Re: (RADIATOR) Problem with Simultaneous-Use and proxying
Can you do: StripFromReply Simultaneous-Use or is StripFromReply only for AuthBy? This is just the first thing that popped into my head.

/ / Jason

On Mon, 3 Jul 2000, Joshua M. Thompson wrote:

> Date: Mon, 3 Jul 2000 23:13:07 -0400 (EDT)
> From: Joshua M. Thompson <[EMAIL PROTECTED]>
> To: Hugh Irvine <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Problem with Simultaneous-Use and proxying
>
> On Tue, 4 Jul 2000, Hugh Irvine wrote:
>
> > This is what it should do, however it is posting a warning to let you know. Is
> > the real question "can I suppress the warning?"? If so, the answer at the
> > moment is no, until we completely re-do the logging subsystem.
>
> The logging itself doesn't bother me. "grep -v" is my friend. :) It's just
> that it really does deny the users access:
>
> Sat Jul 1 20:36:35 2000: WARNING: Could not find a Client for NAS 204.146.166.105 to double-check Simultaneous-Use. Perhaps you do not have a reverse DNS for that NAS?
> Sat Jul 1 20:36:35 2000: INFO: Access rejected for [EMAIL PROTECTED]:
>
> I think I'll take a look at the code and see about switching the default
> behavior and submit the patch. A more detailed fix would be to map all the
> existing clients to IPs and compare the actual addresses instead of just
> trying to match via reverse DNS but I think I'll get the customers happy
> first with the quick fix.
>
> > I think you may have to do some more investigation to ascertain under what
> > conditions the session database is not being correctly updated.
>
> I will. I just need to watch it so my log doesn't overflow before I find
> the piece of info I need. :)
>
> --
> Senior Systems Engineer | "Where are we going, and what am I doing in
> BigNet, Inc.            | this handbasket?"
> Phone: 248-771-1261     | - Paraphrased from various people's .sigs
> Fax: 248-771-1269       |

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) Problem with formatted-date
Hello!

Try %Y/%m/%d

FYI, the strftime man page contains this information, it is a good resource.

From the page:

%e is replaced by the day of month as a decimal number (1-31); single digits are preceded by a blank.
%d is replaced by the day of the month as a decimal number (01-31).

Good luck!

/ / Jason

On Sun, 2 Jul 2000, Brian Morris wrote:

> Date: Sun, 2 Jul 2000 15:10:22 +1000
> From: Brian Morris <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Problem with formatted-date
>
> I am using a line like the following to write the date in a human-readable
> form to my SQL table...
>
> AcctColumnDef HUMANDATE,Timestamp,formatted-date,'%Y/%m/%e'
>
> On dates below the 10th of the month it creates entries like 2000/07/ 2
> (With a space before the last digit) - what I would like it to record is
> 2000/07/02 (with a zero instead of the space before the last digit)
>
> Does anyone have any suggestions on how I can do this? Or is this a bug?
>
> Regards, Brian Morris

(RADIATOR) Help with Handler
How can I write a handler like: or (tried, gets skipped)

If I can get Handler to use a negative match, I'll be all set! :)

Thanks in advance!

Here is what I get from the PM3 when a user dials up as a terminal user.

Code: Access-Request
Identifier: 137
Authentic: x
Attributes:
    User-Name = "jason"
    User-Password =
    NAS-IP-Address = xx.xxx.121.18
    NAS-Port = 25
    NAS-Port-Type = Async
    Connect-Info = "48000 LAPM/V42BIS"
    Called-Station-Id = "848"
    Calling-Station-Id = "360yyy"

Here is what I get when the user connects via PPP/PAP

Code: Access-Request
Identifier: 137
Authentic:
Attributes:
    User-Name = "jason"
    User-Password = xxx
    NAS-IP-Address = xx.xxx.121.18
    NAS-Port = 24
    NAS-Port-Type = Async
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Connect-Info = "50666 LAPM/V42BIS"
    Called-Station-Id = "848xxx"
    Calling-Station-Id = "360yyy"

/ / Jason

Re: (RADIATOR) How should I go about this?
I've tried: which doesn't get used since the auth packet doesn't contain a service-type for some reason.. I'm going to try seeing if it's the radius proxy handing me the requests stripping them or the pm3 not sending them to begin with.

/ / Jason

On Thu, 29 Jun 2000, Andy Dills wrote:

> Date: Thu, 29 Jun 2000 16:16:53 -0400 (EDT)
> From: Andy Dills <[EMAIL PROTECTED]>
> To: Jason Godsey <[EMAIL PROTECTED]>
> Cc: Hugh Irvine <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) How should I go about this?
>
> On Thu, 29 Jun 2000, Jason Godsey wrote:
>
> > How do you tell the difference as far as radius is concerned whether to
> > return:
> >
> > DEFAULT Auth-Type = System
> >         Service-Type = Login-User,
> >         Login-Service = Rlogin,
> >         Login-IP-Host = 206.129.xxx.xxx
> >
> > or
> >
> > DEFAULT Auth-Type = System
> >         Framed-Protocol = PPP,
> >         Framed-MTU = 1500,
> >         Session-Timeout = 10800,
> >         Idle-Timeout = 600,
> >         Port-Limit = 1
> >
> > This is where I have the problem.
> >
> > I hope there is an easy solution such as
> >
> > :) however, from looking at trace 4, I
> > don't see anything I can do to check if it's a ppp or login-user request.
>
> You make the Service-Type a check item (as opposed to a reply item, as you
> have above). Like this:
>
> DEFAULT Auth-Type = System, Service-Type = Login-User, Simultaneous-Use = 1
>         Login-Service = Rlogin,
>         Login-IP-Host = shell.xecu.net
>
> Andy
>
> Andy Dills                              301-682-9972
> Xecunet, LLC                            www.xecu.net
>
> Dialup * Webhosting * E-Commerce * High-Speed Access

Re: (RADIATOR) How should I go about this?
How do you tell the difference as far as radius is concerned whether to return:

DEFAULT Auth-Type = System
        Service-Type = Login-User,
        Login-Service = Rlogin,
        Login-IP-Host = 206.129.xxx.xxx

or

DEFAULT Auth-Type = System
        Framed-Protocol = PPP,
        Framed-MTU = 1500,
        Session-Timeout = 10800,
        Idle-Timeout = 600,
        Port-Limit = 1

This is where I have the problem.

I hope there is an easy solution such as :) however, from looking at trace 4, I don't see anything I can do to check if it's a ppp or login-user request.

/ / Jason

On Thu, 29 Jun 2000, Andy Dills wrote:

> Date: Thu, 29 Jun 2000 13:23:08 -0400 (EDT)
> From: Andy Dills <[EMAIL PROTECTED]>
> To: Jason Godsey <[EMAIL PROTECTED]>
> Cc: Hugh Irvine <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) How should I go about this?
>
> On Thu, 29 Jun 2000, Jason Godsey wrote:
>
> > Hugh, the problem is I don't have a configuration file to support what I
> > want to do, which is;
> >
> > Allow customer Jason Godsey, with user name jason to connect with any
> > modem program such as hyperterminal and type Login: jason and be ushered
> > to the rlogin host. At the same time, I'd like to allow jason to also use
> > the username jason as his login in Dialup Networking for a PPP connection.
> >
> > We currently solve this by having PPP customers use a capital P before
> > their username Pjason. This is causing a lot of problems for customers as
> > we get more and more computer novice people who can't figure out why they
> > need Pjason to use dialup and just jason for email etc..
> >
> > I would like to find some sort of hook I can use in my
> > identify the session as PPP or Login-User transparently to the customer
> > based on what the portmaster sends in the auth packet. If it helps, I
> > believe all of our PPP customers support PAP.
> >
> > One way I've tried this is trying Sjason for Shell, radiator works great
> > catching it, strips the S and checks the user/pass just fine and hands the
> > portmasters the Login-IP-Address etc.. The ONLY problem is that the
> > portmaster then hands the Rlogin host Sjason instead of just jason. If I
> > create a user on the shell system as Sjason it works great.
> >
> > If there is no easy way to distinguish between a PPP and User-Login based
> > on what the portmaster feeds radius in the auth packet, I have the option
> > of patching my Rlogin daemon to strip s/^S//; but I was hoping for a more
> > elegant solution :)
>
> Jason, the portmaster should autodetect the difference. I know that
> Ascend, Assured Access, and Cisco NASes do. You shouldn't have to have a
> capital P in front of their usernames.
>
> For instance, with us, if you dialup to us, we wait for you to start
> PAP. If we don't see PAP after a couple of seconds, it drops you into the
> Login-User mode. Same usernames for either connection method. Doesn't get
> more elegant than that :>
>
> Andy
>
> Andy Dills                              301-682-9972
> Xecunet, LLC                            www.xecu.net
>
> Dialup * Webhosting * E-Commerce * High-Speed Access

Re: (RADIATOR) How should I go about this?
Hugh, the problem is I don't have a configuration file to support what I want to do, which is;

Allow customer Jason Godsey, with user name jason to connect with any modem program such as hyperterminal and type Login: jason and be ushered to the rlogin host. At the same time, I'd like to allow jason to also use the username jason as his login in Dialup Networking for a PPP connection.

We currently solve this by having PPP customers use a capital P before their username Pjason. This is causing a lot of problems for customers as we get more and more computer novice people who can't figure out why they need Pjason to use dialup and just jason for email etc..

I would like to find some sort of hook I can use in my

> Date: Thu, 29 Jun 2000 09:41:41 +1000
> From: Hugh Irvine <[EMAIL PROTECTED]>
> To: Jason Godsey <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) How should I go about this?
>
> Hello Jason -
>
> I think I will need to see a more complete configuration file, together with a
> more complete description of what you are trying to do. The information below
> appears to be incomplete.
>
> thanks
>
> Hugh
>
> On Thu, 29 Jun 2000, Jason Godsey wrote:
> > This is basically how I'm setup now:
> >
> > # auth by .
> >
> > # auth by .
> >
> > # auth by .
> >
> > We currently have users using "Pjason" as their PPP login, and jason as
> > shell, however we would like to change this to allow jason to allow for
> > PPP session and Sjason to work as shell since we don't offer SLIP.
> >
> > The problem I've run into is that after radiator does its thing:
> > Wed Jun 28 10:16:21 2000: DEBUG: Check if Handler User-Name=/^S/ should be used to handle this request
> > Wed Jun 28 10:16:21 2000: DEBUG: Handling request with Handler 'User-Name=/^S/'
> > Wed Jun 28 10:16:21 2000: DEBUG: Rewrote user name to jason
> >
> > which is good, however it passes back to the pm3's to use a Rlogin host,
> > even though radiator strips off the S, the pm3 retains it and passes it to
> > the rlogin daemon on the login host.
> >
> > Has anyone faced this before? I've thought of:
> >
> > , but I'm not sure if this would
> > work either.
> >
> > Thank you for any help!
> >
> > / / Jason
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

(RADIATOR) How should I go about this?
This is basically how I'm setup now:

# auth by .

# auth by .

# auth by .

We currently have users using "Pjason" as their PPP login, and jason as shell, however we would like to change this to allow jason to allow for PPP session and Sjason to work as shell since we don't offer SLIP.

The problem I've run into is that after radiator does its thing:

Wed Jun 28 10:16:21 2000: DEBUG: Check if Handler User-Name=/^S/ should be used to handle this request
Wed Jun 28 10:16:21 2000: DEBUG: Handling request with Handler 'User-Name=/^S/'
Wed Jun 28 10:16:21 2000: DEBUG: Rewrote user name to jason

which is good, however it passes back to the pm3's to use a Rlogin host, even though radiator strips off the S, the pm3 retains it and passes it to the rlogin daemon on the login host.

Has anyone faced this before? I've thought of: , but I'm not sure if this would work either.

Thank you for any help!

/ / Jason

Re: (RADIATOR) mysql and I'm lazy.
I have read the goodies, however we would like to log EVERYTHING not just the limited entries in the example. One thing I'm having trouble with is I need to migrate our detail files from 1997+ into the database also. This gives me the problem of not knowing the int value of le-terminate-detail etc..

Thanks!

On Tue, 21 Mar 2000, Hugh Irvine wrote:

> Date: Tue, 21 Mar 2000 14:44:22 +1100
> From: Hugh Irvine <[EMAIL PROTECTED]>
> To: Jason Godsey <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) mysql and I'm lazy.
>
> Hello Jason -
>
> On Tue, 21 Mar 2000, Jason Godsey wrote:
> > Hello again,
> >
> > I've discovered I'm quite lazy and am looking for a simple way to setup
> > SQL tables for all the records I want out of the detail file.
> >
> > Are there any utils to parse a detail file and generate a proper sql
> > dump to hold all the information contained in the detail file?
> >
> > Otherwise, do I just look up the attribute I want in the detail file
> > to see if it is text/int? Is there a simple way to tell how long the
> > field is?
>
> There is a sample SQL creation script in goodies/mysqlCreate.sql. And really
> the simplest way to write the database is with Radiator and an AuthBy SQL.
>
> hth
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

(RADIATOR) mysql and I'm lazy.
Hello again,

I've discovered I'm quite lazy and am looking for a simple way to setup SQL tables for all the records I want out of the detail file.

Are there any utils to parse a detail file and generate a proper sql dump to hold all the information contained in the detail file?

Otherwise, do I just look up the attribute I want in the detail file to see if it is text/int? Is there a simple way to tell how long the field is?

Jason

Re: (RADIATOR) Y2K: %y results in single '0'
This is proper behavior, since according to the man page it's "years since 1900" so proper behavior for programs to get the 2 digit year would be

$twodigit = subst(1900+%y, 2, -2);

** I think :) maybe even

subst(%Y, 2, -2);

On Tue, 4 Jan 2000, Ben-Nes Michael wrote:

> Date: Tue, 04 Jan 2000 10:32:47 +0200
> From: Ben-Nes Michael <[EMAIL PROTECTED]>
> To: radius <[EMAIL PROTECTED]>
> Subject: Re: (RADIATOR) Y2K: %y results in single '0'
>
> Hi All
>
> it's probably timelocal()
>
> try:
> ($sec,$min,$hour,$mday,$month,$year) = localtime(time);
> print $year."\n";
>
> you get: 100!
>
> Mike McCauley wrote:
>
> > Hi Thomas,
> >
> > Thanks for reporting that. We have fixed it and posted a fixed version of
> > radiusd to the patches area. It also affected %e.
> >
> > Thanks again, and apologies for the inconvenience.
> > Cheers.
> >
> > On Jan 3, 8:26am, Thomas Voss wrote:
> > > Subject: (RADIATOR) Y2K: %y results in single '0'
> > > Hello Mike,
> > >
> > > there is a problem with the '%y'-parameter:
> > > Instead of "Last 2 digits of the current year (2 digits)" the %y now
> > > results in a single '0' (one digit)!.
> > >
> > > We got a lot of trouble because we use the parameter to construct
> > > tablenames (although there's nothing that we aren't able to repair).
> > >
> > > Happy new year to Australia,
> > >
> > > Thomas.
> > >
> > >-- End of excerpt from Thomas Voss
> >
> > --
> > Mike McCauley                               [EMAIL PROTECTED]
> > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> > 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> > Phone +61 3 9598-0985                       Fax +61 3 9598-0955
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> > NT, Rhapsody
>
> --
> --
> Canaan Surfing Ltd.
> Internet Service Providers
> Ben-Nes Michael - Manager
> Tel: 972-6-6925757
> Fax: 972-6-6925858
> http://www.canaan.co.il
> --

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

(RADIATOR) Manual?
The url in the manual for Shadowf (for perl) package is not correct. I was able to find it searching the list but it would be nice to have a working url in the manual.

Thanks!

--
Jason Godsey

Re: (RADIATOR) Different logfiles for different groups?
I will give it a try, however I'm fairly sure we have tried. In my case there is a bit of a problem, I am generating/maintaining the password files on our mail server. There are 2 separate radius servers who I rsync the files over ssh to every change. The radius server also act as backup MX servers for us so I didn't want any local accounts on the machines.

In my case I'm actually pointing to /usr/local/etc/shadow,passwd,group. Will auth by system work in this way? This is why I said I just whipped up a little perl program to make the user:pass:uid:gid file in the mix.

On the mail server I use PAM which matches primary and secondary just fine.

Jason

On Sat, 30 Oct 1999, Hugh Irvine wrote:

> Date: Sat, 30 Oct 1999 10:00:35 +1000
> From: Hugh Irvine <[EMAIL PROTECTED]>
> To: Jason Godsey <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Different logfiles for different groups?
>
> Hello Jason -
>
> On Sat, 30 Oct 1999, Jason Godsey wrote:
> > I'm having a problem getting the users primary group, I'm running radiator
> > on linux and have the passwordfile pointed to /etc/shadow, it is able to
> > check the crypted password just fine, however linux's shadow file does not
> > contain the users primary group (however the freebsd box's master.passwd
> > does). Is there an easier fix than my current solution?
>
> Perhaps try AuthBy SYSTEM rather than AuthBy UNIX.
>
> Please let me know how it works.
>
> cheers
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody

Re: (RADIATOR) Different logfiles for different groups?
This is the exact same problem I have. It can be fixed using PAM, however I don't like pam, it's much slower in my tests than using the password files. If you peek in /etc/shadow you'll notice no groups are listed. This is why I asked to have ShadowFile directive added to Radiator so you can point to PasswordFile /etc/passwd, GroupFile /etc/group, and ShadowFile /etc/shadow. This would fix this problem for me anyway :)

On Fri, 29 Oct 1999, Dawn Lovell wrote:

> Date: Fri, 29 Oct 1999 08:31:04 -0500
> From: Dawn Lovell <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Different logfiles for different groups?
>
> Hi, Hugh! We are running 2.14.1; the note in the revision history was
> part of why we thought it should work. We had not explicitly specified
> GroupFilename, so we added that option and tried again. It still seems
> to be ignoring our primary groups; maybe we're missing something else?
>
> Here's the relevant portion of our config file:
>
>     Identifier System
>     Filename /etc/shadow
>     GroupFilename /etc/group
>     DefaultSimultaneousUse 1
>
>     # The filename defaults to %D/users
>     Filename %D/users.trial
>
>     ## Trial userids will have a Class of "trial" and
>     ## all others will have no Class attribute set.
>     AcctLogFileName %L/%N/detail%{Class}
>
> From the users.trial file:
> DEFAULT Auth-Type = System, Group = trial, NAS-Port-Type = Async
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Address = 255.255.255.254,
>         Framed-Netmask = 255.255.255.255,
>         Reply-Message="choice: ",
>         Port-Limit = 1,
>         Idle-Timeout = 1200,
>         Session-Timeout = 28800,
>         Class = trial
>
> DEFAULT Auth-Type = System, NAS-Port-Type = Async
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Address = 255.255.255.254,
>         Framed-Netmask = 255.255.255.255,
>         Reply-Message="choice: ",
>         Port-Limit = 1,
>         Idle-Timeout = 1200,
>         Session-Timeout = 28800
>
> This works great for userids that are explicitly listed in the groups
> file, but doesn't seem to work if they are not. We are running nscd,
> just in case that may be related to our problem. This is a Solaris 7
> box. Passwd and group are both set to files in nsswitch.conf.
>
> Here's an example user and the debug output for it.
>
> In /etc/passwd:
> testuser:x:12268:2000:Test User:/tmp:/bin/noshell
>
> In /etc/group:
> trial::2000:user1,user2
>
> Debug output:
> Fri Oct 29 08:09:59 1999: DEBUG: Check if Handler should be used to handle this request
> Fri Oct 29 08:09:59 1999: DEBUG: Handling request with Handler ''
> Fri Oct 29 08:09:59 1999: DEBUG: Deleting session for testuser, 209.142.178.4, 0
> Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthFILE
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with testuser
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthUNIX
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX looks for match with testuser
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX REJECT: User testuser is not in Group trial
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE REJECT: User testuser is not in Group trial
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
> Fri Oct 29 08:09:59 1999: DEBUG: Handling with Radius::AuthUNIX
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX looks for match with testuser
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthUNIX ACCEPT:
> Fri Oct 29 08:09:59 1999: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Oct 29 08:09:59 1999: DEBUG: Access accepted for testuser
>
> Thanks again for your help!
>
> Dawn
>
> At 12:26 PM 10/29/99 +1000, Hugh Irvine wrote:
>
> >This was fixed in Radiator 2.14. The following is from the revision history on
> >the web page (http://www.open.com.au/radiator/history.html):
> >
> >    AuthBy SYSTEM now checks the primary group as well as
> >    the secondary groups. It used only to do the secondaries.
> >
> >You will also need to use the GroupFilename parameter in your AuthBy.
> >
> >hth
> >
> >Hugh
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> >NT, Rhapsody

Re: (RADIATOR) Different logfiles for different groups?
I'm having a problem getting the users primary group, I'm running radiator on linux and have the passwordfile pointed to /etc/shadow, it is able to check the crypted password just fine, however linux's shadow file does not contain the users primary group (however the freebsd box's master.passwd does). Is there an easier fix than my current solution?

I have a perl script run every minute and check for different timestamps on the shadow and fidalgo.passwd file, if they are diff, it merges the passwd and shadow file into a normal passwd file w/ only login:cryptedpass:uid:group nothing else..

Thanks!

Jason

On Fri, 29 Oct 1999, Hugh Irvine wrote:

> Date: Fri, 29 Oct 1999 12:26:14 +1000
> From: Hugh Irvine <[EMAIL PROTECTED]>
> To: Dawn Lovell <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Different logfiles for different groups?
>
> Hello Dawn -
>
> On Fri, 29 Oct 1999, Dawn Lovell wrote:
> >
> > As usual, I do have another question. :-) This doesn't appear to be
> > working for primary groups, only for userids specified explicitly in
> > the /etc/group file. I saw some discussion about this in the archive,
> > but didn't find a definitive answer. Does 2.14.1 find the primary
> > group info when using /etc/shadow instead of /etc/passwd as the file
> > for AuthBy UNIX?
>
> This was fixed in Radiator 2.14. The following is from the revision history on
> the web page (http://www.open.com.au/radiator/history.html):
>
>     AuthBy SYSTEM now checks the primary group as well as
>     the secondary groups. It used only to do the secondaries.
>
> You will also need to use the GroupFilename parameter in your AuthBy.
>
> hth
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody

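The merge described in the message above, combined with the primary-group check discussed in this thread, as an added Perl example (it is not Jason's script and not Radiator code). The file contents are constructed samples modelled on the testuser entries quoted in the thread, and every function name is hypothetical.

```perl
#!/usr/bin/perl
# Added example: merge passwd + shadow into login:crypt:uid:gid records and
# test group membership by primary GID as well as by the group member list.
use strict;
use warnings;

# Constructed sample data modelled on the entries quoted in this thread.
my $PASSWD = <<'EOF';
testuser:x:12268:2000:Test User:/tmp:/bin/noshell
user1:x:12269:100:User One:/tmp:/bin/noshell
nohash:x:12270:100:No shadow entry:/tmp:/bin/noshell
EOF
my $SHADOW = <<'EOF';
testuser:CONSTRUCTEDHASH1:10893:0:99999:7:::
user1:CONSTRUCTEDHASH2:10893:0:99999:7:::
EOF
my $GROUP = <<'EOF';
trial::2000:user1,user2
users::100:
EOF

# Parse colon-separated records into a hash keyed by the first field.
sub parse_colon_file {
    my ($text) = @_;
    my %rec;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;      # skip comments and blank lines
        my @f = split /:/, $line, -1;      # -1 keeps trailing empty fields
        $rec{ $f[0] } = \@f;
    }
    return \%rec;
}

# Build login:crypt:uid:gid lines. When passwd says "x" but shadow has no
# entry, emit "*": no crypt() output equals it, so the account cannot log in.
sub merge_passwd_shadow {
    my ($passwd, $shadow) = @_;
    my @out;
    for my $login (sort keys %$passwd) {
        my (undef, $pw, $uid, $gid) = @{ $passwd->{$login} };
        my $hash = exists $shadow->{$login} ? $shadow->{$login}[1]
                 : $pw eq 'x'               ? '*'
                 :                            $pw;
        push @out, join ':', $login, $hash, $uid, $gid;
    }
    return @out;
}

# Nonzero if the user belongs to the named group through the primary GID in
# passwd or through the member list in the group file.
sub user_in_group {
    my ($login, $group_name, $passwd, $group) = @_;
    my $g = $group->{$group_name} or return 0;
    my $u = $passwd->{$login}     or return 0;
    return 1 if $u->[3] eq $g->[2];        # primary group match
    return scalar grep { $_ eq $login } split /,/, $g->[3] // '';
}

# Write the merged file so only its owner can read it, then rename it into
# place. It holds password hashes and needs the same protection as shadow.
sub write_merged {
    my ($path, @lines) = @_;
    my $old = umask 0077;
    open my $fh, '>', "$path.tmp" or die "open $path.tmp: $!";
    print {$fh} "$_\n" for @lines;
    close $fh or die "close $path.tmp: $!";
    umask $old;
    rename "$path.tmp", $path or die "rename $path.tmp: $!";
    return;
}

my $passwd = parse_colon_file($PASSWD);
my $shadow = parse_colon_file($SHADOW);
my $group  = parse_colon_file($GROUP);

my @merged = merge_passwd_shadow($passwd, $shadow);
print "$_\n" for @merged;

# testuser is in "trial" only through primary GID 2000, the case the
# REJECT lines in the quoted debug output show being missed.
for my $login (qw(testuser user1 nohash)) {
    printf "%-8s in trial: %s\n", $login,
        user_in_group($login, 'trial', $passwd, $group) ? 'yes' : 'no';
}

# Optional: pass an output path on the command line to write the merged file.
write_merged($ARGV[0], @merged) if @ARGV;
```
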
Re: (RADIATOR) Client-Id matching in Handler's not working
On Fri, 29 Oct 1999, Aaron Holtz wrote:

> Date: Fri, 29 Oct 1999 09:03:24 -0400 (EDT)
> From: Aaron Holtz <[EMAIL PROTECTED]>
> To: Hugh Irvine <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Client-Id matching in Handler's not working
>
> Hugh,
>
> I've discovered the problem - only Clients designated by a
> clause work - anything labeled as an IdenticalClients
> does not work. Example:
>
>     Secret pw
>
> That would match Client-Id for 111.111.111.20 whether it is with a regex
> or direct. However,
>
>     IdenticalClients 111.111.111.20
>     Secret pw

Will it match 111.111.111.3 even when they are dialed into .20? If so, this is the behavior I'd want. If you want to match .20, then it's not identical to .3.

Just my point of view.

Jason

> That would NOT match 111.111.111.20 because it isn't on the Client line.
> Can a patch be made to include the IdenticalClients listed to work with
> the Client-Id check item? It seems practical that IdenticalClients
> should/could be subject to checks just like the listed Client IP's would
> be. Thoughts?
>
> --
> Aaron Holtz
> ComNet Inc.
> UNIX Systems Administration/Network Operations
> "It's not broken, it just lacks duct tape."
> --
>
> On Oct 29, Hugh Irvine molded the electrons to say
>
> >Hello Aaron -
> >
> >On Thu, 28 Oct 1999, Aaron Holtz wrote:
> >> After making changes to match on Client-Id instead of Nas-IP-Address, I
> >> don't seem to be able to make any matches whether I do exact matches or a
> >> regex. Trace 4 dump:
> >>
> >
> >I have just tested this here with no problems. Note that the Client-Id check
> >item was added to Radiator 2.14.1. From the revision history:
> >
> >    Added support for NasType and Client-Id check items
> >
> >    (http://www.open.com.au/radiator/history.html)
> >
> >hth
> >
> >Hugh
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> >NT, Rhapsody

Re: (RADIATOR) Authenticate users from BSDI password file
A quick fix is to change your radius.cfg file to point to /etc/master.passwd I think. I'm having a similar problem w/ linux (however I just started using PAM).. Where if I point to /etc/shadow it doesn't get the users primary group. I'd sure like to see radiator support PasswordFile /etc/passwd and ShadowFile /etc/shadow etc... :)

Jason

On Mon, 11 Oct 1999, S.K.D. Lakmin Premnath wrote:

> Date: Mon, 11 Oct 1999 18:22:40 +
> From: S.K.D. Lakmin Premnath <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Authenticate users from BSDI password file
>
> hi mikem
>
> I'm running Radiator 2.14.1(single CPU Licence) on bsdi 4.0 machine. I need
> to authenticate users from UNIX password file. when I try to do this it
> says following
>
> lakmin is my user & abc123 is my password.
>
> radiator: {2} % perl radpwtst -user lakmin -password abc123
> sending Access-Request...
> Rejected
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
> radiator: {3} %
>
> following is output of password log file
> Mon Oct 11 18:05:17 1999:939643517:lakmin:abc123:ENCRYPTED:FAIL
>
> In radius.cfg file
>
>     Identifier System
>     Filename /etc/passwd
>     GroupFilename /etc/group
>
> In users file
> #DEFAULT Auth-Type = System, Group = group1, Auth-Type=Radius
> DEFAULT Auth-Type = System, Group = wheel
> # Reply-Message = you are in group 1
>
> thankx
>
> lakmin

(RADIATOR) Livingston Compatibility (User File)
We are having trouble figuring out how to work w/ our Radius 2.1 users file in Radiator. Everything we do works except for the Group check. We use something like:

DEFAULT Prefix=P, Auth-Type=System, Group=kflex, NAS-IP-Address=127.0.0.1
DEFAULT Prefix=P, Auth-Type=System, Group=kflex, NAS-IP-Address=127.0.0.2
DEFAULT Prefix=P, Auth-Type=System, Group=kflex, NAS-IP-Address=127.0.0.3
DEFAULT Prefix=P, Auth-Type=System, Group=888, Called-Station-Id=5551212

We are hoping to use the unix group to check for an auth or not.

Thanks,
Jason
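
Added example, not part of the original posts and not Radiator's code: a Group check of the kind the users-file entries above rely on, resolving membership from both the primary GID in the passwd file and the member lists in the group file, which is the primary-group gap the earlier reply about /etc/shadow mentions. The file contents are constructed samples, the function names are hypothetical, and accepting a numeric GID such as Group=888 is an assumption of this example.

```python
# Added example, not Radiator code. File contents are constructed samples.
PASSWD = """\
alice:x:1001:100::/home/alice:/bin/sh
carol:x:1002:11000::/home/carol:/bin/sh
dave:x:1003:100::/home/dave:/bin/sh
"""
GROUP = """\
users:x:100:
kflex:x:2000:alice
shutoff:x:11000:dave
"""

def parse_passwd(text):
    """Map user name -> primary GID (fourth field of a passwd line)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdecimal():
            users[fields[0]] = int(fields[3])
    return users

def parse_group(text):
    """Map group name -> (GID, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdecimal():
            members = {m.strip() for m in fields[3].split(",") if m.strip()}
            groups[fields[0]] = (int(fields[2]), members)
    return groups

def in_group(user, wanted, users, groups, check_primary=True):
    """True if `wanted` (group name or numeric GID) is one of the user's groups.

    check_primary=False looks only at group-file member lists, so a user
    whose primary GID is the group is missed.
    """
    if user not in users:
        return False
    primary = users[user]
    for name, (gid, members) in groups.items():
        if wanted in (name, str(gid)):
            return user in members or (check_primary and primary == gid)
    # Numeric GID with no group-file entry: only a primary match is possible.
    return check_primary and wanted.isdecimal() and primary == int(wanted)

USERS, GROUPS = parse_passwd(PASSWD), parse_group(GROUP)
```

With a reject rule such as Group = "shutoff", a member-list-only lookup lets carol through even though her primary group is shutoff; the combined lookup matches her.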
Re: (RADIATOR) Run perl code to generate more accounting fields
Shouldn't you look for account delay time? I've never seen it be other than 0, but I'm sure it's there for something :)

- Jason

On Mon, 5 Jul 1999, Mike McCauley wrote:

> Hi John,
>
> On Jul 2, 1:56pm, John Coy wrote:
> > Subject: (RADIATOR) Run perl code to generate more accounting fields
> > I'd like to calculate two fields (login_time and logout_time)
> > from the "Timestamp" and the "Acct-Session-Time" accounting
> > STOP records for insert into an SQL database. I'd like
> > to define:
> >
> > LOGIN_TIME = (Timestamp - Acct-Session-Time)
> > LOGOUT_TIME = Timestamp
> >
> > Is there an easy way to have Radiator calculate the LOGIN_TIME
> > field prior to insertion into the Radius database? If there
> > was a way to add a fake accounting field by running arbitrary
> > perl code, that would be helpful. I thought I read in the
> > docs you can add arbitrary authentication replies to an
> > auth record, but nothing that I read talked about the
> > authentication record.
> >
> > Ideas would be appreciated.
>
> Best way to do this is to construct an AcctSQLStatement that does the
> arithmetic you want:
>
> AcctSQLStatement insert into accounting
> LOGIN_TIME=%{Timestamp}-%{Acct-Session-Time}, LOGOUT_TIME=%{Acct-Session-Time}
> .
>
> Hope that helps.
>
> Cheers.
>
>
> --
> Mike McCauley [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd          Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody
(RADIATOR) compatibility w/ livingston radius users file...
Pjason  Auth-Type = System, Prefix = "P", NAS-Port-Type = Async, Called-Station-Id = "3830001"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 206.129.156.2,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Session-Timeout = 28800,
        Idle-Timeout = 1200,
        Port-Limit = 1

DEFAULT Auth-Type = Reject, Prefix = "P", Group = "shutoff"

DEFAULT Auth-Type = Reject, Group = "shutoff"

DEFAULT Auth-Type = Reject, Prefix = "P", Group = "poponly"

DEFAULT Auth-Type = Reject, Group = "poponly"

DEFAULT Auth-Type = System, Prefix = "P", NAS-Port-Type = ISDN, Group = "dualisdn", Called-Station-Id = "4240001"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500,
        Session-Timeout = 28800,
        Idle-Timeout = 1200,
        Port-Limit = 2

Should this work out of box by using a simple AuthFILE in the .cfg?

The auth system is FreeBSD, we have expiration field set in master.passwd. Will this work to expire radius logins also?

Thanks :)

- Jason
(RADIATOR) static ip customers
Would there be an easy way to set up some way to check for a user's ip and netmask from a db?

%static = (
    "godsey" => "192.168.1.128/25",
    "jason" => "192.168.1.1/32",
    "joe" => "192.168.1.2/32",
);

- Jason
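
Added example, not part of the original post: one way to turn a user-to-CIDR table like the one above into Framed-IP-Address and Framed-IP-Netmask reply values, rejecting malformed entries and flagging overlapping assignments. Using the network's base address as Framed-IP-Address is an assumption of this example, the function names are hypothetical, and the `newcust` entry is constructed.

```python
# Added example, not Radiator code.
import ipaddress

STATIC = {  # entries from the post's %static table
    "godsey": "192.168.1.128/25",
    "jason": "192.168.1.1/32",
    "joe": "192.168.1.2/32",
}
# Constructed entry that collides with godsey's /25.
WITH_CONFLICT = dict(STATIC, newcust="192.168.1.192/26")


def framed_attrs(user, table):
    """Return the static-address reply attributes for `user`, or None."""
    cidr = table.get(user)
    if cidr is None:
        return None
    # strict=True raises ValueError for host bits set, e.g. 192.168.1.1/25,
    # so a mistyped prefix length is caught instead of silently widened.
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "Framed-IP-Address": str(net.network_address),
        "Framed-IP-Netmask": str(net.netmask),
    }


def overlapping(table):
    """Return (user, user) pairs, sorted by name, whose ranges overlap."""
    nets = {u: ipaddress.ip_network(c, strict=True) for u, c in table.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]
```

Running `overlapping()` over the whole table when it is loaded catches two customers being handed the same addresses before either of them logs in.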
Re: (RADIATOR) Logfile size
-rw-r- 1 root wheel 15470156 Feb 28 23:59 detail.1999.02.gz
-rw-r- 1 root wheel 17094556 Mar 31 23:59 detail.1999.03.gz
-rw-r- 1 root wheel 17061311 Apr 30 23:59 detail.1999.04.gz
-rw-r- 1 root wheel 257358389 May 31 23:59 detail.1999.05
-rw-r- 1 root wheel 14702947 Jun 2 16:46 detail.1999.06

We have 2.5k dialup users. Looks like about 8megs/day.

Looks like you'll need much more than 2 20gig drives to keep a year's worth :) (you'll need that for just 2 months)

Each month will eat nearly 30megs if our numbers scale.

- Jason Godsey

On Wed, 2 Jun 1999, ryanm wrote:

> Hello everyone,
>
> I am curious what size my daily logfiles will be with 1+ logins
> a day. I am doing some capacity planning and want to add a couple
> disks to store logging info on. I would appreciate any average
> sizes you have. I have looked at the entries in the detail log
> and 1 login/logout is roughly 800 bytes. I multiplied this out
> by 1 and got 8,000,000 so I am assuming roughly 10 Megs a day??
> I plan on archiving these for up to a year for various reasons so
> was hoping to get 2 20 gig Disks to do this. I also plan on using
> some form of compression scheme.
>
> Thanks for any info anyone can get back to me,
>
> Thanks again,
>
> Ryan
(RADIATOR) Here is a LARGE email outlining the problems I'm having w/ AuthBYUnix/System
Here I run radiator w/ AuthBY unix and system, showing mixed results. If authby system worked w/ shadow on linux, I'd be all set, or if authby unix had a separate directive for passwordfilename, shadowfilename, and groupfilename it'd work also :)

[root@jason raddb]# tail -n 2 /etc/passwd /etc/shadow /etc/group
==> /etc/passwd <==
bob:x:516:516::/home/bob:/bin/bash
bob2:8OdzREbpXQKaY:516:1::/home/bob:/bin/bash

==> /etc/shadow <==
bob2:8OdzREbpXQKaY:10900:0:9:7:-1:-1:134537292
bob:8OdzREbpXQKaY:10900:0:9:7:-1:-1:134537292

==> /etc/group <==
ppp:x:1:bob,jason,root
shutoff:x:11000:jason

(bob2 has primary group of 10k, bob has secondary group of 10k used toward the end)

Radiator Config: (part that matters)

RewriteUsername s/^([^@]+).*/$1/
# This is supposed to work :)

Radiator Output:

User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"
Fri Nov 5 14:55:33 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov 5 14:55:33 1999: DEBUG: Rewrote user name to bob
Fri Nov 5 14:55:33 1999: DEBUG: Deleting session for bob, 203.63.154.1, 1234
Fri Nov 5 14:55:33 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov 5 14:55:33 1999: DEBUG: getpwnam got bob, x, 516, 516, , , , /home/bob, /bin/bash
Fri Nov 5 14:55:33 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob
Fri Nov 5 14:55:33 1999: DEBUG: Radius::AuthSYSTEM REJECT: Bad Encrypted-Password
Fri Nov 5 14:55:33 1999: INFO: Access rejected for bob: Bad Encrypted-Password
Fri Nov 5 14:55:33 1999: DEBUG: Packe
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"
Fri Nov 5 14:55:38 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov 5 14:55:38 1999: DEBUG: Rewrote user name to bob2
Fri Nov 5 14:55:38 1999: DEBUG: Deleting session for bob2, 203.63.154.1, 1234
Fri Nov 5 14:55:38 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov 5 14:55:38 1999: DEBUG: getpwnam got bob2, 8OdzREbpXQKaY, 516, 516, , , , /home/bob, /bin/bash
Fri Nov 5 14:55:38 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob2
Fri Nov 5 1Authentic: 1234567890123456
Attributes:
User-Name = "bob2"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"
Fri Nov 5 15:57:15 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov 5 15:57:15 1999: DEBUG: Rewrote user name to bob2
Fri Nov 5 15:57:15 1999: DEBUG: Deleting session for bob2, 203.63.154.1, 1234
Fri Nov 5 15:57:15 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov 5 15:57:15 1999: DEBUG: Radius::AuthUNIX looks for match with bob2
Fri Nov 5 15:57:Authentic: 1234567890123456
Attributes:
User-Name = "bob"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"
Fri Nov 5 15:58:15 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov 5 15:58:15 1999: DEBUG: Rewrote user name to bob
Fri Nov 5 15:58:15 1999: DEBUG: Deleting session for bob, 203.63.154.1, 1234
Fri Nov 5 15:58:15 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov 5 15:58:15 1999: DEBUG: Radius::AuthUNIX looks for match with bob
Fri Nov 5 15:58:15 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Nov 5 15:58:15 1999: DEBUG: Access accepted for bob
Fri Nov 5 15:58:15 1999: DEBUG: Packet dump:
*** Sending to 192.168.1.1 port 1051
Code: Access-Accept
Identifier: 134
Authentic: 1234567890123456
Attributes:

Here both bob and bob2 are authenticated, however when using a more complex radiator.cfg which uses the users file to check the user's group, we can only use authby unix, not system (first output). AuthBy UNIX checks the user's secondary group just fine, just not the primary.

Fri Nov 5 16:16:04 1999: DEBUG: Handling with Radius::AuthFILE
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthFILE looks for match with bob2
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Nov 5 16:16:04 1999: WARNING: This AuthBy does not know how to check Group membership
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthFILE REJECT: User bob2 is not in Group shutoff
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Fri Nov 5 16:16:04 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov 5 16:16:04 1999: DEBUG: getpwnam got bob2, 8OdzREbpXQKaY, 516, 1, , , , /home/bob, /bin/bash
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob2
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthSYSTEM ACCEPT:
Fri Nov 5 16:16:04 1999: DEBUG: Radius::AuthFILE ACCEPT:
Fri Nov 5 16:16:04 1999: DEBUG: