Re: Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded
Right now (to get this working today) I'm just using 'AddToReply'. That lacks flexibility but gets the job done for today. Your explanation of why this is failing for 'AddToReplyIfNotIncluded' makes sense. A new directive is probably in order (I dislike making exceptions so modifying AddToReplyIfNotIncluded is out of the question in my mind). Thanks for the response. I'll let you know if I get time to code the new directive before you do :)

-Steve

----- Original Message -----
From: "Joost Stegeman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 03, 2000 11:53 AM
Subject: Re: Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded

> Steven,
>
> As Hugh mentioned earlier, the AddToReplyIfNotIncluded directive takes the list
> of parameters passed to it and looks at your reply packet. It takes the first
> attrib from the list and looks for it in the reply packet, it finds no
> Ascend-Data-Filter attribute and thus adds the attribute. It then takes the
> second parameter from the list (another Ascend-Data-Filter) and looks for it in
> the reply packet. It finds the Ascend-Data-Filter that was added just before
> and thus doesn't add any further Ascend-Data-Filter attribs.
>
> Solution: patch the code to allow multiple Ascend-Data-Filter attribs if you
> add one OR add a directive AddFilterToReplyIfNotIncluded which does exactly
> this.
>
> Your first mail on this subject caught my attention as I wanted to use this
> solution for a new customer. As you found, it doesn't work and I'm looking at
> modifying the code to support the latter solution. It isn't that much work, it
> just needs to be done and to be tested and my todo list is long enough already.
> I'll send the patch to the list when I get around to that item on my list.
>
> - Joost.
>
> ===
> Archive at http://www.thesite.com.au/~radiator/
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
Re: Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded
Steven,

As Hugh mentioned earlier, the AddToReplyIfNotIncluded directive takes the list of parameters passed to it and looks at your reply packet. It takes the first attrib from the list and looks for it in the reply packet, it finds no Ascend-Data-Filter attribute and thus adds the attribute. It then takes the second parameter from the list (another Ascend-Data-Filter) and looks for it in the reply packet. It finds the Ascend-Data-Filter that was added just before and thus doesn't add any further Ascend-Data-Filter attribs.

Solution: patch the code to allow multiple Ascend-Data-Filter attribs if you add one OR add a directive AddFilterToReplyIfNotIncluded which does exactly this.

Your first mail on this subject caught my attention as I wanted to use this solution for a new customer. As you found, it doesn't work and I'm looking at modifying the code to support the latter solution. It isn't that much work, it just needs to be done and to be tested and my todo list is long enough already. I'll send the patch to the list when I get around to that item on my list.

- Joost.
Re: Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded
Long winded response with many examples and captures of test sessions coming up:

> Well, you are seeing two problems - the first was a "bug" in 2.14.1 in that
> only a single attribute would be handled by AddToReplyIfNotExist.

Alrighty. This is fixed in 2.15?

> However the
> second problem with what you are doing is that after the first insertion of the
> Ascend-Data-Filter, you then have an attribute of that name, and further
> additions with the same name will fail, by definition.

?? How do I send back multiple definitions of the same attribute? If I set this up as a 'replyitem' (pulled from LDAP) it works fine. It's just when it's being pulled from the configuration file that it fails. How would you send back a complex data filter?

> I think you will have to send me a copy of your configuration file together
> with an explanation of what you are trying to do.

No problem. Here it is:

--config file---
AuthByPolicy ContinueUntilAccept
DBSource dbi:Pg:dbname=radiator;host=10.0.0.1
DBUsername
DBAuth
# by leaving 'AuthSelect' blank... no authentication is done
AuthSelect
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct_Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef ASYNCIPADDRESS,Framed-IP-Address
HoldServerConnection
NoDefaultIfFound
Host localhost
Port 389
BaseDN ou=mydomain.com, o=mycompany
UsernameAttr uid
PasswordAttr userpassword
AuthAttrDef netmask, Framed-IP-Netmask, reply
ReplyAttr replyitems
AddToReplyIfNotExist Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0
# AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 10.0.0.5", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"
---END---

The reasoning: the 'AddToReplyIfNotExist' that is not commented out is the one I'm currently using (all attributes _ARE_ being returned properly BTW). The commented one is the data filter that I was testing. The only attribute that gets sent is the first one (which is bad because it'll only forward established connections). What I _WANT_ to happen is for an entire filter sequence to be sent to the NAS that says:

    if it's an established connection, forward it
    if the destination is 10.0.0.5, forward it
    if the destination port is 25, drop it
    forward everything else

The purpose of this is to restrict dialup users to only being able to use designated SMTP relays.

If I add this to an individual user and allow it to be pulled in via ReplyAttr (from OpenLDAP):

uid=seames, ou=mydomain.com, o=mycompany
ou=mydomain.com
userpassword=supersecretpassword
gecos=Steve Ames
loginshell=/usr/local/bin/tcsh
protocol=PPP
uid=seames
homedirectory=/home/s/seames
enabled=1
replyitems=Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 10.0.0.5", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"

This works just fine. All of the attributes are returned correctly and in the order they appear:

winrad1# radpwtst -s 127.0.0.1 -secret supersecret -trace -user [EMAIL PROTECTED] -password supersecretpassword
Code: Access-Request
Identifier: 211
Authentic: 1234567890123456
Attributes:
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = "<213>*S<191>U<190><8> K<230>Yze1<22><247>"
sending Access-Request...
OK
Code: Access-Accept
Identifier: 211
Authentic: <11>~<226><184>3<167><156>;<167>q=<241><196>o<218><224>
Attributes:
        Ascend-Data-Filter = ip in forward tcp est
        Ascend-Data-Filter = ip in forward dstip 10.0.0.5/32
        Ascend-Data-Filter = ip in drop tcp dstport = 25
        Ascend-Data-Filter = ip in forward
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Maximum-Time = 0

Works fine from a ReplyAttr. But if the account doesn't have the ReplyAttr information and I, instead, want to insert it using "AddToReplyIfNotExist" then it fails. Help?

-Steve
Re: Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded
Hello Steve -

On Fri, 03 Mar 2000, Steven E. Ames wrote:
> I sent this message in last week but never saw any responses. It's a
> tricky one.
> What it seems like is that there is a limit to how long a single line in
> the configuration file can be. Although it always cuts off after the
> first set of quotes so maybe this isn't it.
>
> And I have had no success in having multiple 'AddToReplyIfNotExist'
> lines (the last one gets used it seems).
>
> I really need to nail this problem by the end of the week and would
> appreciate any help that can be thrown my way. Thanks.
>

Well, you are seeing two problems - the first was a "bug" in 2.14.1 in that only a single attribute would be handled by AddToReplyIfNotExist. However the second problem with what you are doing is that after the first insertion of the Ascend-Data-Filter, you then have an attribute of that name, and further additions with the same name will fail, by definition.

I think you will have to send me a copy of your configuration file together with an explanation of what you are trying to do.

thanks

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded
I sent this message in last week but never saw any responses. It's a tricky one.

What it seems like is that there is a limit to how long a single line in the configuration file can be. Although it always cuts off after the first set of quotes so maybe this isn't it.

And I have had no success in having multiple 'AddToReplyIfNotExist' lines (the last one gets used it seems).

I really need to nail this problem by the end of the week and would appreciate any help that can be thrown my way. Thanks.

-Steve

> > I want to add a filter to the authentication reply. This filter will only
> > go to Ascend TNT so the syntax here is correct. This works fine as a
> > 'replyitem' on individual accounts but I cannot get it to be included
> > across the board.
> >
> > What I'm trying to do is:
> >
> > AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp
> est",Ascend-Data-Filter="ip in forward dstip 204.120.165.33",
> Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in
> forward"
> >
> > I'm only seeing the 1st part of the filter in the reply packet and then
> > an ERR in the log file saying the rest is a bad A/V pair.
> >
> > Are the quotes confusing things?
> >
> > Radiator version 1.14.1 (just downloaded 1.15 to put into my test
> > environment)
> >
> > -Steve
Re: (RADIATOR) Problem with AddToReplyIfNotIncluded
> Hi Steven,
>
> You have uncovered a bug here, that is triggered by white space before an
> attribute name in an AddToReplyIfNotExist. We have fixed that for the next
> release. Thanks for reporting it.
>
> All the same, Radiator is only going to add the first Ascend-Data-Filter in
> your AddToReplyIfNotExist, since when it looks at the second one, it will
> find there is already an Ascend-Data-Filter in the reply, and decline to
> add it and all the following ones.

Hmm, seems I have some hacking to do. I planned to use this next week for this new customer. I'll have a look. Too bad Ascend filters always come in pairs (or more).

I have patched AuthLDAP.pm to be able to just supply a filter name, instead of the whole lot of AV pairs. AuthLDAP.pm now uses this name to lookup the filter definition in a file and then reply_parse's this filter def. in the reply packet. Very neat, makes changing filters so much easier. I'll send in the patch this week.

- Joost.

> Hope that helps
> Cheers.
>
> On Feb 22, 4:31pm, Steven Ames wrote:
> > Subject: (RADIATOR) Problem with AddToReplyIfNotIncluded
> >
> > I want to add a filter to the authentication reply. This filter will only
> > go to Ascend TNT so the syntax here is correct. This works fine as a
> > 'replyitem' on individual accounts but I cannot get it to be included
> > across the board.
> >
> > What I'm trying to do is:
> >
> > AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp
> est",Ascend-Data-Filter="ip in forward dstip 204.120.165.33",
> Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in
> forward"
> >
> > I'm only seeing the 1st part of the filter in the reply packet and then
> > an ERR in the log file saying the rest is a bad A/V pair.
> >
> > Are the quotes confusing things?
> >
> > Radiator version 1.14.1 (just downloaded 1.15 to put into my test
> > environment)
> >
> > -Steve
> >-- End of excerpt from Steven Ames
>
> --
> Mike McCauley                                [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd             Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
> Phone +61 3 9598-0985                        Fax +61 3 9598-0955
Re: (RADIATOR) Problem with AddToReplyIfNotIncluded
Hi Steven,

You have uncovered a bug here, that is triggered by white space before an attribute name in an AddToReplyIfNotExist. We have fixed that for the next release. Thanks for reporting it.

All the same, Radiator is only going to add the first Ascend-Data-Filter in your AddToReplyIfNotExist, since when it looks at the second one, it will find there is already an Ascend-Data-Filter in the reply, and decline to add it and all the following ones.

Hope that helps
Cheers.

On Feb 22, 4:31pm, Steven Ames wrote:
> Subject: (RADIATOR) Problem with AddToReplyIfNotIncluded
>
> I want to add a filter to the authentication reply. This filter will only
> go to Ascend TNT so the syntax here is correct. This works fine as a
> 'replyitem' on individual accounts but I cannot get it to be included
> across the board.
>
> What I'm trying to do is:
>
> AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 204.120.165.33", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"
>
> I'm only seeing the 1st part of the filter in the reply packet and then
> an ERR in the log file saying the rest is a bad A/V pair.
>
> Are the quotes confusing things?
>
> Radiator version 1.14.1 (just downloaded 1.15 to put into my test
> environment)
>
> -Steve
>-- End of excerpt from Steven Ames
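The two behaviours described in this thread (Mike's parser bug on white space before an attribute name, and the per-attribute "not exist" check that Joost and Mike say stops after the first Ascend-Data-Filter) can be shown side by side. The Python below is an added illustration, not Radiator's own Perl code: a small AV-pair parser that tolerates the leading white space, the existing per-attribute semantics, and the per-name semantics that Joost's proposed AddFilterToReplyIfNotIncluded would need. The function names are assumptions made for this example; the sample line is the one from Steve's config above.

```python
import re

# Sample AddToReplyIfNotExist argument taken from Steve's config in this thread,
# including the white space after the second comma that tripped the 2.14.1 parser.
FILTER_LINE = ('Ascend-Data-Filter="ip in forward tcp est",'
               'Ascend-Data-Filter="ip in forward dstip 10.0.0.5", '
               'Ascend-Data-Filter="ip in drop tcp dstport=25",'
               'Ascend-Data-Filter="ip in forward"')

# One AV pair: optional white space, name, '=', a quoted or bare value,
# then a comma or end of string. Quoted values may contain spaces and '='.
_AV_RE = re.compile(r'\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|$)')

def parse_av_pairs(text):
    """Split a comma-separated AV-pair list into (name, value) tuples."""
    pairs, pos = [], 0
    while pos < len(text):
        m = _AV_RE.match(text, pos)
        if not m:  # the kind of input Radiator logged as a bad A/V pair
            raise ValueError(f"bad A/V pair at offset {pos}: {text[pos:]!r}")
        name, quoted, bare = m.groups()
        pairs.append((name, quoted if quoted is not None else bare))
        pos = m.end()
    return pairs

def add_to_reply_if_not_exist(reply, pairs):
    """Per-attribute check, as Joost and Mike describe it: the reply is
    re-examined for each pair, so once the first Ascend-Data-Filter is in,
    every later Ascend-Data-Filter counts as 'already present' and is skipped."""
    for name, value in pairs:
        if not any(n == name for n, _ in reply):
            reply.append((name, value))
    return reply

def add_filter_to_reply_if_not_included(reply, pairs):
    """Per-name check (the semantics the proposed directive needs): decide
    once, before adding anything, which names are absent from the reply, then
    add every value for those names so a multi-line Ascend filter stays whole."""
    absent = {n for n, _ in pairs} - {n for n, _ in reply}
    for name, value in pairs:
        if name in absent:
            reply.append((name, value))
    return reply

def filters_in(reply):
    """Return the Ascend-Data-Filter values of a reply, in order."""
    return [v for n, v in reply if n == "Ascend-Data-Filter"]
```

With an empty reply, `filters_in(add_to_reply_if_not_exist([], parse_av_pairs(FILTER_LINE)))` yields only the first filter, while the per-name variant yields all four in order, which is what the radpwtst capture above shows for the ReplyAttr path.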
(RADIATOR) Problem with AddToReplyIfNotIncluded
I want to add a filter to the authentication reply. This filter will only go to Ascend TNT so the syntax here is correct. This works fine as a 'replyitem' on individual accounts but I cannot get it to be included across the board.

What I'm trying to do is:

AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 204.120.165.33", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"

I'm only seeing the 1st part of the filter in the reply packet and then an ERR in the log file saying the rest is a bad A/V pair.

Are the quotes confusing things?

Radiator version 1.14.1 (just downloaded 1.15 to put into my test environment)

-Steve