Re: [RADIATOR] Tacacs password issue
Hi,

How are your passwords stored? DES/traditional crypt hashes chop off anything longer than 8 chars.

Original message
From: Murat Bilal
Date:
To: radiator@open.com.au
Subject: [RADIATOR] Tacacs password issue

Hi ALL,

We have a strange password issue on radiator tacacs. We set up password length to 8. When a user enters a 7-character password, access is rejected; that is OK. But when a user enters more than 8 characters (like 9, 10 etc.), he can log in to the related device. What can be the problem?

Thanks
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
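What the reply describes, as an added example (not from the thread and not Radiator code): traditional DES crypt keys only the low 7 bits of the first 8 password characters, so a stored 8-character password also verifies for any longer input that starts with it. The script classifies stored hash strings and lists the accounts affected; the `user:hash` input format, the function names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) hash strings

# (scheme, pattern, leading password bytes that influence the hash; None = no short cut-off)
SCHEMES = [
    ("des-crypt",    re.compile(B64 + r"{13}"), 8),
    ("md5-crypt",    re.compile(r"\$1\$" + B64 + r"{1,8}\$" + B64 + r"{22}"), None),
    ("sha256-crypt", re.compile(r"\$5\$(rounds=\d+\$)?" + B64 + r"{1,16}\$" + B64 + r"{43}"), None),
    ("sha512-crypt", re.compile(r"\$6\$(rounds=\d+\$)?" + B64 + r"{1,16}\$" + B64 + r"{86}"), None),
    ("ldap-sha1",    re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), None),
]


def classify(stored):
    """Return (scheme, significant_bytes) for one stored password value.

    Heuristic: a 13-character cleartext value would also look like des-crypt.
    """
    value = stored.strip()
    if value.lower().startswith("{crypt}"):   # LDAP wrapper around a crypt(3) string
        value = value[len("{crypt}"):]
    for name, pattern, limit in SCHEMES:
        if pattern.fullmatch(value):
            return name, limit
    return "unknown", None


def des_key_material(password):
    """Bytes that reach the DES key schedule: first 8 bytes, low 7 bits of each."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])


def audit(lines):
    """Return [(user, scheme)] for entries whose scheme ignores input past 8 bytes."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        scheme, limit = classify(stored)
        if limit is not None and limit <= 8:
            findings.append((user, scheme))
    return findings


# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = [
    "alice:abCONSTRUCTED",
    "bob:$6$constructedsalt$" + "A" * 86,
    "carol:{crypt}xyCONSTRUCTED",
    "dave:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme} ignores everything after the 8th character")
    # An 8-character password and a longer one sharing its first 8 characters
    print(des_key_material("Passw0rd") == des_key_material("Passw0rd-extra"))
```

Accounts the audit reports need their passwords re-hashed with a scheme that has no short cut-off before a minimum-length policy means anything for them.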
[RADIATOR] Memory leak with Radiator?
Hi,

We're running RADIATOR with Farms and have noticed that the RADIATOR processes eat up huge chunks of memory. Has anybody else experienced this?

last pid: 27248; load avg: 3.88, 3.97, 3.98; up 196+02:04:57 15:09:23
51 processes: 45 sleeping, 1 zombie, 5 on cpu
CPU states: 73.9% idle, 24.1% user, 2.0% kernel, 0.0% iowait, 0.0% swap
Memory: 8184M phys mem, 128M free mem, 10G swap, 4851M free swap

  PID USERNAME LWP PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
16445 root       1  10    0 2410M 1393M sleep 308.1H 84.69% radiusd
16447 root       1  10    0 2410M 1281M cpu   307.4H 81.52% radiusd
16443 root       1  10    0 2414M 1312M cpu   308.4H 80.92% radiusd
16446 root       1  10    0 2398M 1236M cpu   306.9H 79.59% radiusd
16444 root       1  10    0 2394M 1305M cpu   306.7H 75.31% radiusd

The RADIUS services do not crash or anything, but it's just that our low memory alert keeps on appearing every week or so. Restarting the RADIATOR daemon gets memory released again.

root@radauth01 # pmap 16444
Re: [RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment
Hi Heikki,

The patch works and I can successfully assign the v6 addresses correctly now. However, it'll not work if I try to return a simplified IP address, eg: 10:1:1:1.

Thu Sep 22 15:20:01 2011: DEBUG: Packet dump:
*** Received from 10.55.254.100 port 51207
Code: Access-Request
Identifier: 76
Authentic: <127>v<195>J}<2<29><143><8><163>Yv<16>=<143>
Attributes:
    User-Name = "dual_stack03@v6"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Identifier = "203.63.154.1"
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = <252><166><201>od<23><190>,<224><29><235><222><217><199><165><236>

Thu Sep 22 15:20:01 2011: DEBUG: Handling request with Handler 'Realm = /v6/i', Identifier ''
Thu Sep 22 15:20:01 2011: DEBUG: LimitLabConnection Deleting session for dual_stack03@v6, 203.63.154.1, 1234
Thu Sep 22 15:20:01 2011: DEBUG: Handling with Radius::AuthFILE:
Thu Sep 22 15:20:01 2011: DEBUG: Reading users file /usr/local/etc/radius/users.conf
Thu Sep 22 15:20:01 2011: DEBUG: Radius::AuthFILE looks for match with dual_stack03@v6 [dual_stack03@v6]
Thu Sep 22 15:20:01 2011: DEBUG: Radius::AuthFILE ACCEPT: : dual_stack03@v6 [dual_stack03@v6]
Thu Sep 22 15:20:01 2011: DEBUG: AuthBy FILE result: ACCEPT,
Thu Sep 22 15:20:01 2011: DEBUG: Access accepted for dual_stack03@v6
*Thu Sep 22 15:20:01 2011: WARNING: Failed to parse ifid: 10:1:1:1*
Thu Sep 22 15:20:01 2011: DEBUG: Packet dump:
*** Sending to 10.55.254.100 port 51207
Code: Access-Accept
Identifier: 76
Authentic: <<5><250><197><157><201>r<150><130>Pp<158><234><193>4Y
Attributes:
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Framed-Interface-Id = 10:1:1:1

On 09/21/2011 08:37 PM, Elias wrote:

That's excellent news! Will test it out and tell you how it works.

On 09/21/2011 04:41 PM, Heikki Vatiainen wrote:

On 08/25/2011 01:00 PM, Eddie Stassen wrote:

Hello Eddie and Elias,

What I'm looking for is ideas or more information what the itf ids may look like. This would be needed to correctly pack the attribute when it is sent to the wire.

The only ones I have seen use the un-abbreviated form i.e. %x:%x:%x:%x, but then my IPv6 experience is very limited.

The latest patch set for Radiator 4.8 now supports IPv6 interface id:

2011-09-19 dictionary Radius.pm
Changed the type of Framed-Interface-Id in dictionary to be ifid.
You can now specify Framed-Interface-Id as strings in the format ':::', which is compatible with FreeRadius.

If you can test this, please let us know how it works.

Thanks!
Re: [RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment
That's excellent news! Will test it out and tell you how it works.

On 09/21/2011 04:41 PM, Heikki Vatiainen wrote:
> On 08/25/2011 01:00 PM, Eddie Stassen wrote:
>
> Hello Eddie and Elias,
>
>>> What I'm looking for is ideas or more information what the itf ids may
>>> look like. This would be needed to correctly pack the attribute when it
>>> is sent to the wire.
>>>
>> The only ones I have seen use the un-abbreviated form i.e.
>> %x:%x:%x:%x, but then my IPv6 experience is very limited.
> The latest patch set for Radiator 4.8 now supports IPv6 interface id:
>
> 2011-09-19 dictionary Radius.pm
> Changed the type of Framed-Interface-Id in dictionary to be ifid.
> You can now specify Framed-Interface-Id as strings in the format
> ':::', which is compatible with FreeRadius.
>
> If you can test this, please let us know how it works.
>
> Thanks!
>
Re: [RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment
Thanks Martin.

Our NAS is always assigning this value as 3130:3a31:3a31:3a31 (using the Hex representation as you pointed out) instead of 10:1:1:1. Will check with our NAS vendor then.

Thanks!

On 08/21/2011 11:45 PM, Martin Burton wrote:

On 21/08/2011 15:21, Elias wrote:

AVP: l=10 t=Framed-Interface-Id(96): 31303a313a313a31

That's just the raw hex representation of the ASCII string

31 = 1
30 = 0
3a = :

so, 10:1:1:1 as expected.
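The mismatch in this thread, worked through as an added example (not part of the original posts and not Radiator code): with the dictionary entry typed `string`, the eight ASCII characters of `10:1:1:1` are sent as the attribute value, and a receiver expecting the 8-octet binary interface id reads them as 3130:3a31:3a31:3a31. The function names are hypothetical, and the accepted text form (four groups of 1 to 4 hex digits) is an assumption.

```python
import re
import struct

FRAMED_INTERFACE_ID = 96   # attribute type shown in the capture; RFC 3162 gives it an 8-octet value
_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")
_ASCII_IFID = re.compile(rb"[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}")


def pack_ifid(text):
    """Pack four ':'-separated hex groups into the 8-octet binary interface id."""
    groups = text.split(":")
    if len(groups) != 4 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError("expected four hex groups of 1-4 digits: %r" % text)
    return struct.pack("!4H", *(int(g, 16) for g in groups))


def unpack_ifid(value):
    """Render an 8-octet interface id as four hex groups."""
    if len(value) != 8:
        raise ValueError("interface id must be 8 octets, got %d" % len(value))
    return ":".join("%x" % word for word in struct.unpack("!4H", value))


def avp(attr_type, value):
    """RADIUS attribute: type octet, length octet (header included), value."""
    if len(value) > 253:
        raise ValueError("value too long for one attribute")
    return bytes([attr_type, len(value) + 2]) + value


def encode_as_string(text):
    """Wire form when the dictionary types the attribute as 'string'."""
    return avp(FRAMED_INTERFACE_ID, text.encode("ascii"))


def encode_as_ifid(text):
    """Wire form when the attribute is packed as a binary interface id."""
    return avp(FRAMED_INTERFACE_ID, pack_ifid(text))


def receiver_view(attribute):
    """Decode one attribute the way a receiver expecting a binary ifid does."""
    if len(attribute) < 2:
        raise ValueError("attribute shorter than its header")
    attr_type, length = attribute[0], attribute[1]
    if attr_type != FRAMED_INTERFACE_ID or length != len(attribute):
        raise ValueError("not a well-formed Framed-Interface-Id attribute")
    return unpack_ifid(attribute[2:])


def diagnose(value):
    """Classify a captured attribute value.

    Heuristic: a genuine 8-octet id could, in principle, consist of bytes
    that also read as ASCII hex groups.
    """
    if len(value) != 8:
        return ("malformed", value.hex())
    if _ASCII_IFID.fullmatch(value):
        return ("ascii-string", value.decode("ascii"))
    return ("binary-ifid", unpack_ifid(value))


if __name__ == "__main__":
    for encode in (encode_as_string, encode_as_ifid):
        wire = encode("10:1:1:1")
        print(encode.__name__, wire.hex(), "->", receiver_view(wire))
    # Value taken from the capture quoted in this thread
    print(diagnose(bytes.fromhex("31303a313a313a31")))
```

`10:1:1:1` is exactly eight characters long, so the string form has the same attribute length (l=10) as a correct binary value and passes a length check; a text form of any other length produces an attribute that `receiver_view` rejects.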
[RADIATOR] [IPv6] Issues with Framed-Interface-Id assignment
Hi,

We're trying to use the attribute Framed-Interface-Id but the allocation always fails. The output from RADIATOR shows the correct Id being assigned, but a packet trace shows otherwise. How can we properly assign this attribute?

[root@radtest radiator]# ./radpwtst -user dual_stack06@v6test -password ds06 -s 10.56.254.100 -noacct -trace
Sun Aug 21 11:46:04 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Sun Aug 21 11:46:04 2011: DEBUG: Packet dump:
..
Sun Aug 21 11:46:04 2011: DEBUG: Packet dump:
*** Received from 10.56.254.100 port 1645
Code: Access-Accept
Identifier: 154
Authentic: w<131><210><189>7<255><217>\<158><148>Y<173><246><28><177><142>
Attributes:
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Unisphere-Virtual-Router = "HOME"
    *Framed-Interface-Id = "10:1:1:1"*
    Framed-IPv6-Prefix = 1000::/64

### Packet capture ###

Frame 3: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 10.56.254.100 (10.56.254.100), Dst: 10.56.254.100 (10.56.254.100)
User Datagram Protocol, Src Port: 45988 (45988), Dst Port: sightline (1645)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x85 (133)
    Length: 119
    Authenticator: 7d76375e8e182997f9c7c5ae3ba7ce83
    [The response to this request is in frame 4]
    Attribute Value Pairs
        AVP: l=21 t=User-Name(1): dual_stack06@v6test
        AVP: l=6 t=Service-Type(6): Framed(2)
        AVP: l=6 t=NAS-IP-Address(4): 203.63.154.1
        AVP: l=14 t=NAS-Identifier(32): 203.63.154.1
        AVP: l=6 t=NAS-Port(5): 1234
        AVP: l=11 t=Called-Station-Id(30): 123456789
        AVP: l=11 t=Calling-Station-Id(31): 987654321
        AVP: l=6 t=NAS-Port-Type(61): Async(0)
        AVP: l=18 t=User-Password(2): Encrypted

No.  Time      Source         Destination    Protocol  Info
4    6.139346  10.56.254.100  10.56.254.100  RADIUS    Access-Accept(2) (id=133, l=74)

Frame 4: 116 bytes on wire (928 bits), 116 bytes captured (928 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 10.56.254.100 (10.56.254.100), Dst: 10.56.254.100 (10.56.254.100)
User Datagram Protocol, Src Port: sightline (1645), Dst Port: 45988 (45988)
Radius Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x85 (133)
    Length: 74
    Authenticator: 1435dfa93534eecd1cf14b7ada051737
    [This is a response to a request in frame 3]
    [Time from request: 0.008358000 seconds]
    Attribute Value Pairs
        AVP: l=6 t=Framed-IP-Address(8): Assigned
        AVP: l=6 t=Framed-IP-Netmask(9): 255.255.255.255
        AVP: l=12 t=Vendor-Specific(26) v=ERX(4874)
        *AVP: l=10 t=Framed-Interface-Id(96): 31303a313a313a31*
        AVP: l=20 t=Framed-IPv6-Prefix(97): 1000::/64

### Setup information ###

[root@radtest radiator]# radiusd -v
This is Radiator 4.8 on radtest
[root@radtest radiator]# grep Framed-Interface-Id dictionary
ATTRIBUTE Framed-Interface-Id 96 string

### User profile ###

dual_stack06@v6test User-Password= "ds06"
    Framed-IP-Address = 255.255.255.254,
    Framed-IP-Netmask = 255.255.255.255,
    Unisphere-Virtual-Router = HOME,
    Framed-Interface-Id = 10:1:1:1,
    Framed-IPv6-Prefix = 1000::/64,
Re: (RADIATOR) Interoperation with both GRIC and iPass
Hi,

We set up a special prefix to distinguish between a GRIC and IPASS user. We've got help from iPASS to append an IPASS/ prefix to all iPASS usages.

Eg:
[EMAIL PROTECTED] ---> GRIC
IPASS/[EMAIL PROTECTED] ---> IPASS

Hope this helps.

- Elias -

- Original Message -
From: Igor Briski <[EMAIL PROTECTED]>
Date: Sunday, August 17, 2003 6:04 pm
Subject: (RADIATOR) Interoperation with both GRIC and iPass

> Has anyone solved a situation where both iPass and GRIC roaming users are
> authenticating on the same radiator server?
>
> How do I distinguish GRIC and iPass users from each other, how do I tell
> which user to authenticate with GRIC and which with iPass?
>
> Both systems have the same format [EMAIL PROTECTED], so obviously I need some
> other attribute to know which user is an iPass user and which user is a GRIC
> user.
> --
> Igor Briski -- [EMAIL PROTECTED]
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
(RADIATOR) Attribute 42 and 43 for Unisphere ERX
Hi all,

Does anybody have the latest dictionary for the Unisphere ERX? Can't seem to find attribute 42 and 43.

Tue Mar 25 18:33:03 2003: ERR: Attribute number 42 (vendor 4874) is not defined in your dictionary
Tue Mar 25 18:33:03 2003: ERR: Attribute number 43 (vendor 4874) is not defined in your dictionary

TQ

- Elias -
(RADIATOR) How does Radiator determine duplicate packets?
Hi Hugh,

How does Radiator check for duplicate packets? Are there any adjustable parameters for this? If the NAS did not receive a response from Radiator and sends a retransmit packet, does Radiator reject this as a duplicate?

TQ

- Elias -
(RADIATOR) Use single or multiple statements?
Hi Hugh,

Will there be any performance difference if I structure my config file as below?

a.

b.

Which way would be faster/better for Radiator? Or will both of them just give the same results?

Thanks.

- Elias -
(RADIATOR) Reject all auth from a specific domain
Hi Hugh,

Is there any way I can block/reject a particular domain from authenticating? Right now I simply use to block all authentication from the domain tm.net.my. This does not work all the time as some of our users login as [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], etc. Is there a way to block everything that has @tm.net.my irregardless of the case?

Thx

- Elias -
Re: (RADIATOR) Multiple database failover
Hi Hugh,

We don't log acct to the database but auth with the multiple failovers work without the clause.

- Elias -

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Elias" <[EMAIL PROTECTED]>; "Radiator Mailing" <[EMAIL PROTECTED]>
Sent: Monday, March 11, 2002 1:58 PM
Subject: Re: (RADIATOR) Multiple database failover

>
> Hello Elias -
>
> This is most odd. Does the configuration work correctly without the
> ClientListSQL clause for both authentication and accounting to the same
> database?
>
> thanks
>
> Hugh
>
>
> On Mon, 11 Mar 2002 15:01, Elias wrote:
> > Hi Hugh,
> >
> > The configuration I'm testing works if I remove the clause.
> > Any ideas why this is causing the config to not work? If I understand
> > correctly, this query is only done once when Radiator first starts up
> > right?
> >
> >
> > - Elias -
> >
> >
> > - Original Message -
> > From: "Hugh Irvine" <[EMAIL PROTECTED]>
> > To: "Elias" <[EMAIL PROTECTED]>; "Radiator Mailing" <[EMAIL PROTECTED]>
> > Sent: Saturday, March 09, 2002 7:20 AM
> > Subject: Re: (RADIATOR) Multiple database failover
> >
> > > Hello Elias -
> > >
> > > This looks like a different error on the production machine. Does the SQL
> > > database operate correctly prior to the error you show below?
> > >
> > > I would suggest you upgrade to Radiator 2.19 in any case, and let me know if
> > > that makes a difference (there have been some SQL modifications).
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On Fri, 8 Mar 2002 19:11, Elias wrote:
> > > > Hi Hugh,
> > > >
> > > > I'm trying to get Radiator (we're using 2.18.2) to authenticate against
> > > > multiple databases in a failover mode. We have set up our SQL database and
> > > > LDAP to sit on different networks. Normally Radiator would authenticate
> > > > against the SQL and this works fine. We have 2 SQL databases for
> > > > authentication and if the first one fails, Radiator will automatically
> > > > switch to the second SQL database. This part works great.
> > > >
> > > > To add a second layer of redundancy, we have LDAP sitting on another
> > > > network. When the whole network where the SQL sits fails, we want Radiator
> > > > to switch automatically to LDAP. I've tested this setup using radpwtst on
> > > > our development machines and it works. The problem is when I copy the exact
> > > > config over to our production machines, it doesn't work. When the SQL
> > > > network goes down, Radiator does not switch over to LDAP.
> > > >
> > > > Looking at the trace4 logs, I can see that everything is working ok in the
> > > > development machine.
> > > >
> > > > Fri Mar 8 10:57:38 2002: ERR: Could not connect to SQL database with DBI->connect dbi:Oracle:host=xxx;sid=: timeout at Radius/SqlDb.pm line 120.
> > > > Fri Mar 8 10:57:38 2002: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 1 seconds
> > > > Fri Mar 8 10:57:41 2002: ERR: Could not connect to SQL database with DBI->connect dbi:Oracle:host=yyy;sid=yyy: timeout at Radius/SqlDb.pm line 120.
> > > > Fri Mar 8 10:57:41 2002: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 1 seconds
> > > > Fri Mar 8 10:57:44 2002: DEBUG: Handling with Radius::AuthLDAP2
> > > > Fri Mar 8 10:57:44 2002: DEBUG: Connecting to
> > > > Fri Mar 8 10:57:44 2002: DEBUG: Attempting to bind with cn=z
> > > > Fri Mar 8 10:57:44 2002: DEBUG: Radius::AuthLDAP2 looks for match with zzz
> > > > Fri Mar 8 10:57:44 2002: DEBUG: LDAP got result for uid=
> > > >
> > > > When testing in the production environment, I only get one line in the logs
> > > > and Radiator just freezes and will not switch over to LDAP.
> > > >
Re: (RADIATOR) Multiple database failover
Hi Hugh,

The configuration I'm testing works if I remove the clause. Any ideas why this is causing the config to not work? If I understand correctly, this query is only done once when Radiator first starts up right?

- Elias -

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Elias" <[EMAIL PROTECTED]>; "Radiator Mailing" <[EMAIL PROTECTED]>
Sent: Saturday, March 09, 2002 7:20 AM
Subject: Re: (RADIATOR) Multiple database failover

>
> Hello Elias -
>
> This looks like a different error on the production machine. Does the SQL
> database operate correctly prior to the error you show below?
>
> I would suggest you upgrade to Radiator 2.19 in any case, and let me know if
> that makes a difference (there have been some SQL modifications).
>
> regards
>
> Hugh
>
>
> On Fri, 8 Mar 2002 19:11, Elias wrote:
> > Hi Hugh,
> >
> > I'm trying to get Radiator (we're using 2.18.2) to authenticate against
> > multiple databases in a failover mode. We have set up our SQL database and
> > LDAP to sit on different networks. Normally Radiator would authenticate
> > against the SQL and this works fine. We have 2 SQL databases for
> > authentication and if the first one fails, Radiator will automatically
> > switch to the second SQL database. This part works great.
> >
> > To add a second layer of redundancy, we have LDAP sitting on another
> > network. When the whole network where the SQL sits fails, we want Radiator
> > to switch automatically to LDAP. I've tested this setup using radpwtst on
> > our development machines and it works. The problem is when I copy the exact
> > config over to our production machines, it doesn't work. When the SQL
> > network goes down, Radiator does not switch over to LDAP.
> >
> > Looking at the trace4 logs, I can see that everything is working ok in the
> > development machine.
> >
> > Fri Mar 8 10:57:38 2002: ERR: Could not connect to SQL database with DBI->connect dbi:Oracle:host=xxx;sid=: timeout at Radius/SqlDb.pm line 120.
> > Fri Mar 8 10:57:38 2002: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 1 seconds
> > Fri Mar 8 10:57:41 2002: ERR: Could not connect to SQL database with DBI->connect dbi:Oracle:host=yyy;sid=yyy: timeout at Radius/SqlDb.pm line 120.
> > Fri Mar 8 10:57:41 2002: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 1 seconds
> > Fri Mar 8 10:57:44 2002: DEBUG: Handling with Radius::AuthLDAP2
> > Fri Mar 8 10:57:44 2002: DEBUG: Connecting to
> > Fri Mar 8 10:57:44 2002: DEBUG: Attempting to bind with cn=z
> > Fri Mar 8 10:57:44 2002: DEBUG: Radius::AuthLDAP2 looks for match with zzz
> > Fri Mar 8 10:57:44 2002: DEBUG: LDAP got result for uid=
> >
> > When testing in the production environment, I only get one line in the logs
> > and Radiator just freezes and will not switch over to LDAP.
> >
> > Fri Mar 8 11:05:29 2002: ERR: Execute failed for 'select ENCRYPTEDPASSWORD, reply_attr from SUBSCRIBERS where LOGIN='DEFAULT' and STATUS=1': SQL Timeout
> >
> >
> > --- Radiator config ---
> >
> > Identifier SQL_auth
> > FailureBackoffTime 1
> >
> > DBSource xxx
> > DBUsername xxx
> > DBAuth xxx
> > Timeout 3
> >
> > DBSource yyy
> > DBUsername yyy
> > DBAuth yyy
> > Timeout 3
> >
> > AuthSelect select .
> > AuthColumnDef 0, ...
> >
> > Identifier LDAP_auth
> > Timeout 3
> >
> > Host zzz
> > AuthDN zzz
> > AuthPassword zzz
> > BaseDN ...
> >
> > UsernameAttr uid
> > PasswordAttr userpassword
> >
> > RejectHasReason
> > AuthByPolicy ContinueWhileIgnore
> > AuthBy SQL_auth
> > AuthBy LDAP_auth
> >
> > - Elias -
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
(RADIATOR) Multiple database failover
Hi Hugh,

I'm trying to get Radiator (we're using 2.18.2) to authenticate against multiple databases in a failover mode. We have set up our SQL database and LDAP to sit on different networks. Normally Radiator would authenticate against the SQL and this works fine. We have 2 SQL databases for authentication and if the first one fails, Radiator will automatically switch to the second SQL database. This part works great.

To add a second layer of redundancy, we have LDAP sitting on another network. When the whole network where the SQL sits fails, we want Radiator to switch automatically to LDAP. I've tested this setup using radpwtst on our development machines and it works. The problem is when I copy the exact config over to our production machines, it doesn't work. When the SQL network goes down, Radiator does not switch over to LDAP.

Looking at the trace4 logs, I can see that everything is working ok in the development machine.

Fri Mar 8 10:57:38 2002: ERR: Could not connect to SQL database with DBI->connect dbi:Oracle:host=xxx;sid=: timeout at Radius/SqlDb.pm line 120.
Fri Mar 8 10:57:38 2002: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 1 seconds
Fri Mar 8 10:57:41 2002: ERR: Could not connect to SQL database with DBI->connect dbi:Oracle:host=yyy;sid=yyy: timeout at Radius/SqlDb.pm line 120.
Fri Mar 8 10:57:41 2002: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 1 seconds
Fri Mar 8 10:57:44 2002: DEBUG: Handling with Radius::AuthLDAP2
Fri Mar 8 10:57:44 2002: DEBUG: Connecting to
Fri Mar 8 10:57:44 2002: DEBUG: Attempting to bind with cn=z
Fri Mar 8 10:57:44 2002: DEBUG: Radius::AuthLDAP2 looks for match with zzz
Fri Mar 8 10:57:44 2002: DEBUG: LDAP got result for uid=

When testing in the production environment, I only get one line in the logs and Radiator just freezes and will not switch over to LDAP.

Fri Mar 8 11:05:29 2002: ERR: Execute failed for 'select ENCRYPTEDPASSWORD, reply_attr from SUBSCRIBERS where LOGIN='DEFAULT' and STATUS=1': SQL Timeout

--- Radiator config ---

Identifier SQL_auth
FailureBackoffTime 1

DBSource xxx
DBUsername xxx
DBAuth xxx
Timeout 3

DBSource yyy
DBUsername yyy
DBAuth yyy
Timeout 3

AuthSelect select .
AuthColumnDef 0, ...

Identifier LDAP_auth
Timeout 3

Host zzz
AuthDN zzz
AuthPassword zzz
BaseDN ...

UsernameAttr uid
PasswordAttr userpassword

RejectHasReason
AuthByPolicy ContinueWhileIgnore
AuthBy SQL_auth
AuthBy LDAP_auth

- Elias -
(RADIATOR) Question on defining realms
Hi Hugh,

I defined a realm abc in my config file. So far Radiator has been running great but now I have several users logging in as user@abc@abc. How can I stop this?

Thanks!

. . .

- Elias -
Re: (RADIATOR) Help with LDAP auth
Hi Hugh,

I'm running Radiator 2.18.2 with perl-ldap-0.24

- Elias -

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Elias" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 4:22 PM
Subject: Re: (RADIATOR) Help with LDAP auth

>
> Hello Elias -
>
> Could you tell me what version of Radiator you are running?
>
> thanks
>
> Hugh
>
>
> On Wednesday 19 September 2001 13:04, Elias wrote:
> >
> > Hi Hugh,
> >
> > I'm experimenting with LDAP for authentication and seem to be stuck. I'm
> > totally new to LDAP and hence am not sure if the problem's with LDAP or my
> > Radiator config. The authentication seems to work if I supply the
> > additional parameter ServerChecksPassword. If I omit this, Radiator will
> > return a "No such user" message all the time. I've included a sample of my
> > config and also the usual trace 4 output. BTW, I don't know if this is
> > important or not, the password is stored as either userpassword: {SHA}x
> > xx or userpassword: {crypt}x. The password differs depending on
> > when the user was created. Thanks !
> >
> >
> > -- ldap config -
> >
> > RejectHasReason
> > RewriteUsername s/^([^@]+).*/$1/
> >
> > Host ldaptest
> > BaseDN %0=%1,ou=People,o=tm.net.my,o=isp
> >
> > # This is the attribute to match the radius user name
> > UsernameAttr uid
> > PasswordAttr userpassword
> > #ServerChecksPassword
> >
> > AddToReply Framed-Protocol = PPP,\
> > Framed-IP-Netmask = 255.255.255.255,\
> > Framed-Routing = None,\
> > Framed-MTU = 1500,\
> > Framed-Compression = Van-Jacobson-TCP-IP
> >
> >
> > trace 4 output (without the ServerChecksPassword option)
> > Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 60377
> > Code: Access-Request
> > Identifier: 206
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "anuar@ldap"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
> >
> > Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
> > Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
> > Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
> > Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
> > Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
> > Wed Sep 19 10:28:57 2001: DEBUG: Deleting session for anuar@ldap, 203.63.154.1, 1234
> > Wed Sep 19 10:28:57 2001: DEBUG: Handling with Radius::AuthLDAP2
> > Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
> > Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with ,
> > Wed Sep 19 10:28:57 2001: DEBUG: No entries for anuar found in LDAP database
> > Wed Sep 19 10:28:57 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
> > Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
> > Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with ,
> > Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> > Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
> > Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 60377
> > Code: Access-Reject
> > Identifier: 206
> > Authentic: 1234567890123456
> > Attributes:
> > Reply-Message = "No such user"
> >
> >
> > trace 4 output (with the ServerChecksPassword option)
> > -
> >
> > Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
> > *** Received from 127.0.
(RADIATOR) Help with LDAP auth
ar,ou=People, o=tm.net.my, o=isp
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailhost: tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got maildeliveryoption: mailbox
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mail: [EMAIL PROTECTED]
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got objectclass: top person organizationalPerson inetorgperson inetUsere
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got inetuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got cn: anuar anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got uid: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got datasource: iPlanet Messaging Server 5.0 Admin Console
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got givenname: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got sn: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=Nt
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=t
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got createtimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifytimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60398
Code: Access-Accept
Identifier: 141
Authentic: 1234567890123456
Attributes:
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.255
    Framed-Routing = None
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP

- Elias -
(RADIATOR) Alternate way to define clients
Hi Hugh, I'm currently using the clause to specify my radius clients. I don't want to put the clients definition in my config file as we've got lots of clients pointing to us and each of them has their own secret key. Is there a way to make Radiator get the clients list from a text file? - Elias -
Re: (RADIATOR) Detecting login with prefixes
Hi Hugh,

As you suggested, I tried using a handler to detect logins with specific prefixes, but it doesn't seem to work. My guess here is that there's probably something wrong with my regexp. I'm trying to detect logins such as IPASS/login@domain. Any ideas on what the correct regexp should be? Man, I definitely need to get myself a copy of the Camel book!

AuthBy iPassProxy

Regards, Elias

- Original Message -
From: Hugh Irvine
To: Elias ; [EMAIL PROTECTED]
Sent: Saturday, March 31, 2001 4:11 PM
Subject: Re: (RADIATOR) Detecting login with prefixes

Hello Elias -

At 13:12 +0700 28/3/31, Elias wrote:
Hi, Is there a way to detect login prefixes with radiator? I want to detect logins such as [EMAIL PROTECTED] [prefix/login@domain] and proxy the request to another radius server. Can this be done? Thanks.

This is very easily done with Handlers and Perl regexp's:

# configure AuthBy RADIUS clause for proxy
Identifier ProxyTo
.
# special Handler for prefix and proxy
# where "prefix" is the string you want to match
RewriteUsername ..
AuthBy ProxyTo

You will need to consult the Camel book (Perl reference) for the exact syntax of the regexp for what you want to do.

hth

Hugh

--
NB: I am travelling this week, so there may be delays in our correspondence.
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
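An added example, not part of the original messages and not Radiator's own code: a stand-alone Perl script showing an anchored regexp for logins of the form prefix/login@domain, with the prefix stripped before the name would be passed on. The prefix list, the sample usernames and the helper name split_prefixed_login are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Prefixes whose logins should go to the proxy (constructed for this example).
my @proxy_prefixes = ('IPASS');

# quotemeta() stops metacharacters in a prefix being read as regexp syntax.
my $alternation = join '|', map { quotemeta } @proxy_prefixes;

# \A and \z anchor the whole string: the prefix must be the first thing in
# the username, exactly one slash is allowed, and the realm is optional.
# An unanchored /IPASS\// would also match "XIPASS/login@domain".
my $prefix_re = qr{\A($alternation)/([^/\s\@]+)(?:\@([^/\s\@]+))?\z};

# Returns (prefix, login, realm) for a prefixed login, or an empty list.
# realm is undef when the login has no @domain part.
sub split_prefixed_login {
    my ($username) = @_;
    return unless defined $username;
    return $username =~ $prefix_re ? ($1, $2, $3) : ();
}

# Constructed sample usernames.
my @samples = (
    'IPASS/login@domain',     # prefixed, with realm
    'IPASS/login',            # prefixed, no realm
    'login@domain',           # ordinary login, no prefix
    'ipass/login@domain',     # wrong case: the match is case-sensitive
    'XIPASS/login@domain',    # prefix appears only as a substring
    'IPASS/a/b@domain',       # second slash
    "IPASS/login\@domain\n",  # trailing newline
);

for my $u (@samples) {
    (my $shown = $u) =~ s/\n/\\n/g;    # make the newline visible in output
    if (my ($prefix, $login, $realm) = split_prefixed_login($u)) {
        my $stripped = defined $realm ? "$login\@$realm" : $login;
        printf "%-24s proxy     prefix=%s rewritten=%s\n",
            $shown, $prefix, $stripped;
    }
    else {
        printf "%-24s no-match\n", $shown;
    }
}
```

Only the first two samples are reported as proxy; the rest fall through as no-match, which is what keeps credentials for unrelated usernames from being forwarded to the remote server.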
(RADIATOR) Interoperation with both GRIC and iPASS
Hi, Is there a way to make radiator work with both GRIC and iPASS services? Currently our GRIC roaming is already working, but we are having trouble getting iPASS to work. Our current setup forwards all non-local realms to GRIC. How can I include iPASS into this setup? Thanks for your help.

Host xx
Secret xxx
AuthPort 1645
AcctPort 1646
Retries 1
AddToReply Framed-Protocol = PPP,\
    Service-Type = Framed-User,\
    Framed-IP-Netmask = 255.255.255.255,\
    Framed-Routing = Listen,\
    Framed-MTU = 1500,\
    Framed-Compression = Van-Jacobson-TCP-IP

- Elias -
(RADIATOR) Detecting login with prefixes
Hi, Is there a way to detect login prefixes with radiator? I want to detect logins such as [EMAIL PROTECTED] [prefix/login@domain] and proxy the request to another radius server. Can this be done? Thanks. - Elias -
(RADIATOR) Fixed IP and prepaid services
Hi, Has anyone successfully implemented a running prepaid service? I'd appreciate it if any of you out there could share the config file with me. Second question is, how can I implement a fixed IP service? Currently, our NAS handles the assignment of all IPs through a dynamic IP pool automatically. Our radiators only return these attributes to get a pooled IP.

AddToReply Framed-Protocol = PPP,\
    Service-Type = Framed-User,\
    Framed-Routing = Listen,\
    Framed-MTU = 1500,\
    Framed-Compression = Van-Jacobson-TCP-IP

Now, to get a fixed IP I've tried adding 2 extra reply attributes which are

Framed-Address = xxx.xxx.xxx.xxx
Framed-Netmask = 255.255.255.255

but this config doesn't seem to work as users still get an IP assigned from the IP pool. Are these 2 attributes enough, or do I need to send some other reply attributes? Thanks for the help. - Elias -
(RADIATOR) Performance Monitoring
Hi, I'm trying to monitor the performance of Radiator. Is there any way to check the number of users authenticated per day and the number of authentication failures? Also, how can I record the total response time for each authentication request? Thanks.