[RADIATOR] AddToReply with condition
Hello everyone,

After good authentication I want to check if the user exists in a DB (BlackList) and, if yes, put him in a specific VLAN. Made some research and the Handler seemed to be the solution, but it doesn't support attributes that are queries to a DB, am I correct? Can you aid me on this?

Thanks in advance.

Best regards,
Nuno Marques

    <Handler Realm=/^ubi.pt$/i>
        AuthByPolicy ContinueAlways
        AuthBy SQLAccounting
        AuthBy PEAP_IAS
        AuthBy BlackList
        AuthLog localusers
    </Handler>

    <AuthBy SQL>
        Identifier BlackList
        DBSource dbi:mysql:BLACKLIST
        DBUsername xxx
        DBAuth xxx
        Timeout 600
        SQLRetries 4
        FailureBackoffTime 10
        If (AuthSelect SELECT username from BLACKLIST where username=%0) != NULL then
            AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002
    </AuthBy>

UBI, a friend of the environment: Before printing this e-mail, think carefully about whether you really need to. Trees are an indispensable resource.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AddToReply with condition
On 04/09/2013 08:49 PM, Nuno Marques wrote:
> After good authentication I want to check if the user exists in a DB (BlackList) and, if yes, put him in a specific VLAN. Made some research and the Handler seemed to be the solution, but it doesn't support attributes that are queries to a DB, am I correct? Can you aid me on this?
> Thanks in advance.

Try this: create an AuthBy GROUP with Identifier BlackList. The group would have two AuthBys and AuthByPolicy ContinueUntilAccept.

The first AuthBy is AuthBy SQL with an AuthSelect that does the lookup in SQL and has AddToReply with the VLAN attributes. In other words, this AuthBy adds the attributes if there's a match.

The second AuthBy is of type INTERNAL. It should ACCEPT all requests, since the policy will evaluate it only when there was no match in the blacklist SQL.

The outcome from the GROUP is an accept from the first or the second AuthBy, depending on whether the user was blacklisted or not.

Please let us know how it goes.

Thanks,
Heikki

> <Handler Realm=/^ubi.pt$/i>
>     AuthByPolicy ContinueAlways
>     AuthBy SQLAccounting
>     AuthBy PEAP_IAS
>     AuthBy BlackList
>     AuthLog localusers
> </Handler>
>
> <AuthBy SQL>
>     Identifier BlackList
>     DBSource dbi:mysql:BLACKLIST
>     DBUsername xxx
>     DBAuth xxx
>     Timeout 600
>     SQLRetries 4
>     FailureBackoffTime 10
>     If (AuthSelect SELECT username from BLACKLIST where username=%0) != NULL then
>         AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002
> </AuthBy>

-- 
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
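Heikki's suggestion, written out as a complete Radiator configuration fragment. This is an added example, not configuration from the thread or from the Radiator distribution. The Handler, the DBSource and credentials, the retry settings and the VLAN reply attributes are taken from Nuno's post; the Realm regex has its dot escaped so that only the literal realm ubi.pt matches (Nuno's draft, with an unescaped dot, also matched any single character in that position). Radiator's configuration language has no if/then construct, so the conditional in the draft is replaced by the row-present/row-absent behaviour of AuthBy SQL. The parameter names NoCheckPassword (AuthBy SQL) and DefaultResult (AuthBy INTERNAL) are assumptions to be checked against the reference manual for the Radiator version in use.

```text
# Added example: Heikki's AuthBy GROUP arrangement for Nuno's Handler.
# Not from the thread or from the Radiator distribution. NoCheckPassword and
# DefaultResult are assumed parameter names; verify them in the manual.

# The group has to be defined before the Handler that refers to it by Identifier.
<AuthBy GROUP>
    Identifier BlackList
    # Stop at the first AuthBy that returns ACCEPT; a REJECT or IGNORE from
    # the blacklist lookup falls through to the next AuthBy in the group.
    AuthByPolicy ContinueUntilAccept

    # 1. Blacklist lookup. A matching row means ACCEPT plus the quarantine
    #    VLAN attributes; no row means REJECT, which the policy above treats
    #    as "try the next AuthBy".
    <AuthBy SQL>
        DBSource dbi:mysql:BLACKLIST
        DBUsername xxx
        DBAuth xxx
        Timeout 600
        SQLRetries 4
        FailureBackoffTime 10
        # Never fall back to a DEFAULT user when the name is not in the table.
        NoDefault
        # The user has already been authenticated by PEAP_IAS; only the
        # existence of the row matters here, so the password column is not
        # checked (assumed parameter name).
        NoCheckPassword
        # %0 is the quoted User-Name, as in Nuno's original query.
        AuthSelect select username from BLACKLIST where username=%0
        AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002
    </AuthBy>

    # 2. Evaluated only when the lookup above did not ACCEPT: accept the
    #    request without any VLAN attributes (assumed parameter name).
    <AuthBy INTERNAL>
        DefaultResult ACCEPT
    </AuthBy>
</AuthBy>

<Handler Realm=/^ubi\.pt$/i>
    AuthByPolicy ContinueAlways
    AuthBy SQLAccounting
    AuthBy PEAP_IAS
    AuthBy BlackList
    AuthLog localusers
</Handler>
```

One property of this arrangement is worth testing before it goes live: the INTERNAL clause accepts everything the SQL clause did not, so if the blacklist database is unreachable (the SQL clause is backing off after a failure) a blacklisted user falls through to the plain accept and lands in the normal VLAN. Whether that fail-open behaviour is acceptable is a policy decision; either way, the AuthLog and the database-failure lines in Radiator's log are where an outage of the blacklist becomes visible.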
Re: [RADIATOR] AddToReply tacacsgroup
On 11/15/2012 10:34 PM, Murat Bilal wrote:
> I have three different groups for TACACS authorization. My radius .cfg is like that:

Hello Murat,

you can have only one AddToReply line in an AuthBy. This is why you get DEFAULT with the Access-Accept. Try removing all except the one that adds group3.

The authorize arguments the device sends are:

    service=shell cmd* command-access*

The matching AuthorizeGroup for group3 would be this:

    AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}

Since the patterns, such as cmd\*, are regular expressions, you need to escape any special characters such as '*'.

I suggest you re-read the reference manual ServerTACACSPLUS entry together with goodies/servertacacsplus.cfg. I'd say you are currently changing too many things simultaneously, fixing some things while breaking others. Now would be a good time to review how TACACS+ authentication and authorization work with Radiator.

Thanks,
Heikki

> <ServerTACACSPLUS>
>     Key *
>     AddToRequest NAS-Identifier=TACACS
>     GroupMemberAttr tacacsgroup
>     AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
>     AuthorizeGroup group1 permit .*
>     # AuthorizeGroup DEFAULT deny .*
>     AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
> </ServerTACACSPLUS>
>
> <Handler>
>     <AuthBy SQL>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual. You will also have to
>         # change the one in SessionDatabase SQL below
>         # so it's the same
>         DBSource dbi:mysql:radius:localhost
>         DBUsername raduser
>         DBAuth raduser
>         # Never look up the DEFAULT user
>         NoDefault
>         # You can customise the SQL query used to get user details with the
>         # AuthSelect parameter:
>         AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
>         AddToReply tacacsgroup= group1
>         AddToReply tacacsgroup= group3
>         AddToReply tacacsgroup= DEFAULT
Re: [RADIATOR] AddToReply tacacsgroup
Actually I mean, if I have 2 different privilege level groups, for example one of them has priv-lvl=15 and the other priv-lvl=1, do I need 2 different AuthBys?

Thanks

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, 16 November 2012 13:31
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
Re: [RADIATOR] AddToReply tacacsgroup
On 11/16/2012 01:56 PM, Murat Bilal wrote:
> Actually I mean, if I have 2 different privilege level groups, for example one of them has priv-lvl=15 and the other priv-lvl=1, do I need 2 different AuthBys?

This is done (usually) with one AuthBy. The correct value for AuthorizeGroupAttr depends on the user. The user has the correct authorization group configured as the reply attribute. For AuthBy SQL, see the AuthSelect and AuthColumnDef documentation for more information.

Thanks,
Heikki
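Heikki's advice above (one AuthBy, with the per-user group arriving as a reply attribute taken from the database rather than from a fixed AddToReply line), written out as a Radiator configuration fragment for the two privilege levels Murat asked about. This is an added example, not configuration from the thread or from the Radiator distribution. The ServerTACACSPLUS and AuthBy SQL skeleton, the tacacsgroup attribute and the escaped cmd\* pattern come from the thread; the SUBSCRIBERS.TACACSGROUP column, the group names admins and readonly, and the AuthColumnDef lines are assumptions, so check the AuthColumnDef syntax and the AuthorizeGroup pattern matching against the reference manual and goodies/servertacacsplus.cfg for the Radiator version in use.

```text
# Added example: per-user TACACS+ authorization group delivered through a
# database column, following Heikki's pointer to AuthSelect and AuthColumnDef.
# Not from the thread or from the Radiator distribution. Column and group
# names and the AuthColumnDef lines are assumptions; verify them in the manual.

<ServerTACACSPLUS>
    Key *
    AddToRequest NAS-Identifier=TACACS
    # The reply attribute whose value selects the AuthorizeGroup rules below.
    GroupMemberAttr tacacsgroup

    # admins: a shell at privilege level 15, then any command.
    # '*' is escaped because the patterns are regular expressions.
    AuthorizeGroup admins permit service=shell cmd\* command-access\* {priv-lvl=15}
    AuthorizeGroup admins permit service=shell cmd=.* cmd-args=.*

    # readonly: a shell at privilege level 1, then "show" only.
    AuthorizeGroup readonly permit service=shell cmd\* command-access\* {priv-lvl=1}
    AuthorizeGroup readonly permit service=shell cmd=show cmd-args=.*
    AuthorizeGroup readonly deny .*

    # A user whose group matches no rule set above is denied outright,
    # rather than inheriting a permissive catch-all such as "permit .*".
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>

<Handler>
    <AuthBy SQL>
        DBSource dbi:mysql:radius:localhost
        DBUsername raduser
        DBAuth raduser
        NoDefault
        # One query returns both the password and the user's group ...
        AuthSelect select PASSWORD, TACACSGROUP from SUBSCRIBERS where USERNAME=%0
        # ... column 0 is the check item, column 1 becomes the reply attribute
        # that ServerTACACSPLUS reads (assumed AuthColumnDef syntax).
        # A single fixed "AddToReply tacacsgroup=..." line is what gave every
        # user the same group; a per-user column replaces it.
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, tacacsgroup, reply
    </AuthBy>
</Handler>
```

Two things to keep in mind when adapting this: the TACACSGROUP column is now the authority on who may run what, so writes to it deserve the same control as writes to the password column; and a rule such as "AuthorizeGroup group1 permit .*" from the original configuration permits every command for that group, so a default-deny rule at the end of each group is the easier shape to audit.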
Re: [RADIATOR] AddToReply tacacsgroup
Then how do I define the AddToReply OSC-Group-Identifier clause if you have two different priv groups? AuthSQL accepts only one AddToReply clause. If you do not define an AddToReply clause I got this:

    Authorization denied for user, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, 16 November 2012 16:03
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup

> On 11/16/2012 01:56 PM, Murat Bilal wrote:
>> Actually I mean, if I have 2 different privilege level groups, for example one of them has priv-lvl=15 and the other priv-lvl=1, do I need 2 different AuthBys?
>
> This is done (usually) with one AuthBy. The correct value for AuthorizeGroupAttr depends on the user. The user has the correct authorization group configured as the reply attribute. For AuthBy SQL, see the AuthSelect and AuthColumnDef documentation for more information.
>
> Thanks,
> Heikki
[RADIATOR] AddToReply tacacsgroup
Hi everyone,

I have three different groups for TACACS authorization. My radius .cfg is like that:

    <ServerTACACSPLUS>
        Key *
        AddToRequest NAS-Identifier=TACACS
        GroupMemberAttr tacacsgroup
        AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
        AuthorizeGroup group1 permit .*
        # AuthorizeGroup DEFAULT deny .*
        AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
    </ServerTACACSPLUS>

    <Handler>
        <AuthBy SQL>
            # Change DBSource, DBUsername, DBAuth for your database
            # See the reference manual. You will also have to
            # change the one in SessionDatabase SQL below
            # so it's the same
            DBSource dbi:mysql:radius:localhost
            DBUsername raduser
            DBAuth raduser
            # Never look up the DEFAULT user
            NoDefault
            # You can customise the SQL query used to get user details with the
            # AuthSelect parameter:
            AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
            AddToReply tacacsgroup= group1
            AddToReply tacacsgroup= group3
            AddToReply tacacsgroup= DEFAULT

I try with user mikem in group1. And the trace log:

    Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME='mikem'':
    Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
    Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
    Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
    Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
    Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
    Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
    Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
    *** Reply to TACACSPLUS request:
    Code: Access-Accept
    Identifier: UNDEF
    Authentic: p146261924H23516\21252v.14215228
    Attributes:
            tacacsgroup = DEFAULT

    Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
    Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
    Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
    Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
    Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
    Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
    Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
    Code: Accounting-Request
    Identifier: UNDEF
    Authentic: p23514310U177d206X_Z168O12931j
    Attributes:
            NAS-IP-Address = 93.155.11.54
            NAS-Port-Id = /dev/ttyp3
            Calling-Station-Id = 78.169.249.3
            NAS-Identifier = TACACS
            User-Name = mikem@local
            Acct-Status-Type = Start
            Acct-Session-Id = 3529830477
            cisco-avpair = start_time=1353011477
            cisco-avpair = task_id=10700
            cisco-avpair = timezone=GMT
            cisco-avpair = service=shell
            OSC-Version-Identifier = 192

    Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
    Thu Nov 15 22:31:17 2012: DEBUG: Adding session for mikem@local, 93.155.11.54,
    Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
    Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem@local', '93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
    Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
    Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
    Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost': 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('3529830477','Start','TACACS',1353011477,'mikem@local')':
    Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
    Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
    Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
    *** Reply to TACACSPLUS request:
    Code: Accounting-Response
    Identifier: UNDEF
    Authentic: p23514310U177d206X_Z168O12931j
    Attributes:

    Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
    Thu Nov 15 22:31:17 2012: DEBUG:
Re: [RADIATOR] AddToReply with Diameter
Hi!

Thanks, it works!

One question for clarification, though. Is there an AVP number conversion Radiator-Diameter should do? In Radius AVP numbers are 255 (is it correct?). But in my case I had to add Diameter values to the Radius dictionary file. Like this:

    VENDORATTR 13019 Location-Information 350 string
    VENDORATTR 13019 Line-Identifier 500 string

Is it OK, or is some number conversion still missing in the code? In the diameter_attr.dat file I have:

    VENDORATTR 13019 Location-Information 350 Grouped
    VENDORATTR 13019 Line-Identifier 500 OctetString

br,
Arthur

On 20.03.2012 10:16, Heikki Vatiainen wrote:
> On 03/19/2012 11:19 AM, Arthur Konovalov wrote:
>
> Hello Arthur,
>
>> I'm using Radiator as a Diameter frontend and I'm wondering whether it is possible to use the AddToReply clause with grouped attributes to the Diameter peer?
>
> This is possible now if you download the latest patches for 4.9. The patches add functionality for handling Diameter Grouped attributes when converting from a RADIUS reply.
>
>> For instance, I want to send a reply to the peer like this:
>>
>>     Location-Information (AVP Code=350, Vendor=13019, Grouped)
>>       - Line-Identifier (AVP Code=500, Vendor=13019, OctetString)=ADSL;privaccess-xxx
>>
>> To the Radiator dictionary added:
>
> You can continue using the dictionaries in this format. To test, I did the following:
>
> Specified your additional RADIUS dictionary with the system dictionary using 'DictionaryFile'.
> Specified your additional Diameter dictionary with 'DiameterDictionaryFile'.
> Used this file with AuthBy FILE (quotes required):
>
>     mikem User-Password=fred
>         Location-Information="Line-Identifier=\"ADSL;privaccess-xxx\""
>
> This is the output from the reply diapwtst gets (-dictionary option needed too):
>
>     Code: 265 (AA)
>     Version: 1
>     Flags: 0x0 ()
>     Application ID: 1 (Nasreq)
>     Hop-to-Hop ID: 1
>     End-to-End ID: 2887778305
>     Attributes:
>         Session-Id: .M., testoriginhost;1234;1
>         Origin-Realm: .M., testoriginrealm
>         Auth-Application-Id: .M., NASREQ
>         Auth-Request-Type: .M., AUTHORIZE_AUTHENTICATE
>         Origin-Host: .M., zulu.open.com.au
>         Result-Code: .M., DIAMETER_SUCCESS
>         Location-Information: V..,
>             Line-Identifier: V.., ADSL;privaccess-xxx
>
> There is no need to modify any of the .pm files after patching. The above can be set up with dictionary files.
>
> Please let us know how it works.
>
> Thanks!
> Heikki
>
>>     VENDORATTR 13019 Location-Information 350 string
>>     VENDORATTR 13019 Line-Identifier 500 string
>>
>> To the diameter_attrs.dat added:
>>
>>     VENDORATTR 13019 Location-Information 350 Grouped
>>     VENDORATTR 13019 Line-Identifier 500 OctetString
>>
>> I tried to add the following, but this doesn't work:
>>
>>     AddToReply Location-Information, Line-Identifier=ADSL;privaccess-xxx
>>
>> If I tried to add only the Line-Information AVP, then it replied, but without the grouped AVP, and the peer doesn't accept it.
>>
>> br,
>> Arthur
Re: [RADIATOR] AddToReply with Diameter
On 03/21/2012 10:02 AM, Arthur Konovalov wrote:

> Thanks, it works!

Good to hear.

> One question for clarification, though. Is there AVP numbers conversion
> Radiator-Diameter should work? In Radius AVP numbers are 255 (is it
> correct?). But in my case I had to add Diameter values to the Radius
> dictionary file. Like this:
>
> VENDORATTR 13019 Location-Information 350 string
> VENDORATTR 13019 Line-Identifier 500 string

Good questions. In Radius type is 255, although with Vendor Specific
Attributes (VSAs) this is not a must. However, with VSAs types are
usually limited to one byte too. If the request is completely processed,
including Diameter -- Radius conversion, by the same instance, the type
numbers can be larger than 255. Radiator does not limit the RADIUS type
to 8 bits for its internal processing.

> Is it OK, or is some number conversion still missed in the code? In the
> diameter_attr.dat file I have:
>
> VENDORATTR 13019 Location-Information 350 Grouped
> VENDORATTR 13019 Line-Identifier 500 OctetString

There is no number conversion done. The conversion from Radius to
Diameter is based on matching vendor and type numbers. Using the above
dictionaries as an example, the RADIUS dictionary lookup returns vendor
13019, type 350 for attribute Location-Information. 13109 and 350 are
then used to make a Diameter dictionary lookup returning the Diameter
information.

As an additional note, Line-Identifier is also IANA attribute 127. When
the above RADIUS dictionary is specified after the system dictionary,
e.g. with the DictionaryFile parameter, it will override the IANA
information. That is why the lookup for Line-Identifier returns
13019,350 instead of 0,127, which it would normally return.

Thanks!
Heikki

> br,
> Arthur
>
> 20.03.2012 10:16, Heikki Vatiainen wrote:
>> On 03/19/2012 11:19 AM, Arthur Konovalov wrote:
>>
>> Hello Arthur,
>>
>>> I'm using Radiator as Diameter frontend and I'm wondering is it
>>> possible to use AddToReply clause with grouped attributes to the
>>> Diameter peer?
>>
>> This is possible now if you download the latest patches for 4.9. The
>> patches add functionality for handling Diameter Grouped attributes when
>> converting from RADIUS reply.
>>
>>> For instance, I want to send reply to the peer like this:
>>>
>>> Location-Information (AVP Code=350, Vendor=13019, Grouped)
>>>   - Line-Identifier (AVP Code=500, Vendor=13019, OctetString)=ADSL;privaccess-xxx
>>>
>>> To the Radiator dictionary added:
>>>
>>> VENDORATTR 13019 Location-Information 350 string
>>> VENDORATTR 13019 Line-Identifier 500 string
>>>
>>> To the diameter_attrs.dat added:
>>>
>>> VENDORATTR 13019 Location-Information 350 Grouped
>>> VENDORATTR 13019 Line-Identifier 500 OctetString
>>
>> You can continue using the dictionaries in this format. To test, I did
>> the following:
>>
>> Specified your additional RADIUS dictionary with system dictionary
>> using 'DictionaryFile'.
>>
>> Specified your additional Diameter dictionary with
>> 'DiameterDictionaryFile'.
>>
>> Used this file with AuthBy FILE (quotes required):
>>
>> mikem User-Password=fred
>>     Location-Information="Line-Identifier=\"ADSL;privaccess-xxx\""
>>
>> This is the output from reply diapwtst gets (-dictionary option needed
>> too):
>>
>> Code:           265 (AA)
>> Version:        1
>> Flags:          0x0 ()
>> Application ID: 1 (Nasreq)
>> Hop-to-Hop ID:  1
>> End-to-End ID:  2887778305
>> Attributes:
>>         Session-Id: .M., testoriginhost;1234;1
>>         Origin-Realm: .M., testoriginrealm
>>         Auth-Application-Id: .M., NASREQ
>>         Auth-Request-Type: .M., AUTHORIZE_AUTHENTICATE
>>         Origin-Host: .M., zulu.open.com.au
>>         Result-Code: .M., DIAMETER_SUCCESS
>>         Location-Information: V..,
>>                 Line-Identifier: V.., ADSL;privaccess-xxx
>>
>> There is no need to modify any of the .pm files after patching. The
>> above can be setup with dictionary files.
>>
>> Please let us know how it works.
>>
>> Thanks!
>> Heikki
>>
>>> I tried to add the following, but this doesn't work:
>>>
>>> AddToReply Location-Information, Line-Identifier=ADSL;privaccess-xxx
>>>
>>> If I tried to add only Line-Information AVP, then it replied, but
>>> without grouped AVP and peer doesn't accept it.
>>>
>>> br,
>>> Arthur

--
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
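The two-step lookup Heikki describes (RADIUS name to vendor/type, then vendor/type to the Diameter entry, with no number conversion in between, and a later dictionary file overriding an earlier definition of the same name) can be modelled in a few dozen lines. This is an added example, not Radiator code: the dictionary texts are constructed in Radiator's ATTRIBUTE/VENDORATTR layout, and the stand-in system-dictionary line for IANA type 127 follows RFC 5580, which assigns that number to Location-Information.

```python
"""Model of the two-step RADIUS -> Diameter dictionary lookup (added example, not Radiator code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    vendor: int     # 0 for IANA (non-vendor) attributes
    name: str
    type_: int      # RADIUS type number or Diameter AVP code
    datatype: str   # e.g. "string", "Grouped", "OctetString"


def parse_dictionary(text: str) -> List[Entry]:
    """Parse ATTRIBUTE / VENDORATTR lines in Radiator's dictionary layout.

    ATTRIBUTE  <name> <type> <datatype>
    VENDORATTR <vendor> <name> <type> <datatype>
    Comments, blank lines and other keywords are skipped.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "ATTRIBUTE" and len(f) >= 4:
            entries.append(Entry(0, f[1], int(f[2]), f[3]))
        elif f[0] == "VENDORATTR" and len(f) >= 5:
            entries.append(Entry(int(f[1]), f[2], int(f[3]), f[4]))
    return entries


class RadiusDictionary:
    """Name -> Entry. Files are loaded in order; a later definition of a name wins."""

    def __init__(self, *files: str) -> None:
        self.by_name: Dict[str, Entry] = {}
        for text in files:
            for e in parse_dictionary(text):
                self.by_name[e.name] = e

    def lookup(self, name: str) -> Tuple[int, int]:
        e = self.by_name[name]
        return e.vendor, e.type_


class DiameterDictionary:
    """(vendor, code) -> Entry, keyed by numbers because that is what the conversion matches on."""

    def __init__(self, *files: str) -> None:
        self.by_number: Dict[Tuple[int, int], Entry] = {}
        for text in files:
            for e in parse_dictionary(text):
                self.by_number[(e.vendor, e.type_)] = e


def radius_to_diameter(name: str, rd: RadiusDictionary, dd: DiameterDictionary) -> Optional[Entry]:
    """RADIUS name -> (vendor, type) -> Diameter entry; None when the numbers match nothing."""
    vendor, type_ = rd.lookup(name)
    return dd.by_number.get((vendor, type_))


def fits_radius_wire(type_: int) -> bool:
    """RADIUS has one octet for the type on the wire (and usually one for a VSA's vendor type),
    so a type above 255 can only exist inside a single Radiator instance."""
    return 0 <= type_ <= 255


# Constructed stand-in for the system dictionary: RFC 5580 assigns IANA type 127
# to Location-Information, the name that the site dictionary below redefines.
SYSTEM_RADIUS_DICT = """
ATTRIBUTE User-Name 1 string
ATTRIBUTE Location-Information 127 string
"""

# The site RADIUS dictionary from the thread, loaded after the system one (DictionaryFile).
SITE_RADIUS_DICT = """
VENDORATTR 13019 Location-Information 350 string
VENDORATTR 13019 Line-Identifier 500 string
"""

# The site Diameter dictionary from the thread (DiameterDictionaryFile).
SITE_DIAMETER_DICT = """
VENDORATTR 13019 Location-Information 350 Grouped
VENDORATTR 13019 Line-Identifier 500 OctetString
"""


if __name__ == "__main__":
    rd = RadiusDictionary(SYSTEM_RADIUS_DICT, SITE_RADIUS_DICT)
    dd = DiameterDictionary(SITE_DIAMETER_DICT)
    for name in ("Location-Information", "Line-Identifier", "User-Name"):
        vendor, type_ = rd.lookup(name)
        hit = radius_to_diameter(name, rd, dd)
        print(name, (vendor, type_),
              "wire-safe" if fits_radius_wire(type_) else "internal only",
              hit.datatype if hit else "no Diameter entry")
```

With only the system dictionary loaded, Location-Information resolves to (0, 127); loading the site file after it moves the name to (13019, 350), which is the override effect described above. The override is by name, so a check worth running after adding a site dictionary is to look up each name it defines and confirm the vendor/type pair is the one you intended.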
Re: [RADIATOR] AddToReply with Diameter
On 03/19/2012 11:19 AM, Arthur Konovalov wrote:

Hello Arthur,

> I'm using Radiator as Diameter frontend and I'm wondering is it possible
> to use AddToReply clause with grouped attributes to the Diameter peer?

This is possible now if you download the latest patches for 4.9. The
patches add functionality for handling Diameter Grouped attributes when
converting from RADIUS reply.

> For instance, I want to send reply to the peer like this:
>
> Location-Information (AVP Code=350, Vendor=13019, Grouped)
>   - Line-Identifier (AVP Code=500, Vendor=13019, OctetString)=ADSL;privaccess-xxx
>
> To the Radiator dictionary added:
>
> VENDORATTR 13019 Location-Information 350 string
> VENDORATTR 13019 Line-Identifier 500 string
>
> To the diameter_attrs.dat added:
>
> VENDORATTR 13019 Location-Information 350 Grouped
> VENDORATTR 13019 Line-Identifier 500 OctetString

You can continue using the dictionaries in this format. To test, I did
the following:

Specified your additional RADIUS dictionary with system dictionary using
'DictionaryFile'.

Specified your additional Diameter dictionary with
'DiameterDictionaryFile'.

Used this file with AuthBy FILE (quotes required):

mikem User-Password=fred
    Location-Information="Line-Identifier=\"ADSL;privaccess-xxx\""

This is the output from reply diapwtst gets (-dictionary option needed
too):

Code:           265 (AA)
Version:        1
Flags:          0x0 ()
Application ID: 1 (Nasreq)
Hop-to-Hop ID:  1
End-to-End ID:  2887778305
Attributes:
        Session-Id: .M., testoriginhost;1234;1
        Origin-Realm: .M., testoriginrealm
        Auth-Application-Id: .M., NASREQ
        Auth-Request-Type: .M., AUTHORIZE_AUTHENTICATE
        Origin-Host: .M., zulu.open.com.au
        Result-Code: .M., DIAMETER_SUCCESS
        Location-Information: V..,
                Line-Identifier: V.., ADSL;privaccess-xxx

There is no need to modify any of the .pm files after patching. The
above can be setup with dictionary files.

Please let us know how it works.

Thanks!
Heikki

> I tried to add the following, but this doesn't work:
>
> AddToReply Location-Information, Line-Identifier=ADSL;privaccess-xxx
>
> If I tried to add only Line-Information AVP, then it replied, but
> without grouped AVP and peer doesn't accept it.
>
> br,
> Arthur

--
Heikki Vatiainen h...@open.com.au
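The diapwtst dump above shows what the peer receives once the patches are in: Location-Information (code 350, vendor 13019) with the V flag set and M clear, carrying Line-Identifier (code 500, vendor 13019) as its one member. The following is an added example, not Radiator or diapwtst code, that builds exactly that Grouped AVP at the byte level per RFC 6733 and parses it back, rejecting a truncated or inconsistently sized AVP instead of mis-reading it; only the AVP layer is modelled, and the value is the one from the thread.

```python
"""Build and parse the Location-Information Grouped AVP (added example, not Radiator code)."""
import struct
from typing import Iterator, List, Optional, Tuple

FLAG_V = 0x80  # Vendor-Specific: a 4-byte Vendor-ID follows the length
FLAG_M = 0x40  # Mandatory
FLAG_P = 0x20  # Protected

VENDOR_ID = 13019           # vendor used in the thread
LOCATION_INFORMATION = 350  # Grouped
LINE_IDENTIFIER = 500       # OctetString

AvpTuple = Tuple[int, Optional[int], int, bytes]  # (code, vendor, flags, data)


def pad4(n: int) -> int:
    """Bytes of zero padding needed to reach a 4-byte boundary."""
    return (4 - n % 4) % 4


def encode_avp(code: int, data: bytes, vendor: Optional[int] = None, mandatory: bool = False) -> bytes:
    """AVP = code(4) | flags(1) | length(3) | [vendor(4)] | data | padding.

    The length field covers header and data but not padding (RFC 6733, section 4.1).
    """
    flags = (FLAG_V if vendor is not None else 0) | (FLAG_M if mandatory else 0)
    length = (12 if vendor is not None else 8) + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * pad4(len(data))


def decode_avps(buf: bytes) -> Iterator[AvpTuple]:
    """Yield (code, vendor, flags, data) for each AVP; raise ValueError on bad lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 12 if flags & FLAG_V else 8
        if length < header_len or off + length > len(buf):
            raise ValueError("AVP length %d inconsistent with buffer" % length)
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_V else None
        yield code, vendor, flags, buf[off + header_len:off + length]
        off += length + pad4(length)


def is_well_formed(buf: bytes) -> bool:
    """True if every top-level AVP in buf has consistent header and length fields."""
    try:
        list(decode_avps(buf))
        return True
    except ValueError:
        return False


def flag_string(flags: int) -> str:
    """Render the flags the way the diapwtst dump does: 'V..', '.M.', and so on."""
    return (("V" if flags & FLAG_V else ".") + ("M" if flags & FLAG_M else ".")
            + ("P" if flags & FLAG_P else "."))


def build_location_information(line_identifier: str) -> bytes:
    """Location-Information (Grouped) whose data is one encoded Line-Identifier AVP."""
    inner = encode_avp(LINE_IDENTIFIER, line_identifier.encode("ascii"), vendor=VENDOR_ID)
    return encode_avp(LOCATION_INFORMATION, inner, vendor=VENDOR_ID)


def location_information_members(buf: bytes) -> List[Tuple[int, Optional[int], bytes]]:
    """Return (code, vendor, data) of the AVPs nested in the first Location-Information in buf."""
    for code, vendor, _flags, data in decode_avps(buf):
        if code == LOCATION_INFORMATION and vendor == VENDOR_ID:
            return [(c, v, d) for c, v, _f, d in decode_avps(data)]
    raise ValueError("Location-Information not present")


if __name__ == "__main__":
    avp = build_location_information("ADSL;privaccess-xxx")  # value from the thread
    print(avp.hex())
    for code, vendor, flags, data in decode_avps(avp):
        print("code", code, "vendor", vendor, flag_string(flags), len(data), "bytes of data")
        for c, v, f, d in decode_avps(data):
            print("  code", c, "vendor", v, flag_string(f), d.decode("ascii"))
```

The 19-byte value gives an inner AVP whose length field is 31, padded to 32 bytes on the wire, and an outer AVP of 44 bytes with no padding; the nested decode only sees the outer AVP's data, so a length field that overruns the buffer is caught before anything inside it is interpreted.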
Re: (RADIATOR) AddToReply
Hello Andrea -

If you want to add the attributes shown below for everyone that does not have them set in their reply attributes (ie. only have the ones that are different in the user records) you should do something like this:

<AuthBy SQL>
	...
	AddToReplyIfNotExist Class = 3, Idle-Timeout = 600
</AuthBy>

I see from your other mail that you have already learned how to change the AuthSelect statement.

regards

Hugh

On Friday, Oct 10, 2003, at 11:36 Australia/Melbourne, Andrea Brancatelli wrote:

> in my SUBSCRIBERS table I have the following entry:
>
> Username  = ugo
> Password  =
> Checkattr = (NULL)
> ReplyAttr = 'Class = 3, Idle-Timeout = 600'
> TimeLeft  = (NULL)
>
> WHERE am I supposed to see the replyattr? The access point is not doing
> what is specified there and radpwtst doesn't show any reply attribute
> as well. what's wrong?
>
> I have to send "Class = 3, Idle-Timeout = 600" to almost anyone. How do
> I do that? The best solution would be a per-user granularity (so the
> SUBSCRIBERS table fits) but it doesn't seem to work.
>
> Any suggestion?
>
> here's radpwtst output:
>
> Reading dictionary file '/etc/radiator/dictionary'
> sending Access-Request...
> Packet dump:
> *** Sending to 127.0.0.1 port 1645
> Code:       Access-Request
> Identifier: 161
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "ugo"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = "145g172177131203179k1781195]152257136"
>
> Packet dump:
> *** Received from 127.0.0.1 port 1645
> Code:       Access-Accept
> Identifier: 161
> Authentic:  132|244cP177160148172828kxD144
> Attributes:
>
> OK
> sending Accounting-Request Start...
> Packet dump:
> *** Sending to 127.0.0.1 port 1646
> Code:       Accounting-Request
> Identifier: 162
> Authentic:
> Attributes:
>         User-Name = "ugo"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "1234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>
> Packet dump:
> *** Received from 127.0.0.1 port 1646
> Code:       Accounting-Response
> Identifier: 162
> Authentic:  -203Fc170z~f169192331392232318225
> Attributes:
>
> OK
> sending Accounting-Request Stop...
> Packet dump:
> *** Sending to 127.0.0.1 port 1646
> Code:       Accounting-Request
> Identifier: 163
> Authentic:
> Attributes:
>         User-Name = "ugo"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "1234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 2
>         Acct-Output-Octets = 3
>
> Packet dump:
> *** Received from 127.0.0.1 port 1646
> Code:       Accounting-Response
> Identifier: 163
> Authentic:  248a136X242233202174164v15219421822A8
> Attributes:
>
> OK

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) AddToReply
in my SUBSCRIBERS table I have the following entry:

Username  = ugo
Password  =
Checkattr = (NULL)
ReplyAttr = 'Class = 3, Idle-Timeout = 600'
TimeLeft  = (NULL)

WHERE am I supposed to see the replyattr? The access point is not doing what is specified there and radpwtst doesn't show any reply attribute as well. what's wrong?

I have to send "Class = 3, Idle-Timeout = 600" to almost anyone. How do I do that? The best solution would be a per-user granularity (so the SUBSCRIBERS table fits) but it doesn't seem to work.

Any suggestion?

here's radpwtst output:

Reading dictionary file '/etc/radiator/dictionary'
sending Access-Request...
Packet dump:
*** Sending to 127.0.0.1 port 1645
Code:       Access-Request
Identifier: 161
Authentic:  1234567890123456
Attributes:
        User-Name = "ugo"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "145g172177131203179k1781195]152257136"

Packet dump:
*** Received from 127.0.0.1 port 1645
Code:       Access-Accept
Identifier: 161
Authentic:  132|244cP177160148172828kxD144
Attributes:

OK
sending Accounting-Request Start...
Packet dump:
*** Sending to 127.0.0.1 port 1646
Code:       Accounting-Request
Identifier: 162
Authentic:
Attributes:
        User-Name = "ugo"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "1234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0

Packet dump:
*** Received from 127.0.0.1 port 1646
Code:       Accounting-Response
Identifier: 162
Authentic:  -203Fc170z~f169192331392232318225
Attributes:

OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 127.0.0.1 port 1646
Code:       Accounting-Request
Identifier: 163
Authentic:
Attributes:
        User-Name = "ugo"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "1234"
        Acct-Status-Type = Stop
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 2
        Acct-Output-Octets = 3

Packet dump:
*** Received from 127.0.0.1 port 1646
Code:       Accounting-Response
Identifier: 163
Authentic:  248a136X242233202174164v15219421822A8
Attributes:

OK
Re: (RADIATOR) AddToReply Usage
Hello Mahesh -

Can you please send me a copy of the configuration file and a trace 4 debug showing what is happening?

regards

Hugh

On Monday, Sep 15, 2003, at 12:16 Australia/Melbourne, Mahesh Neelakanta wrote:

> Thanks Hugh. Will this Reply-Message also match the %1 from the
> FailureFormat of the AuthLOG? The reason is that in our Radiator (2.19),
> %1 should print Request Denied but does not.
>
> mahesh
>
> -----Original Message-----
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 13, 2003 6:43 PM
> To: Mahesh Neelakanta
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) AddToReply Usage
>
> Hello Mahesh -
>
> You can use the RejectHasReason in your Realm or Handler clause. See
> section 6.16.23 in the Radiator 3.6 reference manual (doc/ref.html).
>
> regards
>
> Hugh
>
> On Sunday, Sep 14, 2003, at 00:27 Australia/Melbourne, Mahesh Neelakanta wrote:
>
>> Hello from Sunny South Florida, USA,
>>
>> I have a pretty simple question: We want to add the attribute
>> Reply-Message only when we reject a connection. For example if we have
>> a handler:
>>
>> <AuthBy GROUP>
>>     Identifier Test_Group
>>     AuthByPolicy ContinueUntilReject
>>     AuthBy Auth_1
>>     AuthBy Radius_2
>>     AuthBy File_1
>>     AuthBy SQL_1
>> </AuthBy>
>>
>> <AuthBy FILE>
>>     Identifier FILE_1
>>     Filename %D/users.txt
>> </AuthBy>
>>
>> <AuthBy RADIUS>
>>     Identifier RADIUS_1
>>     Host XX
>>     Secret X
>>     Retries 10
>>     RetryTimeout 15
>> </AuthBy>
>> . . .
>>
>> In the RADIUS_1 or FILE_1 (or perhaps better still in Test_Group), I
>> need to append Reply-Message only when we are going to reject the AUTH.
>>
>> Thanks,
>> mahesh
RE: (RADIATOR) AddToReply Usage
Thanks Hugh. Will this Reply-Message also match the %1 from the FailureFormat of the AuthLOG? The reason is that in our Radiator (2.19), %1 should print Request Denied but does not.

mahesh

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 13, 2003 6:43 PM
To: Mahesh Neelakanta
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AddToReply Usage

Hello Mahesh -

You can use the RejectHasReason in your Realm or Handler clause. See section 6.16.23 in the Radiator 3.6 reference manual (doc/ref.html).

regards

Hugh

On Sunday, Sep 14, 2003, at 00:27 Australia/Melbourne, Mahesh Neelakanta wrote:

> Hello from Sunny South Florida, USA,
>
> I have a pretty simple question: We want to add the attribute
> Reply-Message only when we reject a connection. For example if we have
> a handler:
>
> <AuthBy GROUP>
>     Identifier Test_Group
>     AuthByPolicy ContinueUntilReject
>     AuthBy Auth_1
>     AuthBy Radius_2
>     AuthBy File_1
>     AuthBy SQL_1
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier FILE_1
>     Filename %D/users.txt
> </AuthBy>
>
> <AuthBy RADIUS>
>     Identifier RADIUS_1
>     Host XX
>     Secret X
>     Retries 10
>     RetryTimeout 15
> </AuthBy>
> . . .
>
> In the RADIUS_1 or FILE_1 (or perhaps better still in Test_Group), I
> need to append Reply-Message only when we are going to reject the AUTH.
>
> Thanks,
> mahesh
(RADIATOR) AddToReply Usage
Hello from Sunny South Florida, USA,

I have a pretty simple question: We want to add the attribute Reply-Message only when we reject a connection. For example if we have a handler:

<AuthBy GROUP>
    Identifier Test_Group
    AuthByPolicy ContinueUntilReject
    AuthBy Auth_1
    AuthBy Radius_2
    AuthBy File_1
    AuthBy SQL_1
</AuthBy>

<AuthBy FILE>
    Identifier FILE_1
    Filename %D/users.txt
</AuthBy>

<AuthBy RADIUS>
    Identifier RADIUS_1
    Host XX
    Secret X
    Retries 10
    RetryTimeout 15
</AuthBy>
. . .

In the RADIUS_1 or FILE_1 (or perhaps better still in Test_Group), I need to append Reply-Message only when we are going to reject the AUTH.

Thanks,
mahesh
Re: (RADIATOR) AddToReply Usage
Hello Mahesh -

You can use the RejectHasReason in your Realm or Handler clause. See section 6.16.23 in the Radiator 3.6 reference manual (doc/ref.html).

regards

Hugh

On Sunday, Sep 14, 2003, at 00:27 Australia/Melbourne, Mahesh Neelakanta wrote:

> Hello from Sunny South Florida, USA,
>
> I have a pretty simple question: We want to add the attribute
> Reply-Message only when we reject a connection. For example if we have
> a handler:
>
> <AuthBy GROUP>
>     Identifier Test_Group
>     AuthByPolicy ContinueUntilReject
>     AuthBy Auth_1
>     AuthBy Radius_2
>     AuthBy File_1
>     AuthBy SQL_1
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier FILE_1
>     Filename %D/users.txt
> </AuthBy>
>
> <AuthBy RADIUS>
>     Identifier RADIUS_1
>     Host XX
>     Secret X
>     Retries 10
>     RetryTimeout 15
> </AuthBy>
> . . .
>
> In the RADIUS_1 or FILE_1 (or perhaps better still in Test_Group), I
> need to append Reply-Message only when we are going to reject the AUTH.
>
> Thanks,
> mahesh
(RADIATOR) AddToReply and Hosts
I am attempting to use the AddToReply and StripFromReply on a per host basis with SQLRADIUS and am not having much luck... Upon looking at the source code and the archives it looks like it should work... Here are the relevant pieces of my config, I am almost certain I am doing it correctly.

HostSelect SELECT host%0, authport%0, acctport%0, secret%0, retries, retrytimeout, failurepolicy, \
	serverhasbrokenaddresses, serverhasbrokenportnumbers, ignorereplysignature, noforwardaccounting, rewriteusername, stripfromreply, addtoreply \
	FROM RAD_RADIUSINFO \
	WHERE realm = '%W'

HostColumnDef 0, Host
HostColumnDef 1, AuthPort
HostColumnDef 2, AcctPort
HostColumnDef 3, Secret
HostColumnDef 4, Retries
HostColumnDef 5, RetryTimeout
HostColumnDef 6, failurePolicy
HostColumnDef 7, ServerHasBrokenAddresses
HostColumnDef 8, ServerHasBrokenPortNumbers
HostColumnDef 9, IgnoreReplySignature
HostColumnDef 10, NoForwardAccounting
HostColumnDef 11, RewriteUsername
HostColumnDef 12, StripFromReply
HostColumnDef 13, AddToReply

The record gets pulled and processed correctly, host response is as it should be, but my StripFromReply and AddToReply are ignored... I also did a test with AUTH RADIUS entering in a <Host xx.xx.xx.xx> with an AddToReply statement in there and it was ignored as well...

If anyone has any suggestions about ways to correct this, or to handle this with a hook I would greatly appreciate any feedback. Just as an informational, I am wanting to do this in order to be able to specify different reply attributes for the reply packet based on the realm, but I do not want to create a separate handler for each realm.

TIA
-Miko
Re: (RADIATOR) AddToReply and Hosts
Hello Miko -

No this won't work. As you have discovered, AddToReply and StripFromReply will not work in a <Host ...> clause.

I think you will need to use a ReplyHook to manipulate the proxy reply. You will find some example hooks in the file goodies/hooks.txt.

regards

Hugh

On Saturday, Apr 5, 2003, at 05:30 Australia/Melbourne, [EMAIL PROTECTED] wrote:

> I am attempting to use the AddToReply and StripFromReply on a per host
> basis with SQLRADIUS and am not having much luck... Upon looking at the
> source code and the archives it looks like it should work... Here are
> the relevant pieces of my config, I am almost certain I am doing it
> correctly.
>
> HostSelect SELECT host%0, authport%0, acctport%0, secret%0, retries, retrytimeout, failurepolicy, \
> 	serverhasbrokenaddresses, serverhasbrokenportnumbers, ignorereplysignature, noforwardaccounting, rewriteusername, stripfromreply, addtoreply \
> 	FROM RAD_RADIUSINFO \
> 	WHERE realm = '%W'
>
> HostColumnDef 0, Host
> HostColumnDef 1, AuthPort
> HostColumnDef 2, AcctPort
> HostColumnDef 3, Secret
> HostColumnDef 4, Retries
> HostColumnDef 5, RetryTimeout
> HostColumnDef 6, failurePolicy
> HostColumnDef 7, ServerHasBrokenAddresses
> HostColumnDef 8, ServerHasBrokenPortNumbers
> HostColumnDef 9, IgnoreReplySignature
> HostColumnDef 10, NoForwardAccounting
> HostColumnDef 11, RewriteUsername
> HostColumnDef 12, StripFromReply
> HostColumnDef 13, AddToReply
>
> The record gets pulled and processed correctly, host response is as it
> should be, but my StripFromReply and AddToReply are ignored... I also
> did a test with AUTH RADIUS entering in a <Host xx.xx.xx.xx> with an
> AddToReply statement in there and it was ignored as well...
>
> If anyone has any suggestions about ways to correct this, or to handle
> this with a hook I would greatly appreciate any feedback. Just as an
> informational, I am wanting to do this in order to be able to specify
> different reply attributes for the reply packet based on the realm, but
> I do not want to create a separate handler for each realm.
>
> TIA
> -Miko
RE: (RADIATOR) AddToReply and Hosts
Thanks Hugh,,, unfortunately that makes things a bit more difficult for me... Is there anyway that I could use a variable created in a preclienthook from within a replyhook???

-Miko

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 04, 2003 5:13 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AddToReply and Hosts

Hello Miko -

No this won't work. As you have discovered, AddToReply and StripFromReply will not work in a <Host ...> clause.

I think you will need to use a ReplyHook to manipulate the proxy reply. You will find some example hooks in the file goodies/hooks.txt.

regards

Hugh

On Saturday, Apr 5, 2003, at 05:30 Australia/Melbourne, [EMAIL PROTECTED] wrote:

> I am attempting to use the AddToReply and StripFromReply on a per host
> basis with SQLRADIUS and am not having much luck... Upon looking at the
> source code and the archives it looks like it should work... Here are
> the relevant pieces of my config, I am almost certain I am doing it
> correctly.
>
> HostSelect SELECT host%0, authport%0, acctport%0, secret%0, retries, retrytimeout, failurepolicy, \
> 	serverhasbrokenaddresses, serverhasbrokenportnumbers, ignorereplysignature, noforwardaccounting, rewriteusername, stripfromreply, addtoreply \
> 	FROM RAD_RADIUSINFO \
> 	WHERE realm = '%W'
>
> HostColumnDef 0, Host
> HostColumnDef 1, AuthPort
> HostColumnDef 2, AcctPort
> HostColumnDef 3, Secret
> HostColumnDef 4, Retries
> HostColumnDef 5, RetryTimeout
> HostColumnDef 6, failurePolicy
> HostColumnDef 7, ServerHasBrokenAddresses
> HostColumnDef 8, ServerHasBrokenPortNumbers
> HostColumnDef 9, IgnoreReplySignature
> HostColumnDef 10, NoForwardAccounting
> HostColumnDef 11, RewriteUsername
> HostColumnDef 12, StripFromReply
> HostColumnDef 13, AddToReply
>
> The record gets pulled and processed correctly, host response is as it
> should be, but my StripFromReply and AddToReply are ignored... I also
> did a test with AUTH RADIUS entering in a <Host xx.xx.xx.xx> with an
> AddToReply statement in there and it was ignored as well...
>
> If anyone has any suggestions about ways to correct this, or to handle
> this with a hook I would greatly appreciate any feedback. Just as an
> informational, I am wanting to do this in order to be able to specify
> different reply attributes for the reply packet based on the realm, but
> I do not want to create a separate handler for each realm.
>
> TIA
> -Miko
RE: (RADIATOR) AddtoReply
If you don't like this behavior, you can specify your handlers like this:

<Handler Realm=bogus-service, Request-Type=Access-Request>
	...
	...
	AddToRequest Attribute-Name = Attribut-Value
</Handler>

<Handler Realm=bogus-service, Request-Type=Accounting-Request>
	...
	...
</Handler>

Cheers,
Alexander

-----Original Message-----
From: Wim Biemolt [mailto:[EMAIL PROTECTED]]
Sent: Saturday 24 August 2002 14:12
To: Hugh Irvine
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AddtoReply

So many e-mail. So little time. But ...

== From: Hugh Irvine
> This is the expected behaviour - why is it a problem?

Why is it expected behaviour that AddToReply also works for Accounting replies when the manual states (6.17.8 AddToReply) "Adds attributes to Access-Accepts before replying to the originating client."?

If I read this I expect AddToReply wouldn't add attributes to accounting replies. And since I don't need attributes added to the accounting replies I would be in favour of the behaviour described in the manual. But since on the other hand the added attributes to the accounting replies don't cause any real problem updating the manual would also be fine with me. Leaving everything just the way it is now probably isn't a good idea.

-Wim
-/- SURFnet
Re: (RADIATOR) AddtoReply
== From: [EMAIL PROTECTED]
> If you don't like this behavior, you can specify your handlers like this:
>
> <Handler Realm=bogus-service, Request-Type=Access-Request>
> 	...
> 	...
> 	AddToRequest Attribute-Name = Attribut-Value
> </Handler>
>
> <Handler Realm=bogus-service, Request-Type=Accounting-Request>
> 	...
> 	...
> </Handler>

I know. But I'm having too many handlers to implement this solution. Although this was not my point. The manual states that AddToRequest does something with Access-Requests. It doesn't mention it affects all requests. So I'm a bit surprised when somebody claims that the latter is the expected behavior. It wasn't for me.

-Wim
-/- SURFnet
RE: (RADIATOR) AddtoReply
The only downside to doing it this way is that it still adds the attributes to access-reject reply packets, which inherently does not cause problems, except when dealing with larger networks, such as UUNet which request that the only attributes passed back are Proxy-State and Reply-Message...

-Miko

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 26, 2002 8:25 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) AddtoReply

If you don't like this behavior, you can specify your handlers like this:

<Handler Realm=bogus-service, Request-Type=Access-Request>
	...
	...
	AddToRequest Attribute-Name = Attribut-Value
</Handler>

<Handler Realm=bogus-service, Request-Type=Accounting-Request>
	...
	...
</Handler>

Cheers,
Alexander

-----Original Message-----
From: Wim Biemolt [mailto:[EMAIL PROTECTED]]
Sent: Saturday 24 August 2002 14:12
To: Hugh Irvine
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AddtoReply

So many e-mail. So little time. But ...

== From: Hugh Irvine
> This is the expected behaviour - why is it a problem?

Why is it expected behaviour that AddToReply also works for Accounting replies when the manual states (6.17.8 AddToReply) "Adds attributes to Access-Accepts before replying to the originating client."?

If I read this I expect AddToReply wouldn't add attributes to accounting replies. And since I don't need attributes added to the accounting replies I would be in favour of the behaviour described in the manual. But since on the other hand the added attributes to the accounting replies don't cause any real problem updating the manual would also be fine with me. Leaving everything just the way it is now probably isn't a good idea.

-Wim
-/- SURFnet
Re: (RADIATOR) AddtoReply
== From: [EMAIL PROTECTED]
> The only downside to doing it this way is that it still adds the
> attributes to access-reject reply packets, which inherently does not
> cause problems, except when dealing with larger networks, such as UUNet
> which request that the only attributes passed back are Proxy-State and
> Reply-Message...

The nice thing about radiator is that it is very flexible and until now I always could come up with some kind of configuration which was doing what I needed. In your situation the following will probably work (didn't actually test it!) ...

<Handler Realm=bogus-service>
	...
	...
	ReplyHook file:"/some/path/makesurenottosendtoomuch.pl"
</Handler>

and

# -*- mode: Perl -*-
# makesurenottosendtoomuch.pl
#
sub
{
    my $p  = ${$_[0]};   # proxy reply packet
    my $rp = ${$_[1]};   # reply packet to NAS
    my $op = ${$_[2]};   # original request packet
    my $sp = ${$_[3]};   # packet sent to proxy

    # Get the request code from the proxy reply.
    my $code = $p->code;
    unless ($code eq 'Access-Accept')
    {
        main::log($main::LOG_DEBUG, "about to undo AddtoReply");
        $rp->delete_attr('Attribute-Name');
        main::log($main::LOG_DEBUG, "removed Attribute-Name");
        return;
    }
}

Although the best thing probably would be to make radiator behave with respect to AddtoReply as described in the radiator 3.2 manual. "Adds attributes to *Access-Accepts*." So not to Access-Rejects and not to Accounting-Requests ;)

-Wim
-/- SURFnet
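The threads above touch three pieces of reply-attribute behaviour: per-user ReplyAttr plus a site-wide default that must not clobber it (Hugh's AddToReplyIfNotExist advice to Andrea), a Reply-Message that should appear only on a reject (RejectHasReason), and the fact that AddToReply applies to every reply code, which Wim's ReplyHook undoes for anything that is not an Access-Accept. The following is an added example, not Radiator code: it models all three on a plain list of (name, value) pairs, and generalises Wim's single delete_attr to a per-code allow-list so that an Access-Reject carries only Proxy-State and Reply-Message, as Miko's upstream requires. The ReplyAttr string is the one from Andrea's SUBSCRIBERS row; the Proxy-State value, the site default and the allow-lists are constructed for the example.

```python
"""Model of AddToReply / AddToReplyIfNotExist / ReplyHook behaviour (added example, not Radiator code)."""
from typing import Dict, Iterable, List, Tuple

Attr = Tuple[str, str]

ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"
ACCOUNTING_RESPONSE = "Accounting-Response"


def parse_reply_attrs(spec: str) -> List[Attr]:
    """Parse 'Name = value, Name = "v, w"' into pairs; commas inside double quotes do not split."""
    items: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in spec:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    attrs: List[Attr] = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("reply attribute without '=': %r" % item)
        name, value = (s.strip() for s in item.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.append((name, value))
    return attrs


def add_to_reply(reply: List[Attr], spec: str) -> List[Attr]:
    """AddToReply: append every attribute, even if the reply already has one of that name."""
    return reply + parse_reply_attrs(spec)


def add_to_reply_if_not_exist(reply: List[Attr], spec: str) -> List[Attr]:
    """AddToReplyIfNotExist: attributes already in the reply (e.g. per-user ones) win over the default."""
    present = {name for name, _ in reply}
    return reply + [(n, v) for n, v in parse_reply_attrs(spec) if n not in present]


def reject_with_reason(reply: List[Attr], reason: str) -> List[Attr]:
    """RejectHasReason-style: carry the rejection reason in a single Reply-Message."""
    return [(n, v) for n, v in reply if n != "Reply-Message"] + [("Reply-Message", reason)]


def reply_hook(code: str, reply: List[Attr], allow: Dict[str, Iterable[str]]) -> List[Attr]:
    """Leave an Access-Accept untouched; for any other code keep only allow-listed names."""
    if code == ACCESS_ACCEPT:
        return list(reply)
    keep = set(allow.get(code, ()))
    return [(n, v) for n, v in reply if n in keep]


# Constructed allow-lists: what Miko's upstream wants on a reject, and the attributes
# RFC 2866 permits in an Accounting-Response (Proxy-State and vendor-specific ones).
ALLOW: Dict[str, Tuple[str, ...]] = {
    ACCESS_REJECT: ("Proxy-State", "Reply-Message"),
    ACCOUNTING_RESPONSE: ("Proxy-State", "Vendor-Specific"),
}


def demo() -> Dict[str, List[Attr]]:
    """Per-user ReplyAttr, then a site default, then the filter for each reply code."""
    per_user = "Class = 3, Idle-Timeout = 600"                        # ReplyAttr of user 'ugo'
    site_default = "Class = 3, Idle-Timeout = 600, Session-Timeout = 3600"  # constructed
    proxied = [("Proxy-State", "0x01")]                              # constructed, echoed from the request
    reply = add_to_reply_if_not_exist(add_to_reply(proxied, per_user), site_default)
    return {
        "accept": reply_hook(ACCESS_ACCEPT, reply, ALLOW),
        "reject": reply_hook(ACCESS_REJECT, reject_with_reason(reply, "Request Denied"), ALLOW),
        "acct": reply_hook(ACCOUNTING_RESPONSE, reply, ALLOW),
    }


if __name__ == "__main__":
    for code, attrs in demo().items():
        print(code, attrs)
```

Running demo() gives the full attribute set on the accept, only Proxy-State and the reason on the reject, and only Proxy-State on the accounting response. The order matters: the reason is added before the filter runs so that it survives, and the per-user attributes are added before the site default so that AddToReplyIfNotExist skips the names the user record already sets.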
Re: (RADIATOR) AddtoReply
Hello Wim, Hello Miko - Thanks Wim - I was going to write the same thing as you did. The reason that AddToReply does what it does is because there are people who do want to add attributes to both rejects and to accounting replies. The manual is incorrect and has been fixed for the next release. regards Hugh On Monday, August 26, 2002, at 10:25 PM, Wim Biemolt wrote: == From: [EMAIL PROTECTED] The only downside to doing it this way is that it still adds the attributes to access-reject reply packets, which inherantly does not cause problems, except when dealing with larger networks, such as UUNet which request that the only attributes passes back are Proxy-State and Reply-Message... The nice thing about radiator is that it is very flexible and until now I always could come up with some kind of configuration which was doing what I needed. In your situation the following will probably work (didn't actual test it!) ... Handler Realm=bogus-service ... ... ReplyHook file:/some/path/makesurenottosendtoomuch.pl /Handler and # -*- mode: Perl -*- # makesurenottosendtoomuch.pl # sub { my $p = ${$_[0]};# proxy reply packet my $rp = ${$_[1]};# reply packet to NAS my $op = ${$_[2]};# original request packet my $sp = ${$_[3]};# packet sent to proxy # Get the request code from the proxy reply. my $code = $p-code; unless ($code eq 'Access-Accept') { main::log($main::LOG_DEBUG, about to undo AddtoReply); $rp-delete_attr('Attribute-Name'); main::log($main::LOG_DEBUG, removed Attribute-Name); return; } } Although the best thing probably would be to make radiator behave with respect to AddtoReply as described in the radiator 3.2 manual. Adds attributes to *Access-Accepts*. So not to Access-Rejects and not to Accounting-Requests ;) -Wim -/- SURFnet === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. 
NB: I am travelling this week, so there may be delays in our correspondence.

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
(RADIATOR) AddtoReply
Anyone else having a problem with AddToReply where it adds the reply
attributes to Accounting replies as well???

Miko
Re: (RADIATOR) AddtoReply
Hello Miko,

Friday, August 2, 2002, 8:37:13 PM, you wrote:

> Anyone else having a problem with AddToReply where it adds the reply
> attributes to Accounting replies as well???

What version of Radiator are you running? We're running the latest v3.1 with
patches here. I want to make Radiator do this to test some things, but
v3.1's AddToReply (and PostAuthHooks) won't add attributes into accounting
responses.

--
Best regards,
Wildph mailto:[EMAIL PROTECTED]
Re: (RADIATOR) AddtoReply
Hello Miko -

This is the expected behaviour - why is it a problem?

If you want to deal with accounting requests differently to authentication
requests, you can use Handlers:

    # define Handlers

    <Handler Request-Type = Accounting-Request>
        ...
    </Handler>

    <Handler>
        ...
    </Handler>

regards

Hugh

On Saturday, August 3, 2002, at 05:37 AM, [EMAIL PROTECTED] wrote:

> Anyone else having a problem with AddToReply where it adds the reply
> attributes to Accounting replies as well???
>
> Miko
Re: (RADIATOR) AddtoReply
Hello -

Please send me a copy of your configuration file (no secrets) together with
a trace 4 debug showing what is happening.

thanks

Hugh

On Saturday, August 3, 2002, at 09:40 AM, Wildph wrote:

> Hello Miko,
>
> Friday, August 2, 2002, 8:37:13 PM, you wrote:
>
> > Anyone else having a problem with AddToReply where it adds the reply
> > attributes to Accounting replies as well???
>
> What version of Radiator are you running? We're running the latest v3.1
> with patches here. I want to make Radiator do this to test some things,
> but v3.1's AddToReply (and PostAuthHooks) won't add attributes into
> accounting responses.
>
> --
> Best regards,
> Wildph mailto:[EMAIL PROTECTED]
Re: (RADIATOR) AddToReply also in accounting?
Hola Mariano, Hello Hugh,

== From: Hugh Irvine
> Yes Mariano is correct in what is shown below.
>
> Note that there may or may not be reply attributes in accounting
> responses. Wim is right in saying that they are usually empty, but there
> are some applications (usually proxy setups) that require reply attributes
> in accounting responses as well as in access accepts.
>
> As Wim points out, AddToReply(IfNotExist) can be used in both cases. And
> as Mariano shows below, Handlers can be used to deal with authentication
> and accounting separately.

The solution of Mariano could work. But my greatest problem is that I see
something which is not correct according to the reference manual. According
to the reference manual AddToReply "adds attributes *to Access-Accepts*".
But as I understand it now this should be "adds attributes to (all)
replies". Just a minor detail.

Cheers,

-Wim -/- SURFnet
Re: (RADIATOR) AddToReply also in accounting?
Hi Wim -

I have copied Mike on this mail and the manual will be clarified for the
next release.

Thanks for pointing out the inconsistency.

regards

Hugh

On Friday 19 October 2001 00:04, Wim Biemolt wrote:

> Hola Mariano, Hello Hugh,
>
> == From: Hugh Irvine
> > Yes Mariano is correct in what is shown below.
> >
> > Note that there may or may not be reply attributes in accounting
> > responses. Wim is right in saying that they are usually empty, but
> > there are some applications (usually proxy setups) that require reply
> > attributes in accounting responses as well as in access accepts.
> >
> > As Wim points out, AddToReply(IfNotExist) can be used in both cases.
> > And as Mariano shows below, Handlers can be used to deal with
> > authentication and accounting separately.
>
> The solution of Mariano could work. But my greatest problem is that I see
> something which is not correct according to the reference manual.
> According to the reference manual AddToReply "adds attributes *to
> Access-Accepts*". But as I understand it now this should be "adds
> attributes to (all) replies". Just a minor detail.
>
> Cheers,
>
> -Wim -/- SURFnet
(RADIATOR) AddToReply also in accounting?
Hi,

I'm using the AddToReply(IfNotExist) command to add certain attributes. Like
a Framed-IP-Address to assign an IP-address if none was specified.

According to the reference manual (2.18.4) AddToReply "Adds attributes to
Access-Accepts before replying to the originating client." However I noticed
that the AddToReply(IfNotExist) command also seems to affect the
Accounting-Response:

    *** Sending to 10.20.30.40 port 1813
    Code:       Accounting-Response
    Identifier: 156
    Authentic:  R187230238!25181i10n.n}Y
    Attributes:
        Framed-IP-Address = 192.168.192.168

Although everything is working fine, I don't need this attribute in the
Accounting-Response and according to the reference manual this isn't the
correct behavior. Is this a bug?

Cheers,

-Wim -/- SURFnet
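The two symptoms discussed in this thread (an Accounting-Response carrying Framed-IP-Address as in the trace above, and the earlier remark that some upstream proxies accept only Proxy-State and Reply-Message in anything other than an Access-Accept) can be checked on the wire. The following is an added example, not code from the list posts or from Radiator: a small RFC 2865/2866 reply decoder that verifies the Response Authenticator and then reports any other attribute found in a non-accept reply. The shared secret, request authenticator and sample packets are constructed for the example.

```python
"""Audit RADIUS replies for attributes that should not be in them.

Added example (not from the Radiator list or from Radiator itself). It
decodes a reply, checks the Response Authenticator (RFC 2865 section 3)
and flags attributes in Access-Reject / Accounting-Response other than
Proxy-State and Reply-Message. All secrets and packets are constructed.
"""
import hashlib
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 5: "Accounting-Response"}
NAMES = {8: "Framed-IP-Address", 18: "Reply-Message", 33: "Proxy-State",
         64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
         81: "Tunnel-Private-Group-ID"}
# Attributes tolerated in non-accept replies (the proxy requirement quoted
# in the thread).
ALLOWED_IN_NON_ACCEPT = {18, 33}

SECRET = b"constructed-shared-secret"   # constructed, not a real secret
REQUEST_AUTH = bytes(range(16))         # constructed Request Authenticator


def parse(packet):
    """Decode one packet: (code, identifier, authenticator, [(type, value)])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d != %d bytes received" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_reply(code, ident, attrs, request_auth=REQUEST_AUTH, secret=SECRET):
    """Encode a reply with a valid Response Authenticator (sample data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def audit_reply(packet, request_auth=REQUEST_AUTH, secret=SECRET):
    """Return a list of findings for one reply; empty means it is clean."""
    code, ident, auth, attrs = parse(packet)
    findings = []
    if auth != response_authenticator(code, ident, packet[20:], request_auth, secret):
        findings.append("bad Response Authenticator (wrong secret or forged reply)")
    if code != 2:                       # everything except Access-Accept
        for atype, _ in attrs:
            if atype not in ALLOWED_IN_NON_ACCEPT:
                findings.append("%s carries %s" % (CODES.get(code, code),
                                                   NAMES.get(atype, atype)))
    return findings


def sample_packets():
    """Constructed replies mirroring the cases discussed in the thread."""
    vlan = [(64, b"\x01\x00\x00\x0d"),      # Tunnel-Type, tag 1, VLAN (13)
            (65, b"\x01\x00\x00\x06"),      # Tunnel-Medium-Type, tag 1, 802
            (81, b"\x01" + b"3002")]        # Tunnel-Private-Group-ID, tag 1
    return {
        "accept": build_reply(2, 143, vlan),
        "reject": build_reply(3, 144, [(18, b"blacklisted")] + vlan),
        "acct": build_reply(5, 156, [(8, bytes([192, 168, 192, 168]))]),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, audit_reply(pkt) or "clean")
```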
Re: (RADIATOR) AddToReply also in accounting?
Hi Wim,

I guess your problem comes from doing accounting and authentication in the
same AuthBy ... clause.

You should (correct me, Hugh, if I'm wrong):

    <AuthBy WhatEver>
        Identifier auth-only
        # all the stuff related with authentication,
        # including the AddToReply
    </AuthBy>

    <AuthBy WhatEver>
        Identifier acct-only
        # all the stuff related with accounting,
        # NOT including the AddToReply
    </AuthBy>

    <Handler Request-Type=Access-Request>
        AuthBy auth-only
    </Handler>

    <Handler Request-Type=Accounting-Request>
        AuthBy acct-only
    </Handler>

El 17 Oct 2001, a las 17:55, Wim Biemolt escribió:

> Hi,
>
> I'm using the AddToReply(IfNotExist) command to add certain attributes.
> Like a Framed-IP-Address to assign an IP-address if none was specified.
>
> According to the reference manual (2.18.4) AddToReply "Adds attributes to
> Access-Accepts before replying to the originating client." However I
> noticed that the AddToReply(IfNotExist) command also seems to affect the
> Accounting-Response:
>
>     *** Sending to 10.20.30.40 port 1813
>     Code:       Accounting-Response
>     Identifier: 156
>     Authentic:  R187230238!25181i10n.n}Y
>     Attributes:
>         Framed-IP-Address = 192.168.192.168
>
> Although everything is working fine, I don't need this attribute in the
> Accounting-Response and according to the reference manual this isn't the
> correct behavior. Is this a bug?
>
> Cheers,
>
> -Wim -/- SURFnet

--
Mariano Absatz
El Baby
--
Computers are only human.
Re: (RADIATOR) AddToReply also in accounting?
Hello Wim, Hello Mariano -

Yes Mariano is correct in what is shown below.

Note that there may or may not be reply attributes in accounting responses.
Wim is right in saying that they are usually empty, but there are some
applications (usually proxy setups) that require reply attributes in
accounting responses as well as in access accepts.

As Wim points out, AddToReply(IfNotExist) can be used in both cases. And as
Mariano shows below, Handlers can be used to deal with authentication and
accounting separately.

regards

Hugh

On Thursday 18 October 2001 06:54, Mariano Absatz wrote:

> Hi Wim,
>
> I guess your problem comes from doing accounting and authentication in
> the same AuthBy ... clause.
>
> You should (correct me, Hugh, if I'm wrong):
>
>     <AuthBy WhatEver>
>         Identifier auth-only
>         # all the stuff related with authentication,
>         # including the AddToReply
>     </AuthBy>
>
>     <AuthBy WhatEver>
>         Identifier acct-only
>         # all the stuff related with accounting,
>         # NOT including the AddToReply
>     </AuthBy>
>
>     <Handler Request-Type=Access-Request>
>         AuthBy auth-only
>     </Handler>
>
>     <Handler Request-Type=Accounting-Request>
>         AuthBy acct-only
>     </Handler>
>
> El 17 Oct 2001, a las 17:55, Wim Biemolt escribió:
>
> > Hi,
> >
> > I'm using the AddToReply(IfNotExist) command to add certain
> > attributes. Like a Framed-IP-Address to assign an IP-address if none
> > was specified.
> >
> > According to the reference manual (2.18.4) AddToReply "Adds attributes
> > to Access-Accepts before replying to the originating client." However
> > I noticed that the AddToReply(IfNotExist) command also seems to affect
> > the Accounting-Response:
> >
> >     *** Sending to 10.20.30.40 port 1813
> >     Code:       Accounting-Response
> >     Identifier: 156
> >     Authentic:  R187230238!25181i10n.n}Y
> >     Attributes:
> >         Framed-IP-Address = 192.168.192.168
> >
> > Although everything is working fine, I don't need this attribute in
> > the Accounting-Response and according to the reference manual this
> > isn't the correct behavior. Is this a bug?
> >
> > Cheers,
> >
> > -Wim -/- SURFnet
>
> --
> Mariano Absatz
> El Baby
> --
> Computers are only human.
(RADIATOR) AddToReply
Hi again,

When I have set AddToReply with all the attributes that I need, everything
works fine. But when the same is set to AddToReplyIfNotExist then the user
can not surf the web or even ping any address. Am I missing something in the
latter way of adding to the reply?

best regards
Re: (RADIATOR) AddToReply
Hello -

On Tuesday 16 October 2001 13:49, Tech wrote:

> Hi again,
>
> When I have set AddToReply with all the attributes that I need,
> everything works fine. But when the same is set to AddToReplyIfNotExist
> then the user can not surf the web or even ping any address. Am I missing
> something in the latter way of adding to the reply?

As usual, a copy of the configuration file (no secrets) and a trace 4 debug
showing what is going on are what I need.

Note that an AddToReplyIfNotExist will not let you add multiple identical
attributes (like cisco-avpair), because the first one that is added then
exists, and the others won't be added by definition.

regards

Hugh
(RADIATOR) addtoreply
-- Forwarded Message --

Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [Tech [EMAIL PROTECTED]]
Date: Wed, 3 Oct 2001 19:28:29 -0500
From: Tech [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: addtoreply

Hi,

Below is a realm file. This works ok, but when I have tried to make this
AddToReply as part of a PostAuthHook as an AddToReplyIfNotExist for all
default users, but if user x, y, k then only AddToReplyIfNotExist this, or
if group this, or type this...

Suggestions or specific examples would be appreciated.
    <Realm test.com>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy RADIUS>
            RejectEmptyPassword
            AddToReply Ascend-Metric = 1, \
                Ascend-Assign-IP-Pool = 1, \
                Ascend-Number-Sessions = 1, \
                Ascend-Maximum-Channels = 1, \
                Ascend-Route-IP = Route-IP-Yes, \
                Ascend-Bridge = Bridge-No, \
                Ascend-Route-IPX = Route-IPX-No, \
                Ascend-Shared-Profile-Enable = Shared-Profile-No, \
                Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx, \
                Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx, \
                Ascend-Client-Assign-DNS = DNS-Assign-Yes, \
                Ascend-Bridge = Bridge-No, \
                Ascend-Route-IP = Route-IP-Yes, \
                Framed-Netmask = 255.255.255.255, \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 22", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 23", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 23", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 79", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 161", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 udp dstport = 161", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 512", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 513", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 514", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 tcp dstport = 1521", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 udp dstport = 1645", \
                Ascend-Data-Filter = "ip in drop dstip xxx.xxx.xxx.xxx/24 udp dstport = 1646", \
                Ascend-Data-Filter = "ip in forward", \
                Ascend-Data-Filter = "ip out forward"
            Host xxx.xxx.xxx.xxx
            Secret x
        </AuthBy>
    </Realm>

---
Re: (RADIATOR) addtoreply
Hello -

There are some example hooks in the file goodies/hooks.txt in the Radiator
distribution.

hth

Hugh

> Below is a realm file. This works ok, but when I have tried to make this
> AddToReply as part of a PostAuthHook as an AddToReplyIfNotExist for all
> default users, but if user x, y, k then only AddToReplyIfNotExist this,
> or if group this, or type this...
>
> Suggestions or specific examples would be appreciated.
>
> [Realm test.com configuration as in the forwarded message above]
(RADIATOR) AddToReply SQL
Hi,

I want to add to all replies the attribute "Ascend-Maximum-Time = [sessiontime
value from table subscribers]". I want to create some accounts with limited
time, like 30 hours in one month, and after 30 hours it will disconnect. Then
after every disconnect I'll update the Total-Session-time value like
total-session-time = total-session-time - last-session-time. In the next
login I want to use the new total-session-time from the last subtraction.

Can I do it with AddToReply or is there any other way to do it?

Regards

Lutfi
Re: (RADIATOR) AddToReply SQL
Hello Lutfi -

On Mon, 17 Jan 2000, Lutfi YUNUSOGLU wrote:

> I want to add to all replies the attribute "Ascend-Maximum-Time =
> [sessiontime value from table subscribers]". I want to create some
> accounts with limited time, like 30 hours in one month, and after 30
> hours it will disconnect. Then after every disconnect I'll update the
> Total-Session-time value like total-session-time = total-session-time -
> last-session-time. In the next login I want to use the new
> total-session-time from the last subtraction.
>
> Can I do it with AddToReply or is there any other way to do it?

If you use AuthBy SQL, you can do this with an AuthSelect statement and the
corresponding AuthColumnDef:

    <AuthBy SQL>
        DBSource ...
        DBAuth ...
        DBUsername ...
        AuthSelect your SQL statement
        AuthColumnDef total-session-time, Ascend-Maximum-Time, reply
    </AuthBy>

Have a look at section 6.24 in the Radiator 2.14.1 reference manual, and the
various examples in the radius.cfg file and the goodies directory in the
distribution.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT,
Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AddToReply working?
Hi John,

On Jun 8, 8:40pm, [EMAIL PROTECTED] wrote:

> Subject: (RADIATOR) AddToReply working?
>
> Thanks Tom for the answer earlier, that did the trick.
>
> On another topic, I'm not sure if all my AddToReply messages are going
> out to the remote client. Here is what I have setup:
>
>     AddToReply Idle-Timeout = "1200"
>     AddToReply Session-Timeout = "28800"
>     AddToReply Framed-Compression = "Van-Jacobson-TCP-IP"
>     AddToReply Framed-MTU = 1500
>     AddToReply Framed-Routing = None
>     AddToReply Framed-Netmask = 255.255.255.255

If you do it that way, only the last one will get in (as you can see in your
trace). You want to do this:

    AddToReply Idle-Timeout = "1200",Session-Timeout = "28800",\
        Framed-Compression = "Van-Jacobson-TCP-IP",Framed-MTU = 1500,\
        Framed-Routing = None,Framed-Netmask = 255.255.255.255

So it's a bunch of comma-separated attribute-value pairs. You can put it all
on one line, or spread it over several lines with line continuation
characters as I have shown above.

Hope that helps.

Cheers.

> And here is what the trace output shows:
>
>     *** Sending to xxx.xxx.xxx.xxx port 50218
>     Code:       Access-Accept
>     Identifier: 143
>     Authentic:  252217l]-230d@`:262542171323
>     Attributes:
>         User-Service = 2
>         Framed-Protocol = 1
>         Framed-Netmask = 255.255.255.255
>
> Do you think they are going out, but not showing up, or are they not
> being sent? I can't see them on the remote end since that is not my
> server. The logins are working, but these are the attributes that were
> requested by the remote end. They run a managed modem pool for us.
>
> Thanks,
>
> John Kicklighter
> Internet 2xtreme
>
> Date sent: Wed, 9 Jun 1999 13:14:36 +1000
> From: tom minchin [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Copies to: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) RewriteUserName help needed
>
> > On Tue, Jun 08, 1999 at 07:37:36PM -0700, [EMAIL PROTECTED] wrote:
> > > Another issue with adding realm names at the end of each username
> > > with the Client clause, multiple logins cannot be enforced between
> > > POPs since each POP has its own realm name. If the same username
> > > attempts to login to the same POP twice, that should work though.
> > > If I could strip off the realm name before any AuthBy clauses in the
> > > realm, this would solve both problems I believe. Since I'm not very
> > > good at regular expressions in perl, can someone show me how to
> > > truncate a username based on the '@'?
> >
> > There's an example in the manual:
> >
> >     RewriteUsername s/^([^@]+).*/$1/
> >
> > [EMAIL PROTECTED]

-- End of excerpt from [EMAIL PROTECTED]

--
Mike McCauley          [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax +61 3 9598-0955