Re: (RADIATOR) Can you use SQL if statements in radiator?
Hi,

So in total the second AuthBy (or you can put it first too) would look like:

<AuthBy SQL>
    DBSource dbi:ODBC:x
    DBUsername xx
    DBAuth xx
    FailureBackoffTime 30
    NoDefault
    IgnoreAuthentication
    #IgnoreAccounting
    AccountingStartsOnly
    AcctSQLStatement \
        update Login \
        set Expiry_Date = getdate() + 7, First_Use = getdate() \
        where Login_name = %U and \
        First_Use is NULL
</AuthBy SQL>

Rgds.
Toomas

----- Original Message -----
From: Mike McCauley [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; Craig Gittens [EMAIL PROTECTED]; Radiator [EMAIL PROTECTED]
Sent: Friday, November 28, 2003 8:46 AM
Subject: Re: (RADIATOR) Can you use SQL if statements in radiator?

On Fri, 28 Nov 2003 05:26 pm, Toomas Kärner wrote:

Hi

I'm not sure if AuthSQLStatement is executed when IgnoreAuthentication is set.

It is not executed.

I'd suggest to use IgnoreAuthentication, AcctStart only and make an AcctSQLStatement instead with the same query.

Rgds.
Toomas

ps. I think that then the order change is not needed also.

----- Original Message -----
From: Craig Gittens [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; Radiator [EMAIL PROTECTED]
Sent: Thursday, November 27, 2003 11:55 PM
Subject: RE: (RADIATOR) Can you use SQL if statements in radiator?

Ok, thanks to Toomas I have come up with this solution but it doesn't work unless I comment out the second AuthBy...it does do an ACCEPT for the first AuthBy but doesn't work for some reason unless I comment out the second AuthBy. Log below. It doesn't send a reply unless I comment out the second AuthBy.

Thanks for your help guys.

Craig.

<Realm oneweek.sunbeach.net>
    #Will log Authentication failures to SQL table.
    AuthLog AuthSQLLogger
    RewriteUsername s/^(.*)\\(.*)/[EMAIL PROTECTED]/
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    #Continue to use AuthBy clauses if AccessAccept to get IP Address assigned
    AuthByPolicy ContinueUntilReject
    #Show Reject Reason From SQL Authenticate SP Query
    RejectHasReason
    <AuthBy SQL>
        DBSource dbi:ODBC:xx
        DBUsername xx
        DBAuth xx
        FailureBackoffTime 30
        NoDefault
        AddToReply Service-Type=Framed-User
        #DefaultSimultaneousUse 1
        CaseInsensitivePasswords
        RejectEmptyPassword
        # Accounting
        AccountingTable CallAccounting
        blah
        # Authentication query - calls function Authenticate.
        AuthSelect \
            select \
            Blah blah blah
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,GENERIC,check
        AuthColumnDef 2,GENERIC,reply
    </AuthBy SQL>
    <AuthBy SQL>
        DBSource dbi:ODBC:x
        DBUsername xx
        DBAuth xx
        FailureBackoffTime 30
        NoDefault
        IgnoreAuthentication
        IgnoreAccounting
        AuthSQLStatement \
            update Login \
            set Expiry_Date = getdate() + 7, First_Use = getdate() \
            where Login_name = %U and \
            First_Use is NULL
    </AuthBy SQL>
</Realm oneweek.sunbeach.net>

Thu Nov 27 17:36:01 2003: DEBUG: Packet dump:
*** Received from 196.3.210.94 port 2048
Code: Access-Request
Identifier: 209
Authentic: 23_$28T148919426?206229)s207%
Attributes:
    User-Password = n)|220137?216118524115222329/239141
    NAS-Identifier = 5
    User-Name = [EMAIL PROTECTED]
    Acct-Session-Id = 32E9
    Called-Station-Id = 2929700
    Calling-Station-Id = 2462280430
    NAS-Port = 1288
    NAS-Port-Type = Async
    Framed-Protocol = PPP
    Service-Type = Framed-User
Thu Nov 27 17:36:01 2003: DEBUG: Handling request with Handler 'Realm=oneweek.sunbeach.net'
Thu Nov 27 17:36:01 2003: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Thu Nov 27 17:36:01 2003: DEBUG: Rewrote user name to sunweek0
Thu Nov 27 17:36:01 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 196.3.210.94, 1288
Thu Nov 27 17:36:01 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER = '196.3.210.94' and NASPORT = 1288':
Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL
Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL:
Thu Nov 27 17:36:01 2003: DEBUG: Query is: 'select LoginPassword, CheckAttr, ReplyAttr from Authenticate('sunweek0', '2462280430', '11/27/2003 17:36:01', 'Async')':
Thu Nov 27 17:36:01 2003: DEBUG: Radius::AuthSQL looks for match with sunweek0
Thu Nov 27 17:36:01 2003: DEBUG: Radius::AuthSQL ACCEPT:
Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL
Thu Nov 27 17:36:03 2003: DEBUG: Packet dump:
*** Received from 196.3.210.94 port 2048
Code: Access-Request
Identifier: 209
Authentic: 23_$28T148919426?206229)s207%
Attributes:
    User-Password = n)|220137?216118524115222329/239141
    NAS-Identifier = 5
    User-Name = [EMAIL PROTECTED]
    Acct-Session-Id = 32E9
    Called-Station-Id = 2929700
    Calling-Station-Id = 2462280430
    NAS-Port = 1288
    NAS-Port
Re: (RADIATOR) Can you use SQL if statements in radiator?
Hi,

Here's an example of how I do my prepaid cards (it's different now already but it fits you) and there's no need for SQL if statements.

#
<AuthBy SQL>
    Identifier AcctStartOnlyPrepaidCard
    DBSource
    DBUsername
    DBAuth
    IgnoreAuthentication
    AccountingStartsOnly
    AcctSQLStatement UPDATE cards SET \
        START = from_unixtime(%{Timestamp}), \
        END = from_unixtime(%{Timestamp} + START_CREDIT), \
        START_CREDIT = NULL \
        WHERE username='%n' and \
        ACTIVE = 'Yes' and \
        START_CREDIT is not null
</AuthBy>
#
<AuthBy SQL>
    Identifier AuthPrepaidCard
    DBSource
    DBUsername
    DBAuth
    AuthSelect select \
        TYPE, \
        ACTIVE, \
        LOCKED_TO, \
        unix_timestamp(end), \
        unix_timestamp(expires), \
        PASSWORD, \
        rate, \
        rate, \
        start_credit, \
        (unix_timestamp(end) - unix_timestamp()) \
        from cards where \
        USERNAME ='%n'
    AuthColumnDef 0, ETC-Realm,check
    AuthColumnDef 1, ETC-Active,check
    AuthColumnDef 2, NAS-Port, check
    AuthColumnDef 3, Expiration, check
    AuthColumnDef 4, Expiration, check
    AuthColumnDef 5, User-Password, check
    AuthColumnDef 6, Nomadix-Bw-Down, reply
    AuthColumnDef 7, Nomadix-Bw-Up, reply
    AuthColumnDef 8, Session-Timeout, reply
    AuthColumnDef 9, Session-Timeout, reply
    DefaultSimultaneousUse 1
    NoDefault
    RejectEmptyPassword
    AddToReplyIfNotExist Nomadix-Bw-Down=2000,Nomadix-Bw-Up=2000,Idle-Timeout=900
    AcctSQLStatement insert into .
</AuthBy>
#
<Realm pre1h>
    AuthLog LoginFailureLog
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    RejectHasReason
    AuthByPolicy ContinueUntilReject
    AuthBy AcctStartOnlyPrepaidCard
    AuthBy AuthPrepaidCard
    PostAuthHook file:/home/radius/etc/hooks/wn/PostAuthHook.pl
</Realm pre1h>
#

----- Original Message -----
From: Craig Gittens [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 11:51 PM
Subject: (RADIATOR) Can you use SQL if statements in radiator?

Hey guys,

I am trying to get a new product to work where when the username and password is used and is valid then it would update the SQL database with an end date for the product.

So I need this logic to work in a SQL statement in Radiator:

User is a valid user and is allowed online,
User entry gets updated in SQL with a date I set (today + 30 days)
If not then it would not update the user entry of course

Is this possible? I have tried SQL Functions but they can't update a permanent table.

Regards,
Craig.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
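The conditional update this thread arrives at, with the WHERE clause doing the work of the IF, shown as an added example that is not part of the original posts. Python's sqlite3 stands in for the ODBC database; the table contents, the helper names (`activate_on_first_use`, `expiry_of`, `demo`) and the sample usernames are constructed, and the username is passed as a bound parameter instead of being placed in the statement text.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the thread's Login table (SQLite instead of the
# ODBC source; column names follow the UPDATE quoted in the thread).
SCHEMA = """
CREATE TABLE Login (
    Login_name  TEXT PRIMARY KEY,
    First_Use   TEXT,   -- NULL until the first Accounting-Start is seen
    Expiry_Date TEXT
)
"""

# The "if" lives in the WHERE clause: a row that was already activated
# (First_Use IS NOT NULL) does not match, so its expiry is never overwritten.
ACTIVATE = """
UPDATE Login
   SET Expiry_Date = :expiry, First_Use = :now
 WHERE Login_name = :user
   AND First_Use IS NULL
"""


def open_db():
    """Create an in-memory database with two constructed, unused accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO Login VALUES (?, NULL, NULL)",
        [("sunweek0",), ("sunweek1",)],
    )
    return db


def activate_on_first_use(db, user, now, valid_days=7):
    """Run once per Accounting-Start. True only if this call activated the account."""
    expiry = now + timedelta(days=valid_days)
    cur = db.execute(
        ACTIVATE,
        {
            "user": user,  # bound parameter: quotes in the name stay data
            "now": now.isoformat(sep=" "),
            "expiry": expiry.isoformat(sep=" "),
        },
    )
    db.commit()
    return cur.rowcount == 1


def expiry_of(db, user):
    row = db.execute(
        "SELECT Expiry_Date FROM Login WHERE Login_name = ?", (user,)
    ).fetchone()
    return row[0] if row else None


def demo():
    db = open_db()
    t0 = datetime(2003, 11, 27, 17, 36, 1)
    results = {
        # First Accounting-Start for the account: activates it.
        "first_start": activate_on_first_use(db, "sunweek0", t0),
        # NAS retransmits the same Start two seconds later: no second update.
        "duplicate_start": activate_on_first_use(db, "sunweek0", t0 + timedelta(seconds=2)),
        # A new session three days later must not push the expiry out.
        "later_session": activate_on_first_use(db, "sunweek0", t0 + timedelta(days=3)),
        # Unknown user: zero rows match, nothing happens.
        "unknown_user": activate_on_first_use(db, "nosuchuser", t0),
        # A name containing a quote character is matched literally.
        "quoted_name": activate_on_first_use(db, "o'brien", t0),
    }
    results["expiry"] = expiry_of(db, "sunweek0")
    results["untouched"] = expiry_of(db, "sunweek1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the statement matches only rows where `First_Use` is still NULL, running it on every Accounting-Start is safe: retransmitted packets and later sessions change nothing.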
Re: (RADIATOR) Can you use SQL if statements in radiator?
Hi

I'm not sure if AuthSQLStatement is executed when IgnoreAuthentication is set.

I'd suggest to use IgnoreAuthentication, AcctStart only and make an AcctSQLStatement instead with the same query.

Rgds.
Toomas

ps. I think that then the order change is not needed also.

----- Original Message -----
From: Craig Gittens [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; Radiator [EMAIL PROTECTED]
Sent: Thursday, November 27, 2003 11:55 PM
Subject: RE: (RADIATOR) Can you use SQL if statements in radiator?

Ok, thanks to Toomas I have come up with this solution but it doesn't work unless I comment out the second AuthBy...it does do an ACCEPT for the first AuthBy but doesn't work for some reason unless I comment out the second AuthBy. Log below. It doesn't send a reply unless I comment out the second AuthBy.

Thanks for your help guys.

Craig.

<Realm oneweek.sunbeach.net>
    #Will log Authentication failures to SQL table.
    AuthLog AuthSQLLogger
    RewriteUsername s/^(.*)\\(.*)/[EMAIL PROTECTED]/
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    #Continue to use AuthBy clauses if AccessAccept to get IP Address assigned
    AuthByPolicy ContinueUntilReject
    #Show Reject Reason From SQL Authenticate SP Query
    RejectHasReason
    <AuthBy SQL>
        DBSource dbi:ODBC:xx
        DBUsername xx
        DBAuth xx
        FailureBackoffTime 30
        NoDefault
        AddToReply Service-Type=Framed-User
        #DefaultSimultaneousUse 1
        CaseInsensitivePasswords
        RejectEmptyPassword
        # Accounting
        AccountingTable CallAccounting
        blah
        # Authentication query - calls function Authenticate.
        AuthSelect \
            select \
            Blah blah blah
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,GENERIC,check
        AuthColumnDef 2,GENERIC,reply
    </AuthBy SQL>
    <AuthBy SQL>
        DBSource dbi:ODBC:x
        DBUsername xx
        DBAuth xx
        FailureBackoffTime 30
        NoDefault
        IgnoreAuthentication
        IgnoreAccounting
        AuthSQLStatement \
            update Login \
            set Expiry_Date = getdate() + 7, First_Use = getdate() \
            where Login_name = %U and \
            First_Use is NULL
    </AuthBy SQL>
</Realm oneweek.sunbeach.net>

Thu Nov 27 17:36:01 2003: DEBUG: Packet dump:
*** Received from 196.3.210.94 port 2048
Code: Access-Request
Identifier: 209
Authentic: 23_$28T148919426?206229)s207%
Attributes:
    User-Password = n)|220137?216118524115222329/239141
    NAS-Identifier = 5
    User-Name = [EMAIL PROTECTED]
    Acct-Session-Id = 32E9
    Called-Station-Id = 2929700
    Calling-Station-Id = 2462280430
    NAS-Port = 1288
    NAS-Port-Type = Async
    Framed-Protocol = PPP
    Service-Type = Framed-User
Thu Nov 27 17:36:01 2003: DEBUG: Handling request with Handler 'Realm=oneweek.sunbeach.net'
Thu Nov 27 17:36:01 2003: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Thu Nov 27 17:36:01 2003: DEBUG: Rewrote user name to sunweek0
Thu Nov 27 17:36:01 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 196.3.210.94, 1288
Thu Nov 27 17:36:01 2003: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER = '196.3.210.94' and NASPORT = 1288':
Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL
Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL:
Thu Nov 27 17:36:01 2003: DEBUG: Query is: 'select LoginPassword, CheckAttr, ReplyAttr from Authenticate('sunweek0', '2462280430', '11/27/2003 17:36:01', 'Async')':
Thu Nov 27 17:36:01 2003: DEBUG: Radius::AuthSQL looks for match with sunweek0
Thu Nov 27 17:36:01 2003: DEBUG: Radius::AuthSQL ACCEPT:
Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL
Thu Nov 27 17:36:03 2003: DEBUG: Packet dump:
*** Received from 196.3.210.94 port 2048
Code: Access-Request
Identifier: 209
Authentic: 23_$28T148919426?206229)s207%
Attributes:
    User-Password = n)|220137?216118524115222329/239141
    NAS-Identifier = 5
    User-Name = [EMAIL PROTECTED]
    Acct-Session-Id = 32E9
    Called-Station-Id = 2929700
    Calling-Station-Id = 2462280430
    NAS-Port = 1288
    NAS-Port-Type = Async
    Framed-Protocol = PPP
    Service-Type = Framed-User
Thu Nov 27 17:36:03 2003: INFO: Duplicate request id 209 received from 196.3.210.94(2048): ignored
(RADIATOR) Major Cisco bug
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
Re: (RADIATOR) How to restrict the Dial Up on Bandwith.
Hi,

Ok. I have been configuring SMS devices for 3,5 years now and from customer 0. to customer ~40'000. And here is what I know about SMS devices and bandwidth management. (At the beginning there is some simple stuff.)

First you can set default parameters that will be applied to all subscribers and these are defined under:

subscriber default
    dns primary 1.2.3.4
    dns secondary 4.5.6.7
    ip address pool
    rate-limit rate 450 burst 1

This is context based (defined per each context (Virtual Router) separately and applies only to subscribers bound to this context during binding). It is also lower priority than radius, if SMS gets any attributes from radius - they are applied.

From radius you can send these parameters with attributes:

RB-Rate-Limit-Rate = 450
RB-Rate-Limit-Burst = 1

#
#VENDORATTR 2352 RB-Rate-Limit-Rate 10 integer
#VENDORATTR 2352 RB-Rate-Limit-Burst 11 integer
#

Now, from SW release 6 (I think) there is available an administrative command like:

[context]SMSDEVICE#reauthorize ?
    acct-session-id  Reauthorize by account id
    subscriber       Reauthorize by subscriber name

Which basically means that you can initialize the reauthorization process by yourself. During that process SMS sends Access-Request to radius, receives reply, applies any attributes received to subscriber on flight. So, if it receives now that Rate has to be 2000 (Rate limit rate (Kb/s)) then it will start rating by 2000.

First they had some problems - Reauthorization Access-Request didn't include all attributes that were present in initial Access-Request but that got fixed. I have tested Release 6.0.3.0 and it works fine.

And even better, you can initialize reauth by sending SNMP set. It is basically possible to get the status of a session (Acct-Session-Id), kill it and set it to reauth by just reading, setting to 1 or 2 with the same OID and instance calculated from Acct-Session-Id.

So, to make it all work you just have to build a portal that authenticates portal login against your userdatabase and against session database (to verify http source ip), edit user record in userdatabase in desired way, then get session-id (I'd prefer that to a username) from session-db, snmp-set SMS device for that session reauth.

PS. if this authentication fails - nothing happens and user will not get disconnected, just no attributes will be applied, so it is quite safe to try even with online SMS.

I even built a db that contained sessions that had their attributes different than per-product. In there I keep also user-desired timeouts (up to what time they desired such parameters). Then it is easy to build a piece of SW that looks up the table, finds expired sessions/users, sets their user-record back to original in user-db and snmp-sets SMS for reauth of their session.

I didn't send any code because they are all very old and bad and most of it is rubbish. If I clean it up one day, maybe I'll send it then. Meanwhile, if somebody is interested in launching something like it will have to ask directly over mail ([EMAIL PROTECTED]).

(There's lot more that you can find out in 3,5 years in dsl business :).)

Rgds.
Toomas Kärner

----- Original Message -----
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]
Cc: Guðbjörn S. Hreinsson [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 2:33 AM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

Hello Toomas -

Not really a Radiator issue, but very interesting none the less. And I am sure that there are many subscribers to the list who enjoy this level of discussion as much as I do.

Please feel free to continue posting such interesting material.

regards
Hugh

On Wednesday, Jun 25, 2003, at 18:27 Australia/Melbourne, Toomas Kärner wrote:

Hi,

I have successfully built and tested a sort of portal for users where they can SET their desired bandwidth for desired amount of time and it applies to whole connection (not just to certain direction) with RedBack SMS. It uses SNMP set to initialize user reauthentication and then SMS applies new parameters on flight without dropping any sessions.

Juniper ERX family is capable of doing such things even based on access-lists (you can just order 2Mbps to certain site) but it uses COPS/LDAP and so on and is much harder to set up. I haven't spent much time with it also.

This is how we will address users problem to spend extra money and get more.

Anyway .. not more a radiator list issue ...

Rgds.
Toomas Kärner

----- Original Message -----
From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 11:10 AM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

Cheers,

We perform matching 10 min. after the hour every hour. This will analyze the logs, import it into an sql server and it is then compared to the radius logs which are also in an sql server. I
Re: (RADIATOR) How to restrict the Dial Up on Bandwith.
Hi,

I have successfully built and tested a sort of portal for users where they can SET their desired bandwidth for desired amount of time and it applies to whole connection (not just to certain direction) with RedBack SMS. It uses SNMP set to initialize user reauthentication and then SMS applies new parameters on flight without dropping any sessions.

Juniper ERX family is capable of doing such things even based on access-lists (you can just order 2Mbps to certain site) but it uses COPS/LDAP and so on and is much harder to set up. I haven't spent much time with it also.

This is how we will address users problem to spend extra money and get more.

Anyway .. not more a radiator list issue ...

Rgds.
Toomas Kärner

----- Original Message -----
From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 11:10 AM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

Cheers,

We perform matching 10 min. after the hour every hour. This will analyze the logs, import it into an sql server and it is then compared to the radius logs which are also in an sql server. I think it should scale pretty good, if you have performance problems use standard techniques, like breaking up the logging in the Collector etc.

The problem is tracking live sessions and configuring your whole access system so that as little as possible is lost about sessions. Radius is not the best protocol to ensure no session information is lost.

Not really very heavy...

Flat fee and traffic shaping sounds good, do you think your customers would be willing to pay for keeping the extra bandwidth after they have consumed the included bandwidth?

Rgds,
-GSH

----- Original Message -----
From: Toomas Kärner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:30 AM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

Hi,

I wonder up to what point you are able to deal with such logs? We have at the moment around 5.5M records per month in our DSL customers log and to match that to a NetFlow log about 114TB (that's their generated traffic)... huhh

How far does this kind of solution scale?

Anyway, we give (test period at the moment) to one certain site 2Mbps but to any else according to the original bandwidth (256kbps to 512kbps) but we don't account for amount of data - everything is flat fee. This feature is basically traffic shaping based on access-lists. Hardware used is Unisphere/Siemens/(and now already)Juniper ERX family. RedBack's will also have that feature for their SMS series by the end of summer and SE (SmartEdge) is already capable of it (I think - haven't tested yet the latest software).

Rgds.
Toomas Kärner

----- Original Message -----
From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, June 22, 2003 1:25 PM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

We use Cisco Netflow to measure traffic, we exclude certain sites so that traffic does not appear in the logs. We then match radius accounting packets and netflow logs to generate rating data for billing. We don't speed limit customers when they pass their limits, but bill them for the extra download.

Rgds,
-GSH

I am not sure if this solution is done with Radiator or not. I have noticed many ISPs offering ADSL connections with free traffic to certain web sites. They are also speed limiting customers when they run past their download limit but not counting the traffic to the free websites.

Anyone know how the radius accounting is done. Or does anyone know what product they are using to do this.
Re: (RADIATOR) How to restrict the Dial Up on Bandwith.
Hi,

I wonder up to what point you are able to deal with such logs? We have at the moment around 5.5M records per month in our DSL customers log and to match that to a NetFlow log about 114TB (that's their generated traffic)... huhh

How far does this kind of solution scale?

Anyway, we give (test period at the moment) to one certain site 2Mbps but to any else according to the original bandwidth (256kbps to 512kbps) but we don't account for amount of data - everything is flat fee. This feature is basically traffic shaping based on access-lists. Hardware used is Unisphere/Siemens/(and now already)Juniper ERX family. RedBack's will also have that feature for their SMS series by the end of summer and SE (SmartEdge) is already capable of it (I think - haven't tested yet the latest software).

Rgds.
Toomas Kärner

----- Original Message -----
From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, June 22, 2003 1:25 PM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

We use Cisco Netflow to measure traffic, we exclude certain sites so that traffic does not appear in the logs. We then match radius accounting packets and netflow logs to generate rating data for billing. We don't speed limit customers when they pass their limits, but bill them for the extra download.

Rgds,
-GSH

I am not sure if this solution is done with Radiator or not. I have noticed many ISPs offering ADSL connections with free traffic to certain web sites. They are also speed limiting customers when they run past their download limit but not counting the traffic to the free websites.

Anyone know how the radius accounting is done. Or does anyone know what product they are using to do this.
Re: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL
Hi,

Actually I don't need special hooks per client. My problem is that when I do

my $identifier = $p->{Client}->{Identifier};

in PreClientHook (the client is not selected yet) I will get nothing so I just need to execute my hook a little later than PreClient and PreHandler would be perfect. So if there were a keyword in ClientList SQL with what I could call for hook that would be executed with every client.

I need this Identifier (from SQL) for NAS detection, to be able to send back correct set of parameters needed for this NAS in order to set up session.

So the thing that I really need is to add an attribute to every request with a NAS type and this type should come from SQL.

Rgds.
Toomas

----- Original Message -----
From: Hugh Irvine [EMAIL PROTECTED]
To: Claudio Lapidus [EMAIL PROTECTED]; [EMAIL PROTECTED]; Toomas Kärner [EMAIL PROTECTED]
Sent: Friday, January 31, 2003 1:04 AM
Subject: Re: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL

Hello Toomas, Hello Claudio -

I have been thinking about this a bit more, and there are alternative approaches that you could consider.

The first would be a StartupHook that compiles code with multiple entry points and then patches those entry points into the Client structures that have been built from the database (probably using the Identifier tags).

The second would be a generic PreClientHook that checks to see for which Client clause the current request is destined for, then does the processing for that Client.

Both of these approaches are a bit more complicated than using PreHandlerHooks in the Client clauses directly, but at least it's possible.

regards
Hugh

On Friday, Jan 31, 2003, at 09:38 Australia/Melbourne, Mike McCauley wrote:

Hello Claudio and Toomas,

On Fri, 31 Jan 2003 09:27 am, Hugh Irvine wrote:

Mikey -

Could you answer this please?

ta
Hugh

Begin forwarded message:

From: Toomas Kärner [EMAIL PROTECTED]
Date: Fri Jan 31, 2003 02:36:44 Australia/Melbourne
To: Claudio Lapidus [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL

Hi,

Any comments? ... I have the same issue.

Rgds.
Toomas Kärner

----- Original Message -----
From: Claudio Lapidus [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 07, 2002 12:01 AM
Subject: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL

Hello,

I need to get the PreHandlerHook for certain clients from our standard RADCLIENTLIST SQL table. The problem is that I'd prefer to store the hook code in a file and not directly inside the table, for various reasons. I've set up this config and it works fine:

<Client x.x.x.x>
    Secret s
    PreHandlerHook file:%D/preauth.pl
</Client>

As expected, the hook gets executed for this particular client. However, this one doesn't work:

<ClientListSQL>
    DBSource dbi:mysql:radiator
    DBUsername sqluser
    DBAuth donttellya
</ClientListSQL>

from the table we get:

mysql> select NASIDENTIFIER, SECRET, PREHANDLERHOOK from RADCLIENTLIST;
+---------------+--------+--------------------+
| NASIDENTIFIER | SECRET | PREHANDLERHOOK     |
+---------------+--------+--------------------+
| x.x.x.x       | s      | file:%D/preauth.pl |
+---------------+--------+--------------------+
1 row in set (0.00 sec)

By seeing further action it is apparent that the hook doesn't get executed this time. However, even at level 4 trace doesn't show anything regarding this step. I also tried changing double quotes to single quotes in the field contents, to no avail.

So:

1. Is it legal to store the hook's filename into the table instead of the code itself? (I hope so :-)

No. The file:..syntax is recognised by the config file parser, so it only works in the config file.

2. Is there a way to increase debug verbosity for ClientListSQL operations?

Only by adding more $self->log($main::LOG_DEBUG, ...); lines. If you have a particular need for more debug, let me know where, and I will see if we can add it.

Cheers.

TIA,
cl.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
Phone +61 3 9598-0985    Fax +61 3 9598-0955
Radiator
Re: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL
Hi,

Any comments? ... I have the same issue.

Rgds.
Toomas Kärner

----- Original Message -----
From: Claudio Lapidus [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 07, 2002 12:01 AM
Subject: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL

Hello,

I need to get the PreHandlerHook for certain clients from our standard RADCLIENTLIST SQL table. The problem is that I'd prefer to store the hook code in a file and not directly inside the table, for various reasons. I've set up this config and it works fine:

<Client x.x.x.x>
    Secret s
    PreHandlerHook file:%D/preauth.pl
</Client>

As expected, the hook gets executed for this particular client. However, this one doesn't work:

<ClientListSQL>
    DBSource dbi:mysql:radiator
    DBUsername sqluser
    DBAuth donttellya
</ClientListSQL>

from the table we get:

mysql> select NASIDENTIFIER, SECRET, PREHANDLERHOOK from RADCLIENTLIST;
+---------------+--------+--------------------+
| NASIDENTIFIER | SECRET | PREHANDLERHOOK     |
+---------------+--------+--------------------+
| x.x.x.x       | s      | file:%D/preauth.pl |
+---------------+--------+--------------------+
1 row in set (0.00 sec)

By seeing further action it is apparent that the hook doesn't get executed this time. However, even at level 4 trace doesn't show anything regarding this step. I also tried changing double quotes to single quotes in the field contents, to no avail.

So:

1. Is it legal to store the hook's filename into the table instead of the code itself? (I hope so :-)

2. Is there a way to increase debug verbosity for ClientListSQL operations?

TIA,
cl.
Re: (RADIATOR) Anyone here used a Hot Spot Gateway ?
Hi

I have tried Nokia Access Controller, now I'm using Nomadix USG and today I will look at one box from Cisco. There are some feature differences and Nomadix USG (Universal Subscriber Gateway) is actually an L2 device. It can do pretty nice stuff (for example no L3 reconfiguration is needed on customer's PC, even with wrong static IP address). They all do basically the same thing but I would like to have even more features than they support today.

Let's see what the Cisco is capable of.

Rgds.
Toomas Kärner

----- Original Message -----
From: Wayne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 21, 2003 10:33 PM
Subject: (RADIATOR) Anyone here used a Hot Spot Gateway ?

Hi,

I'm looking to authenticate my wireless and IP DSL customers using Radius. Has anybody used a Hot Spot Gateway like MikroTik router to do this? I don't have a very large wireless or DSL network, only about 500 users. I would like to know if anyone had any suggestions for edge routers or servers to limit customers' bandwidth and keep track of their IP via Radius.

Wayne
Re: (RADIATOR) WiFi - Business
Hi,

We in Estonia have also set up some WiFi HotSpots. I'm involved with it on access controller and AAA side.

Rgds.
Toomas Kärner

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, January 17, 2003 3:35 AM
Subject: (RADIATOR) WiFi - Business

Hi All,

We are looking to provide Hotspot business but based on the current hotspot models around we find no business case. I would appreciate it if someone could share his/her opinions.

Best Regards
Re: (RADIATOR) Bug?
Hi all,

Sorry, my bad. I looked at the code, understood it, looked at the manual again and realized that NoDefault is effective in case of REJECT and NOT only in case of Not found. That started my little snowball.

The only real idea that grew out of this is that maybe $defaultNumber should have a limit. With my loop I created 52000 requests to SQL and I can't think of a reason why someone should need so many defaults and would allow them at such a big cost of load. I think 512 should be way enough.

Rgds and apologies.
Toomas Kärner

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 13, 2002 11:50 PM
Subject: Re: (RADIATOR) Bug?

Hello Toomas -

The fundamental issue is the architecture of Radiator itself and specifically the AuthBy clauses, all of which fundamentally implement a find_user routine, which is why you see the problem that you do. You are correct that what I show below is a workaround, i.e. the first AuthBy uses a couple of DEFAULT entries so that find_user works, then passes off the request using the Auth-Type construct to an AuthBy clause in which you can do anything you like. The extra processing overhead is minimal, as the AuthBy FILE will cache the DEFAULT lines in memory and will simply do a couple of memory lookups.

I encourage you to have a look at the code in Radius/AuthGeneric.pm and Radius/AuthSQL.pm to see what goes on. I have also copied this mail to Mike for his additional comments.
regards Hugh On Friday, Dec 13, 2002, at 22:26 Australia/Melbourne, Toomas Kärner wrote: Hi, So, AuthBy's like: AuthBy SQL Identifier AuthBlacklistCheck DBSourcedbi:mysql: DBUsername DBAuth AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \ MACADDRESS like '%{Calling-Station-Id}' and \ ACTIVE = 'Yes' AuthColumnDef 0, Service-Type,check AuthColumnDef 1, Reply-Message,reply NoDefault AcceptIfMissing /AuthBy and AuthBy SQL Identifier AuthUser DBSource dbi:mysql: DBUsername DBAuth AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\ REPLYATTR \ from xx where USERNAME ='%n' AuthColumnDef 0, ETC-Admin-Active, check AuthColumnDef 1, ETC-Admin-Wireless, check AuthColumnDef 2, GENERIC, check AuthColumnDef 3, User-Password, check AuthColumnDef 4, GENERIC, reply DefaultSimultaneousUse 1 NoDefault RejectEmptyPassword AccountingTable log AcctColumnDef DATE,Timestamp ,formatted-date,'%Y-%m-%d' . . . /AuthBy and realm like Realm admin RewriteUsername s/^([^@]+).*/$1/ AuthByPolicy ContinueUntilReject AuthBy AuthBlacklistCheck AuthBy AuthUser /Realm admin is impossible because AuthBlacklistCheck has nothing to do with usernames and that freaks it out to go to loop with DEFAULT? I think that this is more than configuration issue and configuration that you gave me is more like a workaround that probably takes more load. If this is true that if no such thing as username is received from sql results in a new query with default username then it is impossible to use radiator for authentication of layer 2. If you are confused what I mean by Layer 2 authentication, this is checking layer 2 information for given request and if that succeeds then go forward with username authentication. Also from the Archive: 17. oct. 2002 to [EMAIL PROTECTED] you said: { The reason for doing it this way is because the AuthBy processing is looking for a user, which the AuthBy SQL clause is not doing. 
} I don't want to do anything with user in that AuthBy, I just want to verify 2L information. Is that a limitation in Radiator? Rgds. Toomas - Original Message - From: Hugh Irvine [EMAIL PROTECTED] To: Toomas Kärner [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, December 13, 2002 12:59 AM Subject: Re: (RADIATOR) Bug? Hello Toomas - This is not a bug really - it is more a configuration issue. The problem that you show below is due to the fact that the AuthBy is looking for the username, and you are overriding it to look for something else. This leads to the AuthBy continuing to look for DEFAULT... . The correct way to build a configuration file to do blacklist checking is to use cascaded AuthBy clauses. Something like this: # define AuthBy clauses AuthBy SQL Identifier CheckMACAddress .. /AuthBy AuthBy FILE Identifier CheckBlacklist Filename %D/blacklist /AuthBy
Re: (RADIATOR) Bug?
Hi,

So, AuthBy's like:

<AuthBy SQL>
    Identifier AuthBlacklistCheck
    DBSource dbi:mysql:
    DBUsername
    DBAuth
    AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
        MACADDRESS like '%{Calling-Station-Id}' and \
        ACTIVE = 'Yes'
    AuthColumnDef 0, Service-Type,check
    AuthColumnDef 1, Reply-Message,reply
    NoDefault
    AcceptIfMissing
</AuthBy>

and

<AuthBy SQL>
    Identifier AuthUser
    DBSource dbi:mysql:
    DBUsername
    DBAuth
    AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
        REPLYATTR \
        from xx where USERNAME ='%n'
    AuthColumnDef 0, ETC-Admin-Active, check
    AuthColumnDef 1, ETC-Admin-Wireless, check
    AuthColumnDef 2, GENERIC, check
    AuthColumnDef 3, User-Password, check
    AuthColumnDef 4, GENERIC, reply
    DefaultSimultaneousUse 1
    NoDefault
    RejectEmptyPassword
    AccountingTable log
    AcctColumnDef DATE,Timestamp ,formatted-date,'%Y-%m-%d'
    . . .
</AuthBy>

and realm like

<Realm admin>
    RewriteUsername s/^([^@]+).*/$1/
    AuthByPolicy ContinueUntilReject
    AuthBy AuthBlacklistCheck
    AuthBy AuthUser
</Realm admin>

is impossible because AuthBlacklistCheck has nothing to do with usernames and that freaks it out to go to loop with DEFAULT?

I think that this is more than a configuration issue, and the configuration that you gave me is more like a workaround that probably takes more load. If it is true that when no such thing as a username is received from SQL the result is a new query with the default username, then it is impossible to use Radiator for authentication of layer 2.

If you are confused about what I mean by Layer 2 authentication, this is checking layer 2 information for a given request and, if that succeeds, going forward with username authentication.

Also from the Archive: 17 Oct. 2002 to [EMAIL PROTECTED] you said:

{ The reason for doing it this way is because the AuthBy processing is looking for a user, which the AuthBy SQL clause is not doing. }

I don't want to do anything with user in that AuthBy, I just want to verify 2L information. Is that a limitation in Radiator?

Rgds.
Toomas

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 13, 2002 12:59 AM
Subject: Re: (RADIATOR) Bug?

Hello Toomas -

This is not a bug really - it is more a configuration issue. The problem that you show below is due to the fact that the AuthBy is looking for the username, and you are overriding it to look for something else. This leads to the AuthBy continuing to look for DEFAULT... .

The correct way to build a configuration file to do blacklist checking is to use cascaded AuthBy clauses. Something like this:

# define AuthBy clauses
<AuthBy SQL>
    Identifier CheckMACAddress
    ..
</AuthBy>

<AuthBy FILE>
    Identifier CheckBlacklist
    Filename %D/blacklist
</AuthBy>

..

# define Realms or Handlers
<Realm ...>
    AuthByPolicy ContinueWhileAccept
    .
    AuthBy CheckBlacklist
    .
</Realm>

.

The SQL table would contain something like this:

MACADDRESS           ACTION
nn.nn.nn.nn.nn.nn    Auth-Type = Reject
oo.oo.oo.oo.oo.oo    Auth-Type = Reject
.

The file blacklist would contain this:

# blacklist
DEFAULT Auth-Type = CheckMACAddress
DEFAULT Auth-Type = Accept

This topic has been discussed on the list many times, so check the archive if you are interested.

www.open.com.au/archives/radiator

regards
Hugh

On Thursday, Dec 12, 2002, at 21:38 Australia/Melbourne, Toomas Kärner wrote:

Hi

When I have config like:

<Realm plah>
    AuthByPolicy ContinueUntilReject
    AuthBy Identifier_of_some_authby_that_gives_reject
    <AuthBy SQL>
        plahplah
    </AuthBy>
</Realm plah>

This kind of conf results in a loop in Identifier_of_some_authby_that_gives_reject and never goes to AuthBy SQL.

debug 4 of such config (it had other problems as well but it shouldn't have gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).

Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52061
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52062
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS
Re: (RADIATOR) Bug?
Yes, I know, but as you can see it finds the account and then the NoDefault shouldn't be effective at all. NoDefault is useful ONLY if Select gives back Empty Set. So ... this is another issue ...

- Original Message -
From: Ingvar Berg (EAB) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 1:23 PM
Subject: RE: (RADIATOR) Bug?

There is some NoDefault parameter you could use in the looping AuthBy

/Ingvar

-Original Message-
From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 11:39
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Bug?

Hi

When I have config like:

<Realm plah>
    AuthByPolicy ContinueUntilReject
    AuthBy Identifier_of_some_authby_that_gives_reject
    <AuthBy SQL>
        plahplah
    </AuthBy>
</Realm plah>

This kind of conf results in a loop in Identifier_of_some_authby_that_gives_reject and never goes to AuthBy SQL.

debug 4 of such config (it had other problems as well but it shouldn't have gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).

Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52061
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52062
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52063
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'

Anyway I think it would be a good idea to add a keyword RejectIfFound to the features for blacklist building purposes.

Rgds.
Toomas Kärner
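The debug output quoted in this thread shows one AuthBy re-issuing the same SQL query for DEFAULT52061, DEFAULT52062 and so on. The following is an added example, not part of the original posts and not Radiator code: a log check that flags such a runaway DEFAULT lookup, using the limit of 512 proposed in the thread as the default threshold. The function name, the result fields and the Radius::AuthFILE sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the Radius::AuthSQL lines follow the debug output quoted
# in this thread; the Radius::AuthFILE lines are an invented benign case.
SAMPLE_LOG = """\
Thu Dec 12 09:18:47 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Thu Dec 12 09:18:47 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52061
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52062
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52063
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
"""

# "<timestamp>: <LEVEL>: <message>" as it appears in the quoted debug log.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): ([A-Z]+): (.*)$")
LOOKUP_RE = re.compile(r"^(\S+) looks for match with DEFAULT(\d*)$")
REJECT_RE = re.compile(r"^(\S+) REJECT: (.*)$")
QUERY_RE = re.compile(r"^Query is: (.*)$")


def find_default_loops(lines, max_default=512):
    """Return one finding per module whose DEFAULT<n> index exceeds max_default."""
    stats = defaultdict(lambda: {"max_index": 0, "lookups": 0, "per_second": Counter(),
                                 "queries": Counter(), "last_reject": None})
    last_module = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # packet dumps and other multi-line output
        stamp, _level, msg = m.groups()
        lookup = LOOKUP_RE.match(msg)
        reject = REJECT_RE.match(msg)
        query = QUERY_RE.match(msg)
        if lookup:
            last_module = lookup.group(1)
            entry = stats[last_module]
            # A bare "DEFAULT" counts as index 0.
            entry["max_index"] = max(entry["max_index"], int(lookup.group(2) or 0))
            entry["lookups"] += 1
            entry["per_second"][stamp] += 1
        elif reject:
            last_module = reject.group(1)
            stats[last_module]["last_reject"] = reject.group(2)
        elif query and last_module:
            # Query lines carry no module name; attribute them to the module
            # that logged most recently.
            stats[last_module]["queries"][query.group(1)] += 1

    findings = []
    for module, entry in stats.items():
        if entry["max_index"] <= max_default:
            continue
        top_query, repeats = (entry["queries"].most_common(1) or [(None, 0)])[0]
        findings.append({
            "module": module,
            "max_index": entry["max_index"],
            "lookups_seen": entry["lookups"],
            "peak_per_second": max(entry["per_second"].values()),
            "repeated_query": top_query,
            "query_repeats": repeats,
            "last_reject": entry["last_reject"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_default_loops(SAMPLE_LOG.splitlines()):
        print(finding)
```

The highest DEFAULT index is the useful signal even when only the tail of the log survives, because it shows how many lookups, and therefore SQL queries, the single request has already caused.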
Re: (RADIATOR) Bug?
Hi,

It works (partly - some problems with AuthByPolicy's) if you put it into realm. I added some comments and also I haven't tested it (I tested an earlier version which I already changed and this is a recreation).

#
<AuthBy SQL>
    Identifier AuthBlacklistCheck
    DBSource dbi:mysql:
    DBUsername
    DBAuth
    AuthSQLStatement UPDATE macblacklist SET \
        LASTTRY = '%Y-%m-%d %H:%M:%S', \ - PS. HERE I CAN'T USE '%{Timestamp}'
        LASTTRYUSERNAME = '%n', \
        LASTTRYLOCATION = '%{NAS-Port}' \
        where MACADDRESS = '%{Calling-Station-Id}' \
        and ACTIVE = 'Yes'
    AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
        MACADDRESS like '%{Calling-Station-Id}' and \
        ACTIVE = 'Yes'
    AuthColumnDef 0, Service-Type,check
    AuthColumnDef 1, Reply-Message,reply
    #MAC Address is compared with Service-Type to get REJECT if found.
    #NoDefault
    AcceptIfMissing
</AuthBy>
#
<Realm admin>
    #
    PreAuthHook sub { \
        my $p=${$_[0]}; \
        if ((${$_[0]}->code) eq 'Access-Request') { \
            $p->add_attr('ETC-Admin-Wireless','Admin'); \
            $p->add_attr('ETC-Admin-Active','Yes'); \
        } \
    }
    #
    AuthLog AdminLoginFailuresLog
    RewriteUsername s/^([^@]+).*/$1/
    RejectHasReason
    AuthByPolicy ContinueUntilReject
    AuthBy AuthBlacklistCheck
    #
    <AuthBy SQL>
        Identifier AcctStartOnlyAdmin
        DBSource dbi:mysql
        DBUsername
        DBAuth
        IgnoreAuthentication
        AccountingStartsOnly
        AcctSQLStatement UPDATE X SET \
            LAST_LOGIN_TIME=from_unixtime(%{Timestamp}), \
            LAST_LOGIN_CONNECTION = '%{ETC-Network-Type}', \
            LAST_LOGIN_LOCATION = '%{NAS-Port}' \
            WHERE username='%U'
    </AuthBy>
    #
    <AuthBy SQL>
        Identifier AdminAuth
        DBSource dbi:mysql:
        DBUsername
        DBAuth
        AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
            REPLYATTR \
            from where USERNAME ='%n'
        AuthColumnDef 0, ETC-Admin-Active, check
        AuthColumnDef 1, ETC-Admin-Wireless, check
        AuthColumnDef 2, GENERIC, check
        AuthColumnDef 3, User-Password, check
        AuthColumnDef 4, GENERIC, reply
        DefaultSimultaneousUse 1
        NoDefault
        RejectEmptyPassword
        AccountingTable XXX
        AcctColumnDef DATE,Timestamp ,formatted-date,'%Y-%m-%d'
        AcctColumnDef TIME,Timestamp ,formatted-date,'%H:%M:%S'
        AcctColumnDef TIMESTAMP,Timestamp
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef REALM,ETC-Realm
        AcctColumnDef CONNECTION,ETC-Network-Type
        AcctColumnDef LOCATION, NAS-Port
        AcctColumnDef MAC_ADDRESS,Calling-Station-Id
        AcctColumnDef SESSION_ID,Acct-Session-Id
        AcctColumnDef BRAS,NAS-IP-Address
        AcctColumnDef FRAMED_IP,Framed-IP-Address
        AcctColumnDef TYPE,Acct-Status-Type
        AcctColumnDef DURATION,Acct-Session-Time,integer
        AcctColumnDef IN_OCTETS,Acct-Input-Octets,integer
        AcctColumnDef OUT_OCTETS,Acct-Output-Octets,integer
        AcctColumnDef ERR_CODE,Session-Error-Code
        AcctColumnDef ERR_MSG,Acct-Terminate-Cause
        AcctFailedLogFileName %L/SQLacct-Admin-radius-%Y-%m-%d
        AddToReplyIfNotExist Nomadix-Bw-Down=8000,Nomadix-Bw-Up=8000,Idle-Timeout=3600
    </AuthBy>
    PostAuthHook file:./wn/AdminPostAuthHook.pl
</Realm admin>
#

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 4:12 PM
Subject: RE: (RADIATOR) Bug?

Hi,

I think you should show the important part

<AuthBy SQL>
    plahplah
</AuthBy>

with complete plahplah (without secret pw, db, user, IP)

David

-Original Message-
From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 12:43
To: Ingvar Berg (EAB); [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Bug?

Yes, I know, but as you can see it finds the account and then the NoDefault shouldn't be effective at all. NoDefault is useful ONLY if Select gives back Empty Set. So ... this is another issue ...

- Original Message -
From: Ingvar Berg (EAB) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 1:23 PM
Subject: RE: (RADIATOR) Bug?

There is some NoDefault parameter you could use in the looping AuthBy

/Ingvar

-Original Message-
From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 11:39
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Bug?

Hi

When I have config like:

<Realm plah>
    AuthByPolicy ContinueUntilReject
    AuthBy Identifier_of_some_authby_that_gives_reject
    <AuthBy SQL>
        plahplah
    </AuthBy>
</Realm plah>

This kind of conf results in a loop
Re: (RADIATOR) Bug?
Please do read the comments two lines below the check. The point is to GET REJECT if found (MAC address in blacklist). The easiest way to do it - compare it with something that will never be the same (Service-Type), and then you can also do some bogus in PostAuthHook that rewrites Reply-Message, if it contains Service-Type, to something like "MAC address in blacklist".

Rgds.
Toomas

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 5:17 PM
Subject: RE: (RADIATOR) Bug?

Hi

I see the first error in this part - you don't check Service-Type but MACADDRESS, so you have to use the special check GENERIC

##
AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
    MACADDRESS like '%{Calling-Station-Id}' and \
    ACTIVE = 'Yes'
AuthColumnDef 0, GENERIC,check
AuthColumnDef 1, Reply-Message,reply

Hope this helps

David

-Original Message-
From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 15:52
To: kramar; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Bug?

Hi,

It works (partly - some problems with AuthByPolicy's) if you put it into realm. I added some comments and also I haven't tested it (I tested an earlier version which I already changed and this is a recreation).

#
<AuthBy SQL>
    Identifier AuthBlacklistCheck
    DBSource dbi:mysql:
    DBUsername
    DBAuth
    AuthSQLStatement UPDATE macblacklist SET \
        LASTTRY = '%Y-%m-%d %H:%M:%S', \ - PS. HERE I CAN'T USE '%{Timestamp}'
        LASTTRYUSERNAME = '%n', \
        LASTTRYLOCATION = '%{NAS-Port}' \
        where MACADDRESS = '%{Calling-Station-Id}' \
        and ACTIVE = 'Yes'
    AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
        MACADDRESS like '%{Calling-Station-Id}' and \
        ACTIVE = 'Yes'
    AuthColumnDef 0, Service-Type,check
    AuthColumnDef 1, Reply-Message,reply
    #MAC Address is compared with Service-Type to get REJECT if found.
#NoDefault AcceptIfMissing /AuthBy # Realm admin # PreAuthHook sub { \ my $p=${$_[0]}; \ if ((${$_[0]}-code) eq 'Access-Request') { \ $p-add_attr('ETC-Admin-Wireless','Admin'); \ $p-add_attr('ETC-Admin-Active','Yes'); \ } \ } # AuthLog AdminLoginFailuresLog RewriteUsername s/^([^@]+).*/$1/ RejectHasReason AuthByPolicy ContinueUntilReject AuthBy AuthBlacklistCheck # AuthBy SQL Identifier AcctStartOnlyAdmin DBSourcedbi:mysql DBUsername DBAuth IgnoreAuthentication AccountingStartsOnly AcctSQLStatementUPDATE X SET \ LAST_LOGIN_TIME=from_unixtime(%{Timestamp}), \ LAST_LOGIN_CONNECTION = '%{ETC-Network-Type}', \ LAST_LOGIN_LOCATION = '%{NAS-Port}' \ WHERE username='%U' /AuthBy # AuthBy SQL Identifier AdminAuth DBSource dbi:mysql: DBUsername DBAuth AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\ REPLYATTR \ from where USERNAME ='%n' AuthColumnDef 0, ETC-Admin-Active, check AuthColumnDef 1, ETC-Admin-Wireless, check AuthColumnDef 2, GENERIC, check AuthColumnDef 3, User-Password, check AuthColumnDef 4, GENERIC, reply DefaultSimultaneousUse 1 NoDefault RejectEmptyPassword AccountingTable XXX AcctColumnDef DATE,Timestamp ,formatted-date,'%Y-%m-%d' AcctColumnDef TIME,Timestamp ,formatted-date,'%H:%M:%S' AcctColumnDef TIMESTAMP,Timestamp AcctColumnDef USERNAME,User-Name AcctColumnDef REALM,ETC-Realm AcctColumnDef CONNECTION,ETC-Network-Type AcctColumnDef LOCATION, NAS-Port AcctColumnDef MAC_ADDRESS,Calling-Station-Id AcctColumnDef SESSION_ID,Acct-Session-Id AcctColumnDef BRAS,NAS-IP-Address AcctColumnDef FRAMED_IP,Framed-IP-Address AcctColumnDef TYPE,Acct-Status-Type AcctColumnDef DURATION,Acct-Session-Time,integer AcctColumnDef IN_OCTETS,Acct-Input-Octets,integer AcctColumnDef OUT_OCTETS,Acct-Output-Octets,integer AcctColumnDef ERR_CODE,Session-Error-Code AcctColumnDef ERR_MSG,Acct-Terminate-Cause AcctFailedLogFileName %L/SQLacct-Admin-radius-%Y-%m-%d AddToReplyIfNotExist Nomadix-Bw-Down=8000,Nomadix-Bw-Up=8000,Idle-Timeout=3600 /AuthBy PostAuthHook 
file:./wn/AdminPostAuthHook.pl /Realm admin # - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, December 12, 2002 4:12 PM Subject: RE: (RADIATOR) Bug? Hi, I think you should show important part AuthBy SQL plahplah /AuthBy
Re: (RADIATOR) Multiple Items in the same AcctColumnDef
Hi Brian,

Probably this is not possible by standard ways of Radiator, but you can make a PreAuthHook where you join these two parameters into one (your own) parameter and then log it.

Rgds.
Toomas Kärner

- Original Message -
From: Brian Morris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 9:38 AM
Subject: (RADIATOR) Multiple Items in the same AcctColumnDef

Hi All,

We receive session info from a few different NAS's but I would like to store all the connection specific information in a single table element.

EG: I would like to store the Ascend-Disconnect-Cause as well as the standard Account-Terminate-Cause into the same table column.

Is this possible to do? If so, what is the syntax for the ACCTCOLUMNDEF entry?

Thanks in advance.
Brian Morris
Re: (RADIATOR) RE: Do you have an update to the dictionary
VENDORATTR 2352 Session-Error-Code 142 integer
VENDORATTR 2352 Session-Error-Msg 143 string

- Original Message -
From: Karel van der Velden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 14, 2002 10:02 AM
Subject: (RADIATOR) RE: Do you have an update to the dictionary

Hello Hugh,

Did you already receive the latest dictionary from Redback? I have the same statements in my logs.

Regards,
Karel van der Velden

Hello -

We don't have these definitions yet either, but I have copied this mail to Onno Becker at Redback who will send them to us I'm sure. Hi Onno! :-)

regards
Hugh

On Wed, 5 Jun 2002 17:55, [EMAIL PROTECTED] wrote:

Wed Jun 5 09:55:30 2002: ERR: Attribute number 143 (vendor 2352) is not defined in your dictionary
Wed Jun 5 09:55:30 2002: ERR: Attribute number 142 (vendor 2352) is not defined in your dictionary

It came from a RedBack machine, new version.

Karel van der Velden   | telnr: +31 50 5881003
Leonard Springerlaan 29 | faxnr: +31 50 5883216
9727 AR Groningen      | e-mail: [EMAIL PROTECTED]
The Netherlands

DISCLAIMER: This Statement is not an official statement from, nor does it represent an official position of Planet Technologies or KPN
(RADIATOR) Editing Reply-Message
Hi All,

I have seen it in the examples and it also partly works, but not as I would expect.

PostAuthHook sub { \
    ${$_[1]}->change_attr('Reply-Message' , 'MyMessage') \
        if (${$_[2]} == $main::REJECT ); \
}

results in:

Code: Access-Reject
Identifier: 208
Authentic: 5800=`00231;00oY00
Attributes:
    Reply-Message = MyMessage
    Reply-Message = Bad Password

Somehow it results in two Reply-Messages, but I would like to send only mine.

Rgds.
Toomas
Re: (RADIATOR) IP Lease problem
Hi Skeeve,

Maybe it would be a good idea to give Session-Timeout also and set it to 24 hours. So even if the user is online and using the address for longer than 23:59, it will be disconnected and the IP address will be released. Of course then you have to make an official policy out of it that you don't allow sessions longer than 24 hours (which is not a bad thing, and I wish I had done it when my network was starting - release unused resources).

Rgds
Toomas

- Original Message -
From: Skeeve Stevens [EMAIL PROTECTED]
To: Hugh Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, September 25, 2002 11:55 PM
Subject: Re: (RADIATOR) IP Lease problem

If there is a problem with stop records, and people are staying on for 1 or 2 days... then there is quite possibly a chance for problems.

Using static IP for a large number of customers without good reason could cause us to bleed higher usage on Address Space, which APNIC would also not be responsive to, so I am trying to be conservative.

Is there no solution? Or is it just complicated.

...Skeeve

On Thu, Sep 26, 2002 at 07:38:33AM +1000, Hugh Irvine wrote into the ether:

Hello Skeeve -

The short answer is to use static addresses for long-held connections. By definition, dynamic addresses are designed for frequent re-use.

regards
Hugh

On Wednesday, September 25, 2002, at 11:50 PM, Skeeve Stevens wrote:

Question

We currently have a pool of 64 IP's stored in a database, and when a user connects AND they don't have a static IP they get assigned one from the database of dynamic IP's...

The problem I have is that the pool has the Lease Period set to 24 hours; after 24 hours the dynamic IP is reclaimed... which is all good.. But what if the user was dedicated and did not disconnect after 24 hours. The IP still gets reclaimed.. and can be assigned by the database to a new connection even though the user is still using it..

If I set it to have no Lease or a Lease longer than, let's say, a week and the user has no stop record, then I risk not getting the IP back for a while if not at all... and the pool can fill.

Any Thoughts

Skeeve Stevens, RHCE
Email: [EMAIL PROTECTED]
Website: www.skeeve.org - Telephone: (0414) 753 383
Address: P.O Box 1035, Epping, NSW, 1710, Australia
eIntellego - [EMAIL PROTECTED] - www.eintellego.net
Si vis pacem, para bellum

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) Re: Nomadix VSA's
Found it .. thanx anyway...

- Original Message -
From: Toomas Kärner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 17, 2002 4:08 PM
Subject: Nomadix VSA's

Hello,

I can't find all Nomadix VSA's and there is no use of http://www.nomadix.com

As I have found out, they are included in the latest dictionary of Radiator. Could somebody send me only the Nomadix VSA part.

Rgds.
Toomas
Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500
Same in here

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: User BALGAA System Engineer [EMAIL PROTECTED]
Cc: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, September 13, 2002 12:18 AM
Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500

Hello Balgaa -

I have not heard anything further. Toomas?

regards
Hugh

On Friday, September 13, 2002, at 02:21 AM, User BALGAA System Engineer wrote:

Hi Toomas/Hugh,

We get Radiator 3.2 work with Redback SMS1800. Any update on NasType?

Thanks,
Balgaa

On Fri, 2 Aug 2002, Toomas Kärner wrote:

Hi Hugh,

Thanks. I have worked together with Onno on one project when he visited us in Estonia. I'll send you any information as I get it.

Rgds.
Toomas Kärner
Estonian Telephone Company
Head Administrator of DSL

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 02, 2002 7:33 AM
Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500

Hello Toomas -

You should check with Redback to see what is possible as far as querying the device is concerned, as well as what is recorded in the accounting requests (and the correspondence of course). I have copied this mail to Onno Becker at Redback who may be able to help, as there are many of Onno's customers using Radiator already.

Please copy us on what you discover so we can add the correct NasType code.

regards
Hugh

On Friday, August 2, 2002, at 04:05 PM, Toomas Kärner wrote:

Hi Hugh,

We also use Redback equipment. At the moment we always assume that the session DB is correct, but I'd like to check also. So far I haven't found a suitable NasType parameter. The only place where Redback is mentioned in the ref.pdf is the section about dictionaries (v.2.19 v.3.1). Could you tell us what type might be most suitable?

I have also the same problem with Unisphere ERX family equipment.

Rgds.
Toomas Kärner

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 02, 2002 2:08 AM
Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500

Hello Sven -

There are many readers of this list who use Redback equipment, and there are people at Redback on this list as well.

Radiator maintains one or more session databases (in memory, SQL, DBM, ...) and tries to keep track of current sessions by using the accounting starts to add records and accounting stops (and access requests) to delete records. The NAS itself is only contacted if Radiator detects what it thinks is a simultaneous-use exception, and then only if the NasType parameter is set in the corresponding Client clause(s). In this situation, Radiator goes through the list of sessions for the particular user and queries the NAS(s) to verify that the sessions are still active. If any session has gone away, that record in the session database is deleted and the connection is allowed to proceed. If on the other hand, all the sessions are still active, then the connection is rejected.

You will find the mechanisms used to query the different NasTypes in section 6.5.5 of the Radiator 3.1 reference manual (doc/ref.html) and you will find the corresponding code in the Radius/Nas directory.

regards
Hugh

Hi,

has anyone any experiences with the upper configuration? I'm also interested in the function, how Radiator checks via SNMP that an account is in use. I did a snmpwalk on a portmaster and I haven't found any information about needful data (what does not mean that it isn't there :-)

And please don't tell me that cisco is better, it was not my decision ;-)

with kind regards || Mit freundlichen Gruessen
Sven Holz

--
Sven Holz - IP-Services - WOBCOM GmbH    Phone : +49.5361.189.473
Hesslinger Str. 1-5, D-38440 Wolfsburg   Fax : +49.5361.189.199
Email: [EMAIL PROTECTED] - IRC: bofw2    Mobile : +49.170.920.153.5

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
Phone +61 3 9598-0985    Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
Re: (RADIATOR) FW: As requested.
Identifier: 167

- Original Message -
From: Martin Edge [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Thursday, September 05, 2002 9:16 AM
Subject: (RADIATOR) FW: As requested.

Hey Guys,

On what conditions does a packet appear to Radiator as Duplicate? Below I attach two RADIUS packets I received, within 1 second of each other. Of course, the second packet was said to be duplicated, but the packets themselves would show they are completely different..

Thanks,
Martin :-)

-- FIRST PACKET IN
Thu Sep 5 00:14:46 2002: DEBUG: Packet dump:
*** Received from 203.194.56.121 port 1813
Code: Accounting-Request
Identifier: 167
Authentic: h254]166V243.18245V2480Y236211v
Attributes:
    NAS-IP-Address = 203.220.252.241
    NAS-Port = 7204
    NAS-Port-Type = Async
    Called-Station-Id = 142330886300424
    Calling-Station-Id = 886324356
    Acct-Status-Type = Alive
    Acct-Authentic = RADIUS
    Service-Type = Framed-User
    Acct-Session-Id = 0009E3D8
    Framed-Protocol = PPP
    Ascend-Session-Svr-Key = AA9D6ABD
    Acct-Link-Count = 1
    Ascend-Num-In-Multilink = 1
    Acct-Multi-Session-Id = 25972
    Framed-IP-Address = 203.220.230.249
    Ascend-PreSession-Time = 24
    Ascend-Pre-Input-Octets = 157
    Ascend-Pre-Output-Octets = 113
    Ascend-Pre-Input-Packets = 5
    Ascend-Pre-Output-Packets = 4
    Acct-Input-Octets = 706094
    Acct-Output-Octets = 2766801
    Acct-Input-Packets = 5904
    Acct-Output-Packets = 5436
    Acct-Session-Time = 2286
    Ascend-Multilink-ID = 25972
    Acct-Delay-Time = 0
    User-Name = andym
    Proxy-State = BSP2ims01-syd/72480B24F09399CB54AE56B24540BA02B5A54B62BCBA8CA37CCA09027797F0 3488D35E66BCBA8CADB716F56D71F9EC12 430FB8C3BCA889FA4DB97DF311AEA447CFE22D4ED3DCB5B22B8D68F213EE81

Thu Sep 5 00:14:46 2002: DEBUG: Handling request with Handler ''
Thu Sep 5 00:14:46 2002: DEBUG: mysessiondb Adding session for andym, 203.220.252.241, 7204
Thu Sep 5 00:14:46 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.220.252.241' and NASPORT=07204
--- FIRST PACKET END ---

--- FIRST PACKET RESPONSE START
Thu Sep 5 00:14:46 2002: DEBUG: Accounting accepted
Thu Sep 5 00:14:46 2002: DEBUG: Packet dump:
*** Sending to 203.194.56.121 port 1813
Code: Accounting-Response
Identifier: 167
Authentic: h254]166V243.18245V2480Y236211v
Attributes:
    Proxy-State = BSP2ims01-syd/72480B24F09399CB54AE56B24540BA02B5A54B62BCBA8CA37CCA09027797F0 3488D35E66BCBA8CADB716F56D71F9EC12 430FB8C3BCA889FA4DB97DF311AEA447CFE22D4ED3DCB5B22B8D68F213EE81
--- FIRST PACKET RESPONSE STOP -

--- SECOND PACKET START-
Thu Sep 5 00:14:47 2002: DEBUG: Packet dump:
*** Received from 203.194.56.121 port 1813
Code: Accounting-Request
Identifier: 167
Authentic: 2I136PA3s244{30k191143hN196
Attributes:
    Acct-Session-Id = 3541
    Framed-Protocol = PPP
    Framed-IP-Address = 203.220.218.5
    Ascend-Connect-Progress = prLanSessionUp
    Ascend-PreSession-Time = 36
    Ascend-Xmit-Rate = 33600
    Ascend-Data-Rate = 33600
    Acct-Session-Time = 12200
    Connect-Info = 33600 V34+/V42bis/LAPM
    Acct-Input-Octets = 817119
    Acct-Output-Octets = 4990544
    Ascend-Pre-Input-Octets = 122
    Ascend-Pre-Output-Octets = 114
    Acct-Input-Packets = 9177
    Acct-Output-Packets = 11655
    Ascend-Pre-Input-Packets = 5
    Ascend-Pre-Output-Packets = 5
    Acct-Terminate-Cause = Session-Timeout
    Ascend-Disconnect-Cause = sessTimeOut
    Acct-Authentic = RADIUS
    Acct-Status-Type = Stop
    NAS-Port = 7241
    Called-Station-Id = 142320198333414
    Calling-Station-Id = 891881736
    NAS-Port-Type = Async
    Service-Type = Framed-User
    NAS-IP-Address = 203.220.251.113
    Ascend-Session-Svr-Key = EE3451F2
    Event-Timestamp = 103114
    Acct-Delay-Time = 0
    User-Name = noseeds
    Proxy-State = BSP2ims01-syd/7685C184EE7199F2CBEA363B011E321B84656D6D2109E1F70235F83144 1D0F6D91616D6D21E52A2BF9E7FE5F5856 C4B14B386D7F2682D08476F99E081003485CE249020B18CAB6B06CF98B543D307C

Thu Sep 5 00:14:47 2002: INFO: Duplicate request id 167 received from 203.194.56.121(1813): ignored
--- SECOND PACKET STOP -

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
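The following Perl sketch is an added example, not part of the thread and not Radiator's code. It models a duplicate cache keyed the way the log line reports it (client address, source port, Identifier) beside one that also compares the Authenticator field; the 2-second window and the third, retransmitted request are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example: a model of RADIUS duplicate detection, not Radiator's code.
use strict;
use warnings;

my $DUP_INTERVAL = 2;    # seconds; assumed width of the duplicate window

# Returns a closure that classifies each request as 'new' or 'duplicate'.
# $key_fields lists the request fields that make up the cache key.
sub make_detector {
    my ($key_fields) = @_;
    my %seen;            # cache key => arrival time of the last matching request
    return sub {
        my ($req) = @_;
        my $key  = join '|', map { $req->{$_} } @$key_fields;
        my $last = $seen{$key};
        $seen{$key} = $req->{time};
        return ( defined $last && $req->{time} - $last <= $DUP_INTERVAL )
            ? 'duplicate'
            : 'new';
    };
}

# First two entries use values from the packet dumps above (time is seconds
# past 00:14:00). The third is a constructed retransmission of the second.
my @requests = (
    { time => 46, src => '203.194.56.121', port => 1813, id => 167,
      auth => 'h254]166V243.18245V2480Y236211v', user => 'andym' },
    { time => 47, src => '203.194.56.121', port => 1813, id => 167,
      auth => '2I136PA3s244{30k191143hN196', user => 'noseeds' },
    { time => 48, src => '203.194.56.121', port => 1813, id => 167,
      auth => '2I136PA3s244{30k191143hN196', user => 'noseeds' },
);

my $by_id   = make_detector( [qw(src port id)] );         # key implied by the log line
my $by_auth = make_detector( [qw(src port id auth)] );    # stricter key, for contrast

for my $req (@requests) {
    printf "t=%d %-8s id=%d  addr/port/id: %-9s  plus authenticator: %s\n",
        $req->{time}, $req->{user}, $req->{id},
        $by_id->($req), $by_auth->($req);
}
```

With the narrower key, the Stop record for noseeds is dropped as a duplicate of the Alive record for andym; with the Authenticator in the key, only the true retransmission is suppressed.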
Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500
Hi Hugh,

We also use Redback equipment. At the moment we always assume that the session DB is correct, but I'd like to check also. So far I haven't found a suitable NasType parameter. The only place where Redback is mentioned in the ref.pdf is the section about dictionaries (v.2.19 v.3.1). Could you tell us what type might be most suitable? I also have the same problem with Unisphere ERX family equipment.

Rgds.
Toomas Kärner

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 02, 2002 2:08 AM
Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500

Hello Sven -

There are many readers of this list who use Redback equipment, and there are people at Redback on this list as well.

Radiator maintains one or more session databases (in memory, SQL, DBM, ...) and tries to keep track of current sessions by using the accounting starts to add records and accounting stops (and access requests) to delete records.

The NAS itself is only contacted if Radiator detects what it thinks is a simultaneous-use exception, and then only if the NasType parameter is set in the corresponding Client clause(s). In this situation, Radiator goes through the list of sessions for the particular user and queries the NAS(s) to verify that the sessions are still active. If any session has gone away, that record in the session database is deleted and the connection is allowed to proceed. If on the other hand, all the sessions are still active, then the connection is rejected.

You will find the mechanisms used to query the different NasTypes in section 6.5.5 of the Radiator 3.1 reference manual (doc/ref.html) and you will find the corresponding code in the Radius/Nas directory.

regards
Hugh

Hi,

has anyone any experiences with the upper configuration? I'm also interested in the function, how Radiator checks via SNMP that an account is in use. I did a snmpwalk on a portmaster and I haven't found any information about needful data (what does not mean that it isn't there :-) And please don't tell me that cisco is better, it was not my decision ;-)

with kind regards || Mit freundlichen Gruessen
Sven Holz

--
Sven Holz - IP-Services - WOBCOM GmbH    Phone  : +49.5361.189.473
Hesslinger Str. 1-5, D-38440 Wolfsburg   Fax    : +49.5361.189.199
Email: [EMAIL PROTECTED] - IRC: bofw2    Mobile : +49.170.920.153.5

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd         Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
Phone +61 3 9598-0985                    Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
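The decision flow Hugh describes, as an added Perl sketch that is not part of the thread and not Radiator's code. The session records, the nas_confirms() stand-in for the per-NasType query, and the choice to keep a record when the NAS cannot be reached are all assumptions made for the example; it also generalises from one session to a limit of N.

```perl
#!/usr/bin/perl
# Added example: models the simultaneous-use check described above.
# Not Radiator's code; every name below is hypothetical.
use strict;
use warnings;

# Constructed session database: user => recorded sessions.
my %session_db = (
    alice => [ { nas => '192.0.2.10', port => 7204 } ],
    bob   => [ { nas => '192.0.2.11', port => 7241 } ],
    carol => [ { nas => '192.0.2.12', port => 12 } ],
);

# Constructed stand-in for the per-NasType query (SNMP, finger, ...).
# Returns 1 if the NAS confirms the session, 0 if it is gone,
# undef if the NAS could not be asked.
my %nas_view = ( '192.0.2.10:7204' => 1, '192.0.2.11:7241' => 0 );
sub nas_confirms {
    my ($s) = @_;
    return $nas_view{"$s->{nas}:$s->{port}"};
}

# Decide a new login for $user with at most $limit concurrent sessions.
# $can_query is false when no NasType is configured for the client.
sub check_simultaneous_use {
    my ( $user, $limit, $can_query ) = @_;
    my $sessions = $session_db{$user} ||= [];
    return 'accept' if @$sessions < $limit;    # no exception: NAS not contacted
    return 'reject (session DB trusted as-is)' unless $can_query;

    # Drop a record only when the NAS positively reports the session gone.
    # This example keeps the record when the query gets no answer (fail closed).
    my @kept = grep { my $r = nas_confirms($_); !defined($r) || $r } @$sessions;
    $session_db{$user} = \@kept;
    return @kept < $limit ? 'accept (stale record removed)' : 'reject';
}

# alice: session confirmed; bob: stale record; carol: NAS gives no answer.
for my $case ( [ alice => 1 ], [ bob => 0 ], [ bob => 1 ], [ carol => 1 ] ) {
    my ( $user, $can_query ) = @$case;
    printf "%-6s NasType %-5s -> %s\n", $user,
        $can_query ? 'set' : 'unset',
        check_simultaneous_use( $user, 1, $can_query );
}
```

The bob cases show the difference Toomas is asking about: with no NasType the stale record blocks the login, and with one the record is pruned and the login proceeds.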
Re: (RADIATOR) Pre Handler hook help...
Hi,

You can also do it like this:

$p->add_attr( 'Calling-Station-Id',(($p->get_attr( 'RB-NAS-Real-Port') 0xff) 16) .\
.. ($p->get_attr( 'RB-NAS-Real-Port') 0x)); \

Here is only vpi.vci because I don't need more ...

rgds.
Tomkar

- Original Message -
From: Robert Blayzor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 12, 2002 10:21 PM
Subject: (RADIATOR) Pre Handler hook help...

We have a handler which uses the following hook:

<Client 64.246.152.18>
    Identifier DSL1
    Secret s
    DupInterval 2
    NasType ignore
    PreHandlerHook sub { ${$_[0]}->add_attr('NAS-Port-Type', 'SDSL'); my $i_p = ${$_[0]\
        }->get_attr('RB-NAS-Real-Port'); my $i_a = sprintf("%s/%s/%s.%s", map oct("0b$_"), unpack(\
        "B32", pack("N", $i_p)) =~ /(.{5})(.{3})(.{8})(.*)/); ${$_[0]}->add_attr('Calling-Station-Id\
        ', $i_a);}
</Client>

In a nutshell the Handler basically adds a NAS-Port-Type and is to take a 32bit integer representation of DSL ports and put them in the 'Calling-Station-Id' attribute. The output should come out to be something like: 5/0/0/233, etc. However everything comes out at 0/0/0.0, like $i_p is null, but it's not because the following code (if I reverse things) works fine...

    PreHandlerHook sub { ${$_[0]}->add_attr('NAS-Port-Type', 'SDSL'); my $i_p = ${$_[0]\
        }->get_attr('RB-NAS-Real-Port'); ${$_[0]}->add_attr('Calling-Station-Id', $i_p);}

Output the following code right from PERL works fine too:

perl -e 'print sprintf("%s/%s/%s.%s", map(oct("0b$_"), unpack("B32", pack("N", 671088873)) =~ /(.{5})(.{3})(.{8})(.*)/)) . "\n";'
5/0/0.233

Any ideas? I really need to get this to work. Thanks!

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Pinky, you've left the lens cap of your mind on again. - The Brain
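The bit layout used in the hook above, as an added stand-alone Perl example; it is not code from the thread and makes no Radiator calls. decode_real_port() is a hypothetical helper that returns undef for a missing or malformed value instead of producing "0/0/0.0", and it is cross-checked against the unpack/regex form from the post; all inputs other than 671088873 are constructed.

```perl
#!/usr/bin/perl
# Added example: stand-alone decoder for the packed port value discussed above.
# Not code from the thread; decode_real_port() is a hypothetical helper name.
use strict;
use warnings;

# Field widths follow the regex in the post: 5 bits / 3 bits / 8 bits / 16 bits,
# printed as a/b/c.d. Returns undef when the attribute is missing or is not a
# 32-bit unsigned integer, so the caller can refuse to set Calling-Station-Id.
sub decode_real_port {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A[0-9]{1,10}\z/;
    return undef if $raw > 0xFFFFFFFF;
    return sprintf '%d/%d/%d.%d',
        ( $raw >> 27 ) & 0x1f,
        ( $raw >> 24 ) & 0x07,
        ( $raw >> 16 ) & 0xff,
        $raw & 0xffff;
}

# The same decoding written the way the post does it, for cross-checking.
sub decode_via_unpack {
    my ($raw) = @_;
    return sprintf '%s/%s/%s.%s', map { oct("0b$_") }
        unpack( 'B32', pack( 'N', $raw ) ) =~ /(.{5})(.{3})(.{8})(.*)/;
}

# 671088873 is the value from the post; the other inputs are constructed.
for my $raw ( 671088873, 0, 4294967295, undef, '', 'abc' ) {
    my $shown   = defined $raw ? "'$raw'" : 'undef';
    my $decoded = decode_real_port($raw);
    if ( !defined $decoded ) {
        print "$shown: not a valid port value, Calling-Station-Id left unset\n";
        next;
    }
    my $check = decode_via_unpack($raw);
    print "$shown: $decoded",
        ( $decoded eq $check ? '' : " (MISMATCH: $check)" ), "\n";
}
```

Distinguishing "attribute absent" from a genuine all-zero port matters when the decoded value is later used as a check item, as with the LOCKED_TO_PVC column elsewhere on this page.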
Re: (RADIATOR) Multiple Realm Forwarding
Hi

I think he wants to build a tree of realms. I can't think of the use of it yet but it might be useful in some ways. You could logon to username@serviceprovider@service@subservice.

Tomkar

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 7:53 AM
Subject: Re: (RADIATOR) Multiple Realm Forwarding

Hello Julien -

Sorry, but I don't quite understand what you are wanting to do. Could you give me an example please?

thanks
Hugh

Hi,

Here is what I mean about Multiple realm forwarding: user1@realm1@realm2 is forwarded and then stripped to user1@realm2 then forwarded again.

I think it can be done using RewriteUsername but I don't have any idea of how to modify this syntax: s/^([^@]+)@realm1

Does someone know how to remove the middle realm in user1@realm1@realm2 using RewriteUsername? I think this can be useful in many cases!

Thanks,
Julien
(RADIATOR) How to make to SQL querys out of one ClearNasQuery?
Hi,

My problem is that I can't find a way to execute two SQL queries because of a single accounting-on or accounting-off packet. When the box goes down or comes up everything works with the session database (it gets cleared) but I want to have that message also in the user accounting log table. We are planning to start counting time, and then if the box goes down and I have only start records, I can't count anything because that message is not in the log.

As I tried, and as it was written in here, ';' between the queries doesn't help. The only way to do it is in some sort of PreClientHook, but I'm afraid of the impact on performance (because this is executed on every incoming packet - the longer it is the slower it is).

Rgds.
Toomas Kärner
Re: (RADIATOR) AcctSQLStatement in v.2.19
Hi Mike.

Here is a working example for you.

<AuthBy SQL>
    Identifier AcctStartOnlyLight
    DBSource
    DBUsername
    DBAuth
    IgnoreAuthentication
    AccountingStartsOnly
    AcctSQLStatement UPDATE users SET LOCKED_TO_PVC=%{NAS-Real-Port} \
        WHERE username='%n' and ACTIV = 'Enabled'
</AuthBy>

<AuthBy SQL>
    Identifier Auth
    DBSource
    DBUsername
    DBAuth
    AuthSelect select PASSWORD,CHECKATTR,LOCKED_TO_PVC,REPLYATTR,RATE,BURST from users \
        where USERNAME ='%n' and ACTIV = 'Enabled'
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, GENERIC, check
    AuthColumnDef 2, RB-NAS-Real-Port, check
    AuthColumnDef 3, GENERIC, reply
    AuthColumnDef 4, RB-Rate-Limit-Rate, reply
    AuthColumnDef 5, RB-Rate-Limit-Burst, reply
    DefaultSimultaneousUse 1
    NoDefault
    RejectEmptyPassword
    AddToReplyIfNotExist Rate-Limit-Rate=100,Rate-Limit-Burst=1
    AccountingTable log
    AcctColumnDef USERNAME,User-Name
    AcctColumnDef DATE,Timestamp,formatted-date,'%Y-%m-%d'
    AcctColumnDef TIME,Timestamp,formatted-date,'%H:%M:%S'
    AcctColumnDef TYPE,Acct-Status-Type
    AcctColumnDef FRAMED_IP,Framed-IP-Address
    AcctColumnDef IN_OCTETS,Acct-Input-Octets,integer
    AcctColumnDef OUT_OCTETS,Acct-Output-Octets,integer
    AcctColumnDef SESSION_ID,Acct-Session-Id
    AcctColumnDef RATE,Rate-Limit-Rate
    AcctColumnDef BURST,Rate-Limit-Burst
    AcctColumnDef DURATION,Acct-Session-Time,integer
    AcctColumnDef BRAS,NAS-Identifier
    AcctColumnDef VPI_VCI,NAS-Real-Port
    AcctFailedLogFileName %L/SQLacct-failed-mudapingviin-%Y-%m-%d
</AuthBy>

Rgds.
Toomas Kärner

- Original Message -
From: Mike McCauley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 13, 2002 4:24 AM
Subject: Re: (RADIATOR) AcctSQLStatement in v.2.19

-- Forwarded Message --
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Quintin [EMAIL PROTECTED]]
Date: Tue, 12 Mar 2002 17:48:30 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

From [EMAIL PROTECTED] Tue Mar 12 17:48:30 2002
Received: from ctmsun4.macau.ctm.net (ctmsun4.macau.ctm.net [202.175.36.44]) by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g2CNmS308583; Tue, 12 Mar 2002 17:48:29 -0600
Received: from C2035 (quintin.office.ctm.net [202.175.4.50]) by ctmsun4.macau.ctm.net (8.12.2/8.12.2) with SMTP id g2D1JsRb021759; Wed, 13 Mar 2002 09:19:54 +0800 (CST)
Message-ID: 156e01c1ca2e$8077b640$cc65010a@C2035
From: Quintin [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AcctSQLStatement in v.2.19
Date: Wed, 13 Mar 2002 09:29:21 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.

Dear Hugh,

Thanks for ur quick response. Actually, I just want to add some information into another table (it's not required to authenticate here) after the SessionDatabase and before any LDAP/UNIX authentication. I have tried many configuration even with two Auth Groups, do you have any ideas?

Thanks

Rgds,
Quintin

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Quintin [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, March 13, 2002 7:28 AM
Subject: Re: (RADIATOR) AcctSQLStatement in v.2.19

Hello Quintin -

Dear Hughes,

Actually, I like to insert some information into the database when my customer login. The following config is from Hughes long time ago and it is still working in 2.18.2 . However, if the same config running in 2.19, it rejects and will show Authentication disabled in the log file. Could you please help??

<AuthBy SQL>
    Identifier debitinfo
    DBSource DBI:mysql:ewallet:192.168.1.239:3306
    DBUsername radius
    DBAuth radius
    FailureBackoffTime 60
    AccountingStartsOnly
    AuthSelect
    AcctSQLStatement delete from DEBITINFO where USERNAME='%U'
    AcctSQLStatement insert into DEBITINFO (USERNAME, NASIDENTIFIER, NASPORT, \
        TIME_STAMP, DEBIT_TIMESTAMP, DEBIT_AMOUNT) values ('%U', '%N', \
        0%{NAS-Port}, %{Timestamp}, %{Timestamp}, 1000)
</AuthBy>

<Handler>
    RewriteUsername s/^([^@]+).*/$1/
    SessionDatabase MarkStart
    MaxSessions 1
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileAccept
            AuthBy debitinfo
            AuthBy authen-ewallet
            AuthBy debitwhenauth-ewallet
        </AuthBy>
    </AuthBy>
    AuthLog authlog
    AcctLogFileName /var/adm/radacct/%C/detail
</Handler>

I don't quite understand what your Handler is meant to do. The AuthBy SQL with Identifier debitinfo has authentication turned off with the empty