RE: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x

2003-10-31 Thread Ward, Josh
I'm actually having a similar problem right now.  I'm not sure if I'm
not seeing the VSA's or if my VPN 3000 isn't sending them.

When I get the authentication request I see:

Fri Oct 31 10:06:16 2003: DEBUG: Packet dump:
*** Received from 132.241.67.38 port 3323 
Code:   Access-Request
Identifier: 189
Authentic:  
Attributes:
User-Name = jward
User-Password = 
NAS-Port = 10492
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint = 132.241.67.22
NAS-IP-Address = 132.241.67.38
NAS-Port-Type = Virtual

I know that there are other VSAs that should come in with the
Access-Request, but I'm not seeing them.  I'm not sure if my VPN
concentrator is configured wrong or if I'm not accepting them.

Any thoughts or insight?

Thanks!!!

-Josh
Network Operations
California State University, Chico

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Karl Gaissmaier
Sent: Friday, October 31, 2003 12:30 AM
To: Hugh Irvine
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000
Firmware Version 4.x

Hi Hugh,

Hugh Irvine wrote:

 
 Hi Charly -
 
 Thanks for your mail.
 
 The Radiator 3.7.1 standard dictionary already has most of the  
 definitions you list below.
 
 I will add the additional ones that you have sent, but they will have
 the existing Altiga prefix.
 
 I'll send you a copy of the modified dictionary in a separate mail.

thanks

 
 NB: have you included a copy of your configuration file (no secrets),
 together with a trace 4 debug showing what is happening?

I just stumbled over this error in the first:

Fri Oct 31 09:23:17 2003: ERR: Attribute number 32 (vendor 3076) is not defined in your dictionary
Fri Oct 31 09:23:17 2003: DEBUG: Packet dump:
*** Received from 134.60.112.177 port 1287 
Code:   Access-Request
...

I can't trigger all missing attributes, since I don't use all
features of the VPN Concentrator. The most useful info for
all new/old attributes is:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml


from where I've the definitions and values, from the other
sources I took the mnemonics for the names.

Regards
Charly

-- 
Karl Gaissmaier   KIZ/Infrastructure, University of Ulm, Germany
Email:[EMAIL PROTECTED]   Service Group Network
Tel.: ++49 731 50-22499

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
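
Added example, not part of the original thread and not Radiator code: a small decoder for the Vendor-Specific (type 26) attributes of a raw RADIUS packet, which shows on the wire whether the concentrator is sending vendor 3076 sub-attributes and which of them a dictionary lacks. The sample packet, sub-attribute 200 and the dictionary entry name are constructed placeholders; only vendor 3076 and attribute number 32 come from the thread.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type that carries VSAs
VPN3000_VENDOR = 3076     # vendor ID from the thread subject (26/3076/x)

def build_attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_vsa(vendor, subtype, value):
    """Encode one sub-attribute wrapped in a Vendor-Specific attribute."""
    sub = bytes([subtype, len(value) + 2]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + sub)

def parse_vsas(packet):
    """Return [(vendor, subtype, value)] for every VSA in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad or truncated RADIUS header")
    found, pos = [], 20                  # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]              # one or more (type, length, data) triples
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                found.append((vendor, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        pos += alen
    return found

def undefined_vsas(packet, dictionary, vendor=VPN3000_VENDOR):
    """Sub-attribute numbers the NAS sent that the dictionary does not define."""
    return sorted({s for v, s, _ in parse_vsas(packet)
                   if v == vendor and s not in dictionary})

# Constructed sample: Access-Request (code 1, id 189), User-Name plus two VSAs.
ATTRS = (build_attr(1, b"jward")
         + build_vsa(VPN3000_VENDOR, 32, struct.pack("!I", 1))
         + build_vsa(VPN3000_VENDOR, 200, b"x"))
SAMPLE = struct.pack("!BBH", 1, 189, 20 + len(ATTRS)) + bytes(16) + ATTRS
# Hypothetical dictionary: only sub-attribute 200 is defined, placeholder name.
SAMPLE_DICT = {200: "Example-Placeholder-Attr"}

print("undefined:", undefined_vsas(SAMPLE, SAMPLE_DICT))
```

An empty result from `parse_vsas` on a captured Access-Request means the NAS sent no VSAs at all, which separates a concentrator configuration issue from a dictionary gap like the one in the ERR line above.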


(RADIATOR) Authby policy question.

2001-10-15 Thread Ward, Josh

Here is my config for the authentication for the 'free modem services' at my
university. (see below)

I have a table that I'm creating through AuthbySQL that calculates the
session times and then when users cross over their time limit, they are inserted
into my 'overtime' table in SQL with a bogus password.  I was assuming that
if someone didn't have an entry in the database that Authby SQL would return
an ignore, not a reject.  This is not the case and this has fouled up my
authentication scheme.  I was going to have the users over their time
rejected by that first AuthBy (why I insert a bogus password), then the
other users authenticated properly with the other authby's using an
AuthByPolicy ContinueWhileIgnore.  Like I said, it's not working because
AuthBy SQL is rejecting people not in the database.

Is there anyone who has done anything similar to this?

I just want to pick people off with the first one, and if they are not
found, keep looking.  If they had a bad password, then stop looking.  Seems
simple enough :-)

Any ideas?

-Josh
(config attached below)



# Free modems
<Handler>

    AuthByPolicy ContinueUntilAccept
    RewriteUsername s/^([^@]+).*/$1/
    RewriteUsername tr/A-Z/a-z/

    <AuthBy SQL>
        Identifier FreeModemService_OVERTIME
        DBSource    dbi:mysql:modems
        DBUsername  --
        DBAuth      --

        AuthSelect SELECT pw FROM overtime WHERE login='%n'
        AuthColumnDef 0, User-Password, check
    </AuthBy>

    <AuthBy FILE>
        Identifier FreeModemService_File
        Filename /etc/radius/free_users
    </AuthBy>

    <AuthBy LDAP2>
        Identifier FreeModemService_LDAP
        Host        directory.csuchico.edu

        AuthDN      -
        AuthPassword -

        BaseDN      o=California State University Chico,c=US

        UsernameAttr uid
        PasswordAttr userpassword

        AuthAttrDef modemservicetype, X-User-MST, request

        # The archive stripped the comparison operator from the 'if' in the
        # hook below; '>' is assumed here.
        PostSearchHook sub {\
            my $attr = $_[4]->get_value('modemservicetype');\
            if ($attr > 1) {\
                $_[3]->get_check->add_attr('X-User-MST',\
                    $attr); \
            }\
            else { \
                $_[3]->get_check->add_attr('X-User-MST',\
                    'Denied: wrong modem service type'); \
            }\
        }
    </AuthBy>
</Handler>
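
Added example, not part of the original post and not Radiator's implementation: a simplified model of how an AuthBy chain is walked under the two policies named above, showing the outcome for an over-limit user and a normal user. The user names, passwords and the `directory` stand-in for the FILE and LDAP2 clauses are constructed; the `not_found` parameter models what the SQL clause returns for a user with no row (REJECT is what the post reports, IGNORE is what it expected).

```python
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# policy name -> (while_mode, result): the chain keeps going while (True)
# or until (False) the latest AuthBy result equals `result`.
POLICIES = {
    "ContinueWhileIgnore": (True, IGNORE),
    "ContinueUntilAccept": (False, ACCEPT),
}

def run_chain(policy, authbys, user):
    """Return (final_result, names_of_authbys_consulted)."""
    while_mode, target = POLICIES[policy]
    result, consulted = IGNORE, []
    for name, check in authbys:
        result = check(user)
        consulted.append(name)
        if (result == target) != while_mode:   # stop condition reached
            break
    return result, consulted

# Constructed data: alice is over her time limit, bob is not.
OVERTIME = {"alice"}
DIRECTORY = {"alice": "pw-a", "bob": "pw-b"}

def overtime_sql(not_found):
    """First AuthBy: listed users hold a bogus password, so they never match.
    `not_found` is the result for users with no row in the table."""
    return lambda u: REJECT if u["name"] in OVERTIME else not_found

def directory(u):
    """Stand-in for the later AuthBy FILE / AuthBy LDAP2 clauses."""
    return ACCEPT if DIRECTORY.get(u["name"]) == u["password"] else REJECT

def outcome(policy, not_found, name, password):
    chain = [("overtime_sql", overtime_sql(not_found)), ("directory", directory)]
    return run_chain(policy, chain, {"name": name, "password": password})

if __name__ == "__main__":
    for case in [("ContinueWhileIgnore", REJECT, "bob", "pw-b"),
                 ("ContinueWhileIgnore", IGNORE, "bob", "pw-b"),
                 ("ContinueWhileIgnore", IGNORE, "alice", "pw-a"),
                 ("ContinueUntilAccept", REJECT, "alice", "pw-a")]:
        print(case, "->", outcome(*case))
```

The last case corresponds to the policy in the posted Handler: in this model a reject from the overtime clause does not end the chain under ContinueUntilAccept, so an over-limit user with a valid directory password is still accepted.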



(RADIATOR) Concatenating or modifying values for SQL accounting

2001-10-03 Thread Ward, Josh

Ok, 

I'm a new radiator user, so I hope this isn't a silly question.

In my SQL accounting database, I have a field that I need to keep the
'connection info' in.  Basically, what I'd like to stash in that field is
the information about what speed the user had when they initially connected
as passed in the Ascend-Data-Rate and Ascend-Xmit-Rate by my Cisco AS5300.

What I need is something like:

AcctColumnDef connect_info,Ascend-Data-Rate\/Ascend-Xmit-Rate

So that the entry in the database would look something like:
31200/49333

Is there any way to do this?

Thanks!!

-Josh


Josh Ward, Network Management and Design
California State University, Chico




