>   Acct-Status-Type = Stop
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>   Acct-Delay-Time = 0
>   Acct-Session-Time = 1000
>   Acct-Input-Octets = 2
>   Acct-Output-Octets = 3
> 
> Wed Jan  2 10:06:06 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> 
> Foreground 
> LogStdout 
> LogDir  /Radiator/log 
> #Dictionary File is in current dir 
> DictionaryFile ./dictionary 
> Trace 4 
> 
>  
>Secret  dogcat 
>  DupInterval 0 
>  
>   
> 
>  Identifier CheckSQL 
> 
>  DBSource dbi:mysql:ISP 
>  DBUsername  admin 
>  DBAuth lifter 
>  AccountingTable ACCOUNTING 
>  AcctColumnDef   USERNAME,User-Name 
>  AcctColumnDef   TIME_STAMP,Timestamp,integer 
>  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type 
>  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer 
>  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer 
>  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer 
>  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id 
>  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer 
>  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause 
>  AcctColumnDef   NASIDENTIFIER,NAS-Identifier 
>  AcctColumnDef   NASPORT,NAS-Port,integer 
>   
> 
> 
> 
>  
> 
>  Identifier CheckNT 
> 
>  # You must set the domain name here to suit your site 
>  Domain ETHERNET1 
> 
>  # ON NT, optionally specify the name of the 
>  # Primary Domain Controller, including the leading 
>  # \\ slashes, to override the default domain controller 
>  # for the domain you specified above 
>  DomainController \\FEZZIK 
> 
>  # On Unix, you MUST specify the Domain Controller 
>  # name as the NT host name of the domain controller 
>  # its not optional. This needs to be set to the NT 
>  # name of the Primary Domain Controller, and further 
>  # the NT name must be in the Unix hosts or DNS 
>  DomainController FEZZIK 
> 
>  # On NT, you can optionally check the 
>  # "Grant dialin permission to user" flag in the 
>  # user manager. Requires the 
>  # Win32-RasAdmin Perl package to be installed first 
>  # H

RE: (RADIATOR) Authentication Question..

2001-12-13 Thread Dave Kitabjian

Remember that the Authentication requests can be sent to a different
place than the Accounting requests, via separate lines in your Cisco
config file. Perhaps the AUTH line is not correct...

Dave

> -Original Message-
> From: GwangHee Yi [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, December 12, 2001 1:37 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Authentication Question..
> 
> 
> Dear All,
> 
> I am using Cisco2600 Gatekeeper.
> 
> I want to authenticate with Radiator.
> I got exact accounting attributes. It's working very well.
> But the Cisco router does not send me an Access-Request.
> Therefore, I cannot authenticate with my MySql DB.
> 
> Is this a Cisco configuration problem or a Radiator configuration
> problem?
> 
> Below is configuration and Debug...
> 
> Thanks,
> 
> Configuration.
> ==
> Trace 4
> Foreground
> LogStdout
> LogDir  .
> DbDir   .
> 
> 
> AuthPort 1712
> AcctPort 1713
> 
> 
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:
> DBUsername  
> DBAuth  *
> 
> # Auth Statements
> 
> AuthSelect SELECT password,replyattr FROM subscribers 
> WHERE username = '%n'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, reply
> 
> # You may want to tailor these for your ACCOUNTING table
> AccountingTable ACCOUNTING
> AcctColumnDef   USERNAME,User-Name
> AcctColumnDef   TIME_STAMP,Timestamp,integer
> AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,inter
> 
> AcctLogFileName /var/radius/radius.log
> 
> 
> Debug
> =
> Code:   Accounting-Request
> Identifier: 76
> Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
> Attributes:
> NAS-IP-Address = *
> NAS-Port-Type = Async
> User-Name = "***"
> Called-Station-Id = "***"
> Calling-Station-Id = "***"
> Acct-Status-Type = Stop
> Service-Type = Login-User
> Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//"
> Acct-Input-Octets = 0
> Acct-Output-Octets = 0
> Acct-Input-Packets = 0
> Acct-Output-Packets = 0
> Acct-Session-Time = 11
> cisco-avpair = "pre-bytes-in=0"
> cisco-avpair = "pre-bytes-out=0"
> cisco-avpair = "pre-paks-in=0"
> cisco-avpair = "pre-paks-out=0"
> cisco-avpair = "nas-rx-speed=0"
> cisco-avpair = "nas-tx-speed=0"
> Acct-Delay-Time = 0
> 
> Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Dec 11 17:04:58 2001: DEBUG: Deleting session for **, *,
> Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL
> Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL
> Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, 
> ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, 
> ACCTSESSIONID, ACCTSESSIONTIME)
> values
> ('**', 1008119098, 'Stop', 0, 0, 0, 
> '56///0 B8E9C61F 4050007 EA25B92//', 11)
> 
> Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted
> Tue Dec 11 17:04:58 2001: DEBUG: Packet dump:
> *** Sending to *** port 1646 
> Code:   Accounting-Response
> Identifier: 76
> Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
> Attributes:
> 
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
> 



RE: (RADIATOR) IpassPerl still lingering around?

2001-12-06 Thread Dave Kitabjian



To attempt to answer my own question, it appears that the below quote may be
the only part of the appendix that is "deprecated". Using the "new" approach,
only Outbound is affected; Inbound is still the same.

So perhaps IPASS' VNAS server originally only handled Inbound requests, but
then later they upgraded it to also handle Outbound as well?

Dave

> -Original Message-
> From: Dave Kitabjian
> Sent: Thursday, December 06, 2001 3:11 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) IpassPerl still lingering around?
>
> Regarding this clip from the current manual,
>
> "If you wish to do outbound authentication with the iPASS network, you
> will also need the IpassPerl software from Open System Consultants. See
> http://www.open.com.au for contact details."
>
> Isn't IpassPerl part of what was deprecated along with  way back? In
> general, how accurate is the rest of the iPass appendix of the manual?
>
> Thanks!
>
> _
> Dave Kitabjian
> NetCarrier, Software Engineering


(RADIATOR) IpassPerl still lingering around?

2001-12-06 Thread Dave Kitabjian

Regarding this clip from the current manual,

"If you wish to do outbound authentication with the iPASS network, you will also need the IpassPerl software from Open System Consultants. See http://www.open.com.au for contact details."

Isn't IpassPerl part of what was deprecated along with  way back? In general, how accurate is the rest of the iPass appendix of the manual?

Thanks!


_


Dave Kitabjian

NetCarrier, Software Engineering 





RE: (RADIATOR) AuthLog question/requests

2001-12-06 Thread Dave Kitabjian

Well, I'm not going to complain. The  tool is a great tool. By
configuring it as follows:

SuccessFormat   %l%r\
User-Name = %U%r\
Pass = 1%r  \
CallerId = %{Calling-Station-Id}%r  \
Typed-Password = %P%r   \
Severity = %0%r \
Reason = %1%r%r
FailureFormat   %l%r\
User-Name = %U%r\
Pass = 0%r  \
CallerId = %{Calling-Station-Id}%r  \
Typed-Password = %P%r   \
Severity = %0%r \
Reason = %1%r%r

(ie, as a Radius-style record; note the literal tabs before the \) we
are able to use the same software we use for accounting data to import
the data into our system and provide our techs with near real-time
authentication info.

Perhaps the solution, since PasswordLogFileName and  appear to
fit into the object model differently, could be to offer the
SuccessFormat and FailureFormat options in the PasswordLogFileName
feature, rather than try to get the actual password in ...

Dave

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, December 05, 2001 6:44 PM
> To: Dave Kitabjian; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) AuthLog question/requests
> 
> 
> 
> Hello Dave -
> 
> On Thu, 6 Dec 2001 02:05, Dave Kitabjian wrote:
> > Hello!
> >
> > Comparing  to Handler.PasswordLogFileName, I have a 
> > couple of questions:
> >
> > 1) Does AuthLog FILE have an option for ExcludeFromPasswordLog?
> >
> 
> No it doesn't.
> 
> > 2) Can I get access to the correct_password, like PasswordLogFileName
> > does, in  ? That would be a big help, especially since
> > the whole purpose of this logfile for us is to debug password
> > problems.
> >
> 
> The logging only has access to the special characters defined 
> in section 6.2 
> of the manual.
> 
> regards
> 
> Hugh
> 
> 
> 
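
An added example, not Radiator code and not the poster's import software: a parser for the records the SuccessFormat/FailureFormat pair in the message above would write, assuming %r expands to a newline and the literal tab indents each attribute line. The sample records and function names are constructed for illustration; the masking helper is there because Typed-Password is logged in clear text.

```python
"""Parse Radius-style AuthLog records (added example; sample data is constructed)."""
from collections import Counter

# Constructed sample of three records: a timestamp line (%l), tab-indented
# "Name = value" lines, and an empty line (%r%r) closing each record.
SAMPLE_LOG = (
    "Thu Dec  6 09:15:02 2001\n"
    "\tUser-Name = alice\n"
    "\tPass = 1\n"
    "\tCallerId = 2155550101\n"
    "\tTyped-Password = correct-horse\n"
    "\tSeverity = 3\n"
    "\tReason = \n"
    "\n"
    "Thu Dec  6 09:15:40 2001\n"
    "\tUser-Name = bob\n"
    "\tPass = 0\n"
    "\tCallerId = 2155550100\n"
    "\tTyped-Password = pa = ss\n"
    "\tSeverity = 3\n"
    "\tReason = Bad Password\n"
    "\n"
    "Thu Dec  6 09:16:05 2001\n"
    "\tUser-Name = bob\n"
    "\tPass = 0\n"
    "\tCallerId = 2155550100\n"
    "\tTyped-Password =  leading\n"
    "\tSeverity = 3\n"
    "\tReason = Bad Password\n"
    "\n"
)


def parse_records(text):
    """Return one dict per record, with the first line stored as 'Timestamp'."""
    records = []
    for block in text.split("\n\n"):
        lines = [line for line in block.split("\n") if line.strip()]
        if not lines:
            continue
        record = {"Timestamp": lines[0].strip()}
        for line in lines[1:]:
            # Split on the first " =" only: a typed password may itself
            # contain " = ", and a value may be empty or start with a space.
            name, sep, value = line.lstrip().partition(" =")
            if not sep:
                raise ValueError("not an attribute line: %r" % line)
            record[name] = value[1:] if value[:1] == " " else value
        records.append(record)
    return records


def mask_passwords(records, field="Typed-Password"):
    """Copy the records with the clear text password replaced, for consumers
    that only need the pass/fail result and the reason."""
    return [dict(rec, **{field: "***"}) if field in rec else dict(rec)
            for rec in records]


def failures_by_caller(records):
    """Count failed attempts (Pass = 0) per CallerId."""
    return Counter(rec.get("CallerId", "") for rec in records
                   if rec.get("Pass") == "0")


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_LOG)
    for caller, count in failures_by_caller(parsed).items():
        print(caller, count)
```
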



(RADIATOR) AuthLog question/requests

2001-12-05 Thread Dave Kitabjian

Hello!


Comparing  to Handler.PasswordLogFileName, I have a couple of questions:


1) Does AuthLog FILE have an option for ExcludeFromPasswordLog?


2) Can I get access to the correct_password, like PasswordLogFileName does, in  ? That would be a big help, especially since the whole purpose of this logfile for us is to debug password problems.

Thanks!!


_


Dave Kitabjian

NetCarrier, Software Engineering 





(RADIATOR) 2.18: FailureFormat not reread on HUP

2001-12-05 Thread Dave Kitabjian

Just as an FYI,


The AuthLog.FailureFormat does not appear to be reread after a HUP to Radiator 2.18. Perhaps it was fixed in 2.19, but I don't remember reading about it in the fixlist.

Thanks!


_____


Dave Kitabjian

NetCarrier, Software Engineering 





RE: (RADIATOR) RADIATOR (freebsd install)

2001-12-03 Thread Dave Kitabjian

Are you sure you are root when you run "make install"?

Dave

> -Original Message-
> From: Rick Ross [mailto:[EMAIL PROTECTED]] 
> Sent: Sunday, December 02, 2001 1:54 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) RADIATOR (freebsd install)
> 
> 
> ok  I'm trying to install 2.19 on freebsd 4.4
> perl Makefile works ok  make test is all ok
> when  I do make install it makes all the perl stuff fine
> but it doesn't make the raddb or move the radiusd into any of
> the libexec
> directories  (build dir   /usr/local/src/Radiator-2.19)
> am I missing something ?
> 
> newbie to Radiator
> 
> Rick Ross
> Insight Systems ltd
> 
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
> 



RE: (RADIATOR) can snmpget query NAS w/ Cisco-NAS-Port?

2001-11-18 Thread Dave Kitabjian

Oh, I see. You just mean renaming the attribute, but keeping its value
the same:

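sub
{
    # $_[0] is a reference to the incoming request packet
    my $p = ${$_[0]};

    my $nasport;

    # Copy the Cisco-NAS-Port value into NAS-Port, value unchanged
    if ($nasport = $p->get_attr('Cisco-NAS-Port'))
    {
        &main::log($main::LOG_DEBUG,
                   "Cisco-NAS-Port = $nasport");
        $p->change_attr('NAS-Port', $nasport);
        # Left disabled: the original attribute stays in the request
        # $p->delete_attr('Cisco-NAS-Port');
    }
    return;
}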

That's fine with me, but will snmpget know what to do with a Nas-Port
that looks like "Async5/94", "Serial7/0:21:17", or "Virtual-Access25"
when it goes to see if the user is still online? That's my main
concern...

Dave

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, November 16, 2001 8:09 PM
> To: Dave Kitabjian; Radiator List
> Subject: Re: (RADIATOR) can snmpget query NAS w/ Cisco-NAS-Port?
> 
> 
> 
> Hello Dave -
> 
> On Saturday 17 November 2001 01:48, Dave Kitabjian wrote:
> > Problem: we want to query Cisco 5400's for simultaneous use, but for
> > VoIP, there is no Nas-Port in the Access-Request, only Cisco-Nas-Port.
> >
> > My understanding is that, to double check the Session DB's accuracy,
> > snmpget will do a lookup based on NAS-Identifier, NAS-Port, and
> > Username, and a few other things (see Nas.pm, isOnline()):
> >
> > ($name, $nas_id, $nas_port, $session_id, $client,
> > $framed_ip_address)
> >
> > For the Ciscos in particular, it appears to use:
> >
> > ($nas_id,
> >  $client->{SNMPCommunity},
> >  
> > "$Radius::Nas::CiscoMIB.2.9.2.1.18.$nas_port")
> >
> > and it's all looking under the MIB:
> >
> > .iso.org.dod.internet.private.enterprises.9
> >
> > (See also SessSQL.pm). Obviously, we can modify the SessionDatabase's
> > AddQuery to insert the Cisco-NAS-Port rather than the Nas-Port. But
> > how do we get snmpget to query that info in the Cisco MIB?
> >
> 
> It is probably easier to use a PreClientHook to take the 
> Cisco-NAS-Port value 
> and add a NAS-Port attribute to the incoming request. There 
> is an example 
> hook that does this in the file "goodies/hooks.txt".
> 
> regards
> 
> Hugh
> 
> 



(RADIATOR) can snmpget query NAS w/ Cisco-NAS-Port?

2001-11-16 Thread Dave Kitabjian

Problem: we want to query Cisco 5400's for simultaneous use, but for VoIP, there is no Nas-Port in the Access-Request, only Cisco-Nas-Port.

My understanding is that, to double check the Session DB's accuracy, snmpget will do a lookup based on NAS-Identifier, NAS-Port, and Username, and a few other things (see Nas.pm, isOnline()):

    ($name, $nas_id, $nas_port, $session_id, $client, $framed_ip_address)


For the Ciscos in particular, it appears to use:


    ($nas_id,

 $client->{SNMPCommunity},

 "$Radius::Nas::CiscoMIB.2.9.2.1.18.$nas_port")


and it's all looking under the MIB:


    .iso.org.dod.internet.private.enterprises.9


(See also SessSQL.pm). Obviously, we can modify the SessionDatabase's AddQuery to insert the Cisco-NAS-Port rather than the Nas-Port. But how do we get snmpget to query that info in the Cisco MIB?

Thanks in advance!!


_


Dave Kitabjian

NetCarrier, Software Engineering 





RE: (RADIATOR) after year 2037

2001-11-14 Thread Dave Kitabjian

Yea, but what if the customer has already paid for 40 years up front and
so his expiration date is 2040?

Dave
:) sorry, couldn't resist

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, November 14, 2001 9:37 AM
> To: ISMAIL,IRWAN (HP-Malaysia,ex1)
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) after year 2037
> 
> 
> On Wed, 14 Nov 2001, ISMAIL,IRWAN (HP-Malaysia,ex1) wrote:
> 
> > Hi,
> >
> > I tried switching the date on my NT server (which is running radiator)
> > to a date that is after year 2037 and I would get a "no reply" if I
> > tried to authenticate. Is this a limitation of Radiator? The logfile
> > would also be saved as 1900-MM-DD, instead of 20XX-MM-DD.
> 
> How far after 2037 were you trying to go?  32-bit systems 
> using signed 32-bit int's to store "unix time" as seconds 
> since 1970 have a problem trying to deal with times after Jan 
> 18, 2038.  Hopefully, by that time, there won't be any 32-bit 
> CPU's kicking around.
> 
> -- 
> --
>  Jon Lewis *[EMAIL PROTECTED]*|  I route
>  System Administrator|  therefore you are
>  Atlantic Net|
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
> 
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
> 



RE: (RADIATOR) Questions about PPPoE

2000-12-05 Thread Dave Kitabjian

You may not need any changes whatsoever.

We just turned on an Apartment Complex for full-time Internet access to all
the dwelling units. They use WinPOET and MacPOET as their PPPoE clients.
Currently, we use a PPPoE server running on FreeBSD, whose IP we list in our
 clause. We have configured that PPPoE server to report the standard
Radius accounting attributes. So as far as Radiator is concerned, it's just
another NAS, and no custom configuration is necessary at all.

Dave
:)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Rich Barnes
> Sent: Monday, December 04, 2000 3:59 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Questions about PPPoE
>
>
> I'm just starting to look into offering PPPoE for our xDSL
> customers.  I'll
> warn everyone here that other than knowing what PPPoE stands
> for, and the
> basic idea behind it, I don't know much else about it (I was
> just given the
> project this morning).
>
> Since I use radiator for my dial-up authentication, and I
> know PPPoE uses
> authentication of some kind, I'm wondering if RADIATOR
> supports PPPoE, and
> what is involved in implementing it...
>
> thanks
>
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Radiator/LDAP hangs on binary username! (repost, upon request)

2000-12-04 Thread Dave Kitabjian

> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
>
> Hello Dave -
>
> At 11:11 -0500 30/11/00, Dave Kitabjian wrote:
> >I believe it's a BUG.
> >
> >Please see my post from last week:
> >
> > "Radiator/LDAP hangs on binary username!"
>
>
> I don't believe I have seen this - can you repost?
>

Attached is a repost.

>As I have said many times, you are much better off just rejecting
>usernames that contain rubbish. This topic has been discussed on the
>list several times and I have posted examples. Have a look at the
>archive:

I'm sorry, I had searched the archive for "binary username" and other
things, but I couldn't find anything. I'll take another look.

Thanks again!

Dave


RE: (RADIATOR) What is this? A bug, a DOS attack?

2000-11-30 Thread Dave Kitabjian

I believe it's a BUG.

Please see my post from last week:

"Radiator/LDAP hangs on binary username!"

to which no one has replied yet, where I described a similar experience.
Again, AuthBy CDB never misbehaved with these binary usernames, but AuthBy
LDAP2 will hang Radiator completely.

It's pretty easy to reproduce: telnet to your NAS IP, and when it asks for
username or login, enter something like:

ÀÛþpZ_S^ØG*Õ_ÉøgÑ_´

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Luis Alves
> Sent: Thursday, November 30, 2000 9:03 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) What is this? A bug, a DOS attack?
>
>
>
> Hi,
>
> Something strange happened with my Radiator Servers. The servers froze,
> ignoring all the requests that were made by the NAS.
>
> Although, the process of Radiator was alive and taking the
> usual resources
> from the server.
>
> When I checked the log messages in SQL, I saw this strange
> message (where
> XXX.XXX.XXX.XXX is the NAS IP address and YYY the port):
>
> Deleting session for
> ÁYZp}+µÀÛþpZ_S^ØG*Õ_ÉøgÑ_´ l¾Ù_]_"à×£^-""
> T²...H_¶V_(Æ-DÅoeëÆ{_Ý ö:°_ DGÕe¸ôÄû»z÷#_ú :, XXX.XXX.XXX.XXX, YYY
>
> I use Radiator-2.16.3 with authentication in LDAP and logging is MYSQL
>
> What is this? A bug, a DOS attack?
>
> Thanks in advance
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>





Re: (RADIATOR) packet dumps: how to analyze them?

2000-11-30 Thread Dave Kitabjian

Hey guys,

Thanks very much for the feedback!

Dave
:)

___

Have a copy of the RFC alongside the packet dump and check the attribute
definitions to do the translation.

Otherwise, use something like this:



regards

Hugh





(RADIATOR) packet dumps: how to analyze them?

2000-11-28 Thread Dave Kitabjian

With Trace level 5 enabled, here is a sample packet dump using radpwtst:


Tue Nov 28 12:53:15 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1101 

Packet length = 67
04 5b 00 43 bb d7 4c 1d 80 3e 3b 4f 5e 51 80 cf
bb f6 79 a6 01 07 6d 69 6b 65 6d 06 06 00 00 00
02 04 06 cb 3f 9a 01 05 06 00 00 04 d2 3d 06 00
00 00 00 2c 0a 30 30 30 30 31 32 33 34 28 06 00
00 00 01
Code:   Accounting-Request
Identifier: 91
Authentic:  <187><215>L<29><128>>;O^Q<128><207><187><246>y<166>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start


I can see that "mikem" = "6d 69 6b 65 6d" and that "1234" = "30 30 30 30
31 32 33 34", but most of the rest is pretty unintelligible. Does anyone
have any pointers on how to read this info?

Thanks,

Dave





(RADIATOR) Radiator/LDAP hangs on binary username!

2000-11-22 Thread Dave Kitabjian

We have been using  for about a year without any problems. We
are now trying to cutover all our systems to . Twice now since
Friday, since we have gone live with LDAP, Radiator has hung, causing me
great grief. This never happened before with CDB. Here are the details:

- Authentication and Accounting are being handled by separate Radiator
procs; the one that hangs is Authentication.
- the perl (Radiator) process was stuck in RUN state, and using close to
100% cpu.
- we're using Radiator 2.16.3 and OpenLdap 1.2.9(?)
- OpenLdap is running on the same server (localhost) as Radiator

The Radiator and OpenLdap log clips are shown below, as well as a section of
our config file. Notice that Radiator shows:

"Connecting to localhost, port 389"

and that's it; it hung at that point. However, the OpenLdap log appears to
have processed the request and sent a reply (but I'm not an expert at
reading the OpenLdap logs).

The apparently binary Username and Password are interesting. We've had
requests like this when we used , and it worked fine: it
returned an Access-Reject. But I'm wondering if this is why Radiator is
hanging using ? If so, how do we fix it? If not, then what
caused Radiator to hang?

Thanks very much for any and all help. This is a true show-stopper.

Dave



RADIATOR:

*** Received from 209.163.72.14 port 1812 
Code:   Access-Request
Identifier: 7
Authentic:  <6><209><240>4<175><224><222><3>q<154>k<134><8>3<205>-
Attributes:
User-Name =
"<253><169><165>W<163><151><141>?<138><29><132><232><223>f<2
12><128><229><213><138>QT<128><2>id<210><240><172>5<252>]<14><207><190><178>
<10>
<11><187>}<22>U<236>2<242>f~<132><147>Gsg<157><156><165>3<136><208><169>(`<2
49><
166><152>X<251>3<24>YT<148><137>t,!<18><134>*<17><252><253><242><188><187>8<
170>
<1>^<20><161><139><205><18>J<222><129>D<159>KqzB<238><140><147>:<239>O<142><
225>
KX<16><251>Lp<30>&<252><16>k/<236>p<9>9^<253><183><208><214>O\<182><228>"<20
4>|<
201><252><139><17><240><147><149>!<253><249><30><200><151><152><15>l:v<133><
227>
<183><14>e<216>vv<175><134>u<165>{<134><134>i<180><22><223>
<215><194><195><20><
231><224>K<167><225><212><253><158>{<243>M<217><162><217><161>r<14><183>7<16
><24
1>Q<137><217><29>hU<248>t<239><132>q"
User-Password =
"<157>j<246>.j<151><148><168>K!n\x|Q<151>1<194><225>W<25
0><152>2(<254><3>(<192>b<13><171>><250>Y;<176><6>)x<19>>Ti|!<17>*<222> <246>
{.<
185>=<224><215>l<5>=<213><185><21><138>M<223><229>Jg7)<4><205><253>r5J<178>J
Je<2
02><253><16><157><237>.<144><167>:<146>;E<128>L<185>RS3-<189>H<26>l<193>#$<1
64><
210><138>E<193>"
NAS-IP-Address = 209.163.72.14
NAS-Port = 9232
Acct-Session-Id = "000f0910090910"
USR-Interface-Index = 3577
Service-Type = Login-User
USR-Chassis-Call-Slot = 10
USR-Chassis-Call-Span = 1
USR-Chassis-Call-Channel = 17
USR-Connect-Speed = NONE
Calling-Station-Id = "6102878105"
Called-Station-Id = "3613526"
Ascend-Xmit-Rate = 0
NAS-Port-Type = Async

Wed Nov 22 12:50:12 2000: DEBUG: Handling request with Handler 'Realm='
Wed Nov 22 12:50:12 2000: DEBUG: Rewrote user name to
^}^i^ew^c^W^M?^J^]^D^h^_f
^T^@^e^U^Jqt^@^Bid^R^p^l5^|]^N^O^~^r
^K^{}^Vu^l2^rf~^D^Sgsg^]^\^e3^H^P^i(`^y^f^Xx^{3^Xyt^T^It,!^R^F*^Q^|^}^r^|^{8
^j^A
^^T^a^K^M^Rj^^^Ad^_kqzb^n^L^S:^oo^N^akx^P^{lp^^&^|^Pk/^lp
9^^}^w^P^Vo\^v^d
"^L|^I^|^K^Q^p^S^U!^}^y^^^H^W^X^Ol:v^E^c^w^Ne^Xvv^o^Fu^e{^F^Fi^t^V^_
^W^B^C^T^g
^`k^g^a^T^}^^{^sm^Y^b^Y^ar^N^w7^P^qq^I^Y^]hu^xt^o^Dq
Wed Nov 22 12:50:12 2000: DEBUG: Rewrote user name to
^}^i^ew^c^W^M?^J^]^D^h^_f
^T^@^e^U^Jqt^@^Bid^R^p^l5^|]^N^O^~^r^K^{}^Vu^l2^rf~^D^Sgsg^]^\^e3^H^P^i(`^y^
f^Xx
^{3^Xyt^T^It,!^R^F*^Q^|^}^r^|^{8^j^A^^T^a^K^M^Rj^^^Ad^_kqzb^n^L^S:^oo^N^akx^
P^{l
p^^&^|^Pk/^lp9^^}^w^P^Vo\^v^d"^L|^I^|^K^Q^p^S^U!^}^y^^^H^W^X^Ol:v^E^c^w^Ne^X
vv^o
^Fu^e{^F^Fi^t^V^_^W^B^C^T^g^`k^g^a^T^}^^{^sm^Y^b^Y^ar^N^w7^P^qq^I^Y^]hu^xt^o
^Dq
Wed Nov 22 12:50:12 2000: DEBUG: SDB1 Deleting session for
^}^i^eW^c^W^M?^J^]^D
^h^_f^T^@^e^U^JQT^@^Bid^R^p^l5^|]^N^O^~^r
^K^{}^VU^l2^rf~^D^SGsg^]^\^e3^H^P^i(`^y^f^XX^{3^XYT^T^It,!^R^F*^Q^|^}^r^|^{8
^j^A
^^T^a^K^M^RJ^^^AD^_KqzB^n^L^S:^oO^N^aKX^P^{Lp^^&^|^Pk/^lp
9^^}^w^P^VO\^v^d
"^L|^I^|^K^Q^p^S^U!^}^y^^^H^W^X^Ol:v^E^c^w^Ne^Xvv^o^Fu^e{^F^Fi^t^V^_
^W^B^C^T^g
^`K^g^a^T^}^^{^sM^Y^b^Y^ar^N^w7^P^qQ^I^Y^]hU^xt^o^Dq, 209.141.72.14, 9232
Wed Nov 22 12:50:12 2000: DEBUG: Handling with Radius::AuthLDAP2
Wed Nov 22 12:50:12 2000: DEBUG: Connecting to localhost, port 389
__

OPENLDAP:

Nov 22 12:50:12 rad1 slapd[144]: do_bind
Nov 22 12:50:12 rad1 slapd[144]: do_bind: version 2 dn
(dc=ppp,dc=netcarrier,dc=
com) method 128
Nov 22 12:50:12 rad1 slapd[144]: dn2entry_r: dn:
"DC=PPP,DC=NETCARRIER,DC=COM"
Nov 22 12:50:12 rad1 slapd[144]: => dn2id( "DC=PPP,DC=NETCARRIER,DC=COM" )
Nov 22 12:50:12 rad1 slapd[144]: > cache_find_entry_dn2id: found dn:
DC=PPP,
DC=NETCARRIER,DC=COM
Nov 22 12:50:12 rad1 slapd[144]: <= dn2id 2 

RE: (RADIATOR) NoDefault and NoDefaultIfFound

2000-11-22 Thread Dave Kitabjian

Okay, thanks! This is all very clear now.

I think the only thing I might suggest is a small change in the
documentation wording...

From: 6.16.11 NoDefault
Normally if Radiator searches for a user in the database and finds one, but
the users check items fail, Radiator will then consult the DEFAULT user
entry.

To: 6.16.11 NoDefault
Normally if Radiator searches for a user in the database and either does not
find one, or finds one, but the users check items fail, Radiator will then
consult the DEFAULT user entry.

Thanks again for the clarification!!

Dave

> No. NoDefaultIfFound means that if a user entry is found and
> fails, then don't
> do a DEFAULT lookup. This is the opposite to the standard
> behaviour, which is
> to do a DEFAULT lookup either if the user is not found, or if
> the user is found
> but fails.





(RADIATOR) NoDefault and NoDefaultIfFound

2000-11-21 Thread Dave Kitabjian

(See the official definitions from the manual below.)

I find these definitions confusing. For NoDefaultIfFound, it says "Radiator
will only look for a DEFAULT if there were no entries found in the user
database for the user". In that case, shouldn't this be called
DefaultIfNotFound?

The reason this came up is that our  was doing the latter even
WITHOUT specifying NoDefaultIfFound: any time a username did not exist, it
looked again for DEFAULT, wasting time (since we don't use a DEFAULT user).
Is NoDefaultIfFound supposed to be on by default for LDAP2? Anyway, we
appear to have gotten around this by specifying NoDefault. But note that
this explanation is also incomplete; it says that it consults DEFAULT when
it "finds [a user], but the users check items fail". However, at least for
LDAP2, it ALSO consults DEFAULT when the user doesn't exist at all.

If I am confused, I'll be glad if someone can clear this up. But hopefully
this is a clarification that will help someone else out there. Thanks for
listening!

Dave

___
6.16.11 NoDefault
Normally if Radiator searches for a user in the database and finds one, but
the users check items fail, Radiator will then consult the DEFAULT user
entry. However, if the NoDefault parameter is set, Radiator will never look
for a DEFAULT.

# Save time by never looking for a default
NoDefault
6.16.12 NoDefaultIfFound
Normally if Radiator searches for a user in the database and finds one, but
the users check items fail, Radiator will then consult the DEFAULT user
entry. However, if the NoDefaultIfFound parameter is set, Radiator will only
look for a DEFAULT if there were no entries found in the user database for
the user.

# don't fall through to DEFAULT if a users check item failed
NoDefaultIfFound






RE: (RADIATOR) Radiator,MS SQL & Cisco AS5300 for VoIP

2000-11-17 Thread Dave Kitabjian

I'm looking forward to seeing any replies to this, since we will be doing
the exact same thing in just a couple weeks.

Meanwhile, do you have the AS5300 dictionary that includes the VSA's for
VoIP? I haven't been able to find that anywhere.

Thanks!

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Primoz Jeroncic
> Sent: Friday, November 17, 2000 9:56 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Radiator,MS SQL & Cisco AS5300 for VoIP
>
>
> Hi
>
> I'm totally new to this thing since we have only evaluation version
> of Radiator. I have to test Radiator to see if it works as we would
> like it in our configuration. So here's my config: We have Cisco
> AS5300 as VoIP gateway, PC with Microsoft SQL and Radiator
> currently running on same PC as SQL. We need to get attributes
> cisco-h323-credit-time and cisco-h323-credit-amount back from
> Radiator to AS5300. It works nice when I use text user file,
> but when I tried to use SQL database it doesn't really work.
> I made SQL database called radius based on ansiCreate.sql
> script which comes with Radiator distribution. Then I added
> my user with password, leaving ENCRYPTEDPASSWORD field and
> CHECKATTR field empty but added next line in REPLYATTR field:
> cisco-h323-credit-amount =
> "h323-credit-amount=100.00",cisco-h323-credit-time =
> "h323-credit-time=1000"
> I copied those two lines from userfile where it worked when I
> had it done like this:
> 1234  Password = "5678"
>   cisco-h323-credit-amount = "h323-credit-amount=100.00",
>   cisco-h323-credit-time = "h323-credit-time=1000"
>
> Now the caller manages to authenticate on Radiator, it even puts
> data to table ACCOUNTING but Radiator doesn't send REPLYATTR
> back to AS5300. My radius config file looks like this:
>
> 
>   Secret test
>   DupInterval 0
> 
> # I also added this client to SQL.
> 
>   DBSource dbi:ODBC:radius_odb
>   DBUsername: sa
>   DBAuth
> 
> 
>  
>   DBSource dbi:ODBC:radius_odb
> DBUsername: sa
> DBAuth
>   AcctColumnDef   START_TIME,cisco-h323-setup-time
>  
> 
>
> Did I miss something? Because when I was trying before with txt
> database AS5300 gave me at least "invalid AVPair" if I put wrong
> syntax for "cisco-h323-credit-time". Now it doesn't complain
> at all because it looks like it doesn't get anything back from
> Radiator. Also debugging on Radiator doesn't show anything about
> sending something back to Cisco.
>
> Any idea what I could do to get those things back to Cisco from
> Radiator?
>
> Thanks for all help in advance.
>
> Have nice weekend.
>
> stay tuned,
> Primoz
> Tech support - ULTRASERVIS #1 :)
> ---
> Primoz Jeroncic tel:  +386 1 562 31 40   |The label said:
> Blatnica 8  fax:  +386 1 562 18 55   |  Windows 95 or better
> 1236 Trzin  mailto:[EMAIL PROTECTED] |   So we bought a SGI
> Slovenija   http://www.softnet.si/people/primoz
> ---
>
>
>





(RADIATOR) Reject vs. Ignore when no Handler?

2000-10-31 Thread Dave Kitabjian

Here is a sample log entry:

Mon Oct 30 19:03:42 2000: WARNING: Could not find a handler for krussell@joeharnesscable.com: request is ignored

Since there is no Handler for the Realm "joeharnesscable.com", the request
is ignored. Because the request is ignored, the log shows that it is being
sent over and over. I think it would be more productive if it sent an
explicit Reject instead of ignoring the request.

How do I configure this?

Thanks!

Dave





(RADIATOR) What does "Pty" stands for in "Open System Consultants Pty. Ltd."?

2000-10-25 Thread Dave Kitabjian

Anyone know? It must be one of those British things. To me, "pty" sounds
like some type of virtual terminal ;)

Dave





RE: (RADIATOR) Problem with Cisco NAS

2000-09-14 Thread Dave Kitabjian



Yes, I'd like to reinforce one of Gildas' points:

    'Service-Type = Framed-User', 'Framed-Protocol = PPP'

While our USR/3Com NASes will work fine if these "standard" Reply items are
omitted, our Cisco NAS does not, so we had to state them explicitly.

Dave
:)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gildas PERROT
  Sent: Thursday, September 14, 2000 5:03 AM
  To: Arslan Saeed; [EMAIL PROTECTED]
  Subject: RE: (RADIATOR) Problem with Cisco NAS

  Hi Arslan,

  I succeeded in making the Cisco 5300 work with Radiator. You need the
  following lines on Cisco to make IP address reservation:

  aaa new-model
  aaa authentication ppp wap group radius
  aaa authorization network default group radius
  aaa accounting update newinfo
  aaa accounting network wap start-stop group radius

  interface Group-Async0
   ip unnumbered Ethernet0
   no ip directed-broadcast
   encapsulation ppp
   async dynamic address
   async mode interactive
   ppp authentication chap pap wap
   ppp accounting wap
   group-range 1 60
   hold-queue 10 in

  radius-server host  auth-port 1645 acct-port 1646 key 

  The user profile should return the 'Service-Type = Framed-User',
  'Framed-Protocol = PPP' and 'Framed-IP-Address' attributes.

  Good luck.
  Gildas.
  
    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Arslan Saeed
    Sent: Thursday, September 14, 2000 08:25
    To: [EMAIL PROTECTED]
    Subject: (RADIATOR) Problem with Cisco NAS

    Hi,

    We are facing a problem in our radiator implementation with a Cisco
    AS5300 NAS. It seems that the Cisco NAS is really picky in understanding
    attributes replied by radiator, like IP address reservation,
    session-timeout etc. I have checked the configuration of both NAS and
    radiator and all looks good. Radiator is correctly replying attributes
    but the NAS somehow does not implement them. We were using Tacacs+
    earlier and it worked fine with Cisco. If any of you have implemented
    radiator with Cisco, please suggest some solution.

    kind regards,
    arslan.


RE: (RADIATOR) Check Attribute in LDAP

2000-08-09 Thread Dave Kitabjian

So Stephen,

If I understand you correctly, this "patch" basically implements the
Check Item with NEGATIVE LOGIC, correct? Rather than having Radiator
check for a MATCH, it checks for a MISMATCH to allow authentication?

If so, this is similar to what we're looking for. We want to define 2
types of customer:
A - these can call regular phone #s (only)
B - these can call regular phone #s AS WELL AS an 800#

Is this something that we would screen with a Check attribute or a Reply
attribute? That continues to puzzle me. Ideally, we'd like to configure
it with a single Reply attribute for those in group B, and have some
type of logic in the Radiator .cfg file implement the above logic.

Can your patch handle this? Can any of you comment on the proper way to
implement this? I'm going to be required to put some rules on our 800#
very soon...

Thanks in advance!

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Felicetti, Stephen A.
> Sent: Tuesday, August 08, 2000 4:20 PM
> To: 'Robin Gruyters'; [EMAIL PROTECTED]
> Subject: RE: (RADIATOR) Check Attribute in LDAP
> 
> 
> Robin,
> 
> I'm not sure if I follow exactly what you want to do. But 
> I'll give it a
> shot.
> I have this line in my config file under :
> 
> AuthAttrDef altmail5,NAS-Port-Type,check
> 
> It allows me to compare the LDAP attribute 'altmail5' against 
> the radius
> attribute 'NAS-Port-Type'. If they don't match, it rejects the
> authentication. If altmail5 does not exist for that user, 
> then it isn't
> checked, and authentication goes through.
> 
> With code written by Hugh and Mike, I've also implemented a new LDAP search
> feature that allows me to query the user's LDAP entry for the existence of a
> specific attribute. If the attribute does not exist, it rejects the
> authentication. Is this closer to what you want to do? If so, it'll require
> 2.16.1, plus new code and patches.
> 
> As far as I know (Hugh can confirm this) this new feature is still in
> testing mode, and hasn't been added to the general release. 
> I've been using
> it here for 1 week now without a problem.
> 
> Let me know if I can help!
> 
> Steve
> 
> 
> -Original Message-
> From: Robin Gruyters [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 08, 2000 12:21 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Check Attribute in LDAP
> 
> 
> HI,
> 
> Just one question. Is it possible to check an attribute like:
> 
> if "AccountStatus" exists on the LDAP do Access-Type=Reject
> 
> So no check on the attribute from the NAS, only on the LDAP.
> -- 
> Regards,
> 
>  Robin Gruyters - [EMAIL PROTECTED] - WISH BV - nic-hdl: RG3771-RIPE
>  http://www.wish.net - tel: +31(0)413242500 - fax. +31(0)208762628
>  PGP key ID DEB8C991 - Head Engineering / Web Designer / B.O.F.H.
>  BOFH excuse: Incorrect time syncronization
> 
> 




(RADIATOR) How to log Access-Request packets?

2000-08-02 Thread Dave Kitabjian

As an ISP, Accounting Packets are not enough to assist our Techs with
diagnosing customer login problems, since they only appear on success.
Far more useful would be the ability to see every Access-Request packet
(and possibly also the Access-Accept/Reject replies).

Is there any way to get Radiator to log this information?

I realize the packets appear in the log at Trace=4, but in order to
parse this data and make it available to our techs, it would be much
nicer in a dedicated, "detail-style" file. If it's not available, would
it be much trouble to include an "auth-detail" logging option in
Radiator?

Thanks!

Dave




(RADIATOR) TCP/IP problems -> "no such user" ??

2000-07-26 Thread Dave Kitabjian

We've been having some problems with what may be an overload on
Radiator's ability to process authentication requests. I'm NOT asking
for ideas in this regard (this time); I'm familiar with the suggestions
under High Availability and Performance. 

My question is this:

Is it possible to get a "no such user" reply from Radiator because of
some type of TCP/IP or traffic overload?

Another way of phrasing the question is, what ARE the symptoms of TCP/IP
or traffic overloads?

The reason I ask is this. I was working with a customer this week, and
confirmed from the logs that she was logging in as "jane", and that
Radiator was returning "no such user". (The log showed no extraneous
space or control characters). When I went to test the CDB itself:

$ cdbget http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) SocketQueueLength, kern.ipc.somaxconn, and units

2000-06-15 Thread Dave Kitabjian

> > So are these apples and apples, or are they two unrelated 
> quantities?
> > 
> > Also, what are the units on SocketQueueLength: bytes or requests?
> > 
> 
> Yes, these are the same thing. You need to configure the 
> kernel before you can
> tell Radiator to use the extra queue space. The units are 
> bytes, as the packets
> can be different lengths.
...
> 
> hth
> 
> Hugh

Hey, thanks very much for the feedback!

Dave




(RADIATOR) SocketQueueLength, kern.ipc.somaxconn, and units

2000-06-14 Thread Dave Kitabjian

I might have better luck on a Unix newsgroup, but I'll proceed anyway...

Regarding the SocketQueueLength global, does this pertain to the same
setting as the kern.ipc.somaxconn MIB variable? On my system, I get:

# sysctl kern.ipc.somaxconn
kern.ipc.somaxconn: 128

According to "man listen":

"...The backlog parameter defines the maximum length the queue of pending
connections may grow to.  If a connection request arrives with the queue
full the client may receive an error with an indication of ECONNREFUSED,
or, if the underlying protocol supports retransmission, the request may
be ignored so that retries may succeed.

The sysctl(3) MIB variable ``kern.ipc.somaxconn'' specifies a hard limit
on backlog; if a value greater than kern.ipc.somaxconn or less than zero
is specified, backlog is silently forced to kern.ipc.somaxconn"

So are these apples and apples, or are they two unrelated quantities?

Also, what are the units on SocketQueueLength: bytes or requests?

Thanks for the help, and all comments are welcome!!

Dave
__

See also:
http://www.thesite.com.au/~radiator/21/msg00259.html





RE: [(RADIATOR) Multithreaded radiator.]

2000-06-12 Thread Dave Kitabjian

Robin,

You appear to have just saved the day. Thanks very much!

To offer something that may be helpful back to y'all, check this out:

Rather than maintaining two config files (which I've been avoiding like
the plague), I got the command line syntax to work by using blank quotes
for the unneeded port:

perl /usr/bin/radiusd -auth_port 1812 -acct_port '' \
  -config_file /usr/nc.cfg \
  -pid_file /usr/nc_auth.pid &

perl /usr/bin/radiusd -auth_port '' -acct_port 1813 \
  -config_file /usr/nc.cfg \
  -pid_file /usr/nc_acct.pid &

Dave

> -Original Message-
> From: Robin Gruyters [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 12, 2000 1:16 PM
> To: Dave Kitabjian
> Subject: Re: [(RADIATOR) Multithreaded radiator.]
> 
> 
> On Mon, Jun 12, 2000 at 01:03:41PM -0400, Dave Kitabjian wrote:
> > Thanks, all, for your suggestions.
> > 
> > This looks like it will be exactly what we need. Only problem is, I
> > can't get it to work. The only difference I see is that we are using
> > ports 1812/1813, not 1645/1646. 
> > 
> > I changed my config file to:
> >   AuthPort  1812
> >   AcctPort  
> > 
> > Then I HUPped radiator. According to the logfile, it did, 
> indeed, appear
> > to ignore accounting requests. However, it showed the 
> following in the
> > log file right after the HUP:
> > 
> > Mon Jun 12 12:47:43 2000: WARNING: Unknown service name
> > 
> > Furthermore, when I attempt to start a second instance of 
> Radiator with:
> >   AuthPort  
> >   AcctPort  1813
> > 
> > it fails to start with a message: 
> > 
> > # perl /usr/bin/radiusd -config_file /usr/nc_acct.cfg
> > Could not bind accounting socket: Address already in use at
> > /usr/bin/radiusd line 386.  
> > 
> > Can someone offer further assistance? This IS supposed to 
> work on the
> > same server, correct? Do I need to wait a while for the 
> Accounting port
> > to free up?
> > 
> > Thanks.
> > 
> > Dave
> What I had found out is that you can't HUP it. You have to kill the
> process to get the correct port binds working...
> 
> (kill -9  && /usr/bin/radiusd 
> -config_file /usr/nc_acct.cfg)
> 
> -- 
> Regards,
> 
>  Robin Gruyters - [EMAIL PROTECTED] - WISH BV - nic-hdl: RG3771-RIPE
>  http://www.wish.net - tel: +31(0)413242500 - fax. +31(0)208762628
>  PGP key ID DEB8C991 - Head Engineering / Web Designer / B.O.F.H.
>  BOFH excuse: Failure to adjust for daylight savings time.
> 




RE: [(RADIATOR) Multithreaded radiator.]

2000-06-12 Thread Dave Kitabjian

Thanks, all, for your suggestions.

This looks like it will be exactly what we need. Only problem is, I
can't get it to work. The only difference I see is that we are using
ports 1812/1813, not 1645/1646. 

I changed my config file to:
  AuthPort  1812
  AcctPort  

Then I HUPped radiator. According to the logfile, it did, indeed, appear
to ignore accounting requests. However, it showed the following in the
log file right after the HUP:

Mon Jun 12 12:47:43 2000: WARNING: Unknown service name

Furthermore, when I attempt to start a second instance of Radiator with:
  AuthPort  
  AcctPort  1813

it fails to start with a message: 

# perl /usr/bin/radiusd -config_file /usr/nc_acct.cfg
Could not bind accounting socket: Address already in use at
/usr/bin/radiusd line 386.  

Can someone offer further assistance? This IS supposed to work on the
same server, correct? Do I need to wait a while for the Accounting port
to free up?

Thanks.

Dave

p.s. I need to have this online by this evening since Monday nights are
our heaviest use!

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Hugh Irvine
> Sent: Wednesday, June 07, 2000 6:41 PM
> To: Robin Gruyters; [EMAIL PROTECTED]
> Subject: Re: [[EMAIL PROTECTED]: Re: (RADIATOR) Multithreaded 
> radiator.]
> 
> 
> 
> Hello Robin -
> 
> On Thu, 08 Jun 2000, Robin Gruyters wrote:
> > Does someone have a example for splitting the auth. and the 
> accounting?
> > 
> 
> This has been discussed on the list before, but here is what to do.
> 
> Run two copies of Radiator, one listening on the 
> authentication port and the
> other listening on the accounting port. The configuration 
> files would include
> the following:
> 
> 
> # first copy of Radiator 
> 
> AuthPort  1645
> AcctPort  
> 
> .
> 
> 
> # second copy of Radiator
> 
> AuthPort
> AcctPort  1646
> 
> .
> 
> Note that this support appears in Radiator 2.15 and later.
> 
> regards
> 
> Hugh
> 
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 
> 
> 
> 




RE: (RADIATOR) Accounting

2000-06-08 Thread Dave Kitabjian

Hey Robin,

It needs the dictionary b/c the attributes and "values" come numerically
from Radiator:

#1 = #2

So to be friendly, Radiator looks them up in the dictionary and logs the
"friendly" values in the detail (accounting) file instead of the number:

Framed-Protocol = PPP

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Robin Gruyters
> Sent: Thursday, June 08, 2000 7:45 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Accounting
> 
> 
> Hi,
> 
> Got a question, I got a problem with the accounting to SQL. Not a problem to
> log to the SQL server but with the dictionaries. We use two different companies
> for dial-in, one company uses the Nortel (dictionary) and the other one the USR
> (dictionary.usr).
> 
> First I've set it up for the Nortel, ok works fine! *great* But now I want the
> USR also log to the same machine on the same SQL system. But if I'm trying to
> start it, I get error messages like:
> 
> Thu Jun  8 12:52:12 2000: ERR: Attribute number 39000 (vendor 429) is not defined in your dictionary
> Thu Jun  8 12:52:12 2000: ERR: Attribute number 39001 (vendor 429) is not defined in your dictionary
> Thu Jun  8 12:52:12 2000: ERR: Attribute number 39051 (vendor 429) is not defined in your dictionary
> Thu Jun  8 12:52:12 2000: ERR: Attribute number 38998 (vendor 429) is not defined in your dictionary
> 
> Why does the Accounting need the dictionary?
> 
> -- 
> Regards,
> 
>  Robin Gruyters - [EMAIL PROTECTED] - WISH BV - nic-hdl: RG3771-RIPE
>  http://www.wish.net - tel: +31(0)413242500 - fax. +31(0)208762628
>  PGP key ID DEB8C991 - Head Engineering / Web Designer / B.O.F.H.
>  BOFH excuse: monitor resolution too high
> 


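The lookup described in the reply above, as an added example that is not part of the original thread or of Radiator's own code: a small Perl decoder that walks the attribute section of a request and uses ATTRIBUTE/VALUE dictionary entries to turn numbers into names. The attribute numbers are the standard ones from RFC 2865 and RFC 2866; the byte string, attribute 200 and the helper name decode_attributes are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal dictionary in the usual ATTRIBUTE/VALUE layout.
my $dictionary = <<'END';
ATTRIBUTE  User-Name         1   string
ATTRIBUTE  Framed-Protocol   7   integer
ATTRIBUTE  Acct-Status-Type  40  integer
VALUE      Framed-Protocol   PPP    1
VALUE      Acct-Status-Type  Start  1
VALUE      Acct-Status-Type  Stop   2
END

# Index the dictionary: attribute number -> definition, and
# attribute name -> { integer -> friendly value name }.
my (%attr_by_num, %value_name);
for my $line (split /\n/, $dictionary) {
    my @f = split ' ', $line;
    next unless @f == 4;
    if ($f[0] eq 'ATTRIBUTE') {
        $attr_by_num{ $f[2] } = { name => $f[1], type => $f[3] };
    }
    elsif ($f[0] eq 'VALUE') {
        $value_name{ $f[1] }{ $f[3] } = $f[2];
    }
}

# Constructed attribute section: each attribute is Type (1 byte),
# Length (1 byte, counting the two header bytes), then the value.
my $wire = pack('CCa*', 1, 2 + length('joe'), 'joe')   # User-Name
         . pack('CCN', 40, 6, 1)                       # Acct-Status-Type
         . pack('CCN', 7, 6, 1)                        # Framed-Protocol
         . pack('CCN', 200, 6, 5);                     # not in the dictionary

# Hypothetical helper: decode the buffer into printable lines.
sub decode_attributes {
    my ($buf) = @_;
    my @out;
    my $pos = 0;
    while ($pos < length($buf)) {
        die "truncated attribute header at offset $pos\n"
            if $pos + 2 > length($buf);
        my ($type, $len) = unpack('CC', substr($buf, $pos, 2));
        die "bad attribute length $len at offset $pos\n"
            if $len < 2 || $pos + $len > length($buf);
        my $raw = substr($buf, $pos + 2, $len - 2);
        $pos += $len;

        my $def = $attr_by_num{$type};
        if (!$def) {
            # Without a dictionary entry only the numbers are known.
            push @out, "#$type = 0x" . unpack('H*', $raw) . " (not in dictionary)";
            next;
        }
        my $value = $raw;
        if ($def->{type} eq 'integer') {
            die "$def->{name}: integer value must be 4 bytes\n"
                unless length($raw) == 4;
            my $n = unpack('N', $raw);
            # Use the friendly name when a VALUE line exists, else the number.
            my $names = $value_name{ $def->{name} } || {};
            $value = exists $names->{$n} ? $names->{$n} : $n;
        }
        push @out, "$def->{name} = $value";
    }
    return @out;
}

print "$_\n" for decode_attributes($wire);
```
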


RE: [hugh@open.com.au: Re: (RADIATOR) Multithreaded radiator.]

2000-06-07 Thread Dave Kitabjian

I, too, would like to see an example of splitting accounting and
authentication. 

Do you need two different config files? If so, what is the AcctPort in
the authentication config file, and vice versa? Etc...

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Robin Gruyters
> Sent: Wednesday, June 07, 2000 11:15 AM
> To: [EMAIL PROTECTED]
> Subject: [[EMAIL PROTECTED]: Re: (RADIATOR) Multithreaded radiator.]
> 
> 
> Does someone have an example for splitting the auth. and the accounting?
> 
> - Forwarded message from Hugh Irvine <[EMAIL PROTECTED]> -
> 
> Delivered-To: [EMAIL PROTECTED]
> >Received: from entoo.connect.com.au (entoo.connect.com.au [192.189.54.8]) by perki.connect.com.au with ESMTP id IAA02376
>   (8.8.8/IDA-1.7 for <[EMAIL PROTECTED]>); Fri, 24 Mar 2000 08:48:08 +1100 (EST)
> From: Hugh Irvine <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Organization: Open System Consultants
> To: Paul van der Zwan <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Multithreaded radiator.
> Date: Fri, 24 Mar 2000 08:35:21 +1100
> X-Mailer: KMail [version 1.0.28]
> In-Reply-To: <[EMAIL PROTECTED]>
> Precedence: bulk
> 
> 
> Hello Paul -
> 
> On Fri, 24 Mar 2000, Paul van der Zwan wrote:
> > Is there any chance of a multi-threaded Radiator ?? We are running into
> > performance issues without running out of CPU cycles . Multi-threading
> > might give us some more performance out of the same boxes.
> > 
> 
> It's not so much about Radiator as it is about Perl and the various Perl modules
> that Radiator uses. However, there are some things you can do to improve at
> least perceived performance:
> 
> 1. Configure two copies of Radiator - one listening only on the authentication
> port and only doing authentication, and the other listening only on the
> accounting port and only doing accounting. This makes the authentication much
> more responsive and lets accounting take as much time as it needs.
> 
> 2. Add additional machines to do some preprocessing - if you are doing lots of
> proxy requests, you can add a machine in front of your local machine to handle
> all the proxy requests (and of course proxy your local requests to the local
> machine).
> 
> 3. Add multiple parallel Radiator hosts, configured identically, and put a UDP
> redirector in front of them to spread the load.
> 
> 4. Refer to section 23 in the Radiator 2.15 reference manual for more
> suggestions.
> hth
> 
> Hugh
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 
> 
> 
> 
> - End forwarded message -
> 
> -- 
> Regards,
> 
>  Robin Gruyters - [EMAIL PROTECTED] - WISH BV - nic-hdl: RG3771-RIPE
>  http://www.wish.net - tel: +31(0)413242500 - fax. +31(0)208762628
>  PGP key ID DEB8C991 - Head Engineering / Web Designer / B.O.F.H.
>  BOFH excuse: Virus due to computers having unsafe sex.
> 




RE: (RADIATOR) Logging attributes by integer..

2000-05-22 Thread Dave Kitabjian

I never found an easy solution to this, so I have a translation routine.

However, I never really tried one idea which was suggested, and I'm
still curious whether it would work: I would think that if you remove
the "VALUE" entries from your dictionary corresponding to the data you
want in integer form (rather than string), maybe Radiator will just log
the integer.

I'd like to know if this works! :)

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Hugh Irvine
> Sent: Friday, May 19, 2000 7:40 PM
> To: Mike Nerone; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Logging attributes by integer..
> 
> 
> 
> Hello Mike -
> 
> On Sat, 20 May 2000, Mike Nerone wrote:
> > 
> > When using AcctColumnDef, you can tell Radiator to log a particular
> > attribute by its integer value, which is what I want to do. Unfortunately,
> > I'm not using AcctColumnDef, I'm using my own AcctSQLStatement for more
> > flexibility. Specifically, I'm using the following:
> >   AcctSQLStatement \
> >     insert into accounting set \
> >     mailbox        = '%U', \
> >     domain         = '%R', \
> >     timestamp      = from_unixtime(%{Timestamp}), \
> >     statustype     = '%{Acct-Status-Type}', \
> >     ipaddress      = '%{Framed-IP-Address}', \
> >     inputoctets    = '%{Acct-Input-Octets}', \
> >     outputoctets   = '%{Acct-Output-Octets}', \
> >     sessionid      = '%{Acct-Session-Id}', \
> >     terminatecause = '%{Acct-Terminate-Cause}', \
> >     ascendcause    = '%{Ascend-Disconnect-Cause}', \
> >     nasipaddress   = '%N', \
> >     nasport        = '%{NAS-Port}', \
> >     nasporttype    = '%{NAS-Port-Type}', \
> >     servicetype    = '%{Service-Type}', \
> >     callednumber   = '%{Called-Station-Id}', \
> >     callingnumber  = '%{Calling-Station-Id}'
> > I've omitted the rest of the config...it all works fine. Note that 1)
> > from_unixtime is a mysql function, so don't go looking for it, and 2) this
> > "insert into table SET" syntax is not standard SQL, but mysql supports it,
> > and this syntax works fine.
> > 
> > My question is, how can I make certain attributes (specifically Status-Type,
> > Terminate-Cause, and Ascend-Disconnect-Cause) log as integers instead of
> > strings. Is there a corresponding %-substitution that would give me the
> > integer?
> > 
> > If there is no such %-substitution, then it occurred to me to use a
> > PreClientHook to add a pseudo-attribute containing the integer, and then log
> > that in the SQL statement (or with AcctColumnDef, for that matter), so that
> > no translation is done, with something like:
> >   $request->changeattr('Acct-Terminate-Cause-Int', \
> >     $request->getAttrByNum($Radius::Radius::ACCT_TERMINATE_CAUSE));
> > I believe this would work fine for the well-known attributes, but one of the
> > attributes I want to do this with is vendor-specific
> > (Ascend-Disconnect-Cause), and being the neophyte perl programmer I am, I
> > don't see a way to get to the integer information. Come to think of it, I
> > would PREFER this solution, because I'm then free to massage the data a bit
> > more and store either Acct-Terminate-Cause or Ascend-Disconnect-Cause in a
> > single field in the database, since each NAS only sends one or the other. To
> > tell them apart, I'd add 1000 to the value if it's an
> > Ascend-Disconnect-Cause.
> > 
> > So my question becomes: Within a hook, how do I get the integer value of a
> > vendor-specific-attribute instead of its string value from the dictionary?
> > 
> 
> Have a look at this and let me know how you get on:
> 
>   "goodies/extendedMacros.patch"
> 
> This is in the "goodies" directory in the distribution.
> 
> There was also a discussion about this same topic on the list about six months
> ago from memory - check the archive site and do a search:
> 
>   http://www.starport.net/~radiator
> 
> On the topic of hooks, there is some example code here:
> 
>   http://www.open.com.au/radiator/downloads/patches-2.15/hooks.txt
> 
> hth
> 
> Hugh
> 
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 
> 
> 


(RADIATOR) LDAP: new "AuthAttrDef" attribute?

2000-05-02 Thread Dave Kitabjian

Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888

and the new AuthAttrDef attribute for LDAP...

This looks like a nice feature. However, to make AuthAttrDef entries as:

AuthAttrDef ldapattributename, radiusattributename, type

you would need to anticipate and list in your .cfg file every Reply item
(and Check item) that any of your users might need, right? That doesn't
seem to make sense. (Am I missing something?)

On the other hand, with CheckAttr and ReplyAttr you don't have to worry
about that; just list whatever you want in your LDAP db, and Radiator
will pick them up. But CheckAttr/ReplyAttr are being deprecated. So...

Can I accomplish the equivalent functionality by doing:

AuthAttrDef GENERIC, ???, check
AuthAttrDef GENERIC, ???, reply

What do I put for ??? Perhaps you could list an example using GENERIC in
the docs?

Thanks very much!

Dave




RE: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?

2000-05-01 Thread Dave Kitabjian

Excellent. Thanks for the feedback!

Now for a follow-up question, if I may. We want to merge the LDAP
database for our Mail System with this LDAP db for Radiator, so that
they exist in the same database. 

* Are the Radiator LDAP entries able to coexist inside an LDAP database
along with other entries of a completely different type (such as mail
entries)? *

If so, how would such a schema look?

Thanks again, in advance!

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joost Stegeman
> Sent: Monday, May 01, 2000 11:06 AM
> To: Dave Kitabjian
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?
> 
> 
> Dave,
> 
> It works perfectly with OpenLDAP. OpenLDAP is based on the U of M code.
> 
> - Joost.
> 
> Dave Kitabjian wrote:
> > 
> > Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888
> > 
> > The docs say:
> > 
> > "AuthBy LDAP2 works with the newer Net::LDAP module version in
> > perl-ldap-0.09 or better (Available from CPAN). It is implemented in
> > AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan
> > LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted
> > connections to the LDAP server."
> > 
> > There is no mention of OpenLDAP, which is what we plan to use. However,
> > there is a mention of it on:
> > 
> > http://www.open.com.au/radiator/details.html
> > 
> > So I assume that's just an omission? Does anyone have it running with
> > OpenLDAP?
> > 
> > Thanks for your input!
> > 
> > Dave
> > 
> 
> -- 
> 
>Joost Stegeman
>Service Developer Integration Services
>KPN 
>OVN BBT/IP Integration Services
>tel.  070 - 371 37 83
>fax.  070 - 371 26 38
>E-mail: [EMAIL PROTECTED]
> 
> 




(RADIATOR) AuthBy LDAP2: support for OpenLDAP?

2000-05-01 Thread Dave Kitabjian

Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888

The docs say: 

"AuthBy LDAP2 works with the newer Net::LDAP module version in
perl-ldap-0.09 or better (Available from CPAN). It is implemented in
AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan
LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted
connections to the LDAP server."

There is no mention of OpenLDAP, which is what we plan to use. However,
there is a mention of it on:

http://www.open.com.au/radiator/details.html

So I assume that's just an omission? Does anyone have it running with
OpenLDAP?

Thanks for your input!

Dave




(RADIATOR) AuthByLDAP: sample LDIF file?

2000-04-28 Thread Dave Kitabjian

I've seen the sample file, goodies/ldap.cfg. However, I'd be very
grateful to anyone who could post for me examples of their:

- ldap.cfg file being used in production

- LDIF of a section of your LDAP db

I want to see *real examples* of what kind of schema people are using in
real applications (I'm new to LDAP in general, but I've read much of the
stuff on the web, books, lists, etc). No secrets/passwords, please. 

As a bonus, it would be extra nice if you could share what tools you use
or have written (I already know about the APIs) to automate
additions/deletions/modifications to the LDAP db.

Thanks very much in advance!

Dave




RE: (RADIATOR) Accounting for Realms?

2000-04-26 Thread Dave Kitabjian

Thanks for the note.

My servers (one in C, the other VB) which parse and upload the detail
records are expecting a standard Livingston-style accounting record, one
attribute per line. They get mapped one-to-one with SQL Columns, and
then get inserted.

Attaching special treatment for the attribute named "Username" would be
a hack, and would spoil the elegance and flexibility of this approach :(

Since Radiator is so flexible, I was hoping that something this
straightforward and common would be doable from within Radiator. If not,
then I may end up putting in the hack. 

Dave

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 25, 2000 6:22 PM
To: Dave Kitabjian; ''
Subject: RE: (RADIATOR) Accounting for Realms?


On Tue, 25 Apr 2000, Dave Kitabjian wrote:
> Thanks for the tip.
> 
> From a Radiator point of view, we are simply logging to a standard
> "detail" file. (However, from our *system's* point of view, we parse
> that file and upload it into a Sql database. Don't worry about this;
> I'll handle those details.)
> 
> So I just need the detail file to appear correct. Yes, I would rather
> log "UserName and Realm". What I'm asking is *how*? Username doesn't
> appear to strip off the Realm for accounting, even after a Rewrite; and
> the Realm doesn't appear anywhere else in the accounting record. How can
> I split them apart from within Radiator ?
> 

Why not just split into UserName and Realm when you parse the file?

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.






RE: (RADIATOR) Accounting for Realms?

2000-04-25 Thread Dave Kitabjian

Thanks for the tip.

From a Radiator point of view, we are simply logging to a standard
"detail" file. (However, from our *system's* point of view, we parse
that file and upload it into a Sql database. Don't worry about this;
I'll handle those details.)

So I just need the detail file to appear correct. Yes, I would rather
log "UserName and Realm". What I'm asking is *how*? Username doesn't
appear to strip off the Realm for accounting, even after a Rewrite; and
the Realm doesn't appear anywhere else in the accounting record. How can
I split them apart from within Radiator ?

Also, I'm still curious how the rest of you handle logging realms?

Thanks!

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Hugh Irvine
Sent: Monday, April 24, 2000 8:12 PM
To: Dave Kitabjian; '[EMAIL PROTECTED]'
Subject: Re: (RADIATOR) Accounting for Realms?



Hello Dave -

On Tue, 25 Apr 2000, Dave Kitabjian wrote:
> What is the proper or best way to handle Accounting for Realms?
> 
> It appears that, by default, regardless of whether the Username is
> rewritten, the Realm is just tagged onto the Username for Accounting:
> 
>   [EMAIL PROTECTED]
> 
> and that's what gets exported to the Accounting record (and inserted
> into our database) as Username. This raises a few questions for me:
> 
> 1) Since I'm performing RewriteUserName in the GLOBAL section, shouldn't
> this affect what is saved as the Accounting record's Username attribute,
> so that only "joe" gets logged, rather than "[EMAIL PROTECTED]"?
> 
> 2) How does the "rest of the world" log realm info? I could have sworn
> that at one point earlier in my development, that I saw this info broken
> down into "User-Id" and "User-Realm". It seems more logical to me to
> store this info into two db columns:
> 
>   UserName   Realm
>   -- 
> 
> but that's not practical unless the Accounting record breaks it up
> accordingly. If I strip off the Realm with:
> 
>   # Strip off the realm:
>   RewriteUsername s/^([^@]+).*/$1/
> 
> can I add it to the Accounting attribute list somehow?
> 

If you are using an SQL database, you can write whatever AcctSQLStatements are
appropriate for your installation. If you would rather log UserName and Realm
as you show above, that's fine.

hth

Hugh




(RADIATOR) Accounting for Realms?

2000-04-24 Thread Dave Kitabjian

What is the proper or best way to handle Accounting for Realms?

It appears that, by default, regardless of whether the Username is
rewritten, the Realm is just tagged onto the Username for Accounting:

[EMAIL PROTECTED]

and that's what gets exported to the Accounting record (and inserted
into our database) as Username. This raises a few questions for me:

1) Since I'm performing RewriteUserName in the GLOBAL section, shouldn't
this affect what is saved as the Accounting record's Username attribute,
so that only "joe" gets logged, rather than "[EMAIL PROTECTED]"?

2) How does the "rest of the world" log realm info? I could have sworn
that at one point earlier in my development, that I saw this info broken
down into "User-Id" and "User-Realm". It seems more logical to me to
store this info into two db columns:

UserName   Realm
  -- 

but that's not practical unless the Accounting record breaks it up
accordingly. If I strip off the Realm with:

# Strip off the realm:
RewriteUsername s/^([^@]+).*/$1/

can I add it to the Accounting attribute list somehow?

What do the rest of you do? Do you just jam the whole "[EMAIL PROTECTED]"
into the Username field?

Thanks!

Dave




(RADIATOR) Coordinating multiple radiator instances

2000-04-07 Thread Dave Kitabjian

We will be bringing a couple more Radiators online to work in parallel
to our main one. I could use some guidance here:

1) logfile - Since they all write atomically, could they all share the
same logfile if it resides on a common NFS volume? Is there a non-NFS
way to do this?

2) SessionDatabase - To have them all share the same SessionDatabase
(which is the only useful scenario, right?), the DB would also have to
sit on something in common like NFS? Other options?


I believe my boss will not want the NFS option because it will create a
single point-of-failure, defeating much of our purpose behind having
multiple servers. Any comments?

Dave




(RADIATOR) stripping spaces off username

2000-03-16 Thread Dave Kitabjian

We have a surprising number of "No such user" failures which appear to be 
caused by leading or trailing spaces around the username. In Unix, I would 
fix this as:

echo "  dave   " | sed -e 's/^ *//' -e 's/ *$//'

Since I don't know perl, I'm not sure how to test this without going live, 
so I was wondering if someone could confirm the proper perl/radiator 
syntax. My guess is:

RewriteUsername  s/^ *//
RewriteUsername  s/ *$//

Is this correct? Thanks all! (Btw, how *would* I test this with perl?)

Dave


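One way to try the expressions from the message above offline, as an added example that is not part of the original post or of Radiator itself: a Perl script that applies each rewrite, in the order listed, to constructed usernames. It assumes each RewriteUsername value is a Perl substitution applied to the username; the realm-stripping expression is the one quoted in the "Accounting for Realms?" message, and the sample names and the helpers rewrite_username and visible are hypothetical.

```perl
#!/usr/bin/perl
# Offline check of RewriteUsername-style expressions (added example).
use strict;
use warnings;

# The text that would follow the RewriteUsername keyword, in config order.
my @rewrites = (
    's/^ *//',             # strip leading spaces
    's/ *$//',             # strip trailing spaces
    's/^([^@]+).*/$1/',    # strip the realm
);

# Constructed sample usernames, including one with a leading tab.
my @samples = ('  dave   ', 'dave', ' joe@example.com ', "\tdave ");

# Hypothetical helper: apply every expression to a copy of the name.
# The expressions are compiled as Perl code, so only feed this rules
# taken from your own configuration file.
sub rewrite_username {
    my ($name, @exprs) = @_;
    for my $expr (@exprs) {
        # String eval compiles the expression exactly as written; the
        # trailing "1" keeps a non-matching substitution from looking
        # like a compile failure.
        eval "\$name =~ $expr; 1" or die "bad rewrite '$expr': $@";
    }
    return $name;
}

# Make leading/trailing whitespace visible in the report.
sub visible {
    my ($s) = @_;
    (my $v = $s) =~ s/\t/\\t/g;
    return "[$v]";
}

for my $in (@samples) {
    printf "%-22s -> %s\n", visible($in),
        visible(rewrite_username($in, @rewrites));
}
```

The tab-prefixed sample comes through with its tab intact, because ` *` matches only the space character.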


RE: (RADIATOR) Restricting 800# usage?

2000-03-10 Thread Dave Kitabjian

On Friday, March 10, 2000 2:06 AM, Hugh Irvine [SMTP:[EMAIL PROTECTED]] wrote:
>
> Hello Dave -
>
> On Fri, 10 Mar 2000, Dave Kitabjian wrote:
> > This is partly a Radiator question and partly a generic Radius question.
> >
> > It's rather simple, we want to make our 800# available only to certain
> > customers. My guess is that this would be controlled by some type of radius
> > Reply Attribute. So the first question is, what attribute do I use?
> >
> > Then, when calls come into that 800#, I guess I would intercept them with
> > something like:
> >
> > 
> >
> > 
> >
> > So the next question is, how do I Reject their Access-Request at this
> > point?
>
> I think you will want to check the Called-Station-Id when you do your database
> lookup, and if it is not available to the user, simply reject them at that
> point.

Thanks for the reply. Yes, this is what I want to do, but what I'm asking 
is, *how* do I do it? Does it involve giving certain customers a Reply 
Attribute of Called-Station-Id = "800YOUWISH" (is that allowed?)? And if 
so, how do I block everyone else from using this 800 number?

I'm a bit new to Radius as well as Radiator, so pardon me if there is 
something basic here that I'm missing.

Dave




(RADIATOR) Restricting 800# usage?

2000-03-09 Thread Dave Kitabjian

This is partly a Radiator question and partly a generic Radius question.

It's rather simple, we want to make our 800# available only to certain 
customers. My guess is that this would be controlled by some type of radius 
Reply Attribute. So the first question is, what attribute do I use?

Then, when calls come into that 800#, I guess I would intercept them with 
something like:





So the next question is, how do I Reject their Access-Request at this 
point?

One thing to note: I don't want to use a separate AuthBy for the 800# 
users; they will all exist in the same database with all our other users.

Thanks in advance for the help!

Dave




RE: (RADIATOR) How to make username case-INsensitive? - DECISION

2000-03-09 Thread Dave Kitabjian

> > We're using CDB (for maximum speed and huge username count). That's why
> > SQL tricks are not an option :(
> >
>
> So when you build the CDB file, why not lowercase (or UPPERCASE) the usernames
> then? And how many is "huge username count"? We have some customers up around
> the million mark running off SQL.

You know, that is probably the best solution. I'll lowercase it when I add 
the entry to the CDB, and then just do the RewriteUsername tr/A-Z/a-z/ 
thing. That's the cleanest, simplest solution.

As far as "huge", we're trying to design the system for future, anticipated 
capacity of around 1M. I'm glad some folks can do that capacity with SQL; 
that just means our CDB is going to be that much faster! :)

Thanks Hugh, and everyone else, for the tips!

Dave




RE: (RADIATOR) How to make username case-INsensitive?

2000-03-08 Thread Dave Kitabjian

> On Thu, 09 Mar 2000, Dave Kitabjian wrote:
> > Thank you both for your replies.
> > 
> > RewriteUsername would work fine except for one major problem: I don't know 
> > the case of the username as stored in the database. Names are entered 
> > automatically by customer request software (ie, the CD our ISP ships out).
> > 
> > Regarding that it would be "impossible", I'm not convinced of that yet. I'm 
> > not sure how the various AuthBy algorithms work, but in SQL, for example, 
> > you'd simply do:
> > 
> > SELECT username
> > FROM Accounts
> > WHERE LOWER(username) = LOWER(User-Name)
> > 
> > In other words, compare the lower (or upper) case variety of each for 
> > matches. That is the functionality that I'm seeking. Otherwise, I'm going 
> > to have to clean all our existing data, and then implement some code to 
> > intercept all db entries and convert them to lower case. I was hoping to 
> > avoid that mess.
> > 
> 
> What are you using for a database currently? If it is SQL, then why can't you
> just do what you describe above with an AuthSelect? Alternatively, use a stored
> procedure on the backend.

We're using CDB (for maximum speed and huge username count). That's why SQL tricks are 
not an option :(

Dave




RE: (RADIATOR) How to make username case-INsensitive?

2000-03-08 Thread Dave Kitabjian

Thank you both for your replies.

RewriteUsername would work fine except for one major problem: I don't know 
the case of the username as stored in the database. Names are entered 
automatically by customer request software (ie, the CD our ISP ships out).

Regarding that it would be "impossible", I'm not convinced of that yet. I'm 
not sure how the various AuthBy algorithms work, but in SQL, for example, 
you'd simply do:

SELECT username
FROM Accounts
WHERE LOWER(username) = LOWER(User-Name)

In other words, compare the lower (or upper) case variety of each for 
matches. That is the functionality that I'm seeking. Otherwise, I'm going 
to have to clean all our existing data, and then implement some code to 
intercept all db entries and convert them to lower case. I was hoping to 
avoid that mess.

Dave

On Wednesday, March 08, 2000 3:30 PM, Mike Nerone [SMTP:[EMAIL PROTECTED]] wrote:
> All you need is to add a line to your config file, such as:
>
> RewriteUsername tr/A-Z/a-z/
>
> This example is given in the Radiator docs. As far as the IgnorePasswordCase
> thing, that would be really tough (read "impossible") to do in a consistent
> way, because, for example, when authorizing by the Unix passwd file, you
> don't know how the case of the stored, encrypted password. You'd have to
> literally try every possible upper/lowercase combination exhaustively before
> giving up. Besides, as a security-conscious admin, I would say that
> passwords SHOULD be case-sensitive.
>
> Mike Nerone <mailto:[EMAIL PROTECTED]>
> Network Operations Manager
> Internet Direct, Inc. <http://www.idworld.net/>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> > Behalf Of Dave Kitabjian
> > Sent: Wednesday, March 08, 2000 12:22 PM
> > To: [EMAIL PROTECTED]
> > Subject: (RADIATOR) How to make username case-INsensitive?
> >
> >
> > I thought this would be a FAQ, but I can't seem to find it addressed
> > anywhere.
> >
> > The subject says it all. I'm using AuthBy=CDB, and I want to simply allow
> > case-errors in the username (not the password) to be permitted. We are
> > about to switch it live, and since our current radius, RadiusNT, is
> > case-insensitive for the username, I'm afraid I will anger lots of
> > customers when I switch over to Radiator.
> >
> > I assumed there would be a common AuthBy setting such as
> > IgnoreUsernameCase
> > and IgnorePasswordCase, but I didn't see any.
> >
> > Thanks in advance for the help!
> >
> > Dave
> >
> 




(RADIATOR) How to make username case-INsensitive?

2000-03-08 Thread Dave Kitabjian

I thought this would be a FAQ, but I can't seem to find it addressed 
anywhere.

The subject says it all. I'm using AuthBy=CDB, and I want to simply allow 
case-errors in the username (not the password) to be permitted. We are 
about to switch it live, and since our current radius, RadiusNT, is 
case-insensitive for the username, I'm afraid I will anger lots of 
customers when I switch over to Radiator.

I assumed there would be a common AuthBy setting such as IgnoreUsernameCase 
and IgnorePasswordCase, but I didn't see any.

Thanks in advance for the help!

Dave




(RADIATOR) RE:

2000-02-25 Thread Dave Kitabjian

I'm not a Radiator whiz, but look at:

http://www.open.com.au/radiator/ref.html#pgfId=363701

section 6.4.5 NasType. 

If you group your  clauses somehow by NasType, you might be able to handle the 
two groups in this fashion.

Dave

On Friday, February 25, 2000 2:50 PM, Jeff Baldwin [SMTP:[EMAIL PROTECTED]] wrote:
> Is it possible to have different dictionary files used for different clients
> and have attributes assigned by the client instead of by the realm?
> I am using multiple backbone providers that I would like to clear radius for
> on one machine with flat user files.  One backbone is using Ascend and the
> others are not so I need the Ascend dictionary for them and the default for
> the others?
> Jeff Baldwin
> 
> 
> ===
> Archive at http://www.thesite.com.au/~radiator/
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.



