Re: [RADIATOR] Question about TACACS group assignment based on AD groups

2016-10-12 Thread Hartmaier Alexander
Hi Daniel,

we generate the Client config blocks using ClientListSQL from our NMS
database. The identifier is the hostname and we use the
OSC-Group-Identifier set to the support group name for further
distinguishment in the handlers.

We also add other metadata like OSC-Customer-Identifier for logging this
way.

Best regards, Alex


On 2016-09-08 07:12, Hugh Irvine wrote:
> Hello Daniel -
>
> You can use Identifiers in your Client clauses to indicate what sort of 
> device they are, then use those identifiers in your Handlers.
>
> Something like this:
>
> ……
>
> 
>   Identifier Firewall
>   …..
> 
>
> 
>   Identifier Firewall
>   …..
> 
>
> 
>   Identifier Switch
>   …..
> 
>
> 
>   Identifier Switch
>   …..
> 
>
> …..
>
> 
>   AuthByPolicy ContinueUntilAccept
>   AuthBy CheckReadOnlyAccessForFirewall
>   AuthBy CheckFullAccessForFirewall
> 
>
> 
>   AuthByPolicy ContinueUntilAccept
>   AuthBy CheckReadOnlyAccessForSwitch
>   AuthBy CheckFullAccessForSwitch
> 
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
>
>> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
>>
>> Hi all,
>>
>> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
>> including command level authorization. Based on some posts on this list I 
>> got both the active directory and the TACACS server module up and running, 
>> but struggle with the configuration of both.
>>
>> If I understand correctly, the TACACS module simply converts the TACACS 
>> authentication requests to radius requests and passes them to Radiator for 
>> ordinary execution. Authorization requests are handled within the TACACS 
>> module.
>>
>> My configuration currently looks as follows:
>>
>> --- begin ---
>> 
>>  # Define DC to connect to
>>  Host dc-b.ad.x.com
>>
>>  # Identifier to use this AuthBy Clause later
>>  Identifier AuthByAD
>>
>>  # Administrative user used to perform LDAP queries
>>  AuthDN  
>> cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
>>  AuthPassword
>>
>>  # Where to search for users
>>  BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
>>  ServerChecksPassword
>>
>>  # Add Check for group membership
>>  AuthAttrDef memberOf, ADGroup, check
>>
>>  # Reply should include the group names for further processing
>>  AuthAttrDef memberOf, ADGroups, reply
>>
>>  # There will be no default User
>>  NoDefault
>>
>>  # LDAP attribute to check the UserName on
>>  UsernameAttr sAMAccountName
>> 
>>
>> 
>> Port 49
>> AddToRequest NAS-Identifier=TACACS
>> GroupMemberAttr tacacsgroup
>>
>> AuthorizeGroup network_ro deny service=shell cmd=show 
>> cmd-arg=tech-support
>> AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup network_ro deny .*
>>
>> # This is for authorized users for full access. Place in lvl 15 
>> immediately, no restrictions apply
>> AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>> AuthorizeGroup full_access permit .*
>>
>> # Default deny to prevent accidents when something is misconfigured
>> AuthorizeGroup DEFAULT deny .*
>>
>> 
>>
>> # Include client definition
>> include %D/radius-clients.cfg
>> # Include Active Directory AuthBy Handler
>> include %D/authby-ad.cfg
>> # Include configuration for the built-in TACACS server
>> include %D/tacacs.cfg
>>
>> # TACACS Handler
>> 
>> AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
>> AuthBy AuthByAD
>>
>> # Try read-only access
>> # AddToRequest 
>> ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
>> # AuthBy AuthByAD
>> 
>> --- end ---
>>
>> My problem now is how to tie both clues together in the handler. Ideally I 
>> would also like to distinguish based on the TACACS client which is asking. 
>> If it is a firewall (IPs known), then use command sets full_access_fw and 
>> firewall_ro based on AD groups.
>>
>> Basically I need something like this:
>>
>> - Firewall is TACACS client, and the user is member of group 
>> netadmin-security, return request with tacacsgroup=full_access_fw
>> - Switch is TACACS client, and the user is member of group netadmin, 
>> return request with tacacsgroup=full_access
>> - Firewall is TACACS client, and the user is member of group 
>> netadmin-security-ro, return request with tacacsgroup=firewall_ro
>> - Switch is TACACS client, and the user is member of group netadmin-ro, 
>> return request with tacacsgroup=network_ro
>>
>> How would I do this mapping?
>>
>> Many thanks and best regards
>> Daniel
>>
>>
>> ___
>> radiator mailing list
>> 

Re: [RADIATOR] Question about TACACS group assignment based on AD groups

2016-09-07 Thread Hugh Irvine

Hello Daniel -

You can use Identifiers in your Client clauses to indicate what sort of device 
they are, then use those identifiers in your Handlers.

Something like this:

……


Identifier Firewall
…..



Identifier Firewall
…..



Identifier Switch
…..



Identifier Switch
…..


…..


AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForFirewall
AuthBy CheckFullAccessForFirewall



AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForSwitch
AuthBy CheckFullAccessForSwitch



hope that helps

regards

Hugh



> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
> 
> Hi all,
> 
> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
> including command level authorization. Based on some posts on this list I got 
> both the active directory and the TACACS server module up and running, but 
> struggle with the configuration of both.
> 
> If I understand correctly, the TACACS module simply converts the TACACS 
> authentication requests to radius requests and passes them to Radiator for 
> ordinary execution. Authorization requests are handled within the TACACS 
> module.
> 
> My configuration currently looks as follows:
> 
> --- begin ---
> 
> # Define DC to connect to 
> Host dc-b.ad.x.com
> 
> # Identifier to use this AuthBy Clause later
> Identifier AuthByAD
> 
> # Administrative user used to perform LDAP queries
> AuthDN  
> cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
> AuthPassword
> 
> # Where to search for users
> BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
> ServerChecksPassword
> 
> # Add Check for group membership
> AuthAttrDef memberOf, ADGroup, check
> 
> # Reply should include the group names for further processing
> AuthAttrDef memberOf, ADGroups, reply
> 
> # There will be no default User
> NoDefault
> 
> # LDAP attribute to check the UserName on
> UsernameAttr sAMAccountName
> 
> 
> 
>Port 49
>AddToRequest NAS-Identifier=TACACS
>GroupMemberAttr tacacsgroup
> 
>AuthorizeGroup network_ro deny service=shell cmd=show 
> cmd-arg=tech-support
>AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>AuthorizeGroup network_ro deny .*
> 
># This is for authorized users for full access. Place in lvl 15 
> immediately, no restrictions apply
>AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>AuthorizeGroup full_access permit .*
> 
># Default deny to prevent accidents when something is misconfigured
>AuthorizeGroup DEFAULT deny .*
> 
> 
> 
> # Include client definition
> include %D/radius-clients.cfg
> # Include Active Directory AuthBy Handler
> include %D/authby-ad.cfg
> # Include configuration for the built-in TACACS server
> include %D/tacacs.cfg
> 
> # TACACS Handler
> 
>AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
>AuthBy AuthByAD
> 
># Try read-only access
># AddToRequest 
> ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
># AuthBy AuthByAD
> 
> --- end ---
> 
> My problem now is how to tie both clues together in the handler. Ideally I 
> would also like to distinguish based on the TACACS client which is asking. If 
> it is a firewall (IPs known), then use command sets full_access_fw and 
> firewall_ro based on AD groups.
> 
> Basically I need something like this:
> 
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security, return request with tacacsgroup=full_access_fw
> - Switch is TACACS client, and the user is member of group netadmin, 
> return request with tacacsgroup=full_access
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security-ro, return request with tacacsgroup=firewall_ro
> - Switch is TACACS client, and the user is member of group netadmin-ro, 
> return request with tacacsgroup=network_ro
> 
> How would I do this mapping?
> 
> Many thanks and best regards
> Daniel
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
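As an added example (not code from this thread or from Radiator), the mapping Daniel asks for and the AuthorizeGroup command rules from his tacacs.cfg, modelled in Python. The first-match semantics and the "every pattern must match some request attribute" rule are a simplified model and an assumption, not taken from Radiator's documentation; the read-only rows are ordered first to mirror Hugh's ContinueUntilAccept handlers, and the tables also show why a misspelled attribute name such as `cmd-arh` in a deny rule matters: that rule can never match, so `show tech-support` falls through to the permit line.

```python
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Decision table constructed from the four cases Daniel lists. Order matters:
# read-only rows come first, mirroring Hugh's ContinueUntilAccept handlers in
# which CheckReadOnlyAccess* is consulted before CheckFullAccess*.
GROUP_MAP: List[Tuple[str, str, str]] = [
    # (Client Identifier, AD group CN, tacacsgroup)
    ("Firewall", "netadmin-security-ro", "firewall_ro"),
    ("Firewall", "netadmin-security", "full_access_fw"),
    ("Switch", "netadmin-ro", "network_ro"),
    ("Switch", "netadmin", "full_access"),
]

# Simplified model of the AuthorizeGroup lines: (group, action, patterns).
# Assumption: rules are tried in order and the first rule whose patterns all
# fully match some attribute=value pair of the request decides.
AuthzRule = Tuple[str, str, Sequence[str]]
RULES_AS_POSTED: List[AuthzRule] = [
    ("network_ro", "deny", ["service=shell", "cmd=show", "cmd-arh=tech-support"]),
    ("network_ro", "permit", ["service=shell", "cmd=show", r"cmd-arg=.*"]),
    ("network_ro", "deny", [r".*"]),
    ("full_access", "permit", ["service=shell", r"cmd\*"]),
    ("full_access", "permit", [r".*"]),
    ("DEFAULT", "deny", [r".*"]),
]
# Same table with the attribute name in the first rule spelled correctly.
RULES_CORRECTED: List[AuthzRule] = [
    (g, a, [p.replace("cmd-arh=", "cmd-arg=") for p in pats])
    for g, a, pats in RULES_AS_POSTED
]


def cn_of(dn: str) -> Optional[str]:
    """Leading CN of a memberOf value such as 'CN=netadmin,OU=Groups,DC=ad,DC=example,DC=de'."""
    m = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def assign_tacacsgroup(client_identifier: str, member_of: Iterable[str]) -> Optional[str]:
    """tacacsgroup for this (client type, AD groups) pair; None when no row applies."""
    groups = {cn_of(dn) for dn in member_of}
    for identifier, cn, tacacsgroup in GROUP_MAP:
        if identifier == client_identifier and cn in groups:
            return tacacsgroup
    return None


def authorize(rules: Sequence[AuthzRule], tacacsgroup: Optional[str],
              request_args: Sequence[str]) -> str:
    """First-match evaluation of AuthorizeGroup rules for one authorization request.

    request_args are the TACACS+ attribute=value pairs, e.g.
    ['service=shell', 'cmd=show', 'cmd-arg=version']. A user with no
    tacacsgroup is evaluated against the DEFAULT group.
    """
    group = tacacsgroup if tacacsgroup is not None else "DEFAULT"
    for rule_group, action, patterns in rules:
        if rule_group != group:
            continue
        if all(any(re.fullmatch(p, arg) for arg in request_args) for p in patterns):
            return action
    return "deny"  # no rule matched: fail closed


if __name__ == "__main__":
    dn = "CN=netadmin-ro,OU=Groups,DC=ad,DC=example,DC=de"  # constructed value
    group = assign_tacacsgroup("Switch", [dn])
    show_tech = ["service=shell", "cmd=show", "cmd-arg=tech-support"]
    print(group, authorize(RULES_AS_POSTED, group, show_tech),
          authorize(RULES_CORRECTED, group, show_tech))
```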

Re: [RADIATOR] Question about regex matching realm in handlers

2016-02-11 Thread Heikki Vatiainen
On 10.2.2016 23.31, David Rose wrote:

> However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
> and associated statements (i.e. no other changes to client config or
> anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
> the regex and the inner request is then caught by "NO_REALM". Here is
> the debug from a request where things stop working as expected (I think
> the key is that in the packet dump, the username is in the "EAP-Message"
> field and not the "User-Name" field):

Yes, you are correct. The key is the empty User-Name in the tunnelled 
request. Here's the tunnelled request:

> Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
> Attributes:
>  EAP-Message = <2><0><0><18><1>tu...@iit.edu
>  Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  User-Name = ""
>
> Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
> 'Realm=/^$/', Identifier 'NO_REALM'

This is what happens: Your outer Handler's AuthBy has 'EAPAnonymous %0'. 
This tells Radiator to add User-Name in the inner request with the value 
that is the inner EAP identity.

When the inner EAP starts, the first request is the EAP Identity 
response shown above. The identity (the username) is then extracted by 
the AuthBy within the Handler that matches the inner request.

Because the inner request becomes known only after the first tunnelled 
request has been processed, it's not available when the first tunnelled 
request is dispatched to the Handlers. In other words, we have a chicken 
and egg situation: the inner identity is needed before the request that 
carries it is processed.

You could consider this:
   

This should match usern...@iit.edu, username@, username and empty 
username. Or then you could use simply just 

Since the outer username is used to route the RADIUS request to the 
correct home organisation, for example with eduroam, what matters is 
that the RADIUS request has the correct realm. The inner request's realm 
can have the home realm but it could as well be empty since the inner 
username is not used for RADIUS request routing.

If you want to force the inner realm to always be @iit.edu, you could do 
this:


 Identifier PEAP_INNER_IITdEDU
 AuthBy NTLM_MSCHAP_NoRealm


 Identifier PEAP_INNER_No_Realm
 
 Filename /dev/null
 EAPType EAP-MSCHAP-V2
 


Even if the first request with the empty User-Name always matches the 
second Handler, it will just extract the identity and challenge the 
client to start EAP-MSCHAP-V2. The next request from the client will 
match the correct Handler unless their identity (username) does not end 
with @iit.edu. If this happens, they will fail the authentication. 
However, it might be a good idea to allow the inner username to be 
realmless and use Realm=/(^iit\.edu$|^$)/i with the first Handler.

You could think of the second Handler as an anchor that bootstraps 
EAP-MSCHAP-V2 and handles unknown realms.

We have planned solving the chicken and egg problem by taking a look at the 
inner request when the inner identity is not known yet. If the inner 
EAP-Message contains the identity, then it could be used for the first 
message when EAPAnonymous %0 is configured. However, this is not in 
Radiator or Radiator patches yet.

I hope the above clarifies how EAPAnonymous %0 works currently and why 
you will see empty User-Name with it.

Thanks,
Heikki

-- 
Heikki Vatiainen 

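An added Python model (not Radiator code and not from the thread) of the dispatch Heikki describes: with EAPAnonymous %0 the first tunnelled request is dispatched with an empty User-Name because the inner identity is only learnt by processing it, so the Handler that matches an empty realm sees that request and the Handler matching the real realm sees the rest. The handler tables are constructed; the catch-all Realm for PEAP_INNER_No_Realm is an assumption since that Handler line is not in the message.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Handler tables as (Identifier, Realm regex), tried in order like Radiator Handlers.
Handler = Tuple[str, str]

# Constructed: a realm-specific Handler followed by the Realm=/^$/ NO_REALM Handler
# seen in David's debug output.
REALM_THEN_EMPTY: List[Handler] = [
    ("IIT_EDU", r"^iit\.edu$"),
    ("NO_REALM", r"^$"),
]
# Heikki's two Handlers, strict form: first Handler matches only the iit.edu realm.
STRICT: List[Handler] = [
    ("PEAP_INNER_IITdEDU", r"^iit\.edu$"),
    ("PEAP_INNER_No_Realm", r""),  # assumed catch-all: a <Handler> with no Realm
]
# Heikki's relaxed form: Realm=/(^iit\.edu$|^$)/i on the first Handler.
RELAXED: List[Handler] = [
    ("PEAP_INNER_IITdEDU", r"(^iit\.edu$|^$)"),
    ("PEAP_INNER_No_Realm", r""),
]


def realm_of(user_name: str) -> str:
    """Realm part of a User-Name: the text after the last '@', or '' when there is none."""
    return user_name.rpartition("@")[2] if "@" in user_name else ""


def dispatch(handlers: Sequence[Handler], user_name: str) -> Optional[str]:
    """Identifier of the first Handler whose Realm regex matches; the /i flag is assumed."""
    realm = realm_of(user_name)
    for identifier, pattern in handlers:
        if re.search(pattern, realm, re.IGNORECASE):
            return identifier
    return None


def inner_conversation(handlers: Sequence[Handler],
                       identity: str) -> Tuple[Optional[str], Optional[str]]:
    """Which Handler sees the first tunnelled request and which sees the later ones.

    The first tunnelled request is the EAP Identity response; its identity is
    not yet known when the request is dispatched, so with EAPAnonymous %0 the
    inner User-Name is "" at that point. Later requests carry the identity.
    """
    first = dispatch(handlers, "")
    later = dispatch(handlers, identity)
    return first, later


if __name__ == "__main__":
    for name, table in (("realm-then-empty", REALM_THEN_EMPTY), ("strict", STRICT), ("relaxed", RELAXED)):
        print(name, inner_conversation(table, "user@iit.edu"))  # constructed identity
```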


Re: [RADIATOR] Question about regex matching realm in handlers

2016-02-11 Thread David Rose
Heikki,

Now that you assembled the pieces for me, it makes perfect sense. I
figured I had to be missing something.

Thank you!

David

On 2/11/2016 5:17 AM, Heikki Vatiainen wrote:
> On 10.2.2016 23.31, David Rose wrote:
>
>> However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
>> and associated statements (i.e. no other changes to client config or
>> anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
>> the regex and the inner request is then caught by "NO_REALM". Here is
>> the debug from a request where things stop working as expected (I think
>> the key is that in the packet dump, the username is in the "EAP-Message"
>> field and not the "User-Name" field):
> Yes, you are correct. The key is the empty User-Name in the tunnelled 
> request. Here's the tunnelled request:
>
>> Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
>> Code:   Access-Request
>> Identifier: UNDEF
>> Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
>> Attributes:
>>  EAP-Message = <2><0><0><18><1>tu...@iit.edu
>>  Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>  User-Name = ""
>>
>> Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
>> 'Realm=/^$/', Identifier 'NO_REALM'
> This is what happens: Your outer Handler's AuthBy has 'EAPAnonymous %0'. 
> This tells Radiator to add User-Name in the inner request with the value 
> that is the inner EAP identity.
>
> When the inner EAP starts, the first request is the EAP Identity 
> response shown above. The identity (the username) is then extracted by 
> the AuthBy within the Handler that matches the inner request.
>
> Because the inner request becomes known only after the first tunnelled 
> request has been processed, it's not available when the first tunnelled 
> request is dispatched to the Handlers. In other words, we have a chicken 
> and egg situation: the inner identity is needed before the request that 
> carries it is processed.
>
> You could consider this:
>
>
> This should match usern...@iit.edu, username@, username and empty 
> username. Or then you could use simply just 
>
> Since the outer username is used to route the RADIUS request to the 
> correct home organisation, for example with eduroam, what matters is 
> that the RADIUS request has the correct realm. The inner request's realm 
> can have the home realm but it could as well be empty since the inner 
> username is not used for RADIUS request routing.
>
> If you want to force the inner realm to always be @iit.edu, you could do 
> this:
>
> 
>  Identifier PEAP_INNER_IITdEDU
>  AuthBy NTLM_MSCHAP_NoRealm
> 
> 
>  Identifier PEAP_INNER_No_Realm
>  
>  Filename /dev/null
>  EAPType EAP-MSCHAP-V2
>  
> 
>
> Even if the first request with the empty User-Name always matches the 
> second Handler, it will just extract the identity and challenge the 
> client to start EAP-MSCHAP-V2. The next request from the client will 
> match the correct Handler unless their identity (username) does not end 
> with @iit.edu. If this happens, they will fail the authentication. 
> However, it might be a good idea to allow the inner username to be 
> realmless and use Realm=/(^iit\.edu$|^$)/i with the first Handler.
>
> You could think of the second Handler as an anchor that bootstraps 
> EAP-MSCHAP-V2 and handles unknown realms.
>
> We have planned solving the chicken and egg problem by taking a look at the 
> inner request when the inner identity is not known yet. If the inner 
> EAP-Message contains the identity, then it could be used for the first 
> message when EAPAnonymous %0 is configured. However, this is not in 
> Radiator or Radiator patches yet.
>
> I hope the above clarifies how EAPAnonymous %0 works currently and why 
> you will see empty User-Name with it.
>
> Thanks,
> Heikki
>



Re: [RADIATOR] Question about AuthByPolicy anything else and AuthBy SQL

2012-06-27 Thread Ricardo Martinez
Hello Heikki
Thanks for your answer, indeed that was the problem!.  Now I can insert in
both databases perfect!
We're in the middle of the process to upgrade to Radiator 4.9!

Thanks for your support!
Regards,
Ricardo.-

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
behalf of Heikki Vatiainen
Sent: Wednesday, 27 June 2012 17:35
To: radiator@open.com.au
Subject: Re: [RADIATOR] Question about AuthByPolicy anything else and
AuthBy SQL

On 06/27/2012 11:23 PM, Ricardo Martinez wrote:

 I’m using Radiator 3.1.13

Version 3.x is quite old, so you could consider upgrading in case there are
more problems.

 I have this configuration file :

I think the main problem is this:

   DBusername  user

The option is slightly incorrect. You should have:

   DBUsername  user

Notice the capital U. Radiator should log an error about this when it
starts up.

Since the parameters are incorrect, it can not initialise DBD::Oracle and
Oracle specific string value quoting will fail. This is why you see
blanks.

Also note that the AcctColumnDefs are not equal in both AuthBys. For
example Acct-Input-Octets has 'integer' type in one AuthBy but not in the
other.

Please let us know if this solves the problem, Heikki



 <Handler Request-Type = Accounting-Request, Acct-Status-Type = Stop>
   <AuthBy GROUP>
     AuthByPolicy anything else
     <AuthBy SQL>
       DBSource            dbi:Oracle:DEV
       DBusername          user
       DBAuth              pass
       FailureBackoffTime  60

       AccountingTable     VOIPACCOUNTING2
       AcctColumnDef       LOGGEDAT,%{GlobalVar:DBsysdate},literal
       AcctColumnDef       CALL_LEG_SETUP_TIME,h323-setup-time
       AcctColumnDef       GATEWAY_IDENTIFIER,h323-gw-id
       AcctColumnDef       CONNECTION_ID,h323-conf-id
       AcctColumnDef       CALL_LEG_DIRECTION,h323-call-origin
       AcctColumnDef       CALL_LEG_TYPE,h323-call-type
       AcctColumnDef       CALL_LEG_CONNECT_TIME,h323-connect-time
       AcctColumnDef       CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
       AcctColumnDef       CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
       AcctColumnDef       REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
       AcctColumnDef       VOICE_QUALITY,h323-voice-quality
       AcctColumnDef       USER_NAME,User-Name
       AcctColumnDef       CALLED_STATION_ID,Called-Station-Id
       AcctColumnDef       CALLING_STATION_ID,Calling-Station-Id
       AcctColumnDef       ACCT_STATUS_TYPE,Acct-Status-Type,integer
       AcctColumnDef       ACCT_DELAY_TIME,Acct-Delay-Time,integer
       AcctColumnDef       ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
       AcctColumnDef       ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
       AcctColumnDef       ACCT_SESSION_ID,Acct-Session-Id
       AcctColumnDef       ACCT_SESSION_TIME,Acct-Session-Time,integer
       AcctColumnDef       ACCT_INPUT_PACKETS,Acct-Input-Packets,integer
       AcctColumnDef       ACCT_OUTPUT_PACKETS,Acct-Output-Packets,integer
       AcctColumnDef       NAS_PORT_TYPE,NAS-Port-Type,integer
       AcctColumnDef       ACCESS_DEVICE,h323-gw-id
       AcctColumnDef       NETWORK_DEVICE_GROUP,Acct-Status-Type,integer
     </AuthBy>

     <AuthBy SQL>
       DBSource            dbi:Oracle:SID1
       DBUsername          user
       DBAuth              pass
       FailureBackoffTime  60

       AccountingTable     VOIPACCOUNTING2
       AcctColumnDef       LOGGEDAT,%{GlobalVar:DBsysdate},literal
       AcctColumnDef       CALL_LEG_SETUP_TIME,h323-setup-time
       AcctColumnDef       GATEWAY_IDENTIFIER,h323-gw-id
       AcctColumnDef       CONNECTION_ID,h323-conf-id
       AcctColumnDef       CALL_LEG_DIRECTION,h323-call-origin
       AcctColumnDef       CALL_LEG_TYPE,h323-call-type
       AcctColumnDef       CALL_LEG_CONNECT_TIME,h323-connect-time
       AcctColumnDef       CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
       AcctColumnDef       CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
       AcctColumnDef       REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
       AcctColumnDef       VOICE_QUALITY,h323-voice-quality
       AcctColumnDef
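As an added example (not Radiator code and not the poster's), a small checker for the two things Heikki points out: a parameter name that differs from the documented spelling only in case (the `DBusername` / `DBUsername` mix-up), and an `AcctColumnDef` type that differs for the same attribute between the two `<AuthBy SQL>` clauses. The set of known parameter names is a constructed subset of those used in the thread, and the configuration is a shortened, constructed version of the one quoted above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed, shortened version of the two <AuthBy SQL> clauses from the thread.
SAMPLE_CFG = """
<AuthBy SQL>
    DBSource            dbi:Oracle:DEV
    DBusername          user
    DBAuth              pass
    FailureBackoffTime  60
    AccountingTable     VOIPACCOUNTING2
    AcctColumnDef       LOGGEDAT,%{GlobalVar:DBsysdate},literal
    AcctColumnDef       USER_NAME,User-Name
    AcctColumnDef       ACCT_STATUS_TYPE,Acct-Status-Type,integer
    AcctColumnDef       ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
</AuthBy>
<AuthBy SQL>
    DBSource            dbi:Oracle:SID1
    DBUsername          user
    DBAuth              pass
    FailureBackoffTime  60
    AccountingTable     VOIPACCOUNTING2
    AcctColumnDef       LOGGEDAT,%{GlobalVar:DBsysdate},literal
    AcctColumnDef       USER_NAME,User-Name
    AcctColumnDef       ACCT_STATUS_TYPE,Acct-Status-Type,integer
    AcctColumnDef       ACCT_INPUT_OCTETS,Acct-Input-Octets
</AuthBy>
"""

# Documented spellings; a constructed subset limited to parameters used in the thread.
KNOWN_PARAMS: Set[str] = {"DBSource", "DBUsername", "DBAuth", "FailureBackoffTime",
                          "AccountingTable", "AcctColumnDef", "Identifier"}

Block = Tuple[str, List[Tuple[str, str]]]  # (clause header, [(parameter, value), ...])


def parse_blocks(text: str) -> List[Block]:
    """Split a Radiator-style config into clauses, innermost first, ignoring comments."""
    blocks: List[Block] = []
    stack: List[Block] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"</\w+>", line):
            if stack:
                blocks.append(stack.pop())
        elif re.fullmatch(r"<\w+[^>]*>", line):
            stack.append((line, []))
        elif stack:
            parts = line.split(None, 1)
            stack[-1][1].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return blocks


def check_parameter_case(blocks: List[Block]) -> List[Tuple[int, str, str]]:
    """(clause index, name as written, documented spelling) for names differing only in case."""
    by_lower = {k.lower(): k for k in KNOWN_PARAMS}
    findings = []
    for idx, (_, params) in enumerate(blocks):
        for name, _ in params:
            documented = by_lower.get(name.lower())
            if documented and documented != name:
                findings.append((idx, name, documented))
    return findings


def check_acct_column_types(blocks: List[Block]) -> Dict[str, List[str]]:
    """Attributes whose AcctColumnDef type differs between clauses ('default' when no type given)."""
    types: Dict[str, Set[str]] = defaultdict(set)
    for _, params in blocks:
        for name, value in params:
            if name != "AcctColumnDef":
                continue
            fields = [f.strip() for f in value.split(",")]
            if len(fields) < 2:
                continue
            types[fields[1]].add(fields[2] if len(fields) > 2 else "default")
    return {attr: sorted(t) for attr, t in types.items() if len(t) > 1}


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_CFG)
    print(check_parameter_case(parsed))
    print(check_acct_column_types(parsed))
```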

Re: [RADIATOR] question about machine based authentication

2011-12-09 Thread Joy Veronneau
Ok, that's what I was looking for! putting DEFAULT in the file yields the
desired behavior.

Thanks!

Joy

On 12/8/11 5:47 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/09/2011 12:31 AM, Joy Veronneau wrote:
 Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
 the computer name. Seems like I would want the cert name checked?
 Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use
Filename %D/tls_anon with this single line:
DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup
should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching
with EAPTLS_CertificateVerifyHook

Thanks!
Heikki


 Sorry to have so many questions…
 
 Thanks,
 Joy
 
 On 12/8/11 5:26 PM, Heikki Vatiainen h...@open.com.au wrote:
 
 On 12/09/2011 12:15 AM, Joy Veronneau wrote:

 But if I do that, I will still have to have the names of the machines
in
 the tls_anon file, wouldn't I?

 Good point, I overlooked that part. Please see ref.pdf section 5.20.46
 EAPTLS_NoCheckId. You can turn off the name check.

 Thanks!
 Heikki

 Thanks,

 Joy

 On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:

 On 12/07/2011 11:42 PM, Joy Veronneau wrote:

 Hello Joy,

 I am still working on my machine based authentication config.

 Config1 (below) works fine but requires that the names of the
machines
 be
 listed in the file tls_anon.

 Try with something like this:
 <Handler ...>
   AuthByPolicy ContinueWhileAccept
   AuthBy file-tls
   AuthBy external-adcert
 </Handler>

 With the above EAP-TLS will run first and when it is done and returns
 ACCEPT, the AuthBy EXTERNAL extra check will run determining the
 outcome
 of the whole authentication process.

 Please let us know of your results
 


-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Heikki Vatiainen
On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

 I am still working on my machine based authentication config.
 
 Config1 (below) works fine but requires that the names of the machines be
 listed in the file tls_anon.

Try with something like this:
<Handler ...>
  AuthByPolicy ContinueWhileAccept
  AuthBy file-tls
  AuthBy external-adcert
</Handler>

With the above EAP-TLS will run first and when it is done and returns
ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
of the whole authentication process.

Please let us know of your results

 I need to modify this config so that I do not need to maintain a list of
 host names on the radiator server and so that I can execute an external
 script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
 I thought this would be pretty straight forward, see config2 below. The
 problem is that just this minor change causes the client to hang or
 something during the negotiation. Once the accept is sent, nothing else
 happens - we've verified this looking at the traffic on the AP. I've
 included a debug log as well.
 
 I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
 or I just can't use AuthBy EXTERNAL in combination with TLS?
 
 TIA,
 Joy
 
 ---
 config1: (works if names of computers are in tls_anon file)
 <AuthBy FILE>
   Identifier TLS
   Filename %D/tls_anon
   EAPType TLS
   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
   EAPTLS_CertificateType PEM
   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
   EAPTLS_MaxFragmentSize 1000
   AutoMPPEKeys
 </AuthBy>
 
 <AuthBy EXTERNAL>
   Identifier ADCERT
   Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
 </AuthBy>
 
 <AuthBy GROUP>
   Identifier dot1x_tls
   AuthByPolicy ContinueWhileAccept
   AuthBy TLS
 </AuthBy>
 
 <Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
   AuthByPolicy ContinueAlways
   RewriteUsername s/^host\///
   AuthBy dot1x_tls
   AuthBy ADCERT
   AcctLogFileName %L/%y%m%d-eduroam.log
 </Handler>
 
 config2 (doesn't work. see log below.)
 #<AuthBy FILE>
 <AuthBy EXTERNAL>
   Identifier TLS
 #Filename %D/tls_anon
   EAPType TLS
   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
   EAPTLS_CertificateType PEM
   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
   EAPTLS_MaxFragmentSize 1000
   Command /app/radius/scripts/authby.ADCERT
   AutoMPPEKeys
 </AuthBy>
 
 <AuthBy GROUP>
   Identifier dot1x_tls
   AuthByPolicy ContinueWhileAccept
   AuthBy TLS
 </AuthBy>
 
 <Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
   AuthByPolicy ContinueAlways
   RewriteUsername s/^host\///
   AuthBy dot1x_tls
 #   AuthBy ADCERT
   AcctLogFileName %L/%y%m%d-eduroam.log
   AuthLog QRadar_WIRELESS
 </Handler>
 
 ---
 
 the debug log
 
 *** Received from 132.236.115.218 port 33004 
 Code:   Access-Request
 Identifier: 186
 Authentic:  201217161218164173b22924147163G#30]179
 Attributes:
 User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
 NAS-IP-Address = 132.236.115.218
 NAS-Port = 1
 NAS-Identifier = cit.redrover.secure
 NAS-Port-Type = Wireless-IEEE-802-11
 Calling-Station-Id = 0014D1EA856B
 Called-Station-Id = 000B866222B0
 Service-Type = Login-User
 Framed-MTU = 1100
 EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
 Aruba-Essid-Name = eduroam-test
 Aruba-Location-Id = test-rhodes-745-ap
 Message-Authenticator =
 1391493145153Z4192210[,170g1521p
 
 Wed Dec  7 16:32:46 2011: DEBUG: Handling request with Handler
 'Aruba-Essid-Name=eduroam-test, User-Name = /^host/i', Identifier ''
 Wed Dec  7 16:32:46 2011: DEBUG: Rewrote user name to
 CIT-JV11GTEST2.cit.cornell.edu
 Wed Dec  7 16:32:46 2011: DEBUG:  Deleting session for
 host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
 Wed Dec  7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
 Wed Dec  7 16:32:46 2011: DEBUG: Running command:
 /app/radius/scripts/authby.ADCERT
 Wed Dec  7 16:32:46 2011: DEBUG: External command exited with status 0
 Wed Dec  7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
 Wed Dec  7 16:32:46 2011: DEBUG: Access accepted for
 CIT-JV11GTEST2.cit.cornell.edu
 Wed Dec  7 16:32:46 2011: DEBUG: Packet dump:
 *** Sending to 132.236.115.218 port 33004 
 Code:   Access-Accept
 Identifier: 186
 Authentic:  2341623*2152525021t149129168202204
 Attributes:
 Filter-Id = eduroam-correct
 
 (That's all that's in the logs…)
 


-- 
Heikki Vatiainen h...@open.com.au


Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Heikki Vatiainen
On 12/09/2011 12:15 AM, Joy Veronneau wrote:

 But if I do that, I will still have to have the names of the machines in
 the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section 5.20.46
EAPTLS_NoCheckId. You can turn off the name check.

Thanks!
Heikki

 Thanks,
 
 Joy
 
 On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:
 
 On 12/07/2011 11:42 PM, Joy Veronneau wrote:

 Hello Joy,

 I am still working on my machine based authentication config.

 Config1 (below) works fine but requires that the names of the machines
 be
 listed in the file tls_anon.

 Try with something like this:
 <Handler ...>
   AuthByPolicy ContinueWhileAccept
   AuthBy file-tls
   AuthBy external-adcert
 </Handler>

 With the above EAP-TLS will run first and when it is done and returns
 ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
 of the whole authentication process.

 Please let us know of your results

 I need to modify this config so that I do not need to maintain a list of
 host names on the radiator server and so that I can execute an external
 script that formats a Filter-Id for a VLAN name to return with the
 ACCEPT.
 I thought this would be pretty straight forward, see config2 below. The
 problem is that just this minor change causes the client to hang or
 something during the negotiation. Once the accept is sent, nothing else
 happens - we've verified this looking at the traffic on the AP. I've
 included a debug log as well.

 I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
 or I just can't use AuthBy EXTERNAL in combination with TLS?

 TIA,
 Joy

 ---
 config1: (works if names of computers are in tls_anon file)
 <AuthBy FILE>
   Identifier TLS
   Filename %D/tls_anon
   EAPType TLS
   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
   EAPTLS_CertificateType PEM
   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
   EAPTLS_MaxFragmentSize 1000
   AutoMPPEKeys
 </AuthBy>

 <AuthBy EXTERNAL>
   Identifier ADCERT
   Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
 </AuthBy>

 <AuthBy GROUP>
   Identifier dot1x_tls
   AuthByPolicy ContinueWhileAccept
   AuthBy TLS
 </AuthBy>

 <Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
   AuthByPolicy ContinueAlways
   RewriteUsername s/^host\///
   AuthBy dot1x_tls
   AuthBy ADCERT
   AcctLogFileName %L/%y%m%d-eduroam.log
 </Handler>
 
 config2 (doesn't work. see log below.)
 #<AuthBy FILE>
 <AuthBy EXTERNAL>
   Identifier TLS
 #Filename %D/tls_anon
   EAPType TLS
   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
   EAPTLS_CertificateType PEM
   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
   EAPTLS_MaxFragmentSize 1000
   Command /app/radius/scripts/authby.ADCERT
   AutoMPPEKeys
 </AuthBy>

 <AuthBy GROUP>
   Identifier dot1x_tls
   AuthByPolicy ContinueWhileAccept
   AuthBy TLS
 </AuthBy>

 <Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
   AuthByPolicy ContinueAlways
   RewriteUsername s/^host\///
   AuthBy dot1x_tls
 #   AuthBy ADCERT
   AcctLogFileName %L/%y%m%d-eduroam.log
   AuthLog QRadar_WIRELESS
 </Handler>

 ---

 the debug log

 *** Received from 132.236.115.218 port 33004 
 Code:   Access-Request
 Identifier: 186
 Authentic:  
 201217161218164173b22924147163G#30]179
 Attributes:
 User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
 NAS-IP-Address = 132.236.115.218
 NAS-Port = 1
 NAS-Identifier = cit.redrover.secure
 NAS-Port-Type = Wireless-IEEE-802-11
 Calling-Station-Id = 0014D1EA856B
 Called-Station-Id = 000B866222B0
 Service-Type = Login-User
 Framed-MTU = 1100
 EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
 Aruba-Essid-Name = eduroam-test
 Aruba-Location-Id = test-rhodes-745-ap
 Message-Authenticator = 1391493145153Z4192210[,170g1521p

 Wed Dec  7 16:32:46 2011: DEBUG: Handling request with Handler
 'Aruba-Essid-Name=eduroam-test, User-Name = /^host/i', Identifier ''
 Wed Dec  7 16:32:46 2011: DEBUG: Rewrote user name to
 CIT-JV11GTEST2.cit.cornell.edu
 Wed Dec  7 16:32:46 2011: DEBUG:  Deleting session for
 host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
 Wed Dec  7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
 Wed Dec  7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
 Wed Dec  7 16:32:46 2011: DEBUG: External command exited with status 0
 Wed Dec  7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
 Wed Dec  7 16:32:46 2011: DEBUG: Access accepted for
 CIT-JV11GTEST2.cit.cornell.edu
 Wed Dec  7 16:32:46 2011: DEBUG: Packet dump:
 *** Sending to 132.236.115.218 port 33004 
 Code:  

Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Joy Veronneau
Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
the computer name. Seems like I would want the cert name checked?
Is there a way I can still check the cert name?

Sorry to have so many questions…

Thanks,
Joy

On 12/8/11 5:26 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/09/2011 12:15 AM, Joy Veronneau wrote:

 But if I do that, I will still have to have the names of the machines in
 the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section 5.20.46
EAPTLS_NoCheckId. You can turn off the name check.

Thanks!
Heikki

 Thanks,
 
 Joy
 
 On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:
 
 On 12/07/2011 11:42 PM, Joy Veronneau wrote:

 Hello Joy,

 I am still working on my machine based authentication config.

 Config1 (below) works fine but requires that the names of the machines be
 listed in the file tls_anon.

 Try with something like this:
 <Handler ...>
   AuthByPolicy ContinueWhileAccept
   AuthBy file-tls
   AuthBy external-adcert
 </Handler>

 With the above EAP-TLS will run first and when it is done and returns
 ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
 of the whole authentication process.

 Please let us know of your results

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Heikki Vatiainen
On 12/09/2011 12:31 AM, Joy Veronneau wrote:
 Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
 the computer name. Seems like I would want the cert name checked?
 Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use
Filename %D/tls_anon with this single line:
DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup
should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching
with EAPTLS_CertificateVerifyHook.

Thanks!
Heikki



-- 
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] question about machine based authentication

2011-12-07 Thread Joy Veronneau
Hi,

I am still working on my machine based authentication config.

Config1 (below) works fine but requires that the names of the machines be
listed in the file tls_anon.

I need to modify this config so that I do not need to maintain a list of
host names on the radiator server and so that I can execute an external
script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
I thought this would be pretty straight forward, see config2 below. The
problem is that just this minor change causes the client to hang or
something during the negotiation. Once the accept is sent, nothing else
happens - we've verified this looking at the traffic on the AP. I've
included a debug log as well.

I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

---
config1: (works if names of computers are in tls_anon file)
<AuthBy FILE>
  Identifier TLS
  Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
  Identifier ADCERT
  # looks up VLAN and returns Filter-Id
  Command /app/radius/scripts/authby.ADCERT
</AuthBy>

<AuthBy GROUP>
  Identifier dot1x_tls
  AuthByPolicy ContinueWhileAccept
  AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy dot1x_tls
  AuthBy ADCERT
  AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>

config2 (doesn't work. see log below.)
#<AuthBy FILE>
<AuthBy EXTERNAL>
  Identifier TLS
# Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  Command /app/radius/scripts/authby.ADCERT
  AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
  Identifier dot1x_tls
  AuthByPolicy ContinueWhileAccept
  AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy dot1x_tls
# AuthBy ADCERT
  AcctLogFileName %L/%y%m%d-eduroam.log
  AuthLog QRadar_WIRELESS
</Handler>

---

the debug log

*** Received from 132.236.115.218 port 33004 
Code:   Access-Request
Identifier: 186
Authentic:  201217161218164173b22924147163G#30]179
Attributes:
User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
NAS-IP-Address = 132.236.115.218
NAS-Port = 1
NAS-Identifier = cit.redrover.secure
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = 0014D1EA856B
Called-Station-Id = 000B866222B0
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
Aruba-Essid-Name = eduroam-test
Aruba-Location-Id = test-rhodes-745-ap
Message-Authenticator = 1391493145153Z4192210[,170g1521p

Wed Dec  7 16:32:46 2011: DEBUG: Handling request with Handler
'Aruba-Essid-Name=eduroam-test, User-Name = /^host/i', Identifier ''
Wed Dec  7 16:32:46 2011: DEBUG: Rewrote user name to
CIT-JV11GTEST2.cit.cornell.edu
Wed Dec  7 16:32:46 2011: DEBUG:  Deleting session for
host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec  7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec  7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
Wed Dec  7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec  7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec  7 16:32:46 2011: DEBUG: Access accepted for
CIT-JV11GTEST2.cit.cornell.edu
Wed Dec  7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 
Code:   Access-Accept
Identifier: 186
Authentic:  2341623*2152525021t149129168202204
Attributes:
Filter-Id = eduroam-correct

(That's all that's in the logs…)












Re: [RADIATOR] question about machine based authentication

2011-11-19 Thread Heikki Vatiainen
On 11/19/2011 12:18 AM, Joy Veronneau wrote:

 I think I need some more help with my config. It is working ok for my
 machine cert based authentication, but only if I put the name of the
 machine in a file on the radius server. Here is my config snippet:

You could experiment using AuthBy LDAP2. Instead of using file as user
database, the config would lookup user (machine name) and group
information from LDAP.

See goodies/ad-ldap.cfg and goodies/ldap.cfg for hints. For example
using global catalog port and NoCheckPassword. NoCheckPassword should be
used since you are not interested in password, but attributes the
machine account has in AD.

Please let us know how it goes.
Heikki



-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] question about machine based authentication

2011-11-18 Thread Joy Veronneau
Hi,
I think I need some more help with my config. It is working ok for my machine 
cert based authentication, but only if I put the name of the machine in a file 
on the radius server. Here is my config snippet:

<AuthBy FILE>
  Identifier TLS
  Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy TLS
</Handler>


and %D/tls_anon contains:
CIT-JV11GTEST2.cit.cornell.edu

I would like to avoid having to maintain all the machine names on the radius 
server. I would prefer to do some sort of NTLM auth that would read the machine 
cert and then check to see if the machine is in a certain group.

I tried using AuthBy NTLM but that really broke everything... I do have NTLM 
working for username/pw based authn but I need to do that AND machine based…

I'd appreciate a hint. Thanks-

Joy


Re: [RADIATOR] question about machine based authentication

2011-11-15 Thread Joy Veronneau
Hi,

I've made some progress on this. The windows 7 machine is now contacting the 
radius server, but its username starts with host/ and radiator doesn't seem 
to like that. Should the machine be sending some sort of different username? I 
don't think I can get the request to the correct handler until I fix this 
problem?

The network settings on the windows 7 machine are:
Security type: WPA2 Enterprise
encryption type: TKIP
Network authentication method: microsoft: smartcard or other certificate 
(Settings- Use a certificate on this computer, use simple certificate 
selection)
advanced settings: 802.1x Specify authentication mode: Computer authentication.


Here is what I see on the radius logs:

User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
NAS-IP-Address = 132.236.115.218
NAS-Port = 1
NAS-Identifier = cit.redrover.secure
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = 0014D1EA856B
Called-Station-Id = 000B866222B0
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
Aruba-Essid-Name = eduroam-test
Aruba-Location-Id = test-rhodes-745-ap
Message-Authenticator = ]179:f223241242Z13:204222150130J181

Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 15 12:41:42 2011: INFO: Access rejected for 
host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 
Code:   Access-Reject
Identifier: 219
Authentic:  138592542361313184xLU?N4139225
Attributes:
Reply-Message = Request Denied

Thanks again,

Joy



Re: [RADIATOR] question about machine based authentication

2011-11-15 Thread Heikki Vatiainen
On 11/15/2011 07:43 PM, Joy Veronneau wrote:

 I've made some progress on this. The windows 7 machine is now contacting
 the radius server, but its username starts with host/ and radiator
 doesn't seem to like that. Should the machine be sending some sort of
 different username? I don't think I can get the request to the correct
 handler until I fix this problem?

Radiator will recognize host/ and do the authentication with correct
username. The machine seems to be sending the username correctly, so
that's not the problem.

Tue Nov 15 12:41:42 2011: INFO: Access rejected for
host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name

Your configuration file has UsernameCharset specified so that it does
not include /

If you change UsernameCharset this problem will go away.

Thanks!
Heikki




-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] question about machine based authentication

2011-11-10 Thread Heikki Vatiainen
On 11/09/2011 09:46 PM, Joy Veronneau wrote:

 Is it possible for the radiator server to do machine-based 
 authentication (via certificate) to an Active Directory domain?

You may want to check if they really mean certificates, since machine
based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
machine joins to domain, a password and username is automatically
created and these can be used for machine based authentication. This is
also supported by Radiator by default too.

 I have MSCHAPv2 working to our AD domain with username/password, but
 now someone is asking about machine-based authentication. They are
 currently doing this with an MS radius server and would like to
 switch to our centrally managed radius server and central AD system.
 I know that we would have to issue a new cert to the machine from the
 central AD domain… but I'm not finding much about how to set up
 radiator in my on-line research so far.

EAP-TLS, see goodies too, can be used here. Radiator can also do extra
checks for certs besides just checking if the cert is valid or not.

-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] Question on FarmSize, SocketQueueLength, and net.core.rmem_max on Linux

2011-08-24 Thread Heikki Vatiainen
On 08/23/2011 05:52 PM, Frank Danielson wrote:

 We are currently running Radiator 4.7 under Redhat 5.5 and I am 
 trying to make sure I understand the effect that the FarmSize
 setting has on the amount of memory allocated for the SocketQueue.

 If Radiator is configured with some FarmSize does each worker have
 its own SocketQueue with the effect of making the total amount of
 memory allocated = FarmSize * SocketQueueLength?

I think the allocated memory is always 1*SocketQueueLength. This is
based on the fact that the socket is shared between the clients and the
assumption that the socket queue is part of kernel and the fan out to
the workers happens on the OS/user space boundary. In other words, my
take is one socket queue serves one or multiple readers.

If someone knows better, please let me know.

 For example if my SocketQueueLength is 100 and the FarmSize is 4,
 is there a total of 400 bytes allocated or is it just 100? In
 either instance I am assuming that the net.core.rmem_max size needs
 to be at least as large as that number, is that correct?

If my theory holds, then it might be a good idea to increase rmem_max
because there are multiple readers that can dequeue packets and smooth
incoming bursts.

An alternate view is, if there are always workers that are ready to
process messages, then they should be able to drain normal size queue
even if the queue input rate is high.

There's also /proc/sys/net/ipv4/udp_mem which might be useful to tune UDP
queues only.

http://www.kernel.org/doc/man-pages/online/pages/man7/udp.7.html

This is an interesting question. If you decide to experiment with
different settings, maybe you could let us know of results.

Thanks!
Heikki

-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] Question about IP Pool.

2011-08-21 Thread Heikki Vatiainen
On 08/20/2011 09:07 PM, Faisal Imtiaz wrote:

Hello Faisal,

 I am currently using Radiator configured with mysql for authenticating
 DSL Subscribers. So far we have been allocating fixed IP addresses and
 framed routes as needed for the subscribers.

 We have a bunch of subscribers who need to be on dynamic IP's. There is
 a RADPOOL table that I can add addresses to either manually or via
 AddressPool...

 What I am having trouble with is what I need to 'define' for the
 user so that Radiator will get an IP address from the RADPOOL table,
 and what code, if any, I need to put in radius.cfg for this to happen.

Please see goodies/addressallocator.cfg in Radiator distribution package
for an example.

The idea is to run the normal authentication first followed by AuthBy
DYNADDRESS. The AuthByPolicy should be set so that DYNADDRESS is only
used if the normal authentication first succeeds.

You should probably keep your existing Handler and AuthBy as they are
and add a new Handler to match the dynaddress users. This new Handler
would have two AuthBys where the first does normal authentication
followed by the second AuthBy that does address allocation from AddressPool.

You can also have more AuthBys if needed, but the above is a simple
extension of your current setup shown below.

Best regards,
Heikki

 Many Thanks in advance.
 ===
 here is what my AuthBy looks like
 
 <AuthBy SQL>
  # MySQL DB, DB radius, host localhost
  DBSource dbi:mysql:xxx
  DBUsername x
  DBAuth xxx
 
  # Define Table and Columns for Authentication
  AuthSelect select PASSWORD, SERVICETYPE, 
 FRAMEDPROTOCOL, TRAFFICSHAPE, ACL, PORTLIMIT, TIMELEFT, IPPOOL, FRAMEDI$
  from SUBSCRIBERS where USERNAME = %0
  AuthColumnDef 0, Password, check
  AuthColumnDef 1, GENERIC, check
  AuthColumnDef 2, GENERIC, reply
  AuthColumnDef 3, GENERIC, reply
  AuthColumnDef 4, GENERIC, reply
  AuthColumnDef 5, GENERIC, reply
  AuthColumnDef 6, GENERIC, reply
  AuthColumnDef 7, GENERIC, reply
  AuthColumnDef 8, GENERIC, reply
  AuthColumnDef 9, GENERIC, reply
  AuthColumnDef 10, GENERIC, reply
  AuthColumnDef 11, GENERIC, reply
  AuthColumnDef 12, GENERIC, reply
 
  # Define Table and Columns for Accounting
  AccountingTable ACCOUNTING
  AcctColumnDef   USERNAME,User-Name
  AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,\
  '%Y/%m/%e %H:%M:%S'
  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
  AcctColumnDef   NASIPADDRESS,NAS-IP-Address
  AcctColumnDef   NASPORT,NAS-Port,integer
  AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
 </AuthBy>
 =
 


-- 
Heikki Vatiainen h...@open.com.au



RE: (RADIATOR) Question in AuthBy EXTERNAL

2003-10-02 Thread Man Meng Fei
Hi
Do I need to pass any parameters to testcommand.pl?


MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in AuthBy EXTERNAL


Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like
this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.

Cheers.


On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
 Hello Man Meng Fei -

 I suspect that Radiator is not able to run the external command.

 What happens when you run the following in a MS-DOS window:

   C:\Perl\bin\testcommand.pl

 There is probably something wrong with either the path or the contents

 of the file.

 regards

 Hugh


 On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei

 wrote:
  Hi
  Currently I am using a sample configuration (external.cfg) and Perl
  script (testcommand.pl) which can be retrieved from the goodies
  directory to understand the implementation of AuthBy EXTERNAL.
  But after I executed it, I can't get the expected test result. I got No
  Reply at the Radius client. I hope someone can help me to make this AuthBy
  EXTERNAL sample work.

  Lastly I attached the Radius configuration file which I used for the
  testing and the Radius Server's and Radius Client's output.

  Man Meng Fei
 
 
 
  --radius.cfg---
  # external.cfg
  #
  # Example Radiator configuration file.
  # This very simple file will allow you to get started with # 
  EXTERNAL authentication. #
  # There is an example external program called testcommand.pl
  # in the goodies directory, whichthe example below uses. It
  # will accept the request if the username is fred otherwise reject
  # it.
  #
  # So if you run Radiator with this config file, then do
  # radpwtst -noacct -trace -user fred
  # you will see something like:
  # sending Access-Request...
  # OK
  # Code:   Access-Accept
  # Identifier: 109
  # Authentic:  12_B2152=149140kBM13022110.S
  # Attributes:
  # Reply-Message = you are fred
  #
  #
  # And if you do:
  # radpwtst -noacct -trace -user someoneelse
  # you will see something like:
  # sending Access-Request...
  # Rejected
  # Code:   Access-Reject
  # Identifier: 70
  # Authentic:
165206RiJ208139245129@17013623s2423
  # Attributes:
  # Reply-Message = you are NOT fred, you are 'someoneelse'
  # Reply-Message = Request Denied
 
 
  #
  # You should consider this file to be a starting point only # $Id: 
  external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
 
  Foreground
  LogStdout
  LogDir  c:/Program Files/Radiator
  DbDir   c:/Program Files/Radiator
 
  Trace   4
 
  # You will probably want to change this to suit your site. Client 
  DEFAULT
  Secret  mysecret
  DupInterval 0
  /Client
 
  Realm DEFAULT
  AuthBy EXTERNAL
  # For NT, you might want something like this
  Command C:\Perl\bin\testcommand.pl
 
  # For Unix, maybe something like this
  #   #Command ./goodies/testcommand.pl
 
  # This will cause the User-Password
  # to be decrypted before being passed to the
  # external program
  DecryptPassword
 
  # You might prefer to use this to tell AuthBy EXTERNAL
  # to get the result from the first line of the
  # output. The permitted values are ACCEPT, REJECT
  # IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
  # its the only way to get it to work.
  # We recommend you use this method
  ResultInOutput
  </AuthBy>
  </Realm>
 
 
 
 
 
  ---Radius Server Output--
 
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-2000 Microsoft Corp.
 
  C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
  Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
  This Radiator license will expire on 2004-02-01
  This Radiator license will stop operating after 1000 requests
  To purchase an unlimited full source version of Radiator, see
  http://www.open.com.au/ordering.html
  To extend your evaluation period, contact [EMAIL PROTECTED]
 
  Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
  Thu Oct  2 01:16:58 2003: DEBUG: Creating authentication port 0.0.0.0:1645
  Thu Oct  2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
  Thu Oct  2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
  Thu Oct  2 01:18:52 2003: DEBUG: Packet dump:
  *** Received from 127.0.0.1 port 3006 
  Code:   Access-Request
  Identifier: 67

RE: (RADIATOR) Question in AuthBy EXTERNAL

2003-10-02 Thread Man Meng Fei
Hi Mike and Hugh
May I know how I should pass the parameter into the perl script when I
execute AUTH EXTERNAL, and how I can get the result after executing the
perl script?

Thanks

MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Man Meng Fei
Sent: Thursday, October 02, 2003 1:58 PM
To: 'Mike McCauley'; 'Hugh Irvine'
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Question in AuthBy EXTERNAL


Hi
Do I need to pass any parameter to testcommand.pl ?


MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in AuthBy EXTERNAL


Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like
this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.

Cheers.


On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
 Hello Man Meng Fei -

 I suspect that Radiator is not able to run the external command.

 What happens when you run the following in a MS-DOS window:

   C:\Perl\bin\testcommand.pl

 There is probably something wrong with either the path or the contents

 of the file.

 regards

 Hugh


 On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei

 wrote:
  Hi
  Currently I am using a sample configuration (external.cfg) and perl
  script (testcommand.pl) which can be retrieved from the goodies
  directory to understand the implementation of AuthBy EXTERNAL.
  But after I executed it, I can't get the expected test result. I got No
  Reply at Radius client. I hope someone can help me to make this AuthBy
  EXTERNAL sample working.
 
  Lastly I attached the Radius configuration file which I used for the
  testing and the Radius Server and Radius Client output result
 
  Man Meng Fei
 
 
 
  --radius.cfg---
  # external.cfg
  #
  # Example Radiator configuration file.
  # This very simple file will allow you to get started with
  # EXTERNAL authentication.
  #
  # There is an example external program called testcommand.pl
  # in the goodies directory, which the example below uses. It
  # will accept the request if the username is fred otherwise reject
  # it.
  #
  # So if you run Radiator with this config file, then do
  # radpwtst -noacct -trace -user fred
  # you will see something like:
  # sending Access-Request...
  # OK
  # Code:   Access-Accept
  # Identifier: 109
  # Authentic:  12_B2152=149140kBM13022110.S
  # Attributes:
  # Reply-Message = you are fred
  #
  #
  # And if you do:
  # radpwtst -noacct -trace -user someoneelse
  # you will see something like:
  # sending Access-Request...
  # Rejected
  # Code:   Access-Reject
  # Identifier: 70
  # Authentic:  165206RiJ208139245129@17013623s2423
  # Attributes:
  # Reply-Message = you are NOT fred, you are 'someoneelse'
  # Reply-Message = Request Denied
 
 
  #
  # You should consider this file to be a starting point only
  # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
 
  Foreground
  LogStdout
  LogDir  c:/Program Files/Radiator
  DbDir   c:/Program Files/Radiator
 
  Trace   4
 
  # You will probably want to change this to suit your site.
  <Client DEFAULT>
      Secret  mysecret
      DupInterval 0
  </Client>
 
  <Realm DEFAULT>
  <AuthBy EXTERNAL>
  # For NT, you might want something like this
  Command C:\Perl\bin\testcommand.pl
 
  # For Unix, maybe something like this
  #   #Command ./goodies/testcommand.pl
 
  # This will cause the User-Password
  # to be decrypted before being passed to the
  # external program
  DecryptPassword
 
  # You might prefer to use this to tell AuthBy EXTERNAL
  # to get the result from the first line of the
  # output. The permitted values are ACCEPT, REJECT
  # IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
  # its the only way to get it to work.
  # We recommend you use this method
  ResultInOutput
  </AuthBy>
  </Realm>
 
 
 
 
 
  ---Radius Server Output--
 
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-2000 Microsoft Corp.
 
  C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
  Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
  This Radiator license will expire on 2004-02-01
  This Radiator license will stop operating after 1000 requests
  To purchase an unlimited full source version of Radiator, see
  http://www.open.com.au/ordering.html
  To extend your evaluation period, contact [EMAIL PROTECTED]
 
  Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file

Re: (RADIATOR) Question in AuthBy EXTERNAL

2003-10-02 Thread Hugh Irvine
Hello MAN -

All of the attributes in the current radius request are passed to the 
external command on standard input, and the results are returned on 
standard output. Please refer to section 6.26 in the Radiator manual 
(doc/ref.html). If you want to add any parameters to be passed to the 
external program you should add them as attributes to the current 
request before calling the AuthBy EXTERNAL clause.

You should also look at the source code in the file 
Radius/AuthEXTERNAL.pm to see exactly what happens.

regards

Hugh

On Friday, Oct 3, 2003, at 11:22 Australia/Melbourne, Man Meng Fei 
wrote:

Hi Mike and Hugh
May I know how I should pass the parameter into the perl script when I
execute AUTH EXTERNAL, and how I can get the result after executing the
perl script?
Thanks

MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Man Meng Fei
Sent: Thursday, October 02, 2003 1:58 PM
To: 'Mike McCauley'; 'Hugh Irvine'
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Question in AuthBy EXTERNAL
Hi
Do I need to pass any parameter to testcommand.pl ?
MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in AuthBy EXTERNAL
Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something
like this:

		Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.
Cheers.

On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command.

What happens when you run the following in a MS-DOS window:

	C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents

of the file.

regards

Hugh

On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei

wrote:
Hi
Currently I am using a sample configuration (external.cfg) and perl
script (testcommand.pl) which can be retrieved from the goodies
directory to understand the implementation of AuthBy EXTERNAL.
But after I executed it, I can't get the expected test result. I got No
Reply at Radius client. I hope someone can help me to make this AuthBy
EXTERNAL sample working.

Lastly I attached the Radius configuration file which I used for the
testing and the Radius Server and Radius Client output result
Man Meng Fei



--radius.cfg---
# external.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EXTERNAL authentication.
#
# There is an example external program called testcommand.pl
# in the goodies directory, which the example below uses. It
# will accept the request if the username is fred otherwise reject
# it.
#
# So if you run Radiator with this config file, then do
# radpwtst -noacct -trace -user fred
# you will see something like:
# sending Access-Request...
# OK
# Code:   Access-Accept
# Identifier: 109
# Authentic:  12_B2152=149140kBM13022110.S
# Attributes:
# Reply-Message = you are fred
#
#
# And if you do:
# radpwtst -noacct -trace -user someoneelse
# you will see something like:
# sending Access-Request...
# Rejected
# Code:   Access-Reject
# Identifier: 70
# Authentic:  165206RiJ208139245129@17013623s2423
# Attributes:
# Reply-Message = you are NOT fred, you are 'someoneelse'
# Reply-Message = Request Denied
#
# You should consider this file to be a starting point only
# $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator
Trace 		4

# You will probably want to change this to suit your site.
<Client DEFAULT>
    Secret  mysecret
    DupInterval 0
</Client>
<Realm DEFAULT>
<AuthBy EXTERNAL>
# For NT, you might want something like this
Command C:\Perl\bin\testcommand.pl
# For Unix, maybe something like this
#   #Command ./goodies/testcommand.pl
# This will cause the User-Password
# to be decrypted before being passed to the
# external program
DecryptPassword
# You might prefer to use this to tell AuthBy EXTERNAL
# to get the result from the first line of the
# output. The permitted values are ACCEPT, REJECT
# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
# its the only way to get it to work.
# We recommend you use this method
ResultInOutput
</AuthBy>
</Realm>




---Radius Server Output--

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
Thu Oct  2 01:16:58

Re: (RADIATOR) Question in AuthBy EXTERNAL

2003-10-01 Thread Hugh Irvine
Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command.

What happens when you run the following in a MS-DOS window:

	C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents 
of the file.

regards

Hugh

On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei 
wrote:

Hi
Currently I am using a sample configuration (external.cfg) and perl
script (testcommand.pl) which can be retrieved from the goodies directory
to understand the implementation of AuthBy EXTERNAL.
But after I executed it, I can't get the expected test result. I got No
Reply at Radius client. I hope someone can help me to make this AuthBy
EXTERNAL sample working.

Lastly I attached the Radius configuration file which I used for the testing
and the Radius Server and Radius Client output result
Man Meng Fei



--radius.cfg---
# external.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EXTERNAL authentication.
#
# There is an example external program called testcommand.pl
# in the goodies directory, which the example below uses. It
# will accept the request if the username is fred otherwise reject
# it.
#
# So if you run Radiator with this config file, then do
# radpwtst -noacct -trace -user fred
# you will see something like:
# sending Access-Request...
# OK
# Code:   Access-Accept
# Identifier: 109
# Authentic:  12_B2152=149140kBM13022110.S
# Attributes:
# Reply-Message = you are fred
#
#
# And if you do:
# radpwtst -noacct -trace -user someoneelse
# you will see something like:
# sending Access-Request...
# Rejected
# Code:   Access-Reject
# Identifier: 70
# Authentic:  165206RiJ208139245129@17013623s2423
# Attributes:
# Reply-Message = you are NOT fred, you are 'someoneelse'
# Reply-Message = Request Denied
#
# You should consider this file to be a starting point only
# $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator
Trace 		4

# You will probably want to change this to suit your site.
<Client DEFAULT>
    Secret  mysecret
    DupInterval 0
</Client>
<Realm DEFAULT>
<AuthBy EXTERNAL>
# For NT, you might want something like this
Command C:\Perl\bin\testcommand.pl

# For Unix, maybe something like this
#   #Command ./goodies/testcommand.pl
# This will cause the User-Password
# to be decrypted before being passed to the
# external program
DecryptPassword
# You might prefer to use this to tell AuthBy EXTERNAL
# to get the result from the first line of the
# output. The permitted values are ACCEPT, REJECT
# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
# its the only way to get it to work.
# We recommend you use this method
ResultInOutput
</AuthBy>
</Realm>




---Radius Server Output--

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
This Radiator license will expire on 2004-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]
Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Thu Oct  2 01:16:58 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Oct  2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct  2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
Thu Oct  2 01:18:52 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006 
Code:   Access-Request
Identifier: 67
Authentic:  1234567890123456
Attributes:
User-Name = mikem
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
NAS-Port-Type = Async
User-Password = 159249:201175\424618889160216}x153
Thu Oct  2 01:18:52 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Oct  2 01:18:52 2003: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
Thu Oct  2 01:18:52 2003: DEBUG: Running command: C:\Perl\bin\testcommand.pl
Thu Oct  2 01:25:09 2003: ERR: ResultInOutput is enabled, but the first line of from the EXTRNAL command is an unknown result code
Thu Oct  2 01:25:09 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006 
Code:   Accounting-Request
Identifier: 68
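Hugh's description of the AuthBy EXTERNAL contract (request attributes on the external command's standard input, result on standard output, and with ResultInOutput the first output line being the result code) and the "unknown result code" ERR in the trace above are illustrated by the following external authenticator. This is an added example and not Radiator's own testcommand.pl; it assumes the "Name = value" line format shown in the packet dumps on this page and uses a constructed user table.

```python
#!/usr/bin/env python3
"""External authenticator for Radiator AuthBy EXTERNAL with ResultInOutput.

Added example, not Radiator's testcommand.pl. Assumed contract (taken from
the packet dump format and the ResultInOutput comment on this page):
  - request attributes arrive on stdin, one "Name = value" per line
  - the FIRST line written to stdout must be exactly one of
    ACCEPT, REJECT, IGNORE, CHALLENGE or REJECT_IMMEDIATE
  - any further stdout lines are "Name = value" reply attributes
  - diagnostics go to stderr only: anything else printed to stdout first
    is what produces the "unknown result code" ERR seen in the trace
"""
import hmac
import sys

RESULT_CODES = ("ACCEPT", "REJECT", "IGNORE", "CHALLENGE", "REJECT_IMMEDIATE")

# Constructed credential store for the demo only; a real deployment would
# look users up in a directory or database rather than hard-code secrets.
USERS = {"fred": "fredspassword"}


def parse_attributes(text):
    """Parse 'Name = value' lines into a dict; later duplicates win.

    Lines without '=' (e.g. 'Code:' or 'Attributes:' headers) are skipped,
    and a double-quoted value is unquoted, so a pasted packet dump parses too.
    """
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name.strip()] = value
    return attrs


def authenticate(attrs):
    """Decide the result for one request: (result_code, reply_lines)."""
    user = attrs.get("User-Name", "")
    # Only plain text when DecryptPassword is set in the AuthBy clause.
    password = attrs.get("User-Password", "")
    expected = USERS.get(user)
    if expected is None:
        # Same message shape as testcommand.pl so the operator can see
        # which username the NAS actually sent.
        return "REJECT", ["Reply-Message = you are NOT fred, you are '%s'" % user]
    # Constant-time compare so timing does not reveal how much matched.
    if hmac.compare_digest(expected.encode(), password.encode()):
        return "ACCEPT", ["Reply-Message = you are %s" % user]
    return "REJECT", ["Reply-Message = bad password"]


def render_output(result, reply_lines):
    """Build stdout text: the result code first, then reply attributes."""
    if result not in RESULT_CODES:
        raise ValueError("not a valid ResultInOutput code: %r" % result)
    return "\n".join([result] + list(reply_lines)) + "\n"


def handle(text):
    """Full pipeline for one request as read from stdin."""
    return render_output(*authenticate(parse_attributes(text)))


def main():
    try:
        out = handle(sys.stdin.read())
    except Exception as exc:
        # A traceback on stdout would be read by Radiator as the result
        # code; report on stderr and answer with a clean REJECT instead.
        print("authenticator error: %s" % exc, file=sys.stderr)
        out = render_output("REJECT", ["Reply-Message = Request Denied"])
    sys.stdout.write(out)


if __name__ == "__main__":
    main()
```

As with testcommand.pl on Windows, the Command line in the AuthBy EXTERNAL clause must name the interpreter explicitly (the python3 executable followed by the script path) rather than relying on the #! line.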

Re: (RADIATOR) Question in AuthBy EXTERNAL

2003-10-01 Thread Mike McCauley
Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.

Cheers.


On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
 Hello Man Meng Fei -

 I suspect that Radiator is not able to run the external command.

 What happens when you run the following in a MS-DOS window:

   C:\Perl\bin\testcommand.pl

 There is probably something wrong with either the path or the contents
 of the file.

 regards

 Hugh


 On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei

 wrote:
  Hi
  Currently I am using a sample configuration (external.cfg) and perl
  script (testcommand.pl) which can be retrieved from the goodies directory
  to understand the implementation of AuthBy EXTERNAL.
  But after I executed it, I can't get the expected test result. I got No
  Reply at Radius client. I hope someone can help me to make this AuthBy
  EXTERNAL sample working.
 
  Lastly I attached the Radius configuration file which I used for the testing
  and the Radius Server and Radius Client output result
 
  Man Meng Fei
 
 
 
  --radius.cfg---
  # external.cfg
  #
  # Example Radiator configuration file.
  # This very simple file will allow you to get started with
  # EXTERNAL authentication.
  #
  # There is an example external program called testcommand.pl
  # in the goodies directory, which the example below uses. It
  # will accept the request if the username is fred otherwise reject
  # it.
  #
  # So if you run Radiator with this config file, then do
  # radpwtst -noacct -trace -user fred
  # you will see something like:
  # sending Access-Request...
  # OK
  # Code:   Access-Accept
  # Identifier: 109
  # Authentic:  12_B2152=149140kBM13022110.S
  # Attributes:
  # Reply-Message = you are fred
  #
  #
  # And if you do:
  # radpwtst -noacct -trace -user someoneelse
  # you will see something like:
  # sending Access-Request...
  # Rejected
  # Code:   Access-Reject
  # Identifier: 70
  # Authentic:  165206RiJ208139245129@17013623s2423
  # Attributes:
  # Reply-Message = you are NOT fred, you are 'someoneelse'
  # Reply-Message = Request Denied
 
 
  #
  # You should consider this file to be a starting point only
  # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
 
  Foreground
  LogStdout
  LogDir  c:/Program Files/Radiator
  DbDir   c:/Program Files/Radiator
 
  Trace   4
 
  # You will probably want to change this to suit your site.
  <Client DEFAULT>
      Secret  mysecret
      DupInterval 0
  </Client>
 
  <Realm DEFAULT>
  <AuthBy EXTERNAL>
  # For NT, you might want something like this
  Command C:\Perl\bin\testcommand.pl
 
  # For Unix, maybe something like this
  #   #Command ./goodies/testcommand.pl
 
  # This will cause the User-Password
  # to be decrypted before being passed to the
  # external program
  DecryptPassword
 
  # You might prefer to use this to tell AuthBy EXTERNAL
  # to get the result from the first line of the
  # output. The permitted values are ACCEPT, REJECT
  # IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
  # its the only way to get it to work.
  # We recommend you use this method
  ResultInOutput
  </AuthBy>
  </Realm>
 
 
 
 
 
  ---Radius Server Output--
 
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-2000 Microsoft Corp.
 
  C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
  Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
  This Radiator license will expire on 2004-02-01
  This Radiator license will stop operating after 1000 requests
  To purchase an unlimited full source version of Radiator, see
  http://www.open.com.au/ordering.html
  To extend your evaluation period, contact [EMAIL PROTECTED]
 
  Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
  Thu Oct  2 01:16:58 2003: DEBUG: Creating authentication port 0.0.0.0:1645
  Thu Oct  2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
  Thu Oct  2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
  Thu Oct  2 01:18:52 2003: DEBUG: Packet dump:
  *** Received from 127.0.0.1 port 3006 
  Code:   Access-Request
  Identifier: 67
  Authentic:  1234567890123456
  Attributes:
  User-Name = mikem
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  NAS-Port-Type = Async
  User-Password =
  

Re: (RADIATOR) Question about splitting the NAS-IP-ADDRESS for SQL use

2003-08-22 Thread Hugh Irvine
Hello Troy -

I suggest you write a PreClientHook that will add the pseudo-attributes 
shown below to the incoming request packet.

There is an example that does something quite similar for Cisco 
pseudo-attributes in the file goodies/hooks.txt.

regards

Hugh

On Friday, Aug 22, 2003, at 06:49 Australia/Melbourne, Troy Holder 
wrote:

We have a DB table with all of our network equipment in it and plan to
use that to determine what Authby to use for different types of
equipment ( got to love how Cisco wants different reply values to allow
a user into enable mode). I plan to have a Handler call an AuthBy SQL
to
do a query for the Auth-Type the device needs to use and then run that
AuthBy clause. The problem that I am running into is that we have the
equipment's IP address broken up into the octets. I know that I can use
%N in the SQL in the config, but how can I get %IP1.%IP2.%IP3.%IP4 (as
in %N = %IP1.%IP2.%IP3.%IP4) instead?

--
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


Re: (RADIATOR) Question about AuthBy ADSI

2003-07-30 Thread Steve Caporossi
Hugh,
Layers 8 & 9 prevent me from running Radiator on anything but a Linux 
box, I have no bias. :-)

I am not very familiar with AD.  My understanding is that policies can 
be managed for users, machines, etc.  In our environment, we are mapping 
drives and limiting machines/user rights to resources.  We would like 
for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2.

Unfortunately, I must be missing something because it does not look like 
AuthBy LDAP 2 is ever being used.

I attached my config and a debug of an attempt to connect from a machine 
logging into the domain.  Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do 
not* have an anonymous user in my password file, but, I can authenticate 
wireless users via TTLS successfully.  Am I mistaken or should this be 
happening? - Just not those trying to authenticate to the domain.

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -

You can use the AuthBy RADIUS clause to forward radius requests to a 
remote radius server. The exact configuration will depend on what else 
you are already doing in your configuration file. I am not sure I 
understand what you mean by domain policies - can you give me a bit 
more detail?

BTW - Radiator runs just fine on W2K server.

regards

Hugh

On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve Caporossi 
wrote:

Running radiator on a W2K server does not appear to be an option for 
us...I need to forward any domain logins ie, domain\username to a 
Windows radius server, but only if they try to login to the domain.  
Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using 
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages, 
or disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only 
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance 
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual 
(doc/ref.html).
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40 AuthBy ADSI it has the statement,

<snip>
It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm
</snip>

I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083
# radius.cfg
#

#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir  /var/log/radius
DbDir   /etc/radiusserver
PidFile /var/run/radius.pid
DictionaryFile  /etc/radiusserver/dictionary

# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace   4

AuthPort 1645,1812
AcctPort 1646,1813


# Add Clients below... 

<Client xxx.xxx.xxx.1>
    Identifier ppp
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>

<Client xxx.xxx.xxx.2>
    Identifier ppp
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>

<Client xxx.xxx.xxx.1>
    Identifier vpn
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>

<Client DEFAULT>
    Identifier wlan
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
    IgnoreAcctSignature
</Client>

#
#
 PPP Config ##

<Handler Client-Identifier=ppp>
 
    # AuthByPolicy ContinueAlways
    AuthByPolicy ContinueWhileIgnore  # Default

    <AuthBy SQL>

        DBSource dbi:mysql:radius

Re: (RADIATOR) Question about AuthBy ADSI

2003-07-30 Thread Hugh Irvine
Hello Steve -

Your configuration file is incorrect.

You cannot have Realms inside Handlers. If you are using Handlers, you  
must use only Handlers and they cannot be placed inside other Handlers.  
You cannot have Log ... clauses inside AuthBy ... clauses either.

regards

Hugh

On Thursday, Jul 31, 2003, at 02:29 Australia/Melbourne, Steve  
Caporossi wrote:

Hugh,
Layers 8 & 9 prevent me from running Radiator on anything but a Linux  
box, I have no bias. :-)

I am not very familiar with AD.  My understanding is that policies can  
be managed for users, machines, etc.  In our environment, we are  
mapping drives and limiting machines/user rights to resources.  We  
would like for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2.

Unfortunately, I must be missing something because it does not look  
like AuthBy LDAP 2 is ever being used.

I attached my config and a debug of an attempt to connect from a  
machine logging into the domain.  Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do  
not* have an anonymous user in my password file, but, I can  
authenticate wireless users via TTLS successfully.  Am I mistaken or  
should this be happening? - Just not those trying to authenticate to  
the domain.

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
You can use the AuthBy RADIUS clause to forward radius requests to a  
remote radius server. The exact configuration will depend on what  
else you are already doing in your configuration file. I am not sure  
I understand what you mean by domain policies - can you give me a  
bit more detail?
BTW - Radiator runs just fine on W2K server.
regards
Hugh
On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve  
Caporossi wrote:
Running radiator on a W2K server does not appear to be an option for  
us...I need to forward any domain logins ie, domain\username to a  
Windows radius server, but only if they try to login to the domain.   
Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using  
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages,  
or disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only  
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance  
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual  
(doc/ref.html).
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve  
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie  
into AD for domain login and username/password checking.  In the  
reference manual section 6.40 AuthBy ADSI it has the statement,

<snip>
It is only available on Windows 2000 platforms. It is implemented  
in AuthADSI.pm
</snip>

I am a little confused...does this mean that radiator needs to be  
running on W2K?

Thanks,
--  
Steve



# radius.cfg
#

#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir  /var/log/radius
DbDir   /etc/radiusserver
PidFile /var/run/radius.pid
DictionaryFile  /etc/radiusserver/dictionary
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace   4
AuthPort 1645,1812
AcctPort 1646,1813
# Add Clients below...

<Client xxx.xxx.xxx.1>
    Identifier ppp
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>
<Client xxx.xxx.xxx.2>
    Identifier ppp
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>
<Client xxx.xxx.xxx.1>
    Identifier vpn
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>
<Client DEFAULT>
    Identifier wlan

Re: (RADIATOR) Question about configuration file

2003-07-25 Thread Mike McCauley
Hello Geoffrey,


On Fri, 25 Jul 2003 09:42 am, Hugh Irvine wrote:
> Hello Geoffrey -
>
> On Thursday, Jul 24, 2003, at 19:40 Australia/Melbourne, DUFOUR
> Geoffrey wrote:
>> Hello,
>>
>> As far as I understand, radiusd reads the configuration file only once
>> (when it starts). Correct ?
>
> Correct - but see below.
>
>> Is there a way to force radiusd to read the file every x min. or every
>> time the file is updated (new realm, RADIUS client, ...) without
>> restarting it ?
>
> No. Although you can use a HUP signal to cause a warm restart during
> which the configuration file is reread.
>
>> I would also like to know if it is possible to store realms/handlers
>> configuration information in a SQL database instead of in a flat file
>> (the same way you can do it for RADIUS clients with ClientListSQL).
>
> No there isn't.

However, I have seen some cases using an include statement in the config file 
that opens a pipe to a custom program that constructs Radiator clauses on the 
fly from an SQL database.

Cheers.


 regards

 Hugh


 NB: have you included a copy of your configuration file (no secrets),
 together with a trace 4 debug showing what is happening?

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

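Mike's reply describes an include statement that reads Radiator clauses from a program fed by an SQL database. The script below is an added example of such a program; it is not Radiator's code and not Mike's. It reads a constructed `clients` table from an in-memory SQLite database (assumed here in place of a real NMS database; the table and column names are this example's) and prints `<Client>` clauses on standard output. Because the config file is line oriented, a newline inside a database field would end the clause and start another, so anyone who can write that table could otherwise write radiusd configuration; the script therefore refuses to emit any value that does not match a strict character class.

```python
"""Emit Radiator <Client> clauses from an SQL table.

Added example for the reply above (not Radiator's own code, not Mike's):
the kind of "custom program" an include statement could read through a
pipe to build Client clauses from a database instead of a flat file.
The table name, column names and sample rows are constructed for the
example; a real deployment would read its own NMS or RADIUS database.
"""
import re
import sqlite3

# Radiator's config file is line oriented, so a value carrying a newline
# (a stray one in the database, or one planted by whoever can write the
# table) could terminate the clause early and smuggle in extra config.
# Every emitted field must therefore match a strict character class; the
# patterns are this example's choice, not a Radiator rule.
IDENT_RE = re.compile(r"[A-Za-z0-9_.:-]+")        # Identifier, NasType
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")   # Client address
SECRET_RE = re.compile(r"[\x21-\x7e]{8,}")         # printable ASCII, no whitespace


def checked(field, value, pattern):
    """Return value if the whole string matches pattern, else refuse to emit it."""
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise ValueError(f"refusing to emit {field} from database row: {value!r}")
    return value


def render_client(row):
    """Render one (nas_ip, identifier, secret, nastype) row as a <Client> clause."""
    nas_ip, identifier, secret, nastype = row
    if nas_ip != "DEFAULT":
        checked("client address", nas_ip, IPV4_RE)
    lines = [
        f"<Client {nas_ip}>",
        f"\tIdentifier {checked('Identifier', identifier, IDENT_RE)}",
        f"\tSecret {checked('Secret', secret, SECRET_RE)}",
        "\tDupInterval 2",
    ]
    if nastype:
        lines.append(f"\tNasType {checked('NasType', nastype, IDENT_RE)}")
    lines.append("</Client>")
    return "\n".join(lines) + "\n"


def render_client_clauses(conn):
    """Return the concatenated clauses for every row of the clients table."""
    rows = conn.execute(
        "SELECT nas_ip, identifier, secret, nastype FROM clients ORDER BY nas_ip"
    ).fetchall()
    return "".join(render_client(row) for row in rows)


def sample_db(rows=None):
    """In-memory table with constructed sample rows (schema is this example's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (nas_ip TEXT PRIMARY KEY, identifier TEXT, "
        "secret TEXT, nastype TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", rows or [
        ("10.0.0.1", "ppp", "examplePppSecret", "Cisco"),
        ("10.0.0.2", "vpn", "exampleVpnSecret", "Cisco"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    sys.stdout.write(render_client_clauses(sample_db()))
```

Whether the include statement opens the program as a pipe or reads a file the program wrote, radiusd only picks the clauses up when it starts or when it receives a HUP, as Hugh and Andrew note in this thread, so the regeneration step has to be paired with a signal.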


Re: (RADIATOR) Question about configuration file

2003-07-24 Thread Hugh Irvine

Hello Geoffrey -

On Thursday, Jul 24, 2003, at 19:40 Australia/Melbourne, DUFOUR Geoffrey wrote:

> Hello,
>
> As far as I understand, radiusd reads the configuration file only once (when it starts). Correct ?

Correct - but see below.

> Is there a way to force radiusd to read the file every x min. or every time the file is updated (new realm, RADIUS client, ...) without restarting it ?

No. Although you can use a HUP signal to cause a warm restart during which the configuration file is reread.

> I would also like to know if it is possible to store realms/handlers configuration information in a SQL database instead of in a flat file (the same way you can do it for RADIUS clients with ClientListSQL).

No there isn't.

regards

Hugh



-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) Question about configuration file

2003-07-24 Thread Andrew Stevenson
On Thu, 24 Jul 2003, DUFOUR Geoffrey wrote:

> As far as I understand, radiusd reads the configuration file only once
> (when it starts). Correct ?

AFAIK

> Is there a way to force radiusd to read the file every x min. or every
> time the file is updated (new realm, RADIUS client, ...) without
> restarting it ?

You can get it to reload every x mins by sending SIGHUP from cron. If you
want it to happen when the config file changes you could either make the
cron job check modification times of the file and still check every x
minutes or use a program like wait_on.

Andrew


Re: (RADIATOR) Question about AuthBy ADSI

2003-07-23 Thread Steve Caporossi
Running radiator on a W2K server does not appear to be an option for 
us...I need to forward any domain logins, i.e. domain\username, to a 
Windows radius server, but only if they try to login to the domain.  Has 
anyone done this and been willing to share their methodology?

Can the domain policies be passed down to the machine as well using 
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages, or 
disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported 
on recent Windows releases.

You can either try the AuthBy NT clause, or you can run an instance of 
Radiator on the Windows host and proxy requests to it.

You will find details on AuthBy NT in section 6.27 of the manual 
(doc/ref.html).

regards

Hugh

On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40 AuthBy ADSI it has the statement,

snip
It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm
/snip

I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


Re: (RADIATOR) Question about AuthBy ADSI

2003-07-23 Thread Hugh Irvine
Hello Steve -

You can use the AuthBy RADIUS clause to forward radius requests to a 
remote radius server. The exact configuration will depend on what else 
you are already doing in your configuration file. I am not sure I 
understand what you mean by domain policies - can you give me a bit 
more detail?

BTW - Radiator runs just fine on W2K server.

regards

Hugh

On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve 
Caporossi wrote:

Running radiator on a W2K server does not appear to be an option for 
us...I need to forward any domain logins ie, domain\username to a 
Windows radius server, but only if they try to login to the domain.  
Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using 
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages, 
or disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only 
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance 
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual 
(doc/ref.html).
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:
I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40 AuthBy ADSI it has the statement,

snip
It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm
/snip

I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


Re: (RADIATOR) question -- solved I think =)

2003-07-22 Thread Chris Garzon

- Original Message - 
From: Hugh Irvine [EMAIL PROTECTED]
To: Chris Garzon [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 7:59 AM
Subject: Re: (RADIATOR) question


> You should test your SQL statements by hand with your database tools
> first before putting them in the configuration file.

Hi, I've managed to get things working, so I thought I might share. Thanks for the
tips to all those who helped, especially Hugh and Mike.
I used MySQL's UNIX_TIMESTAMP() function: since VALIDFROM='now' returns
a NULL value, it was more appropriate to
use: VALIDFROM=UNIX_TIMESTAMP(NOW())

cheers!

chris




---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.502 / Virus Database: 300 - Release Date: 7/18/2003

This Email is protected by RAV AntiVirus Security Software for SuSE Linux eMail Server



Re: (RADIATOR) Question about AuthBy ADSI

2003-07-22 Thread Hugh Irvine
Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported 
on recent Windows releases.

You can either try the AuthBy NT clause, or you can run an instance of 
Radiator on the Windows host and proxy requests to it.

You will find details on AuthBy NT in section 6.27 of the manual 
(doc/ref.html).

regards

Hugh

On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40 AuthBy ADSI it has the statement,

snip
It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm
/snip

I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


Re: (RADIATOR) question

2003-07-21 Thread Chris Garzon
Hi,

I've set up my AcctSQLStatement to look like this:

AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
    OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
    OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL

now the second statement returns this error in the logfile:

Mon Jul 21 18:02:49 2003: ERR: do failed for 'update RADUSERS set
VALIDFROM=now where VALIDFROM=NULL': Unknown column 'now' in 'field list'


-chris




Re: (RADIATOR) question

2003-07-21 Thread Hugh Irvine
Hello Chris -

You should test your SQL statements by hand with your database tools 
first before putting them in the configuration file.

regards

Hugh

On Monday, Jul 21, 2003, at 20:10 Australia/Melbourne, Chris Garzon 
wrote:

> Hi,
>
> I've set up my AcctSQLStatement to look like this:
>
> AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
>     OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
>     OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL
>
> now the second statement returns this error in the logfile:
>
> Mon Jul 21 18:02:49 2003: ERR: do failed for 'update RADUSERS set
> VALIDFROM=now where VALIDFROM=NULL': Unknown column 'now' in 'field list'
>
> -chris



Re: (RADIATOR) question

2003-07-18 Thread Mike McCauley
Hello Chris,


On Fri, 18 Jul 2003 12:05 pm, Chris wrote:
> Hello list,
>
> I'm using radmin + radiator, Right now I want to do these to my system,
> please point me out to some examples or possible solutions:
>
> 1. How do I make first time users to base their starting usage from the
> moment they first logged into the system? 

You could use an AcctSQLStatement that sets their expiry date if it is 
currently NULL. Then the first successful session start will set their expiry 
date to, say, the current date + 30 days (or whatever your policy is).


> 2. I want to implement an off
> peak time wherein when users login from 12am to 7am that their usage won't
> be deducted during those specified time.

You could set up multiple Handlers, each with a different Time check item:

# off peak
<Handler Time=Al-0700>
	<AuthBy RADMIN>
	# no AccountingTable or AcctColumnDef entries here
	# means no accounting data inserted

	</AuthBy>
</Handler>

# all the rest
<Handler>
	<AuthBy RADMIN>

	</AuthBy>
</Handler>

The AuthBy RADMIN clauses would be 

> thanks,
> chris




Re: (RADIATOR) question

2003-07-18 Thread queksteven

Hi Chris,

My advice for different time zones: you should be using a stored procedure to
process the accounting event. The person might be surfing from 11pm and end
at 2am; you will be charging 11-12am and the rest free.

We have implemented the rating using a stored procedure and it allows
flexibility as well.


Hope it helps.



Mike McCauley [EMAIL PROTECTED] wrote on 18/07/2003 03:57 PM
Sent by: [EMAIL PROTECTED]
To: Chris [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: (bcc: QUEK Steven/Prod Dev Dir/STSunPage/ST Group)
Subject: Re: (RADIATOR) question

> Hello Chris,
>
>
> On Fri, 18 Jul 2003 12:05 pm, Chris wrote:
>> Hello list,
>>
>> I'm using radmin + radiator, Right now I want to do these to my system,
>> please point me out to some examples or possible solutions:
>>
>> 1. How do I make first time users to base their starting usage from the
>> moment they first logged into the system?
>
> You could use an AcctSQLStatement that sets their expiry date if it is
> currently NULL. Then the first successful session start will set their
> expiry date to, say, the current date + 30 days (or whatever your policy is).
>
>
>> 2. I want to implement an off
>> peak time wherein when users login from 12am to 7am that their usage
>> won't be deducted during those specified time.
>
> You could set up multiple Handlers, each with a different Time check item:
>
> # off peak
> <Handler Time=Al-0700>
> 	<AuthBy RADMIN>
> 	# no AccountingTable or AcctColumnDef entries here
> 	# means no accounting data inserted
>
> 	</AuthBy>
> </Handler>
>
> # all the rest
> <Handler>
> 	<AuthBy RADMIN>
>
> 	</AuthBy>
> </Handler>
>
> The AuthBy RADMIN clauses would be
>
>> thanks,
>> chris


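The two answers above take different views of the off-peak window. Mike's per-Handler approach decides by the time the accounting request arrives, so a session that starts at 23:00 and stops at 02:00 matches the off-peak Handler in full and nothing is deducted; Steven's point is that only the 23:00 to 00:00 hour should be charged, which is why he rates in a stored procedure. The code below is an added example, written for this thread and not taken from Radiator, radmin or either poster; it implements both rules so the difference can be checked on constructed sessions. It assumes naive local-time datetimes (no DST handling) and the 12am to 7am window named in the question.

```python
"""Split a session's chargeable time around a daily off-peak window.

Added example (not Radiator's, radmin's, or either poster's code) for the
two answers above.  `handler_deduction` models Mike's Handler-per-time
approach: the whole session is deducted unless the accounting request
(taken here as the Stop time) arrives inside the window.  `chargeable_seconds`
models the rating Steven describes doing in a stored procedure: only the part
of the session outside the window is deducted.  Naive local-time datetimes
are assumed (no DST handling); the window 00:00-07:00 comes from the thread.
"""
from datetime import datetime, timedelta

OFFPEAK_START_HOUR = 0   # 12am
OFFPEAK_END_HOUR = 7     # 7am, exclusive


def chargeable_seconds(stop, session_time,
                       start_hour=OFFPEAK_START_HOUR, end_hour=OFFPEAK_END_HOUR):
    """Seconds of the session ending at `stop` (a datetime) that fall outside
    the daily [start_hour, end_hour) window.  The session is walked one
    calendar day at a time so multi-day sessions subtract every window."""
    start = stop - timedelta(seconds=session_time)
    charged = 0.0
    cursor = start
    while cursor < stop:
        midnight = cursor.replace(hour=0, minute=0, second=0, microsecond=0)
        window_start = midnight + timedelta(hours=start_hour)
        window_end = midnight + timedelta(hours=end_hour)
        segment_end = min(stop, midnight + timedelta(days=1))
        segment = (segment_end - cursor).total_seconds()
        # overlap of [cursor, segment_end) with [window_start, window_end)
        overlap = (min(segment_end, window_end) - max(cursor, window_start)).total_seconds()
        charged += segment - max(0.0, overlap)
        cursor = segment_end
    return int(charged)


def handler_deduction(stop, session_time,
                      start_hour=OFFPEAK_START_HOUR, end_hour=OFFPEAK_END_HOUR):
    """Deduction when the request is routed by a Time check item: all or nothing,
    depending only on when the Stop record arrives."""
    if start_hour <= stop.hour < end_hour:
        return 0
    return session_time


def compare(stop_iso, session_time):
    """(handler rule, split rule) deductions for a session stopping at stop_iso
    (ISO 8601, e.g. '2003-07-18 02:00:00') after session_time seconds."""
    stop = datetime.fromisoformat(stop_iso)
    return handler_deduction(stop, session_time), chargeable_seconds(stop, session_time)
```

For the 23:00 to 02:00 session from Steven's message, `compare("2003-07-18 02:00:00", 3 * 3600)` gives `(0, 3600)`: the Handler rule deducts nothing, the split rule deducts the one peak hour. The same split logic is what a stored procedure would apply to the Acct-Session-Time and timestamp columns of the accounting record.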


Re: (RADIATOR) question

2003-07-18 Thread Chris

> You could use an AcctSQLStatement that sets their expiry date if it is
> currently NULL. Then the first successful session start will set their
> expiry date to, say, the current date + 30 days (or whatever your policy is).

Thanks Mike. Should I be safe then if I add this to my AcctSQLStatement to
update my VALIDFROM table:

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM='0',
TIMELEFT=TIMELEFT-0%{Acct-Session-Time} etc.

thanks,
Chris




Re: (RADIATOR) question

2003-07-18 Thread Mike McCauley
Hello Chris,

On Fri, 18 Jul 2003 09:56 pm, Chris wrote:
>> You could use an AcctSQLStatement that sets their expiry date if it is
>> currently NULL. Then the first successful session start will set their
>> expiry date to, say, the current date + 30 days (or whatever your policy is).
>
> Thanks Mike. Should I be safe then if I add this to my AcctSQLStatement to
> update my VALIDFROM table:
>
> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM='0',
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time} etc.

It might be more common to let the starting value of VALIDFROM be NULL (which 
means Radiator would ignore it first time around), and then set it with:

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL and 
...


> thanks,
> Chris


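The statements in this thread can be dry-run without a NAS, which is what Hugh recommended ("test your SQL statements by hand with your database tools"). The script below is an added example, not Radiator's code and not Chris's or Mike's: it reproduces the `%{Attribute}` and `%n` substitution that Radiator applies to an AcctSQLStatement (only as far as these statements need it; the quote doubling on the user name is this example's own precaution) and runs the result against a constructed RADUSERS table in SQLite. It shows the unknown-column failure from Chris's first attempt, the `VALIDFROM IS NULL` form from Mike's reply with an epoch expression standing in for `UNIX_TIMESTAMP(NOW())` (SQLite has no such function), and why the `-0` in `TIMELEFT-0%{Acct-Session-Time}` matters when a record arrives without the attribute.

```python
"""Dry-run Radiator-style AcctSQLStatements against an in-memory SQLite table.

Added example, not Radiator's code: it imitates the %{Attribute} and %n
substitution Radiator performs on an AcctSQLStatement before handing the
text to the database, so the statements from this thread can be exercised
without a RADIUS client.  The RADUSERS schema, the row and the attribute
values are constructed here; SQLite stands in for MySQL, so the epoch
expression differs from UNIX_TIMESTAMP(NOW()).
"""
import re
import sqlite3

# SQLite has no UNIX_TIMESTAMP(NOW()); derive the epoch from the Julian day
# (2440587.5 is the Julian day of 1970-01-01 00:00 UTC).
EPOCH_NOW = "CAST((julianday('now') - 2440587.5) * 86400 AS INTEGER)"

# The '-0' before each %{...} keeps the SQL valid when the attribute is
# absent: the text becomes "TIMELEFT-0" instead of "TIMELEFT-".
GUARDED = [
    "update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, "
    "OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, "
    "OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'",
    "update RADUSERS set VALIDFROM=" + EPOCH_NOW
    + " where VALIDFROM IS NULL and USERNAME='%n'",
]
UNGUARDED = [
    "update RADUSERS set TIMELEFT=TIMELEFT-%{Acct-Session-Time} where USERNAME='%n'",
]
# Chris's first attempt: 'now' is read by the database as a column name.
BROKEN = [
    "update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL and USERNAME='%n'",
]


def expand(template, attrs, username):
    """Substitute %{Attr} with the request attribute (empty string if absent)
    and %n with the user name.  Values are spliced in as text; doubling the
    single quotes in the user name is this example's precaution, not a claim
    about what Radiator does."""
    text = re.sub(r"%\{([A-Za-z0-9-]+)\}",
                  lambda m: str(attrs.get(m.group(1), "")), template)
    return text.replace("%n", username.replace("'", "''"))


def make_db():
    """Constructed RADUSERS table with one user whose VALIDFROM is still NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE RADUSERS (USERNAME TEXT PRIMARY KEY, TIMELEFT INTEGER, "
        "OCTETSINLEFT INTEGER, OCTETSOUTLEFT INTEGER, VALIDFROM INTEGER)"
    )
    conn.execute("INSERT INTO RADUSERS VALUES ('chris', 36000, 1000000, 1000000, NULL)")
    conn.commit()
    return conn


def run_acct(conn, statements, attrs, username):
    """Run each expanded statement and collect the database error text for the
    ones that fail, the way radiusd logs 'ERR: do failed for ...' and carries on."""
    errors = []
    for stmt in statements:
        sql = expand(stmt, attrs, username)
        try:
            conn.execute(sql)
        except sqlite3.Error as exc:
            errors.append(f"do failed for '{sql}': {exc}")
    conn.commit()
    return errors


def user_row(conn, username):
    """(TIMELEFT, OCTETSINLEFT, OCTETSOUTLEFT, VALIDFROM) for the user."""
    return conn.execute(
        "SELECT TIMELEFT, OCTETSINLEFT, OCTETSOUTLEFT, VALIDFROM "
        "FROM RADUSERS WHERE USERNAME=?", (username,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(run_acct(db, BROKEN, {}, "chris"))
    stop = {"Acct-Session-Time": 600, "Acct-Input-Octets": 1000, "Acct-Output-Octets": 2000}
    print(run_acct(db, GUARDED, stop, "chris"), user_row(db, "chris"))
```

SQLite reports the first failure as `no such column: now`, the equivalent of the `Unknown column 'now' in 'field list'` that MySQL logged for Chris; the fix in both cases is a real date expression, which on MySQL is the `UNIX_TIMESTAMP(NOW())` Chris settled on.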


Re: (RADIATOR) question

2003-07-18 Thread Chris

> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL and

Oh, ok, thanks, I get it. Now how can my Radmin database set VALIDFROM
initially to NULL? I tried to test it using the radmin editUser.pl web script
and it gave out this error: Not updated because: Invalid date/time format in
'Valid from'

thanks,
chris






Re: (RADIATOR) Question about configuration

2003-07-16 Thread Hugh Irvine
Hello William -

Thanks for your mail.

As far as I can see from what you show below, Radiator is running  
correctly.

When you start the radiusd process, it prints out the messages as  
shown and then it waits until it receives a radius request from a  
client device. It looks like radiusd is starting correctly, but it is  
not receiving any requests.

You will need to configure the router to do radius authentication and  
accounting, so you should check with your router vendor to find out  
what configuration is required.

regards

Hugh

On Thursday, Jul 17, 2003, at 00:38 Australia/Melbourne, William  
Palencia wrote:

Hi. I'm installing radiator for the first time, and can't get it to start. I  
don't know what was wrong. Here is the configuration file.

/* *** */

Foreground
LogStdout
AuthPort 1645
AcctPort 1646
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator
<Client 192.168.1.1>
	Secret  cisco
	DupInterval 0
</Client>
<Client DEFAULT>
	Secret  cisco
	DupInterval 0
</Client>
<ClientListSQL>
	DBSource dbi:mysql:radius
	DBUsername  root
	DBAuth  admin2003
</ClientListSQL>
<Realm DEFAULT>
	<AuthBy SQL>
		DBSource dbi:mysql:radius
		DBUsername  root
		DBAuth  admin2003
		AccountingTable ACCOUNTING
		AcctColumnDef   USERNAME,User-Name
		AcctColumnDef   TIME_STAMP,Timestamp,integer
		AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
		AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
		AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
		AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
		AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
		AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
		AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
		AcctColumnDef   NASIDENTIFIER,NAS-Identifier
		AcctColumnDef   NASPORT,NAS-Port,integer
		AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
		AcctFailedLogFileName missedaccounting
	</AuthBy>
</Realm>

/* *** */

I want to authenticate users from a router. The router has the ip
address 192.168.1.1, I'm using the database schema included in the  
radiator distribution.

When I tell radius to start, I get the following message :

This Radiator license will expire on 2003-10-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

And I don't get any more messages.

Can somebody tell me what is wrong.

Thanks.

William Palencia
Ingeniero de Operaciones
Colombiatel S.A.
Tel: 6743080 - 6743026
Cel: 315 3626346


Re: (RADIATOR) Question about AutyBy LSA module?

2003-06-18 Thread Mike McCauley
Hello John,


On Thu, 19 Jun 2003 01:27 am, John McFadden wrote:
> Saw the announcement on the AuthBy LSA module and I wanted to make sure I
> understood its implications.
>
> Does this module allow us to authenticate MSCHAP passwords against an
> ActiveDirectory or NT domain controller?

Yes.


> This has been a big issue up to now and one reason why we've been
> ignoring PEAP and Microsoft's built in VPN client.

Yes, few Radius servers can support this combination of PEAP or MSCHAP and 
windows passwords.


> Comments?

Try it :-)

Cheers.



> Thanks in advance.
> John McFadden



Re: (RADIATOR) question about Radiator and Orinoco AP-2500

2003-03-19 Thread Hugh Irvine
Hello Primoz -

You should probably use a packet sniffer (snoop, tcpdump, 
ethereal...) to check on exactly what radius reply attributes are being 
sent back by Cisco ACS and then configure Radiator to send the same 
ones.

In general you will need at least the following:

<Realm DEFAULT>
	<AuthBy FILE>
		Filename /radiator/conf/users
		AddToReply Service-Type = Framed-User, \
			Framed-Protocol = PPP
	</AuthBy>
</Realm>

regards

Hugh

On Wednesday, Mar 19, 2003, at 20:24 Australia/Melbourne, Primoz 
Jeroncic wrote:

Hi there

I was trying to find something about this in the mailing list archive but
I didn't have too much luck so I hope you won't mind too much if this
question was answered already.
I have an Orinoco (Proxim) AP-2500 which I configured for getting
authorization about allowed users from an external Radius. My problem
is that when I use Cisco Secure ACS as Radius it works fine and
clients can browse web, send mails, use telnet etc. without problems
once they sign in with their username and password. As soon as I
change Cisco Secure ACS with Radiator the only thing which still works
is browsing web. Sending mail, telneting etc. stop working. I'm
almost 100% sure there's just one small thing which should be
configured with Radiator to send back to Orinoco some attributes
and everything would work, but I really don't have any idea what
those attributes would be, since even on Cisco Secure ACS I didn't
configure anything special except username and password for user
and client IP address and authentication key (using Radius IETF
authentication not some vendor specific one).
Problem is that I would really like to use Radiator for this
and not something else, since I can write some application which will
be maintaining the users file much easier than playing with some SQL
for the same purpose. And not to mention that I would rather have it
run on some Unix box and not a Windows server. Cisco ACS runs on Solaris
too but for this project I don't have budget for a Sun machine and
Cisco ACS doesn't run on Solaris for Intel.
Btw.. current config is this:

Radius.cfg
<Client 10.0.0.10>
	Secret test
	DupInterval 0
</Client>
<Realm DEFAULT>
	<AuthBy FILE>
		Filename /radiator/conf/users
	</AuthBy>
</Realm>

/radiator/conf/users
user1	Password = test1, Expiration = 25/03/03
	Idle-Timeout = 5,
	Session-Timeout = 5,
	Fall-Through = yes

Thanks in advance for any help.
Thanks in advance for any help.

Best regards,
Primoz Jeroncic
Support - IP/VoIP Connectivity  Routing
---
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2   fax:  +386 1 562 18 55   |   1 + 1 = 3
1236 Trzin  mailto:[EMAIL PROTECTED] | for larger values of 1
Slovenija   http://www.softnet.si/primoz
---


Re: (RADIATOR) Question on Make Test error [Radiator 3.5 on Solaris 2.8]

2003-02-24 Thread Hugh Irvine

Hello Kiaran -

Could you please send me the name of the registered company that has purchased this copy of Radiator?

Please reply to me directly and include the username that you use to access the web site.

thanks and regards

Hugh


On Tuesday, Feb 25, 2003, at 14:05 Australia/Melbourne, [EMAIL PROTECTED] wrote:

Hello,

I ran into several "not ok" results when doing the Make Test for Radiator 3.5 on Solaris 2.8:
not ok 5a
not ok 5d
not ok 5f

Can you tell me what could be the cause? Am I missing a particular file?

Thanks in advance,
Kiaran


# /usr/local/ActivePerl-5.6/bin/perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for Radius
#
# /usr/local/ActivePerl-5.6/bin/perl test.pl
Starting tests...
Starting 2 test servers. Please wait...
This Radiator license will expire on 2003-06-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

This Radiator license will expire on 2003-06-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

ok 1a
ok 1b
ok 1c
ok 1d
ok 1e
ok 2a
ok 2b
ok 2c
ok 2d
ok 2e
ok 2f
ok 2g
ok 2h
ok 2i
ok 2j
ok 2k
ok 2l
ok 2m
ok 2n
ok 2o
ok 2p
ok 2q
ok 2r
ok 2s
ok 2t
ok 2u
ok 2v
ok 2x
ok 2y
ok 2z
ok 3a
ok 3b
ok 3c
ok 3d
ok 3e
ok 3f
ok 3g
ok 3h
ok 4a
ok 4b
ok 4c
not ok 5a
ok 5b
ok 5c
not ok 5d
ok 5e
not ok 5f
ok 5g
ok 6a
ok 6b
ok 6c
ok 6d
ok 6e
ok 6f
ok 6g
ok 6h
ok 7a
ok 7b
ok 7c
ok 8a
ok 8b
Tests completed
sh: kill: no such process
#






Re: (RADIATOR) question on AuthSQLStatement

2002-12-30 Thread Hugh Irvine

Hello Seung Park -

There is no mechanism currently to access the results of an 
AuthSQLStatement later during packet processing.

This is why I suggested a PostAuthHook to post-process the results of 
the AuthSelect/AuthColumnDef in my other mail.

Of course, you can also run SQL statements directly in a hook as well.

regards

Hugh


On Monday, Dec 30, 2002, at 22:50 Australia/Melbourne, Seung Park wrote:

I understand that the AuthSQLStatement allows arbitrary sql statements 
to be run at sundry points in the request process. Is there any way to 
access the results of those AuthSQLStatements?

For example, if my AuthSQLStatement  executes: select data1, data2, 
data3 from table_XX where data1 = ABC, how do I get at the returned 
value of the select?


Thank you,
S.Park





Re: (RADIATOR) Question

2002-11-12 Thread Hugh Irvine

Hello Chris -

Keep in mind that there are two different things going on in this 
scenario. The first is authentication which checks the username and 
password (and does whatever checks are required), and the second is 
accounting which is used to manage the session database.

You should get the information from the database and return it to the 
NAS in the accept in a Class attribute. Then you can use the contents 
of the Class attribute which is included in the accounting requests in 
your own session database queries.

Have a look at sections 6.7 and 6.28 in the Radiator 3.3.1 reference 
manual (doc/ref.html).

regards

Hugh


On Tuesday, Nov 12, 2002, at 18:14 Canada/Eastern, Chris Kay wrote:


Question is...

I wish to pull some information from a db during auth and then set that
information in the session db.

Would I set this, then pull it and enter it, or can I make it global or
something?

Any help would be gratefully received.


-
Chris Kay (Systems Development)
Techex Communications
Website: www.techex.com.au Email: [EMAIL PROTECTED]
Telephone: 1300 88 111 2 - Fax: (02) 9970 5788
-





NB: I am travelling this week, so there may be delays in our 
correspondence.



Re: (RADIATOR) Question about Calls table

2002-11-06 Thread Hugh Irvine

Hello Lin -

This is because the default format for integer-date is being used.

If you want to change it you should specify your own DateFormat.

See sections 6.28.14 and 6.3 in the Radiator 3.3.1 reference manual.

regards

Hugh


On Wednesday, November 6, 2002, at 07:55 AM, Huaikun Lin wrote:


Hi Hugh

Here is my radius configuration:

Foreground
LogStdout
LogDir  /var/log/radius
DbDir   /local/etc/radius
PidFile /var/run/radiusd.pid
SnmpgetProg /local/bin/snmpget
AuthPort 1645
AcctPort 1646
Trace 3

<Client xxx>
    ...
</Client>

<Handler Request-Type = Accounting-Request>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy EMERALD>
        # You can use this to force Radiator to limit
        # maximum session times to how many minutes
        # are left in subaccounts.timeleft
        DefaultSimultaneousUse 1
        TimeBanking
        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual
        DBSource dbi:Sybase:server=xxx;database=xxx
        DBUsername
        DBAuth

        # You can add to or change these if you want.
        AccountingTable Calls
        AcctColumnDef   UserName,User-Name
        AcctColumnDef   CallDate,Timestamp,integer-date
        AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
        AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
        AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
        AcctColumnDef   AcctSessionId,Acct-Session-Id
        AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
        AcctColumnDef   AcctTerminateCause,Ascend-Disconnect-Cause,integer
        #   AcctColumnDef   AcctTerminateCause,Acct-Terminate-Cause,integer
        #   AcctColumnDef   NASIdentifier,NAS-Identifier
        AcctColumnDef   NASIdentifier,NAS-IP-Address
        AcctColumnDef   NASPort,NAS-Port,integer

        AddATDefaults
        AuthSelect ,sa.LoginLimit
        AuthColumnDef 0,Simultaneous-Use,check
    </AuthBy>
    # Log all accounting into daily log files
    AcctLogFileName /var/log/radius/log/%Y%m%d.act
</Handler>

<Handler>
    RewriteUsername s/^([^@]+).*/$1/
    # If Platypus rejects the login, forward it to the old Radius server
    #AuthByPolicy ContinueUntilAccept
    PasswordLogFileName %L/password.log

    <AuthBy EMERALD>
        # You can use this to force Radiator to limit
        # maximum session times to how many minutes
        # are left in subaccounts.timeleft
        DefaultSimultaneousUse 1
        TimeBanking
        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual
        DBSource dbi:Sybase:server=;database=xxx
        DBUsername  xx
        DBAuth  xx
        AddATDefaults
        AuthSelect ,sa.LoginLimit
        AuthColumnDef 0,Simultaneous-Use,check
    </AuthBy>

    <AuthBy DBFILE>
        Filename %D/users
    </AuthBy>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>


The following is one example of trace 4 debug:

Thu Sep  5 23:00:03 2002: DEBUG: Packet dump:
*** Received from 203.96.xx.xx port 39577 
Code:   Access-Request
Identifier: 167
Authentic:  00X24200t00,400B173
Attributes:
Proxy-Action = AUTHENTICATE
User-Name = andy.hema
User-Password = 184/2139gG192374177232252250223
NAS-IP-Address = 192.168.8.253
NAS-Port = 278
Acct-Session-Id = 18159809
USR-Interface-Index = 1534
Service-Type = Framed-User
Framed-Protocol = PPP
Chassis-Call-Slot = 2
Chassis-Call-Span = 1
Chassis-Call-Channel = 22
Calling-Station-Id = 
Called-Station-Id = 1900
Connect-Speed = NONE
NAS-Port-Type = Async
User-Id = andy.hema
NAS-Identifier = ipw1-n1-15.ipnet.telecom.co.nz
User-Realm = actrix
Proxy-State = 0

Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Realm=twor.ac.nz should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler  should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Handling request with Handler ''
Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG:  Deleting session for andy.hema, 192.168.8.253, 278
Thu Sep  5 23:00:03 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.168.8.253'

Re: (RADIATOR) Question about Calls table

2002-11-05 Thread Huaikun Lin
Hi Hugh

Here is my radius configuration:

Foreground
LogStdout
LogDir  /var/log/radius
DbDir   /local/etc/radius
PidFile /var/run/radiusd.pid
SnmpgetProg /local/bin/snmpget
AuthPort 1645
AcctPort 1646
Trace 3

<Client xxx>
    ...
</Client>

<Handler Request-Type = Accounting-Request>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy EMERALD>
        # You can use this to force Radiator to limit
        # maximum session times to how many minutes
        # are left in subaccounts.timeleft
        DefaultSimultaneousUse 1
        TimeBanking
        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual
        DBSource dbi:Sybase:server=xxx;database=xxx
        DBUsername
        DBAuth

        # You can add to or change these if you want.
        AccountingTable Calls
        AcctColumnDef   UserName,User-Name
        AcctColumnDef   CallDate,Timestamp,integer-date
        AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
        AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
        AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
        AcctColumnDef   AcctSessionId,Acct-Session-Id
        AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
        AcctColumnDef   AcctTerminateCause,Ascend-Disconnect-Cause,integer
        #   AcctColumnDef   AcctTerminateCause,Acct-Terminate-Cause,integer
        #   AcctColumnDef   NASIdentifier,NAS-Identifier
        AcctColumnDef   NASIdentifier,NAS-IP-Address
        AcctColumnDef   NASPort,NAS-Port,integer

        AddATDefaults
        AuthSelect ,sa.LoginLimit
        AuthColumnDef 0,Simultaneous-Use,check
    </AuthBy>
    # Log all accounting into daily log files
    AcctLogFileName /var/log/radius/log/%Y%m%d.act
</Handler>

<Handler>
    RewriteUsername s/^([^@]+).*/$1/
    # If Platypus rejects the login, forward it to the old Radius server
    #AuthByPolicy ContinueUntilAccept
    PasswordLogFileName %L/password.log

    <AuthBy EMERALD>
        # You can use this to force Radiator to limit
        # maximum session times to how many minutes
        # are left in subaccounts.timeleft
        DefaultSimultaneousUse 1
        TimeBanking
        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual
        DBSource dbi:Sybase:server=;database=xxx
        DBUsername  xx
        DBAuth  xx
        AddATDefaults
        AuthSelect ,sa.LoginLimit
        AuthColumnDef 0,Simultaneous-Use,check
    </AuthBy>

    <AuthBy DBFILE>
        Filename %D/users
    </AuthBy>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>


The following is one example of trace 4 debug:

Thu Sep  5 23:00:03 2002: DEBUG: Packet dump:
*** Received from 203.96.xx.xx port 39577 
Code:   Access-Request
Identifier: 167
Authentic:  00X24200t00,400B173
Attributes:
Proxy-Action = AUTHENTICATE
User-Name = andy.hema
User-Password = 184/2139gG192374177232252250223
NAS-IP-Address = 192.168.8.253
NAS-Port = 278
Acct-Session-Id = 18159809
USR-Interface-Index = 1534
Service-Type = Framed-User
Framed-Protocol = PPP
Chassis-Call-Slot = 2
Chassis-Call-Span = 1
Chassis-Call-Channel = 22
Calling-Station-Id = 
Called-Station-Id = 1900
Connect-Speed = NONE
NAS-Port-Type = Async
User-Id = andy.hema
NAS-Identifier = ipw1-n1-15.ipnet.telecom.co.nz
User-Realm = actrix
Proxy-State = 0

Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Realm=twor.ac.nz should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler  should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Handling request with Handler ''
Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG:  Deleting session for andy.hema, 192.168.8.253, 278
Thu Sep  5 23:00:03 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.168.8.253' and NASPORT=0278

Thu Sep  5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep  5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep  5 23:00:03 2002: DEBUG: Query is: select DateAdd(Day, ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, 

Re: (RADIATOR) Question about Calls table

2002-11-04 Thread Hugh Irvine

Hello Lin -

I will need to see a copy of your Radiator configuration file (no  
secrets) together with a trace 4 debug showing what is happening.

regards

Hugh


On Tuesday, November 5, 2002, at 10:21 AM, Huaikun Lin wrote:

Hi

I am using SQL Server and Radiator 3.1 radius.

In SQL Server, we have a table Calls which records the accounting data.

Recently, I found the data in one of the fields, CallDate (data type: datetime), is not exactly
accurate. This data type should record data like 2002-11-05 12:05:23. But the actual
data is something like 2002-11-05 12:05:00, where the seconds field is always 0.
(The year, month, day, hour and minute are right.)

When I check the radius debug, I can see the Insert statement doesn't include
the seconds field, which makes the data not 100% accurate:

insert into Calls (UserName,AcctStatusType,NASPort,CallDate,AcctSessionId,AcctInputOctets,AcctSessionTime,AcctOutputOctets) values ('test',2,541262250,'Nov  5, 2002 12:10','204301AA-3DC6C5C6',2545013,14466,66242572)

I think the insert statement in the radius script causes the inaccuracy.

If there is no seconds field in there, the SQL database makes it 00.

Is there any way to fix that?

How do I fix it?

Lin



Re: (RADIATOR) question

2002-04-22 Thread Hugh Irvine


Hello Arnulfo -

How are you programming the amount of time that a user is allowed to use? 
Most Radiator users employ an SQL database for user definitions and 
accounting and it is relatively easy to provide pre-paid services such as you 
describe in this way.

This topic has been discussed many times on the mailing list, so have a look 
at the archive site and do a search.

http://www.open.com.au/archives/radiator

regards

Hugh


On Mon, 22 Apr 2002 16:10, Arnulfo Rojas Yanquen wrote:
 Hugh
 our company offers Internet access services; users hire this service for a set period
 of time, and when that time has finished Radiator must prevent the user from
 connecting again. Radiator is not doing this, and I cannot find the possible cause.

 Radiator is set up on RedHat 7, uses passwd-shadow for authentication,
 and the version is Radiator 2.18.1
 THANKS

 Arnulfo





Re: (RADIATOR) question

2002-04-21 Thread Hugh Irvine


Hello Arnulfo -

I am not exactly sure what you mean, as Radiator does not normally expire 
user accounts. Can you give me a bit more information about what you want to 
have happen?

regards

Hugh


On Sat, 20 Apr 2002 13:52, Arnulfo Rojas Yanquen wrote:
 Hello,

 I work an ISP and  I have a problem with Radiator.

 The problem is that Radiator is not expiring the users' accounts.

 Radiator is set up on RedHat 7, uses passwd-shadow for authentication,
 and the version is Radiator 2.18.1

 THANKS


 Sincerely,

 =
 Arnulfo Rojas Yanquen.
 Technical Assistant
 ExpressNet S.A.
 [EMAIL PROTECTED]
 Tel: (571) 5 404090
 Fax: (571) 2 491432
 Santafé de Bogotá D.C. - Colombia




Re: (RADIATOR) Question Time

2002-04-21 Thread Hugh Irvine


Hello Mick -

You would use an AuthLog SQL for authentication logging.
See section 6.50 in the Radiator 3.0 reference manual.

For your proxy question I will need to see a copy of your configuration file 
(no secrets) together with a trace 4 debug from Radiator showing what is 
happening.

regards

Hugh


On Mon, 22 Apr 2002 15:02, Michael Saunders wrote:
 I would like to log when users type in the wrong password,
 so I can explain to them how to type their own name correctly.
 I have found in the documentation how to do this with a log file.
 Is there any way to do this into the database instead, as we have too
 many operators for a log file?

 Also, when you proxy requests across to another radius server, does
 radiator strip any reply attributes you may send? Because I am sending a
 request off to a third party using radiator but my reply attributes never
 make it to the other end.
 But they have nothing in their config that would make me think it is being
 stripped.




Re: (RADIATOR) Question

2002-03-26 Thread Hugh Irvine


Hello Stephen -

To assign static addresses, you would normally specify the address in the 
reply attributes for the user in whatever user database you have.

In a flat file it would look like this:

# define users
# check attributes on the first line (no trailing comma)
# reply attributes on second and subsequent lines

someuser Password = ., .
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 1.2.3.4,
        Framed-IP-Netmask = .,
        ..

anotheruser Password = .., .
        ...

If you have any other questions, please contact me.

regards

Hugh

ps - the contents of the goodies directory, like the wimscomplex example, are 
contributed by Radiator users and are not supported directly by us


On Wed, 27 Mar 2002 08:44, Stephen Malenshek wrote:
 I am trying to implement a new installation of Radiator 3.0 on Red Hat
 7.2 with a Postgres backend on a separate machine.  I have searched
 through the archives and have a list in regards to static ip address
 assignment from radius and I have yet to find anything regarding this.
 Also, I have taken the wimscomplex example in the goodies and tried to
 adapt it to our environment.  My biggest problem is that I do not
 understand the mappings for the tables in the radius.cfg file for the
 database.  I will admit this, I do not have an extreme amount of
 knowledge of databases and all my experience with radius is with the
 Cistron version, which we have been running for three years.  Everything
 else we are doing is pretty normal and all pools are assigned by the
 nas, but I would be interested in looking at some type of configuration
 to where it issues the assignments.

 As a future development plan, I have expectations of converting
 everything for authentication to radius (Exim, ProFTP & Apache) to where
 we have a database of the information instead of local flat files and
 logs of everything.  This to me is our ultimate goal to achieve, and I
 am mentioning this to assess opinions from everyone on what the best way
 to plan for this implementation without slowing the initial down.
 Please let me know.  I would be more than happy to send any information
 necessary on if anyone is interested in helping me with this endeavor.
 Thanks in advance.


 Stephen Malenshek
 President/CEO
 Valuelinx Corporation
 [EMAIL PROTECTED]







RE: (RADIATOR) Question

2002-02-01 Thread Paul

Hi Steve,

A handler like the one below will not perform any authentication:

<Handler Called-Station-Id=apn.gprs.net>

    AuthByPolicy ContinueWhileAccept
    AuthBy AllocateIPAddressForGPRS

    AcctLogFileName %L/%N-gprs-%{GlobalVar:HostId}-detail%Y%m%d.log
    PostAuthHook file:filename

</Handler>

However remember that you may still need to send back some appropriate reply
attributes which you could do with an 'AddToReply' as per below:

<AuthBy DYNADDRESS>
    Identifier AllocateIPAddressForGPRS
    Allocator ORACLEallocatorGPRS
    PoolHint pool-%{Called-Station-Id}-%N
    MapAttribute yiaddr, Framed-IP-Address
    StripFromReply PoolHint
    AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None
</AuthBy>

These are just examples; you will need to tailor them to your specific
needs.

Hope this helps.



Paul

___

Paul O'Shea
Level9 Networks
___







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Steve Rainbow
Sent: Friday, February 01, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Question


1. Are there any training courses for Radiator in the UK?

2. All calls that come into my NAS are automatically forwarded to the radius
for authentication. Normally, I set up the username/password in a User file
but also now need to authenticate without a username/password. If I set up a
User file with DEFAULT will that allow calls through?

Thanks,

Steve




Re: (RADIATOR) Question

2002-02-01 Thread Hugh Irvine


Hello Steve -

We offer on-site training and consulting services on a contract basis. I have 
copied Joanne on this mail and she will send you the details.

You can set up a users file with a DEFAULT entry like this:

# define DEFAULT to accept everything

DEFAULT Auth-Type = Accept


regards

Hugh


On Sat, 2 Feb 2002 03:44, Steve Rainbow wrote:
 1. Are there any training courses for Radiator in the UK?

 2. All calls that come into my NAS are automatically forwarded to the
 radius for authentication. Normally, I set up the username/password in a
 User file but also now need to authenticate without a username/password. If
 I set up a User file with DEFAULT will that allow calls through?

 Thanks,

 Steve

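A small model of the users-file lookups that come up in this thread (Primoz's user1 entry with Fall-Through, the static Framed-IP-Address entry in Hugh's reply on static addresses, and the DEFAULT Auth-Type = Accept entry in this reply), as an added Python example that is neither Radiator's code nor from any poster. It parses the flat-file layout (check items on an entry's first line, reply items indented on the following lines) and resolves a request against it. The matching rules are a simplified model written for this example, not Radiator's implementation: entries are tried in file order, DEFAULT matches any username, an entry with no Password check item does not compare the password at all, and Fall-Through = yes merges the entry's reply items and continues to later entries. The users-file text, usernames, passwords and NAS addresses are constructed; Expiration and other dated check items are not modelled.

```python
import secrets
from dataclasses import dataclass, field

# Constructed users file in the flat-file layout shown in the thread: check items
# on the first line of an entry, reply items indented on the following lines.
USERS_FILE = """\
# alice gets a static address; Fall-Through continues to the DEFAULT entries
alice   Password = "s3cret"
        Framed-IP-Address = 1.2.3.4,
        Framed-IP-Netmask = 255.255.255.255,
        Fall-Through = yes

# common reply items for anything from this NAS (note: no Password check item)
DEFAULT NAS-IP-Address = 10.0.0.10
        Service-Type = Framed-User,
        Framed-Protocol = PPP

# catch-all: accepts every remaining request whatever the password
DEFAULT Auth-Type = Accept
        Service-Type = Framed-User,
        Framed-Protocol = PPP
"""


@dataclass
class UserEntry:
    name: str                                   # username or the literal DEFAULT
    check: dict = field(default_factory=dict)   # check items (first line)
    reply: dict = field(default_factory=dict)   # reply items (indented lines)


def parse_items(text):
    """Parse 'Attr = value, Attr = "value"' into a dict; values here contain no commas."""
    items = {}
    for part in text.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            continue                            # empty fragment after a trailing comma
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        items[attr.strip()] = value
    return items


def parse_users(text):
    """An unindented line starts a new entry; an indented line adds reply items to it."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply items before the first user entry")
            entries[-1].reply.update(parse_items(raw))
        else:
            fields = raw.strip().split(None, 1)
            entries.append(UserEntry(fields[0], parse_items(fields[1]) if len(fields) > 1 else {}))
    return entries


def checks_pass(check, password, request):
    """All check items must hold; Auth-Type = Accept bypasses the password comparison."""
    accept_all = check.get("Auth-Type") == "Accept"
    for attr, want in check.items():
        if attr == "Auth-Type":
            if want != "Accept":
                return False                    # Reject, System, ... are not modelled
        elif attr == "Password":
            if not accept_all and not secrets.compare_digest(password.encode(), want.encode()):
                return False
        elif request.get(attr) != want:         # any other item is matched against the request
            return False
    return True


def authorize(entries, username, password, request):
    """Walk entries in file order; return (accepted, merged reply items)."""
    reply, accepted = {}, False
    for entry in entries:
        if entry.name not in (username, "DEFAULT"):
            continue
        if not checks_pass(entry.check, password, request):
            continue                            # a failed named entry falls to later DEFAULTs
        accepted = True
        items = dict(entry.reply)
        fall_through = items.pop("Fall-Through", "no").lower() == "yes"
        reply.update(items)
        if not fall_through:
            break
    return accepted, reply


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for name, pw, nas in (("alice", "s3cret", "10.0.0.10"),
                          ("alice", "wrong", "192.0.2.9"),
                          ("bob", "anything", "192.0.2.9")):
        print(name, nas, authorize(users, name, pw, {"NAS-IP-Address": nas}))
```

The second and third runs show the side of Steve's question that the reply does not spell out: with the catch-all DEFAULT present, a wrong password for alice is still accepted (she just does not get her static address), and any unknown user is accepted too. Remove the last entry (entries[:-1]) and the same wrong-password request is rejected, while the NAS-keyed DEFAULT still accepts anything from 10.0.0.10 because it carries no Password check item.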



Re: (RADIATOR) Question about Radius and SQL

2002-01-25 Thread Hugh Irvine


Hello Martin -

 Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
 Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
 Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for

The problem shown above is that you can't connect to the database at all.

Also, in the timestamps shown above, the number following the year is the 
number of microseconds. It is a six digit number, so the first digit is 
tenths of a second.

I.e. in "Fri Jan 25 17:42:28 2002 911157:" the number 911157 is the number of microseconds.

regards

Hugh


On Fri, 25 Jan 2002 18:33, Martin Edge wrote:
 Hey Guys,

 Having a few issues, as we are unable to easily find out the cause of
 the slowdowns we get when an avalanche scenario occurs.

 (where the amount of requests coming in is faster than the processing
 power to complete them..)

 Is this necessarily an SQL timeout, or could there be other contributing
 factors to these errors?

 If so, how would we go about finding these out..

 I tried LogMicroseconds in a Log FILE routine, and this is the output
 below.. (although I don't see any milliseconds results..)

 Thanks for your help,
 Martin


  snip 
 Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
 Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
 Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
 Fri Jan 25 17:42:36 2002 960943: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.

 Fri Jan 25 17:42:36 2002 982364: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
 Fri Jan 25 17:42:50 2002 371277: ERR: Execute failed for 'Sp_fetchUserPassword 'office'': SQL Timeout
 Fri Jan 25 17:42:52 2002 391393: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.

 Fri Jan 25 17:42:52 2002 421577: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
 Fri Jan 25 17:43:07 2002 361641: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.

 Fri Jan 25 17:43:07 2002 411189: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
 Fri Jan 25 17:43:21 2002 671671: ERR: Execute failed for 'Sp_fetchUserPassword 'simona'': SQL Timeout
 Fri Jan 25 17:43:23 2002 691896: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.

 Fri Jan 25 17:43:23 2002 716376: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
 Fri Jan 25 17:43:39 2002 561994: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
 Fri Jan 25 17:43:42 2002 501985: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
 Fri Jan 25 17:43:45 2002 382053: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
 Fri Jan 25 17:43:47 2002 972065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
 Fri Jan 25 17:43:50 2002 742074: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
 Fri Jan 25 17:43:53 2002 321952: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
 Fri Jan 25 17:43:55 2002 722314: ERR: Execute failed for 'Sp_fetchUserPassword 'shields'': SQL Timeout
 Fri Jan 25 17:43:58 2002 32217: ERR: Execute failed for 'Sp_fetchUserPassword 'shields'': SQL Timeout
 Fri Jan 25 17:44:00 2002 532429: ERR: Execute failed for 'Sp_fetchUserPassword 'blp04395'': SQL Timeout
 Fri Jan 25 17:44:02 2002 832373: ERR: Execute failed for 'Sp_fetchUserPassw
 -
 Martin Edge
 Technical Services Co-ordinator
 Phoneware Online
 eMail:  mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
 Phone: +613 9640 4140 ext. 193

 In the end, it's speed, price and customer service.
 -

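Hugh's reply explains the extra number after the year, and Martin's question is how to tell SQL timeouts apart from outright connection failures during an avalanche. The following is an added Python example, not from the thread and not Radiator code, that parses the LogMicroseconds line format shown above, keeps the microsecond field as an integer (the excerpt contains five-digit values such as 32431 next to six-digit ones, so the parser converts the number rather than reading digit positions), classifies each error line and computes the gap between consecutive entries, which is what makes the 10-second back-off and the sub-second bursts visible. The sample lines are constructed in the shape of Martin's excerpt with placeholder DSN, database user and password; LINE_RE, LogEntry, classify, gaps_seconds and summarize are this example's own names.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed lines in the shape of the excerpt in this thread (Log FILE with
# LogMicroseconds): "<ctime timestamp> <microseconds>: <LEVEL>: <message>".
# Server name, database, user and password are placeholders, not real values.
SAMPLE_LOG = """\
Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:36 2002 960943: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=db.example.invalid;database=DBNAME, DBUSER, DBPASS: timeout at Radius/Util.pm line 507.
Fri Jan 25 17:42:36 2002 982364: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
this line is not a Radiator log line and is skipped by the parser
"""

# ctime-style timestamp, then the microsecond count (1 to 6 digits, no zero padding),
# then the level and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<usec>\d{1,6}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)


@dataclass
class LogEntry:
    when: datetime      # wall-clock time including the microsecond field
    level: str
    message: str
    kind: str           # coarse classification used for counting


def classify(message):
    """Separate back-off notices, query timeouts and failed connection attempts."""
    if "Backing off" in message:
        return "backoff"
    if "SQL Timeout" in message:
        return "sql_timeout"
    if "Could not connect" in message:
        return "connect_failed"
    return "other"


def parse_log(text):
    """Parse LogMicroseconds lines; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        when = when.replace(microsecond=int(m["usec"]))   # integer count, not digit positions
        entries.append(LogEntry(when, m["level"], m["msg"], classify(m["msg"])))
    return entries


def gaps_seconds(entries):
    """Seconds between consecutive entries; sub-second gaps need the microsecond field."""
    return [(b.when - a.when).total_seconds() for a, b in zip(entries, entries[1:])]


def summarize(entries):
    """Counts per error kind plus the smallest and largest inter-event gap."""
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    g = gaps_seconds(entries)
    return {"counts": counts,
            "min_gap": min(g) if g else 0.0,
            "max_gap": max(g) if g else 0.0}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e, gap in zip(parsed, [None] + gaps_seconds(parsed)):
        print(e.when.isoformat(), e.kind, "" if gap is None else f"+{gap:.6f}s")
    print(summarize(parsed))
```

Two things the output makes visible: the 21 ms gap between the failed DBI->connect and the "Backing off" line shows the connection attempt itself timing out, distinct from the per-query SQL Timeout lines, and the "Could not connect" line echoes the full DBI->connect argument list, database credentials included, so these log files need the same handling as the configuration file they mirror.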

Re: (RADIATOR) Question about DBM Auth...

2002-01-17 Thread Hugh Irvine


Hello Fernando -

There are no limits on the number of AuthBy clauses you can use (unless there 
is some underlying operating system limit on the number of files a single 
process can have open).

Perhaps you can send me a copy of the complete configuration file (no 
secrets) together with a trace 4 debug from Radiator showing what is 
happening.

regards

Hugh


On Fri, 18 Jan 2002 02:53, Fernando Caranton Cruz wrote:
 Hi,

 I use the DBM Auth, but I want to know if this type of authentication has
 any type of limit. Let me explain:

 This is the current Realm in the radius.cfg:


 <Realm DEFAULT>
     MaxSessions 1
     AcctLogFileName /usr/local/etc/radacct/%N/detail
     RejectHasReason
     <AuthBy GROUP>
         AuthByPolicy ContinueWhileReject
         <AuthBy GROUP>
             AuthByPolicy ContinueWhileReject
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/plus/users
             </AuthBy>
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/rdsigeneral/users
             </AuthBy>
         </AuthBy>
         <AuthBy FILE>
             Filename /etc/raddb/radiator/prepago/users
         </AuthBy>
         <AuthBy RADIUS>
             Host
             Secret
             RetryTimeout 10
             AuthPort 1645
             AcctPort 1646
         </AuthBy>
     </AuthBy>
 </Realm>

 but if I make some changes, the DB options do not work

 e.g.:

 <Realm DEFAULT>
     MaxSessions 1
     AcctLogFileName /usr/local/etc/radacct/%N/detail
     RejectHasReason
     <AuthBy GROUP>
         AuthByPolicy ContinueWhileReject
         <AuthBy GROUP>
             AuthByPolicy ContinueWhileReject
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/plus/users
             </AuthBy>
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/rdsigeneral/users
             </AuthBy>
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/otherdir/users
             </AuthBy>
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/otherdir/users
             </AuthBy>
             <AuthBy DBFILE>
                 Filename /etc/raddb/radiator/otherdir/users
             </AuthBy>
         </AuthBy>
         <AuthBy FILE>
             Filename /etc/raddb/radiator/prepago/users
         </AuthBy>
         <AuthBy RADIUS>
             Host
             Secret
             RetryTimeout 10
             AuthPort 1645
             AcctPort 1646
         </AuthBy>
     </AuthBy>
 </Realm>

 Is there some kind of limit on the AuthBy option? How many can I use? Can I use
 another type of config, e.g. using AuthBy GROUP or others?

 tnx

 FCC

Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) question about debug

2002-01-15 Thread Hugh Irvine


Hello David -

It looks like you have specified an AuthBy RADIUS clause without specifying 
which ports to send to.

Here is an example:

<AuthBy RADIUS>
    Host .
    Secret .
    AuthPort 1812
    AcctPort 1813
    .
</AuthBy>

Have a look at section 6.29 in the Radiator 2.19 reference manual 
(doc/ref.html).

regards

Hugh


On Wed, 16 Jan 2002 00:27, kramar wrote:
 Hi
 I'm pretty delighted with Radiator, but I would like to ask about part of the
 debug log.
 So, why do I see in the debug file "Sending to 172.26.1.51 port 1646..."
 if I use ports 1812, 1813 in the config files (on both sides - Radius and RAS)
 and nowhere do I use ports 1645, 1646?

 here is deb. file..

 Tue Jan 15 06:50:17 2002: DEBUG: Accounting accepted
 Tue Jan 15 06:50:17 2002: DEBUG: Packet dump:
 *** Sending to 172.26.1.51 port 1646 
 Code:   Accounting-Response
 Identifier: 195
 Authentic:
 %~2481832192552532081272482352051301331914
 Attributes:

 Thanks for answer
 David




Re: (RADIATOR) Question on defining realms

2001-11-19 Thread Hugh Irvine


Hello Elias -

On Tuesday 20 November 2001 16:14, [EMAIL PROTECTED] wrote:
 Hi Hugh,

 I defined a realm abc in my config file. So far Radiator has been
 running great but now I have several users logging in as user@abc@abc.
 How can I stop this? Thanks!

 <Realm abc>
 .
 .
 .
 </Realm>


The answer to your question depends somewhat on the rest of your 
configuration file and what else you are doing with the usernames.

Could you please send me a copy of the configuration file (no secrets) 
together with a trace 4 debug showing what happens with one of these users?

Could you also tell me exactly why this is a problem? I want to know because 
we may want to apply a fix to Radiator itself.

thanks

Hugh





Re: (RADIATOR) Question: Log SYSLOG

2001-10-17 Thread neil d. quiogue

Though replying to my own email is bad form, I just decided to create a hook
for this and it worked.

Regards,

Neil D. Quiogue
- Original Message -
From: neil d. quiogue [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 8:01 PM
Subject: (RADIATOR) Question: Log SYSLOG


 Greetings,

 I would like to know if there's a way for me to send the User-Name and
 Framed-IP-Address (and some other) fields through Syslog without resorting
 to a Trace 4 and configuring Log SYSLOG.

 I understand there's AuthLog SYSLOG, but whenever I test it using radpwtst,
 it doesn't log it.

 Much thanks.

 Regards,

 Neil D. Quiogue







Re: (RADIATOR) Question on Encrypted-Password/User-Password

2001-09-14 Thread Hugh Irvine


Hello Viraj -

Section 13.1.2 in the Radiator 2.18.4 reference manual.

regards

Hugh


On Friday 14 September 2001 00:05, Viraj Alankar wrote:

  Hello,

 Is there a functional difference between the following:

 <AuthBy SQL>
     ...
     AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
     AuthColumnDef 0, User-Password, check
 </AuthBy>

 and this:

 <AuthBy SQL>
     ...
     AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
     AuthColumnDef 0, Encrypted-Password, check
 </AuthBy>

 when the result of the select returns '{crypt}crypted_password'? In other
 words, I can use either AuthBy and it should work, right?

 Thanks,

 Viraj.







Re: (RADIATOR) Question regarding Internet phone

2001-09-05 Thread Hugh Irvine


Hello Ganbold -

Radiator can be used for any application that uses the radius protocol.

The question to ask is: what protocol does the NAS use to authenticate
Voice-Over-IP?

As you rightly point out, Radiator is not a billing system, so you will still 
have to address that aspect, either by developing it yourself or by 
purchasing something.

regards

Hugh


On Thursday 06 September 2001 04:02, ganbold wrote:
 Hi,

 We want to use Radiator for Internet phone. Is it possible to use
 Radiator for this purpose? If possible, how difficult would it be to write
 Internet phone billing software for Radiator?
 Also I would like to know about compatibility issues with Radiator if we
 buy some other Internet phone billing software.

 thanks in advance,

 Ganbold Ts.





Re: (RADIATOR) Question regarding Internet phone

2001-09-05 Thread ganbold

Hi Hugh,


Yes, the NAS will use Voice over IP.
How would it be in this case?


Ganbold



Hugh Irvine wrote:
 Hello Ganbold -
 
 Radiator can be used for any application that uses the radius protocol.
 
 The question to ask is: what protocol does the NAS use to authenticate
 Voice-Over-IP?
 
 As you rightly point out, Radiator is not a billing system, so you will still 
 have to address that aspect, either by developing it yourself or by 
 purchasing something.
 
 regards
 
 Hugh
 
 
 On Thursday 06 September 2001 04:02, ganbold wrote:
 
Hi,

We want to use Radiator for Internet phone. Is it possible to use
Radiator for this purpose? If possible, how difficult would it be to write
Internet phone billing software for Radiator?
Also I would like to know about compatibility issues with Radiator if we
buy some other Internet phone billing software.

thanks in advance,

Ganbold Ts.


 






Re: (RADIATOR) Question regarding Internet phone

2001-09-05 Thread ganbold

Hi,

Also, there are some billing systems we are interested in:

MIND CTI, Portal etc.

Does anybody know about these systems on Radiator?
Please let me know.


thanks in advance,

Ganbold


Hugh Irvine wrote:
 Hello Ganbold -
 
 Radiator can be used for any application that uses the radius protocol.
 
 The question to ask is: what protocol does the NAS use to authenticate
 Voice-Over-IP?
 
 As you rightly point out, Radiator is not a billing system, so you will still 
 have to address that aspect, either by developing it yourself or by 
 purchasing something.
 
 regards
 
 Hugh
 
 
 On Thursday 06 September 2001 04:02, ganbold wrote:
 
Hi,

We want to use Radiator for Internet phone. Is it possible to use
Radiator for this purpose? If possible, how difficult would it be to write
Internet phone billing software for Radiator?
Also I would like to know about compatibility issues with Radiator if we
buy some other Internet phone billing software.

thanks in advance,

Ganbold Ts.


 






Re: (RADIATOR) question

2001-07-23 Thread Brandon

Here are UU.net's instructions;
does anyone know how to change the length from 28 to 26?



Hi!  I wanted to let you know of some clarifications on the anti-spam filter
we've received from engineering.   The only one that we will need to start
keeping an eye out for that we weren't specifically watching before is the
length field of each line in the 242 filter:  The maximum length for each
line is 26.

Here's the summary of the clarifications we received that I wanted to pass
to you immediately:

1.  New realms must have a [242] length of 26.
2.  New realms must have 10 or less [242] filter lines.
3.  Existing realms must have a [242] length of 26 before we can make any
proxy changes.
4.  Existing realms must have 10 or less [242] filter lines before we can
make any proxy changes.

Please note in some of the realms we tested that the lengths were varying,
some up to 34.   Here is one line from the filter to show you where the
length (len) field is indicating 26:

attr: type Ascend-Data-Filter [242], len 26
data = 01 01 01 00 00 00 00 00 00 00 00 00 00 00 06 01 00 00 00 00 00 00 00 00

- Original Message -
From: Brandon [EMAIL PROTECTED]
To: Pascal Robert [EMAIL PROTECTED]
Sent: Monday, July 23, 2001 10:28 AM
Subject: Re: (RADIATOR) question


 Same here.
 Can anyone help us out?

 Brandon

 - Original Message -
 From: Pascal Robert [EMAIL PROTECTED]
 To: Hugh Irvine [EMAIL PROTECTED]; Brandon [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Monday, July 23, 2001 7:57 AM
 Subject: Re: (RADIATOR) question


  We are connecting with Uunet and they are asking for the same thing. They
  want the length of Ascend-Data-Filter to be 26 instead of 28.
 
  
   Hello Brandon -
  
   If UUnet is mandating this, they must have a specification of what they
   mean.
  
   You will have to check with UUnet directly.
  
   regards
  
   Hugh
  
  
   At 3:09 AM -0700 6/26/01, Brandon wrote:
    Wish I knew too.  I tried emailing the list and no one seemed to
    know.  The only response I got back was that it was possible in
    PostAuthHooks.  UU.net is now requiring this to use their system.
  
   Brandon
  
   - Original Message -
   From: mailto:[EMAIL PROTECTED]admin
   To: mailto:[EMAIL PROTECTED][EMAIL PROTECTED]
   Sent: Tuesday, June 26, 2001 2:14 PM
   Subject: (RADIATOR) question
  
    I need to reduce my Ascend-Data-Filter from length 28 to 26. Any ideas
    how?
  
  
   Thanks
  
   Eric
 
  --
 
 


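The attribute-length change UUnet asks for above (28 down to 26) is two trailing fill bytes in the binary filter body: the Ascend IP filter grew from 24 to 26 data bytes when its trailing fill went from 2 to 4 bytes, and the RADIUS attribute header adds 2. As an added example (not code from this thread, Radiator or UUnet), this Python decodes the filter line UUnet quoted and performs the 26-to-24-byte conversion; the field layout and the forward/direction/port-comparison value mappings are the Ascend binary filter format as implemented in FreeRADIUS, and the sample bytes are the ones quoted in the message.

```python
"""Decode a binary Ascend-Data-Filter (RADIUS attribute 242) value and
convert the 26-byte layout to the 24-byte layout (attribute length 28 -> 26).

Added example for the UUnet thread; not Radiator's or UUnet's code.
Layout follows the Ascend binary filter struct as implemented in FreeRADIUS:
a 4-byte header, then an IP filter body whose trailing fill grew from 2 to
4 bytes.  Value mappings (forward 1=forward/0=drop, direction 1=in/0=out,
port comparisons 1..4 = < = > !=) are taken from the same implementation.
"""
import socket
import struct
from typing import Dict

# Header common to every filter type: type, forward, direction, fill
HEADER = struct.Struct("!BBBB")
# IP filter body up to, but not including, the trailing fill:
# srcip, dstip, srcmask, dstmask, proto, established, srcport, dstport,
# srcPortComp, dstPortComp -> 4+4+1+1+1+1+2+2+1+1 = 18 bytes
IP_BODY = struct.Struct("!4s4sBBBBHHBB")

OLD_LEN = HEADER.size + IP_BODY.size + 2   # 24 data bytes -> attribute length 26
NEW_LEN = HEADER.size + IP_BODY.size + 4   # 26 data bytes -> attribute length 28

FILTER_TYPES = {0: "generic", 1: "ip", 2: "ipx"}
PORT_COMPARISONS = {0: "", 1: "<", 2: "=", 3: ">", 4: "!="}

# The filter line quoted by UUnet above: "len 26" means 24 data bytes.
UUNET_SAMPLE = bytes.fromhex(
    "01 01 01 00 00 00 00 00 00 00 00 00 00 00 06 01 00 00 00 00 00 00 00 00"
)


def attribute_length(data: bytes) -> int:
    """RADIUS attribute length: 2 header bytes (type, length) plus the value."""
    return 2 + len(data)


def parse_ascend_ip_filter(data: bytes) -> Dict[str, object]:
    """Decode a 24- or 26-byte Ascend IP filter value into named fields."""
    if len(data) not in (OLD_LEN, NEW_LEN):
        raise ValueError(f"filter is {len(data)} bytes; expected {OLD_LEN} or {NEW_LEN}")
    ftype, forward, direction, _fill = HEADER.unpack_from(data, 0)
    if ftype != 1:
        raise ValueError(f"not an IP filter (type {FILTER_TYPES.get(ftype, ftype)})")
    (srcip, dstip, srcmask, dstmask, proto, established,
     srcport, dstport, srccomp, dstcomp) = IP_BODY.unpack_from(data, HEADER.size)
    return {
        "type": "ip",
        "action": "forward" if forward else "drop",
        "direction": "in" if direction == 1 else "out",
        "srcip": socket.inet_ntoa(srcip), "srcmask": srcmask,
        "dstip": socket.inet_ntoa(dstip), "dstmask": dstmask,
        "proto": proto,                       # 6 = TCP in the UUnet sample
        "established": bool(established),
        "srcport": (PORT_COMPARISONS.get(srccomp, "?"), srcport),
        "dstport": (PORT_COMPARISONS.get(dstcomp, "?"), dstport),
        "fill_bytes": len(data) - HEADER.size - IP_BODY.size,   # 2 (old) or 4 (new)
    }


def can_truncate(data: bytes) -> bool:
    """True if the value uses the 26-byte layout and its extra fill is all zero."""
    return len(data) == NEW_LEN and data[OLD_LEN:] == b"\x00\x00"


def to_old_format(data: bytes) -> bytes:
    """Shrink a 26-byte filter to the 24-byte layout UUnet requires.

    Only the trailing fill differs between the layouts, so this is a
    truncation; it refuses if the dropped bytes are not zero, because then
    the value is not really a padded 24-byte filter.
    """
    if len(data) == OLD_LEN:
        return data
    if not can_truncate(data):
        raise ValueError("trailing bytes are not zero fill; refusing to truncate")
    return data[:OLD_LEN]


if __name__ == "__main__":
    print(parse_ascend_ip_filter(UUNET_SAMPLE))
    padded = UUNET_SAMPLE + b"\x00\x00"          # same filter in the 26-byte layout
    print(attribute_length(padded), "->", attribute_length(to_old_format(padded)))
```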



Re: (RADIATOR) Question about Rodopi?

2001-07-13 Thread Hugh Irvine


Hello Chairarth -

It only makes sense to keep your user definitions in a single database, so if 
you are going to use Rodopi you should keep all your users there.

regards

Hugh


On Friday 13 July 2001 21:23, Chairarth K wrote:

  Hello Hugh,

 Maybe only in Rodopi, maybe in Rodopi and Radmin. Please advise us
 in both cases.

 Thanks,
 Chairath
  

 Hugh Irvine wrote:
  Hello Chairarth -

  Where are you going to maintain your customer definitions? In Radmin,
  Rodopi, or both?

  regards

  Hugh

  At 13:49 +0700 01/7/12, Chairarth K wrote:
   Is there any problem if we use Radmin, Radiator and Rodopi billing
   at the same time?

   Regards,
   Chairath
 
   
 
  --
 
  NB: I am travelling this week, so there may be delays in our
  correspondence.
 
   







Re: (RADIATOR) Question about Rodopi?

2001-07-12 Thread Hugh Irvine



Hello Chairarth -

Where are you going to maintain your customer definitions? In
Radmin, Rodopi, or both?

regards

Hugh


At 13:49 +0700 01/7/12, Chairarth K wrote:
Is there any problem if we use Radmin, Radiator and Rodopi billing at the
same time?

Regards,
Chairath


--


NB: I am travelling this week, so there may be delays in our correspondence.




Re: (RADIATOR) question

2001-06-28 Thread Hugh Irvine



Hello Brandon -

If UUnet is mandating this, they must have a specification of
what they mean.

You will have to check with UUnet directly.

regards

Hugh


At 3:09 AM -0700 6/26/01, Brandon wrote:
Wish I knew too. I tried emailing the list and no one seemed to know. The
only response I got back was that it was possible in PostAuthHooks. UU.net
is now requiring this to use their system.

Brandon
- Original Message -
From: admin
To: [EMAIL PROTECTED]
Sent: Tuesday, June 26, 2001 2:14 PM
Subject: (RADIATOR) question

I need to reduce my Ascend-Data-Filter from length 28 to 26. Any ideas
how?


Thanks

Eric



--


NB: I am travelling this week, so there may be delays in our correspondence.




Re: (RADIATOR) question (failed insert in accounting)

2001-05-03 Thread Hugh Irvine


Hello Andy -

As usual, a copy of the configuration file (no secrets) and a trace 4 debug 
from Radiator are necessary for us to be able to help you.

thanks

Hugh

On Thursday 03 May 2001 19:29, Andy De Petter wrote:
 Hello,

 I have AcctFailedLogFileName configured, in my radius accounting daemon,
 but whenever there is a SQL Timeout detected between the SQL server, and
 the radius server, radiusd doesn't seem to be saving the failed query in
 the AcctFailedLogFileName file...

 When there are errors, like duplicates, or anything similar, it seems to
 work fine.

 Shouldn't radiusd save timed out queries also in this file?  Or isn't it
 saving that query on purpose?  In that case, how can I make it save a timed
 out query in a file, so I have less chance of losing accounting tickets?

 Thanks,

 -Andy


 --
 For nothing can seem foul to those that win.
   - Henry IV, Pt1, Act 5, Sc 1







Re: (RADIATOR) Question about SessionDatabase

2000-11-17 Thread Hugh Irvine


Hello Alexey -

On Fri, 17 Nov 2000, Alexey A. Shavaldin wrote:
 Hello !
 
 I have experienced a problem with simultaneous logins of such a case.
 I have global RewriteUsername defined in my radius.cfg:
 
 RewriteUsername tr/[A-Z]/[a-z]/
 RewriteUsername s/^(.*)\/(.*)/$2/
 RewriteUsername s/^(.*)\\(.*)/$2/
 RewriteUsername tr/A-Za-z0-9_@,\\\ \.\-/\*/c
 
 Simultaneous login limits work OK for users who enter their usernames in lower 
 case, but not for users who mix upper- and lower-case characters. 
 Their Access-Requests are accepted everywhere. Here is part of my trace4 log:
 

This is really a business policy issue, rather than a technical Radiator issue.

You have two opposing views being expressed:

1. do you allow "naive" users to misspell their login names and still be
accepted?

2. do you forbid "clever" users from abusing multiple use limits?

You have to decide which policy to implement - you can't do both.

As to checking simultaneous use - the problem is that the NAS keeps the
username string that was entered by the user, so the session database also
needs to keep that string to be able to query the NAS.

In this case (and others as discussed on the list) I tend towards the strict
view, that simply rejects unacceptable login attempts.

hth

Hugh





Re: (RADIATOR) question for the list...remote timeouts.

2000-10-17 Thread Hugh Irvine


Hello Blake -

On Wed, 18 Oct 2000, Blake Golliher wrote:
 
 I have a database of users in Oracle, we aren't keeping track of accounting
 data, and the only thing I have control over are the endpoint radius
 servers.  I need to be able to limit users to a set timeout.  All users in
 a realm will have this attribute set for them.  Anyone have a good idea how to
 handle this?  Is there a built-in function to use for this?
 

Easy - just use an AddToReply in your AuthBy clause:

<AuthBy SQL>

    AddToReply Session-Timeout = nnn, Idle-Timeout = mm
</AuthBy>

hth

Hugh




Re: (RADIATOR) Question about Client clause

2000-07-06 Thread Hugh Irvine


Hello Matt -

On Thu, 06 Jul 2000, Matt Nichols wrote:
 Hello,
 
 If I specify a Client DEFAULT clause in Radiator without specifying 
 DefaultRealm, will all the usernames be appended with 'username@' or will 
 they simply remain 'username'? Typically we have always had 'DefaultRealm 
 local' which would write the 'username' as 'username@local'.
 
 The reason I ask is because I have to send all Accounting records to 
 another server using a radius proxy but I have to also pass all 
 authentication and accounting records to our current radius servers which 
 should then append the DefaultRealm clause specified in the Client statement.
 

I don't think I understand the question. Do you want to replace all of your
Client clauses with a single Client DEFAULT? Otherwise, I don't see what
adding the Client DEFAULT is going to achieve. In any case, if you don't
specify a DefaultRealm, the username will remain unchanged (modulo any
RewriteUsername's of course).

hth

Hugh





Re: (RADIATOR) question about

2000-06-09 Thread Hugh Irvine


Hello Christian -

On Sat, 10 Jun 2000, [EMAIL PROTECTED] wrote:
 hi there,
 
 we are using one part of radiator as a radius proxy.
 
 for some reason we get such errors all the time... any idea where they come from?
 
 does the authenticator mean the access server or the client radius server?
 
 Fri Jun  9 19:28:32 2000: WARNING: Bad authenticator received in reply to ID 6
 Fri Jun  9 19:28:34 2000: WARNING: Bad authenticator received in reply to ID 7
 Fri Jun  9 19:28:40 2000: WARNING: Bad authenticator received in reply to ID 4
 

This is either due to an incorrect shared secret between the two Radius
servers, or if it is only for accounting packets you can use the
IgnoreAcctSignature parameter in the Client clause for whatever device is the
source of the problem.

BTW - the authenticator is the name of a particular field in a Radius packet,
not a particular device.

hth

Hugh




Re: (RADIATOR) question about radiator - mysql -- static ip assingment

2000-05-22 Thread Hugh Irvine


Hello Christian -

On Mon, 22 May 2000, [EMAIL PROTECTED] wrote:
 hi there,
 
 just have tried to install radiator with mysql authentication.
 everything works fine, except the assignment of static ips
 and the "login time left" - the last one is probably a bug in the program?
 i found out that it does not stop counting and also still authorizes users.
 (sure, i did include the select statement for that variable :))
 
 can someone please give me an idea how i reply to the user with his static ip
 (sql table) to get really that ip assigned?
 
 the default reply-message i have entered in the radius.cfg as following:
 
 Service-Type = Framed-User,\
 Framed-Protocol = PPP,\
 Framed-IP-Netmask = 255.255.255.254,\
 Framed-Routing = None,\
 Framed-MTU = 1500,\
 Framed-Compression = Van-Jacobson-TCP-IP
 
 of course for dynamic ips it works fine... so what is the procedure for
 static ip assignment?
 

You would typically return a Framed-IP-Address specifying what IP address to
use for the connection.


 the other thing: in that combination we bought Radmin, especially for
 the better user maintenance (dialin and adsl). there is a file called
 "editRadconfig.pl" that seems to expect other tables than recommended, which came
 with radmin. does someone have any useful examples so that we can
 maintain (if i understood right) the configuration of radiator?
 

No. This script is only used to set Radius attributes for users maintained by
RAdmin. We have recently beta-released a cgi script designed for maintaining
the Radiator configuration file. It is called "radconfig.cgi" and there is a
beta copy in the patches area. This script will be included in the next release
of Radiator.

 the last thing:
 is there an archive of this list somewhere?
 

Yes - http://www.starport.net/~radiator.

There is also an FAQ in the release and on the Open System web site.

regards

Hugh




Re: (RADIATOR) Question regarding DupInterval

2000-02-09 Thread Mike McCauley

Hi Christophe,

My advice is to reduce the DupInterval to something like 2 seconds. It is
really only intended to catch genuine duplicate packets (ie packets sent along
duplicate parallel network paths, or from some other pathological network
problem). It's really not supposed to catch _retransmissions_ by the NAS. As you
have found, when it starts to catch _retransmissions_ (as opposed to
duplicates), you start to have problems.

Hope that helps.
Cheers.

On Feb 9,  8:35pm, Christophe Wolfhugel wrote:
 Subject: (RADIATOR) Question regarding DupInterval
 From the documentation, DupInterval is applied to the client, ie the
 host sending the request, eventually an intermediate proxy.

 From reading the Client.pm source code I see following :

   $self->{RecentIdentifiers}->{$nas_id . $code}[$p->identifier]

 $nas_id is there supposed to be the NAS-IP-Address, or if not
 available NAS-Identifier, which is possibly not the proxy. Only
 if none of these attributes are present $nas_id will contain the IP
 address of the Client. The $code identifies the type of request, so
 on a standard setup that gives a 256 packets history for each kind of
 request.

 If my understanding is correct this is somewhat different from what
 the documentation as well as the comment at the beginning of Client.pm
 say.

 Now let's go to my particular situation: I have a central accounting Radius
 server which gets all accounting packets from the proxies. Whenever this
 machine gets really odd (or just out of CPU) the proxies start doing
 retransmissions, and then the NASes also start retransmitting (via
 a different proxy). By having a really high DupInterval (19) on this
 accounting Radius I reduce the number of duplicate records in the
 accounting files on that machine, but my clients won't get their
 Accounting-Accept because Radiator believes it comes from the same client.

 I would conclude that my design is wrong and that I should reduce the
 DupInterval on the accounting Radius a lot and have the scripts which
 handle the accounting files eliminate the duplicates. Can
 someone more knowledgeable confirm to me that this is the way I should go?

 --
 Christophe Wolfhugel  -+-  [EMAIL PROTECTED]  -+-  France Telecom Oleane

-- End of excerpt from Christophe Wolfhugel



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

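To make Mike's point concrete, here is an added example (not Radiator's code) that models the duplicate cache the way Christophe describes reading Client.pm: keyed by the packet's own NAS-IP-Address/NAS-Identifier plus request code and the 8-bit RADIUS Identifier, not by the proxy that delivered it. It replays one retransmission scenario under DupInterval 19 and 2; the addresses, timings and the simplified "first seen within the interval" rule are constructed for the illustration.

```python
"""Simplified model of RADIUS duplicate detection for the DupInterval thread.

Added example, not Radiator's code.  The cache is keyed as Christophe
describes: (nas_id . code) -> 256 identifier slots, where nas_id is the
NAS-IP-Address / NAS-Identifier carried inside the packet.  The address the
datagram arrived from (the proxy) is deliberately not part of the key, so a
retransmission that reaches us through a different proxy is still collapsed.
All addresses and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST = 4


@dataclass
class Packet:
    source_ip: str      # proxy (or NAS) the datagram actually came from
    nas_id: str         # NAS-IP-Address or NAS-Identifier attribute value
    code: int           # RADIUS code, e.g. 4 = Accounting-Request
    identifier: int     # RADIUS Identifier, 0..255
    t: float            # arrival time in seconds


@dataclass
class DupDetector:
    dup_interval: float
    # (nas_id + code) -> identifier -> time the slot was last (re)armed
    recent: Dict[str, Dict[int, float]] = field(default_factory=dict)

    def is_duplicate(self, p: Packet) -> bool:
        """True if this NAS/code/identifier was seen less than dup_interval ago.

        Simplified rule: a duplicate does not refresh the slot; the slot is
        re-armed only when a packet is accepted as new.
        """
        slots = self.recent.setdefault(p.nas_id + str(p.code), {})
        last = slots.get(p.identifier)
        if last is not None and (p.t - last) < self.dup_interval:
            return True
        slots[p.identifier] = p.t
        return False


def run_scenario(dup_interval: float) -> List[Tuple[str, bool]]:
    """Replay the traffic pattern from the thread against one DupInterval.

    Returns (label, dropped_as_duplicate) per arriving packet.
    """
    nas = "10.0.0.1"                              # constructed NAS address
    proxy_a, proxy_b = "192.0.2.10", "192.0.2.11"  # constructed proxy addresses
    traffic = [
        # genuine duplicate: the same datagram arriving via two parallel paths
        ("A first send",    Packet(proxy_a, nas, ACCOUNTING_REQUEST, 7, 0.0)),
        ("B parallel copy", Packet(proxy_b, nas, ACCOUNTING_REQUEST, 7, 0.5)),
        # proxy A got no reply and retransmits 3 s later
        ("A retransmit",    Packet(proxy_a, nas, ACCOUNTING_REQUEST, 7, 3.0)),
        # the NAS gives up on proxy A and resends through proxy B
        ("B retransmit",    Packet(proxy_b, nas, ACCOUNTING_REQUEST, 7, 6.0)),
        # a new, unrelated request from the same NAS that reuses identifier 7
        ("id 7 reused",     Packet(proxy_a, nas, ACCOUNTING_REQUEST, 7, 12.0)),
    ]
    detector = DupDetector(dup_interval)
    return [(label, detector.is_duplicate(p)) for label, p in traffic]


if __name__ == "__main__":
    for interval in (19.0, 2.0):
        print(f"DupInterval {interval:g}:")
        for label, dropped in run_scenario(interval):
            print(f"  {label:16} {'dropped as duplicate' if dropped else 'answered'}")
```

With DupInterval 19 every copy after the first is silently dropped, including the retransmissions the clients are waiting on and an unrelated request that happens to reuse the identifier; with 2 only the genuine parallel copy is dropped, at the price of the duplicate accounting record that Christophe's conclusion leaves to the file-processing scripts.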



Re: (RADIATOR) Question about accounting

1999-12-29 Thread Hugh Irvine


Hello John -

On Wed, 29 Dec 1999, [EMAIL PROTECTED] wrote:
 Hi;
 
 Our system is working just fine (authentication wise), but I need to be able
 to send accounting packets to two separate locations for a particular realm.
 
 For example:
 
 Authentication packets for a certain realm are proxied (AuthBy Realm) to another
 Radius server, which works fine.
 Accounting packets should be sent there too; this seems to be happening as well
 (it is not our radius server so I don't know for sure).
 I also want to be able to stuff the contents of the accounting packets into an SQL
 database, which I am currently doing for realms that authenticate off the same
 database.
 

You will want to do something like this:

# note AuthByPolicy ContinueAlways
# and empty AuthSelect to turn off authentication

<Realm regional.com>
	AuthByPolicy ContinueAlways
	RewriteUsername tr/A-Za-z0-9\-\_\\.\@/ /cs
	RewriteUsername s/^([^@]+).*/$1/

	<AuthBy RADIUS>
		Host Hidden
		Secret Hidden
	</AuthBy>

	<AuthBy SQL>
		DBSource dbi:mysql:Hidden
		DBUsername  Hidden
		DBAuth  Hidden
		AuthSelect 
		AccountingStopsOnly
		AccountingTable ACCOUNTING_NATIONAL
		AcctColumnDef USERNAME,User-Name
		AcctColumnDef TIME_STAMP,Timestamp,integer
		AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
		AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
		AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
		AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
		AcctColumnDef ACCTSESSIONID,Acct-Session-Id
		AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
		AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
		AcctColumnDef NASIDENTIFIER,NAS-Identifier
		AcctColumnDef NASPORT,NAS-Port,integer
		AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address,ipaddr
	</AuthBy>

	# Log accounting to the detail file in LogDir
	MaxSessions 1
	AcctLogFileName %L/detail-%m%d%Y
	SessionDatabase SDB2
</Realm>


 
 
 PS Something else: with the session database like it is, sometimes the re-written
 user-name is inserted into the database, sometimes the original username is
 inserted. This is just strange.

Can you send me the complete configuration file and a trace 4 debug showing the
session database inserts?

thanks 

Hugh





RE: (RADIATOR) Question about setup

1999-11-22 Thread Dave Kitabjian


You say, "everything works fine...". Looking at your Calls table in the 
database, are there any entries in the "Username" column? Or are they just 
NULL?

Dave

On Monday, November 22, 1999 2:24 PM, Kelly Hamlin 
[SMTP:[EMAIL PROTECTED]] wrote:
 I'm using Ascend 6000 series NAS's and I'm using radiator to authenticate off
 the platypus database, everything works fine, cept I get a lot of errors in
 the window. I'm using the ascend dictionary file and below I have my config
 and below that, are the errors I'm getting in log window.
 Any help would be great!! thanks..
 ---config---

 Foreground
 LogStdout
 LogDir  .
 DbDir   .


 # You will probably want to change this to suit your site.
 <Client DEFAULT>
  Secret  mysecret
  DupInterval 0
 </Client>

 <Client 209.xx.xxx.xx>
  Secret 
 </Client>

 <Client 209.xx.xxx.xx>
  Secret x
 </Client>
 <Realm DEFAULT>
  <AuthBy EMERALD>
   DBSource dbi:ODBC:Platypus
   DBUsername  xx
   DBAuth  
   # You can add to or change these if you want.
   AccountingTable Calls
   AcctColumnDef   UserName,User-Name
   AcctColumnDef   CallDate,Timestamp,integer-date
   AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
   AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
   AcctColumnDef   AcctInputOctets,Acct-Input-Octets,integer
   AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
   AcctColumnDef   AcctSessionId,Acct-Session-Id
   AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
   AcctColumnDef   AcctTerminateCause,Ascend-Disconnect-Cause,integer
   AcctColumnDef   NASIdentifier,NAS-Identifier
   AcctColumnDef   NASIdentifier,NAS-IP-Address
   AcctColumnDef   NASPort,NAS-Port,integer
   TimeBanking
 #   AuthSelect ,sa.maxsessions
 #   AuthColumnDef 0,Simultaneous-Use,check
  </AuthBy>
 </Realm>
 ---/Config---
 ---Errors---
 C:\Radiator>perl radiusd -config_file emerald.cfg
 DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
 [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1) at Radius/SqlDb.pm line 228.
 Mon Nov 22 14:05:56 1999: ERR: do failed for 'insert into Calls (CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier) values ('Nov 22, 1999 14:5', 7, 0, '919990609', '209.26.171.130')': [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
 [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1)
 DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
 [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1) at Radius/SqlDb.pm line 228.
 Mon Nov 22 14:05:57 1999: ERR: do failed for 'insert into Calls (CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier) values ('Nov 22, 1999 14:5', 7, 0, '919990609', '209.26.171.130')': [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
 [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1)
 Mon Nov 22 14:06:17 1999: ERR: Attribute number 62 (vendor ) is not defined in your dictionary
 Mon Nov 22 14:06:20 1999: ERR: Attribute number 62 (vendor ) is not defined in your dictionary
 Mon Nov 22 14:06:23 1999: ERR: Attribute number 62 (vendor ) is not defined in your dictionary
 DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
 [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1) at Radius/SqlDb.pm line 228.
 Mon Nov 22 14:06:29 1999: ERR: do failed for 'insert into Calls (CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier) values ('Nov 22, 1999 14:6', 7, 0, '919991612', '209.26.171.138')': [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
 

Re: (RADIATOR) Question about setup

1999-11-22 Thread Hugh Irvine


Hello Kelly -

On Tue, 23 Nov 1999, Kelly Hamlin wrote:
 Im using Ascend 6000 series NAS's and im using radiator to authenticate off
 the platypus database, everything works fine, cept i get a lot of errors in
 the window. Im using the ascend dictionary file and below i have my config
 and below that, are the errors im getting in log window.

It would be useful to see a trace 4 debug showing what is happening inside
Radiator when you get these errors. The cause of the first error is the fact
that you are getting accounting records with no User-Name in them and of course
the database is complaining about them. The other problem is that attribute 62
(vendor ) is not defined in your dictionary. 

I suspect the first problem is due to some special accounting packets that the
ascend is sending (perhaps incomplete logins?). I am not sure what the second
one is all about, as attribute 62 is usually Port-Limit (and used for replies).

If you are using the newer Ascend vendor-specific attributes for radius, you
should use the dictionary.ascend2 file. Check in the patches area:

http://www.open.com.au/radiator/downloads/patches-2.14.1/dictionary.ascend2

hth

Hugh




Re: (RADIATOR) Question about group

1999-11-17 Thread Mike McCauley

Hello Jason,

On Nov 16, 10:21pm, Jason Kao wrote:
 Subject: (RADIATOR) Question about group

 After reading Radiator radius server manual and searching the FAQ and mail
 archives, I still can not get the clear picture. My question is

 If I am planning to use groups in order to send different reply items for
 different groups, do I have to use AuthBy Unix, which in turn will
 use the /etc/group file on the box on which I am running the radius server?

 I will use AuthBy File or AuthBy PAM on SUN Solaris 7. According to the
 manual 13.1.6 group can only work with AuthBy Unix or AuthBy NT.

Actually, we omitted to mention that AuthBy SYSTEM also understands groups (we
have now added it to the docs for the next release). On Solaris, SYSTEM is
probably the best solution.

Cheers.

-- 
Mike McCauley   [EMAIL PROTECTED]



Re: (RADIATOR) Question on auth by sql setup

1999-11-11 Thread Hugh Irvine


Hello Jay -

On Thu, 11 Nov 1999, Jay West wrote:
 - Original Message -
 From: Jay West [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, November 09, 1999 6:44 AM
 Subject: Question on auth by sql setup
 
 
  We're trying to switch from DBM user files to mySQL user files. I have one
  simple question...
 
  The script that is given to build the tables initially from flat files
  mentions something to the effect that it is a bare-bones sample, and that
  you will probably want to add additional fields, etc.
 
   Being fairly new to msSQL, I was wondering if it's easy to add these fields
   later after user records and accounting records are active in SQL, or - is
   it a much better idea to get all the requisite fields built initially.
 

I thought someone with operational experience might have answered, but in any
case here are my thoughts. 

This depends to a certain extent on the database you are using (and I don't
know anything about msSQL). Some databases (like mysql) will allow you to
modify tables on the fly, while others don't. You should probably try to get
close to what you want to begin with, and even if you can't modify the tables
on the fly, all that is required to make a modification is to dump the
database, redefine the tables, and reload the data. It's a pretty normal
exercise to dump and reload a database.

hth

Hugh




Re: (RADIATOR) Question regarding Session-Limit database

1999-09-01 Thread Hugh Irvine


Hello David -

On Thu, 02 Sep 1999, David Lloyd wrote:
 Hello, I'm considering using the Session-Limit feature to limit
 simultaneous usage, with an external MySQL session-database and
 user-database to allow me to run two Radiator servers (one primary, one
 backup).
 
 We have 4 different NAS types, and I would like to set them each up to
 'talk' to Radiator to keep the database current.
 
 I was wondering, have other people run a setup like this?  Has anyone had
 any problems with the reliability of the Session-Limit (letting people on
 when they shouldn't, or blocking access unnecessarily)?  Has anyone had
 success with multiple NAS types?
 

Many Radiator customers are using this feature successfully. You will need to
configure the following:

# Configure SessionDatabase

<SessionDatabase SQL>
	DBSource ...
	DBUsername ...
	DBAuth ...
	...
</SessionDatabase>

# Add NasType to Clients

<Client ...>
	NasType ...
	...
</Client>

And then you will have to configure whatever is required for the NasType
checking, i.e. SNMP communities, etc.

You may also be interested in the radacct.cgi and radwho.cgi scripts that will
query the SQL database and display the results in a web browser.

hth

Hugh




Re: (RADIATOR) Question on radiator

1999-08-19 Thread tom minchin

On Thu, Aug 19, 1999 at 09:25:20AM +, Alexander Koch wrote:
 Hello.
 
 As I am evaluating a new radius daemon to choose I have some
 questions on Radiator.
 
 We have several Ascend Max 4k and 6k, all doing radius auth
 to special hosts (several, no real redundancy and backup),
 we are running the Ascend radius daemon (oh well, no comments,
 please) and we would need one feature:
 
 Have several (2+) radius servers that respond differently
 (however that is achieved, config-wise, fall-through or
 something) depending on the source IP of the request.
 So far we have two radius daemons on the same box, each is
 listening to another port. This works, but if it can be just
 one radius daemon, this would be really fine.
 Is anything like this possible? And, if so, how (roughly)?
 Mind you, this is no roaming...
 

How do you mean differently? Radiator is able to use NAS-IP-Address
(or similar) and Handlers to use different authentication sources
etc.

<Handler NAS-IP-Address=/10.1.1.2|10.1.1.3/>
	# whatever
	...
</Handler>

<Handler NAS-IP-Address=/10.2.2.2|10.2.2.3/>
	# something else
	...
</Handler>

You could do it at another level with NAS-IP-Address check items as well.

[EMAIL PROTECTED]




Re: (RADIATOR) Question - Radiator Log Billing - Access Server

1999-05-31 Thread Mike McCauley

Hello Marcia,

On May 31,  5:28pm, Márcia Maroni wrote:
 Subject: (RADIATOR) Question - Radiator Log Billing - Access Server

 Hi,

 Where can I find the information in the billing log of Radiator about the Access
 Server that was used for authentication of a user?

In the accounting detail file, it's usually NAS-IP-Address that tells the IP
address of the NAS where the user is logged in.

Hope that helps.

Cheers.

-- 
Mike McCauley   [EMAIL PROTECTED]



Re: (RADIATOR) Question: Problems with forwarding accounting requests to a second radiator

1999-05-02 Thread Mike McCauley

Hi Karl,

On Apr 30, 12:22pm, Karl Gaissmaier wrote:
 Subject: Re: (RADIATOR) Question: Problems with forwarding accounting requ
 Hi Mike,

 Mike McCauley wrote:
 
 [...]
 2. Question:
 Is it possible, that the first host already sends the
Accounting-Response
 to the NAS, and the second host just stores the records and nothing
else?
Yes, that should be fine.
  
   The question is how? Is this done with the AuthByPolicy or how
   can I do this? Can't find anything in the docs on how to do this.
   Sure, it is not the default behaviour needed by 98% of users.
 
  OK, I see your question now. Sorry.
 
  Normally, you would put the AuthBy RADIUS as the last AuthBy. It would then
  forward (just accounting in your case) to the other radius. And when that
  radius acknowledged, the first server would send that ack back to the
original
  NAS.
 

 Why do I get two replies only in this configuration and not always when
 I have the "AuthByPolicy ContinueWhileAccept"?

 My problem is the documentation under 6.18.1 AuthByPolicy:

 The default is clearly described, but what happens
 with "ContinueWhileAccept"? If the first Auth Module accepts and the
 second and so on, how many ACCESS-ACCEPTs are sent to the NAS,
 or which module sends it, the first one, the last one or all?

 What happens if only one module (not the first) rejects,
 what is sent to the NAS?

This is how Radiator handles multiple AuthBys:

Radiator will always accept, reject or ignore according to the result of the
_last_ AuthBy.

Also, if _any_ of the AuthBys are RADIUS, then Radiator will also reply with
whatever is received from the remote Radius, (when and if one is received).

In the case where RADIUS is the last, you get the behaviour you expect, because
AuthBy RADIUS always returns a result of IGNORE, and then (some time later) it
will reply to the NAS with whatever comes back from the remote radius server.




  But you are wondering how can you make the first server ack immediately,
  without waiting for the remote server to reply?
 
  Well, we don't really recommend it, but you could put your AuthBy RADIUS as
  not the last AuthBy. That would make it forward to the remote server and then
  fall through to the next AuthBy (depending on the AuthByPolicy, of course). The
  disadvantage of this is that _every_ accounting request from the NAS will get 2
  acknowledgements (one from the last AuthBy, and one from the AuthBy RADIUS when
  it gets its reply from the remote server)
  We don't really recommend this, since it is better that if the accounting server
  dies, the NAS gets no response and can try its secondary radius server.
 
  [...]
  
   You solved my problem, but perhaps for you is this a hint that something
   is strange with this behavior.
 
  Well, it's a standard dictionary attribute. I don't really understand why it was
  not in your dictionary. Which one were you using?

 I concatenated Ascend and the newest RFC, in order to have first the Ascend specific
 part and then overwrite the RFC defined Attributes.

 But again, this is not the problem, I think the problem is my
 bad english, therefore you don't understand it.

 I'll try again to explain it:

 Before I started to forward the accounting requests I had no
 WARNINGS in the logfile, the AuthBy FILE didn't complain
 about missing attributes, even there was no such attribute
 in the dictionary. After I inserted the additional
 AuthBy RADIUS I've seen the WARNINGS about the missing
 ATTRIBUTE.

 The academic question is: Why do I see no such
 warnings with AuthBy File and only with
 AuthBy RADIUS?

Because when the packet is sent to the remote radius, Radiator tries to convert
the 'Timestamp' attribute to a radius attribute number. 'Timestamp' is appended
to the request by Radiator (as per the RFC) when it proxies, and it is  usually
not in the incoming request. Therefore, if Timestamp is not in your dictionary,
you will only see the complaint when Radiator tries to proxy.



 hope you understand it despite my english :-(

I do. Your English is fine.


Cheers.


-- 
Mike McCauley   [EMAIL PROTECTED]

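Mike's rule for chains of AuthBys, worked through in Python as an added example (this is not Radiator's code). It encodes only what the thread states: each AuthBy returns ACCEPT, REJECT or IGNORE; the AuthByPolicy decides whether the next AuthBy is consulted; the reply to the NAS is the result of the last AuthBy consulted; and AuthBy RADIUS returns IGNORE and later relays the remote server's answer. The while/until reading of the policy keywords is Radiator's documented one, and the FILE/RADIUS chains are constructed from the scenarios Karl and Mike discuss.

```python
"""Toy model of how Radiator resolves multiple AuthBys under an AuthByPolicy.

Added example, not Radiator's own code; AuthBy names and chains below are
constructed from the scenarios in this thread.
"""
from dataclasses import dataclass
from typing import List, Optional

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# AuthByPolicy keyword -> (mode, result the mode keys on).
# "while X": consult the next AuthBy only while the current one returned X.
# "until X": consult the next AuthBy until one returns X.
POLICIES = {
    "ContinueWhileIgnore": ("while", IGNORE),   # Radiator's default
    "ContinueUntilIgnore": ("until", IGNORE),
    "ContinueWhileAccept": ("while", ACCEPT),
    "ContinueUntilAccept": ("until", ACCEPT),
    "ContinueWhileReject": ("while", REJECT),
    "ContinueUntilReject": ("until", REJECT),
    "ContinueAlways":      ("always", None),
}


@dataclass
class AuthBy:
    name: str
    result: str            # what this clause returns for the request
    proxies: bool = False  # AuthBy RADIUS: forwards now, relays the reply later


@dataclass
class Outcome:
    consulted: List[str]     # AuthBys that actually saw the request
    final: str               # result of the last AuthBy consulted
    forwarded_by: List[str]  # proxying AuthBys that saw the request


def continues(policy: str, result: str) -> bool:
    """Does this policy consult the next AuthBy after seeing `result`?"""
    mode, key = POLICIES[policy]
    if mode == "always":
        return True
    if mode == "while":
        return result == key
    return result != key


def run_chain(policy: str, chain: List[AuthBy]) -> Outcome:
    """Walk the AuthBys in order, stopping where the policy says to stop."""
    consulted, forwarded = [], []
    final = IGNORE
    for authby in chain:
        consulted.append(authby.name)
        if authby.proxies:
            forwarded.append(authby.name)
        final = authby.result
        if not continues(policy, final):
            break
    return Outcome(consulted, final, forwarded)


def replies_to_nas(outcome: Outcome, remote_reply: Optional[str]) -> List[str]:
    """Replies the NAS receives for one request.

    A final ACCEPT/REJECT is answered at once; a final IGNORE is not. Every
    proxying AuthBy that saw the request relays the remote reply when (and
    if) it arrives, on top of whatever the chain already sent.
    """
    replies = []
    if outcome.final != IGNORE:
        replies.append(f"immediate {outcome.final}")
    if remote_reply is not None:
        replies.extend(f"relayed {remote_reply} via {n}" for n in outcome.forwarded_by)
    return replies


# Constructed scenarios: accounting handled locally by FILE and proxied by RADIUS.
RADIUS_LAST = [AuthBy("FILE", ACCEPT), AuthBy("RADIUS", IGNORE, proxies=True)]
RADIUS_FIRST = [AuthBy("RADIUS", IGNORE, proxies=True), AuthBy("FILE", ACCEPT)]


def accounting_replies(policy: str, chain: List[AuthBy]) -> int:
    """Number of Accounting-Responses the NAS gets once the remote server acks."""
    return len(replies_to_nas(run_chain(policy, chain), ACCEPT))


if __name__ == "__main__":
    # RADIUS last under ContinueWhileAccept: one ack, relayed from the remote.
    print(accounting_replies("ContinueWhileAccept", RADIUS_LAST))
    # RADIUS not last under the default policy: two acks per request.
    print(accounting_replies("ContinueWhileIgnore", RADIUS_FIRST))
    # Karl's questions: all accept -> one Access-Accept from the last AuthBy;
    # one rejects under ContinueWhileAccept -> chain stops there, Access-Reject.
    print(run_chain("ContinueWhileAccept", [AuthBy("A", ACCEPT), AuthBy("B", ACCEPT)]))
    print(run_chain("ContinueWhileAccept",
                    [AuthBy("A", ACCEPT), AuthBy("B", REJECT), AuthBy("C", ACCEPT)]))
```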


Re: (RADIATOR) Question

1999-04-22 Thread Jason Spears

I suspect a trick question, so here's a trick answer. :)

If you run on Solaris 2.6, make sure you have the latest /kernel/drv/ip
patch and do an 'ndd -set /dev/ip ip_enable_group_ifs 0' at boot time.

Jason Spears


On Thu, 22 Apr 1999, Dialup USA Sales Dept wrote:

 Question:
 
 When Radiator is used on a machine with more than one IP address, will it
 send its replies with a source addr of the IP address it received the
 request on?
 
 
 
 





Re: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?

1999-03-10 Thread Anton Sparrius

Hi Mike,

You sure can.  Do something like this : (For an ODBC DB...but similar for
others)



AuthByPolicy ContinueUntilReject

<AuthBy SQL>
	AuthSelect
	DBSource dbi:ODBC:
	DBUsername  xxx
	DBAuth  

	AccountingTable %Y%m
	AccountingStopsOnly

	## TABLE COLUMN  ## NAS RESPONSE ##type
	AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
	AcctColumnDef   USERNAME,User-Name
	...
	AcctColumnDef   ASCENDXMITRATE,Ascend-Xmit-Rate,integer
	AcctColumnDef   ASCENDDATARATE,Ascend-Data-Rate,integer
</AuthBy>

<AuthBy NT>
	Identifier NTSystem
	Domain .xxx.xxx
</AuthBy>

(Or replace the last one with Unix or File or whatever)

Regards,

Anton Sparrius
---
Smarter Wayhttp://www.smart.net.au
Email[EMAIL PROTECTED]
Phone  (03) 9846 1711
 Melb   1800-240-829
 Sydn   1800-888-761


-Original Message-
From: mike grommet [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, March 11, 1999 4:12 AM
Subject: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?


For management purposes, I would like to be able to keep my authentication
working as it is with my unix users file, but I would like to
store all accounting information, and session limit stuff in a SQL
database...

From reading the docs, it seems radiator can do this if I am doing authby SQL,
but doesn't seem to include possibilities for this scenario...  Am I missing
something?


It sure would be nice to be able to do queries to an sql database to check
customer usage and such.

I realize I could make an SQL database out of the unix password file, but I
would prefer to not have to do this to achieve this functionality...










Re: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?

1999-03-10 Thread Lon R. Stockton, Jr.


On Wed, 10 Mar 1999, mike grommet wrote:

 For management purposes, I would like to be able to keep my authentication
 working as it is with my unix users file, but I would like to
 store all accounting information, and session limit stuff in a SQL
 database...

'Tis what I'm doing at the moment, albeit I have my previous radius
server still doing authentication on another machine... Radiator doesn't
even see the auth requests at this point in time. Basically, I'm
giving Radiator (and the server I constructed for it) a 'shakedown
cruise' prior to making it do mission-critical work. So my config
is fairly simple since all my Radiator is seeing is accounting packets
and stuffing them in a SQL (Postgres) database.

Further, as soon as I'm satisfied with the stability of my new server,
I'll be doing auth on it too, but the auth will be by another SQL
database...I want to get away from that unix passwd file crap asap.

 From reading the docs, it seems radiator can do this if I am doing authby SQL,
 but doesn't seem to include possibilities for this scenario...  Am I missing
 something?

I'm shooting in the dark kinda as a newbie to the Radiator configuration,
but I suspect that you'd have two authby clauses and a ContinueWhileAccept
keyword or somesuch. The first authby clause deals with your passwd file
authentication and doesn't do any accounting. The second authby clause
doesn't do auth but stuffs the accounting in a SQL database. The Continue*
keyword (whichever one it really is) ensures that a packet has to pass
thru both.

I'm sure there's a way to config it, but if all else fails, you could
always just run two instances of Radiator on different ip's on the
server in question, and config one to do authby unix for your auth
stuff and the other to do authby sql for your acco stuff. Messy and
inelegant if you ask me, but it's always nice to have a last-resort
that is sure to work. (:

 It sure would be nice to be able to do queries to an sql database to check
 customer usage and such.

That's what I thought, and boy did I underestimate how nice it really
is. I knew it'd be nice, but I really had no idea how great it was
until the db was there and AnyDataIWanted suddenly became no more of
an issue than how to properly word my sql query. I've spent a couple
of entire nights playing with all the queries that I can now do and
finding out all kinds of stuff about my statistics. I can only say
that I shoulda been doing this from the beginning.
 
 I realize I could make an SQL database out of the unix password file, but I
 would prefer to not have to do this to achieve this functionality...

That's my current plan, as soon as my new server with its linux, radiator,
postgres, perl and apache shows me a month of continuous trouble-free
uptime, I'm switching to doing my auth via sql as well. Same reason;
having data in a *real* database makes everything easier. No more
greppin' through a passwd file to find out who's on that server or
how many accounts or or or.

Especially when it comes to interesting things like having different
check/reply items. I'm seeing a web page my customers can go to and
specify that their child's account can't log in after 11pm, or that
all their packets get routed thru our in-house filtering software. I'm
also seeing policies such as 'if your bill is 30 days past due, you
can only log on if 10% of my modems are idle; if you're 60 days past
due, you can only access email and local resources...no surfin for
you ya bum, and if you're 90 everything you do takes you to a 'pay
your bill' webpage. And at 120...well, the results of a simple
sql query gets auto-emailed to my lawyer. *grin*)

Lon Stockton
MoonStar






RE: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?

1999-03-10 Thread Stephen Ollis

Looks a little like my question a couple of weeks back - 26/02/99

Do something like this:

<Realm ...>
   AuthByPolicy ContinueWhileIgnore
   <AuthBy SQL>
   DBSource 
   .

   # This disables SQL auth
   AuthSelect
   # This enables SQL accounting
   AccountingTable yyy
   AcctColumnDef 
   
   </AuthBy>
   <AuthBy FILE>
   Filename whatever
   </AuthBy>
   AcctLogFileName youracctdetailflatfilename
</Realm>


--
Stephen Ollis [EMAIL PROTECTED]   Ph: +61 2 9911 1606(BH)  
Team Leader, Server Systems - Network Engineering  +61 2 9911 1555(FAX)
AT&T EasyLink Services, Lvl 8, 15 Orion Rd, Lane Cove, NSW 2066
Australia
'There is no traffic jam on the extra mile.' - Zig Ziegler 
 


Re: (RADIATOR) Question about Radiator/Platypus

1999-01-15 Thread Hugh Irvine

Hello Kelly -

On Thu, 18 Nov 1999, Kelly Hamlin wrote:
 I have successfully set up Radiator to authenticate off the Plat database,
 however, when I assign static IP's and pools of IP's to certain users in the
 RadiusNT section of platypus I add all the attributes and all the proper
 setup just as I did for the Livingston Radius server. Those users can login
 with no problem but are unable to do anything once connected. They have
 static IP's assigned on their end and it's being assigned dynamically and to
 me that would explain why they can't do anything once connected. Also I
 noticed that when I was authenticating off the plat database, I would check
 calls online and it would be blank. I setup server to point to the SQL
 Server running all the radius/plat database information.
 
 Is there a setting that I need to include in one of the config files for
 Radiator to have it assign IP's from platypus user attributes or should it
 do that by default since it is authenticating from it?

Could you please send me a copy of a trace 4 debug output showing what is
happening when you authenticate a user?

thanks

Hugh

