(RADIATOR) Radiator and LDAP2 - multiple realm
I am running radiator 3.7.1 on RH7.3. We are, and have been using
AuthBy UNIX and the Odyssey Client for months to authenticate our
wireless users. Now, I would like to authenticate users based on
whether or not they are trying to login to the domain or not. When a
user logs in with domain\username, I have been unable to get the request
to be handled by the proper handler. I have placed the rewrite username
in multiple locations but, never see the handler being used, only the
tunnelled by TTLS is ever invoked. I have read the manual but obviously
missed something...Can someone point me in the right direction?
As a workaround, I tried using ContinueUntilAccept in the tunnelled by
TTLS handler and then I fail with the info below. I verified the
username and password are correct so, is there another module required?
See below
Mon Oct 13 16:03:59 2003: DEBUG: Handling with Radius::AuthLDAP2:
Mon Oct 13 16:03:59 2003: INFO: Connecting to , port 389
Mon Oct 13 16:03:59 2003: INFO: Attempting to bind to LDAP server
:389)
Mon Oct 13 16:03:59 2003: ERR: Could not bind connection with
CN=Radtest,OU=admin,DC=testrealm,DC=local, , error:
LDAP_INVALID_CREDENTIALS (server :389).
Mon Oct 13 16:03:59 2003: ERR: Backing off from :389 for 600
seconds
Thanks,
--
Steve
Identifier wlan
Secret mysecret
DupInterval 2
IgnoreAcctSignature
AuthByPolicy ContinueUntilAccept
# Strip realm if in MSN format
RewriteUsername s/(.*)\\(.*)/$2/
# strips the realm from a User-Name before authenticating it
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
Hostdc1.labnet.local
AuthDN CN=Radtest,OU=admin,DC=testrealm,DC=local
AuthPassword
AuthPassword
BaseDN OU=AD Users,DC=testrealm,DC=local
ServerChecksPassword
UsernameAttr samaccountname
AuthByPolicy ContinueUntilAccept
# Strip realm if in MSN format
RewriteUsername s/(.*)\\(.*)/$2/
# strips the realm from a User-Name before authenticating it
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
# anonymous-PEAP must be in here:
Filename /etc/wlanpeople
AuthByPolicy ContinueAlways
#AuthByPolicy ContinueWhileIgnore # Default
# Strip realm if in MSN format
# RewriteUsername s/(.*)\\(.*)/$2/
# Convert a MSN realm\user into [EMAIL PROTECTED]
# RewriteUsernames/^(.*)\\(.*)/[EMAIL PROTECTED]/
# strips the realm from a User-Name before authenticating it
# RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
DBSourcedbi:mysql:radius
DBSourcedbi:mysql:database=radius;host=radserver.musc.edu
DBUsername radtest
DBAuth radpwd
AuthSelect
# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d
%H:%M:%S
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctFailedLogFileName
%L/%{Client:Identifier}/%m%d%y.missedaccounting.log
# Strip realm if in MSN format
# RewriteUsername s/(.*)\\(.*)/$2/
# Convert a MSN realm\user into [EMAIL PROTECTED]
RewriteUsernames/^(.*)\\(.*)/[EMAIL PROTECTED]/
# strips the realm from a User-Name before authenticating it
# RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
Filename /etc/radiator/users
EAPType TTLS
EAPTLS_CAFile /usr/local/certs/radtest.pem
EAPTLS_CertificateFile /usr/local/certs/radtest.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /usr/local/certs/radtest.pem
EAPTLS_PrivateKeyPassword
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
(RADIATOR) Authentication Issue - Odyssey and iPaq 5450
I'm having an issue authenticating users with the iPaq 5450 (internal
nic) and the Odyssey Client. It appears that when the user
authenticates, Radiator initially issues an access-accept and then
follows it up with an access-reject.
I am only having this issue with the above deviceall other clients
authenticate sucessfully. Any ideas would be appreciated.
