Re: (RADIATOR) Proxy pbs
Salut Hugh,

thank you for your help, the proxy works fine now.

But is this normal that the proxy sends an empty accounting-response packet before the real one ? Is there a way to avoid this ?

Romain VERGNIOL
CEGEDIM
Service Réseau Boulogne
Fax : +33 01 46 03 45 95
Tel : +33 01 49 09 84 02
[EMAIL PROTECTED]

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Gustavo Moreira [EMAIL PROTECTED]; Romain Vergniol [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, October 13, 2001 5:23 AM
Subject: Re: (RADIATOR) Proxy pbs

> Salut Romain -
>
> The correct answer to your question is to reverse the order of your AuthBy RADIUS clauses so the result of the last AuthBy is the result of the authentication.
>
> # define accounting before authentication
>
> <Realm DEFAULT>
>     AuthByPolicy ContinueAlways
>     <AuthBy RADIUS>
>         Host 172.29.xx.zz
>         NoForwardAuthentication
>         AcctPort 1646
>         Secret
>         LocalAddress 172.29.yy.yy
>     </AuthBy>
>     <AuthBy RADIUS>
>         Host 172.29.xx.xx
>         Host 172.29.xx.yy
>         AuthPort 1645
>         NoForwardAccounting
>         LocalAddress 172.29.yy.yy
>         <Host 172.29.xx.xx>
>             Secret xxx
>         </Host>
>         <Host 172.29.xx.yy>
>             Secret xx
>         </Host>
>     </AuthBy>
> </Realm>
>
> hth
>
> Hugh
>
> PS - you really should not use Synchronous with an AuthBy RADIUS, as the impact on performance can be extreme.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Proxy pbs
Salut Romain -

On Monday 15 October 2001 20:15, Romain Vergniol wrote:
> Salut Hugh,
>
> thank you for your help, the proxy works fine now.
>
> But is this normal that the proxy sends an empty accounting-response packet before the real one ? Is there a way to avoid this ?

I am not sure I understand your question. In the case you describe, you are sending the same accounting record to two different target radius hosts. In this situation, which one is the real one?

If you have a different requirement, I am sure we can come up with a suitable configuration for you.

regards

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) Proxy pbs
Sorry, my last message wasn't clear...

In fact, the proxy replies twice to the NAS, the first accounting-response packet is empty, the other contains the appropriate attributes.

Ex (with tcpdump listening traffic only between the proxy and the NAS):

172.29.xx.xx = NAS
172.29.yy.yy = Proxy

172.29.xx.xx.1028 > 172.29.yy.yy.1646: rad-account-req 97 [id 236] Attr[ NAS_ipaddr{172.29.yy.yy} NAS_port{20106} NAS_port_type{#40} Acct_status{#297} Acct_delay{00 secs} Acct_session_id{318361649.} Acct_authentic{#376}#120#121 Calling_station{143845245} Called_station{5137} ]
172.29.yy.yy.1646 > 172.29.xx.xx.1028: rad-account-resp 20 [id 236]
172.29.yy.yy.1646 > 172.29.xx.xx.1028: rad-account-resp 109 [id 236] Attr[ NAS_ipaddr{172.29.xx.xx} NAS_port{20106} NAS_port_type{#40} Acct_status{#297} Acct_delay{00 secs} Acct_session_id{318361649} Acct_authentic{#376}#120#121 Calling_station{143845245} Called_station{5137} NAS_id{172.29.xx.xx} ]

Is there a way to avoid sending the first reply (rad-account-resp 20) ?

Regards

Romain VERGNIOL
CEGEDIM
Service Réseau Boulogne
Fax : +33 01 46 03 45 95
Tel : +33 01 49 09 84 02
[EMAIL PROTECTED]

> I am not sure I understand your question. In the case you describe, you are sending the same accounting record to two different target radius hosts. In this situation, which one is the real one?
>
> If you have a different requirement, I am sure we can come up with a suitable configuration for you.
>
> regards
>
> Hugh
Re: (RADIATOR) Proxy pbs
Precisions about my last post :

172.29.xx.xx.1028 > 172.29.yy.yy.1646: rad-account-req 97 [id 236] Attr[ NAS_ipaddr{172.29.yy.yy} NAS_port{20106} NAS_port_type{#40} Acct_status{#297} Acct_delay{00 secs} Acct_session_id{318361649.} Acct_authentic{#376}#120#121 Calling_station{143845245} Called_station{5137} ]
172.29.yy.yy.1646 > 172.29.xx.xx.1028: rad-account-resp 20 [id 236]

This packet is generated by the proxy

172.29.yy.yy.1646 > 172.29.xx.xx.1028: rad-account-resp 109 [id 236] Attr[ NAS_ipaddr{172.29.xx.xx} NAS_port{20106} NAS_port_type{#40} Acct_status{#297} Acct_delay{00 secs} Acct_session_id{318361649} Acct_authentic{#376}#120#121 Calling_station{143845245} Called_station{5137} NAS_id{172.29.xx.xx} ]

This packet is the response generated by the Radius server (and forwarded to the NAS).

Is there a way to avoid sending the first reply (rad-account-resp 20) ?
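An added example, not part of the original thread: a small checker that reads tcpdump lines like those in the post above (standard `src > dst:` form) and reports every accounting request that drew more than one Accounting-Response for the same identifier, noting which replies are exactly the 20-byte RADIUS header with no attributes. The sample capture and its addresses are constructed, and reading the number tcpdump prints after the packet type as the RADIUS packet length is an assumption.

```python
import re

RADIUS_HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

LINE_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): rad-account-(?P<kind>req|resp) "
    r"(?P<length>\d+) \[id (?P<ident>\d+)\]"
)

# Constructed sample capture modelled on the one in the post. Addresses are
# documentation-range placeholders: 192.0.2.10 = NAS, 192.0.2.20 = proxy.
SAMPLE = """\
192.0.2.10.1028 > 192.0.2.20.1646: rad-account-req 97 [id 236] Attr[ NAS_port{20106} ]
192.0.2.20.1646 > 192.0.2.10.1028: rad-account-resp 20 [id 236]
192.0.2.20.1646 > 192.0.2.10.1028: rad-account-resp 109 [id 236] Attr[ NAS_port{20106} ]
192.0.2.10.1028 > 192.0.2.20.1646: rad-account-req 97 [id 237] Attr[ NAS_port{20107} ]
192.0.2.20.1646 > 192.0.2.10.1028: rad-account-resp 109 [id 237] Attr[ NAS_port{20107} ]
"""


def find_duplicate_responses(capture):
    """Return one finding per accounting request that drew several responses."""
    transactions = []  # every request seen, in capture order
    latest = {}        # (client, server, id) -> most recent request with that key
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        length, ident = int(m["length"]), int(m["ident"])
        if m["kind"] == "req":
            # Identifiers are 8 bits and get reused, so each request (a
            # retransmission included) opens a fresh transaction.
            txn = {"client": m["src"], "server": m["dst"], "id": ident, "lengths": []}
            transactions.append(txn)
            latest[(m["src"], m["dst"], ident)] = txn
        else:
            # A response travels server -> client, so swap the endpoints.
            txn = latest.get((m["dst"], m["src"], ident))
            if txn is not None:
                txn["lengths"].append(length)
    findings = []
    for txn in transactions:
        if len(txn["lengths"]) > 1:
            header_only = [n for n in txn["lengths"] if n == RADIUS_HEADER_LEN]
            findings.append({**txn, "header_only": header_only})
    return findings


if __name__ == "__main__":
    for finding in find_duplicate_responses(SAMPLE):
        print(finding)
```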
Re: (RADIATOR) Proxy pbs
Salut Romain -

On Tuesday 16 October 2001 00:12, Romain Vergniol wrote:
> Precisions about my last post :
>
> 172.29.xx.xx.1028 > 172.29.yy.yy.1646: rad-account-req 97 [id 236] Attr[ NAS_ipaddr{172.29.yy.yy} NAS_port{20106} NAS_port_type{#40} Acct_status{#297} Acct_delay{00 secs} Acct_session_id{318361649.} Acct_authentic{#376}#120#121 Calling_station{143845245} Called_station{5137} ]
> 172.29.yy.yy.1646 > 172.29.xx.xx.1028: rad-account-resp 20 [id 236]
>
> This packet is generated by the proxy

Correct.

> 172.29.yy.yy.1646 > 172.29.xx.xx.1028: rad-account-resp 109 [id 236] Attr[ NAS_ipaddr{172.29.xx.xx} NAS_port{20106} NAS_port_type{#40} Acct_status{#297} Acct_delay{00 secs} Acct_session_id{318361649} Acct_authentic{#376}#120#121 Calling_station{143845245} Called_station{5137} NAS_id{172.29.xx.xx} ]
>
> This packet is the response generated by the Radius server (and forwarded to the NAS).
>
> Is there a way to avoid sending the first reply (rad-account-resp 20) ?

As mentioned in a previous mail, the answer to this depends on what else you are wanting to do in the Radiator configuration file, so if you can give me a clear description of your requirements I will be able to make some suggestions on how best to implement them.

regards

Hugh
Re: (RADIATOR) Proxy pbs
Romain:

If you like wait the reply and then to respond to the NAS. You would have to see the 6.29.17 item Synchronous

Gustavo Moreira.

- Original Message -
From: Romain Vergniol
To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Sent: Friday, October 12, 2001 12:23 PM
Subject: (RADIATOR) Proxy pbs

> Hello,
>
> I'm trying to set up a proxy that would be able to forward accounting to a different server. So I tried something like this (described in the reference manual) :
>
> <Realm DEFAULT>
>     AuthByPolicy ContinueAlways
>     <AuthBy RADIUS>
>         Host 172.29.xx.xx
>         Host 172.29.xx.yy
>         AuthPort 1645
>         NoForwardAccounting
>         LocalAddress 172.29.yy.yy
>         <Host 172.29.xx.xx>
>             Secret xxx
>         </Host>
>         <Host 172.29.xx.yy>
>             Secret xx
>         </Host>
>     </AuthBy>
>     <AuthBy RADIUS>
>         Host 172.29.xx.zz
>         NoForwardAuthentication
>         AcctPort 1646
>         Secret
>         LocalAddress 172.29.yy.yy
>     </AuthBy>
> </Realm>
>
> The problem is that authentication is always accepted ... So I tried with "IgnoreAuth..." and "IgnoreAcct..." but it doesn't seem to work.
>
> What's the way to properly configure this proxy ?
>
> Thanx
>
> Romain VERGNIOL
> CEGEDIM
> Service Réseau Boulogne
> Fax : 33 01 46 03 45 95
> Tel : 33 01 49 09 84 02
> [EMAIL PROTECTED]
Re: (RADIATOR) Proxy pbs
Salut Romain -

The correct answer to your question is to reverse the order of your AuthBy RADIUS clauses so the result of the last AuthBy is the result of the authentication.

# define accounting before authentication

<Realm DEFAULT>
    AuthByPolicy ContinueAlways
    <AuthBy RADIUS>
        Host 172.29.xx.zz
        NoForwardAuthentication
        AcctPort 1646
        Secret
        LocalAddress 172.29.yy.yy
    </AuthBy>
    <AuthBy RADIUS>
        Host 172.29.xx.xx
        Host 172.29.xx.yy
        AuthPort 1645
        NoForwardAccounting
        LocalAddress 172.29.yy.yy
        <Host 172.29.xx.xx>
            Secret xxx
        </Host>
        <Host 172.29.xx.yy>
            Secret xx
        </Host>
    </AuthBy>
</Realm>

hth

Hugh

PS - you really should not use Synchronous with an AuthBy RADIUS, as the impact on performance can be extreme.

On Saturday 13 October 2001 04:35, Gustavo Moreira wrote:
> Romain:
>
> If you like wait the reply and then to respond to the NAS. You would have to see the 6.29.17 item Synchronous
>
> Gustavo Moreira.
>
> - Original Message -
> From: Romain Vergniol
> To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
> Sent: Friday, October 12, 2001 12:23 PM
> Subject: (RADIATOR) Proxy pbs
>
> > Hello,
> >
> > I'm trying to set up a proxy that would be able to forward accounting to a different server. So I tried something like this (described in the reference manual) :
> >
> > <Realm DEFAULT>
> >     AuthByPolicy ContinueAlways
> >     <AuthBy RADIUS>
> >         Host 172.29.xx.xx
> >         Host 172.29.xx.yy
> >         AuthPort 1645
> >         NoForwardAccounting
> >         LocalAddress 172.29.yy.yy
> >         <Host 172.29.xx.xx>
> >             Secret xxx
> >         </Host>
> >         <Host 172.29.xx.yy>
> >             Secret xx
> >         </Host>
> >     </AuthBy>
> >     <AuthBy RADIUS>
> >         Host 172.29.xx.zz
> >         NoForwardAuthentication
> >         AcctPort 1646
> >         Secret
> >         LocalAddress 172.29.yy.yy
> >     </AuthBy>
> > </Realm>
> >
> > The problem is that authentication is always accepted ... So I tried with IgnoreAuth... and IgnoreAcct... but it doesn't seem to work.
> >
> > What's the way to properly configure this proxy ?
> >
> > Thanx
> >
> > Romain VERGNIOL
> > CEGEDIM
> > Service Réseau Boulogne
> > Fax : 33 01 46 03 45 95
> > Tel : 33 01 49 09 84 02
> > [EMAIL PROTECTED]