(RADIATOR) Install error on radiator 2.19?

2001-10-30 Thread Jay West

Greetings;

A few weeks ago we mentioned that on a fresh install of radiator 2.18, which
was being done on a freshly installed FreeBSD 4.4-RELEASE machine, we got an
error message about hostname.pl.

We just did a fresh install of radiator 2.19 on a freshly installed
FreeBSD 4.4 machine and got the same message, but this time regarding
radwho.pl instead of hostname.pl. The exact error message is below along
with the surrounding text... this came from doing a 'make install'

Installing /usr/bin/builddbm
Installing /usr/bin/radiusd
Installing /usr/bin/radwho.pl
Writing
/usr/local/lib/perl5/site_perl/5.005/i386-freebsd/auto/Radius/.packlist
## Differing version of ./radwho.pl found. You might like to
rm /usr/local/lib/perl5/site_perl/5.005/radwho.pl
## Running 'make install UNINST=1' will unlink this file for you.
Appending installation info to /usr/libdata/perl/5.00503/mach/perllocal.pod
host#

Again, like last time, everything seems to work just fine, but I was curious
what this message is.

Jay West

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) Need clarification on AuthSelect with AuthColumnDef

2001-10-18 Thread Jay West

Forgot to mention... the FIRST thing we tried using was the radmin.cfg file
from our older radiator server, which was (and still is) working fine on
that machine... it is

AuthSelect  select PASS_WORD,STATICADDRESS,TIMELEFT,\
NULL,FRAMED_NETMASK,FRAMED_FILTER_ID,\
MAXIDLETIME \
from RADUSERS where \
USERNAME='%n' and BADLOGINS < 5 and \
VALIDFROM < %t and VALIDTO > %t
AuthColumnDef   0,Framed-IP-Netmask,reply
AuthColumnDef   1,Filter-Id,reply
AuthColumnDef   2,Idle-Timeout,reply

This exact config works on the old server, but on the new server the reply
via radpwtst doesn't include the framed-ip-netmask (nor the filter-id, nor
the idle-timeout)

Thanks!

Jay West

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Jay West
Sent: Thursday, October 18, 2001 3:16 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Need clarification on AuthSelect with AuthColumnDef


Can't seem to get radiator 2.18.4 to pass the correct reply items back to
the nas. We used the default radmin.cfg, and implemented the changes at the
top that are listed in the comments for if you want to add things like
Framed-IP-Netmask, Idle-Timeout, etc.

According to the Docs, you can specify your OWN Authselect, and then your
AuthColumnDef should start at 0, with 0 being the first item passed back
AFTER the required first four items. However, this doesn't seem to work (i.e.
the easy example of how to add things like Framed-IP-Netmask doesn't work).
This isn't a database problem or anything, because it does get the
Framed-IP-Address correctly for each user, but there is no Framed-IP-Netmask
in the reply (shown with radpwtst -trace).

Has anyone else run into this, and what is the fix? I have read the docs on
AuthColumnDef and feel like there's some piece that I'm missing. The LAST
attempt I made I tried specifying everything in the reply rather than just
the additions (according to the docs, this isn't necessary, but I was out of
other ideas...)

AuthSelect  select PASS_WORD,\
STATICADDRESS,TIMELEFT,MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID,\
MAXIDLETIME \
from RADUSERS where \
USERNAME='%n' and BADLOGINS < 5 and \
VALIDFROM < %t and VALIDTO > %t
AuthColumnDef   0,User-Password,check
AuthColumnDef   1,Framed-IP-Address,reply
AuthColumnDef   2,Session-Timeout,reply
AuthColumnDef   3,Session-Timeout,reply
AuthColumnDef   4,Framed-IP-Netmask,reply
AuthColumnDef   5,Filter-Id,reply
AuthColumnDef   6,Idle-Timeout,reply

This gets me no Framed-IP-Netmask in the radpwtst -trace

But here is the stock radmin.cfg from the radiator distribution, and I get
the same results...

# You can add extra items to your RADUSERS table and make
# Radiator take note of them with, for example:
# AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
#MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID,MAXIDLETIME \
#from RADUSERS where \
#USERNAME='%n' and BADLOGINS < 5 and \
#VALIDFROM < %t and VALIDTO > %t
# AuthColumnDef   0,Framed-IP-Netmask,reply
# AuthColumnDef   1,Filter-Id,reply
# AuthColumnDef   2,Idle-Timeout,reply
# note that the numbering of AuthColumnDef starts with the
# field following the first 4 minumum and required fields.

This also gets me no Framed-IP-Netmask in the radpwtst -trace

The net effect is we want a stock config, but with the addition of
FRAMED_NETMASK, FRAMED_FILTER_ID, and MAXIDLETIME.

Any ideas???

Jay West




(RADIATOR) Need clarification on AuthSelect with AuthColumnDef

2001-10-18 Thread Jay West

Can't seem to get radiator 2.18.4 to pass the correct reply items back to
the nas. We used the default radmin.cfg, and implemented the changes at the
top that are listed in the comments for if you want to add things like
Framed-IP-Netmask, Idle-Timeout, etc.

According to the Docs, you can specify your OWN Authselect, and then your
AuthColumnDef should start at 0, with 0 being the first item passed back
AFTER the required first four items. However, this doesn't seem to work (i.e.
the easy example of how to add things like Framed-IP-Netmask doesn't work).
This isn't a database problem or anything, because it does get the
Framed-IP-Address correctly for each user, but there is no Framed-IP-Netmask
in the reply (shown with radpwtst -trace).

Has anyone else run into this, and what is the fix? I have read the docs on
AuthColumnDef and feel like there's some piece that I'm missing. The LAST
attempt I made I tried specifying everything in the reply rather than just
the additions (according to the docs, this isn't necessary, but I was out of
other ideas...)

AuthSelect  select PASS_WORD,\
STATICADDRESS,TIMELEFT,MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID,\
MAXIDLETIME \
from RADUSERS where \
USERNAME='%n' and BADLOGINS < 5 and \
VALIDFROM < %t and VALIDTO > %t
AuthColumnDef   0,User-Password,check
AuthColumnDef   1,Framed-IP-Address,reply
AuthColumnDef   2,Session-Timeout,reply
AuthColumnDef   3,Session-Timeout,reply
AuthColumnDef   4,Framed-IP-Netmask,reply
AuthColumnDef   5,Filter-Id,reply
AuthColumnDef   6,Idle-Timeout,reply

This gets me no Framed-IP-Netmask in the radpwtst -trace

But here is the stock radmin.cfg from the radiator distribution, and I get
the same results...

# You can add extra items to your RADUSERS table and make
# Radiator take note of them with, for example:
# AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
#MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID,MAXIDLETIME \
#from RADUSERS where \
#USERNAME='%n' and BADLOGINS < 5 and \
#VALIDFROM < %t and VALIDTO > %t
# AuthColumnDef   0,Framed-IP-Netmask,reply
# AuthColumnDef   1,Filter-Id,reply
# AuthColumnDef   2,Idle-Timeout,reply
# note that the numbering of AuthColumnDef starts with the
# field following the first 4 minumum and required fields.

This also gets me no Framed-IP-Netmask in the radpwtst -trace

The net effect is we want a stock config, but with the addition of
FRAMED_NETMASK, FRAMED_FILTER_ID, and MAXIDLETIME.

Any ideas???

Jay West




(RADIATOR) Radiator install issue (plus Radmin)

2001-10-15 Thread Jay West


Greetings;

Getting ready to upgrade from an old version of Radiator to the latest. Set
the new version up on a different set of servers so we can do a clean
cutover. Our environment is AuthbyRADMIN using one server for the Radmin
website, a second server for Radiator, and a third server for MySQL.

1) Upon installing Radiator on a fresh FreeBSD 4.4 machine, we got a message
similar to the following...
Differing version of ./hostname.pl
you may want to
rm /usr/libdata/perl/5.00503/hostname.pl
a make install UNIST=1 will unlink this for you

What exactly does this mean, and what is the suggested course of action?

2) The install program for Radmin appears to still assume that your
webserver machine is on the same machine as Radiator (not a great
assumption, IMHO). Exactly what pieces of Radmin need to be hand copied over
to the Radiator machine from the webserver, and what is the procedure for
this?

Thanks in advance!

Jay West




RE: (RADIATOR) Update: radiator 2.16.3 perhaps broken? HELP!

2000-09-14 Thread Jay West

Someone wrote
--
New install, FreeBSD 4.1r, DBI-1.14, Data-ShowTable-3.3,
Msql-Mysql-modules-1.2215, MySQL 3.22.32, Radiator-2.16.3

It all works just fine for me. We installed it clean on 2 machines, one
using the FreeBSD packages, another from source only. In both cases we had
success.
--

Now this just doesn't make any sense! Several people mentioned they've
gotten it to work using the same versions that I am. However, they mentioned
doing it from FreeBSD packages, not from FreeBSD ports as I am.

Here's the process I go through...

fresh install of FreeBSD v4.1 from the 4.1 distribution CDROM. During
installation select "Yes" to install the ports collection. Do a cd to
/usr/ports/databases/p5-Mysql and do a make & make install. Do the same for
the other needed software (/usr/ports/security/p5-MD5,
/usr/ports/databases/mysqlclient, etc. etc.). I'm going from memory here but
you get the idea, I'm using the ports collection to get everything, not the
packages collection and not from original source.

I've installed FreeBSD and most of these ports thousands of times... I can't
believe I'm screwing something up here.

Then I do the exact word for word install of Radiator-2.16.3. The make test
runs fine. However, if I put a call to start up radiusd in
/etc/rc.local, I get an error message about DBD/mysql.pm and something
about can't load libmysql.so from dynamic.pm or somesuch message. The
interesting thing is that the libraries and modules it's complaining about
ARE there in the spot indicated by @INC (right in the message). However,
running the test suites that come with DBI and DBD do run fine against my
mysql servers.

I'm still baffled. I can reproduce this problem at will every time. I wonder
if the problem is the ports collection since the person above mentioned that
it works from packages and source for him.

Any help is most appreciated!

Jay West


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Update: radiator 2.16.3 perhaps broken? HELP!

2000-09-13 Thread Jay West

Hugh wrote
---
It sounds like either DBI or DBD is not installed properly.

I am using DBI-1.08, Msql-Mysql-modules-1.2200 and mysql-3.22.24.
---

No wonder it works for you, you're using really ancient versions :) Several
of the versions you mention above (or their dependencies) aren't easily
found anymore since they're so old.

Can someone help here? I'm beginning to wonder if Radiator works on FreeBSD
4.1 at all. The problem does appear to be radiator. The mysql client works
just fine, and the tests included with both DBI and DBD pass just
wonderfully, thus Radiator is the only thing left that doesn't appear to
work right, as short perl scripts calling DBI/DBD do seem to work ok.

Here's what we've got loaded (including dependencies for stuff unrelated):

gd-1.8.3
gnuplot-3.7.1
jpeg-6b
libtool-1.3.4
mysql-client-3.22.32
p5-DBI-1.13 (also tried 1.14, same problem)
p5-Data-ShowTable-3.3
p5-MD5-1.7
p5-Mysql-modules-1.2213 (also tried 1.2214, same problem)
p5-Net-Daemon-0.29 (also tried 0.31, same problem)
p5-PlRPC-0.2012
p5-Storable-0.6.11 (also tried 0.7.4, same problem)
png-1.0.7 (also tried 1.0.8, same problem)

Of course, the OS is FreeBSD 4.1 and Radiator 2.16.3 with all 2.16.3
patches.

I'm gonna make a wild guess (I'm not a perl programmer) that on FreeBSD 4x
and associated ports, something major has changed in library names or
structures that Radiator can't deal with. If it doesn't take long, I might
be willing to pay the consulting time for Radiator to be brought up to speed
with FreeBSD 4x. We need this up quickly as the old machine is dying. There
have been so many cert advisories on 3.3 that we really don't want to run
and patch that.

Help? Any ideas?

Jay West






(RADIATOR) radiator 2.16.3 perhaps broken? HELP!

2000-09-12 Thread Jay West

We're getting ready to replace a radiator machine with a newer piece of
gear.

The new machine has an OS of FreeBSD 4.1. Loaded the latest non-beta copy of
radiator. Using mysql 3.22.32 on a different server. make test works ok.
However, when the system boots and starts the radius daemon, here's the
message I get.

Can't read $DBI::errstr, last handle unknown or destroyed at
/usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 137,  chunk
13.

We were using p5-DBI v1.13, tried upgrading to p5-DBI v1.14 with same
results. The mysql clients can connect to the database server and read
tables just fine.

Any ideas?

Jay West






(RADIATOR) setting ports by radius client?

2000-07-17 Thread Jay West


Our NAS devices and radiator server use ports 1812 and 1813 for
authentication and accounting.

We just added another NAS that needs to use 1646 for accounting - that
cannot be changed.

So we have a choice - reconfigure everything to use 1645/1646, or

is there a way to let radiator accept accounting packets on either 1813 or
1646 (but keep authentication on 1812 only)? Or better yet, use 1812/1813 for
all our gear except this one particular nas and have only this nas use 1812
for authentication and 1646 for accounting?

Thanks in advance!

Jay West





Re: (RADIATOR) advice requested on high availability configuration

2000-04-07 Thread Jay West

Hugh wrote...
> I would be inclined to put a UDP redirector in front of your Radiator hosts
> to transparently handle any number of hosts at a single IP address.

No problem, basically the cisco can do this - on later releases of IOS you
can specify load balancing between multiple radius hosts.

> Then I would put my SQL database on a dual-port RAID box and have both
> servers access the same database. I would also have a single session
> database for multiple logon restriction.

This is a major no-no for high availability. It's a glaring single point of
failure. We're hard over on not having any single points of failure,
especially with our authentication services. It's true that having a single
sql box with two separate dual channel controller cards going to drives that
mirror from one controller to the other is a good thing. But there are more
frequent problems that can be encountered than disk/controller failures.
Someone pulls an ethernet cable. The video card or motherboard dies causing
the system to die, the OS crashes, etc. There just has to be a better way of
handling the back end.

> And no, there are no problems with multiple radiator machines querying a
> single database.

What I meant by that last question was slightly different. Here's what I was
thinking. Set the cisco to do round-robin between the two different radius
servers - thus load balancing. Each subsequent aaa request would go to the
other radius server. Both radius servers would be configured to try one sql
database (on sql machine1) and then another sql database (on sql machine2).
This would be accomplished I believe in the radius config file. I seem to
recall seeing that the radius config file can contain multiple authbySQL's
(or in my case multiple authbyRADMIN's) for a single realm and thus radius
would try one and then the next. If it didn't get a response from one, it
would start using the other one until it didn't get a response from that one
and then would move back to the first. At least, I seem to remember it being
documented that way - I haven't tried it. This would seem to solve all my
problems except I have two concerns. First, would it not be possible that
one of the sql machines might go down, and one of the radius servers sees it
so it switches to the other sql machine. Then say the failed sql machine was
only down a split second and came back up before the next radius server
tried to authenticate. Then you would have each radius machine talking to
two different sql servers. This isn't that bad except for two items - I
suspect your "users online" database would be messed up, and if you were
trying to do simultaneous login checking it would be REALLY messed up. There
are other scenarios I can think of that would cause the two radius machines
to each be looking at a different sql server.

I can't seem to get my head around this problem - but there just has to be a
way :) Any advice is most appreciated!

Jay West






(RADIATOR) advice requested on high availability configuration

2000-04-06 Thread Jay West

I'm not sure if this went out to the list, so pardon me if I'm reposting...

> Current setup:
> Two FreeBSD machines, each one running radiator (radius1 and radius2)
> Two FreeBSD machines, each one running MySQL for the radiator database
> (mysql1 and mysql2)
> Cisco 3640 router (NAS) terminating L2F sessions for each dialup user
>
> The cisco 3640 is set to try authenticating via radius first on radius1, and
> if that times out to authenticate on radius2. Radius1 uses the SQL database
> on mysql1 and radius2 uses the SQL database on mysql2. There are some high
> availability problems with this setup - if mysql1 goes down, the cisco won't
> know it and will keep querying radius1. The cisco does support (at the
> latest IOS release) rotating between multiple radius servers, but that would
> only let half the folks in.
>
> Changes I want to make:
> What's the best way to set up high availability so that any host (except the
> router) can fail and things will still work? I'm not currently using
> maxlogins (or simultaneous-logins or maxsessions or whatever) but do plan to
> in the very near future. I see many possibilities - but the first one I'm
> thinking of is to set each of the two radius servers to query sql1 and if
> that fails query sql2 (this done via specifying multiple sql servers in the
> radius config file). But then the question becomes how to keep the databases
> in sync between sql1 and sql2. I could set up some batch process to copy the
> databases nightly, but doesn't this get in the way of trying to enforce
> multiple logon limits?
>
> On a directly related note - is there any problems with having two copies of
> radiator - one on each machine - working on the same database?
>
> Any hints from those who've done this before?? Net result should be two
> radiator machines and two sql machines and any one can fail.
>
> Thanks in advance!
>
> Jay West






(RADIATOR) radmin help with framed filter id

2000-04-05 Thread Jay West

We're using the default Radmin database. Some of our users have a
framed_filter_id and some do not. We found that if the FRAMED_FILTER_ID
field in the RADUSERS table is set to nothing - not null, just no value,
that radiator will send a reply attribute of Frame-Filter-ID = "". If it is
set to NULL then radiator doesn't send a framed-filter-id at all.

So - all the users that have filter id's have them in that field, all other
users have them set to null. However, when we add a new user through the web
cgi scripts, it sets the framed-filter-id to nothing - not null. Thus users
added with the web pages can't log in.

Is this a bug or did I set something up wrong?

Jay West
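The two mappings argued over in these posts (the AuthColumnDef offset rule the stock radmin.cfg comment states, "numbering starts with the field following the first 4 required fields", and the empty-string versus NULL FRAMED_FILTER_ID behaviour described just above) in a small Python model. This is an added illustration, not Radiator's own code: the column-to-attribute logic only follows what the quoted comment and the reported symptom say, and the sample rows are constructed from the configs quoted here.

```python
import re

# Leading columns AuthRADMIN requires in every AuthSelect (PASS_WORD,
# STATICADDRESS, TIMELEFT, MAXLOGINS or a NULL placeholder).  Per the stock
# radmin.cfg comment, AuthColumnDef 0 is the column that follows them.
REQUIRED_COLUMNS = 4

# Constructed sample taken from the AuthSelect/AuthColumnDef lines quoted
# on the list (NULL standing in for MAXLOGINS).
AUTH_SELECT = """select PASS_WORD,STATICADDRESS,TIMELEFT,\\
NULL,FRAMED_NETMASK,FRAMED_FILTER_ID,\\
MAXIDLETIME \\
from RADUSERS where \\
USERNAME='%n' and BADLOGINS < 5 and \\
VALIDFROM < %t and VALIDTO > %t"""

COLUMN_DEFS = """AuthColumnDef   0,Framed-IP-Netmask,reply
AuthColumnDef   1,Filter-Id,reply
AuthColumnDef   2,Idle-Timeout,reply"""

# The "specify everything" attempt from the same thread: under the offset
# rule its indexes cannot line up with a 7-column select list.
EVERYTHING_DEFS = """AuthColumnDef   0,User-Password,check
AuthColumnDef   1,Framed-IP-Address,reply
AuthColumnDef   2,Session-Timeout,reply
AuthColumnDef   3,Session-Timeout,reply
AuthColumnDef   4,Framed-IP-Netmask,reply
AuthColumnDef   5,Filter-Id,reply
AuthColumnDef   6,Idle-Timeout,reply"""

# Constructed RADUSERS rows in select-list order.  ROW_WEB_ADDED models a
# user created through the radmin CGI: FRAMED_FILTER_ID is '' rather than NULL.
ROW_MANUAL = ("secret", "10.0.0.5", 3600, None, "255.255.255.0", None, 600)
ROW_WEB_ADDED = ("secret", "10.0.0.6", 3600, None, "255.255.255.0", "", 600)


def parse_select_columns(auth_select):
    """Return the column list of an AuthSelect, honouring the backslash
    line continuations radmin.cfg uses."""
    joined = " ".join(l.strip().rstrip("\\").strip() for l in auth_select.splitlines())
    m = re.match(r"select\s+(.*?)\s+from\s", joined, re.I | re.S)
    if not m:
        raise ValueError("AuthSelect is not a 'select ... from' statement")
    return [c.strip() for c in m.group(1).split(",")]


def parse_column_defs(cfg_text):
    """Parse 'AuthColumnDef N,Attribute,check|reply' lines into tuples."""
    defs = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line.startswith("AuthColumnDef"):
            continue
        idx, attr, kind = [p.strip() for p in line.split(None, 1)[1].split(",")]
        defs.append((int(idx), attr, kind))
    return defs


def explain_mapping(columns, defs):
    """For each AuthColumnDef, the select column it reads under the offset
    rule, or None when the index points past the end of the select list."""
    out = []
    for idx, attr, _kind in defs:
        col = REQUIRED_COLUMNS + idx
        out.append((attr, columns[col] if col < len(columns) else None))
    return out


def row_to_items(columns, defs, row, empty_is_null=False):
    """Turn one result row into {'check': {...}, 'reply': {...}}.

    A SQL NULL (None) means the attribute is not sent at all, matching the
    behaviour reported for FRAMED_FILTER_ID.  An empty string is sent as
    Filter-Id = "" unless empty_is_null is set, the hardened variant in which
    a blank column is treated exactly like NULL."""
    check, reply = {}, {}
    for idx, attr, kind in defs:
        col = REQUIRED_COLUMNS + idx
        if col >= len(columns):
            raise IndexError(f"AuthColumnDef {idx} ({attr}) points past the select list")
        value = row[col]
        if value is None or (empty_is_null and value == ""):
            continue
        (check if kind == "check" else reply)[attr] = value
    return {"check": check, "reply": reply}


if __name__ == "__main__":
    cols = parse_select_columns(AUTH_SELECT)
    defs = parse_column_defs(COLUMN_DEFS)
    print("manually added user:", row_to_items(cols, defs, ROW_MANUAL)["reply"])
    print("web-added user:     ", row_to_items(cols, defs, ROW_WEB_ADDED)["reply"])
    print("'' treated as NULL: ",
          row_to_items(cols, defs, ROW_WEB_ADDED, empty_is_null=True)["reply"])
    for attr, col in explain_mapping(cols, parse_column_defs(EVERYTHING_DEFS)):
        print(f"{attr:20s} -> {col or 'past end of select list'}")
```

Running it shows the web-added user receiving Filter-Id = "" (the symptom reported) while the manually added user gets no Filter-Id at all, and shows that under the offset rule the seven-entry "specify everything" config reads FRAMED_NETMASK as User-Password and leaves indexes 3 to 6 with no column to read.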





(RADIATOR) advice requested on high availability configuration

2000-04-04 Thread Jay West

Current setup:
Two FreeBSD machines, each one running radiator (radius1 and radius2)
Two FreeBSD machines, each one running MySQL for the radiator database
(mysql1 and mysql2)
Cisco 3640 router (NAS) terminating L2F sessions for each dialup user

The cisco 3640 is set to try authenticating via radius first on radius1, and
if that times out to authenticate on radius2. Radius1 uses the SQL database
on mysql1 and radius2 uses the SQL database on mysql2. There are some high
availability problems with this setup - if mysql1 goes down, the cisco won't
know it and will keep querying radius1. The cisco does support (at the
latest IOS release) rotating between multiple radius servers, but that would
only let half the folks in.

Changes I want to make:
What's the best way to set up high availability so that any host (except the
router) can fail and things will still work? I'm not currently using
maxlogins (or simultaneous-logins or maxsessions or whatever) but do plan to
in the very near future. I see many possibilities - but the first one I'm
thinking of is to set each of the two radius servers to query sql1 and if
that fails query sql2 (this done via specifying multiple sql servers in the
radius config file). But then the question becomes how to keep the databases
in sync between sql1 and sql2. I could set up some batch process to copy the
databases nightly, but doesn't this get in the way of trying to enforce
multiple logon limits?

On a directly related note - is there any problems with having two copies of
radiator - one on each machine - working on the same database?

Any hints from those who've done this before?? Net result should be two
radiator machines and two sql machines and any one can fail.

Thanks in advance!

Jay West





(RADIATOR) Possible bug in newest version of AuthRADMIN???

2000-04-03 Thread Jay West

Because AuthRADMIN.pm was ignoring the Trace level, we upgraded to the
latest AuthRADMIN.pm from the website patch area.

Now when a user authenticates, Radiator gives the following message and the
daemon dies...

Can't locate object method "getOneRow" in
/usr/local/lib/perl/site_perl/5.005/Radius/AuthRADMIN.pm line 97

I'm not sure if I typed the path correctly, but you get the idea

Is this in fact broken or is it my misconfiguration?

Jay West





(RADIATOR) radmin enhancement request

2000-04-03 Thread Jay West

I was wondering if it would be possible to include something like "user
permissions" in an upcoming release of radmin.

For example - we want tech support staff to be able to get into the radmin
website and look at user data, but not be able to change anything.
Administration staff should be able to change things. Specifically, we don't
want tech support to be able to put in an ip address for the user. They've
been known to type in our router IP address to get assigned to a ppp user :)
But it's not just IP addresses - they need to see a user but not update
them, and they need access to the logs, etc. I know this can be done via
.htpasswd type structures, but before I go setting up stuff like that I
was wondering if there might be thoughts of doing this in the vanilla
package. That way my stuff doesn't just stop working when I upgrade radmin
:)

Also - it would be nice if the radmin webpages for viewing messages and
usagelogs had a button to clear the log. If the above change was
implemented, this would be an admin only feature.

One other thing - it'd be nice if one could access the other files (like
radclients for example) on the web instead of user radusers.

Just a few thoughts - thanks for a great product!

Jay West





(RADIATOR) AuthbyRADMIN logging file problems?

2000-04-03 Thread Jay West

We're having problems with the logfile stuff when using radmin.

Here's our radmin.cfg file:

==begin paste
AuthPort 1812
AcctPort 1813
DictionaryFile /usr/local/etc/raddb/dictionary
PidFile  /var/run/radiusd.pid
Trace  3
LogDir  /var/log/radius
LogFile  logfile


 DBSource dbi:mysql:radmin:pearl.tseinc.com
 DBUsername aa
 DBAuth  



 DBSource dbi:mysql:radmin:pearl.tseinc.com
 DBUsername aaa
 DBAuth  



 
  DBSource dbi:mysql:radmin:pearl.tseinc.com
  DBUsername aaa
  DBAuth  

  # Dont check MAXLOGINS, but do take note of these...
  # FRAMED_NETMASK,FRAMED_FILTER_ID,MAXIDLETIME
  AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
NULL,FRAMED_NETMASK,FRAMED_FILTER_ID,\
MAXIDLETIME \
from RADUSERS where \
USERNAME='%n' and BADLOGINS < 5 and \
VALIDFROM < %t and VALIDTO > %t
  AuthColumnDef 0,Framed-IP-Netmask,reply
  AuthColumnDef 1,Filter-Id,reply
  AuthColumnDef 2,Idle-Timeout,reply

  AccountingTable RADUSAGE
  AcctColumnDef USERNAME,User-Name
  AcctColumnDef TIME_STAMP,Timestamp,integer
  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
  AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
  AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
  AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
  AcctColumnDef ACCTSESSIONID,Acct-Session-Id
  AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
  AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
  AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
  AcctColumnDef NASIDENTIFIER,NAS-Identifier
  AcctColumnDef NASIDENTIFIER,NAS-IP-Address
  AcctColumnDef NASPORT,NAS-Port,integer
  AcctColumnDef DNIS,Called-Station-Id

  AcctSQLStatement update RADUSERS set
TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'

  AddToReply Service-Type = Framed-User, \
Framed-Protocol = PPP,\
   Framed-Routing = None,\
   Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
 

=end paste==

Several problems...

1) Even though we have Trace set to 3, radiator is logging lots of level 4
messages (to RADMESSAGES) which are quite annoying and voluminous :) Any way
to tell it that trace 3 means just trace 3 and lower?

2) Radiator set up as above is logging to three places
/var/log/radius/logfile, /usr/local/etc/raddb/logfile, and the RADMESSAGES
table. Is there any way to tell it to log to RADMESSAGES via SQL ONLY -
nowhere else?

THANKS for any input!

Jay West






Re: (RADIATOR) Help! Argh! problems with radmin.cfg

2000-03-30 Thread Jay West

Hugh wrote...
> The only possibilities I can think of are that you perhaps forgot the ","
> between MAXLOGINS and FRAMED_NETMASK, or that the field FRAMED_NETMASK is
> not defined in your database.
>
> Have a look at the trace 4 debug output to see exactly what Radiator is
> doing with the database, and you can also set the DBI debugging
> environment variable to get lots of debug information out of DBI/DBD.

Nope, I didn't forget the "," and the field FRAMED_NETMASK is definitely
defined in the database.

Here's the debug level 4 for the userid/password in question, so you can see
it just says bad password. The ONLY change between working and non-working
was the addition of FRAMED_NETMASK to the AuthSelect and then adding
AuthColumnDef 4,Framed-IP-Netmask,reply.

==debug output
Type Time stamp Message
4 03/30/2000 14:08 Handling request with Handler 'Realm=DEFAULT'

4 03/30/2000 14:08 Deleting session for jlwest, 209.83.134.1, 1234

4 03/30/2000 14:08 do query is: delete from RADONLINE where
NASIDENTIFIER='209.83.134.1' and NASPORT=01234

4 03/30/2000 14:08 Handling with Radius::AuthRADMIN

4 03/30/2000 14:08 do query is: insert into RADMESSAGES (TIME_STAMP, TYPE,
MESSAGE) values (954446903, 4, 'Handling with Radius::AuthRADMIN')

4 03/30/2000 14:08 Handling with Radius::AuthRADMIN

4 03/30/2000 14:08 Handling with Radius::AuthRADMIN

4 03/30/2000 14:08 do query is: insert into RADMESSAGES (TIME_STAMP, TYPE,
MESSAGE) values (954446903, 4, 'Handling with Radius::AuthRADMIN')

4 03/30/2000 14:08 Handling with Radius::AuthRADMIN

4 03/30/2000 14:08 Query is: select
PASS_WORD,STATICADDRESS,TIMELEFT,MAXLOGINS,FRAMED_NETMASK from RADUSERS
where USERNAME='jlwest' and BADLOGINS < 5 and VALIDFROM < 954446903 and
VALIDTO > 954446903

4 03/30/2000 14:08 Radius::AuthRADMIN looks for match with jlwest

4 03/30/2000 14:08 do query is: insert into RADMESSAGES (TIME_STAMP, TYPE,
MESSAGE) values (954446903, 4, 'Radius::AuthRADMIN looks for match with
jlwest')

4 03/30/2000 14:08 Radius::AuthRADMIN looks for match with jlwest

4 03/30/2000 14:08 Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID
from RADONLINE where USERNAME='jlwest'

4 03/30/2000 14:08 Radius::AuthRADMIN REJECT: Bad Password

4 03/30/2000 14:08 do query is: insert into RADMESSAGES (TIME_STAMP, TYPE,
MESSAGE) values (954446903, 4, 'Radius::AuthRADMIN REJECT: Bad Password')

4 03/30/2000 14:08 Radius::AuthRADMIN REJECT: Bad Password

4 03/30/2000 14:08 do query is: update RADUSERS set BADLOGINS=BADLOGINS+1
where USERNAME='jlwest'

4 03/30/2000 14:08 Query is: select
PASS_WORD,STATICADDRESS,TIMELEFT,MAXLOGINS,FRAMED_NETMASK from RADUSERS
where USERNAME='DEFAULT' and BADLOGINS < 5 and VALIDFROM < 954446903 and
VALIDTO > 954446903

3 03/30/2000 14:08 Access rejected for jlwest: Bad Password




(RADIATOR) Help! Argh! problems with radmin.cfg

2000-03-30 Thread Jay West

Again...

We're trying to convert from the sample radiator sql database to the sample
radmin sql database. I'm having problems specifying the AuthColumnDef stuff
properly (I think). To start with, I know I need to specify my own
AuthSelect and AuthColumnDef's when using AuthbyRADMIN if you want
additional attributes. To start out simple, I created a radmin.cfg that just
specifies the exact same AuthSelect and AuthColumnDef stuff that the
AuthRADMIN.pm does already by default. Here is the radmin.cfg that works
(note the rest of the problem is described below the radmin.cfg text)...

=
AuthPort 1812
AcctPort 1813
DictionaryFile /usr/local/etc/raddb/dictionary
PidFile  /var/run/radiusd.pid


 DBSource dbi:mysql:radmin:pearl.tseinc.com
 DBUsername 
 DBAuth  
 Table  RADMESSAGES
 Trace  4



 DBSource dbi:mysql:radmin:pearl.tseinc.com
 DBUsername 
 DBAuth  



 DBSource dbi:mysql:radmin:pearl.tseinc.com
 DBUsername 
 DBAuth  



 
  DBSource dbi:mysql:radmin:pearl.tseinc.com
  DBUsername 
  DBAuth  

  AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
MAXLOGINS \
from RADUSERS where \
USERNAME='%n' and BADLOGINS < 5 and \
VALIDFROM < %t and VALIDTO > %t
  AuthColumnDef 0,User-Password,check
  AuthColumnDef 1,Framed-IP-Address,reply
  AuthColumnDef 2,Session-Timeout,reply
  AuthColumnDef 3,Simultaneous-Use,reply

  AccountingTable RADUSAGE
  AcctColumnDef USERNAME,User-Name
  AcctColumnDef TIME_STAMP,Timestamp,integer
  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
  AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
  AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
  AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
  AcctColumnDef ACCTSESSIONID,Acct-Session-Id
  AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
  AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
  AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
  AcctColumnDef NASIDENTIFIER,NAS-Identifier
  AcctColumnDef NASIDENTIFIER,NAS-IP-Address
  AcctColumnDef NASPORT,NAS-Port,integer
  AcctColumnDef DNIS,Called-Station-Id

  AcctSQLStatement update RADUSERS set
TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'

  AddToReply Service-Type = Framed-User, \
Framed-Protocol = PPP,\
   Framed-Routing = None,\
   Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
 

=


The above works fine, and radpwtst works fine too. Here's the change - I
want to also pass to the NAS the Framed-IP-Netmask, as well as the above
default fields. The *ONLY* change I make to the above config file is to add
the field "FRAMED_NETMASK" to the above AuthSelect right after MAXLOGINS
(but before the \). Then I add a AuthColumnDef after the last one (ex.
AuthColumnDef 4,Framed-IP-Netmask,reply). Those two things are all I change.
Now when I run radpwtst, it tells me the user was rejected with a bad
password. I know the password is correct, because radpwtst worked with the
same userid/password combination before those two changes to radmin.cfg were
made.

HELP! I've spent days messing with this already and am getting flustered.
What am I doing wrong?

OS: FreeBSD 3.3, Radiator 2.15, Radmin 1.3. My code is freshly installed and
unmodified except one source code change. I changed the update to the log
file in LogSQL.pm to use TYPE instead of the (problematic) PRIORITY.

Thanks *VERY* much in advance!

Jay West





(RADIATOR) bothersome error messages (radmin.cfg)

2000-03-30 Thread Jay West

Ok, it appears to be a bug or an oversight at least

Radiator creates the log file (RADLOG) with columns TIMESTAMP, PRIORITY, and
MESSAGE (or thereabouts). The insert statement in LogSQL is hardcoded for
these column names.

However, when RADMIN creates its log file (RADMESSAGES) it creates the
columns TIMESTAMP, TYPE, and MESSAGE. But there is no LOG RADMIN clause in
your config file, so you're supposed to just use the LOG SQL clause. This
chokes because there is no PRIORITY column.

So what's the best way to fix this? You can't specify a different insert
command with the right columns in your LOG SQL clause in your config file
(ok, you could hack up the LogSQL.pm code, but I don't want to).

For the future release to fix this, I would see several options...

1) When the radmin install procedure creates its log file (RADMESSAGES),
have it use the same column names as Radiator does for RADLOG
or
2) Create a LOG RADMIN clause to use instead of LOG SQL that does the right
insert statement
or
3) Allow users to specify their own update statement in the LOG SQL clause in
the config file so they can specify any columns they want

I'd like to know how the authors intend to address this so that my "quick
and dirty" workaround doesn't get stepped on by future releases.

Thanks!

Jay West







(RADIATOR) Bothersome error message started with radmin.config

2000-03-29 Thread Jay West

When I change from radius.cfg to radmin.cfg upon starting radiator, it
coughs with the following messages:

garnet# /usr/bin/radiusd -config_file /usr/local/etc/raddb/radmin.cfg
garnet# DBD::mysql::db do failed: Unknown column 'PRIORITY' in 'field list'
at /usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 228.
DBD::mysql::db do failed: Unknown column 'PRIORITY' in 'field list' at
/usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 228.

garnet#

I can't find any reference to PRIORITY in the SqlDb.pm file though.

The server seems to still start and respond, but I'm not sure if it's
working correctly.

Any ideas what's causing the above and how to fix it?

OS: FreeBSD v3.3Release, Radiator 2.15, Radmin 1.3

Thanks

Jay West





Re: (RADIATOR) radmin help, additional check/reply items

2000-03-29 Thread Jay West

Mike wrote
> IN AuthBy RADMIN, you can use AuthSelect and AuthColumnDef to specify
> _additional_ SQL columns beyond the ones that are used by default. For
> example, to also get FRAMED_FILTER_ID and FRAMED_NETMASK from the database,
> and put them in Filter-Id and Framed-IP-Netmask reply attributes, add
> something like this to your AuthBy RADMIN:
>
> AuthSelect ,FRAMED_FILTER_ID,FRAMED_NETMASK
> AuthColumnDef 0,Filter-Id,reply
> AuthColumnDef 1,Framed-IP-Netmask,reply

Quick followup to save me testing time :)..

I didn't know that in AuthSelect you could do the ",x" thing to just add
fields rather than respecifying them all (and that the AuthColumnDef numbers
were relative to the additional fields rather than all of them). I'm using
Radiator 2.14.1 and Radmin 1.3. Is that syntax valid or do I need to specify
them all?

Thanks so much!

Jay West






(RADIATOR) radmin help, additional check/reply items

2000-03-28 Thread Jay West

Ok, I'm probably being obtuse here, but I can't see the forest for the trees
;)

We're trying to convert from the default SQL database supplied with radiator
to the default SQL database supplied with radmin.

There are several reply attributes that we use for every user (and they are
different for each user): FRAMED_FILTER_ID and FRAMED_NETMASK

These are defined in the RADUSERS file. From what I've seen gazing through
the code (I'm NOT a perl programmer) it would appear that by default these
fields are not used (like they aren't in the default SQL database in
radiator; in radiator you need to explicitly add an AuthSelect that pulls
the CHECKATTR and REPLYATTR data for any extra items, the above two
included). I want to basically do the same thing with the Radmin stuff. I
was thinking you just need to specify an AuthSelect in  to
return the additional fields, but the plot thickens

In AuthRADMIN.pm, it appears that they already modify the default AuthSelect
(is this perchance documented anywhere?) to include things like
STATICADDRESS, MAXLOGINS, etc. This would make me think I just need to put
in my own AuthSelect in the radius config file, but when looking at that
code it has a comment about pulling extra things from RADCONFIG and
RADATCONFIG. So... this makes me think I might be heading down the wrong
path and not using something that might already be built in.

So what do I need to do here to have radiator honor these fields in the
radmin database: just specify an AuthSelect that also selects things like
FRAMED_FILTER_ID and FRAMED_NETMASK, or do I need to hack up AuthRADMIN.pm,
or do I just need to add some stuff to the RADCONFIG and RADATCONFIG tables,
or a combination of the above? Hopefully I'm making SOME sense at least.

Any help/advice is most appreciated!

Jay West





(RADIATOR) misc. radmin stuff

2000-03-27 Thread Jay West

If I understand the last post Hugh sent on the subject:

The valid-to date in the sample SQL database does not support being "blank"
and meaning "no expiration date". First, I'd like to ask what exactly uses
the valid-from and valid-to fields. It appears that they are not used at
all? Several followup questions come to mind:

1) It does not appear that radiator will use the valid-from and valid-to
fields. Is this correct?
2) How would one go about making radiator use those two fields, if it
doesn't already?
3) Since all the reporting stuff in radmin allows either a from or to date
(ie. one or the other or both can be blank) wouldn't it be a sane request to
ask that the valid-to date be allowed to be blank, thus meaning no
expiration date? Same for valid-from.

There's a lot of fields and tables in the sample radmin database that don't
appear to be used. RADATTRS, RADSERVICES, RADSTCONFIG, RADVALUES, etc. Are
these values in fact not used by radiator or radmin? It would appear that
the documentation for radmin is lacking in this point.

Thanks for any advice you can give!

Jay West





(RADIATOR) quick radmin question - valid to

2000-03-24 Thread Jay West

Greetings!

We're trying to get radmin up and running, and converting from radiator's
default sql database format to the default sql database format that radmin
creates.

The radmin "adduser" webpage asks for a valid from date and valid to date.
For valid from, it accepts "now" which is fine - but we don't normally use
expiration dates for most accounts. What can we put in this field to
indicate "no expiration date". We want to be able to put in an expiration
date for some accounts, but not all. I could just put in something like
"99year" but this seems somewhat silly.

What's the best solution?

Thanks in advance!

Jay West





(RADIATOR) Fw: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server

2000-02-29 Thread Jay West

Because many of the folks here use MySQL, I thought this was appropriate to
cross-post here. This affects mysql server v3.22 on any platform, not just
FreeBSD.

Jay West
- Original Message -
From: FreeBSD Security Officer <[EMAIL PROTECTED]>; FreeBSD
Security Officer <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 28, 2000 11:26 PM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server


> -BEGIN PGP SIGNED MESSAGE-
>
> =============================================================================
> FreeBSD-SA-00:05                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:  MySQL allows bypassing of password authentication
>
> Category:   ports
> Module: mysql322-server
> Announced:  2000-02-28
> Affects:Ports collection before the correction date.
> Corrected:  2000-02-15
> FreeBSD only:   NO
>
> I.   Background
>
> MySQL is a popular SQL database client/server distributed as part of the
> FreeBSD ports collection.
>
> II.  Problem Description
>
> The MySQL database server (versions prior to 3.22.32) has a flaw in the
> password authentication mechanism which allows anyone who can connect to
> the server to access databases without requiring a password, given a valid
> username on the database - in other words, the normal password
> authentication mechanism can be completely bypassed.
>
> MySQL is not installed by default, nor is it "part of FreeBSD" as such: it
> is part of the FreeBSD ports collection, which contains over 3100
> third-party applications in a ready-to-install format.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security audit
> of the most security-critical ports.
>
> III. Impact
>
> The successful attacker will have all of the access rights of that
> database user and may be able to read, add or modify records.
>
> If you have not chosen to install the mysql322-server port/package, then
> your system is not vulnerable.
>
> IV.  Workaround
>
> Use appropriate access-control lists to limit which hosts can initiate
> connections to MySQL databases - see:
>
> http://www.mysql.com/Manual_chapter/manual_Privilege_system.html
>
> for more information. If unrestricted remote access to the database is not
> required, consider using ipfw(8) or ipf(8), or your network perimeter
> firewall, to prevent remote access to the database from untrusted machines
> (MySQL uses TCP port 3306 for network communication). Note that users who
> have access to machines which are allowed to initiate database connections
> (e.g. local users) can still exploit the security hole.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the mysql322-server
> port.
>
> 2) Reinstall a new package obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-server-3.22.32.tgz
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/mysql-server-3.22.32.tgz
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/mysql-server-3.22.32.tgz
>
> 3) download a new port skeleton for the mysql322-server port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz
>
>
>
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-announce" in the body of the message
>


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) ARGH!!!!! (problem solved with static ip not working)

1999-11-16 Thread Jay West

It took me a long time to isolate the problem I was having with reply
attributes not being passed back to the NAS. Finally after a decent night's
sleep, basic troubleshooting with radpwtst and (eek!) reading the manual,
the problem was found.

I was using the sample common-sql.cfg and sql.cfg in the goodies directory.
It does not define an AuthSelect. Therefore radiator uses a built-in default
authselect which does NOT return check and reply items, just the password.

I know it's documented as above, but wouldn't it make sense for the built-in
default authselect to INCLUDE the check and reply items, not just the
password?? Surely other people have run into this

Thanks to all who helped me along the way!

Jay West





(RADIATOR) Reply attributes not working?

1999-11-15 Thread Jay West

Here is an example debug log from a 'select * from RADLOG;'...
*** Sending to 209.83.134.1 port 1645 
Code:   Access-Accept
Identifier: 241
Authentic:  <13><3>&<157>+<6><196>+ka<213>c:<240>h<142>
Attributes:
Service-Type = Framed-User
Frame |

Doesn't it look odd that the Attributes: are listed on the next line, not
the same line, and appear to be truncated? Note, the above wrapping and
alignment is exactly how the select returned... There should have been about
10 reply attributes showing up here...I have no idea what could cause this -
any clues?

Thanks!

Jay West






(RADIATOR) Help! Static IP assignments not working!

1999-11-15 Thread Jay West

My full configuration was included in a previous email about 'problems with
authbysql'.

I'm now having a problem with static IP addresses.

Note the file settings:
mysql> select * from SUBSCRIBERS
    -> where Username='testuser';
+----------+----------+-------------------+-----------+---------------------------------------------------------------------------------------------+
| USERNAME | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR | REPLYATTR                                                                                   |
+----------+----------+-------------------+-----------+---------------------------------------------------------------------------------------------+
| testuser |          | NULL              | NULL      | Framed-IP-Address = "192.168.1.73",Framed-IP-Netmask = "255.255.255.252",Idle-Timeout = "0" |
+----------+----------+-------------------+-----------+---------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

And since I'm using authbysql followed by authbyfile with
continuewhileaccept this is important:
DEFAULT Service-Type = Framed-User
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP

However, I've just verified that when this user (testuser) logs in, they're
getting assigned an IP address from a pool defined on the router (via
255.255.255.254) instead of the specific IP address listed in SUBSCRIBERS
(as well as a host route of 255.255.255.255 instead of the 252 above).

Help (and THANKS IN ADVANCE!)

Jay West






(RADIATOR) RADONLINE not showing IP addresses?

1999-11-15 Thread Jay West

I finally got Radiator up and running with mySQL. Thanks to all who gave me
input. Looking back on it, it really wasn't that difficult.

One strange thing I noticed though... when I do a 'select * from
RADONLINE;', it does show me the users who are currently online. All the
fields are filled in (username, nasid, etc. etc.) except one. The
Framed-IP-Address that was assigned to the router is not filled in.

Perhaps this additional info might help... I went back through old detail
logs before we switched to SQL. I noticed that start records do not show an
ip address, only stop records do. I wonder if this is because of how we
manage dialup vs. dedicated address space? In SUBSCRIBERS, all users that are
dialup users get an ip address of 255.255.255.254 which when passed back to
our cisco 2611 tells it to assign the address from a pool defined in the
router. Static IP address people have their ip address hardcoded in their
REPLYATTR entry.

If that is why we're not seeing an IP address in RADONLINE, I see two
possible fixes... 1) is there a way for the router to tell radiator what IP
address it assigned to the person so it gets put in RADONLINE or 2) Is there
a way to have Radiator manage a pool of addresses and let it decide the
address before it's passed to the cisco?

Perhaps there are other ideas for this... Thanks in advance for anyone's
input!

Jay West





Re: (RADIATOR) problems with authby SQL and authby FILE with ContinueWhileAccept

1999-11-15 Thread Jay West

You wrote
> I suspect the routers in question are Cisco's? If so, then you will need a
> Service-Type = Framed-User as a Reply attribute. Your current definition for
> DEFAULT has it only as a check item. Try this:
>
> DEFAULT Service-Type = Framed-User
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> Note: Cisco's *always* expect to see the Service-Type in the Access-Accept
> match the Service-Type in the Access-Request.

Ok, I can give that a shot. But this brings to mind two followup questions:

1) It seems quirky to have Service-Type as both a check and reply item. Is
there a "null" check item that would work instead of listing it twice? I
know this is picky to the point of insanity, but thought I'd ask.

2) My radius.cfg says to check SQL first, then FILE with
ContinueWhileAccept. Just out of curiosity, what would happen if I had a
Framed-IP-Address in both the SQL replyattr AND the defuser file? For
example, a large percentage of my users should use a framed ip of
255.255.255.254 and netmask of 255.255.255.255. I'd like to put that in my
defuser. But for people with a static IP and netmask, I'd like the reply
attr's in SQL to take precedence over the ones in DEFUSER. When radiator
checks SQL and then FILE for reply attr's and like attributes are found, are
they overwritten with the last one, the first one, or are both sent???

Thanks!!!

Jay West







(RADIATOR) problems with authby SQL and authby FILE with ContinueWhileAccept

1999-11-15 Thread Jay West

We're trying to convert an existing Radiator setup from dbm to mySQL. The
platform is freebsd 3.3R and mySQL 3.22. Before I describe the problem,
here's the background details:

Here's the radius.cfg file:
AuthPort1812
AcctPort1813
DictionaryFile /usr/local/etc/dictionary
PidFile /var/run/radiusd.pid


DBSource dbi:mysql:radius
DBUsername 
DBAuth 
Table RADLOG
Trace 4



DBSource dbi:mysql:radius
DBUsername 
DBAuth 



DBSource dbi:mysql:radius
DBUsername 
DBAuth 



AuthByPolicy ContinueWhileAccept

DBSource dbi:mysql:radius
DBUsername 
DBAuth 
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address


Filename /usr/local/etc/defuser



Here's the defuserfile:
DEFAULT Service-Type = Framed-User
Framed-Protocol = PPP,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP

Here's a typical users entry from the users file that was run through
buildsql:
testuser Password = ""
  Framed-IP-Address = 255.255.255.254,
  Framed-IP-Netmask = 255.255.255.255,
  Idle-Timeout = 1200

Here's the appropriate lines from RADLOG (select * from RADLOG;):
|  942621812 |4 | Handling with Radius::AuthSQL

|
|  942621812 |4 | Query is: select PASSWORD from SUBSCRIBERS where
USERNAME='testuser'

|
|  942621812 |4 | Radius::AuthSQL looks for match with testuser
|
|  942621812 |4 | Radius::AuthSQL ACCEPT:
|
|  942621812 |4 | Handling with Radius::AuthFILE
|
|  942621812 |4 | Radius::AuthFILE looks for match with testuser
|
|  942621812 |4 | Radius::AuthFILE looks for match with DEFAULT
|
|  942621812 |4 | Radius::AuthFILE ACCEPT:
|
|  942621812 |4 | Access accepted for testuser
|
|  942621812 |4 | Packet dump:
*** Sending to 209.83.134.1 port 1645 
Code:   Access-Accept
Identifier: 150
Authentic:  <15><159><131>K<242>{<143><25><230><201>Wf8Yj<248>
Attributes:
Framed-Protocol = PPP
Fra |
++--+---

---+
xx rows in set (0.01 sec)

Ok, now for the problem description. I turn on debugging on the router for
aaa. The user calls in and the router tries first to check the local
usertable in the router. This fails as it should. Then it checks
authorization via radius. The radius server generates the above "accept"
message. The router debug shows the user PASSes authentication. A split
second later the router says authorization failed, even though its
previous message was accepted. The user does not connect.

Bear in mind I'm using the exact same dictionary that was working with
authby DBM. I suspect one of two problems. Notice the Attributes: item in the
above RADLOG looks strange - there's a bunch of leading spaces (it wraps
around) then says Framed-Protocol=PPP and wraps around more and then says
Fra which is part of the next reply attribute. If this is what is being
sent back, there's the problem. What on earth could be causing this? The
second possibility is that Radiator isn't correctly getting the REPLYATTR's
from SQL and correctly combining them with the "global" ones from userdef
and sending back one complete merged set of REPLY attr's.

In case it matters, I'm not using quite the same users.dbm file I was
before. My attributes on average were longer than the 255 characters mySQL
allows for a character field. So I had to remove common items from the users
file and put them in the authbyfile defuser and just keep the user-unique
items in the SQL database for replyattr's.

I'm desperate to get this working! Any ideas???

Jay West
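As an added illustration (not code from this thread, from Radiator or from radmin), the following Python parses the comma-separated "Attribute = value" lists that appear in the REPLYATTR column and in the defuser DEFAULT entry above, combines a user's items with the defaults, and shows what happens to a list that is longer than the 255-character column when it is written and read back. The sample values are constructed from the formats shown in the thread, and the "per-user attribute wins" merge policy is an assumption for the demonstration, not Radiator's documented behaviour.

```python
import re

# Constructed samples in the two formats shown in this thread: the REPLYATTR
# column of SUBSCRIBERS and the reply items of the DEFAULT entry in defuser.
# They are illustrative values, not copied from a live server.
SQL_REPLYATTR = ('Framed-IP-Address = "192.168.1.73",'
                 'Framed-IP-Netmask = "255.255.255.252",Idle-Timeout = "0"')
DEFUSER_REPLY = ('Service-Type = Framed-User, Framed-Protocol = PPP, '
                 'Framed-Routing = None, Framed-MTU = 1500, '
                 'Framed-Compression = Van-Jacobson-TCP-IP')

# Width of the character column the poster hit; MySQL of that era silently
# cut longer values to this length on insert instead of rejecting them.
VARCHAR_LIMIT = 255

# One "Name = value" item: the value is either double-quoted or a bare token,
# and the item ends at a comma or at the end of the string.
_ITEM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,"]*?))\s*(?:,|$)')


def parse_attr_list(text):
    """Parse a comma-separated attribute list into (name, value) pairs.

    Raises ValueError when the text stops mid-item, which is exactly what a
    value chopped by a too-narrow column looks like when it is read back.
    """
    text = text.strip()
    items = []
    pos = 0
    while pos < len(text):
        match = _ITEM.match(text, pos)
        if match is None:
            raise ValueError("unparseable attribute list at offset %d: %r"
                             % (pos, text[pos:pos + 24]))
        name, quoted, bare = match.groups()
        items.append((name, quoted if quoted is not None else bare))
        pos = match.end()
    return items


def format_attr_list(items):
    """Serialise pairs back into the quoted form used in the REPLYATTR column."""
    return ",".join('%s = "%s"' % (name, value) for name, value in items)


def fits_column(text, limit=VARCHAR_LIMIT):
    """True if the serialised list survives a VARCHAR(limit) column intact."""
    return len(text) <= limit


def merge_reply_items(defaults, per_user):
    """Combine DEFAULT reply items with a user's own items.

    Assumed policy for illustration only: a per-user attribute replaces a
    default of the same name and keeps the default's position; per-user
    attributes with no default are appended.  Whether Radiator keeps the
    first copy, the last copy or both when AuthBy SQL and AuthBy FILE both
    supply an attribute is the open question in the thread, so confirm the
    real behaviour from a packet dump rather than from this function.
    """
    override = dict(per_user)
    merged = [(name, override.get(name, value)) for name, value in defaults]
    default_names = {name for name, _ in defaults}
    merged += [(name, value) for name, value in per_user
               if name not in default_names]
    return merged


def store_and_reload(text, limit=VARCHAR_LIMIT):
    """Simulate writing text into VARCHAR(limit) and reading it back.

    Returns (items, was_truncated).  When the cut lands inside an item the
    parse fails; when it lands on a comma the loss is silent, and only the
    item count tells you that attributes went missing.
    """
    was_truncated = len(text) > limit
    return parse_attr_list(text[:limit]), was_truncated


if __name__ == "__main__":
    defaults = parse_attr_list(DEFUSER_REPLY)
    user = parse_attr_list(SQL_REPLYATTR)
    combined = format_attr_list(merge_reply_items(defaults, user))
    print("combined reply list: %d chars, fits VARCHAR(%d): %s"
          % (len(combined), VARCHAR_LIMIT, fits_column(combined)))
    # Doubling the list pushes it past the column width, as a users-file
    # entry with many reply items did for the poster.
    try:
        store_and_reload(format_attr_list(merge_reply_items(defaults, user) * 2))
    except ValueError as exc:
        print("after truncation:", exc)
```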





(RADIATOR) Help requested on

1999-11-13 Thread Jay West

I want to use  to log all radius messages to a mysql tables called
RADLOG.

However, any way that I set LogFile or LogDir causes radiator to still
create a /var/log/radius/logfile too.

I want radiator to ONLY log via SQL and never create any ...radius/logfile.
What do I need to set in my radius.cfg???

Thanks in advance for any tips and or pointers!

Jay West





(RADIATOR) Question on auth by sql setup

1999-11-10 Thread Jay West


- Original Message -
From: Jay West <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 09, 1999 6:44 AM
Subject: Question on auth by sql setup


> We're trying to switch from DBM user files to mySQL user files. I have one
> simple question...
>
> The script that is given to build the tables initially from flat files
> mentions something to the effect that it is a bare-bones sample, and that
> you will probably want to add additional fields, etc.
>
> Being fairly new to msSQL, I was wondering if it's easy to add these
> fields later after user records and accounting records are active in SQL,
> or - is it a much better idea to get all the requisite fields built
> initially.
>
> Thanks in advance!
>
> Jay West
>





(RADIATOR) Question on auth by sql setup

1999-11-09 Thread Jay West

We're trying to switch from DBM user files to mySQL user files. I have one
simple question...

The script that is given to build the tables initially from flat files
mentions something to the effect that it is a bare-bones sample, and that
you will probably want to add additional fields, etc.

Being fairly new to msSQL, I was wondering if it's easy to add these fields
later after user records and accounting records are active in SQL, or - is
it a much better idea to get all the requisite fields built initially.

Thanks in advance!

Jay West





Re: (RADIATOR) mysql requirements...

1999-10-28 Thread Jay West

I want to install mySQL for use with Radiator on FreeBSD 3.3Release.

The instructions say I'll need to install DBI and DBD. I can find DBI easily
and have installed it. However, where exactly do I find DBD for mySQL??

Thanks!

Jay West





(RADIATOR) radiator and mysql high availability config

1999-10-28 Thread Jay West

Greetings!

Just wanted to confirm my line of thinking on this with others. We want to
set up redundant radiator servers for our domain. We want to have a primary
and secondary, and NAS's will be told to check aaa in that order. If the
primary machine goes down, the secondary will still answer. We will be using
mySQL for the user database.

My thought was to have two machines, with each machine running both radiator
and mySQL. The radiator on the primary will use mySQL on the primary, the
radiator on the secondary will use mySQL on the secondary. This should
accomplish the above. Then we could set up radiator on the first machine to
use mySQL on the second machine (in addition) in case its own mySQL process
fails and vice-versa on the secondary.

Several questions:

1) Is this a good recommended configuration or is there something I'm
missing or a better way to accomplish high availability? Do we need more
machines?
2) In the above config, the primary takes the full load and the secondary
only comes into play if the primary is down. In general terms, what changes
would need to be made to implement load balancing between the two instead
(with one machine taking the full load if the other fails)?

Thanks!

Jay West





(RADIATOR) Unix based SQL selection request......which one should I use?

1999-08-25 Thread Jay West

We're using FreeBSD 3.2Release for our radius servers. I've decided I have
to switch to using SQL rather than dbm files to get some other functionality
that we want.

My question is, does anyone have any suggestions as to which SQL server to
use? I have a strong preference for it to run on FreeBSD, and be free of
charge :) Must work well with radiator, and take a minimum of
cpu/disk/memory, etc. The SQL server we pick will only be used for
radius, not website databases, etc. etc.

Based on those requirements, should I be looking at msql or mysql or other?

Thanks in advance for everyone's input!

Jay West





(RADIATOR) radiator cgi script hosting

1999-08-24 Thread Jay West

There's a cgi program included in radiator that can be called from a
webbrowser to see who's currently online, etc. etc.

Is there any way that this cgi can be run on a different machine than the
radiator server? I hate mucking up my nice radius servers with web server
software when I have quite a few perfectly good web servers sitting next to
them. Is this possible and what (in general terms) is required?

Thanks in advance!!

Jay West





(RADIATOR) Radiator with sessiondbm and radwho.cgi

1999-04-06 Thread Jay West

I have two questions with regards to sessiondbm and radwho.cgi...

1) We have two radiator servers, primary and secondary. Each one has a
sessiondbm file. We would like them to both use the same session file so
simuse is tracked, etc. We don't want to set up NFS because of security
issues. Is there any other way to have the two radiators use the same dbm
session file without NFS and without going to SQL?

2) We would like to use the radwho.cgi program. However, our session file
(sessionDBM, see above) is on our radiator server. We don't want to install
a webserver on the radiator server when we have several perfectly good
webservers sitting next to it. It would appear that the session.dbm file has
to be on the same machine as the webserver unless you use SQL. Is this
correct and is there a way around it?

Thanks!

Jay West


===



Re: (RADIATOR) ssh woes...(OT)

1999-03-29 Thread Jay West

Thanks to everyone on the list for their replies thus far...

One item though - most people are suggesting a solution that is user
specific (i.e., @user/.ssh/whatever). Isn't there a way to do it that is
"global", i.e., any user on system A can ssh or scp to system B without
typing in a password?

Thanks!

Jay West
-Original Message-
From: Stuart Henderson <[EMAIL PROTECTED]>
To: Jay West <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, March 23, 1999 10:08 AM
Subject: Re: (RADIATOR) ssh woes...(OT)


>> I installed ssh on both radius1 and radius2. On radius2, I created a
>> /usr/local/etc/shosts.equiv that contains the host name for radius1.
>
>Assuming sshd is on radius1 and you are connecting from radius2, add the
>contents of radius2:~user/.ssh/identity.pub to
>radius1:~user/.ssh/authorized_keys (and vice-versa if you want it to
>work in both directions).
>


===



(RADIATOR) ssh woes...(OT)

1999-03-23 Thread Jay West

I know this is a bit off-topic, but was hoping someone might shed some light
on this.

I installed ssh on both radius1 and radius2. On radius2, I created a
/usr/local/etc/shosts.equiv that contains the host name for radius1.

When I do an ssh radius2, it asks for the root password. I was hoping it
would not. What am I doing wrong?

Thanks in advance!

Jay West


===



(RADIATOR) syncing multiple users files question...

1999-03-22 Thread Jay West

Greetings!

We have two radiator servers, each is independent but the configurations and
user files are identical. Our NAS is set up to query the first, and if there
is no reply to query the second. In this way, if one server fails the other
is available to respond.

Is there a slick neato way to sync up the users file between the two? It's a
pain to have to add new users in two places. We'd prefer to not have one
spot (like a remote SQL database, etc.) because this introduces a single
point of failure. The first method that comes to mind is setting up a cron
job to rcp or ftp the users file on one machine or the other. We're not
crazy about allowing rcp or ftp into our radius servers though... Is there
another method anyone has found?

Jay West


===



Re: (RADIATOR) Argh!

1999-03-18 Thread Jay West

>> 3) Even though radpwtst works ok (except for the above), when I move into
>> production and point my NAS at radiator, all user authentication fails with
>> "bad password" (even user/passwords that worked with radpwtst)?!
>
>Probably you dont have the shared secret set in Radiator to agree with the one
>in your NAS.


Hum - ok - then

1) Is the secret case sensitive?
2) if the secrets were different, my log file shouldn't show any user
authentication attempts though should it? I would think if the secret was
wrong then radiusd wouldn't even look at the incoming request and reply with
bad password...

Jay West
PS - Mike, so far I'm REALLY impressed by how well designed radiator is, and
how flexible. Kudos!
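What radiusd actually sees when the NAS and server disagree on the secret, as an added illustration that is not from this thread or from Radiator's own code: RFC 2865 hides User-Password by XORing it with chained MD5(secret + Request Authenticator) blocks, so a server holding a different secret still parses the Access-Request normally and simply recovers garbage, which it logs as a bad password rather than as a secret mismatch. The secrets, password and authenticator below are constructed sample values; the secret is a byte string, so case matters.

```python
"""RFC 2865 section 5.2 User-Password hiding, as the NAS encodes it and
the RADIUS server decodes it (added example, not Radiator code)."""
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password as the NAS does before sending an Access-Request."""
    if len(password) > 128 or len(authenticator) != 16:
        raise ValueError("password must be <= 128 octets, authenticator 16 octets")
    # Pad with NULs to a multiple of 16 octets (at least one block).
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator  # first block keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c  # later blocks are chained on the previous ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode User-Password as the server does, stripping the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def server_check(hidden: bytes, authenticator: bytes, server_secret: bytes,
                 stored_password: bytes) -> bool:
    """All a plain Access-Request lets radiusd conclude: decode with *its* secret
    and compare. A wrong (or wrong-case) secret yields garbage and a 'bad
    password' log line; the server cannot tell the two failures apart."""
    return reveal_password(hidden, server_secret, authenticator) == stored_password


if __name__ == "__main__":
    ra = os.urandom(16)                       # constructed Request Authenticator
    wire = hide_password(b"s3cret", b"testing123", ra)
    print("same secret  ->", server_check(wire, ra, b"testing123", b"s3cret"))
    print("wrong case   ->", server_check(wire, ra, b"Testing123", b"s3cret"))
    print("other secret ->", server_check(wire, ra, b"nas-secret", b"s3cret"))
```

Only a Message-Authenticator attribute (RFC 3579) or an Accounting-Request, whose authenticator is an HMAC/MD5 over the secret, lets the server reject a packet for a bad secret outright.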



===



(RADIATOR) Argh!

1999-03-18 Thread Jay West

Several Radiator questions for the folks here from a radiator newbie.

The following questions all pertain to radiator 2.13.1 on FreeBSD 3.1 (O/S
was installed with DES, NOT MD5, but the perl MD5 lib is present and
working)...

1) The documentation states all dictionary files must have at least 4
attributes, which are user-name, user-password, encrypted-password, and
acct-delay-time. However, some of these are missing from the stock supplied
dictionary.whatever files. User-Password and Encrypted-Password for example
aren't in the supplied dictionary.livingston. Is this an oversight or
misunderstanding on my part?

2) radiusd starts fine and radpwtst gives correct results when run. However,
when I look at the detail and logfile files, the user is assigned a strange
IP address (206.63something as I recall) when my user file specified
255.255.255.254 should be passed back to the NAS (radpwtst).

3) Even though radpwtst works ok (except for the above), when I move into
production and point my NAS at radiator, all user authentication fails with
"bad password" (even user/passwords that worked with radpwtst)?!

If it helps, my NAS is a cisco 3620. When users dial in they ask the cisco
for authentication, which in turn passes the request off to my radiator
machine. I was using a livingston 2.x radius setup with the same equipment
and all worked fine. Passwords are just cleartext in the users file.

Any suggestions from the crowd?

Thanks in advance!

Jay West


===