Attached are debugs and the config. Radiator version 3.7.1 on RH7.3.
Thanks,
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083
# radius.cfg
#
# Radiator configuration file.
#
#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir /var/log/radius
DbDir /etc/radiator
PidFile /var/run/radius.pid
DictionaryFile /etc/radiator/dictionary
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
# Add Clients below...
Identifier ppp
Secret
DupInterval 2
Identifier ppp
Secret
DupInterval 2
Identifier video
Secret
DupInterval 2
Identifier vpn
Secret
DupInterval 2
Identifier wlan
Secret
DupInterval 2
IgnoreAcctSignature
#
#
PPP Config ##
AuthByPolicy ContinueAlways
#AuthByPolicy ContinueWhileIgnore # Default
DBSourcedbi:mysql:radius
DBUsername < >
DBAuth < >
AuthSelect
# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d
%H:%M:%S
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctFailedLogFileName
%L/%{Client:Identifier}/%m%d%y.missedaccountin.log
#DefaultSimultaneousUse 1
Filename /etc/passwd.ras
# Log accounting to a detail file
AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
VPN Config ##
AuthByPolicy ContinueAlways
#AuthByPolicy ContinueWhileIgnore # Default
DBSourcedbi:mysql:radius
DBUsername < >
DBAuth < >
AuthSelect
# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d
%H:%M:%S
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef CLASS,Class
AcctColumnDef TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint
AcctFailedLogFileName
%L/%{Client:Identifier}/%m%d%y.missedaccountin.log
#DefaultSimultaneousUse 1
Filename /etc/passwd.ras
Re: (RADIATOR) Question about AuthBy ADSI
Hugh,
Layers 8 & 9 prevent me from running Radiator on anything but a Linux
box, I have no bias. :-)
I am not very familiar with AD. My understanding is that policies can
be managed for users, machines, etc. In our environment, we are mapping
drives and limiting machines/user rights to resources. We would like
for these policies to be passed down from the AD server.
In the meantime...I have been trying to get it working via LDAP2.
Unfortunately, I must be missing something because it does not look like
AuthBy LDAP 2 is ever being used.
I attached my config and a debug of an attempt to connect from a machine
logging into the domain. Can you tell me what I am missing?
Notice that I have the Tunnelled by TTLS and PEAP commented out, *do
not* have an anonymous user in my password file, but, I can authenticate
wireless users via TTLS sucessfully. Am I mistaken or should this be
happening? - Just not those trying to authenticate to the domain.
Thanks,
Steve
Hugh Irvine wrote:
Hello Steve -
You can use the AuthBy RADIUS clause to forward radius requests to a
remote radius server. The exact configuration will depend on what else
you are already doing in your configuration file. I am not sure I
understand what you mean by "domain policies" - can you give me a bit
more detail?
BTW - Radiator runs just fine on W2K server.
regards
Hugh
On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve Caporossi
wrote:
Running radiator on a W2K server does not appear to be an option for
us...I need to forward any domain logins ie, domain\username to a
Windows radius server, but only if they try to login to the domain.
Has anyone done this and be willing to share their methodology?
Can the domain policies be passed down to the machine as well using
AuthBy LDAP, AuthBy Radius or AuthBy NT? Are there any advantages,
or disadvantages, between these?
Thanks,
Steve
Hugh Irvine wrote:
Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual
("doc/ref.html").
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve
Caporossi wrote:
I am running radiator 3.6 (fully patched) on RH7.3 and need to tie
into AD for domain login and username/password checking. In the
reference manual section 6.40 it has the statement,
It is only available on Windows 2000 platforms. It is implemented in
AuthADSI.pm"
I am a little confused...does this mean that radiator needs to be
running on W2K?
