Re: [RADIATOR] Multiple accounting output formats
Hello,

AcctLog would be a very handy feature for us too.

Regards
Vangelis

On 14/6/2016 11:47 AM, Tuure Vartiainen wrote:
> Hi,
>
>> On 13 Jun 2016, at 18:13,
>> wrote:
>>
>> What I would like to achieve is the following: from a single handler
>> generate accounting logs to multiple files in multiple formats (e.g. 2 files
>> with the normal output, 1 with JSON output). Outputting to multiple files is
>> easy, but of course adding the formatting hook for JSON output causes both
>> files to be in that format.
>> Is there any way to achieve this in radiator? (It’s not a problem for
>> Authentication logs since you can just set a different log filename per e.g.
>> AuthBy, but this does not seem to be available for accounting logs).
>>
> unfortunately currently that’s not possible, all AcctLogFileNames use the same
> configured format.
>
> AuthLog could be accompanied with AcctLog which would allow to configure the
> described feature.
>
>
> BR
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Problem in EAP-TLS for user authentication in Windows 8.1
Hello,

Is there any news concerning this issue? We have tried Windows 8.1 with EAP-TLS and faced the same authentication problem, which was solved by disabling server certificate validation as Sami states. Has the problem been fixed in Windows 10, or does a W10 client have to use the same workaround?

Best regards
Vangelis

On 26/12/2013 6:56 PM, Andrei Rachita wrote:
>
> Hello Sami,
>
> I experienced the same issue you described below with Freeradius
> 2.1.12 and I would really appreciate if you could tell me how you
> disabled certificate verification in Windows 8.1.
>
> https://www.mail-archive.com/radiator@open.com.au/msg18424.html
>
> Thanks a lot,
> Andrei
[RADIATOR] Farmsize and ServerTACACSPLUS
Hello,

I would like to know if the ServerTACACSPLUS is compatible with Farmsize X. Is it possible to have more farm children serving TCP port 49?

Kind regards
Vangelis
Re: [RADIATOR] Changing TACACS AuthorizeGroup on the fly
Hello Heikki,

That did exactly what I wanted. Thanks for your valuable help. One more question: if I want to add more authorization lines, can I reuse the OSC-Authorize-Group attribute, or must I use different attributes, OSC-Authorize-Group1, OSC-Authorize-Group2 etc.?

Kind Regards
Vangelis

On 4/3/2015 10:46 PM, Heikki Vatiainen wrote:
> On 03/04/2015 05:01 PM, Vangelis Kyriakakis wrote:
>
>> I have configured the following AuthorizeGroup command:
>>
>> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER}
>>
>> What I would like to do is to be able to change the ADMIN-USER
>> word on the fly.
>> For example if User-Name is USER1 I would like the command to be
>>
>> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER1}
>>
>> If User-Name is USER2 then it will be
>>
>> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER2}
>>
>> and so on. Is there a way to do variable substitution or change
>> the authorize rule on the fly (while the authorization request is being
>> processed)?
> See the reference manual section '5.96.11 AuthorizeGroupAttr'. Add
> something like this in the ServerTACACSS+ configuration:
>
> AuthorizeGroupAttr OSC-Authorize-Group
>
> During the authentication, you can return 'group' as usually to set the
> authorisation group for the user. In addition to this, you can now
> return OSC-Authorize-Group with the user specific values.
>
> For example:
>
>
>    GroupMemberAttr OSC-Group-Identifier
>    AuthorizeGroupAttr OSC-Authorize-Group
>    # Rest of the parameters
>    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>    AuthorizeGroup group1 deny .*
>
>
> The attributes in Access-Accept for USER2 during the TACACS+
> authentication would then look like this:
>
> OSC-Group-Identifier = "group1"
> AuthorizeGroupAttr = "permit service=shell cmd\* {task*#ADMIN-USER2}"
>
> When the TACACS+ authorization requests are processed, this is the
> effective list they are evaluated against:
>
>    AuthorizeGroup group1 permit service=shell cmd\* {task*#ADMIN-USER2}
>    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>    AuthorizeGroup group1 deny .*
>
> In other words, the OSC-Authorize-Group attributes, there can be more
> than one, returned during the authentication are evaluated before the
> static configuration.
>
> Thanks,
> Heikki
[RADIATOR] Changing TACACS AuthorizeGroup on the fly
Hello,

I have configured the following AuthorizeGroup command:

AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER}

What I would like to do is to be able to change the ADMIN-USER word on the fly. For example if User-Name is USER1 I would like the command to be

AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER1}

If User-Name is USER2 then it will be

AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER2}

and so on. Is there a way to do variable substitution or change the authorize rule on the fly (while the authorization request is being processed)?

Regards
Vangelis
Re: [RADIATOR] CoA-Request vs Change-Filter-Request in radpwtst
Hello all,

I agree with Hugh. That would be a nice idea. By the way, is there a way to send CoA requests directly from radiator perl scripts (mainly from Nas perl scripts) without calling the radpwtst program?

Thanks
Vangelis

On 13/11/2014 3:15 AM, Hugh Irvine wrote:
> Hello Heikki -
>
> These could be added as synonyms as is done for some RADIUS attribute
> definitions.
>
>
> # Radius.pm
> # Implements Radius message packet object
> #
> # Contains the following additional attributes
> # SendTo
> # StatsTrail, array or refs to statistics hashes
> #
> # Handles multiple instances of the same attribute
> # Handles accounting packets, and authentication of same
> # Handles EAP
> #
> # Author: Mike McCauley (mi...@open.com.au),
> # Copyright (C) Open System Consultants
> # $Id: Radius.pm,v 1.175 2014/04/02 20:44:24 hvn Exp $
>
> package Radius::Radius;
> @ISA = qw(Radius::AttrVal);
> use Radius::AttrVal;
> use Radius::BigInt;
> use Socket;
> use Digest::MD5;
> use Radius::Util;
> use strict;
>
> # RCS version number of this module
> $Radius::Radius::VERSION = '$Revision: 1.175 $';
>
> # These map request names into request types.
> # Some are from RFC 2882. Add synonyms from RFC 5176.
> my %codes = (
>     'Access-Request' => 1,
>     'Access-Accept' => 2,
>     'Access-Reject' => 3,
>     'Accounting-Request' => 4,
>     'Accounting-Response' => 5,
>     'Accounting-Status' => 6,
>     'Access-Password-Request' => 7,
>     'Access-Password-Ack' => 8,
>     'Access-Password-Reject' => 9,
>     'Accounting-Message' => 10,
>     'Access-Challenge' => 11,
>     'Status-Server' => 12,
>     'Status-Client' => 13,
>     'Resource-Free-Request' => 21,
>     'Resource-Free-Response' => 22,
>     'Resource-Query-Request' => 23,
>     'Resource-Query-Response' => 24,
>     'Alternate-Resource-Reclaim-Request' => 25,
>     'NAS-Reboot-Request' => 26,
>     'NAS-Reboot-Response' => 27,
>     'Ascend-Access-Next-Code' => 29,
>     'Ascend-Access-New-Pin' => 30,
>     'Ascend-Terminate-Session' => 31,
>     'Ascend-Password-Expired' => 32,
>     'Ascend-Access-Event-Request' => 33,
>     'Ascend-Access-Event-Response' => 34,
>     'Disconnect-Request' => 40,
>     'Disconnect-Request-ACKed' => 41,
>     'Disconnect-Request-NAKed' => 42,
>     'Change-Filter-Request' => 43,
>     'CoA-Request' => 43,
>     'Change-Filter-Request-ACKed' => 44,
>     'CoA-ACKed' => 44,
>     'Change-Filter-Request-NAKed' => 45,
>     'CoA-NAKed' => 45,
>     'IP-Address-Allocate' => 50,
>     'IP-Address-Release' => 51,
> );
>
>
> The decode can use the new definitions.
>
> Thoughts?
>
> regards
>
> Hugh
>
>
>> On 13 Nov 2014, at 08:08, Heikki Vatiainen wrote:
>>
>> On 11/11/2014 02:14 PM, Vangelis Kyriakakis wrote:
>>
>>> Radpwtst client uses code Change-Filter-Request for message 43
>>> which is based on old rfc2882. Message 43 has been renamed to
>>> CoA-Request in later rfc5176. The same stands for messages 44,45. It
>>> would be nice to change the names to the new ones since the old names
>>> cause some misunderstandings especially when talking to vendor support
>>> teams in order to solve CoA problems.
>> Good point. We have discussed updating the names too because of the
>> confusion the old names create. The drawback is that doing this requires
>> changes to existing scripts that use radpwtst and any existing Radiator
>> modules or hooks that do not c
[RADIATOR] CoA-Request vs Change-Filter-Request in radpwtst
Hello,

Radpwtst client uses code Change-Filter-Request for message 43 which is based on old rfc2882. Message 43 has been renamed to CoA-Request in later rfc5176. The same stands for messages 44,45. It would be nice to change the names to the new ones since the old names cause some misunderstandings especially when talking to vendor support teams in order to solve CoA problems.

Regards
Vangelis
Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]
Hello all,

This separation of DEBUG levels would be great. Usually many persons can view the DEBUG level logs but we don't want all these persons to be able to see the user passwords. If the problem is related to a bad password a couple of trusted personnel can see the password debugging logs. Moreover, when we send radius logs to a vendor we want to be sure that no password is left over. So, what Hugh suggests would be a very welcome addition.

Regards
Vangelis

On 13/10/2014 2:38 AM, Keith Morrell wrote:
> UNCLASSIFIED
> Yes, ideal solution.
>
> I agree DEBUG should show all...but having the passwords in clear text in the
> logs is generally undesirable.
>
> Thanks Hugh.
>
> -Keith
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Monday, 13 October 2014 10:35 AM
> To: Keith Morrell
> Cc: Alan Buxey; Vangelis Kyriakakis; Radiator
> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4
> [SEC=UNCLASSIFIED]
>
>
> Hi all -
>
> We discussed this at length many times over the years and our decision was
> always that "DEBUG" meant show everything that is going on, otherwise
> debugging is very hard.
>
> I suppose we could consider two levels: "DEBUG" as it is now, and
> "DEBUGWITHOUTPASSWORDS" with passwords obscured.
>
> Thoughts?
>
> regards
>
> Hugh
>
>
> On 13 Oct 2014, at 08:57, Keith Morrell wrote:
>
>> UNCLASSIFIED
>>
>> We use debug level 4 on all our subprocesses (we use radiator proxies for
>> front ends) to gather detailed data about what's going on - it's just the
>> way we like it.
>>
>> Personally, I think showing any passwords in clear text in logs is
>> generally not a good idea...
>>
>> -Keith
>>
>>
>> From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
>> Sent: Monday, 13 October 2014 8:49 AM
>> To: Keith Morrell; Vangelis Kyriakakis; Radiator
>> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace
>> level 4 [SEC=UNCLASSIFIED]
>>
>> Why would you be running in this mode? Surely only debug level that
>> high for debugging? And how could you be sure that the issue wasn't due
>> to incorrect password? ;)
>>
>> alan
>
> --
>
> Hugh Irvine
> h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
[RADIATOR] Hiding the LDAP Password attribute on Trace level 4
Hello,

It would be a nice addition to hide the value that is returned for PasswordAttr during an LDAP fetch. Right now at trace level 4 you can see the value of the attribute that is used for PasswordAttr among the other LDAP attributes, so the password that is stored in the user database is revealed. Can this be altered to **obscured**?

Regards
Vangelis
[RADIATOR] Modifying UsernamePrompt in ServerTACACSPLUS
Hello,

I'm trying to modify the username prompt in a ServerTACACSPLUS method. The problem is that I cannot put trailing spaces after the prompt. It seems that radiator discards any trailing spaces. Is there a way to add trailing spaces? For example I want to print "This is my User prompt: " in order to have:

This is my User prompt: username     (Space between : and username)
Password: password

Instead I get:

This is my User prompt:username     (username is typed right after : )
Password: password

Regards
Vangelis
[RADIATOR] AuthBy SQL and database connections
Hello,

I would like to ask a question about the connections that Radiator opens to a database. If we have an AuthBy SQL clause and a SessionDatabase SQL one, both connecting to the same database with the same DBUsername, will Radiator create two separate connections (one for each clause) or just one for both clauses?

Regards
Vangelis
[RADIATOR] AddressAllocator DHCP and STOP Accounting packets
Hello,

I'm trying to use AuthBy DYNADDRESS combined with AddressAllocator DHCP in order to allocate IPv4 addresses from a DHCP server. IP allocation during authentication is working fine but there is no de-allocation happening with the STOP accounting packet. Is this the expected behaviour?

Regards
Vangelis
Re: [RADIATOR] about soap authentication
Hello Heikki,

I need to make Radiator communicate with an external SOAP server. Can you please provide us with information on which files to change in order to create a custom AuthBy SOAP module?

Regards
Vangelis Kyriakakis
Forthnet S.A.

On 5/6/2013 4:49 PM, Heikki Vatiainen wrote:
> On 06/04/2013 05:19 PM, celalettin altinpinar wrote:
>
>> I am preparing radius authentication solution. I need to fulfil
>> following flow with radiator. Has somebody tried similar flow,
> Hello Celalettin,
>
> I think your authentication flow can be done with Radiator. See the
> reference manual for AuthByPolicy which controls when the next AuthBy
> needs to be tried in a Handler or AuthBy GROUP.
>
>> 1. Authentication request
>> 2. Radius will check user from DB
>> 3. If user exist and password correct reply with Access-accept
>> 4. If user doesn't exist or password doesn't match ask to query soap for
>> user check if new user created there or password is updated there
>> 5. If soap query has match return Access-accept and update local database.
>> 6. Any other case return Access-reject.
>>
>> I am new to radiator and looking for easy way to do it. Can I do it with
>> radiator soap authentication ui. If possible can you share some sample
>> config related?
> In this case you would need something like this:
>
> AuthByPolicy ContinueWhileReject
>
> ...
>
>
> ...
>
>
>
> Notice I have used fictional AuthBy SOAPMODULE, not AuthBy SOAP. The
> reason is you would need to adapt the existing AuthBy SOAP to work with
> the SOAP interface your SOAP server requires. For more information about
> what AuthBy SOAP included with Radiator does, please see goodies/soap*
> files.
>
> In your case I would consider finding out information about the SOAP
> interface the SOAP server uses. You can then modify the existing AuthBy
> SOAP module to work with that interface.
>
> There is no generic SOAP authentication interface in Radiator. I do not
> think one even exists. Fortunately it is possible to create an AuthBy
> module that understands the SOAP interface you have to work with.
>
> Thanks,
> Heikki
[RADIATOR] Support for PCRF Diameter messages
Hello,

Can Radiator (acting as a diameter server) handle PCRF Diameter messages?

Regards
Vangelis Kyriakakis
[RADIATOR] UpdateQuery details
Hello,

Without defining UpdateQuery in SessionDatabase SQL, Radiator updates the contents of the RADONLINE database whenever an Alive packet is processed. Manual says:

"If UpdateQuery is defined as an empty string, then the query will not be executed. The default is the empty string."

If I define UpdateQuery will Radiator update the contents of the RADONLINE plus do the defined query, or just the second?

Regards
Vangelis Kyriakakis
Re: [RADIATOR] AddressAllocator DHCP question
Hello Hugh,

So, shall I wait for a patch on this, or is it something that has to do with the DHCP architecture?

Regards
Vangelis

On 5/2/2013 10:43 PM, Hugh Irvine wrote:
> Hello Heikki -
>
> I can confirm that when I wrote this module, only port 67 was supported.
>
> regards
>
> Hugh
>
>
> On 6 Feb 2013, at 00:59, Heikki Vatiainen wrote:
>
>> On 02/04/2013 03:49 PM, Vangelis Kyriakakis wrote:
>>
>>> I'm trying to use AddressAllocator DHCP with a different
>>> ServerPort (2067) in order to be able to run radiator process as a
>>> simple user (not root).
>>> Is this possible? It seems that radiator doesn't get back the
>>> DHCPOFFER packet from the DHCP server. Do I have to run radiator with
>>> root privileges if I want to use AddressAllocator DHCP?
>> Hello Vangelis,
>>
>> I tested this with ISC DHCP server. This is the result I got:
>>
>> % sudo tcpdump -n -i eth0 '(port 67 or port 68 or port 2067 or port 2068)'
>>
>> 15:48:34.716208 IP 172.16.172.18.2067 > 255.255.255.255.67: BOOTP/DHCP,
>> Request from 0f:ff:00:00:00:04, length 300
>> 15:48:35.182436 IP 172.16.172.1.67 > 172.16.172.18.67: BOOTP/DHCP,
>> Reply, length 311
>>
>> It appears the replies are not sent back to the non-default port 2067
>> but to 67 instead.
>>
>> I have not tried more yet, but this seems to be the case with ISC DHCPd
>> 3.1.1 with Radiator configured with 'ServerPort 2067 ClientPort 2068'.
>>
>> Are you seeing the same?
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen
>
> --
>
> Hugh Irvine
> h...@open.com.au
Re: [RADIATOR] AddressAllocator and IPv6
Hello Heikki,

We are going to use rfc3162 attributes and possibly the http://tools.ietf.org/html/draft-ietf-radext-ipv6-access-04 Framed-IPv6-Address attribute. We would like the AddressAllocator SQL to be able to create the following prefixes in the pool table based on a base prefix/mask and a new mask:

Range 2a02:2148:::::::/112 to /128 should create 2a02:2148::::::/128 - 2a02:2148::::::/128
Range 2a02:2148:::/48 to /64 should create 2a02:2148::/64 - 2a02:2148::/64
Range 2a02:2148:::/48 to /56 should create 2a02:2148::/56 - 2a02:2148::ff00/56

You can have a look at this tool http://waldner.netsons.org/f4-ipv6summ.php which creates the prefixes as I have described above.

Regards
Vangelis

On 14/4/2011 5:25 ??, Heikki Vatiainen wrote:
> On 04/14/2011 01:30 PM, Vangelis Kyriakakis wrote:
>
>> Does AddressPool support IPv6 addresses. Can I create and allocate
>> IPv6 pools using the AddressAllocator - AddressPool mechanism?
>
> The implementation is very much IPv4 only at the moment, but the design
> should work for both protocols. So no, not with the current code.
>
> Can you tell us a bit more how you would be using this? Would it be using
> attributes from http://tools.ietf.org/html/rfc3162
>
> Thanks!
[RADIATOR] AddressAllocator and IPv6
Hello,

Does AddressPool support IPv6 addresses? Can I create and allocate IPv6 pools using the AddressAllocator - AddressPool mechanism?

Regards
Vangelis Kyriakakis
[RADIATOR] Why does this attribute fail?
Hello,

I have a Juniper Router sending the following packet (see the full log). I get a Warning error about Vendor 3561 Attribute 2 which is DSLForum-Agent-Remote-Id = "00:0f:bb:2c:bb:1b". Can you see any problem with the packet?

Regards
Vangelis

Tue Mar 22 17:04:19 2011: WARNING: Malformed request packet: Vendor 3561 Attribute 2 with length : ignored
Tue Mar 22 17:04:19 2011: DEBUG: Packet dump:
*** Received from 194.219.231.127 port 50338
Packet length = 293
01 34 01 25 d9 21 b2 2f 4c cd b4 e2 73 59 2f 49
6e a9 aa b1 01 15 74 65 73 74 6c 6c 75 40 66 6f
72 74 68 6e 65 74 2e 67 72 02 12 9e 34 1d ed 51
8a 8d 41 d7 25 98 79 bf fb 62 28 59 03 00 2c 05
32 38 31 1a 16 00 00 13 0a 38 10 38 63 37 33 2e
36 65 61 63 2e 30 32 34 32 20 12 62 62 72 61 73
2d 6c 61 62 2d 6b 6c 6e 2d 30 31 05 06 10 4f 94
4e 57 18 67 65 2d 31 2f 32 2f 31 2e 31 30 30 3a
33 33 32 31 2d 31 31 30 32 3d 06 00 00 00 0f 1a
90 00 00 0d e9 01 1f 50 4f 50 2d 4b 4c 4e 2d 4d
32 2d 4d 31 20 61 64 73 6c 20 30 33 2f 31 30 3a
38 2e 33 35 02 13 30 30 3a 30 66 3a 62 62 3a 32
63 3a 62 62 3a 31 62 81 06 00 00 03 fc 82 06 00
00 5d bd 83 06 00 00 01 00 84 06 00 00 02 00 85
06 00 00 05 10 86 06 00 00 6e f0 87 06 00 00 04
00 88 06 00 00 5d c0 89 06 00 00 00 00 8a 06 00
00 00 00 8b 06 00 00 00 10 8c 06 00 00 00 01 8d
06 00 00 00 14 8e 06 00 00 00 05 90 03 00 02 04
06 c2 db e7 7f
Code: Access-Request
Identifier: 52
Authentic: <217>!<178>/L<205><180><226>sY/In<169><170><177>
Attributes:
	User-Name = "test...@forthnet.gr"
	User-Password = x
	Chargeable-User-Identity = ""
	Acct-Session-Id = "281"
	Unisphere-Dhcp-Mac-Addr = "8c73.6eac.0242"
	NAS-Identifier = "bbras-lab-kln-01"
	NAS-Port = 273650766
	NAS-Port-Id = "ge-1/2/1.100:3321-1102"
	NAS-Port-Type = Ethernet
	DSLForum-Agent-Circuit-Id = "POP-KLN-M2-M1 adsl 03/10:8.35"
	DSLForum-Agent-Remote-Id = "00:0f:bb:2c:bb:1b"
	DSLForum-Actual-Data-Rate-Upstream = 1020
	DSLForum-Actual-Data-Rate-Downstream = 23997
	DSLForum-Minimum-Data-Rate-Upstream = 256
	DSLForum-Minimum-Data-Rate-Downstream = 512
	DSLForum-Attainable-Data-Rate-Upstream = 1296
	DSLForum-Attainable-Data-Rate-Downstream = 28400
	DSLForum-Maximum-Data-Rate-Upstream = 1024
	DSLForum-Maximum-Data-Rate-Downstream = 24000
	DSLForum-Minimum-Data-Rate-Upstream-Low-Power = 0
	DSLForum-Minimum-Data-Rate-Downstream-Low-Power = 0
	DSLForum-Maximum-Interleaving-Delay-Upstream = 16
	DSLForum-Actual-Interleaving-Delay-Upstream = 1
	DSLForum-Maximum-Interleaving-Delay-Downstream = 20
	DSLForum-Actual-Interleaving-Delay-Downstream = 5
	DSLForum-Access-Loop-Encapsulation = ""
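The warning can be traced in the dump itself. The following is an added example (not part of the original post, and not Radiator code) that walks the sub-attributes of the vendor 3561 Vendor-Specific attribute, using the 144 bytes copied from the hex dump above; the names `parse_vsa`, `load_dump` and `report` are made up for this illustration.

```python
# Vendor-Specific attribute (RADIUS type 26) copied byte for byte from the
# packet dump in the post. It starts at "1a 90" and is 0x90 = 144 bytes long.
VSA_HEX = """
1a 90 00 00 0d e9
01 1f 50 4f 50 2d 4b 4c 4e 2d 4d 32 2d 4d 31 20 61 64 73 6c 20 30 33 2f
      31 30 3a 38 2e 33 35
02 13 30 30 3a 30 66 3a 62 62 3a 32 63 3a 62 62 3a 31 62
81 06 00 00 03 fc  82 06 00 00 5d bd  83 06 00 00 01 00  84 06 00 00 02 00
85 06 00 00 05 10  86 06 00 00 6e f0  87 06 00 00 04 00  88 06 00 00 5d c0
89 06 00 00 00 00  8a 06 00 00 00 00  8b 06 00 00 00 10  8c 06 00 00 00 01
8d 06 00 00 00 14  8e 06 00 00 00 05
90 03 00 02
"""

VENDOR_SPECIFIC = 26


def load_dump():
    """Turn the hex text above into bytes (whitespace is only layout)."""
    return bytes.fromhex("".join(VSA_HEX.split()))


def parse_vsa(raw):
    """Split one Vendor-Specific attribute into its sub-attributes.

    Returns (vendor_id, sub_attrs, problems). sub_attrs is a list of
    (type, value) tuples. problems is a list of (offset, type, reason)
    tuples, where offset counts from the first sub-attribute octet.
    """
    if len(raw) < 6 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a complete Vendor-Specific attribute")
    vendor_id = int.from_bytes(raw[2:6], "big")
    body = raw[6:]
    sub_attrs, problems = [], []
    pos = 0
    while pos < len(body):
        remaining = len(body) - pos
        sub_type = body[pos]
        if remaining < 2:
            # A type octet at the very end: there is no room for a length.
            problems.append((pos, sub_type, "type octet with no length octet"))
            break
        sub_len = body[pos + 1]
        if sub_len < 2 or sub_len > remaining:
            problems.append((pos, sub_type, "length %d does not fit" % sub_len))
            break
        sub_attrs.append((sub_type, body[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, sub_attrs, problems


def report(raw):
    """Return one printable line per sub-attribute and per problem."""
    vendor_id, sub_attrs, problems = parse_vsa(raw)
    lines = ["vendor %d, %d sub-attributes" % (vendor_id, len(sub_attrs))]
    for sub_type, value in sub_attrs:
        if len(value) == 4:
            shown = str(int.from_bytes(value, "big"))
        elif value.isascii() and value.decode("ascii").isprintable():
            shown = repr(value.decode("ascii"))
        else:
            shown = "hex " + value.hex(" ")
        lines.append("  type %3d len %2d: %s" % (sub_type, len(value) + 2, shown))
    for offset, sub_type, reason in problems:
        lines.append("  PROBLEM at offset %d, type %d: %s" % (offset, sub_type, reason))
    return lines


if __name__ == "__main__":
    print("\n".join(report(load_dump())))
```

The walk consumes sub-attribute 144 with its declared length of 3, which leaves the single octet 02 at the end of the vendor data; a stray type octet 2 with no length is consistent with the warning text, while the real Agent-Remote-Id (type 2, length 19) parses cleanly. RFC 4679 defines Access-Loop-Encapsulation (type 144) with length 5, so the last sub-attribute in this packet looks mis-encoded by the sender.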
[RADIATOR] AuthBy SQL results
Hello,

I would like to know what happens when AuthSelect query in AuthBy SQL returns two or more rows. Which one is used? The first or the last?

Example:

Username | Reply_item
---
user | reply1
user | reply2

AuthSelect select Reply_item from table where Username='user'
AuthColumnDef 0,GENERIC,reply

Which reply_item is going to be used?

Regards
Vangelis
Re: [RADIATOR] radpwtst and CoA-Request Error-Cause
Hello Hugh, Bruno,

I'm using -trace 4. Here is the log output of both the NAS and the radpwtst:

NAS:

Jul 26 18:17:03.173: RADIUS: COA received from id 48 xxx.xxx.xxx.xxx:11678, CoA Request, len 77
Jul 26 18:17:03.173: COA: 212.251.84.21 request queued
Jul 26 18:17:03.173: RADIUS: authenticator 65 1B F5 01 6D 6F 96 A1 - CA 21 E3 21 EC 89 AC D7
Jul 26 18:17:03.173: RADIUS: Vendor, Cisco [26] 47
Jul 26 18:17:03.173: RADIUS: Cisco AVpair [1] 41 "ip:sub-qos-policy-in=ADSL-10Mbps-policy"
Jul 26 18:17:03.173: RADIUS: Acct-Session-Id [44] 10 "015B4AA9"
Jul 26 18:17:03.173: ++ CoA Attribute List ++
Jul 26 18:17:03.173: 231FC340 0 0009 sub-qos-policy-in(371) 18 ADSL-10Mbps-policy
Jul 26 18:17:03.173: 231F3BD4 0 0001 session-id(362) 4 22760105(15B4AA9)
Jul 26 18:17:03.173:
Jul 26 18:17:03.173: RADIUS(): sending
Jul 26 18:17:03.173: RADIUS(): Send CoA Nack Response to xxx.xxx.xxx.xxx:11678 id 48, len 88
Jul 26 18:17:03.173: RADIUS: authenticator B5 AC 44 56 F1 9B 50 02 - 9C 2F BA 91 02 11 E0 EB
Jul 26 18:17:03.173: RADIUS: Vendor, Cisco [26] 44
Jul 26 18:17:03.173: RADIUS: Cisco AVpair [1] 38 "sub-qos-policy-in=ADSL-10Mbps-policy"
Jul 26 18:17:03.173: RADIUS: Reply-Message [18] 18
Jul 26 18:17:03.173: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
Jul 26 18:17:03.173: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]

radpwtst:

Mon Jul 26 18:17:03 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
sending Change-Filter-Request...
Mon Jul 26 18:17:03 2010: DEBUG: Packet dump:
*** Sending to XXX.XXX.XXX.XXX port 1816
Code: Change-Filter-Request
Identifier: 48
Authentic: e<27><245><1>mo<150><161><202>!<227>!<236><137><172><215>
Attributes:
	cisco-avpair = "ip:sub-qos-policy-in=ADSL-10Mbps-policy"
	Acct-Session-Id = "015B4AA9"

OK

As you can see, although the NAS sends back a CoA-NAK packet with Session Context Not Found, radpwtst outputs just OK. Any ideas?

Regards
Vangelis

On 30/7/2010 1:11 ??, Hugh Irvine wrote:
> Hello Vangelis -
>
> Bruno is correct - perl radpwtst -trace 4 ……
>
> regards
>
> Hugh
>
> On 30 Jul 2010, at 00:08, Bruno Tiago Rodrigues wrote:
>
>> Vangelis:
>>
>> Have you tried adding the -trace option to radpwtst?
>>
>> On Jul 29, 2010, at 12:48 PM, Vangelis Kyriakakis wrote:
>>
>>> Hello,
>>>
>>> We are using radpwtst to send CoA packets to a Cisco NAS. If there is
>>> a problem the NAS sends back a CoA NAK packet which contains the
>>> Error-Cause attribute. Radpwtst just reports OK without taking note of
>>> the Error-Cause attribute. Is there any way to print it?
>>>
>>> Regards
>>> Vangelis
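The NAK in the NAS log above carries everything needed to tell the two outcomes apart. As an added example (not part of the original thread and not radpwtst code), the following rebuilds that 88-byte reply from the logged fields, classifies it by its code using the RFC 5176 names, and extracts Error-Cause; the function names are made up for this illustration and the response authenticator is not verified because the shared secret is not on the page.

```python
import struct

# RFC 5176 names for the dynamic authorization codes. RFC 2882 called codes
# 43/44/45 Change-Filter-Request, -ACKed and -NAKed.
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
              43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ACK_CODES = {41, 44}

# A few Error-Cause (attribute 101) values from RFC 5176.
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                404: "Invalid Request", 503: "Session Context Not Found",
                504: "Session Context Not Removable", 506: "Resources Unavailable"}

VENDOR_SPECIFIC, REPLY_MESSAGE, ERROR_CAUSE = 26, 18, 101
CISCO = 9  # vendor id, as in the VENDORATTR 9 dictionary lines


def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def nak_from_nas_log():
    """Rebuild the CoA NAK reply from the fields printed in the NAS debug log."""
    authenticator = bytes.fromhex("B5AC4456F19B50029C2FBA910211E0EB")
    avpair = attr(1, b"sub-qos-policy-in=ADSL-10Mbps-policy")
    attrs = (attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + avpair)
             + attr(REPLY_MESSAGE, b"No valid Session")
             + attr(ERROR_CAUSE, struct.pack("!I", 503)))
    header = struct.pack("!BBH", 45, 48, 20 + len(attrs))
    return header + authenticator + attrs


def classify_reply(packet, request_id):
    """Decide success from the reply code, not from the fact that a reply came."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if ident != request_id:
        raise ValueError("reply identifier does not match the request")
    result = {"code": CODE_NAMES.get(code, "code %d" % code),
              "ok": code in ACK_CODES,
              "error_cause": None,
              "reply_message": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute %d has a bad length" % attr_type)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ERROR_CAUSE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            result["error_cause"] = (number, ERROR_CAUSES.get(number, "unknown"))
        elif attr_type == REPLY_MESSAGE:
            result["reply_message"] = value.decode("utf-8", "replace")
        pos += attr_len
    return result


if __name__ == "__main__":
    print(classify_reply(nak_from_nas_log(), request_id=48))
```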
[RADIATOR] radpwtst and CoA-Request Error-Cause
Hello,

We are using radpwtst to send CoA packets to a Cisco NAS. If there is a problem the NAS sends back a CoA NAK packet which contains the Error-Cause attribute. Radpwtst just reports OK without taking note of the Error-Cause attribute. Is there any way to print it?

Regards
Vangelis
Re: (RADIATOR) AddressAllocator and SQL
Hello,

Ok. I found the correct syntax for the Sybase, but should I always limit the reply of the query to only one row? I thought that the allocator gets a number of rows from the FindQuery and uses the first available address it can find.

Regards
Vangelis

Hugh Irvine wrote:
> Hello Vangelis -
>
> This is from the Radiator 3.7.1 reference manual ("doc/ref.html"):
>
> 6.56.5 FindQuery
>
> This optional parameter allows you to define a custom SQL query to find
> an available address. Defaults to
>
> select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP
>
> %0 is replaced by the pool hint. %1 is replaced by the username.
>
> Hint: You can get a substantial speedup during address allocation with
> mysql by adding "limit 1" to the end of the FindQuery.
>
> You should check your Sybase documentation to ascertain what the
> equivalent syntax is. A quick Google search on "sybase select limit"
> turns up quite a few useful hits.
>
> regards
>
> Hugh
>
> On 17/12/2003, at 8:26 PM, Vangelis Kyriakakis wrote:
>
>> Hello,
>>
>> we are trying to use AddressAllocator with Microsoft SQL and Sybase.
>> In both situations the default FindQuery
>>
>> select TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP
>>
>> tries to allocate a lot of addresses and finally returns an error
>> "Too many simultaneous address requests"
>>
>> In Microsoft SQL I can use the following query:
>>
>> select top 1 TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP
>>
>> and it works fine, trying once to allocate an IP. But this query
>> doesn't work with Sybase. What can I use instead of this? Do I do
>> something wrong with default query?
>>
>> Regards
>> Vangelis

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) AddressAllocator and SQL
Hello,

we are trying to use AddressAllocator with Microsoft SQL and Sybase. In both situations the default FindQuery

select TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP

tries to allocate a lot of addresses and finally returns an error "Too many simultaneous address requests"

In Microsoft SQL I can use the following query:

select top 1 TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP

and it works fine, trying once to allocate an IP. But this query doesn't work with Sybase. What can I use instead of this? Do I do something wrong with default query?

Regards
Vangelis
Re: (RADIATOR) New directory entries
Oh ok, I haven't applied the latest patches. I think Cisco has the attribute with capital C, that's why I sent it like "Cisco-Policy-Up"

Regards
Vangelis

Hugh Irvine wrote:
> Hello Vangelis -
>
> These attributes are included in the latest Radiator 3.7.1 (plus patches):
>
> VENDORATTR 9 cisco-Policy-Up 37 string
> VENDORATTR 9 cisco-Policy-Down 38 string
>
> Note the spelling, which is different to what you show below.
>
> regards
>
> Hugh
>
> On 12/12/2003, at 8:59 PM, Vangelis Kyriakakis wrote:
>
>> Hello,
>>
>> can you add the following attributes into the Radius directory?
>>
>> VENDORATTR 9 Cisco-Policy-Up 37 string
>> VENDORATTR 9 Cisco-Policy-Down 38 string
>>
>> Regards
>> Vangelis
(RADIATOR) New directory entries
Hello,

can you add the following attributes into the Radius directory?

    VENDORATTR 9 Cisco-Policy-Up 37 string
    VENDORATTR 9 Cisco-Policy-Down 38 string

Regards
Vangelis
(RADIATOR) Use of the %{Eval:}
Hello,

I'm trying to use something like the following:

    %{Eval: (%{Acct-Output-Octets}<20) ? %{Acct-Output-Octets} : 0}

but it doesn't work. What is the correct syntax for this? I'm also trying the following

    %{Eval: %{Acct-Output-Octets}%% 20}

but it doesn't work either.

Regards
Vangelis
Re: (RADIATOR) Input queue size
Can all these Radiator instances use the same logfiles? Or will they have problems racing for file locks?

Vangelis

Frank Danielson wrote:
> It's really not that hard. You run a number of Radiator instances, with each one having its own connection to the LDAP, SQL, or whatever backend. Then you front end those with an instance or two of Radiator running AuthBy ROUNDROBIN or AuthBy LOADBALANCE to distribute the requests among them. You can process quite a lot of requests simultaneously this way.
>
> If your current server is not responding fast enough but the CPU utilization is not maxed out you are probably just hitting the ceiling on how many requests a single instance can process at a time. Start up some more processes on the box and use all those processor cycles that you paid for.
>
> -Frank
>
> -Original Message-
> From: Claudio Lapidus [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 12, 2003 9:19 PM
> To: Guðbjörn S. Hreinsson; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Input queue size
>
> ..
> From my own corner, I wish it were possible to have more than one established connection with the SQL backend, so as to parallelize requests to a certain degree. But yes, I suppose that means multithreading, and AFAIK that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6 would do it?
Re: (RADIATOR) New Cisco SNMP query
You also need to add the following aaa command:

    aaa session-mib disconnect

Regards
Vangelis

Vangelis Kyriakakis wrote:
> Hello,
>
> With Cisco IOS 12.2.15T there is a new SNMP OID that gives the users that are connected according to the Decimal Acct-Session-Id. So with this OID you can always use snmpget to check if a user is still online. This works for Async, ISDN and ADSL users. You need to use the Decimal form of the Acct-Session-Id not the Hexadecimal. We use an SQL Session database and we do the conversion there. I don't know if there is a Hextoint function in Perl
>
> Regards
> Vangelis
>
> package Radius::Nas::Cisco;
> use Radius::SNMP;
> use strict;
>
> # The Cisco SNMP MIB
> $Radius::Nas::CiscoMIB = '.iso.org.dod.internet.private.enterprises.9';
>
> sub isOnline
> {
>     my ($name, $nas_id, $nas_port, $session_id, $client) = @_;
>
>     return 1 unless &Radius::SNMP::snmpgetprogExists();
>
>     &main::log($main::LOG_DEBUG, "Cisco: Checking $session_id-> $nas_id:$nas_port:$name" );
>
>     my $result = &Radius::SNMP::snmpget
>         ($nas_id, $client->{SNMPCommunity},
>          "$Radius::Nas::CiscoMIB.9.150.1.1.3.1.2.$session_id");
>
>     return 1 if (!$result || $result =~ /no response/i); # Could not SNMP. Assume still there
>     return uc($1) eq uc($name) if ($result =~ /^.*\"([^"]+)".*$/);
>     return 0; # not there
> }
>
> 1;
(RADIATOR) New Cisco SNMP query
Hello,

With Cisco IOS 12.2.15T there is a new SNMP OID that gives the users that are connected according to the Decimal Acct-Session-Id. So with this OID you can always use snmpget to check if a user is still online. This works for Async, ISDN and ADSL users. You need to use the Decimal form of the Acct-Session-Id not the Hexadecimal. We use an SQL Session database and we do the conversion there. I don't know if there is a Hextoint function in Perl

Regards
Vangelis

    package Radius::Nas::Cisco;
    use Radius::SNMP;
    use strict;

    # The Cisco SNMP MIB
    $Radius::Nas::CiscoMIB = '.iso.org.dod.internet.private.enterprises.9';

    sub isOnline
    {
        my ($name, $nas_id, $nas_port, $session_id, $client) = @_;

        return 1 unless &Radius::SNMP::snmpgetprogExists();

        &main::log($main::LOG_DEBUG, "Cisco: Checking $session_id-> $nas_id:$nas_port:$name" );

        my $result = &Radius::SNMP::snmpget
            ($nas_id, $client->{SNMPCommunity},
             "$Radius::Nas::CiscoMIB.9.150.1.1.3.1.2.$session_id");

        return 1 if (!$result || $result =~ /no response/i); # Could not SNMP. Assume still there
        return uc($1) eq uc($name) if ($result =~ /^.*\"([^"]+)".*$/);
        return 0; # not there
    }

    1;
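Added example (not part of the original post and not Radiator's own code): the hexadecimal-to-decimal conversion of the Acct-Session-Id done in Perl with the built-in hex(), with the id validated before it is placed in the OID, and the same online test as the posted isOnline. The helper names, the sample session ids and the snmpget reply strings are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# OID prefix taken from the isOnline code in the post above.
my $SESSION_USER_OID =
    '.iso.org.dod.internet.private.enterprises.9' . '.9.150.1.1.3.1.2';

# Convert the hexadecimal Acct-Session-Id sent by the NAS into the decimal
# index the OID expects. Anything that is not 1 to 8 hex digits is refused,
# so text taken from an accounting packet is never copied blindly into the
# argument handed to snmpget.
sub session_id_to_decimal {
    my ($sid) = @_;
    return unless defined $sid && $sid =~ /\A[0-9A-Fa-f]{1,8}\z/;
    return hex($sid);    # built-in hex-string-to-integer conversion
}

# Build the full OID for one session; returns undef for a malformed id.
sub session_oid {
    my ($sid) = @_;
    my $dec = session_id_to_decimal($sid);
    return unless defined $dec;
    return "$SESSION_USER_OID.$dec";
}

# Same decision rule as the posted isOnline: no answer means "assume still
# there", otherwise compare the quoted user name case-insensitively.
sub still_online {
    my ($result, $name) = @_;
    return 1 if !$result || $result =~ /no response/i;
    if ($result =~ /"([^"]+)"/) {
        return uc($1) eq uc($name) ? 1 : 0;
    }
    return 0;
}

# Constructed inputs: well-formed ids in several spellings, then malformed ones.
my @session_ids = ('87C2', '000087C2', '84ab', '87C2 extra', '0x87C2', '');
for my $sid (@session_ids) {
    my $oid = session_oid($sid);
    printf "%-14s => %s\n", "'$sid'", defined $oid ? $oid : 'rejected';
}

# Constructed snmpget replies, checked for user "tmeyers".
my @replies = (
    [ 'same user'       => 'enterprises.9.9.150.1.1.3.1.2.34754 = "TMeyers"' ],
    [ 'different user'  => 'enterprises.9.9.150.1.1.3.1.2.34754 = "cheezwhiz"' ],
    [ 'NAS unreachable' => 'snmpget: No response from 216.118.66.25' ],
    [ 'no such session' => 'enterprises.9.9.150.1.1.3.1.2.34754 = No Such Instance' ],
);
for my $r (@replies) {
    my ($label, $text) = @$r;
    printf "%-16s => %s\n", $label,
        still_online($text, 'tmeyers') ? 'online' : 'offline';
}
```

The "NAS unreachable" case shows the fail-open choice in the posted code: when SNMP gives no answer the user is treated as still connected, which errs towards rejecting a new login rather than allowing a duplicate one.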
(RADIATOR) Total SNMP query Timeout
Hello,

Is there a way to apply a total Timeout to the Simultaneous-Use SNMP verification process? When a Router is very slow some snmpwalk queries take a long time to finish after Radiator has reached the Router (so the snmpwalk timeout doesn't expire). I would like to have a Timeout that would include both the time to reach the Router and the time to get the whole results.

Regards
Vangelis
Re: (RADIATOR) Using AcctSQLStatement with integer-date format
Hello Hugh,

I'm trying to calculate %{Timestamp} - %{Acct-Session-Time} in order to get the Connect Time from the STOP packet.

thanks
Vangelis

Hugh Irvine wrote:
> Hello Vangelis -
>
> Could you explain to me what you are trying to do? In other words, what value are you trying to calculate?
>
> thanks
>
> Hugh
>
> On Monday, Jan 20, 2003, at 23:29 Australia/Melbourne, Vangelis Kyriakakis wrote:
>
> > Hi again,
> >
> > I'm trying to use something like
> >
> > AcctColumnDef CONNECTTIME,%b-0%{Acct-Session-Time},integer-date
> >
> > but it doesn't work. It gives a NULL value for the CONNECTTIME attribute.
> > I have also tried
> >
> > AcctColumnDef CONNECTTIME,%{Timestamp}-0%{Acct-Session-Time},integer-date
> >
> > If I write AcctColumnDef CONNECTTIME,Timestamp,integer-date it works, but of course it's not what I want.
> > I want to use this attribute with Sybase Datetime type
> >
> > Regards
> > Vangelis
> >
> > Hugh Irvine wrote:
> >
> >> Hello Vangelis -
> >>
> >> You should use AcctColumnDef's for what you show below.
> >>
> >> See section 6.28.14 in the Radiator 3.5 reference manual.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >> On Saturday, Jan 18, 2003, at 02:55 Australia/Melbourne, Vangelis Kyriakakis wrote:
> >>
> >>> Hello,
> >>>
> >>> I want to write the following AcctSQLStatement:
> >>>
> >>> AcctSQLStatement insert into TABLE (LOGIN_TIME, LOGOUT_TIME,.) values (%{Timestamp}-%{Acct-Session-Time}Formatted using integer-date and (%Y%m%d %H:%M) Format,%{Timestamp}Formatted using integer-date and (%Y%m%d %H:%M) Format,...)
> >>>
> >>> How should I write the above SQL query? I have read the manual but I cannot figure out the exact format of the query.
> >>>
> >>> Regards
> >>> Vangelis
Re: (RADIATOR) Using AcctSQLStatement with integer-date format
Hi again,

I'm trying to use something like

    AcctColumnDef CONNECTTIME,%b-0%{Acct-Session-Time},integer-date

but it doesn't work. It gives a NULL value for the CONNECTTIME attribute. I have also tried

    AcctColumnDef CONNECTTIME,%{Timestamp}-0%{Acct-Session-Time},integer-date

If I write AcctColumnDef CONNECTTIME,Timestamp,integer-date it works, but of course it's not what I want. I want to use this attribute with Sybase Datetime type

Regards
Vangelis

Hugh Irvine wrote:
> Hello Vangelis -
>
> You should use AcctColumnDef's for what you show below.
>
> See section 6.28.14 in the Radiator 3.5 reference manual.
>
> regards
>
> Hugh
>
> On Saturday, Jan 18, 2003, at 02:55 Australia/Melbourne, Vangelis Kyriakakis wrote:
>
> > Hello,
> >
> > I want to write the following AcctSQLStatement:
> >
> > AcctSQLStatement insert into TABLE (LOGIN_TIME, LOGOUT_TIME,.) values (%{Timestamp}-%{Acct-Session-Time}Formatted using integer-date and (%Y%m%d %H:%M) Format,%{Timestamp}Formatted using integer-date and (%Y%m%d %H:%M) Format,...)
> >
> > How should I write the above SQL query? I have read the manual but I cannot figure out the exact format of the query.
> >
> > Regards
> > Vangelis
(RADIATOR) Using AcctSQLStatement with integer-date format
Hello,

I want to write the following AcctSQLStatement:

    AcctSQLStatement insert into TABLE (LOGIN_TIME, LOGOUT_TIME,.) values (%{Timestamp}-%{Acct-Session-Time}Formatted using integer-date and (%Y%m%d %H:%M) Format,%{Timestamp}Formatted using integer-date and (%Y%m%d %H:%M) Format,...)

How should I write the above SQL query? I have read the manual but I cannot figure out the exact format of the query.

Regards
Vangelis
(RADIATOR) Request for Feature
Hello,

Sometimes it is very helpful to disable NAS queries while checking for Simultaneous-Use on some Handlers. Now we can only prevent NAS queries on a client basis using NasType. Is a Handler or AuthBy based flag, that would enable-disable the queries, possible?

Regards
Vangelis
(RADIATOR) FailureBackoffTime within
Hello,

I'm using FailureBackoffTime in an AuthBy LDAP2 clause trying to make it stop replying to requests when the LDAP host is down. As I can see from the Trace 4 log, it stops querying the LDAP server during the FailureBackoffTime, but it responds to the NAS's request with a "User database access error" reject. Is it possible for Radiator to totally ignore the NAS's request in this case? It is a problem since the NAS keeps sending requests to the same server although it cannot handle them.

Regards
Vangelis
Re: (RADIATOR) AuthBy LDAP2 behavior when LDAP server is down.
Ignore my request. I figured it out myself.

Regards
Vangelis

Vangelis Kyriakakis wrote:
> When the LDAP server that is defined in an AuthBy LDAP2 clause is down Radiator returns an Access-Reject "User database access error". It would be better if it timed out so Radiator could use another AuthBy clause or discarded the request. This is how Radiator behaves when the LDAP server gets a query from the Radiator but fails to respond in timeout seconds.
>
> Regards
> Vangelis
(RADIATOR) AuthBy LDAP2 behavior when LDAP server is down.
When the LDAP server that is defined in an AuthBy LDAP2 clause is down Radiator returns an Access-Reject "User database access error". It would be better if it timed out so Radiator could use another AuthBy clause or discarded the request. This is how Radiator behaves when the LDAP server gets a query from the Radiator but fails to respond in timeout seconds.

Regards
Vangelis
Re: (RADIATOR) Multiple Host definitions in AuthBy LDAP2
What is the correct syntax? It is not clear in the manual. If I use

    Host host1
    Host host2
    Port 389

Radiator uses the second one. If I use

    Host host1,host2

Radiator uses host1,host2 as one name

regards
Vangelis

Hugh Irvine wrote:
> Hello Vangelis -
>
> Yes. Have a look at section 6.35 in the Radiator 3.3.1 reference manual ("doc/ref.html").
>
> regards
>
> Hugh
>
> On Thursday, Nov 21, 2002, at 22:56 Australia/Melbourne, Vangelis Kyriakakis wrote:
>
> > Hello,
> >
> > If I use two LDAP servers in an AuthBy LDAP2 (two Host attributes) will Radiator change to the second one when the first one fails?
> >
> > thanks
> > Vangelis
(RADIATOR) Multiple Host definitions in AuthBy LDAP2
Hello,

If I use two LDAP servers in an AuthBy LDAP2 (two Host attributes) will Radiator change to the second one when the first one fails?

thanks
Vangelis
Re: (RADIATOR) A SOLUTION: Session check for Cisco ISDN users
Our solution to this problem is to make an snmpwalk to another SNMP variable and then grep the result for the username. This works perfectly for Simultaneous-Use=1 but not for more since it always checks with the first occurrence of the username in the snmpwalk output

Vangelis

Hugh Irvine wrote:
> Hello Utku -
>
> Please send the code (a "diff -c ..." preferably) to Mike and we will take a look.
>
> I have also been working on a different approach with another customer, and I should be posting something soon.
>
> regards
>
> Hugh
>
> On Friday, November 1, 2002, at 05:14 AM, Utku Er wrote:
>
> > Hi everyone,
> >
> > This is discussed on this list before... We have problems getting information with snmp on ISDN users from the Cisco access servers. RADIATOR can doublecheck the session table entries when needed from the Cisco NAS with SNMP for the ASYNC users. RADIATOR uses the SNMP request of ".iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.NASPORT" to get the username connected to that port.
> >
> > However, when RADIATOR tries to doublecheck the NAS for the ISDN users, this SNMP request is not working. Since radiator cannot verify this user is still connected, session check problems occur... Like discussed in http://www.open.com.au/archives/radiator/2000-02/msg00246.html and in many of the others.
> >
> > I contacted TAC and they've said it's not possible to get this username/nasport relation via SNMP for the ISDN users. Since we agree on they cannot provide it (maybe they'll do it in later IOS releases) I alter the radiator source a little and create my solution.
> >
> > Cisco ISDN nas_port are structured like 2XXYY in the start record. I guess this means SerialXX:YY. I altered /usr/lib/perl5/site_perl/5.6.0/Radius/Nas/Cisco.pm to finger to NAS if NAS-Port is higher than 2 and use the normal snmp procedure for the other users. This procedure searches "SeXX:YY username" in this finger output. (of course XX and YY can be zero or include zero and username is printed only 10 characters)
> >
> > This is working quite well and ISDN users cannot connect more than their simultaneous-use allow them to. I can send this updated Cisco.pm code if writer or Open System Consultants allow me to.
> >
> > regards,
> >
> > Utku Er
> > http://www.utkuer.com
>
> NB: I am travelling this week, so there may be delays in our correspondence.
Re: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
What kind of Cisco NAS are you using? We have never faced such a problem with Cisco 5300 and Cisco 3640. It always gives either an AsyncXXX or a SerialX:XX (SerialX/XX:XX) format

Regards
Vangelis

Dave Kitabjian wrote:
> I finally tracked down the reason why our Online DB has been reporting a much lower count of onliners than are actually online.
>
> Look at the attached sequence of two accounting records. tmeyers logs on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while he's still online, cheezwhiz logs off of the same NAS and Port, clobbering tmeyers' entry in the online DB.
>
> But how can two people have been on the same port at the same time, you ask? The answer is that when Cisco is (again) lazy, it's easy to happen. If you look at the Cisco-NAS-Port attribute, you'll see that they are really on two distinct ports. Cisco is just taking a portion of the info and plopping it in NAS-Port, even though that means that many people can be on the same NAS-Port at once. Most manufacturers come up with a procedure for encoding all that "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port number and then put that in NAS-Port.
>
> Now, if we were enforcing concurrency limits we'd be even more screwed.
>
> Has anyone else experienced this? How are you dealing with it? Does Radiator have any solutions? I wonder if using the Acct-Session-Id for deletions would be more reliable than matching NAS/Port combos. Comments welcome!
>
> Dave
>
> Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
> *** Received from 216.118.66.25 port 1646
> Code: Accounting-Request
> Identifier: 188
> Authentic: <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
> Attributes:
>     Acct-Session-Id = "87C2"
>     Framed-Protocol = PPP
>     Connect-Info = "46667/24000 V90/V42bis/LAPM"
>     cisco-avpair = "connect-progress=Call Up"
>     Acct-Authentic = RADIUS
>     Acct-Status-Type = Start
>     User-Name = "tmeyers"
>     Acct-Multi-Session-Id = "511D"
>     Acct-Link-Count = "<0><0><0><2>"
>     Framed-Address = 216.118.88.4
>     Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"
>     NAS-Port = 105
>     NAS-Port-Type = Async
>     Class = "netcarrier.com"
>     Service-Type = Framed-User
>     NAS-IP-Address = 216.118.66.25
>     Event-Timestamp = 1026329001
>     Acct-Delay-Time = 0
>
> Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
> *** Received from 216.118.66.25 port 1646
> Code: Accounting-Request
> Identifier: 239
> Authentic: <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
> Attributes:
>     Acct-Session-Id = "84AB"
>     Framed-Protocol = PPP
>     cisco-avpair = "connect-progress=Call Up"
>     Acct-Session-Time = 2897
>     Connect-Info = "49333/24000 V90/V42bis/LAPM"
>     Acct-Input-Octets = 349671
>     Acct-Output-Octets = 2362531
>     Acct-Input-Packets = 3246
>     Acct-Output-Packets = 2835
>     Acct-Terminate-Cause = User-Request
>     cisco-avpair = "disc-cause-ext=PPP Receive Term"
>     Acct-Authentic = RADIUS
>     Acct-Status-Type = Stop
>     User-Name = "cheezwhiz"
>     Acct-Multi-Session-Id = "4F51"
>     Acct-Link-Count = "<0><0><0><1>"
>     Framed-Address = 216.118.90.220
>     Cisco-NAS-Port = "Async3/105*Serial7/0:18:21"
>     NAS-Port = 105
>     NAS-Port-Type = Async
>     Class = "netcarrier.com"
>     Service-Type = Framed-User
>     NAS-IP-Address = 216.118.66.25
>     Event-Timestamp = 1026329176
>     Acct-Delay-Time = 0
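Added example (not part of the thread and not Radiator's session database code): a small in-memory model that replays the accounting events from the two quoted packet dumps against three ways of keying the online table, to show the clobbering Dave describes and what keying deletions on Acct-Session-Id changes. The first event (the Start for session 84AB) is not in the post and is constructed; all function and strategy names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $NAS = '216.118.66.25';

# Events 2 and 3 carry the values from the two packet dumps quoted above.
# Event 1 (cheezwhiz's Start) is constructed: the post only shows his Stop.
my @events = (
    { type => 'Start', nas => $NAS, port => 105, sid => '84AB', user => 'cheezwhiz' },
    { type => 'Start', nas => $NAS, port => 105, sid => '87C2', user => 'tmeyers'   },
    { type => 'Stop',  nas => $NAS, port => 105, sid => '84AB', user => 'cheezwhiz' },
);

my $by_port    = sub { my ($e) = @_; return "$e->{nas}|$e->{port}" };
my $by_session = sub { my ($e) = @_; return "$e->{nas}|$e->{sid}"  };

# guard => 1 means a Stop only deletes the entry if the stored
# Acct-Session-Id matches the one in the Stop record.
my @strategies = (
    { name => 'key = NAS + NAS-Port',                        key => $by_port,    guard => 0 },
    { name => 'key = NAS + NAS-Port, Stop checks session id', key => $by_port,    guard => 1 },
    { name => 'key = NAS + Acct-Session-Id',                 key => $by_session, guard => 0 },
);

# Replay the events and return, after each one, who the table says is online.
sub replay {
    my ($strategy, @evs) = @_;
    my (%online, @snapshots);
    for my $e (@evs) {
        my $k = $strategy->{key}->($e);
        if ($e->{type} eq 'Start') {
            # A second Start on the same key silently replaces the first.
            $online{$k} = { user => $e->{user}, sid => $e->{sid} };
        }
        elsif ($e->{type} eq 'Stop') {
            my $cur = $online{$k};
            delete $online{$k}
                if $cur && (!$strategy->{guard} || $cur->{sid} eq $e->{sid});
        }
        my @users = sort map { $_->{user} } values %online;
        push @snapshots, @users ? join(',', @users) : '(nobody)';
    }
    return @snapshots;
}

for my $s (@strategies) {
    my @snap = replay($s, @events);
    print "$s->{name}\n";
    for my $i (0 .. $#events) {
        printf "  after %-5s %-9s sid=%s : %s\n",
            $events[$i]{type}, $events[$i]{user}, $events[$i]{sid}, $snap[$i];
    }
}
```

With the NAS-Port key the table ends up empty while tmeyers is still connected; the session-id guard keeps tmeyers but still undercounts while both are online; only the Acct-Session-Id key tracks both sessions correctly for these events.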
(RADIATOR) Cannot get the framed_ip_address in NAS.pm
Hello,

The framed_ip_address variable in isOnline functions does not get a value. It's always empty. For example if I try to use the Ping NasType I cannot get the framed_ip_address from the SQL session database. I'm using the standard SessionDatabase SQL configuration and the RADONLINE table is working fine. What could be wrong?

thanks
Vangelis Kyriakakis
FORTHnet S.A.
(RADIATOR) Maximum username and Password length.
Hello,

Is there a maximum Username length or a maximum Password length for Radiator 2.19?

Regards
Vangelis
(RADIATOR) Radiator and iPass
Hello,

Do I have to install IPassPerl in order to do outbound roaming using the new scheme with the AuthBy Radius proxy?

thanks
Vangelis
(RADIATOR) Sending Accounting log to SYSLOG
Hello,

We are using RADIATOR 2.19. Is there a way to send the accounting log to the SYSLOG?

Vangelis Kyriakakis
FORTHNET S.A.
Greece
(RADIATOR) Verify ISDN users on Cisco boxes with SNMP
Hello,

Using SNMP to verify that a user is still connected on Cisco boxes works only for Async connections. Is there a way to verify ISDN users?

thanks
Vangelis Kyriakakis
FORTHNET S.A.
Re: (RADIATOR) MaxSessions issue, still a problem
I think the problem when you use the Internal session database is that it uses the username from the Accounting file to count the number of sessions. When a new user logs in it checks the rewritten username against the session database. So it checks with the name uunoc and not with the [EMAIL PROTECTED] and sees that it hasn't logged in again. I had the same problem with small and capital letters. Maxsession 0 works always since there's no need to check the session database...

Vangelis

Dmitry Kopylov wrote:
> Hi,
>
> I upgraded to the 18.2.2 but the problem with MaxSession still exists. Here is part of config and trace 4 output:
>
> RewriteUsername s/^([^@]+).*/$1/
> MaxSessions 1
>
> AcctLogFileName %L/bbeyond/details
> PasswordLogFileName %L/bbeyond/uunet-passwords.log
>
> If I set MaxSessions 0, it works and rejects all sessions, but when I set MaxSessions to 1 it allows the second connection with the same username.
>
> MaxSessions 0:
>
> Thu Jul 12 11:30:06 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> Thu Jul 12 11:30:06 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> Thu Jul 12 11:30:06 2001: INFO: Server started: Radiator 2.18.2 on bbyrad1.bbeyond.nl
> Thu Jul 12 11:30:25 2001: DEBUG: Packet dump:
> *** Received from 62.177.149.2 port 1645
> Code: Access-Request
> Identifier: 102
> Authentic: z<211><178><22><170><220><204><200><219>w6<5>;<11>>:
> Attributes:
>     User-Name = "[EMAIL PROTECTED]"
>     User-Password = "_<178><219>A<0><201><238><192>3<130><183>
>     <28>@q<228>"
>     NAS-IP-Address = 213.116.1.14
>     NAS-Port = 70
>     NAS-Port-Type = Sync
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     State = ""
>     Calling-Station-Id = "235652175"
>     Called-Station-Id = "0107110035"
>     Acct-Session-Id = "328619273"
>     Ascend-Data-Rate = 64000
>     Ascend-Xmit-Rate = 64000
>     Proxy-State =
>     PX01<0><0><*z<211><178><22><170><220><204><200><219>w6<5>;
>     <11>>:<0><2><6><149><213>t<1><14><0><0><0><0><0><0><0><0><0><0><0>F<0><2><7>
>     <20>
>     ><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0><224><199><221>h<251><
>     225>
>     <236>&<13>XA<188>NY<153>O
>
> Thu Jul 12 11:30:25 2001: DEBUG: Check if Handler Realm=bbeyond.nl should be used to handle this request
> Thu Jul 12 11:30:25 2001: DEBUG: Handling request with Handler 'Realm=bbeyond.nl'
> Thu Jul 12 11:30:25 2001: DEBUG: Rewrote user name to uunoc
> Thu Jul 12 11:30:25 2001: DEBUG: Deleting session for [EMAIL PROTECTED], 213.116.1.14, 70
> Thu Jul 12 11:30:25 2001: INFO: Access rejected for uunoc: MaxSessions exceeded
> Thu Jul 12 11:30:25 2001: DEBUG: Packet dump:
> *** Sending to 62.177.149.2 port 1645
> Code: Access-Reject
> Identifier: 102
> Authentic: z<211><178><22><170><220><204><200><219>w6<5>;<11>>:
> Attributes:
>     Reply-Message = "Request Denied"
>
> MaxSessions 1:
>
> Thu Jul 12 11:31:26 2001: NOTICE: SIGTERM received: stopping
> Thu Jul 12 11:31:28 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> Thu Jul 12 11:31:28 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> Thu Jul 12 11:31:29 2001: INFO: Server started: Radiator 2.18.2 on bbyrad1.bbeyond.nl
> Thu Jul 12 11:31:37 2001: DEBUG: Packet dump:
> *** Received from 62.177.149.1 port 1645
> Code: Access-Request
> Identifier: 173
> Authentic: <242><12> <252>)<203>T<230><252><143>P<201><22>}9Y
> Attributes:
>     User-Name = "[EMAIL PROTECTED]"
>     User-Password = "e<218><137><3>\<17><241><230>gi<150>q <208>cn"
>     NAS-IP-Address = 213.116.1.30
>     NAS-Port = 2054
>     NAS-Port-Type = Sync
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     State = ""
>     Calling-Station-Id = "235652175"
>     Called-Station-Id = "0107110035"
>     Acct-Session-Id = "347654980"
>     Ascend-Data-Rate = 64000
>     Ascend-Xmit-Rate = 64000
>     Proxy-State = PX01<0><0><9><254><242><12>
>     <252>)<203>T<230><252><143>P<2
>     01><22>}9Y<0><2><6><140><213>t<1><30><0><0><0><0><0><0><0><0><0><0><8><6><0>
>     <2><
>     7><20>><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0>u<151><253>^<30>
>     H<18
>     5><142><234><10>v\w<187><218>n
>
> Thu Jul 12 11:31:37 2001: DEBUG: Check if Handler Realm=bbeyond.nl should be used to handle this request
> Thu Jul 12 11:31:37 2001: DEBUG: Handling request with Handler 'Realm=bbeyond.nl'
> Thu Jul 12 11:31:37 2001: DEBUG: Rewrote user name to uunoc
> Thu Jul 12 11:31:37 2001: DEBUG: Deleting session for [EMAIL PROTECTED], 213.116.1.30, 2054
> Thu Jul 12 11:31:37 2001: DEBUG: Handling with Radius::AuthFILE
> Thu Jul 12 11:31:37 2001: DEBUG: Radius::AuthFILE looks for match with uunoc
> Thu Jul 12 11:31:37 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Thu Jul 12 11:31:37 2001: DEBUG: Acc
Re: (RADIATOR) How can I log failed accounting information onlyonce?
Well, I found out that the multiple entries were caused by the retransmissions of the Access Server towards the Radius proxy not from the proxy to the other RADIUS server. I used the AccountingHandled attribute so when the proxy RADIUS gets an accounting packet from the Access server ACKs it without wait for an ACK from the other RADIUS server. Is this the right approach? thanks Vangelis Hugh Irvine wrote: > Hello Vangelis - > > At 5:20 PM +0300 6/25/01, Vangelis Kyriakakis wrote: > >Hello, > > > > I want to be able to send accounting information to a RADIUS > >server via proxy RADIUS and log accounting information, that didn't > >reach this server after some retries, in a local file. > > If I use AcctFailedLogFileName I get one line for every failed > >retransmission of the packet. Is there a configuration I can use in > >order to log only one line for each failed accounting packet? > > My reading of the code (in AuthRADIUS.pm, sub forward()) indicates > that the AcctFailed processing occurs after all retries have timed > out (just before the NoReplyHook is called). > > Can you send me a copy of the configuration file (no secrets) > together with a trace 4 debug from Radiator showing what is happening? > > thanks > > Hugh > > -- > > NB: I am travelling this week, so there may be delays in our correspondence. > > Radiator: the most portable, flexible and configurable RADIUS server > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, > Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. > Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. > === > Archive at http://www.open.com.au/archives/radiator/ > Announcements on [EMAIL PROTECTED] > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. 
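The duplicate log lines traced in this thread come from the access server resending the same accounting record. The following is an added example, not Radiator code and not from the posters: it shows one way to recognise such retransmissions by parsing the RADIUS attributes. The function names, the choice of key fields and the sample packet builder are assumptions made for illustration.

```python
import struct

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
ACCOUNTING_REQUEST = 4
NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 4, 40, 41
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46

def parse_attributes(packet):
    """Return {type: first value} for one RADIUS Accounting-Request."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    code, _ident, length, _auth = HEADER.unpack_from(packet)
    if code != ACCOUNTING_REQUEST or not HEADER.size <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, HEADER.size
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute at offset %d" % pos)
        attrs.setdefault(packet[pos], packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def record_key(src_ip, packet):
    """Identity of an accounting record; unchanged when the NAS resends it."""
    a = parse_attributes(packet)
    if ACCT_SESSION_ID not in a or ACCT_STATUS_TYPE not in a:
        raise ValueError("missing Acct-Session-Id or Acct-Status-Type")
    # Identifier and Acct-Delay-Time may change on a resend, so both are left out.
    nas = a.get(NAS_IP_ADDRESS, src_ip.encode())
    return (nas, a[ACCT_SESSION_ID], a[ACCT_STATUS_TYPE], a.get(ACCT_SESSION_TIME))

def log_failed_once(failed):
    """failed: (src_ip, packet) pairs that got no reply. Keep one per record."""
    seen, keep = set(), []
    for src_ip, packet in failed:
        key = record_key(src_ip, packet)
        if key not in seen:
            seen.add(key)
            keep.append((src_ip, packet))
    return keep

def build(ident, session_id, status, delay):
    """Constructed sample packet; the zero authenticator is a placeholder."""
    avps = ((ACCT_STATUS_TYPE, struct.pack("!I", status)),
            (ACCT_SESSION_ID, session_id), (ACCT_DELAY_TIME, struct.pack("!I", delay)))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return HEADER.pack(ACCOUNTING_REQUEST, ident, HEADER.size + len(body), bytes(16)) + body
```

Keying on the record rather than on the packet header means a resend that carries a new Identifier and an updated Acct-Delay-Time still counts as the same failed record.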
(RADIATOR) How can I log failed accounting information only once?
Hello,

I want to be able to send accounting information to a RADIUS server via proxy RADIUS and log accounting information, that didn't reach this server after some retries, in a local file. If I use AcctFailedLogFileName I get one line for every failed retransmission of the packet. Is there a configuration I can use in order to log only one line for each failed accounting packet?

Thanks
Vangelis
Re: (RADIATOR) SimultaneousUse using internal session database
Hugh Irvine wrote:

> Hello Vangelis -
>
> To do what you describe you need to use an SQL session database and
> supply your own AddQuery to use the rewritten username. NB - doing
> this will prevent you from using a NasType in your Client clauses.

Does this mean that if we use an SQL session database we won't be able to double check if user is really connected via SNMP or other method?

thanks
Vangelis

P.S. I think it would be very helpful if you included an option for case insensitivity for the internal session database in a future version of RADIATOR

>
> regards
>
> Hugh
>
> At 5:01 PM +0300 6/18/01, Vangelis Kyriakakis wrote:
> >Hello,
> >
> > using the internal session database for SimultaneousUse check
> >there is the following problem (if I am correct):
> >If a user changes the case of his username RADIATOR can't find him in
> >the session database if he has already logged in with his username
> >spelled in different case. Is it possible to rewrite the username that
> >RADIATOR uses for its internal session database so it can keep track of
> >the user regardless of the case he uses?
> >
> > thanks
> > Vangelis
>
> --
>
> NB: I am travelling this week, so there may be delays in our correspondence.
(RADIATOR) SimultaneousUse using internal session database
Hello,

using the internal session database for SimultaneousUse check there is the following problem (if I am correct): If a user changes the case of his username RADIATOR can't find him in the session database if he has already logged in with his username spelled in different case. Is it possible to rewrite the username that RADIATOR uses for its internal session database so it can keep track of the user regardless of the case he uses?

thanks
Vangelis
(RADIATOR) Problem with AcctFailedLogFileName
Hello,

I'm trying to use the AcctFailedLogFileName in an AuthBy RADIUS clause. I get the error:

    ERR: Unknown keyword 'AcctFailedLogFileName' in /usr/radius/cf/test.cfg

The config file has the following:

    Identifier Radius
    Host xxx.xxx.xxx.xxx
    Secret xxx
    NoForwardAuthentication
    AcctFailedLogFileName /usr/radius/log/failed

Is this the right syntax for the AcctFailedLogFileName command?

thanks
Vangelis
Re: (RADIATOR) Setting max session limits for both individual users and realm
We would like to do the following:

Have one domain domain1.com with a limit of 500 simultaneous users
Have another domain domain2.com with a limit of 1000 simultaneous users
Users of domain1 or domain2 will have a limit of 1 or 2 Simultaneous Use.

Is something like that possible? Can we use a different CountQuery with each Simultaneous Use check?

thanks
Vangelis

Hugh Irvine wrote:

> Hello Vangelis -
>
> You should use DefaultSimultaneousUse in the AuthBy (not MaxSessions)
> together with a Simultaneous-Use check item on a per user basis.
>
> Section 6.16.14 in the Radiator 2.18.1 reference manual.
>
> regards
>
> Hugh
>
> On Wednesday 02 May 2001 17:29, Vangelis Kyriakakis wrote:
> > Hello,
> >
> > Is it possible to set a Max sessions limit for a user in a Realm
> > realm1.com and a Max sessions limit for the realm1.com?
> > If someone changes the CountQuery in order to set a limit for a
> > particular Realm can he still be able to set limits for individual users
> > in the same Realm?
> >
> > thanks
> > Vangelis
> >
> > ===
> > Archive at http://www.starport.net/~radiator/
> > Announcements on [EMAIL PROTECTED]
> > To unsubscribe, email '[EMAIL PROTECTED]' with
> > 'unsubscribe radiator' in the body of the message.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
(RADIATOR) Setting max session limits for both individual users and realm
Hello,

Is it possible to set a Max sessions limit for a user in a Realm realm1.com and a Max sessions limit for the realm1.com? If someone changes the CountQuery in order to set a limit for a particular Realm can he still be able to set limits for individual users in the same Realm?

thanks
Vangelis
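The two threads above ask for a simultaneous-use check that cannot be sidestepped by changing the case of the username, and for a per-user limit combined with a per-realm limit. The following is an added example, not Radiator code and not from the posters: it models a session table that folds case before counting and enforces both limits. The class, its method names and the `fold_case` switch are assumptions made for illustration.

```python
class SessionTable:
    """Simultaneous-use bookkeeping keyed on a canonical user name."""

    def __init__(self, realm_limits, default_user_limit=1, fold_case=True):
        self.realm_limits = realm_limits      # e.g. {"domain1.com": 500}
        self.default_user_limit = default_user_limit
        self.fold_case = fold_case            # False reproduces the reported problem
        self.sessions = {}                    # (nas, port) -> (user, realm)
        self.per_user = {}
        self.per_realm = {}

    def canonical(self, username):
        user, _, realm = username.partition("@")
        realm = realm.lower()                 # DNS names are case-insensitive
        if self.fold_case:
            user = user.lower()
        return user, realm

    def may_login(self, username, user_limit=None):
        key = self.canonical(username)
        limit = self.default_user_limit if user_limit is None else user_limit
        if self.per_user.get(key, 0) >= limit:
            return False                      # per-user limit reached
        realm_limit = self.realm_limits.get(key[1])
        return realm_limit is None or self.per_realm.get(key[1], 0) < realm_limit

    def start(self, nas, port, username):
        self.stop(nas, port)                  # a port carries one session at a time
        key = self.canonical(username)
        self.sessions[(nas, port)] = key
        self.per_user[key] = self.per_user.get(key, 0) + 1
        self.per_realm[key[1]] = self.per_realm.get(key[1], 0) + 1

    def stop(self, nas, port):
        key = self.sessions.pop((nas, port), None)
        if key is not None:
            self.per_user[key] -= 1
            self.per_realm[key[1]] -= 1
```

With `fold_case=False` a second login as `ALICE@domain1.com` passes the check while `alice@domain1.com` is still online, which is the behaviour reported for the internal session database.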
Re: (RADIATOR) Various questions
Hugh Irvine wrote:

> Hello Vangelis -
>
> The AuthBy TACACSPLUS module only handles authentication requests. You will
> have to deal with authorisation and accounting separately.
>
> regards
>
> Hugh
>

Is there a module in Radiator that can get authorization commands from the TACACS server and send them to the Access server, or is something we'll have to do outside the RADIATOR?

thanks
Vangelis
Re: (RADIATOR) Various questions
Hugh Irvine wrote:

> Hello Vangelis -
>
> On Mon, 21 Aug 2000, Vangelis Kyriakakis wrote:
> > Hello,
> >
> > 1) Is Radiator capable of sending authentication requests to TACACS+
> > servers? We need to implement a scheme in which a call will be
> > authenticated based on the domain name either from a wholesale
> > customer's Radius server or from a wholesale customer's TACACS+ server.
> > The NAS will ask our Radius server which will forward the request to the
> > appropriate customer's server.
> >
>
> Yes, Radiator includes an AuthBy TACACSPLUS module. See section 6.34 in the
> Radiator 2.16.2 reference manual.
>

Is there a way to get Authorization and Accounting from a TACACS+ server?

thanks
Vangelis
(RADIATOR) Various questions
Hello,

1) Is Radiator capable of sending authentication requests to TACACS+ servers? We need to implement a scheme in which a call will be authenticated based on the domain name either from a wholesale customer's Radius server or from a wholesale customer's TACACS+ server. The NAS will ask our Radius server which will forward the request to the appropriate customer's server.

2) We would like to implement the following scheme: A number of POPs (Point of Presence) each one with its own NAS boxes, and a number of RADIUS servers which are used by the NASs for AAA services. We would like to have our Wholesale customers authenticate their users through our NASs but we would like to be able to set a limit on the number of modems they can use across the whole network. For example let's say we have 3 POPs, 2 AAA servers. POP 1 sends its requests to AAA server 1, POP 2 to AAA server 1 and 2, POP 3 to AAA server 2. A wholesale customer has a limit of using 100 modems. 40 of its customers have logged in through POP 1, 30 through POP 2 and 30 through POP 3. Then this wholesale customer has reached its modems' limit, so if another of its customers tries to log in is not authorized. Is it possible to set such a limit across a number of RADIATOR servers? If not are there any values we can take from them in order to keep track of the limits from another machine...

3) Is there a developer's kit or something like that for the RADIATOR?

thanks
Vangelis Kyriakakis
FORTHnet S.A.
Greece
(RADIATOR) Radiator support for Nortel CVX-1800
Hello,

Does Radiator support Nortel CVX-1800 Access switch?

thanks
Vangelis Kyriakakis
FORTHnet S.A.
Greece