Re: (RADIATOR) cisco-avpair accounting

2003-10-09 Thread Hugh Irvine
Hello Jesus -

If you are receiving multiple attributes with the same name (i.e. 
cisco-avpair = .) then yes you will need to use a Hook to parse 
them into separate differently named attributes. Then you can use the 
AcctColumnDefs in your AuthBy SQL clause.

regards

Hugh

On Friday, Oct 10, 2003, at 05:01 Australia/Melbourne, Jesus Rodriguez 
wrote:

Hello,

Is it still needed to use a PreClientHook to make mysql accounting of
multiple cisco-avpair attributes?
Thanks.

---
Jesus Rodriguez
Endercom Comunicaciones, S.L.
[EMAIL PROTECTED]
http://www.endercom.com
Tel. +34 934424293
---
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
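
Added example, not part of the thread and not Radiator code: the renaming step described in the reply above, written as stand-alone Python rather than as a Radiator Perl hook. It gives each repeated cisco-avpair value its own attribute name (also handling the "*" separator and "#N" suffixes) and maps the result to columns the way AcctColumnDef triples do, with every packet value passed as a bind parameter. The generated attribute names, COLUMN_DEFS, the two extra columns and the sample packet are constructed assumptions.

```python
import re
import sqlite3

# Cisco AV pair layout: [protocol:]attribute<sep>value, where <sep> is "="
# (mandatory) or "*" (optional). Only the first separator splits the string.
AVPAIR_RE = re.compile(
    r"^(?:(?P<proto>[A-Za-z0-9_-]+):)?"
    r"(?P<attr>[A-Za-z0-9_#-]+)"
    r"(?P<sep>[=*])"
    r"(?P<value>.*)$",
    re.DOTALL,
)

# Constructed Accounting-Request attributes, in packet order.
SAMPLE_ACCT = [
    ("User-Name", "o'brien@example.net"),
    ("Acct-Session-Time", "3600"),
    ("cisco-avpair", "connect-progress=Call Up"),
    ("cisco-avpair", "ip:dns-servers=192.0.2.53 192.0.2.54"),
    ("cisco-avpair", "no separator here"),
]

# Same shape as AcctColumnDef: column, attribute, optional type.
# The last two columns and their attribute names are assumptions.
COLUMN_DEFS = [
    ("USERNAME", "User-Name", ""),
    ("ACCTSESSIONTIME", "Acct-Session-Time", "integer"),
    ("CONNECTPROGRESS", "cisco-avpair-connect-progress", ""),
    ("DNSSERVERS", "cisco-avpair-ip-dns-servers", ""),
]


def split_avpairs(attrs, source="cisco-avpair"):
    """Give every repeated `source` attribute a distinct name.

    attrs is a list of (name, value) tuples. Returns (renamed, rejected):
    renamed maps attribute name -> list of values, rejected holds avpair
    strings that do not match the layout and were therefore not renamed.
    """
    renamed, rejected = {}, []
    for name, value in attrs:
        if name.lower() != source:
            renamed.setdefault(name, []).append(value)
            continue
        m = AVPAIR_RE.match(value)
        if m is None:
            rejected.append(value)
            continue
        parts = [source, m.group("proto"), m.group("attr")]
        new_name = "-".join(p for p in parts if p).replace("#", "-")
        renamed.setdefault(new_name, []).append(m.group("value"))
    return renamed, rejected


def build_insert(table, column_defs, renamed):
    """Build a parameterised INSERT from AcctColumnDef-style triples.

    Table and column names come from configuration only. Values taken from
    the packet are returned as bind parameters, never spliced into the SQL.
    """
    columns, params = [], []
    for column, attribute, kind in column_defs:
        values = renamed.get(attribute)
        if not values:
            continue  # attribute absent from this packet: omit the column
        if kind == "integer":
            text = str(values[0]).strip()
            if not re.fullmatch(r"-?\d+", text):
                continue  # not a number: omit rather than store garbage
            params.append(int(text))
        else:
            params.append(",".join(values))
        columns.append(column)
    if not columns:
        return None, []
    marks = ", ".join("?" for _ in columns)
    sql = f"INSERT INTO {table} ({', '.join(columns)}) VALUES ({marks})"
    return sql, params


def store(attrs, table="RADUSAGE"):
    """Run the whole path against an in-memory SQLite table."""
    renamed, rejected = split_avpairs(attrs)
    sql, params = build_insert(table, COLUMN_DEFS, renamed)
    db = sqlite3.connect(":memory:")
    names = ", ".join(column for column, _, _ in COLUMN_DEFS)
    db.execute(f"CREATE TABLE {table} ({names})")
    db.execute(sql, params)
    row = db.execute(f"SELECT {names} FROM {table}").fetchone()
    db.close()
    return row, rejected


if __name__ == "__main__":
    print(store(SAMPLE_ACCT))
```

The user name with an apostrophe is stored intact because it travels as a parameter; avpair strings that do not parse are returned in the rejected list instead of being written under a guessed name.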


Re: (RADIATOR) Cisco AVPAIR not working

2002-09-04 Thread Claudio Lapidus

Hello Thony,

On the 5300 terminal, do:

debug radius
debug aaa authorization
terminal monitor

then make a test call and see what comes out. I think you'll see the router 
ignoring or flagging one of the attributes as erroneous.

BTW, your IOS version looks rather old. I wouldn't expect avpairs to do 
their job properly in anything older than 12.1. If you come to see something 
odd at the debug output, you may want to upgrade IOS to, say, 12.2.6 or 
better.

regards
cl.



From: Anthony Roque Adriano [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Cisco AVPAIR not working
Date: Wed, 4 Sep 2002 10:31:51 +0800

Hello,

Am currently configuring RADIATOR to give a DNS entry instead of the RAS 
giving it. The setup is working for the ASCEND RAS but for my CISCO 5300 
it's not.  Have gone through the mailing list and tried all suggestions, but 
still can't get it to work, can anyone point out what I'm doing wrong.

Here's my config :

  #LogStdout
LogDir  /var/log/radius-log
LogFile %L/%Y-%m-%d-radiuslog
DbDir   /usr/local/etc/raddb

DictionaryFile  /usr/local/etc/raddb/dictionary.cisco
DictionaryFile  /usr/local/etc/raddb/dictionary.ascend2
DictionaryFile  /usr/local/etc/raddb/dictionary.livingston
DictionaryFile  /usr/local/etc/raddb/dictionary

# Dont turn this up too high, since all log messages are logged
# to the RADMESSAGES table in the database. 3 will give you everything
# except debugging messages
Trace 4

<AuthBy RADMIN>
 Identifier Acceptmehere


 # Change DBSource, DBUsername, DBAuth for your database
 # See the reference manual. You will also have to
 # change the one in <SessionDatabse SQL> below
 # so its the same
 DBSource    dbi:mysql:#
 DBUsername  ##
 DBAuth  ##

 # Only one session per user at a time
 #DefaultSimultaneousUse 1

 # Let the user in if they have any time left
 # Set the Session-timeout to timeleft
 AuthSelect select PASS_WORD,STATICADDRESS,\
 MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID \
 from RADUSERS where (USERNAME='%n' and VALIDFROM  %t )

 AuthColumnDef   0,User-Password,check
 AuthColumnDef   1,Filter-Id,reply
 AuthColumnDef   2,Session-Timeout,reply
 AuthColumnDef   3,Simultaneous-Use,check

 # You can add to or change these if you want, but you
 # will probably want to change the database schema first
 AccountingTable RADUSAGE
 AcctColumnDef   USERNAME,User-Name
 AcctColumnDef   TIME_STAMP,Timestamp,integer
 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
 AcctColumnDef   ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
 AcctColumnDef   NASPORT,NAS-Port,integer
 AcctColumnDef   DNIS,Called-Station-Id
 AcctColumnDef   CALLERID,Calling-Station-Id

 AcctColumnDef   NASPORT,NAS-Port,integer
 AcctColumnDef   DNIS,Called-Station-Id
 AcctColumnDef   CALLERID,Calling-Station-Id


 # These are the classic things to add to each users
 # reply to allow a PPP dialup session. It may be
 # different for your NAS. This will add some
 # reply items to everyone's reply
 # Add Idle-Timeout of 15 mins
 DefaultReply Service-Type = Framed-User, \
 Framed-Protocol = PPP, \
 Framed-IP-Netmask = 255.255.255.255, \
 Framed-Routing = None, \
 Framed-MTU = 1500, \
 Framed-Compression = Van-Jacobson-TCP-IP, \
 Idle-Timeout = 900, \
 cisco-avpair= "ip:dns-servers=xxx.xxx.xxx.xxx", \
 Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx,\
 Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx,\
 Ascend-Client-Assign-DNS = DNS-Assign-Yes


</AuthBy>



<Handler Realm=myrealm>
 AuthBy Acceptmehere

  # Show rejection reason to users
 RejectHasReason


By the way, im using Cisco 5300,

Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C5300-IS-M), Version 12.0(7)T,  RELEASE SOFTWARE 
(fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 08-Dec-99 20:25 by phanguye
Image text-base: 0x600088F8, data-base: 0x60C6A000


And here is my RADIUS log file

Tue Sep  3 15:13:37 2002: DEBUG: Packet dump

(RADIATOR) Cisco AVPAIR not working

2002-09-03 Thread Anthony Roque Adriano



Hello,

Am currently configuring RADIATOR to give a DNS entry instead of the RAS giving it. The setup is working for the ASCEND RAS but for my CISCO 5300 it's not. Have gone through the mailing list and tried all suggestions, but still can't get it to work, can anyone point out what I'm doing wrong.

Here's my config:

#LogStdout
LogDir  /var/log/radius-log
LogFile %L/%Y-%m-%d-radiuslog
DbDir   /usr/local/etc/raddb

DictionaryFile  /usr/local/etc/raddb/dictionary.cisco
DictionaryFile  /usr/local/etc/raddb/dictionary.ascend2
DictionaryFile  /usr/local/etc/raddb/dictionary.livingston
DictionaryFile  /usr/local/etc/raddb/dictionary

# Dont turn this up too high, since all log messages are logged
# to the RADMESSAGES table in the database. 3 will give you everything
# except debugging messages
Trace 4

<AuthBy RADMIN>
    Identifier Acceptmehere

    # Change DBSource, DBUsername, DBAuth for your database
    # See the reference manual. You will also have to
    # change the one in <SessionDatabse SQL> below
    # so its the same
    DBSource    dbi:mysql:#
    DBUsername  ##
    DBAuth  ##

    # Only one session per user at a time
    #DefaultSimultaneousUse 1

    # Let the user in if they have any time left
    # Set the Session-timeout to timeleft
    AuthSelect select PASS_WORD,STATICADDRESS,\
    MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID \
    from RADUSERS where (USERNAME='%n' and VALIDFROM  %t )

    AuthColumnDef   0,User-Password,check
    AuthColumnDef   1,Filter-Id,reply
    AuthColumnDef   2,Session-Timeout,reply
    AuthColumnDef   3,Simultaneous-Use,check

    # You can add to or change these if you want, but you
    # will probably want to change the database schema first
    AccountingTable RADUSAGE
    AcctColumnDef   USERNAME,User-Name
    AcctColumnDef   TIME_STAMP,Timestamp,integer
    AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
    AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
    AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
    AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
    AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
    AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
    AcctColumnDef   ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
    AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
    AcctColumnDef   NASIDENTIFIER,NAS-Identifier
    AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
    AcctColumnDef   NASPORT,NAS-Port,integer
    AcctColumnDef   DNIS,Called-Station-Id
    AcctColumnDef   CALLERID,Calling-Station-Id

    AcctColumnDef   NASPORT,NAS-Port,integer
    AcctColumnDef   DNIS,Called-Station-Id
    AcctColumnDef   CALLERID,Calling-Station-Id

    # These are the classic things to add to each users
    # reply to allow a PPP dialup session. It may be
    # different for your NAS. This will add some
    # reply items to everyone's reply
    # Add Idle-Timeout of 15 mins
    DefaultReply Service-Type = Framed-User, \
    Framed-Protocol = PPP, \
    Framed-IP-Netmask = 255.255.255.255, \
    Framed-Routing = None, \
    Framed-MTU = 1500, \
    Framed-Compression = Van-Jacobson-TCP-IP, \
    Idle-Timeout = 900, \
    cisco-avpair= "ip:dns-servers=xxx.xxx.xxx.xxx", \
    Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx,\
    Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx,\
    Ascend-Client-Assign-DNS = DNS-Assign-Yes

</AuthBy>

<Handler Realm=myrealm>
    AuthBy Acceptmehere

    # Show rejection reason to users
    RejectHasReason

By the way, I'm using Cisco 5300,

Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C5300-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 08-Dec-99 20:25 by phanguye
Image text-base: 0x600088F8, data-base: 0x60C6A000

And here is my RADIUS log file

Tue Sep 3 15:13:37 2002: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 33554
Code:       Access-Request
Identifier: 174
Authentic:  E1472035162145t149E3180T1942022318
Attributes:
    NAS-IP-Address = xxx.xxx.xxx.xxx
    NAS-Port = 228
    NAS-Port-Type = Virtual
    User-Name = "user@myrealm"
    Called-Station-Id = ""
    Calling-Station-Id = ""
    User-Password = "212 1441647176206113182255165164141145181149"
    Service-Type = Framed-User
    Framed-Protocol = PPP

Tue Sep 3 15:13:37 2002: DEBUG: Check if Handler Realm=myrealm should be used to handle this request
Tue Sep 3 15:13:37 2002: DEBUG: Handling request with Handler 'Realm=myrealm'
Tue Sep 3 15:13:37 2002: DEBUG: Deleting session for user@myrealm, xxx.xxx.xxx.xxx, 228
Tue Sep 3 15:13:37 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=0228

Tue Sep 3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Handling with Radius::AuthRADMIN')

Tue Sep 3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Handling with Radius::AuthRADMIN: Acceptmehere')

Tue Sep 3 15:13:37 2002: DEBUG: Query is: select

Re: (RADIATOR) Cisco AVPAIR not working

2002-09-03 Thread Hugh Irvine
 Hello Anthony -

You will have to check a debug on the Cisco to see what is happening, and you will have to check with Cisco to ascertain the correct syntax for the cisco-avpair. It may also be possible to use Ascend compatibility on the Cisco to achieve this.

I do not believe there is any way to override hard-coded DNS settings on a host, although someone else on the list may know more than I do.

regards

Hugh



On Wednesday, September 4, 2002, at 12:31 PM, Anthony Roque Adriano wrote:

Hello, 
 
Am currently configuring RADIATOR to give a DNS entry instead of the RAS giving it. The setup is working for the ASCEND RAS but for my CISCO 5300 it's not.  Have gone through the mailing list and tried all suggestions, but still can't get it to work, can anyone point out what I'm doing wrong.
 
Here's my config :
 
 #LogStdout
LogDir  /var/log/radius-log
LogFile %L/%Y-%m-%d-radiuslog
DbDir   /usr/local/etc/raddb
 
DictionaryFile  /usr/local/etc/raddb/dictionary.cisco
DictionaryFile  /usr/local/etc/raddb/dictionary.ascend2
DictionaryFile  /usr/local/etc/raddb/dictionary.livingston
DictionaryFile  /usr/local/etc/raddb/dictionary
 
# Dont turn this up too high, since all log messages are logged
# to the RADMESSAGES table in the database. 3 will give you everything
# except debugging messages
Trace 4
 
<AuthBy RADMIN>
    Identifier Acceptmehere
 

    # Change DBSource, DBUsername, DBAuth for your database
    # See the reference manual. You will also have to
    # change the one in <SessionDatabse SQL> below
    # so its the same
    DBSource    dbi:mysql:#
    DBUsername  ##
    DBAuth  ##
 
    # Only one session per user at a time
    #DefaultSimultaneousUse 1
 
    # Let the user in if they have any time left
    # Set the Session-timeout to timeleft
    AuthSelect select PASS_WORD,STATICADDRESS,\
    MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID \
    from RADUSERS where (USERNAME='%n' and VALIDFROM  %t )
 
    AuthColumnDef   0,User-Password,check
    AuthColumnDef   1,Filter-Id,reply
    AuthColumnDef   2,Session-Timeout,reply
    AuthColumnDef   3,Simultaneous-Use,check
 
    # You can add to or change these if you want, but you
    # will probably want to change the database schema first
    AccountingTable RADUSAGE
    AcctColumnDef   USERNAME,User-Name
    AcctColumnDef   TIME_STAMP,Timestamp,integer
    AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
    AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
    AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
    AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
    AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
    AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
    AcctColumnDef   ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
    AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
    AcctColumnDef   NASIDENTIFIER,NAS-Identifier
    AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
    AcctColumnDef   NASPORT,NAS-Port,integer
    AcctColumnDef   DNIS,Called-Station-Id
    AcctColumnDef   CALLERID,Calling-Station-Id
 
    AcctColumnDef   NASPORT,NAS-Port,integer
    AcctColumnDef   DNIS,Called-Station-Id
    AcctColumnDef   CALLERID,Calling-Station-Id
 

    # These are the classic things to add to each users
    # reply to allow a PPP dialup session. It may be
    # different for your NAS. This will add some
    # reply items to everyone's reply
    # Add Idle-Timeout of 15 mins
    DefaultReply Service-Type = Framed-User, \
    Framed-Protocol = PPP, \
    Framed-IP-Netmask = 255.255.255.255, \
    Framed-Routing = None, \
    Framed-MTU = 1500, \
    Framed-Compression = Van-Jacobson-TCP-IP, \
    Idle-Timeout = 900, \
    cisco-avpair= "ip:dns-servers=xxx.xxx.xxx.xxx", \
    Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx,\
    Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx,\
    Ascend-Client-Assign-DNS = DNS-Assign-Yes
   
 
</AuthBy>
 
 
 
<Handler Realm=myrealm>
    AuthBy Acceptmehere
   
 # Show rejection reason to users
    RejectHasReason
 

By the way, im using Cisco 5300,
 
Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C5300-IS-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 08-Dec-99 20:25 by phanguye
Image text-base: 0x600088F8, data-base: 0x60C6A000
 

And here is my RADIUS log file
 
Tue Sep  3 15:13:37 2002: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 33554 
Code:   Access-Request
Identifier: 174
Authentic:  

(RADIATOR) cisco avpair questions

2002-01-17 Thread Mike Greene

Hello again,

Making some progress on this issue but have run into a problem.  We are 
trying to assign IP static addresses via radius, and also have radius 
reference a dynamic IP pool on a cisco 7206vxr router.  We have followed 
the advice given by cisco TAC and suggestions by Hugh here, but still quite 
haven't got it resolved.

We have the following configuration on our cisco:

!
interface Virtual-Template1
  ip unnumbered FastEthernet0/0
  ip mtu 1492
  no peer default ip address pool
  ppp authentication pap centurytel
!
ip local pool centurytel 64.119.12.1 64.119.15.254


And this is a portion of our Radius users file for the cisco 
authenticated users.


DEFAULT Client-Identifier = dsl, Auth-Type = System
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Address = 255.255.255.254,
 Framed-Netmask = 255.255.255.0,
 Framed-Routing = None,
 Framed-Compression = Van-Jacobson-TCP-IP,
 Framed-MTU = 1500,
 cisco-avpair = ip:addr-pool=centurytel

However when we implement this DSL users will not authenticate and receive 
an IP address.

What are we missing here?

- Mike


Rock Island Communications, Inc.  (360)-378-5884
http://www.rockisland.com/  San Juan Islands, WA





Re: (RADIATOR) cisco avpair questions

2002-01-17 Thread Hugh Irvine


Hello Mike -

As usual, I will need to see a copy of your configuration file (no secrets) 
together with a trace 4 debug from Radiator showing what is going on. 

You should also run a debug on the Cisco to see what it is doing.

thanks

Hugh


On Fri, 18 Jan 2002 08:10, Mike Greene wrote:
 Hello again,

 Making some progress on this issue but have run into a problem.  We are
 trying to assign IP static addresses via radius, and also have radius
 reference a dynamic IP pool on a cisco 7206vxr router.  We have followed
 the advice given by cisco TAC and suggestions by Hugh here, but still quite
 haven't got it resolved.

 We have the following configuration on our cisco:

 !
 interface Virtual-Template1
   ip unnumbered FastEthernet0/0
   ip mtu 1492
   no peer default ip address pool
   ppp authentication pap centurytel
 !
 ip local pool centurytel 64.119.12.1 64.119.15.254


 And this is a portion of our Radius users file for the cisco
 authenticated users.


 DEFAULT Client-Identifier = dsl, Auth-Type = System
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Address = 255.255.255.254,
  Framed-Netmask = 255.255.255.0,
  Framed-Routing = None,
  Framed-Compression = Van-Jacobson-TCP-IP,
  Framed-MTU = 1500,
  cisco-avpair = ip:addr-pool=centurytel

 However when we implement this DSL users will not authenticate and receive
 an IP address.

 What are we missing here?

 - Mike

 
 Rock Island Communications, Inc.  (360)-378-5884
 http://www.rockisland.com/  San Juan Islands, WA
 


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



(RADIATOR) Cisco avpair

2001-12-20 Thread Kyle

Hugh,

 Running radiator 2.2.18, and I need to return cisco-avpair attributes
for IP address and netmask. I'm not too familiar with how to do this.
Right now my config looks like this:


<Realm bnsi.net>

AuthByPolicy ContinueWhileAccept

## ReWrite the username to take off everything after the '@'
RewriteUsername s/^([^@]+).*/$1/

<AuthBy SQL>
# Adjust DBSource, DBUsername, DBAuth to suit your DB

DBSource    dbi:mysql:radius
DBUsername  radius
DBAuth  s3$5#G5b

Timeout 30
FailureBackoffTime  300
RejectEmptyPassword

AuthSelect  select PASSWORD, ENCRYPTEDPASSWORD, \
IPADDRESS, IPNETMASK from DSLSUBSCRIBERS \
where USERNAME='%n' and STATUS='A'

AuthColumnDef 0, User-Password, check
AuthColumnDef 1, Encrypted-Password, check
AuthColumnDef 2, Framed-IP-Address, reply
AuthColumnDef 3, Framed-Netmask, reply


# You may want to tailor these for your ACCOUNTING table
# You can add your own columns to store whatever you like

AccountingTable ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef   CSID,Calling-Station-Id
AcctColumnDef   RXSPEED,Ascend-Data-Rate
AcctColumnDef   TXSPEED,Ascend-Xmit-Rate
AcctColumnDef   INOCTETS,Acct-Input-Octets
AcctColumnDef   OUTOCTETS,Acct-Output-Octets

AcctColumnDef   INPACKETS,Acct-Input-Packets
AcctColumnDef   OUTPACKETS,Acct-Output-Packets
AcctColumnDef   NASPORTTYPE,NAS-Port-Type
AcctColumnDef   PATTONACCTTERMINATE,Acct-Terminate-Cause
AcctColumnDef   ASCENDACCTTERMINATE,Ascend-Disconnect-Cause

# You can arrange to log accounting to a file if the
# SQL insert fails with AcctFailedLogFileName
# That way you could recover from a broken SQL
# server
#AcctFailedLogFileName %D/missedaccounting
</AuthBy>

<AuthBy DYNADDRESS>

# Point to the address allocator

Allocator DSLallocator

</AuthBy>

SessionDatabase SDBDSL
AuthLog AuthLogDSL
</Realm>

The reply packet sends back Framed-IP-Address and Framed-IP-Netmask as
the reply attributes, the Address allocator works fine if a static Ip is
not assigned in the customer profile. I just need to return in
cisco-avpair


-- 
Kyle Hultman
[EMAIL PROTECTED]
Senior Network Engineer
Broadband Networks
(434) 817-7300 ext 305



Re: (RADIATOR) Cisco avpair

2001-12-20 Thread Hugh Irvine


Hello Kyle -

Do you want to return cisco-avpairs for the static addresses in the user 
records, or the dynamic addresses from the address allocator (or both)?

thanks

Hugh

On Fri, 21 Dec 2001 10:13, Kyle wrote:
 Hugh,

  Running radiator 2.2.18, and I need to return cisco-avpair attributes
 for IP address and netmask. I'm not too familiar with how to do this.
 Right now my config looks like this:


 <Realm bnsi.net>

 AuthByPolicy ContinueWhileAccept

 ## ReWrite the username to take off everything after the '@'
 RewriteUsername s/^([^@]+).*/$1/

 <AuthBy SQL>
 # Adjust DBSource, DBUsername, DBAuth to suit your DB

 DBSource    dbi:mysql:radius
 DBUsername  radius
 DBAuth  s3$5#G5b

 Timeout 30
 FailureBackoffTime  300
 RejectEmptyPassword

 AuthSelect  select PASSWORD, ENCRYPTEDPASSWORD, \
 IPADDRESS, IPNETMASK from DSLSUBSCRIBERS \
 where USERNAME='%n' and STATUS='A'

 AuthColumnDef 0, User-Password, check
 AuthColumnDef 1, Encrypted-Password, check
 AuthColumnDef 2, Framed-IP-Address, reply
 AuthColumnDef 3, Framed-Netmask, reply


 # You may want to tailor these for your ACCOUNTING table
 # You can add your own columns to store whatever you like

 AccountingTable ACCOUNTING
 AcctColumnDef   USERNAME,User-Name
 AcctColumnDef   TIME_STAMP,Timestamp,integer
 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
 AcctColumnDef   NASPORT,NAS-Port,integer
 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
 AcctColumnDef   CSID,Calling-Station-Id
 AcctColumnDef   RXSPEED,Ascend-Data-Rate
 AcctColumnDef   TXSPEED,Ascend-Xmit-Rate
 AcctColumnDef   INOCTETS,Acct-Input-Octets
 AcctColumnDef   OUTOCTETS,Acct-Output-Octets

 AcctColumnDef   INPACKETS,Acct-Input-Packets
 AcctColumnDef   OUTPACKETS,Acct-Output-Packets
 AcctColumnDef   NASPORTTYPE,NAS-Port-Type
 AcctColumnDef   PATTONACCTTERMINATE,Acct-Terminate-Cause
 AcctColumnDef   ASCENDACCTTERMINATE,Ascend-Disconnect-Cause

 # You can arrange to log accounting to a file if the
 # SQL insert fails with AcctFailedLogFileName
 # That way you could recover from a broken SQL
 # server
 #AcctFailedLogFileName %D/missedaccounting
 </AuthBy>

 <AuthBy DYNADDRESS>

 # Point to the address allocator

 Allocator DSLallocator

 </AuthBy>

 SessionDatabase SDBDSL
 AuthLog AuthLogDSL
 </Realm>

 The reply packet sends back Framed-IP-Address and Framed-IP-Netmask as
 the reply attributes, the Address allocator works fine if a static Ip is
 not assigned in the customer profile. I just need to return in
 cisco-avpair




Re: (RADIATOR) Cisco avpair problem

2001-11-20 Thread Boer, A.P. de (Alexander)

On Tuesday 20 November 2001 05:30, Gustavo Moreira wrote:
 I have problems when wanting to permit only the access only to certain
 HOSTS and DNS in a Cisco 7500.

 AddToReply  \
 cisco-avpair = "ip:inacl#0=permit ip any any precedence immediate",\
 cisco-avpair = "ip:inacl#1=permit udp any host 200.45.0.115 eq 53",\
 cisco-avpair = "ip:inacl#2=permit udp any host 200.45.191.35 eq 53",\
 cisco-avpair = "ip:inacl#3=permit tcp any any established",\
 cisco-avpair = "ip:inacl#4=permit tcp any host 200.45.0.42 eq 80",\
 cisco-avpair = "ip:inacl#5=permit tcp any host 200.45.190.149 eq 80",\
 cisco-avpair = "ip:inacl#6=permit tcp any host 200.45.190.150 eq 80",\
 cisco-avpair = "ip:inacl#7=permit tcp any host 200.45.0.35 eq 80",\
 cisco-avpair = "ip:inacl#99=deny ip any any"

 Would it to be ok?

Have a look at www.cisco.com:

E.g.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt24/csnt24ug/ap_rads.htm

http://www.cisco.com/warp/public/131/4.html

Cheers,
Alexander



(RADIATOR) Cisco avpair problem

2001-11-19 Thread Gustavo Moreira



I have problems when wanting to permit only the access only to certain HOSTS and DNS in a Cisco 7500.

AddToReply  \
 cisco-avpair = "ip:inacl#0=permit ip any any precedence immediate",\
 cisco-avpair = "ip:inacl#1=permit udp any host 200.45.0.115 eq 53",\
 cisco-avpair = "ip:inacl#2=permit udp any host 200.45.191.35 eq 53",\
 cisco-avpair = "ip:inacl#3=permit tcp any any established",\
 cisco-avpair = "ip:inacl#4=permit tcp any host 200.45.0.42 eq 80",\
 cisco-avpair = "ip:inacl#5=permit tcp any host 200.45.190.149 eq 80",\
 cisco-avpair = "ip:inacl#6=permit tcp any host 200.45.190.150 eq 80",\
 cisco-avpair = "ip:inacl#7=permit tcp any host 200.45.0.35 eq 80",\
 cisco-avpair = "ip:inacl#99=deny ip any any"

Would it to be ok?



Re: (RADIATOR) Cisco avpair problem

2001-11-19 Thread Hugh Irvine


Hello Gustavo -

On Tuesday 20 November 2001 05:30, Gustavo Moreira wrote:
 I have problems when wanting to permit only the access only to certain
 HOSTS and DNS in a Cisco 7500.

 AddToReply  \
 cisco-avpair = "ip:inacl#0=permit ip any any precedence immediate",\
 cisco-avpair = "ip:inacl#1=permit udp any host 200.45.0.115 eq 53",\
 cisco-avpair = "ip:inacl#2=permit udp any host 200.45.191.35 eq 53",\
 cisco-avpair = "ip:inacl#3=permit tcp any any established",\
 cisco-avpair = "ip:inacl#4=permit tcp any host 200.45.0.42 eq 80",\
 cisco-avpair = "ip:inacl#5=permit tcp any host 200.45.190.149 eq 80",\
 cisco-avpair = "ip:inacl#6=permit tcp any host 200.45.190.150 eq 80",\
 cisco-avpair = "ip:inacl#7=permit tcp any host 200.45.0.35 eq 80",\
 cisco-avpair = "ip:inacl#99=deny ip any any"

 Would it to be ok?

This is more a Cisco question than a Radiator question.

Perhaps someone else on the list can answer?

regards

Hugh





(RADIATOR) cisco-avpair = ip:dns-servers=xxx.xxx.xxx.xxx

2001-10-31 Thread Wayne

My ADSL radwho is working now thanks to Gareth's suggestion. I am trying to
use cisco-avpair = ip:dns-servers=xxx.xxx.xxx.xxx but radiator log tells me
this is a bad attribute. Anyone know what I need to do to get these values
to be passed from my radius to my 7206?

Wayne




Re: (RADIATOR) cisco-avpair = ip:dns-servers=xxx.xxx.xxx.xxx

2001-10-31 Thread Hugh Irvine


Hello Wayne -

The correct syntax for a cisco-avpair is as follows:

cisco-avpair = "ip:dns-servers=xxx.xxx.xxx.xxx"

note the quotes.

regards

Hugh


My ADSL radwho is working now thanks to Gareth's suggestion. I am trying to
use cisco-avpair = ip:dns-servers=xxx.xxx.xxx.xxx but radiator log tells me
this is a bad attribute. Anyone know what I need to do to get these values
to be passed from my radius to my 7206?

Wayne


-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



Re: (RADIATOR) cisco-avpair

2001-04-06 Thread Jesús M Díaz

Hi,

try at the cisco:

 debug aaa per-user
 debug aaa authentication
 debug aaa negotiation

it usually is helpful

rgds.

On Fri, 6 Apr 2001 09:44:25 -0500, Mike McCauley wrote:


--- Forwarded mail from [EMAIL PROTECTED]

Date: Fri, 6 Apr 2001 01:10:25 +1000 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Andrew
[EMAIL PROTECTED]]

Date: Thu, 05 Apr 2001 11:47:24 -0300
From: Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: cisco-avpair

Hello,

I'm just trying to send dns server information back to the client. The
logfile from radius looks fine and appears to be sending the avpair to
the nas but, the dns server addresses are not appearing to the client. I
can't even see the dns servers being sent when debugging ICP
negotiation. any ideas..?

Thanks

users file

test1@test  User-Password=test, Service-Type = Framed-User
 Framed-Protocol = PPP,
 Framed-IP-Netmask=255.255.255.255,
 Framed-Routing = None,
 cisco-avpair ="ip:dns-servers=19.2.2.2 19.7.7.7"

aaa authentication login local group radius
aaa authentication ppp default group radius
aaa authentication ppp vpdn group radius
aaa authorization network default if-authenticated
aaa accounting network default start-stop group radius

radius-server configure-nas
radius-server host radius server auth-port 1812 acct-port 1813
radius-server key **
radius-server vsa send accounting
radius-server vsa send authentication





---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Jesus M Diaz [EMAIL PROTECTED]

Telia Iberia, S.A.
Planificación y Diseño de Red
Tfno: +34 91 623 2909
Fax: +34 91 623 2911






Re: (RADIATOR) cisco-avpair

2001-04-06 Thread Hugh Irvine


Hello Andrew -

I will need to see a trace 4 debug from Radiator, but I agree with you - it 
looks like Radiator is doing the right thing and sending the attribute.

You will probably need to run a debug on the Cisco to see what is happening 
at that end, and you may have to configure something to make the Cisco listen 
to the radius reply.

hth

Hugh


 I'm just trying to send dns server information back to the client. The
 logfile from radius looks fine and appears to be sending the avpair to
 the nas but, the dns server addresses are not appearing to the client. I
 can't even see the dns servers being sent when debugging ICP
 negotiation. any ideas..?

 Thanks

 users file

 test1@test  User-Password=test, Service-Type = Framed-User
  Framed-Protocol = PPP,
  Framed-IP-Netmask=255.255.255.255,
  Framed-Routing = None,
  cisco-avpair ="ip:dns-servers=19.2.2.2 19.7.7.7"

 aaa authentication login local group radius
 aaa authentication ppp default group radius
 aaa authentication ppp vpdn group radius
 aaa authorization network default if-authenticated
 aaa accounting network default start-stop group radius

 radius-server configure-nas
 radius-server host radius server auth-port 1812 acct-port 1813
 radius-server key **
 radius-server vsa send accounting
 radius-server vsa send authentication





 ---End of forwarded mail from [EMAIL PROTECTED]

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




Re: (RADIATOR) cisco-avpair

2001-04-06 Thread Andrew Cochran

Actually the only problem was I wasn't sending the "service-type" back to the
cisco, it appears to be very picky about that vsa in the reply.

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "Andrew" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, April 06, 2001 3:51 AM
Subject: Re: (RADIATOR) cisco-avpair



 Hello Andrew -

 I will need to see a trace 4 debug from Radiator, but I agree with you - it
 looks like Radiator is doing the right thing and sending the attribute.

 You will probably need to run a debug on the Cisco to see what is happening
 at that end, and you may have to configure something to make the Cisco listen
 to the radius reply.

 hth

 Hugh

 
  I'm just trying to send dns server information back to the client. The
  logfile from radius looks fine and appears to be sending the avpair to
  the nas but, the dns server addresses are not appearing to the client. I
  can't even see the dns servers being sent when debugging ICP
  negotiation. any ideas..?
 
  Thanks
 
  users file
 
  test1@test  User-Password=test, Service-Type = Framed-User
   Framed-Protocol = PPP,
   Framed-IP-Netmask=255.255.255.255,
   Framed-Routing = None,
   cisco-avpair ="ip:dns-servers=19.2.2.2 19.7.7.7"
 
  aaa authentication login local group radius
  aaa authentication ppp default group radius
  aaa authentication ppp vpdn group radius
  aaa authorization network default if-authenticated
  aaa accounting network default start-stop group radius
 
  radius-server configure-nas
  radius-server host radius server auth-port 1812 acct-port 1813
  radius-server key **
  radius-server vsa send accounting
  radius-server vsa send authentication
 
 
 
 
 
  ---End of forwarded mail from [EMAIL PROTECTED]

 --
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
 -
 Nets: internetwork inventory and management - graphical, extensible,
 flexible with hardware, software, platform and database independence.
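
Added example, not part of the original thread and not Radiator code: a small users-file check for the failure mode resolved above, where Service-Type sits on the first line of the entry (check items) and so is never returned to the NAS alongside the cisco-avpair. It assumes the usual users-file layout (user name and check items on the first line, reply items on the indented lines) and that whitespace followed test1@test in the original post; the function names are hypothetical and the sample entry is constructed from the one quoted in the thread.

```python
import re

# Constructed sample, modelled on the users-file entry quoted in the thread.
# Layout: first line = user name + check items; indented lines = reply items.
SAMPLE = '''test1@test  User-Password=test, Service-Type = Framed-User
    Framed-Protocol = PPP,
    Framed-IP-Netmask=255.255.255.255,
    Framed-Routing = None,
    cisco-avpair ="ip:dns-servers=19.2.2.2 19.7.7.7"
'''
# Same entry with Service-Type repeated as a reply item (the fix reported).
FIXED = SAMPLE.replace("    Framed-Protocol",
                       "    Service-Type = Framed-User,\n    Framed-Protocol")

ITEM = re.compile(r'\s*([\w-]+)\s*=\s*("[^"]*"|[^,]*?)\s*(?:,|$)')
# Cisco AV pair: protocol:attribute, then '=' (mandatory) or '*' (optional).
AVPAIR = re.compile(r'^[a-z0-9-]+:[^=*]+[=*].+$')

def parse_items(text):
    """Split 'Attr = value, Attr = "quoted value"' into (name, value) pairs."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = ITEM.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at {text[pos:]!r}")
        items.append((m.group(1).lower(), m.group(2).strip('"')))
        pos = m.end()
    return items

def parse_entry(entry):
    """Return (user, check_items, reply_items) for one users-file entry."""
    lines = [l for l in entry.splitlines() if l.strip()]
    head = lines[0].split(None, 1)
    check = parse_items(head[1]) if len(head) > 1 else []
    reply = [item for l in lines[1:] for item in parse_items(l)]
    return head[0], check, reply

def lint(entry):
    """Warn when avpairs are replied without Service-Type, or are malformed."""
    user, check, reply = parse_entry(entry)
    check_names, reply_names = ({n for n, _ in x} for x in (check, reply))
    warnings = []
    if 'cisco-avpair' in reply_names and 'service-type' not in reply_names:
        where = "only as a check item" if 'service-type' in check_names else "nowhere"
        warnings.append(f"{user}: Service-Type appears {where}, "
                        "so it is not sent in the reply")
    for name, value in reply:
        if name == 'cisco-avpair' and not AVPAIR.match(value):
            warnings.append(f"{user}: malformed cisco-avpair {value!r}")
    return warnings
```

lint(SAMPLE) returns one warning for the entry as posted, and lint(FIXED) returns an empty list once Service-Type is also a reply item.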





(RADIATOR) cisco-avpair

2001-04-05 Thread Mike McCauley


--- Forwarded mail from [EMAIL PROTECTED]

Date: Fri, 6 Apr 2001 01:10:25 +1000 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Andrew
[EMAIL PROTECTED]]

Date: Thu, 05 Apr 2001 11:47:24 -0300
From: Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: cisco-avpair

Hello,

I'm just trying to send dns server information back to the client. The
logfile from radius looks fine and appears to be sending the avpair to
the nas but, the dns server addresses are not appearing to the client. I
can't even see the dns servers being sent when debugging ICP
negotiation. any ideas..?

Thanks

users file

test1@test  User-Password=test, Service-Type = Framed-User
 Framed-Protocol = PPP,
 Framed-IP-Netmask=255.255.255.255,
 Framed-Routing = None,
 cisco-avpair ="ip:dns-servers=19.2.2.2 19.7.7.7"

aaa authentication login local group radius
aaa authentication ppp default group radius
aaa authentication ppp vpdn group radius
aaa authorization network default if-authenticated
aaa accounting network default start-stop group radius

radius-server configure-nas
radius-server host radius server auth-port 1812 acct-port 1813
radius-server key **
radius-server vsa send accounting
radius-server vsa send authentication





---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X



Re: (RADIATOR) cisco-avpair and 5300

2000-01-18 Thread Matt Nichols

You have to use virtual profiles in the AS5300.
Usually, you do this by entering the following config

aaa authentication ppp default radius
aaa authorization network default radius
aaa accounting network start-stop radius
virtual-profile aaa
virtual-profile virtual-template 1
!
interface virtual-template 1
ip unnumbered fastethernet 0
encapsulation ppp
!

Doing this will allow you to pass the per-user config onto a virtual access 
interface which will peer from the ip pool you want. Remember that your 
virtual-template interface will have to have the same authentication 
information in it as your group-async. Also, be careful not just to put the 
config sample above in, research it and make sure it will not break 
anything. We have been using this config for some months now and it is 
extremely flexible.

This document will help 
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcvprof.htm
Hope this helps

Matt

At 11:42 AM 18/01/00 +0530, you wrote:
Hi

I am consulting for an ISP in India who are using radiator.

They are using a 5300 with two ip pools on the ras.

Now when users dial in, certain users have a particular realm, and so
drop into a diff authentication realm, the reply
cisco-avpair = "ip:addr-pool=mypool" is added to this.

  After debugging the radius I think that the reply is being sent to the
  box, however the cisco always seems to pick the ip from the first pool
instead of the one I am telling it to go to.

I have also tried to use FramedGroup item, and again in the radius
accounting all is fine, but when it gets back through cisco all is
changed again.

  Has anyone done this kind of a setup with cisco, I have read through
just about all the docs on the cisco website, but still no luck.


  Iqbal

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

---
Matthew Nichols - CCNA
Network / Systems Engineer
HunterLink Pty Ltd
Newcastle NSW Australia
Phone: +61 2 4969 0122  Fax: +61 2 4969 0133
Reply To: [EMAIL PROTECTED]
PGP Public Key: http://moonah.hunterlink.net.au/~matt/pgp/pgpkey.html
HunterLink Web Site: http://www.hunterlink.net.au





(RADIATOR) cisco-avpair and 5300

2000-01-17 Thread Iqbal

Hi

I am consulting for an ISP in India who are using radiator.

They are using a 5300 with two ip pools on the ras.

Now when users dial in, certain users have a particular realm, and so
drop into a diff authentication realm, the reply 
cisco-avpair = "ip:addr-pool=mypool" is added to this.

 After debugging the radius I think that the reply is being sent to the
 box, however the cisco always seems to pick the ip from the first pool
instead of the one I am telling it to go to.

I have also tried to use FramedGroup item, and again in the radius
accounting all is fine, but when it gets back through cisco all is
changed again.

 Has anyone done this kind of a setup with cisco, I have read through
just about all the docs on the cisco website, but still no luck.


 Iqbal