Thanks,
--
Steve
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083
# radius.cfg
#
#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir /var/log/radius
DbDir /etc/radiusserver
PidFile /var/run/radius.pid
DictionaryFile /etc/radiusserver/dictionary
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
# Add Clients below...
Identifier ppp
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private
Identifier ppp
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private
Identifier vpn
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private
Identifier wlan
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private
IgnoreAcctSignature
#
#
PPP Config ##
# AuthByPolicy ContinueAlways
AuthByPolicy ContinueWhileIgnore # Default
DBSourcedbi:mysql:radius
DBUsername dbuser
DBAuth password
Re: (RADIATOR) Question about AuthBy ADSI
Running radiator on a W2K server does not appear to be an option for
us...I need to forward any domain logins ie, domain\username to a
Windows radius server, but only if they try to login to the domain. Has
anyone done this and be willing to share their methodology?
Can the domain policies be passed down to the machine as well using
AuthBy LDAP, AuthBy Radius or AuthBy NT? Are there any advantages, or
disadvantages, between these?
Thanks,
Steve
Hugh Irvine wrote:
Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported
on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance of
Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual
("doc/ref.html").
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve
Caporossi wrote:
I am running radiator 3.6 (fully patched) on RH7.3 and need to tie
into AD for domain login and username/password checking. In the
reference manual section 6.40 it has the statement,
It is only available on Windows 2000 platforms. It is implemented in
AuthADSI.pm"
I am a little confused...does this mean that radiator needs to be
running on W2K?
Thanks,
--
Steve
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Question about AuthBy ADSI
I am running radiator 3.6 (fully patched) on RH7.3 and need to tie into AD for domain login and username/password checking. In the reference manual section 6.40 it has the statement, It is only available on Windows 2000 platforms. It is implemented in AuthADSI.pm" I am a little confused...does this mean that radiator needs to be running on W2K? Thanks, -- Steve === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: Fwd: (RADIATOR) Odyssey client and Radiator - Question
It seems to me that the accounting is useless if everything appears to come from "anonymous". Is there a way to configure radiator so it records the actual username that authenticated? Funk says this will be possible in the new release of their radius server and suggests I buy it...not acceptable to us. Thanks, Steve Mike McCauley wrote: Hello Steve, Begin forwarded message: From: Steve Caporossi <[EMAIL PROTECTED]> Date: Tue Mar 4, 2003 00:38:57 Australia/Melbourne To: [EMAIL PROTECTED] Subject: (RADIATOR) Odyssey client and Radiator - Question We are evaluating the Odyssey client for authenticating our wireless users via TTLS. I noticed that unless a user sets their username under the TTLS settings tab, "anonymous" is recorded in the logs. Is anyone else using this client and, have you come up with a workaround for this behavior? This is the normal and expected behaviour for TTLS. They put anonymous by default in the outer request so that the 'real' user name is not available for sniffing. The downside is that the Radius requests all appear to be from 'anonymous'. You can change this behaviour in the Odyssey client by editing the Profile/TTLS Setting page, and changing the 'Anonymous name:' field. Hope that helps. Cheers. Thanks, -- Steve Caporossi Network Systems Engineer Center for Computing and Information Technology Medical University of South Carolina 843.876.5083 === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening? -- Steve Caporossi Network Systems Engineer Center for Computing and Information Technology Medical University of South Carolina 843.876.5083 === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Odyssey client and Radiator - Question
We are evaluating the Odyssey client for authenticating our wireless users via TTLS. I noticed that unless a user sets their username under the TTLS settings tab, "anonymous" is recorded in the logs. Is anyone else using this client and, have you come up with a workaround for this behavior? Thanks, -- Steve Caporossi Network Systems Engineer Center for Computing and Information Technology Medical University of South Carolina 843.876.5083 === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) EAP_TTLS
Mike,
I downloaded and applied the patches as you recommended. That fixed the
problem. I guess I had an earlier patch set.
Thanks for all your help. Radiator support Rules!
Steve
Mike McCauley wrote:
> Hi Steve,
>
> thanks for your note and the suggestion of your colleague, but I suspect this
> problem is occurring because you dont have (or arent running) the
> AuthGeneric.pm from the 3.3.1 patches. The latest AuthGeneric.pm defines
> EAPType as an array, not as a scalar. Perhaps you have an earlier patch set?
