Re: (RADIATOR) (Fwd) Date module?
On Sun, Oct 01, 2000 at 08:53:02PM -0500, Mike McCauley wrote:
> --- Forwarded mail from "Hakim Tass" [EMAIL PROTECTED]
>
> From: "Hakim Tass" [EMAIL PROTECTED]
> To: "Radiator mailing list" [EMAIL PROTECTED]
> Subject: Date module?
> Date: Sun, 1 Oct 2000 10:41:58 +0300
>
> hello everybody!!!
>
> 1 I am still having problems figuring out which date module to use. I am running Radiator 2.16 on sun-solaris 2.6 and oracle as the backend.
>
> 2 I want to assign IP address from a specific pool for certain group of users... I have defined the access-list pool on the router CISCO, is there any way I can specify from radius which ip-pool to pick up?

You can use the Cisco AV Pair or Ascend-Assign-IP-Pool to refer to one of the IP pools on your Cisco NAS.

eg:

    fred    Password = "blah"
            Ascend-Assign-IP-Pool = 3

[EMAIL PROTECTED]
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Stopping people using ISDN
On Wed, Sep 13, 2000 at 03:22:14PM +1100, Hugh Irvine wrote:
> Hello Ray -
>
> On Wed, 13 Sep 2000, Raymond Brighenti wrote:
> > Hi,
> > What I'm after is a way to stop people using ISDN to connect to our Maxs, I'm only using <Handler> in my config so would changing it to <Handler NAS-Port-Type=Async> be the best way about this or is there a better way of handling this?
>
> Using a Handler as you describe is certainly a good approach.

Just make sure you Reject ISDN users at some stage or your NAS will get upset and think your RADIUS server isn't responding. Then no users can login until the NAS forgives the server.
Re: (RADIATOR) Prepaid services
On Fri, Apr 28, 2000 at 09:23:41AM +1200, Mark Jenks wrote:
> I have radiator working for pre paid and post paid voip services on a Cisco as5300 and it works like a dream. Now we want to extend these services past our voip and public terminal access to generalised pre-paid internet. How can I force a session off after a predetermined amount of time...is there a radius attribute for this ?

You can use Session-Limit (or Ascend-Maximum-Time).
Re: (RADIATOR) Checking if a UNIX user exists without checking his password
On Sun, Apr 23, 2000 at 05:16:15PM -0500, Mike McCauley wrote:
> My mailers use Radius to authenticate the users. When a mail arrives for a user, or when a user sends a mail, I must check if the user exists in the user DB. I have a MySQL database, on which I can check without trouble if a username is valid or not. But old logins are in a UNIX passwd file (I can't migrate those accounts because the passwords are encrypted).

I'd migrate the users from UNIX. Radiator can log the username and the clear text password (look at PasswordLogFileName).
Re: (RADIATOR) Access-Request Attributes?
On Thu, Apr 20, 2000 at 02:46:45PM +1200, colinc wrote:
> Where do I specify what access-request attributes I want to check?

Depends how Radiator is configured. For my purposes I use Handlers which redirect to AuthBy FILE entries.

eg:

    DEFAULT Auth-Type = System, Called-Station-Id = 666

Check items always go on the first line, the rest of the lines are reply items.
Re: (RADIATOR) Accounting Stop Problem
On Tue, Apr 18, 2000 at 10:43:21AM -0500, Rafael Ortega wrote:
> Hello, all
>
> I've been experiencing some trouble with Radiator and our TNT Max. Two of our TNT boxes are sending the STOP accounting request without the username, IP, etc. information, only the request id (while the other two boxes work just fine). We compared the config in the NAS for possible differences, but can't find any.

I've seen NAS that will send Stops (with no matching Start) for people who try to login (and fail) with CHAP. Otherwise it's a TNT software problem - same version on all systems?
Re: (RADIATOR) HELP!
On Fri, Apr 14, 2000 at 08:27:37AM -0500, Mike McCauley wrote:
> To: [EMAIL PROTECTED]
> Subject: HELP!
>
> I was having some trouble with my 3Com TC yesterday after installing 2 additional Hiper DSP cards. I called 3Com and they fixed the problem. Now, however, I am receiving the following in my logfile every 30 seconds. This is what it looks like with a level 4 trace.
>
> Thu Apr 13 06:34:33 2000: NOTICE: Request from unknown client 209.165.173.8: ignored
> Thu Apr 13 06:35:08 2000: DEBUG: Packet dump:
> *** Received from 209.165.173.8 port 1641
> Code:       Status-Server
> Identifier: 49
> Authentic:
> Attributes:
>         Client-Id = 209.165.173.8
>         NAS-Port = 511
>
> This all started yesterday as soon as we got off the phone. Any help will be greatly appreciated.

You need to add a Client entry for 209.165.173.8 with the appropriate secret.
Re: (RADIATOR) Portal
On Tue, Apr 11, 2000 at 08:49:27AM +1000, Hugh Irvine wrote:
> There are two ways to go about this: the first is to use the generic AuthBy SQL clause and configure it normally for Oracle with custom AuthSelect and AcctColumnDef statements to match the Portal database schema. The second way is to develop an AuthBy PORTAL clause that already contains the functions described above. This is the second mention of Portal that we have seen in the last couple of weeks, so if there is sufficient interest (or if someone would like to contract us to build it) we will look at implementing it.

If you query your Portal database directly, make sure that your licensing is ok for that. Supposedly you either use the provided API or pay more and be able to query it directly with SQL.

Of course, technically nothing is standing in your way... Just the light at the end of the tunnel being a bunch of oncoming lawyers.
Re: (RADIATOR) IdleTime Out
On Tue, Mar 21, 2000 at 03:33:36PM +0100, 'Tunde Ogedengbe wrote:
> What is the value of the integer assigned to IdleTime out attribute. Is it in seconds or minutes?

Depends on the NAS I suspect. Most ones I've seen it's been in seconds.
Re: (RADIATOR) rotate logs signal!
On Fri, Mar 10, 2000 at 02:32:33PM -0500, Sergio Gonzalez wrote:
> Hello there.
>
> Somebody know if there is some signal I can send to radiator to automatically rotate logs? I been using the method:

Hi,

There's no command internal to Radiator which rotates the logs (like Squid does for example). You can use any log rotating script or program as long as it moves the log file - Radiator opens and closes the logfile every time it writes to it so you're safe to move it any time you like and leave Radiator running.
Re: (RADIATOR) Duplicates Packets
On Wed, Mar 08, 2000 at 04:38:51AM +, tmercado wrote:
> Hello Hugh,
>
> Ok, I'm running Radiator with a Trace 4. We have to wait to see what happened, anyway, I think that the delay is not the problem, because the DupInterval is set to 60 seconds, so if the MAX TNT sends a duplicate after a timeout occurs (i.e. 7 seconds), radiator must ignore it. The question now is, why is not happening that?
>
> So, to check for duplicate packets, Radiator compares all data in the packet? or the acct-session-id and NAS-IP-address fields only?
>
> The database is ok, I was testing it with radpwtst and I can do between 120 to 130 requests through radiator in a second (i.e. authenticate a user and save start and stop packets for that user), so is very fast. At this time, the rate for the real system is between 3 to 5 requests in a second.

It compares the whole packet (well the MD5 checksum from memory).

*hops on hobby horse*

This means if your duplicate packets aren't identical then Radiator can't detect and ignore duplicates (eg Cisco has Acct-Delay-Time which changes in value for each retransmitted packet). Check your Trace 4 log and compare the Stop records and see what the difference is.

*heads to sunset*
Re: IMPORTANT - RE: (RADIATOR) Duplicates Packets
On Wed, Mar 08, 2000 at 07:03:28PM -0600, Mike Nerone wrote:
> Well, for the purpose of this issue, we have to assume that for one reason or another a duplicate packet did, in fact, arrive at Radiator's accounting port. That's the only way this concern even comes into play. After all, why build duplicate packet detection into Radiator unless it can detect duplicate packets. I really suspect I'm misunderstanding something here, so please explain it to me, because what I'm hearing is this scenario:
>
> 1. The only way Radiator sees a dup is if, for some reason, Radiator's ack packet doesn't make it back to the NAS, thereby causing a retransmission.
> 2. Any time the NAS retransmits, it's going to have a different Acct-Delay-Time (time has, after all, passed).
> 3. Any duplicate Radiator received will therefore have a different Acct-Delay-Time.
> 4. Radiator compares (a checksum of) the whole packet when checking for duplicates.
> 5. Therefore, Radiator will perforce fail to recognize the duplication of any accounting packets.
>
> I know I'm going to kick myself when I hear this. :)

That's how it works. I've tried to make up a system for myself which opens up the packets and stores stuff like Account-Session-Id, username, nas, nas port, session time. It can then check when a duplicate packet comes in whether it matches the previously accepted stop packets - if it matches the above items it ACKs it back to the NAS but internally discards it.

However, I ended up painted into a corner with some bugs my limited perl skills didn't nail and gave it up.
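Added example, not Radiator code and not from any poster in these threads: a Python model of the duplicate check discussed in the two "Duplicates Packets" messages above, run once with a whole-packet MD5 and once with a key built from the fields the last reply lists. The attribute dictionaries, the `AcctDeduper` class and the inclusion of Acct-Status-Type in the key are assumptions; the sample traffic is constructed.

```python
import hashlib

DUP_INTERVAL = 60  # seconds, the DupInterval value quoted in the thread

# Fields the reply proposes matching on. Acct-Status-Type is an added
# assumption so a Start and a Stop of one session never collide.
KEY_FIELDS = ("NAS-IP-Address", "NAS-Port", "Acct-Session-Id", "User-Name",
              "Acct-Status-Type", "Acct-Session-Time")


def whole_packet_digest(attrs):
    """MD5 over every attribute, standing in for a checksum of the raw packet."""
    blob = "\n".join(f"{name}={attrs[name]}" for name in sorted(attrs))
    return hashlib.md5(blob.encode()).hexdigest()


def session_key(attrs):
    """Record identity that ignores attributes which change on a resend."""
    return tuple(str(attrs.get(name, "")) for name in KEY_FIELDS)


class AcctDeduper:
    """Decides whether an accounting request is new or a retransmission."""

    def __init__(self, keyfunc, window=DUP_INTERVAL):
        self.keyfunc = keyfunc
        self.window = window
        self.seen = {}  # key -> time the record was first accepted

    def handle(self, attrs, now):
        """Return 'store' for a new record or 'ack-only' for a duplicate.

        In both cases the NAS is sent an Accounting-Response so it stops
        retrying; only 'store' writes the record to the accounting backend.
        """
        # Forget records older than the duplicate window.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= self.window}
        key = self.keyfunc(attrs)
        if key in self.seen:
            return "ack-only"
        self.seen[key] = now
        return "store"


# Constructed sample traffic (documentation-range address): a Stop, its
# resend 7 seconds later where only Acct-Delay-Time differs, an unrelated
# Stop from another port, and the same resend arriving after the window.
STOP = {
    "User-Name": "alice", "NAS-IP-Address": "192.0.2.10", "NAS-Port": 18,
    "Acct-Session-Id": "00001A2B", "Acct-Status-Type": "Stop",
    "Acct-Session-Time": 3600, "Acct-Delay-Time": 0,
}
RESEND = {**STOP, "Acct-Delay-Time": 7}
OTHER = {**STOP, "User-Name": "bob", "NAS-Port": 19,
         "Acct-Session-Id": "00001A2C", "Acct-Session-Time": 120}


def replay(keyfunc):
    """Feed the sample traffic through a deduper and collect its decisions."""
    dedup = AcctDeduper(keyfunc)
    traffic = [(STOP, 0), (RESEND, 7), (OTHER, 8), (RESEND, 100)]
    return [dedup.handle(attrs, now) for attrs, now in traffic]


if __name__ == "__main__":
    print("whole-packet MD5:", replay(whole_packet_digest))
    print("session key:     ", replay(session_key))
```

The last entry in each run shows the window edge: a resend that arrives after DupInterval has passed is stored again under either scheme, so the accounting backend still needs its own uniqueness check.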
Re: (RADIATOR) Reject:Message
On Fri, Mar 03, 2000 at 10:16:16AM +1100, Hugh Irvine wrote:
> > Is the Reject:Message feature working on ver. 2.14.1? I had set it up for some users, and I can see the message in radiators log at trace 3, but radiator always sends 'Request Denied' as the value for the reply-message attribute.
> >
> > Here is a quote of the log at trace level 4, for a reject with a custom message:
> >
> > Wed Mar 1 18:36:00 2000: DEBUG: Radius::AuthSQL looks for match with avd
> > Wed Mar 1 18:36:01 2000: DEBUG: Radius::AuthSQL REJECT_IMMEDIATE: Segui participando
> > Wed Mar 1 18:36:01 2000: INFO: Access rejected for avd: Segui participando
> > Wed Mar 1 18:36:01 2000: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 3016
> > Code:       Access-Reject
> > Identifier: 194
> > Authentic:  1234567890123456
> > Attributes:
> >         Reply-Message = "Request Denied"
>
> What is the corresponding configuration? Could you send me the configuration file (no secrets) so I can see what should be happening?

Just a 'me too' on that. This is with the built in stuff too - from AuthGeneric.pm:

            || main::my_crypt($password, $value) ne $value)
        {
            main::log($main::LOG_INFO, "LOG: Bad Encrypted-Password,$username is trying '$password'");
            $p->{Handler}->logPassword($username, $password, 'ENCRYPTED', 0);
            return ($main::REJECT_IMMEDIATE, "Bad Encrypted-Password");
        }

This is what happens when it's triggered:

Fri Mar 3 11:57:22 2000: DEBUG: Radius::AuthDBFILE REJECT_IMMEDIATE: Bad Encrypted-Password
Fri Mar 3 11:57:22 2000: INFO: LOG: Access-Request (Reject): cmjh || 62610222 || 262544720 || 203.23.1.182 || 132
Fri Mar 3 11:57:22 2000: INFO: Access rejected for cmjh: Bad Encrypted-Password
Fri Mar 3 11:57:22 2000: DEBUG: Packet dump:
*** Sending to 203.23.1.182 port 1645
Code:       Access-Reject
Identifier: 185
Authentic:  152pT2517E22621239179131h187153%
Attributes:
        Reply-Message = "Request Denied"

[EMAIL PROTECTED]
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) RE: Rewriting usernames and what gets logged with AcctLogFileName
On Tue, Feb 29, 2000 at 06:22:55PM +0800, Andrew Pollock wrote:
> I think I may have answered my own question, but I'd like to check.
>
> If I put this handler above the handler example below, will it do the job for me?
>
> <Handler Realm=blah,Acct-Status-Type=/Start|Stop>
>     AcctLogFileName /var/log/radacct/remote/blah/detail
> </Handler>
>
> Will this simply intercept (and accept) accounting packets and log them into the file specified?

If it's up the top of the radius.cfg it will do what you want.
Re: (RADIATOR) How do I know?
On Wed, Feb 23, 2000 at 12:17:44PM -0600, David Lloyd wrote:
> On Wed, 23 Feb 2000, Mike McCauley wrote:
> > Hi David,
> >
> > Radiator only ever contacts the NAS when it has to: when a user logs in, and the session database thinks they are at their sim-use limit already. That means that Radiator only checks the NAS occasionally.
> >
> > At DEBUG (level 4), Radiator prints a message when it checks the NAS:
> > "Checking if user is still online: ."
> >
> > If it turns out that Radiator concludes the user was not really online when in fact the session database said they were, it prints out another message at NOTICE (level 3):
> > "Session for $name at $nas_id:$nas_port has gone away"
>
> Does it do anything if the SNMP query failed?

Yeah, you get an error (at level 4). Basically just the error from snmpget - ie wrong community, can't lookup that particular port (eg ISDN on Cisco). The user is allowed to continue past the simuse limitation if there's an error.
Re: (RADIATOR) nas-ports for sessionSQL
On Wed, Feb 23, 2000 at 06:23:55PM -0300, Alejandro Dau wrote:
> Hi,
>
> I use the Authen::Radius package to do authentication against radiator for some scripts; when I use sessionSQL with dbd:mysql I get the following error on radiator (though the request is responded successfully):
>
> Wed Feb 23 18:10:26 2000: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='172.16.1.33' and NASPORT=': You have an error in your SQL syntax near '' at line 1

Find the NASPORT line in SessSQL.pm and remove it from the delete SQL statement.
Re: (RADIATOR) DBD::Sybase
On Fri, Feb 18, 2000 at 12:49:29PM -0500, Mike McCauley wrote:
> Hi Leigh,
>
> Glad you have made some more progress. Looks like the DBD-Sybase is expecting some behaviour that ouyr MS_SQL does not have. We have tested with DBD-Sybase-0.13 and MS-SQL 6.5 without those problems. Might suggest you downgrade to 0.13?

I have DBD-Sybase-0.21 and MS6.5 going ok. I never concerned myself with the failures from make test - there leads to the path to madness (ie the author says they will probably never succeed while the version is below 1).
(RADIATOR) Cisco NAS-IP oddity
Hi,

This is not a Radiator question per se, has anyone experienced this gruesome 'bug' with Cisco?

Tue Feb 1 00:30:00 2000: DEBUG: Packet dump:
*** Received from 203.23.1.184 port 1645
Code:       Access-Request
Identifier: 114
Authentic:  O1721721784158129220160232$=135v173-
Attributes:
        NAS-IP-Address = 203.23.1.183

I'm pretty sure that Radiator would not be messing with the NAS-IP-Address, as it's only a couple of the NAS'es which are affected and they all reduce by one (ie 184 says it's 183).
Re: (RADIATOR) Help please
On Fri, Jan 28, 2000 at 11:12:32AM +0530, kailash wrote:
> Hi
>
> I have tried all the options but in vain it could not solve my problem...see when I log in the router when I type 'who' it shows all the people connected...but I could not find any command to drop a particular connection...please let me know...

Use the 'clear int interface' command. See your manual for details as it'll probably vary depending on what cisco you have.
Re: (RADIATOR) SNMP messages
On Tue, Jan 25, 2000 at 07:16:31PM -0700, Chris M wrote:
> Any idea why these messages appear in the log file?
>
> Mon Jan 24 00:00:07 2000: DEBUG: SNMPAgent: received request 129, 64, public
> Mon Jan 24 00:00:07 2000: WARNING: SNMPAgent: wrong community: public. Ignored
>
> Happens a couple times a day. We're not SNMP querying anything yet.

Maybe someone is scanning your networks for SNMP things.
Re: (RADIATOR) Never take the easy way out
On Wed, Jan 12, 2000 at 09:35:54AM +0600, Ricardo Guerra wrote:
> Hi!!!
>
> Is there any way to authenticate a user only checking the telephone number %{Calling-Station-Id} and not to worry about the username or password?

Something like:

<Handler>
    <AuthBy FILE>
        Filename /etc/somefile
    </AuthBy>
</Handler>

/etc/somefile would probably look like:

...
someuser    Calling-Station-Id=12345654321
...

(I'm a flat file traditionalist, but it seems easy enough to SQL/LDAP)
Re: (RADIATOR) Detail Files
You have to set it up something like this:

<Handler Called-Station-Id=/9411/>
    <AuthBy DBFILE>
        Filename /etc/raddb/radiator/access-users
    </AuthBy>
    AcctLogFileName /etc/raddb/radiator/radacct/detail-%m-%Y
</Handler>

On Wed, Jan 12, 2000 at 04:40:22PM +1100, Dean Brandt wrote:
> Hi Tom,
>
> Yep I found that in the FM :)
>
> Now my logfile says:
>
> Wed Jan 12 16:35:52 2000: ERR: Unknown keyword 'AcctLogFileName' in /etc/radius.cfg line 50
>
> Regards
> Dean Brandt
> +-+
> Cain Internet Services
> Melbourne - Adelaide - Sydney - Brisbane - Bendigo Australia
> Ph/Fax: 61-3-95373699 Mobile: 0413247188
> www.cain.net.au
> +-+
>
> On Wed, 12 Jan 2000, tom minchin wrote:
> > On Wed, Jan 12, 2000 at 04:05:41PM +1100, Dean Brandt wrote:
> > > Hi,
> > >
> > > I have this line in my /etc/radius.cfg file:
> > >
> > > LogDir /var/adm/radacct
> > >
> > > But no detail files are being kept. Any ideas?
> >
> > Detail files are generated by AcctLogFileName (which you stick in AuthBy clauses). LogDir is a place where it sends logging information about the daemon itself (eg debugging if you have it turned on).
Re: (RADIATOR) freezing
On Fri, Jan 07, 2000 at 02:19:24PM +0100, Robin Gruyters wrote:
> Hi
>
> here is a trace (from the second config):
>
> Fri Jan 7 14:13:44 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Jan 7 14:13:44 2000: DEBUG: Deleting session for ¦ ^£#÷!M|ůÏãÀ·ÒQ¯Oeèÿ}²õ÷Pu;ÅYB¤ÆÎY¶ÈNk´Ó?4N¾($!yIð1eÔ´úùQæ¼]àÑ¿ómÞÄvüÞÚÄñÅg?¯ùv *·ì ñåÝfòÑZ:' rü{=Ô¹Ô¼û(x/ê,t2Ðxsݦ¢K[b¡3$£ë×6Öú¦úß 0IMöj(Û?]"¯fGÌ`yzÉ $=ßfò¹ÑJ¾«dÊ/älÝ, 195.7.137.175, 18
> Fri Jan 7 14:13:44 2000: DEBUG: Handling with Radius::AuthLDAP2
> Fri Jan 7 14:13:44 2000: DEBUG: Connecting to ldap1.inside.servers, port 389
>
> It only freezes on the normal radius server(s) not on the proxy one

You probably don't want to be sending garbage to LDAP servers. If they are like the ones I have to interface with, they are delicate flowers and the slightest harsh word causes them to fail.
Re: (RADIATOR) SQL timeout
On Tue, Dec 28, 1999 at 05:50:44PM -0500, Andrew Kaplan wrote:
> I am still plagued with Radiator failing to authenticate. We had problems today. The log shows a bunch of SQL timeout errors at the same time. Any idea as to what is the problem.

If it's a regular problem, perhaps leave Radiator running in debug 4 mode. If Radiator reports an SQL timeout, it means that it couldn't query your database to lookup users.

Ob: it would be nice if you could specify another AuthBy inside an AuthBy SQL. This AuthBy would only be used if the SQL server failed (eg use a flat file). I know you can do this by cascading AuthBys, but I couldn't figure out how to do it when you already have a cascade of AuthBys already.
Re: (RADIATOR) Duplicate Request - Livingston PortMaster
On Wed, Dec 15, 1999 at 09:06:41PM +0700, Yang Tercepat wrote:
> Hi,
>
> We are having a problem when we using Portmaster because many duplicated accounting was sent and sent again. For example there is accounting request (start and stop) sending for more than 3 hours duplicated! Can we fix that duplicate accounting request directly from Portmaster, or we can set using DupInterval parameter? I have tried to trace using debug level 5 for this duplicated, and we don't see 'time' parameter value to set on DupInterval. The last Acct-Delay-Time was 11788 and could be higher or lower than that.
>
> Question 2, how can be the router send that duplicated request, since the network traffic is not too busy. Or could it be the dictionary is not right? We are having many router type using radius, so we choose global dictionary.

Sounds like accounting packets aren't being accepted (do you have specific Handlers, but no Handler to catch all remaining packets? - for example, you are probably generating these from telneting in to the PM).

I made a Handler that looks like:

<Handler>
    <AuthBy FILE>
        Filename /etc/raddb/radiator/admin-users
    </AuthBy>
    AcctLogFileName /etc/raddb/radiator/radacct/detail-MISC-%m-%Y
</Handler>

Radiator can only detect duplicate packets based on their MD5 checksum, so when the Acct-Delay-Time changes so does the checksum, thus it can't detect resent packets as duplicates. It does the same thing with Cisco's.
Re: (RADIATOR) License
On Thu, Dec 09, 1999 at 10:46:32AM +1030, Paul Thornton wrote:
> Hi,
>
> We currently have an unlimited license for Radiator purchased via DOVE Australia. Since then we have been bought out by Asia Online. We are still only using this license in Adelaide. Now we have multiple pops across the nation, we assume we can use this license at all our sites.

We're in the same boat, yes we can use it wherever we want until MTX/Interact is no more.
Re: (RADIATOR) Error Message in our LogFile
On Wed, Dec 08, 1999 at 09:00:23PM -0800, Greg Kornatowsky wrote:
> I am getting the following message in our Error Logfile, hopefully someone can tell me what it means. The user masteraccount has been acting kind of strange. They have ALOT of usage, like 500 hours a month yet if I do a usage query (we are running Platypus) it will always only show 170 hours. All of our other accounts seem to work just fine.
>
> (Cut and pasted from Linux so carriage returns and line feeds are all screwed up)
>
> Wed Dec 8 06:28:02 1999: ERR: Execute failed for 'select DateAdd(Day, ma.extension, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit from masteraccounts ma, subaccounts sa where (sa.login = ':.#@!}!}'} }4}"}} }*} } x;}'}"}(}":i~}#@!}!}(} }4}"}} }*} } x;}'}"}(}"z}3~q' or sa.shell = ':.#@!}!}'} }4}"}} }*} } x;}'}"}(}":i~}#@!}!}(} }4}"}} }*} } x;}'}"}(}"z}3~q') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0': Server message number=170 severity=15 state=1 line=5 server=KINGKONG text=Line 5: Incorrect syntax near '}'.

That's someone with line noise (or a stuffed modem) trying to login. Just ignore it - well, find out who it is might be useful from a customer care point of view.
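Added example, not Radiator or Platypus code: the failed statement in the log above has the login text pasted between quotes, so the quote character inside the line noise ended the string literal early and the rest was parsed as SQL. The Python below reproduces that failure on an in-memory SQLite table and shows the same lookup with the login passed as a bound parameter; the table contents, the cut-down column set, the noise string and the `<> 0` comparison are constructed assumptions.

```python
import sqlite3

# Constructed line-noise login containing a single quote, in the style of
# the one in the logged statement (not a copy of it).
NOISE = ":.#@!}!}'} }4}\"}"


def make_db():
    """Build a constructed stand-in for the subaccounts table in the log."""
    db = sqlite3.connect(":memory:")
    db.execute("create table subaccounts (login text, shell text, active int)")
    db.executemany("insert into subaccounts values (?, ?, ?)",
                   [("masteraccount", "ppp", 1), ("olduser", "ppp", 0)])
    return db


def lookup_interpolated(db, login):
    """Paste the login into the SQL text, as the logged statement was built.

    Returns the matching logins, or an 'ERR: ...' string when the database
    rejects the statement.
    """
    sql = ("select login from subaccounts "
           "where (login = '%s' or shell = '%s') and active <> 0"
           % (login, login))
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "ERR: " + str(exc)


def lookup_bound(db, login):
    """Same lookup with the login sent as data through placeholders."""
    sql = ("select login from subaccounts "
           "where (login = ? or shell = ?) and active <> 0")
    return [row[0] for row in db.execute(sql, (login, login))]


if __name__ == "__main__":
    db = make_db()
    print("interpolated, noise:", lookup_interpolated(db, NOISE))
    print("bound, noise:       ", lookup_bound(db, NOISE))
    print("bound, real user:   ", lookup_bound(db, "masteraccount"))
```

With bound parameters the noisy login is an ordinary failed lookup, with no database error in the log.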
Re: (RADIATOR) Session Timeout Until xx:xx
On Mon, Dec 06, 1999 at 04:04:57PM +0200, Ferhat DILMAN wrote:
> Hi,
>
> I have tested Session-Timeout="until 1800" parameter and does not work. The config is: Ascend TNT, Radiator 2.14.1 with new AuthGeneric.pm module on Debian Linux and here is the user file and the config file and the logfile. I have radiator main server and I have created a proxy. Main server sends the requests to this server. By the way, main server is still in 2.13 version. Does it matter?

Yeah, the Ascends like Ascend-Maximum-Time, so use that instead. Unfortunately unless the code is cleverer than it looks to me (not unlikely) you'll have to butcher the code slightly so that it uses the Ascend attribute rather than the standard RADIUS one. Should be a simple search and replace.
Re: (RADIATOR) 15% Failure in Authentciations
On Thu, Dec 02, 1999 at 06:13:46PM -0500, John Benson wrote:
> Support,

Radiators Anonymous more likely :)

> I am having an approximate 15% failure rate in authenticating users against an SQL database using radiator. I believe I am starting to narrow the problem down as to why users are getting the following message on their WIN95/98 boxes.
>
> "Error 691: The computer you're dialing in to cannot establish a Dial-Up Networking connection. Check your password, and then try again."
>
> I am using a Cisco AS5300 as the NAS. It is also the radius client passing authentication requests to radiator running on a Linux box. There is also an SQL database on the linux box and radiator is configured to convert the incoming radius request into an SQL authentication request. It works quite well with the exception of the current error I am trying to debug and fix. It appears to be happening about 15% of the time. When I do a "show modem command" on the AS5300, the 85% success rate statistic confirms the reason why 15% of the users are calling me.
>
> Can you suggest any parameters I might want to try to look at in radiator to adjust in order to eliminate the failed authentications?

What does the Radiator logs at debug level 4 say when people do fail authentication? Also, the AS5300 debug trace you sent indicated that they were trying to do CHAP, is this what they are supposed to be using?
Re: (RADIATOR) Microsoft SQL 7 and Linux
On Mon, Nov 29, 1999 at 02:36:55PM -0800, Greg Kornatowsky wrote:
> Has anyone successfully connected their Radiator running on a Linux box to Microsoft SQL 7. If you have would you mind sharing the details. We are running SQL 6.5 and have no problems with the Sybase drivers but we are thinking of upgrading to 7.

6.5-7 breaks the Sybase libraries. Microsoft has recognised this as a bug (ie lost sales) and issued a patch to make it work again.

SYBASE CT-Library Clients Cannot Connect to SQL Server
---
The information in this article applies to:

 - Microsoft SQL Server version 7.0
---
BUG #: 55964 (SQLBUG_70)

SYMPTOMS

SYBASE clients using CT-Library based on Tabular Data Stream (TDS) 5.0 (including Open Client 10.0.4 and 11.1.1) cannot connect to Microsoft SQL Server 7.0. These clients may encounter one of the following SYBASE CT-Library errors reported by SYBASE ISQL.EXE:

   CT-LIBRARY error:
   ct_connect(): network packet layer: internal net library error: Net-Library operation terminated due to disconnect

   CT-LIBRARY error:
   ct_connect(): protocol specific layer: internal Client Library error: There is a tds state machine error. An illegal tds token sequence was received.

The Microsoft SQL Server 7.0 errorlog reports the following error:

   ods Error: 17832, Severity: 18, State: 7
   ods Connection opened but invalid login packet(s) sent. Connection closed..

RESOLUTION
==

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next SQL Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix.
For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

   http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

   Version    File name     Platform
   ---------------------------------
   7.00.723   s70723i.exe   Intel
              s70723a.exe   Alpha

NOTE: Due to file dependencies, the most recent hotfix or feature that contains the above files may also contain additional files.

STATUS
==

Microsoft has confirmed this to be a problem in SQL Server version 7.0.

MORE INFORMATION

Microsoft SQL Server 6.5 and 7.0 are designed for backward compatibility to support TDS 4.2 clients, including TDS 4.2 clients from SYBASE. However, some of Microsoft's customers have traditionally been able to connect their SYBASE TDS 5.0 clients and perform basic queries against a Microsoft SQL 6.5 server. This configuration is not supported by Microsoft, although some customers have been using it.

Some changes were made in SQL 7.0 to provide more TDS protocol checks that prevented these SYBASE TDS 5.0 clients from making the same connection as in SQL 6.5. Therefore, a change has been introduced in SQL 7.0 that allows SYBASE TDS 5.0 clients to connect. However, this does not mean the configuration is officially supported by Microsoft. TDS 4.2 is the only level of compatibility that is supported for SYBASE TDS based clients. TDS 5.0 is a SYBASE specification and it is not supported by Microsoft.

NOTE: Microsoft will not include these changes in future versions of Microsoft SQL Server. These changes will remain during the lifetime of the 7.0 product, including service packs.

Limited testing has been performed by Microsoft regarding the functionality of SYBASE TDS 5.0 clients with this change. Only basic connectivity is ensured.
Anyone requiring this functionality should seek a different solution for connecting SYBASE clients to Microsoft SQL Server such as using an ODBC driver or OLE-DB provider.

Keywords : kbSQLServ700bug
Version : winnt:7.0
Platform : winnt
Issue type: kbbug
Solution Type : kbfix
Re: (RADIATOR) Session Database
On Sun, Nov 28, 1999 at 10:44:22PM -0500, Roy Hooper wrote:

At present, I have two situations I want to remedy:

1. I'm getting a number of "noise" accounting packets sent by one of our vendors to check our server is working. These packets tend to pollute the session database, but can be easily ignored if I can prevent them from making it to the session database by UserID.

If they're using something that's always the same, then create a Handler that matches and ignores these packets (although you may want to log them to make sure they're doing their job etc).

2. I've got a number of accounting packets coming in from one NAS in order to track 1-800 service. 50% of this same NAS includes accounting packets I do not want in the radwho database, and am presently not logging to file because I don't want to see them, except when debugging. The rest of the packets I am very interested in tracking, and am presently doing this by realm for this NAS -- packets w/o a realm are ignored for logging to file for accounting, the rest are kept.

If you can distinguish them easily based on Radius attributes then another Handler to collect the discardables would be the solution.

[EMAIL PROTECTED] === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) 56k ISDN Restrictions...
On Tue, Nov 23, 1999 at 03:07:43PM -0500, Kelly Hamlin wrote:

We are having a problem where people sign up with 56k access and then dial in with ISDN etc... We are looking for a solution where we can restrict that only ISDN customers can login with ISDN and we would also like to make it so we can restrict single and dual channel to certain users. We are currently running Win2k/Radiator and Sql7/Platypus. If anyone has had these problems or anyone knows where I can find the solution it would greatly help. Thanks in advance, if you need any additional information, please let me know and I'll be sure to make a prompt reply.

Yeah, it'd be nice if Radiator could use the account types (eg PPP, Mail, ISDN) that live in the Platypus database and check them against NAS-Port-Type.
Re: (RADIATOR) Multiple SessionDatabase question
On Tue, Nov 23, 1999 at 02:58:30AM +0100, Félix Izquierdo wrote:

Hello! If I have defined multiple SessionDatabase DBM, how can I know what database is Radiator using as default for Realms/Handlers where it's not specified?

From experience, it's the first one.
Re: (RADIATOR) Authenticating off of Platypus
On Thu, Nov 11, 1999 at 09:39:55AM -0500, Todd Knaus wrote:

Dear Fellow Radiator Users, We are in the process of moving/reinstalling Radiator from Windows NT back to a Unix box (RedHat 6.1 to be exact). However, we want to keep authenticating off of our Platypus Database on the NT server. There was some talk awhile back as well as a few web pages that dealt with this or listed software I needed on the unix box but I am unable to locate that information. If anyone is familiar with this could you please email me the links and or any hints, tips, pointers, etc.

There's 3 main choices:

1) use the Sybase libraries (this will work with SQLserver 6.5 natively and with 7 if you apply some 'compatibility' patches available from Microsoft) against the DBD-Sybase perl module. I posted a cookbook way of getting this done a few months ago.

2) use FreeTDS and DBD-Sybase - when I tried this it was an exciting mix of linking alpha software with alpha software :) It's probably much better now.

3) use OpenLink. I'm not very up on databases, so when I looked at this I just went "huh?". It was hard enough finding out whether the product would support Linux (glibc2) and SQLserver.
Re: (RADIATOR) Different logfiles for different groups?
On Mon, Nov 01, 1999 at 03:43:02PM -0600, Dawn Lovell wrote:

At 09:53 AM 10/30/99 +1000, Hugh Irvine wrote:

Could you try changing the AuthBy UNIX to AuthBy SYSTEM and see what happens then? I would be interested to see if AuthBy SYSTEM performs correctly.

I can't find the Shadows module that's mentioned in the reference manual as being necessary when using shadow passwords on Solaris with AuthBy SYSTEM. The site mentioned (ftp://dagobert.eur.nl/pub/homebrew/) doesn't seem to have it anymore and I can't find it on CPAN. Does anyone know of another place where this might be available? Thanks again for your help!

You have to retrieve it by the exact path (has some unreadable directories). Alternatively, http://users.interact.net.au/~tom/Shadow-0.01.tar.gz
Re: (RADIATOR) (Radiator) Client
On Sat, Oct 30, 1999 at 07:00:07AM -0600, Chris M wrote:

Is it a better practice to use IP addresses instead of names for Client? What about using both (if DNS fails for some reason it can check the IP)?

I suspect it doesn't make much difference, if DNS has failed then well probably other critical things are stuffed as well. If you want you can use Client DEFAULT and keep all your secrets (and NAS's) the same.
Re: (RADIATOR) mysql requirements...
On Thu, Oct 28, 1999 at 06:37:34AM -0500, Jay West wrote:

I want to install mySQL for use with Radiator on FreeBSD 3.3Release. The instructions say I'll need to install DBI and DBD. I can find DBI easily and have installed it. However, where exactly do I find DBD for mySQL??

You can find all those goodies in CPAN (http://www.cpan.org/) or on the mysql web site (http://www.mysql.com/download_perl.html). CPAN tends to have the newer versions (eg v1.2209).
Re: (RADIATOR) Ye olde perenial ?
On Fri, Oct 29, 1999 at 12:13:45AM +1000, Gary wrote:

Before switching over to sql authentication I am cleaning up the users file and adding DefaultReply to the various bits. Now the old question... is Service-Type = Framed-User a check or reply item...?? Page 39 of the manual (hi Hugh :-) indicates it's a reply item, but I thought it was a check item?

I always had it as a reply item.

Also I am wondering is there an equivalent DefaultCheck for check items? (if there is I probably missed it in the manual :-) or should this be a feature request?

Don't think so, just chuck an AuthBy FILE in front of the AuthBy SQL which contains a DEFAULT line with the check items you want. Another method is to use a handler which only matches the check items you want. Make sure you have a default handler or realm that'll look at people who don't check out properly and reject them (some NAS's get bitter and twisted if you selectively ignore users - they start trying to use fall back RADIUS servers and you can end up with no RADIUS service at all on that NAS for all users).
Re: (RADIATOR) Radiator AuthBy limitations
On Wed, Oct 27, 1999 at 10:40:34AM -0500, Erik Meitner wrote:

Am I correct in understanding that I cannot authenticate my users from my Unix password file and also have per-user reply items? My current radius server can do this. The reason we bought Radiator was so that we could limit login hours and simultaneous sessions. I do not relish the idea of maintaining two separate files with 10,000 records each. Any suggestions?

There's an example of UNIX authentication and per-user reply items in the sample radius.cfg. The only two files you will have to maintain are /etc/passwd (and /etc/shadow too I guess) and your file of per-user settings. There's also options to add reply items as default for everyone, and to add reply items for users who weren't picked out on a per-user basis.

<Handler>
    <AuthBy FILE>
        Filename /etc/raddb/users-settings
    </AuthBy>
</Handler>

<Realm dummyrealmforholdingauthbyunix>
    <AuthBy UNIX>
        Identifier System
        Filename /etc/shadow
    </AuthBy>
</Realm>

What is your current radius server? (we came from Livingston without drama).
Re: (RADIATOR) Radiator restart
On Wed, Oct 27, 1999 at 07:26:27PM -0400, Andrew Kaplan wrote:

Oddly enough, after the restart Radiator died and restarted over and over again (I got a bunch of emails about it). The Radiator logfile had entries like these at the time...

Wed Oct 27 15:48:25 1999: DEBUG: Reading users file /etc/acctmgr/users
Wed Oct 27 15:48:36 1999: DEBUG: Reading users file /etc/acctmgr/users
Wed Oct 27 15:48:48 1999: DEBUG: Reading users file /etc/acctmgr/users
Wed Oct 27 15:48:59 1999: DEBUG: Reading users file /etc/acctmgr/users
Wed Oct 27 15:49:11 1999: DEBUG: Reading users file /etc/acctmgr/users

What does this mean?

Try starting radiusd from the command line and see if there are errors going to standard out/err. Is that all the DEBUG output?
Re: (RADIATOR) Re: SNMP Setup
On Fri, Oct 22, 1999 at 02:15:15PM +1000, Barry W Anderson wrote:

You obviously have UCD SNMP installed. Try uninstalling this package, if you can't work out how to disable the agent.

You'll need UCD SNMP tools, just disable the snmpd.
(RADIATOR) Platypus SQL table structure has changed
Hi, If you have the misfortune to be using Platypus, they seemed to have changed the table layout in their latest rash of releases. The table 'radiusdat' is now a view (and thus not updateable).

Sat Oct 9 17:54:41 1999: ERR: do failed for 'insert into radiusdat (username, callstart, callend, sessid ) values ('fred', 'Oct 9, 1999 17:38', 'Oct 9, 1999 17:54', '1234' )': Server message number=4406 severity=16 state=1 line=1 server=ELEPHANT text=View 'radiusdat' is not updatable because a field of the view is derived or constant.
Sat Oct 9 17:54:41 1999: ERR: do failed for 'insert into radiusdat (username, callstart, callend, sessid )

Supposedly if you write to the 'calls' table it will achieve the same thing (different column layout - more stuff though in by default).
Re: (RADIATOR) memory leak in 2.14.1 ?
On Wed, Oct 13, 1999 at 09:08:46PM -0700, Ric O'Connell wrote:

We have also seen extreme memory leaks in 2.14.1. We backed off to 2.13 and have not had problems. I doubt it is Perl, unless 2.14 is using some parts of Perl that Radiator 2.13 is not. I find it hard to understand how a Perl program has memory leaks - Perl should do automatic Garbage collection.

There's the potential of bugs in perl and mistakes in coding that'll give you memory leaks. I've found that 2.14.1 with just File and DBM authentication doesn't leak a bit (it's only adding DBI stuff that you get into less trodden paths - especially when a lot of DBI programming appears to be single execution and exit which doesn't show up memory leak issues).
Re: (RADIATOR) detailed logging module?
On Thu, Sep 30, 1999 at 10:52:11PM -0400, Joshua M. Thompson wrote:

Before I reinvent the wheel has anyone else written a module to do detailed logging of the authentication process? What I mean by that is something that shows each Authentication request, Accounting Start and Accounting Stop as a series of one-liners showing the user@host, NAS name/port, the result (pass/fail) and if it's an error the message returned from the authenticator.

We just added extra lines in AuthGeneric.pm to get that kind of thing. Sure, a slight pain to migrate but things haven't changed drastically in that module for a while.
Re: (RADIATOR) To many start records
On Tue, Sep 07, 1999 at 09:50:26AM +0930, Paul Thornton wrote:

Hi, We seem to be having a small problem with our radius records and was wondering what might be causing this. As the record shows below the user has sent a Start record followed by a Stop (User Request). Shortly thereafter another Start Record has appeared. This causes our accounting server to see them as being online. This in turn causes all of their credit to disappear until there is none left. Could this have something to do with the DupInterval value? We have this set to "2". Should it be higher, or could there be something else?

-- Snip -
8|username|seagull-1.mtx.net.au|203.15.27.59|dove|PPP|Start|936187714|2B000E98|
8|username|seagull-1.mtx.net.au|203.15.27.59|dove|PPP|Stop|936187728|2B000E98|User-Request
8|username|seagull-1.mtx.net.au|203.15.27.59|dove|PPP|Start|936187759|2B000E98|
-- Snip -

Looks like duplicate packets alright. Try setting the DupInterval to something higher (like 60 seconds). Also, try increasing the retransmit time on your NAS - if you're Cisco then it defaults to 5 seconds which is a bit fast in peak times.
Re: (RADIATOR) correct spelling of Van-Jacobson-TCP-IP
On Sun, Sep 05, 1999 at 03:17:11PM +0200, Ben-Nes Michael wrote:

I think the Van-Jacobsen compression is the default. Am I right?

If you used Livingston Radius then it started off with the incorrect spelling then allowed both the incorrect and correct spelling in a later version to reduce support issues. Van-Jacobson is the right spelling. If you're still using backend programs of that vintage you can always modify the dictionary to use the incorrect spelling.
Re: (RADIATOR) using the Group check item
On Thu, Sep 02, 1999 at 10:43:24AM +1000, Hugh Irvine wrote:

manage our users, simply by making them members (or not) or certain groups. However, I now have a problem: If a user has the primary group "email", radiator does not use it, and auths them with the second entry. However, if I now put the username into the /etc/group file with group "email", it works OK. This becomes a problem because I have more than 1000 users, and the entries in the /etc/group file are limited to a certain length. Is this a failing in Radiator, or am I doing something wrong?

You aren't doing anything wrong - Section 13.1 of the Radiator 2.14.1 reference manual explicitly states that the Group check item will check the UNIX /etc/group file. I think you will have to do something different - possibly have two separate users files corresponding to your two groups.

You might also want to look at some of the other Auth modules, as AuthUNIX is only traditional non-shadow /etc/passwd. AuthPAM or AuthSYSTEM.

A brutal hack on AuthUNIX will also work, here's what I did to mine:

---
    #return defined $group_of_last_user_found
    #    && $self->{GroupsToGID}{$group} == $group_of_last_user_found;
    # First try the supplementary group list, as the stock module does
    my $grouptest = grep { $_ eq $user } split(/,/, $self->{Groups}{$group});
    # getpwnam is not supported on Win95
    if ($grouptest == 0 && $^O ne 'MSWin32')
    {
        # Fall back to the user's primary group from the password database
        my @userarray = getpwnam($user);
        my @grouparray = getgrgid($userarray[3]);
        $grouptest = 1 if ($grouparray[0] eq $group);
    }
    return $grouptest;
}

1;
---

The only problem here is that access to the /etc/passwd will be uncached and you could encounter performance issues if your /etc/passwd changes a lot.
Re: (RADIATOR) Auto-logoff at specific time i.e 18:00
On Sun, Aug 29, 1999 at 03:34:48PM +1000, Gary wrote:

I think what Michael is asking is whether there is an easy way to calculate Session-Time according to the time of day.

eg: normal max session is 3 hours (10800) but this user is restricted to having their connection complete by say 18:00 and they ring in at 17:45 so their Session-time should now be equal to 15 minutes = 900 seconds

In Michael's case the NAS does support session time or I suppose he wouldn't be asking :-)

I think Ascend and tigris is the answer.

You'll have to convince Mike to put it on the wishlist. I wouldn't mind seeing the time restrictions feature send out Session-Timeout or Ascend-Maximum-Time replies with the Access-Accept packet.
Re: (RADIATOR) Using more than one type of NAS
On Fri, Aug 27, 1999 at 01:34:59PM -0500, David Lloyd wrote:

On Fri, 27 Aug 1999, Brian wrote:

We have been using only one type of NAS, since starting with Radiator. We have been using 3Com Total Control boxes. We use the dictionary.usr as our dictionary. Now we are adding an Ascend MAX TNT. I noticed the dictionary is not set under each Client clause, but rather is done in the global section. How do I incorporate two different vendors' NAS boxes into Radiator (basically how do I get two dictionaries to work)? Do I have to merge the data from the dictionaries?

We have the same problem, we actually have 4 different types of NAS. What I have been doing is just using a generic dictionary, and ignoring the spam in my logfiles. If there is a better way (short of running 3 Radiators) I'd love to hear about it!

If you don't have any overlap between dictionaries, I just added the specific dictionary entries that all the NAS's wanted into a single one. The Cisco and Ascend attributes seem to all fit together without a problem.
Re: (RADIATOR) Check attributes
On Thu, Aug 26, 1999 at 06:37:29PM +0200, Rajesh Khator wrote:

Hi all, I am using AUTHBYSQL. How can I check the expiration date while authenticating a user? I tried adding the AuthColumnDef but it didn't work. Could you tell me the details?

You'd use the AuthSelect and make your own SQL statement. For example, if you have a column that indicates whether a user is active (A) or disabled (D):

AuthSelect select PASSWORD from SUBSCRIBERS\
    where USERNAME='%n' and STATUS = 'A';

You can do other stuff using the special formatting characters:

AuthSelect select PASSWORD from SUBSCRIBERS\
    where USERNAME='%n'\
    and ACCTSTARTDATE < %b and ACCTENDDATE > %b;

(user can login as long as the current timestamp (%b) is greater than the account start date and less than the account end date - and their password matches of course).
Re: (RADIATOR) Multiple stop accounting requests
Oh, the reason why Radiator doesn't pick up the two Stops as duplicates? The Acct-Delay-Time value is different in both packets (0 and 5), Radiator does a comparison of the whole packet and they must be identical to be determined to be duplicates.
Re: (RADIATOR) Multiple stop accounting requests
On Thu, Aug 26, 1999 at 10:24:42AM +1200, John Vorstermans wrote:

Hi. I cannot get to the bottom of this problem. On occasions we are seeing multiple stop accounting records being added to the records of a session. Looking at the logs I can confirm that multiple stop records are actually sent and received. I have attached radius.cfg and a section of the logfile in case anyone can help me sort this out. The user concerned in this case is "shi". We are running Radiator 2.14.0 and the packets are coming to us from an Ascend TNT via a proxy radiator server. What should I look for to sort this problem out?

Currently your Ascend is resending every 5 seconds, which means if the server that Radiator is on is temporarily loaded, or there's a flurry of RADIUS traffic on the server, it might not be completed in time and acknowledged within 5 seconds. Try setting the retransmit time on your NAS to 10 or 15 seconds.
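The two duplicate-record threads above describe a retransmitted Start arriving after its Stop, and retransmitted Stops that differ only in Acct-Delay-Time and so escape a whole-packet comparison. The Perl below is an added example, not Radiator code or anything posted to the list: it classifies accounting events by session key instead. The field positions are an assumption read off the three sample records, and the Acct-Delay-Time values and extra session ids are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Field positions are an assumption read off the sample records quoted in the
# "To many start records" thread:
#   ?|user|NAS name|NAS address|?|service|status|timestamp|session id|cause
sub parse_record {
    my ($line) = @_;
    my @f = split /\|/, $line, -1;
    die "short record: $line\n" if @f < 9;
    return {
        user => $f[1], nas => $f[3], type => $f[6],
        time => $f[7], session => $f[8], delay => 0,
    };
}

# Whole-packet comparison, as described in the thread: any differing
# attribute, Acct-Delay-Time included, makes two packets "different".
sub same_packet {
    my ($x, $y) = @_;
    return join('|', map { $x->{$_} } sort keys %$x)
        eq join('|', map { $y->{$_} } sort keys %$y);
}

# Session-keyed classification. Assumes Acct-Session-Id is unique per NAS for
# as long as the %seen/%stopped state is kept.
sub classify {
    my @events = @_;
    my (%seen, %stopped, @verdicts);
    for my $e (@events) {
        my $sess = "$e->{nas}/$e->{session}";
        my $verdict;
        if ($seen{"$sess/$e->{type}"}++) {
            $verdict = 'duplicate';      # same session, same status type
        }
        elsif ($e->{type} eq 'Start' && $stopped{$sess}) {
            $verdict = 'stale-start';    # first copy was lost, Stop already in
        }
        else {
            $verdict = 'accept';
        }
        $stopped{$sess} = 1 if $e->{type} eq 'Stop';
        push @verdicts, $verdict;
    }
    return @verdicts;
}

# The three records from the thread, unchanged
my @thread = map { parse_record($_) } (
    '8|username|seagull-1.mtx.net.au|203.15.27.59|dove|PPP|Start|936187714|2B000E98|',
    '8|username|seagull-1.mtx.net.au|203.15.27.59|dove|PPP|Stop|936187728|2B000E98|User-Request',
    '8|username|seagull-1.mtx.net.au|203.15.27.59|dove|PPP|Start|936187759|2B000E98|',
);
print 'thread records: ', join(', ', classify(@thread)), "\n";

# Constructed: one Stop sent twice, Acct-Delay-Time 0 then 5
my $stop1 = { %{ $thread[1] }, session => '2B000E99' };
my $stop2 = { %$stop1, delay => 5 };
print 'whole-packet match: ', (same_packet($stop1, $stop2) ? 'yes' : 'no'), "\n";
print 'session-keyed: ', join(', ', classify($stop1, $stop2)), "\n";

# Constructed: a Start whose first transmission was lost, arriving after the Stop
my $stop = { %{ $thread[1] }, session => '2B000E9A' };
my $late = { %{ $thread[0] }, session => '2B000E9A' };
print 'reordered: ', join(', ', classify($stop, $late)), "\n";
```

A billing or session-tracking consumer that drops the `duplicate` and `stale-start` events does not reopen a session that has already been closed.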
Re: (RADIATOR) Changing Shadow Password from Radmin
On Tue, Aug 24, 1999 at 10:56:35AM +, Paul Black wrote:

I have written a bit of perl code to allow Radmin to add new users to my shadow password file when a new user is added using Radmin. Now I need to write a bit of code to allow the shadow password to be changed when a password is changed using Radmin. Could anyone tell me how to go about this?

Can't you just use the same code you use for adding new users (just the chpasswd bit I think is all you need)?
Re: (RADIATOR) Question on radiator
On Thu, Aug 19, 1999 at 09:25:20AM +, Alexander Koch wrote:

Hallo. As I am evaluating a new radius daemon to choose I have some questions on Radiator. We have several Ascend Max 4k and 6k, all doing radius auth to special hosts (several, no real redundancy and backup), we are running the Ascend radius daemon (oh well, no comments, please) and we would need one feature: Have several (2+) radius servers that respond differently (however that is achieved, config-wise, fall-through or something) depending on the source IP of the request. So far we have two radius daemons on the same box, each is listening to another port. This works, but if it can be just one radius daemon, this would be really fine. Is anything like this possible? And, if so, how (roughly)? Mind you, this is no roaming...

How do you mean differently? Radiator is able to use NAS-IP-Address (or similar) and Handlers to use different authentication sources etc.

<Handler NAS-IP-Address=/10.1.1.2|10.1.1.3/>
    # whatever
    ...
</Handler>

<Handler NAS-IP-Address=/10.2.2.2|10.2.2.3/>
    # something else
    ...
</Handler>

You could do it at another level with NAS-IP-Address check items as well.
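The Handler patterns in the reply above are unanchored and use unescaped dots, so they accept more addresses than the two they list. The Perl below is an added example (not from the post or from Radiator) that checks a pattern against an inventory of NAS addresses and builds an anchored equivalent; it assumes the text between the slashes is applied as an ordinary Perl regular expression match, and the inventory is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the addresses from @candidates that $pattern accepts, using an
# ordinary unanchored Perl match (the assumption made about Handler matching).
sub matching {
    my ($pattern, @candidates) = @_;
    my $re = qr/$pattern/;
    return grep { $_ =~ $re } @candidates;
}

# Build an anchored pattern that accepts only the listed addresses:
# quotemeta makes each dot literal, ^...$ forbids leading or trailing extras.
sub exact_pattern {
    my @addrs = @_;
    return '^(?:' . join('|', map { quotemeta($_) } @addrs) . ')$';
}

# Constructed inventory: the two intended NASs plus addresses that merely
# resemble them.
my @inventory = qw(10.1.1.2 10.1.1.3 10.1.1.20 10.1.1.254 110.1.1.3 10.101.2.5 10.2.2.2);
my @intended  = qw(10.1.1.2 10.1.1.3);
my %intended  = map { $_ => 1 } @intended;

my %patterns = (
    'as posted' => '10.1.1.2|10.1.1.3',
    'anchored'  => exact_pattern(@intended),
);

for my $name ('as posted', 'anchored') {
    my @hits       = matching($patterns{$name}, @inventory);
    my @unintended = grep { !$intended{$_} } @hits;
    printf "%-9s /%s/\n", $name, $patterns{$name};
    printf "  matches:    %s\n", join(' ', @hits);
    printf "  unintended: %s\n", @unintended ? join(' ', @unintended) : '(none)';
}
```

Running the same check against the real list of Client addresses shows whether a Handler would pick up requests from a NAS it was not written for.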
Re: (RADIATOR) Simulatnius-usae and Port-limit
On Thu, Aug 19, 1999 at 04:56:11PM +0200, Ben-Nes Michael wrote:

So how do other Radius servers do this? And what does the Livingston send that tells the Radius that it's the second port of the current Session?

It's not able to do this. It can send Port-Limit = whatever. You can configure Radiator to send the same Reply attribute, however, there's substantial caveats in the Livingston RADIUS server: http://www.livingston.com/tech/docs/radius/userinfo.html#1014088

Especially note that it only limits multilink ISDN sessions, it does not prevent two separate non-multilinked logins. It does not solve the problem you face, you'll have to think of another way around it - static IPs, caller id, multilink session ids (if your NAS sends them - Cisco does). Port-Limit is not the solution. Neither is Simultaneous-Usage.
Re: (RADIATOR) Simulatnius-usae and Port-limit
On Wed, Aug 18, 1999 at 11:45:26AM +0200, Ben-Nes Michael wrote:

But if I'll put both set to 2 then I can easily have two users on 64k, that means 1 less customer. I think this should be considered as a bug. Anyone know the email of the developing team?

You might be able to do something with a PreAuthHook (if you can distinguish, from your NAS RADIUS client, the difference between two separate 64K channels and the forming of 128k channel). There's probably not much you can do if you can't tell the difference based on RADIUS between the two (allocate a static IP?).
Re: (RADIATOR) problems with Radiator and USR TC, FreeBSD 2.2.6, NIS, Simul-Use
On Sun, Aug 15, 1999 at 06:24:43PM +1000, Hugh Irvine wrote:

my outstanding issues are as follows:
- need to either:
  - deny access to users in group "noppp" (gid 102)
  - only allow access to users in group "users" (gid 101)

I don't understand the requirements above - could you explain?

Probably want to use the Group Check item in your DEFAULT and per-user entries.

DEFAULT Group = "users"
    ...

auser Group = "users"
    ...

Any other users not in that group will be denied by default.
Re: (RADIATOR) Session timeout.
On Thu, Aug 12, 1999 at 09:04:51AM -0500, Dennis Khaw wrote:

Hi everyone, I'm new to Radiator and currently setting it up for the first time. Please bear with me if this is a common question. How do I set the session timeout for each login? If setting a session timeout is possible, could I also set up different timeouts for different realms? I do not see a command similar to that in the Radiator manual. BTW, I'm not using any database for authentication. I'm using an authby UNIX and authby tacacplus.

Hmm, those two AuthBys don't give you a lot of flexibility, but you can use AddToReply to send a session timeout for each AuthBy. You'll have to find out what RADIUS attribute your NAS will take to limit a session to a certain time.

<AuthBy TACACSPLUS>
    ...
    AddToReply Session-Timeout = 14400
    ...
</AuthBy>
Re: (RADIATOR) Passwd Program
On Fri, Aug 13, 1999 at 02:44:32AM +, Paul Black wrote:

I'm a new Radmin user and I have found that there is a problem with authenticating out of the Radmin database and Sendmail. The basic problem is that Sendmail does not use Pam and Sendmail checks that users exist against the Shadow password file. Mike McCauley has shown me how to patch Radmin to add new customers to the password file as well as to the Radmin database. In order to implement this patch I need a version of the passwd program which takes the username and password as a command line argument. Before I spend time hacking the existing password program, I thought it would be good to know if anyone already has or knows of a version of the passwd program that can be run from a script.

There's chpasswd which is part of the Shadowsuite of tools. You can run batch updates etc using this command line utility.
(RADIATOR) Re: Radmin Adding Users
On Fri, Aug 13, 1999 at 04:46:16AM +, Paul Black wrote:

I've almost got Radmin adding new users to my shadow password file. My perl is pretty basic. Following is the function being used to add the users. My first problem is that useradd is not working. How can I display the error message from useradd?

The useradd line doesn't seem to have a leading /, you should also check out the syntax of your useradd program as they vary from OS to OS.

The second problem is that chpasswd takes its input on STDIN. Is the code below (currently commented out) correct to do this?

You'll have to do something slightly different with chpasswd:

# Pipe a single "username:password" record to chpasswd on its STDIN
open(CHANGEPASSWORD,"|/usr/sbin/chpasswd");
print CHANGEPASSWORD "$obj->{USERNAME}\:$obj->{PASS_WORD}\n";
close(CHANGEPASSWORD);
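The chpasswd pipe shown above passes the password on STDIN, which keeps it out of the process list, but it writes the two fields unchecked and ignores the exit status. The Perl below is an added example, not Radmin code or the poster's function: it validates the record before writing it and reports a failed child. The function names, the username pattern and the stand-in child commands are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build one chpasswd input record ("name:password", one record per line).
# A newline in either field would start a second record and a colon in the
# name would move the field boundary, so such input is rejected, not escaped.
# The username pattern is a conservative assumption; adjust to local policy.
sub chpasswd_record {
    my ($user, $pass) = @_;
    die "missing username\n" unless defined $user && length $user;
    die "missing password\n" unless defined $pass && length $pass;
    die "username not acceptable\n"
        unless $user =~ /\A[a-z_][a-z0-9_.-]{0,31}\z/;
    die "control character in password\n" if $pass =~ /[\x00-\x1f\x7f]/;
    return "$user:$pass\n";
}

# Feed the record to chpasswd on STDIN. @cmd is overridable so the function
# can be exercised without root; it defaults to the path used in the post.
sub set_password {
    my ($user, $pass, @cmd) = @_;
    @cmd = ('/usr/sbin/chpasswd') unless @cmd;
    my $record = chpasswd_record($user, $pass);

    local $SIG{PIPE} = 'IGNORE';    # a dead child becomes an error, not a kill
    # List-form pipe open: no shell, and the password never appears in argv
    open(my $fh, '|-', @cmd) or die "cannot run $cmd[0]: $!\n";
    print {$fh} $record;
    # close() waits for the child and is false on a write error or nonzero exit
    unless (close $fh) {
        die $! ? "write to $cmd[0] failed: $!\n"
               : "$cmd[0] exited with status " . ($? >> 8) . "\n";
    }
    return 1;
}

# Constructed inputs: the last two would add a second record or an extra field
for my $case (['fred', 'S3cret!pw'], ['fred', "x\nwilma:y"], ["fred:x\nwilma", 'pw']) {
    my $ok = eval { chpasswd_record(@$case); 1 };
    print $ok ? "accepted\n" : "rejected: $@";
}

# Stand-ins for chpasswd (the running perl itself): one succeeds, one fails
for my $script ('1 while <STDIN>', 'exit 3') {
    my $ok = eval { set_password('fred', 'S3cret!pw', $^X, '-e', $script) };
    print $ok ? "child succeeded\n" : "child failed: $@";
}
```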
Re: (RADIATOR) radiusd option
On Fri, Aug 06, 1999 at 05:27:42PM +0300, Requiem Aurelien (Ext/NTC) wrote:

Hello. A lot of daemons use option mydaemon [start/stop/restart]. I think it could be a good idea to add these options to the radius daemon.

Not really they don't. It's just the shell wrappers which start them up that have these options. Have a look inside a few of them and you'll see. You'll easily be able to modify one of them to suit Radiator however. On most systems just copy the syslogd or the sendmail init script and use that.
Re: (RADIATOR) Cisco And Session-Timeout
On Wed, Aug 04, 1999 at 01:58:50PM +0300, Adam wrote:

Hi all, I really hope I can find answers to my problem, so please anybody with any idea HELP... We have here Cisco 5200 with IOS 11.3T release7 and Cisco 3640 with IOS 11.3T release9. We configured the Radiator and it's working great but we are facing one problem... We want to automatically disconnect users basing on how much time they have left, so we are sending session-time out like this:

<AuthBy SQL>
    AuthSelect select Password,TimeBalance from users where username='%n'
    AuthColumnDef 0,Password,check
    AuthColumnDef 1,Session-Timeout,reply

Try using Ascend-Maximum-Time instead. That worked for us (and Session-Timeout didn't).
Re: (RADIATOR) Limit Acces
On Fri, Jul 30, 1999 at 12:25:20PM +0200, DAVID PARAJE wrote:

DAVID PARAJE wrote:

My name is David and I'm from Unisource, Spain. I have some questions about Radius Radiator and I hope anyone can help me. I want to limit the simultaneous use of my clients, but I don't know how I can do it. I am working in a Solaris and AUTH BY FILE. I have read some questions about this problem and, for example, when I write DefaultSimultaneousUse 1 (to limit access to 1) and stop and start radius, there is an ERROR in the logfile that says that it doesn't recognise that command. Some questions: Do I have to configure SNMP in my Access Server (cisco) and in the Radius? Do I have to add in the dictionary file some words (like DefaultSimultaneousUse or Simultaneous-Use)? And, in a few words, what do I have to do to limit access, please?

Not a lot. This in your radius.cfg:

<SessionDatabase DBM>
    Filename /path/where/the/database/file/will/live
</SessionDatabase>

Then for each user add:

Simultaneous-Use = 1

(or use AddToReply and save some work)

I'd recommend enabling SNMP on your Cisco's as that will allow Radiator to double check before rejecting a user for exceeding the Simultaneous-Use check. The manual is pretty good in this respect. But you don't have to use SNMP - just have to accept the odd reject if your network/NAS/Server drops the odd Stop packet.
Re: (RADIATOR) Detail Accounting Help
On Sun, Jul 25, 1999 at 12:08:07PM +0600, Mohammad Tawrit wrote:
> Hi Mike,
>
> How can I generate a datewise accounting log file? I mean for each date, a separate logfile.

You use AcctLogFileName with the special characters on page 11 of the manual. eg:

    AcctLogFileName /usr/radacct/detail-%d-%m-%Y

which generates the detail file for today called /usr/radacct/detail-25-07-1999

Re: (RADIATOR) Getting Started
On Sun, Jul 25, 1999 at 12:22:11AM +1000, Radiator Mailing List wrote:
> I've just started to setup Radiator on a Linux Redhat 6.0 machine with Authentication against a shadow password file. I'm having a problem with tests from radpstest not authenticating, accounting records are working fine.

What do the logs say (at debug level 4)? The rest of the config looks pretty valid.

Re: (RADIATOR) (off-topic?) simple snmp info from nas
On Sat, Jul 24, 1999 at 04:05:55PM +1000, Craig Sanders wrote:
> Re: (RADIATOR) SNMP Counter logging
> On Wed, Jul 07, 1999 at 04:26:38PM +1000, tom minchin wrote:
> > I use the SNMP method to clear the interface, that sends a Stop (IOS version 11.3(8)T1).
> >
> >     snmpset hostname community .1.3.6.1.4.1.9.2.9.10.0 i interface
>
> would you have a list anywhere of what these cisco oids mean?

There's some meaty documents on www.cisco.com which go through each MIB that you can download from the website. I was never able to integrate the Cisco MIBs into CMU or UCD (but I'm hardly an expert). Unfortunately I don't have any URLs as they keep changing the damn site layout.

> am i missing something really basic about snmp or is it meant to be ridiculously clumsy and over-complicated??

I'm sure it's not meant to be clumsy, but the way Cisco (and others) have implemented it (ie in an accumulatory fashion rather than any attractive plan) means that it's ugly and complicated. The Cisco solution is to buy CiscoWorks and be done with it :)

Re: (RADIATOR) NAS' in Multiple Timezones, AAA in One ?
On Fri, Jul 23, 1999 at 08:17:00AM +, Brad Vonarx - AAPTN VicOne wrote:
> Has anybody dealt with this issue ? I have Access Servers Australia wide, however Radiator servers in Melb and Syd only. I need to display the time the caller connected locally not the Radiator local time. Then the issue gets more complicated during daylight savings time, any Ideas ?

You could always hack the source, negate or add 3600 seconds to the time stamps. Another option is to have your RADIUS server run on a computer with the timezone you require. I've always left the time alone, although it does require you to remember about daylight saving differences between states.

Re: (RADIATOR) CLID only authentication ?
On Mon, Jul 19, 1999 at 11:52:08PM +1000, Gary wrote:
> I have just installed radiator for the first time. I also have just installed a new tigris. Has anyone managed to get a CLID authorisation only session going on a tigris ??

You can use the Calling-Station-Id RADIUS check item, eg:

    fred    Password = "mypasswd", Calling-Station-Id = "3454563453"

This is standard RADIUS, and your Tigris will need to send the CLID when it authenticates against your RADIUS server.

Re: (RADIATOR) Radiator 2.14 how compressed?
On Fri, Jul 16, 1999 at 04:58:03PM +0200, Karl Gaissmaier wrote:
> Hi all,
>
> was anyone successful with downloading and decompression of the Radiator-2-14.tgz? I got:
>
>     # /soft/local/gnu/bin/tar ztf Radiator-2-14.tgz
>     gzip: stdin: invalid compressed data--format violated
>     /soft/local/gnu/bin/tar: Child returned status 1
>     /soft/local/gnu/bin/tar: Error exit delayed from previous errors
>
> Something wrong with the package I think.

Worked ok for me.

    [tom@grey tom]$ gzip -tv /usr/local/src/Radiator-2.14.tgz
    /usr/local/src/Radiator-2.14.tgz:OK

Downloaded as ascii?

Re: (RADIATOR) Why is radiator rejecting auth request ?
Just ignore them. Those are special users (see Ascend Max manual or website for details) which can define stuff like static routes and ip pools via RADIUS.

On Wed, Jul 14, 1999 at 12:11:13AM -0500, postmaster wrote:
> Hello,
>
> I am using Radiator-2.13.1 on Solaris 2.5.1. I have radiator setup to do mSQL Accounting and Auth by File. My radius.cfg is shown below:
>
> Note: NAS is is Ascend MAX
>
> -
>     Foreground
>     LogStdout
>     AuthPort 1645
>     AcctPort 1646
>     LogDir .
>     # LogFile %L/%Y-logfile
>     DbDir .
>     DictionaryFile %D/dictionary.ascend
>     FingerProg /bin/finger
>     Trace 4
>
>     <Client DEFAULT>
>         Secret xxx
>         NasType Ascend
>     </Client>
>
>     <Realm DEFAULT>
>         AuthByPolicy ContinueUntilAccept
>         RewriteUsername tr/[A-Z]/[a-z]/
>         MaxSessions 1
>         RejectHasReason
>         <AuthBy SQL>
>             AuthSelect
>             DBSource dbi:mSQL:radius
>             AccountingTable ACCOUNTING
>             AcctColumnDef Username,User-Name
>             AcctColumnDef the_date,Timestamp,formatted-date,'%e-%m-%Y'
>             AcctColumnDef the_time,Timestamp,formatted-date,'%H:%M:%S'
>             AcctColumnDef NAS_Identifier,NAS-Identifier
>             AcctColumnDef NAS_Port,NAS-Port,integer
>             AcctColumnDef Acct_Status_Type,Acct-Status-Type
>             AcctColumnDef Acct_Delay_Time,Acct-Delay-Time,integer
>             AcctColumnDef Acct_Session_Id,Acct-Session-Id
>             AcctColumnDef Acct_Session_Time,Acct-Session-Time,integer
>             AcctColumnDef Acct_Input_Octets,Acct-Input-Octets,integer
>             AcctColumnDef Acct_Output_Octets,Acct-Output-Octets,integer
>             AcctColumnDef Acct_Term_Cause,Acct-Terminate-Cause
>             AcctColumnDef Framed_Address,Framed-IP-Address
>             AcctColumnDef Framed_Protocol,Framed-Protocol
>             AcctColumnDef Connect_Rate,Ascend-Data-Rate
>             AcctColumnDef Disconnect_Cause,Ascend-Disconnect-Cause
>             AcctColumnDef First_Destination,Ascend-First-Dest
>             AcctColumnDef Client_Port_DNIS,Client-Port-DNIS
>         </AuthBy>
>         # If SQL fails then authenticate from flat file
>         <AuthBy FILE>
>             DefaultSimultaneousUse 1
>             Filename ./users
>         </AuthBy>
>     </Realm>
>
>     <SessionDatabase SQL>
>         DBSource dbi:mSQL:radius
>         AddQuery insert into RADONLINE (Username, Time_Stamp, \
>             NAS_Identifier, NAS_Port, Acct_Session_Id, Framed_Address, \
>             Nas_Port_Type, Service_Type) values ('%n', %{Timestamp},'%N', \
>             %{NAS-Port}, '%{Acct-Session-Id}', '%{Framed-IP-Address}', \
>             '%{Port-Type}', '%{Service-Type}')
>         DeleteQuery delete from RADONLINE where Username='%n' and \
>             NAS_Identifier='%N' and NAS_Port=%{NAS-Port}
>         ClearNasQuery delete from RADONLINE where NAS_Identifier='%N'
>         CountQuery select NAS_Identifier, NAS_Port, Acct_Session_Id from \
>             RADONLINE where Username='%n'
>     </SessionDatabase>
> ---
>
> this works fine in 'radpwtst'. But, when the users connect, I get the foll errors, Has anyone seen these errors: If so, please let me know:
>
> Note: Note that instead of the actual Username it's sending incorrect data like 'route-max4-1', "pools-max4", "permconn-max4-1" as the username.
>
> PS: the xxx.xxx.xxx.xxx are the actual IP Addresses.
>
>     *** Received from xxx.xxx.xxx.xxx port 1025
>     Code: Access-Request
>     Identifier: 1
>     Authentic: ...
>     Attributes:
>         User-Name = "route-max4-1"
>         User-Password = "."
>         NAS-Identifier = xxx.xxx.xxx.xxx
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>         Service-Type = Dialout-Framed-User
>
>     Tue Jul 13 23:54:16 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>     Tue Jul 13 23:54:16 1999: DEBUG: Rewrote user name to route-max4-1
>     Tue Jul 13 23:54:16 1999: DEBUG: Query is: select NAS_Identifier, NAS_Port, Acct_Session_Id from RADONLINE where Username='route-max4-1'
>     Tue Jul 13 23:54:16 1999: DEBUG: Handling with Radius::AuthSQL
>     Tue Jul 13 23:54:16 1999: DEBUG: Handling with Radius::AuthFILE
>     Tue Jul 13 23:54:16 1999: DEBUG: Radius::AuthFILE looks for match with route-max4-1
>     Tue Jul 13 23:54:16 1999: INFO: Access rejected for route-max4-1: No such user
>     Tue Jul 13 23:54:16 1999: DEBUG: Packet dump:
>     *** Sending to xxx.xxx.xxx.xxx port 1025
>     Code: Access-Reject
>     Identifier: 1
>     Authentic: ..
>     Attributes:
>         Reply-Message = "Request Denied"
>         Reply-Message = "No such user"
>
>     Tue Jul 13 23:54:16 1999: DEBUG: Packet dump:

Re: (RADIATOR) Upgrading
On Mon, Jul 12, 1999 at 06:22:22PM -0700, Greg Kornatowsky wrote:
> We are currently using Radiator 2.12.1, what is the best way to upgrade to 2.9.1? What kind of problems can we anticipate? We are authenticating off an SQL database, will our existing config file be compatible with the new version?

Hi Greg,

2.9.1 is a lesser version than 2.12.1. There's 2.13.1 (and Mike promises a new version RSN so maybe hang off until then).

I find with upgrading Radiator you have to be careful as slight configuration file changes can mean problems if you try and use it straight off in a production environment. Since you're installing most of the Radiator guts into the perl tree you may have to install it on another machine and test it out to see if there's some major show stoppers (using radpwtst) and so that you don't interfere with your working Radiator setup.

Re: (RADIATOR) Hard Drive Space
On Thu, Jul 08, 1999 at 09:19:13AM -0500, Matt Chambers wrote:
> I have 7 NAS total and I want to store dialup logs for at least one month. I also have about 2500 dialup customers, what size hard drive will best suit my needs?

Depends how much logging you want to do. We log heaps of info for our support desk, going through nearly 30 megabytes a day. Obviously, if you volume or timecharge you won't want to run out of logspace, 10gig drives are cheap, get two and RAID1 them.

Re: (RADIATOR) SNMP Counter logging
On Tue, Jul 06, 1999 at 09:38:10AM +0200, Karl Gaissmaier wrote:
> Hi Leigh and Mike,
>
> Mike McCauley wrote:
> > ...
> > 5. I have forwarded your message to a chap who I know has some _excellent_ SNMP monitoring-mysql software with a web interface. It's about 3000 times better than MRTG, highly configurable, with beautiful graphs, but I don't know if it's on offer to anyone. You may hear from him.
>
> it would be nice to tell the list what you get as answer from this guy because I'm also looking at the moment for such a program.

<aol>me too!</aol>

Re: (RADIATOR) RADIATOR and SNMP
On Fri, Jun 25, 1999 at 12:34:52PM -0600, Chris M wrote:
> Now that I have RADIATOR working, I'm trying to use some of the more advanced options. When I start RADIATOR on Linux I get:
>
>     [root]# Error: binding to port 161: Address already in use
>
> So I assume that some other SNMP stuff I'm running on that box is causing trouble? Is there a way to make SNMP things coexist with Radiator?

You'll have to use another port for the Radiator SNMP (or remove the other snmpd from port 161).

Re: (RADIATOR) Ascend Max TNT?
On Fri, Jun 11, 1999 at 08:57:23AM -0500, Mike McCauley wrote:
> Hello Hielke,
>
> On Jun 10, 5:34pm, Hielke Christian Braun wrote:
> > Subject: (RADIATOR) Ascend Max TNT?
> > Hi everybody,
> >
> > does anybody use an Ascend Max TNT with radiator server? I have the problem that the Max TNT's try to authenticate some strange users like appleroute-tnt01-1, pools-tnt01, permconn-tnt01-1, frdlink-tnt01-1 and so on. The radiator server does not know about them and rejects them. But the Max TNT's keep on trying to authenticate. Maybe somebody can mail a config or users file for the radiator?
>
> Looks to me like the TNT is trying to get some of its configuration from the radius server. I'm not an Ascend expert so I can't tell you too much about this.

I've seen this before (Cisco emulated the Ascend behaviour). The TNT is asking the RADIUS server for hints on dynamic IP pools, static routes etc. You can either ignore the requests or use the facility provided by them. Ascend have documented this on their support website somewhere (don't think Cisco even bothered to document this).

I guess one solution is to make RADIUS entries for them which don't do anything that should satisfy it.

Re: (RADIATOR) DBM Auth
On Sun, Apr 25, 1999 at 07:53:26PM -0600, Chris Magnuson wrote:
> Not gaining access on Linux, here's the relevant info:
>
> Here's my config file snippet:
>
>     <Realm DEFAULT>
>         # <AuthBy UNIX>
>         # The filename defaults to %D/users
>         # Identifier System
>         # Filename /etc/shadow
>         # </AuthBy>
>         <AuthBy DBFILE>
>             Identifier System
>             Filename %D/users
>         </AuthBy>
>         # Log accounting to the detail file in LogDir
>         AcctLogFileName %L/detail
>     </Realm>

That's different to the way I do it (which works):

    <Realm DEFAULT>
        <AuthBy DBFILE>
            Filename %D/users
        </AuthBy>
        AcctLogFileName %L/detail
    </Realm>

    <Realm dummyrealmforholdingauthbyunix>
        <AuthBy UNIX>
            Identifier System
            Filename /etc/shadow
        </AuthBy>
    </Realm>

Re: (RADIATOR) Ah. Authby SQL question..
On Sun, Apr 18, 1999 at 03:49:09PM -0500, Mike McCauley wrote:
> Hi Rob,
>
> On Apr 17, 11:47pm, Rob Thomas wrote:
> > Subject: (RADIATOR) Ah. Authby SQL question..
> > I've been plowing through radiator, and I'm pretty happy with it. Just going through and I don't seem to find any documentation on having a different database for authentication and accounting. Am I blind, or is it not there?
>
> It's there, just a bit non-obvious. You will need to set up 2 AuthBy SQL, each with slightly different setup. With SQL, if you have an _empty string_ for the AuthSelect, it won't do authentication. If AcctTable is not defined, it won't do accounting, so:

Would it also work if you used a Handler?

    <Handler Acct-Status-Type=/Stop|Start/>
        <AuthBy SQL>
            [...blah blah off to the accounts SQL server...]
        </AuthBy>
    </Handler>
    [... continue on to the rest of the handlers/realms...]

Re: (RADIATOR) DNIS authentication
On Thu, Apr 15, 1999 at 07:15:02AM -0300, Carlo Marazzi wrote:
> Hello,
>
> Does anyone know how I can authenticate with a different AuthType base on DNIS that comes from the NAS. So users calling xxx- telephone number use AuthType X, and users calling yyy- telephone number use AuthType Y.

You bet you can. Check out the Handler feature and match Called-Station-Ids to each AuthType.

    Handler Called-Station-Id=/324234|2534534/ 5/
    AuthBy xxx
    ...
    /AuthBy
    /Handler

    Handler Called-Station-Id=/54321|12345/ 5/
    AuthBy yyy
    ...
    /AuthBy
    /Handler

Re: (RADIATOR) problem with Radiator duplicate detection
On Thu, Apr 08, 1999 at 10:09:28AM +0100, Arnie Roberts wrote:
> On Wednesday, April 07, 1999 3:13 AM, tom minchin [SMTP:[EMAIL PROTECTED]] wrote:
> > * yes it's bad the packet is being lost, but RADIUS should recover from that.
>
> How?? RADIUS runs over UDP. Surely this is a problem with RADIUS not Radiator.

Radiator is detecting the repeated Access-Request as a duplicate and ignoring it. It should, according to RADIUS, resend the Access-Accept to the NAS, not discard it, as obviously the NAS didn't get the first one as it's still asking.

Re: (RADIATOR) problem with Radiator duplicate detection
On Thu, Apr 08, 1999 at 11:14:29AM +0100, Arnie Roberts wrote:
> I see. Sounds like you need to set DupInterval to 0 or else fix the problem with the network which causes it to lose packets. I still think this is essentially a problem caused by the limitations of the Radius spec. DupInterval is a Radiator "addition" to the spec which overcomes the limitation.

You can never guarantee there won't be an occasional network quirk, the Radiator server getting busy or the NAS's are on full peak hour. Radiator should stick to stopping Accounting duplicates (which is what we want), not interfering with normal RADIUS operations. I've complained to Cisco ("wishlist") but Mike is easier to convince :)

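Added example, not part of the original thread and not Radiator's code: a minimal sketch of the behaviour argued for in the two duplicate-detection messages above, where a retransmitted request is answered by resending the cached reply instead of being dropped. The class name, the 10-second window, the shared secret and the 192.0.2.10 client address are assumptions made for the illustration.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RADIUS header: code, identifier, length, 16-byte authenticator (RFC 2865).
HEADER = struct.Struct("!BBH16s")


def build_reply(code, request, secret):
    """Attribute-less reply whose Response Authenticator is
    MD5(code + id + length + request authenticator + secret)."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    unsigned = HEADER.pack(code, ident, HEADER.size, req_auth)
    resp_auth = hashlib.md5(unsigned + secret).digest()
    return HEADER.pack(code, ident, HEADER.size, resp_auth)


class ReplyCache:
    """Hypothetical duplicate handler: replay the stored reply, never drop."""

    def __init__(self, window, clock):
        self.window = window      # seconds a reply stays replayable
        self.clock = clock        # injectable so the demo is deterministic
        self._seen = {}           # key -> (expiry time, reply bytes)

    def handle(self, src, packet, process):
        """Return (reply, was_duplicate). `process` runs once per request,
        so a retransmission is neither re-authenticated nor re-recorded."""
        if len(packet) < HEADER.size:
            raise ValueError("short RADIUS packet")
        _, ident, _, auth = HEADER.unpack_from(packet)
        now = self.clock()
        self._seen = {k: v for k, v in self._seen.items() if v[0] > now}
        # The authenticator is part of the key so that a NAS reusing an
        # identifier for a different request is not mistaken for a retry.
        key = (src, ident, auth)
        if key in self._seen:
            return self._seen[key][1], True
        reply = process(packet)
        self._seen[key] = (now + self.window, reply)
        return reply, False


def demo():
    secret = b"constructed-secret"            # constructed sample value
    now = [0.0]
    calls = []

    def process(pkt):
        calls.append(pkt)
        return build_reply(ACCESS_ACCEPT, pkt, secret)

    cache = ReplyCache(window=10.0, clock=lambda: now[0])
    nas = ("192.0.2.10", 1025)                # constructed client address
    req = HEADER.pack(ACCESS_REQUEST, 7, HEADER.size, bytes(range(16)))
    first = cache.handle(nas, req, process)
    now[0] = 3.0                              # NAS retransmits after 3 s
    retry = cache.handle(nas, req, process)
    reused = HEADER.pack(ACCESS_REQUEST, 7, HEADER.size, bytes(16))
    fresh = cache.handle(nas, reused, process)
    now[0] = 20.0                             # well past the window
    late = cache.handle(nas, req, process)
    return first, retry, fresh, late, len(calls)


if __name__ == "__main__":
    print(demo())
```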
Re: (RADIATOR) Preferred method for setting default attributes
On Tue, Apr 06, 1999 at 02:02:22AM -0500, Andrew Aken wrote:
> What is the preferred method for setting default attributes for all of our users for both check items and reply items? We are authenticating from a users file and would like to over-ride the settings for individual users. I've tried setting a DEFAULT user, but this allows anyone to logon and still does not give the specified attributes to users that did not override the default's attributes. e.g.
>
>     DEFAULT Simultaneous-Use = 1
>         Service-Type = Framed-User,
>         Port-Limit = 1,
>         Session-Timeout = 57600,
>         Idle-Timeout = 1680,
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP,
>         Framed-Netmask = 255.255.255.255
>     #   Fall-Through = Yes

Ouch. You don't want this at all. You're not specifying any authentication method so anyone can login (as you found). Look at the AddToReply feature in your manual.

Re: (RADIATOR) SimUse
One other thing you can check is when you do a make test (when installing Radiator) it does check that Simultaneous-Use = 1 works. Might want to check that again.

Another trick is that if the same user logins again on the same NAS/Port as their current login, it's considered that the user dropped off and RADIUS will let them in.

Tom

On Sun, Mar 28, 1999 at 11:31:55AM -0500, Tom Williams wrote:
> I did this to my users file and it still allows me to login twice? Do I have to do anything in the radiusd.cfg that I am using?
>
> Thanks for your help
>
> TTYL
> Tom Williams [EMAIL PROTECTED]
>
> On Sun, 28 Mar 1999, tom minchin wrote:
> > On Sat, Mar 27, 1999 at 02:59:25PM -0500, Tom Williams wrote:
> > > I have an account set up with the following
> > >
> > >     tomw    Auth-Type = System, Expiration = "Jan 13 2010"
> > >         Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address = 216.13.31.35,
> > >         Framed-IP-Netmask = 255.255.255.255,
> > >         Framed-Routing = Broadcast-Listen,
> > >         Simultaneous-Use = 1,
> > >         Framed-MTU = 1500
> > >         Session-Timeout = 14400
> > >
> > > however when I login once it lets me in but it should not let a second account in right? well it does, does any one have any ideas?
> >
> > Need to put Simultaneous-Use = 1 in with the other check items, and make sure you append commas to the end of each line (except the first and the last) eg:
> >
> >     tomw    Auth-Type = System, Expiration = "Jan 13 2010", Simultaneous-Use = 1
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >         Framed-IP-Address = 216.13.31.35,
> >         Framed-IP-Netmask = 255.255.255.255,
> >         Framed-Routing = Broadcast-Listen,
> >         Framed-MTU = 1500,
> >         Session-Timeout = 14400

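Added example, not part of the original thread and not Radiator's own parser: a small linter for a flat users file that reports the three mistakes discussed in the "Preferred method for setting default attributes" and "SimUse" messages above (an entry with no authentication check item, a check item such as Simultaneous-Use placed among the reply items, and a missing comma between reply lines). The attribute sets, the finding labels, the line layout of the sample and its 192.0.2.35 address are assumptions made for the illustration.

```python
import re

# Assumed for this sketch: check items that actually authenticate the user,
# and attributes that only have an effect when placed among the check items.
AUTH_CHECKS = {"Password", "User-Password", "Encrypted-Password", "Auth-Type"}
CHECK_ONLY = AUTH_CHECKS | {"Simultaneous-Use", "Expiration"}
ATTR = re.compile(r"([A-Za-z][\w-]*)\s*=")


def attr_names(text):
    """Attribute names on a line, ignoring anything inside double quotes."""
    return ATTR.findall(re.sub(r'"[^"]*"', '""', text))


def parse_users(text):
    """An unindented line starts an entry (name, then check items);
    indented lines that follow are its reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if entries:
                entries[-1]["reply"].append(line.strip())
        else:
            parts = line.split(None, 1)
            check = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": check, "reply": []})
    return entries


def lint(text):
    findings = []
    for entry in parse_users(text):
        name, reply = entry["name"], entry["reply"]
        if not set(attr_names(entry["check"])) & AUTH_CHECKS:
            findings.append((name, "no-auth-check"))
        for i, line in enumerate(reply):
            for attr in attr_names(line):
                if attr in CHECK_ONLY:
                    findings.append((name, "check-item-in-reply:" + attr))
            if i < len(reply) - 1 and not line.endswith(","):
                findings.append((name, "missing-comma:" + line))
    return findings


# Constructed sample modelled on the entries quoted in the thread.
SAMPLE = """\
tomw Auth-Type = System, Expiration = "Jan 13 2010"
    Service-Type = Framed-User,
    Framed-IP-Address = 192.0.2.35,
    Simultaneous-Use = 1,
    Framed-MTU = 1500
    Session-Timeout = 14400

DEFAULT Simultaneous-Use = 1
    Service-Type = Framed-User,
    Port-Limit = 1

fixed Auth-Type = System, Simultaneous-Use = 1
    Service-Type = Framed-User,
    Session-Timeout = 14400
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```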
Re: (RADIATOR) numbered realms
On Tue, Mar 23, 1999 at 10:17:43AM +0100, Volker Klau wrote:
> Hi,
>
> I'm new to this list and don't know if this question was discussed before: Is it possible to use numbered realms (i.e. the called station id) to do something special with incoming requests ?

Yup. Have a look at Handler, a more advanced Realm.

    <Handler Called-Station-Id=12345>
        <AuthBy xxx>
        </AuthBy>
    </Handler>

Re: (RADIATOR) Caller ID
On Mon, Feb 22, 1999 at 09:41:09PM +0200, Lutfi Yunusoglu wrote:
> Hi,
>
> We are using MaxTNT's and Radiator with Oracle8, What should I put to check items for CLID Authentication.
>
> Thanks
> Lutfi
>
> PS: I want to do this for some users.

You'd use Calling-Station-Id = "1234567" as a check item in each user record you wanted to lock down to a certain number.

Re: (RADIATOR) Here is a LARGE email outlining the problems I'm haivng w/ AuthBY Unix/System
On Fri, Nov 05, 1999 at 11:58:28AM -0800, Jason Godsey wrote:
> Here I run radiator w/ AuthBY unix and system, showing mixed results, if authby system worked w/ shadow on linux, I'd be all set, or if authby unix had a separate directive for passwordfilename, shadowfilename, and groupfilename it'd work also :)

AuthBy SYSTEM works great with shadow on Linux, just need to use the UseGetspnam and the Shadow module for perl (see manual for details). I use RedHat's nscd for caching to try and increase speed.

    <Realm dummyrealmforholdingauthbyunix>
        <AuthBy SYSTEM>
            Identifier System
            UseGetspnam
        </AuthBy>
    </Realm>