>
> Pls let me know how you go.
>
>
>
> On Tue, 1 Oct 2002 22:36, Steve Caporossi wrote:
>
>>Mike and Hugh,
>>
>>I downloaded, and installed the patches but got the same results...A
>>colleague of mine, Chris Dufala, looked at the code in EAP.pm...tweaked
>>it a bit and now it is working. You should have an received an email
>>from him as well. However, since you are more familiar with all the
>>code, maybe this was just a temporary fix for our problem, and may
>>introduce problems later?
>>
>>His email is below
>>
>>I am an associate of Steve Caporrossi's at the Medical University of
>>South Carolina.
>>
>>Steve had notified you, regarding a problem using EAP-TTLS with the
>>3.3.1 version
>>of Radiator with patches applied. While looking through the EAP.pm
>>module, I located
>>a small syntax error in the code that was preventing a sucessful
>>connection using the
>>Odyssey Client :
>>
>>Error Message :
>>
>>Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
>> use string ("TTLS") as an ARRAY ref while "strict refs" in use at
>> /usr/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 117.
>>
>>Resolution : (lines 117 & 118)
>>
>>Current :
>># my $defaulttype = $eap_name_to_type{$self->{EAPType}[0]}
>>#|| return ($main::REJECT, "Unknown default EAP type
>>$self->{EAPType}[0]");
>>
>>Change to :
>>my $defaulttype = $eap_name_to_type{$self->{EAPType}}
>>
>>|| return ($main::REJECT, "Unknown default EAP type
>>
>>$self->{EAPType}");
>>
>>
>>I hope this helps :>
>>
>>-Chris
>>
>>Thanks,
>>
>>Steve
>>
>>Mike McCauley wrote:
>>
>>>Hello Steve,
>>>
>>>On Tue, 1 Oct 2002 08:27, Hugh Irvine wrote:
>>>
>>>>Hello Steve -
>>>>
>>>>I have copied this mail to Mike, as he has been doing quite a bit of
>>>>work on this code recently.
>>>>
>>>>You should download the latest patches from the web site and install
>>>>them.
>>>>
>>>>Mike will be able to answer any questions.
>>>
>>>Yes, as Hugh suggests, you should collect the latest patches from
>>>www.open.com.au/radiator/downloads/patches-3.3.1 and then let me know
>>>what you see.
>>>
>>>Cheers.
>>>
>>>
>>>>regards
>>>>
>>>>Hugh
>>>>
>>>>On Tuesday, October 1, 2002, at 03:20 AM, Steve Caporossi wrote:
>>>>
>>>>>Hugh-
>>>>>
>>>>>Can you tell me what this means? I looked through the EAP.pm
>>>>>butdo not understand alot of it.
>>>>>
>>>>>Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
>>>>>use string ("TTLS") as an ARRAY ref while "strict refs" in use at
>>>>>/usr/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 117.
>>>>>
>>>>>I recently upgraded to 3.3.1, from 3.2, since then, I have been
>>>>>getting this error when trying to use EAP_TTLS and the Odyssey client.
>>>>>The config file is the same that I had in version 3.2.
>>>>>
>>>>>Thanks,
>>>>>
>>>>>Steve
>>>>>
>>>>>***
>>>>>**
>>>>>
>>>>>My logs show the following...
>>>>>
>>>>>Mon Sep 30 12:44:25 2002: DEBUG: Packet dump:
>>>>>*** Received from x.x.x.135 port 1030
>>>>>Code: Access-Request
>>>>>Identifier: 3
>>>>>Authentic: ^<236><21><243><153><4><203><225><232>4.R<150>u<162><21>
>>>>>Attributes:
>>
Re: (RADIATOR) EAP_TTLS
Mike and Hugh,
I downloaded, and installed the patches but got the same results...A
colleague of mine, Chris Dufala, looked at the code in EAP.pm...tweaked
it a bit and now it is working. You should have an received an email
from him as well. However, since you are more familiar with all the
code, maybe this was just a temporary fix for our problem, and may
introduce problems later?
His email is below
I am an associate of Steve Caporrossi's at the Medical University of
South Carolina.
Steve had notified you, regarding a problem using EAP-TTLS with the
3.3.1 version
of Radiator with patches applied. While looking through the EAP.pm
module, I located
a small syntax error in the code that was preventing a sucessful
connection using the
Odyssey Client :
Error Message :
Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
use string ("TTLS") as an ARRAY ref while "strict refs" in use at
/usr/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 117.
Resolution : (lines 117 & 118)
Current :
# my $defaulttype = $eap_name_to_type{$self->{EAPType}[0]}
#|| return ($main::REJECT, "Unknown default EAP type
$self->{EAPType}[0]");
Change to :
my $defaulttype = $eap_name_to_type{$self->{EAPType}}
|| return ($main::REJECT, "Unknown default EAP type
$self->{EAPType}");
I hope this helps :>
-Chris
Thanks,
Steve
Mike McCauley wrote:
> Hello Steve,
>
> On Tue, 1 Oct 2002 08:27, Hugh Irvine wrote:
>
>>Hello Steve -
>>
>>I have copied this mail to Mike, as he has been doing quite a bit of
>>work on this code recently.
>>
>>You should download the latest patches from the web site and install
>>them.
>>
>>Mike will be able to answer any questions.
>
>
> Yes, as Hugh suggests, you should collect the latest patches from
> www.open.com.au/radiator/downloads/patches-3.3.1 and then let me know what
> you see.
>
> Cheers.
>
>
>>regards
>>
>>Hugh
>>
>>On Tuesday, October 1, 2002, at 03:20 AM, Steve Caporossi wrote:
>>
>>>Hugh-
>>>
>>>Can you tell me what this means? I looked through the EAP.pm
>>>butdo not understand alot of it.
>>>
>>>Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
>>>use string ("TTLS") as an ARRAY ref while "strict refs" in use at
>>>/usr/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 117.
>>>
>>>I recently upgraded to 3.3.1, from 3.2, since then, I have been
>>>getting this error when trying to use EAP_TTLS and the Odyssey client.
>>> The config file is the same that I had in version 3.2.
>>>
>>>Thanks,
>>>
>>>Steve
>>>
>>>***
>>>**
>>>
>>>My logs show the following...
>>>
>>>Mon Sep 30 12:44:25 2002: DEBUG: Packet dump:
>>>*** Received from x.x.x.135 port 1030
>>>Code: Access-Request
>>>Identifier: 3
>>>Authentic: ^<236><21><243><153><4><203><225><232>4.R<150>u<162><21>
>>>Attributes:
>>> User-Name = "username"
>>> NAS-IP-Address = x.x.x.135
>>> Called-Station-Id = "004096439873"
>>> Calling-Station-Id = "00078592640e"
>>> NAS-Identifier = "usb3ap1"
>>> NAS-Port = 37
>>> Framed-MTU = 1400
>>> NAS-Port-Type = 19
>>> EAP-Message = <2><0><0><13><1>username
>>> Message-Authenticator =
>>><127>1@<26><194><180><230><203><189><138>(<188><214>h<23>"
>>>
>>>Mon Sep 30 12:44:25 2002: DEBUG: Handling request with Handler
>>>'Realm=DEFAULT'
>>>Mon Sep 30 12:44:25 2002: DEBUG: Deleting session for username,
>>>x.x.x.135, 37
>>>Mon Sep 30 12:44:25 2002: DEBUG: Handling with Radius::AuthSQL
>>>Mon Sep 30 12:44:25 2002: DEBUG: Handling with Radius::AuthUNIX:
>>>Mon Sep 30 12:44:25 2002: DEBUG: Radius::AuthUNIX looks for match with
>>>username
>>>Mon Sep 30 12:44:25 2002: DEBUG: Handling with EAP
>>>Mon Sep 30 12:44:25 2002: DEBUG: EAP code 2, 0, 13
>>>Mon Sep 30 12:44:25 2002: DEBUG: Response type 1
>>>Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
>>>use string ("TTLS") as an ARRAY ref while "strict refs" in use at
>>
(RADIATOR) EAP_TTLS
Hugh-
Can you tell me what this means? I looked through the EAP.pm butdo
not understand alot of it.
Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
use string ("TTLS") as an ARRAY ref while "strict refs" in use at
/usr/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 117.
I recently upgraded to 3.3.1, from 3.2, since then, I have been getting
this error when trying to use EAP_TTLS and the Odyssey client. The
config file is the same that I had in version 3.2.
Thanks,
Steve
*
My logs show the following...
Mon Sep 30 12:44:25 2002: DEBUG: Packet dump:
*** Received from x.x.x.135 port 1030
Code: Access-Request
Identifier: 3
Authentic: ^<236><21><243><153><4><203><225><232>4.R<150>u<162><21>
Attributes:
User-Name = "username"
NAS-IP-Address = x.x.x.135
Called-Station-Id = "004096439873"
Calling-Station-Id = "00078592640e"
NAS-Identifier = "usb3ap1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = 19
EAP-Message = <2><0><0><13><1>username
Message-Authenticator =
<127>1@<26><194><180><230><203><189><138>(<188><214>h<23>"
Mon Sep 30 12:44:25 2002: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Mon Sep 30 12:44:25 2002: DEBUG: Deleting session for username,
x.x.x.135, 37
Mon Sep 30 12:44:25 2002: DEBUG: Handling with Radius::AuthSQL
Mon Sep 30 12:44:25 2002: DEBUG: Handling with Radius::AuthUNIX:
Mon Sep 30 12:44:25 2002: DEBUG: Radius::AuthUNIX looks for match with
username
Mon Sep 30 12:44:25 2002: DEBUG: Handling with EAP
Mon Sep 30 12:44:25 2002: DEBUG: EAP code 2, 0, 13
Mon Sep 30 12:44:25 2002: DEBUG: Response type 1
Mon Sep 30 12:44:25 2002: ERR: Could not handle an EAP request: Can't
use string ("TTLS") as an ARRAY ref while "strict refs" in use at
/usr/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 117.
Mon Sep 30 12:44:25 2002: DEBUG: Radius::AuthUNIX REJECT: Could not
handle an EAP request
Mon Sep 30 12:44:25 2002: INFO: Access rejected for username: Could not
handle an EAP request
Mon Sep 30 12:44:25 2002: DEBUG: Packet dump:
*** Sending to x.x.x.135 port 1030
Code: Access-Reject
Identifier: 3
Authentic: ^<236><21><243><153><4><203><225><232>4.R<150>u<162><21>
Attributes:
Reply-Message = "Request Denied"
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Help getting MySQL Accounting working
Can anyone give me any hints as to why I
cannot get any accounting entries in my database? Below is my
radius config and the output from a Trace 4. I am authenticating from the
system password file OK but no accounting is being put into the database.
I am running RH7.2 and Radiator 3.0.
Thanks, Steve
*** Config ***
# radius.cfg## Radiator configuration
file.# #
#Foreground#LogStdoutLogDir
/var/log/radiusDbDir
/etc/radiator# Use a low trace level in production systems. Increase# it
to 4 or 5 for debugging, or use the -trace flag to
radiusdTrace 4
# Add other Clients below... Identifier
ppp
Secret removed DupInterval
0
Identifier
ppp
Secret removed
DupInterval 0
Identifier vpn
Secret removed
DupInterval 0
Filename /etc/shadow
# Log accounting
to a detail file AcctLogFileName
%L/%{Client:Identifier}/%m%d%y.log
DBSource
dbi:mysql:radiuslogs
DBUsername removed
DBAuth removed
AuthSelect
AccountingTable
ACCOUNTING
AcctColumnDef
USERNAME,username
AcctColumnDef
TIME_STAMP,Timestamp,integer
AcctColumnDef
ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef
ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef
ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef
ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef
ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef
ACCTINPUTPACKETS,Acct-Input-Packets,integer
AcctColumnDef
ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
AcctColumnDef
ACCTSESSIONID,Acct-Session-Id
AcctColumnDef
ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef
ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef
NASIPADDRESS,NAS-IP-Address,
AcctColumnDef
NASIDENTIFIER,NAS-Identifier
AcctColumnDef
NASPORT,NAS-Port,integer
AcctColumnDef
NASPORTTYPE,NAS-Port-Type
AcctColumnDef
FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef
CALLEDSTATIONID,Called-Station-Id
AcctColumnDef
CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef
ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef
FRAMEDPROTOCOL,Framed-Protocol
AcctColumnDef
ACCTLINKCNT,Acct-Link-Count
AcctColumnDef
ACCTMULTISESSID,Acct-Multi-Session-Id
AcctColumnDef
CLASS,Class
AcctColumnDef
ACCOUNTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint
# AcctFailedLogFileName
%D/missedaccounting
*** TRACE 4 ***
Mon Jul 29 15:37:22 2002: DEBUG: Packet dump:*** Received from x.x.x.x
port 1645 Code:
Access-RequestIdentifier: 57Authentic:
?R<210><13>r<<135><132>R<192><4><28><207>9<183><134>Attributes:
NAS-IP-Address = x.x.x.x NAS-Port
= 114 NAS-Port-Type =
Async User-Name =
"username" Called-Station-Id =
"3238732" Calling-Station-Id =
"5551212" User-Password =
"<202><2>]L><195><197>u<184><248><130><198><128>.<30>9"
Service-Type = Framed-User
Framed-Protocol = PPP
Mon Jul 29 15:37:22 2002: DEBUG: Handling request with Handler
'Realm=DEFAULT'Mon Jul 29 15:37:22 2002: DEBUG: Deleting session for
username, x.x.x.x, 114Mon Jul 29 15:37:22 2002: DEBUG: Handling with
Radius::AuthUNIX: Mon Jul 29 15:37:22 2002: DEBUG: Radius::AuthUNIX looks
for match with usernameMon Jul 29 15:37:22 2002: DEBUG: Radius::AuthUNIX
ACCEPT: Mon Jul 29 15:37:22 2002: DEBUG: Access accepted for usernameMon
Jul 29 15:37:22 2002: DEBUG: Packet dump:*** Sending to x.x.x.x port 1645
Code: Access-AcceptIdentifier:
57Authentic:
?R<210><13>r<<135><132>R<192><4><28><207>9<183><134>Attributes:
Mon Jul 29 15:37:22 2002: DEBUG: Packet dump:*** Received from x.x.x.x
port 1646 Code:
Accounting-RequestIdentifier: 58Authentic:
Q<29>:<144>-A<198><199>z<154>*}<<145>Q<171>Attributes:
NAS-IP-Address = x.x.x.x NAS-Port
= 114 NAS-Port-Type =
Async User-Name =
"username" Called-Station-Id =
"3238732" Calling-Station-Id =
"5551212" Acct-Status-Type =
Start Acct-Authentic =
RADIUS Service-Type =
Framed-User Acct-Session-Id =
"01D4" Framed-Protocol =
PPP Acct-Link-Count =
1 Acct-Multi-Session-Id =
"44" Framed-IP-Address =
x.x.x.49 Acct-Delay-Time = 0
Mon Jul 29 15:37:22 2002: DEBUG: Handling request with Handler
'Realm=DEFAULT'Mon Jul 29 15:37:22 2002: DEBUG: Adding session for
username, x.x.x.x, 114Mon Jul 29 15:37:22 2002: DEBUG: Handling with
Radius::AuthUNIX: M
