Re: [RADIATOR] Question about TACACS group assignment based on AD groups
Hi Daniel,

we generate the Client config blocks using ClientListSQL from our NMS database. The identifier is the hostname and we use the OSC-Group-Identifier set to the support group name for further distinction in the handlers. We also add other metadata like OSC-Customer-Identifier for logging this way.

Best regards,
Alex

On 2016-09-08 07:12, Hugh Irvine wrote:
> Hello Daniel -
>
> You can use Identifiers in your Client clauses to indicate what sort of
> device they are, then use those identifiers in your Handlers.
>
> Something like this:
>
> ……
>
> Identifier Firewall
> …..
>
> Identifier Firewall
> …..
>
> Identifier Switch
> …..
>
> Identifier Switch
> …..
>
> …..
>
> AuthByPolicy ContinueUntilAccept
> AuthBy CheckReadOnlyAccessForFirewall
> AuthBy CheckFullAccessForFirewall
>
> AuthByPolicy ContinueUntilAccept
> AuthBy CheckReadOnlyAccessForSwitch
> AuthBy CheckFullAccessForSwitch
>
> hope that helps
>
> regards
>
> Hugh
>
>> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
>>
>> Hi all,
>>
>> I want to use Radiator both for RADIUS and for TACACS for Cisco devices,
>> including command level authorization. Based on some posts on this list I
>> got both the active directory and the TACACS server module up and running,
>> but struggle with the configuration of both.
>>
>> If I understand correctly, the TACACS module simply converts the TACACS
>> authentication requests to radius requests and passes them to Radiator for
>> ordinary execution. Authorization requests are handled within the TACACS
>> module.
>>
>> My configuration currently looks as follows:
>>
>> --- begin ---
>>
>> # Define DC to connect to
>> Host dc-b.ad.x.com
>>
>> # Identifier to use this AuthBy Clause later
>> Identifier AuthByAD
>>
>> # Administrative user used to perform LDAP queries
>> AuthDN cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
>> AuthPassword
>>
>> # Where to search for users
>> BaseDN OU=User,DC=ad,DC=xxx,DC=xxx,DC=de
>> ServerChecksPassword
>>
>> # Add Check for group membership
>> AuthAttrDef memberOf, ADGroup, check
>>
>> # Reply should include the group names for further processing
>> AuthAttrDef memberOf, ADGroups, reply
>>
>> # There will be no default User
>> NoDefault
>>
>> # LDAP attribute to check the UserName on
>> UsernameAttr sAMAccountName
>>
>> Port 49
>> AddToRequest NAS-Identifier=TACACS
>> GroupMemberAttr tacacsgroup
>>
>> AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
>> AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup network_ro deny .*
>>
>> # This is for authorized users for full access. Place in lvl 15
>> # immediately, no restrictions apply
>> AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>> AuthorizeGroup full_access permit .*
>>
>> # Default deny to prevent accidents when something is misconfigured
>> AuthorizeGroup DEFAULT deny .*
>>
>> # Include client definition
>> include %D/radius-clients.cfg
>> # Include Active Directory AuthBy Handler
>> include %D/authby-ad.cfg
>> # Include configuration for the built-in TACACS server
>> include %D/tacacs.cfg
>>
>> # TACACS Handler
>> AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
>> AuthBy AuthByAD
>>
>> # Try read-only access
>> # AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
>> # AuthBy AuthByAD
>>
>> --- end ---
>>
>> My problem now is how to tie both clues together in the handler. Ideally I
>> would also like to distinguish based on the TACACS client which is asking.
>> If it is a firewall (IPs known), then use command sets full_access_fw and
>> firewall_ro based on AD groups.
>>
>> Basically I need something like this:
>>
>> - Firewall is TACACS client, and the user is member of group
>>   netadmin-security, return request with tacacsgroup=full_access_fw
>> - Switch is TACACS client, and the user is member of group netadmin,
>>   return request with tacacsgroup=full_access
>> - Firewall is TACACS client, and the user is member of group
>>   netadmin-security-ro, return request with tacacsgroup=firewall_ro
>> - Switch is TACACS client, and the user is member of group netadmin-ro,
>>   return request with tacacsgroup=network_ro
>>
>> How would I do this mapping?
>>
>> Many thanks and best regards
>> Daniel
>>
>> ___
>> radiator mailing list
Re: [RADIATOR] Question about TACACS group assignment based on AD groups
Hello Daniel -

You can use Identifiers in your Client clauses to indicate what sort of
device they are, then use those identifiers in your Handlers.

Something like this:

……

Identifier Firewall
…..

Identifier Firewall
…..

Identifier Switch
…..

Identifier Switch
…..

…..

AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForFirewall
AuthBy CheckFullAccessForFirewall

AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForSwitch
AuthBy CheckFullAccessForSwitch

hope that helps

regards

Hugh

> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
>
> Hi all,
>
> I want to use Radiator both for RADIUS and for TACACS for Cisco devices,
> including command level authorization. Based on some posts on this list I got
> both the active directory and the TACACS server module up and running, but
> struggle with the configuration of both.
>
> If I understand correctly, the TACACS module simply converts the TACACS
> authentication requests to radius requests and passes them to Radiator for
> ordinary execution. Authorization requests are handled within the TACACS
> module.
>
> My configuration currently looks as follows:
>
> --- begin ---
>
> # Define DC to connect to
> Host dc-b.ad.x.com
>
> # Identifier to use this AuthBy Clause later
> Identifier AuthByAD
>
> # Administrative user used to perform LDAP queries
> AuthDN cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
> AuthPassword
>
> # Where to search for users
> BaseDN OU=User,DC=ad,DC=xxx,DC=xxx,DC=de
> ServerChecksPassword
>
> # Add Check for group membership
> AuthAttrDef memberOf, ADGroup, check
>
> # Reply should include the group names for further processing
> AuthAttrDef memberOf, ADGroups, reply
>
> # There will be no default User
> NoDefault
>
> # LDAP attribute to check the UserName on
> UsernameAttr sAMAccountName
>
> Port 49
> AddToRequest NAS-Identifier=TACACS
> GroupMemberAttr tacacsgroup
>
> AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
> AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup network_ro deny .*
>
> # This is for authorized users for full access. Place in lvl 15
> # immediately, no restrictions apply
> AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup full_access permit .*
>
> # Default deny to prevent accidents when something is misconfigured
> AuthorizeGroup DEFAULT deny .*
>
> # Include client definition
> include %D/radius-clients.cfg
> # Include Active Directory AuthBy Handler
> include %D/authby-ad.cfg
> # Include configuration for the built-in TACACS server
> include %D/tacacs.cfg
>
> # TACACS Handler
> AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
> AuthBy AuthByAD
>
> # Try read-only access
> # AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
> # AuthBy AuthByAD
>
> --- end ---
>
> My problem now is how to tie both clues together in the handler. Ideally I
> would also like to distinguish based on the TACACS client which is asking.
> If it is a firewall (IPs known), then use command sets full_access_fw and
> firewall_ro based on AD groups.
>
> Basically I need something like this:
>
> - Firewall is TACACS client, and the user is member of group
>   netadmin-security, return request with tacacsgroup=full_access_fw
> - Switch is TACACS client, and the user is member of group netadmin,
>   return request with tacacsgroup=full_access
> - Firewall is TACACS client, and the user is member of group
>   netadmin-security-ro, return request with tacacsgroup=firewall_ro
> - Switch is TACACS client, and the user is member of group netadmin-ro,
>   return request with tacacsgroup=network_ro
>
> How would I do this mapping?
>
> Many thanks and best regards
> Daniel
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER,
SIM, etc. Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS,
NetWare etc.

___
radiator mailing list
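Hugh's sketch lost its Client and Handler tags in the archive, so here is a fuller version of the same idea, written as an added example for this page; it is not from the thread and not Radiator's own documentation. It combines Hugh's per-Client Identifier with the `AddToRequest ADGroup=...` then `AuthBy AuthByAD` pattern from Daniel's own Handler, and adds the `tacacsgroup` reply attribute that Daniel's `ServerTACACSPLUS` (`GroupMemberAttr tacacsgroup`) maps onto an `AuthorizeGroup` command set. Assumptions: the client addresses, shared secrets and group DNs are placeholders; `AuthByAD` is Daniel's `AuthBy LDAP2` clause with `AuthAttrDef memberOf, ADGroup, check`; `Client-Identifier` as a Handler check item and `AddToRequest` inside an `AuthBy GROUP` should be confirmed against the Radiator reference for the installed version.

```conf
# Added example, not from the thread. Placeholders: 192.0.2.x addresses,
# the secrets and the OU=Groups,DC=example,DC=org DNs.

<Client 192.0.2.10>
    Secret REPLACE_ME_FIREWALL_SECRET
    Identifier Firewall
</Client>

<Client 192.0.2.20>
    Secret REPLACE_ME_SWITCH_SECRET
    Identifier Switch
</Client>

# Each AuthBy GROUP injects one AD group as the ADGroup check item, lets
# Daniel's LDAP2 clause (AuthByAD, assumed from the thread) compare it to
# the user's memberOf values, and only on ACCEPT adds the tacacsgroup
# reply attribute that ServerTACACSPLUS maps to an AuthorizeGroup set.
<AuthBy GROUP>
    Identifier CheckFullAccessForFirewall
    AddToRequest ADGroup="CN=netadmin-security,OU=Groups,DC=example,DC=org"
    AuthBy AuthByAD
    AddToReply tacacsgroup=full_access_fw
</AuthBy>

<AuthBy GROUP>
    Identifier CheckReadOnlyAccessForFirewall
    AddToRequest ADGroup="CN=netadmin-security-ro,OU=Groups,DC=example,DC=org"
    AuthBy AuthByAD
    AddToReply tacacsgroup=firewall_ro
</AuthBy>

<AuthBy GROUP>
    Identifier CheckFullAccessForSwitch
    AddToRequest ADGroup="CN=netadmin,OU=Groups,DC=example,DC=org"
    AuthBy AuthByAD
    AddToReply tacacsgroup=full_access
</AuthBy>

<AuthBy GROUP>
    Identifier CheckReadOnlyAccessForSwitch
    AddToRequest ADGroup="CN=netadmin-ro,OU=Groups,DC=example,DC=org"
    AuthBy AuthByAD
    AddToReply tacacsgroup=network_ro
</AuthBy>

# NAS-Identifier=TACACS is what Daniel's ServerTACACSPLUS adds with
# AddToRequest, so these Handlers never see plain RADIUS traffic.
# Full access is tried first so a user in both groups gets the wider set;
# ContinueUntilAccept stops at the first ACCEPT.
<Handler Client-Identifier=Firewall, NAS-Identifier=TACACS>
    AuthByPolicy ContinueUntilAccept
    AuthBy CheckFullAccessForFirewall
    AuthBy CheckReadOnlyAccessForFirewall
</Handler>

<Handler Client-Identifier=Switch, NAS-Identifier=TACACS>
    AuthByPolicy ContinueUntilAccept
    AuthBy CheckFullAccessForSwitch
    AuthBy CheckReadOnlyAccessForSwitch
</Handler>

# Catch-all: a Client without an Identifier, or a request of any other
# kind, is rejected outright rather than silently accepted.
<Handler>
    <AuthBy INTERNAL>
        DefaultResult REJECT
    </AuthBy>
</Handler>
```

Two failure modes are worth noting. A user in none of the four groups gets a REJECT from every `AuthBy GROUP`, so the device never receives a session; and a reply that somehow carries no `tacacsgroup` falls through to Daniel's `AuthorizeGroup DEFAULT deny .*`, so a mapping gap degrades to "no commands" rather than to full access.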
Re: [RADIATOR] Question about regex matching realm in handlers
On 10.2.2016 23.31, David Rose wrote:

> However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
> and associated statements (i.e. no other changes to client config or
> anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
> the regex and the inner request is then caught by "NO_REALM". Here is
> the debug from a request where things stop working as expected (I think
> the key is that in the packet dump, the username is in the "EAP-Message"
> field and not the "User-Name" field):

Yes, you are correct. The key is the empty User-Name in the tunnelled
request. Here's the tunnelled request:

> Tue Feb 9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
> Attributes:
> EAP-Message = <2><0><0><18><1>tu...@iit.edu
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = ""
>
> Tue Feb 9 23:21:42 2016: DEBUG: Handling request with Handler
> 'Realm=/^$/', Identifier 'NO_REALM'

This is what happens: Your outer Handler's AuthBy has 'EAPAnonymous %0'.
This tells Radiator to add User-Name in the inner request with the value
that is the inner EAP identity.

When the inner EAP starts, the first request is the EAP Identity
response shown above. The identity (the username) is then extracted by
the AuthBy within the Handler that matches the inner request.

Because the inner request becomes known only after the first tunnelled
request has been processed, it's not available when the first tunnelled
request is dispatched to the Handlers. In other words, we have a chicken
and egg situation: the inner identity is needed before the request that
carries it is processed.

You could consider this:

This should match usern...@iit.edu, username@, username and empty
username. Or then you could use simply just

Since the outer username is used to route the RADIUS request to the
correct home organisation, for example with eduroam, what matters is
that the RADIUS request has the correct realm. The inner request's realm
can have the home realm but it could as well be empty since the inner
username is not used for RADIUS request routing.

If you want to force the inner realm to always be @iit.edu, you could do
this:

Identifier PEAP_INNER_IITdEDU
AuthBy NTLM_MSCHAP_NoRealm

Identifier PEAP_INNER_No_Realm

Filename /dev/null
EAPType EAP-MSCHAP-V2

Even if the first request with the empty User-Name always matches the
second Handler, it will just extract the identity and challenge the
client to start EAP-MSCHAP-V2. The next request from the client will
match the correct Handler unless their identity (username) does not end
with @iit.edu. If this happens, they will fail the authentication.
However, it might be a good idea to allow the inner username to be
realmless and use Realm=/(^iit\.edu$|^$)/i with the first Handler.

You could think of the second Handler as an anchor that bootstraps
EAP-MSCHAP-V2 and handles unknown realms.

We have planned to solve the chicken-and-egg problem by taking a look at
the inner request when the inner identity is not known yet. If the inner
EAP-Message contains the identity, then it could be used for the first
message when EAPAnonymous %0 is configured. However, this is not in
Radiator or Radiator patches yet.

I hope the above clarifies how EAPAnonymous %0 works currently and why
you will see empty User-Name with it.

Thanks,
Heikki

--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER
etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
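The Handler check items of Heikki's suggestion did not survive the archive, so the arrangement he describes is reconstructed here as an added example for this page (it is not the thread's own configuration and not Radiator's documentation). It shows why the first tunnelled request, which arrives with an empty User-Name under `EAPAnonymous %0`, still gets an EAP-MSCHAP-V2 challenge, and how the later inner requests are routed on their realm. Assumptions: `NTLM_MSCHAP_NoRealm` is the AuthBy named in the thread; `TunnelledByPEAP=1` is used to keep inner Handlers apart from the outer one; certificate paths are placeholders.

```conf
# Added example, not from the thread. Placeholders: the certificate paths.
# Radiator tries Handlers in configuration order, so the inner (tunnelled)
# Handlers must come before the outer PEAP Handler.

# 1. Inner requests whose identity ends in @iit.edu. The thread also
#    suggests Realm=/(^iit\.edu$|^$)/i here, which additionally lets a
#    realmless inner identity authenticate in this Handler.
<Handler TunnelledByPEAP=1, Realm=iit.edu>
    Identifier PEAP_INNER_IITdEDU
    AuthBy NTLM_MSCHAP_NoRealm
</Handler>

# 2. Anchor Handler: catches the first inner request (User-Name "") and any
#    unknown realm. With an empty user file it can only extract the EAP
#    identity and start EAP-MSCHAP-V2; an identity that routes back here on
#    the next round (unknown realm) fails, because /dev/null holds no user.
<Handler TunnelledByPEAP=1>
    Identifier PEAP_INNER_No_Realm
    <AuthBy FILE>
        Filename /dev/null
        EAPType EAP-MSCHAP-V2
    </AuthBy>
</Handler>

# 3. Outer PEAP Handler. EAPAnonymous %0 copies the inner EAP identity into
#    the inner User-Name once that identity has been extracted, which is
#    why the very first tunnelled request still carries User-Name "".
<Handler Realm=iit.edu>
    Identifier PEAP_OUTER_IITdEDU
    <AuthBy FILE>
        Filename /dev/null
        EAPType PEAP
        EAPAnonymous %0
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server-cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

The order matters for the security property Heikki describes: because the outer Handler also matches `Realm=iit.edu`, placing it first would swallow the tunnelled requests, and a NO_REALM-style catch-all placed before the `@iit.edu` inner Handler would route every inner identity to the empty user file.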
Re: [RADIATOR] Question about regex matching realm in handlers
Heikki,

Now that you assembled the pieces for me, it makes perfect sense. I figured I had to be missing something.

Thank you!
David

On 2/11/2016 5:17 AM, Heikki Vatiainen wrote:
> On 10.2.2016 23.31, David Rose wrote:
>
>> However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
>> and associated statements (i.e. no other changes to client config or
>> anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
>> the regex and the inner request is then caught by "NO_REALM". Here is
>> the debug from a request where things stop working as expected (I think
>> the key is that in the packet dump, the username is in the "EAP-Message"
>> field and not the "User-Name" field):
>
> Yes, you are correct. The key is the empty User-Name in the tunnelled
> request. Here's the tunnelled request:
>
>> Tue Feb 9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic: <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
>> Attributes:
>> EAP-Message = <2><0><0><18><1>tu...@iit.edu
>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> User-Name = ""
>>
>> Tue Feb 9 23:21:42 2016: DEBUG: Handling request with Handler
>> 'Realm=/^$/', Identifier 'NO_REALM'
>
> This is what happens: Your outer Handler's AuthBy has 'EAPAnonymous %0'.
> This tells Radiator to add User-Name in the inner request with the value
> that is the inner EAP identity.
>
> When the inner EAP starts, the first request is the EAP Identity
> response shown above. The identity (the username) is then extracted by
> the AuthBy within the Handler that matches the inner request.
>
> Because the inner request becomes known only after the first tunnelled
> request has been processed, it's not available when the first tunnelled
> request is dispatched to the Handlers. In other words, we have a chicken
> and egg situation: the inner identity is needed before the request that
> carries it is processed.
>
> You could consider this:
>
> This should match usern...@iit.edu, username@, username and empty
> username. Or then you could use simply just
>
> Since the outer username is used to route the RADIUS request to the
> correct home organisation, for example with eduroam, what matters is
> that the RADIUS request has the correct realm. The inner request's realm
> can have the home realm but it could as well be empty since the inner
> username is not used for RADIUS request routing.
>
> If you want to force the inner realm to always be @iit.edu, you could do
> this:
>
> Identifier PEAP_INNER_IITdEDU
> AuthBy NTLM_MSCHAP_NoRealm
>
> Identifier PEAP_INNER_No_Realm
>
> Filename /dev/null
> EAPType EAP-MSCHAP-V2
>
> Even if the first request with the empty User-Name always matches the
> second Handler, it will just extract the identity and challenge the
> client to start EAP-MSCHAP-V2. The next request from the client will
> match the correct Handler unless their identity (username) does not end
> with @iit.edu. If this happens, they will fail the authentication.
> However, it might be a good idea to allow the inner username to be
> realmless and use Realm=/(^iit\.edu$|^$)/i with the first Handler.
>
> You could think of the second Handler as an anchor that bootstraps
> EAP-MSCHAP-V2 and handles unknown realms.
>
> We have planned to solve the chicken-and-egg problem by taking a look at
> the inner request when the inner identity is not known yet. If the inner
> EAP-Message contains the identity, then it could be used for the first
> message when EAPAnonymous %0 is configured. However, this is not in
> Radiator or Radiator patches yet.
>
> I hope the above clarifies how EAPAnonymous %0 works currently and why
> you will see empty User-Name with it.
>
> Thanks,
> Heikki
Re: [RADIATOR] Question about AuthByPolicy anything else and AuthBy SQL
Hello Heikki

Thanks for your answer, indeed that was the problem! Now I can insert in both databases perfectly!

We're in the middle of the process to upgrade to Radiator 4.9!

Thanks for your support!

Regards,
Ricardo.-

-----Original message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On behalf of Heikki Vatiainen
Sent: Wednesday, 27 June 2012 17:35
To: radiator@open.com.au
Subject: Re: [RADIATOR] Question about AuthByPolicy anything else and AuthBy SQL

On 06/27/2012 11:23 PM, Ricardo Martinez wrote:

> I'm using Radiator 3.1.13

Version 3.x is quite old, so you could consider upgrading in case there are more problems.

> I have this configuration file :

I think the main problem is this:

> DBusername user

The option is slightly incorrect. You should have:

DBUsername user

Notice the capital U. Radiator should log an error about this when it starts up. Since the parameters are incorrect, it cannot initialise DBD::Oracle and Oracle specific string value quoting will fail. This is why you see blanks.

Also note that the AcctColumnDefs are not equal in both AuthBys. For example Acct-Input-Octets has 'integer' type in one AuthBy but not in the other.

Please let us know if this solves the problem,
Heikki

> <Handler Request-Type = Accounting-Request, Acct-Status-Type = Stop>
> <AuthBy GROUP>
> AuthByPolicy anything else
>
> <AuthBy SQL>
> DBSource dbi:Oracle:DEV
> DBusername user
> DBAuth pass
> FailureBackoffTime 60
> AccountingTable VOIPACCOUNTING2
> AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
> AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
> AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
> AcctColumnDef CONNECTION_ID,h323-conf-id
> AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
> AcctColumnDef CALL_LEG_TYPE,h323-call-type
> AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
> AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
> AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
> AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
> AcctColumnDef VOICE_QUALITY,h323-voice-quality
> AcctColumnDef USER_NAME,User-Name
> AcctColumnDef CALLED_STATION_ID,Called-Station-Id
> AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
> AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
> AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time,integer
> AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
> AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
> AcctColumnDef ACCT_INPUT_PACKETS,Acct-Input-Packets,integer
> AcctColumnDef ACCT_OUTPUT_PACKETS,Acct-Output-Packets,integer
> AcctColumnDef NAS_PORT_TYPE,NAS-Port-Type,integer
> AcctColumnDef ACCESS_DEVICE,h323-gw-id
> AcctColumnDef NETWORK_DEVICE_GROUP,Acct-Status-Type,intege
> </AuthBy>
>
> <AuthBy SQL>
> DBSource dbi:Oracle:SID1
> DBUsername user
> DBAuth pass
> FailureBackoffTime 60
> AccountingTable VOIPACCOUNTING2
> AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
> AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
> AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
> AcctColumnDef CONNECTION_ID,h323-conf-id
> AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
> AcctColumnDef CALL_LEG_TYPE,h323-call-type
> AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
> AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
> AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
> AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
> AcctColumnDef VOICE_QUALITY,h323-voice-quality
> AcctColumnDef
Re: [RADIATOR] question about machine based authentication
Ok, that's what I was looking for! Putting DEFAULT in the file yields the desired behavior.

Thanks!
Joy

On 12/8/11 5:47 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/09/2011 12:31 AM, Joy Veronneau wrote:

Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches the computer name. Seems like I would want the cert name checked? Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use Filename %D/tls_anon with this single line:

DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching with EAPTLS_CertificateVerifyHook

Thanks!
Heikki

Sorry to have so many questions…

Thanks,
Joy

On 12/8/11 5:26 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/09/2011 12:15 AM, Joy Veronneau wrote:

But if I do that, I will still have to have the names of the machines in the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section 5.20.46 EAPTLS_NoCheckId. You can turn off the name check.

Thanks!
Heikki

Thanks,
Joy

On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

I am still working on my machine based authentication config. Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon.

Try with something like this:

<Handler ...>
    AuthByPolicy ContinueWhileAccept
    AuthBy file-tls
    AuthBy external-adcert
</Handler>

With the above EAP-TLS will run first and when it is done and returns ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome of the whole authentication process.

Please let us know of your results

--
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER
etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] question about machine based authentication
On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

I am still working on my machine based authentication config. Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon.

Try with something like this:

<Handler ...>
    AuthByPolicy ContinueWhileAccept
    AuthBy file-tls
    AuthBy external-adcert
</Handler>

With the above EAP-TLS will run first and when it is done and returns ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome of the whole authentication process.

Please let us know of your results

I need to modify this config so that I do not need to maintain a list of host names on the radiator server and so that I can execute an external script that formats a Filter-Id for a VLAN name to return with the ACCEPT. I thought this would be pretty straight forward, see config2 below. The problem is that just this minor change causes the client to hang or something during the negotiation. Once the accept is sent, nothing else happens - we've verified this looking at the traffic on the AP. I've included a debug log as well. I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

---
config1: (works if names of computers are in tls_anon file)

<AuthBy FILE>
    Identifier TLS
    Filename %D/tls_anon
    EAPType TLS
    EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
    EAPTLS_CertificateFile /app/radius/keys/agate1.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
    EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
    Identifier ADCERT
    Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
</AuthBy>

<AuthBy GROUP>
    Identifier dot1x_tls
    AuthByPolicy ContinueWhileAccept
    AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
    AuthByPolicy ContinueAlways
    RewriteUsername s/^host\///
    AuthBy dot1x_tls
    AuthBy ADCERT
    AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>

config2 (doesn't work. see log below.)

#<AuthBy FILE>
<AuthBy EXTERNAL>
    Identifier TLS
    #Filename %D/tls_anon
    EAPType TLS
    EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
    EAPTLS_CertificateFile /app/radius/keys/agate1.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
    EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
    EAPTLS_MaxFragmentSize 1000
    Command /app/radius/scripts/authby.ADCERT
    AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
    Identifier dot1x_tls
    AuthByPolicy ContinueWhileAccept
    AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
    AuthByPolicy ContinueAlways
    RewriteUsername s/^host\///
    AuthBy dot1x_tls
    # AuthBy ADCERT
    AcctLogFileName %L/%y%m%d-eduroam.log
    AuthLog QRadar_WIRELESS
</Handler>

---
the debug log

*** Received from 132.236.115.218 port 33004
Code: Access-Request
Identifier: 186
Authentic: 201217161218164173b22924147163G#30]179
Attributes:
    User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
    NAS-IP-Address = 132.236.115.218
    NAS-Port = 1
    NAS-Identifier = cit.redrover.secure
    NAS-Port-Type = Wireless-IEEE-802-11
    Calling-Station-Id = 0014D1EA856B
    Called-Station-Id = 000B866222B0
    Service-Type = Login-User
    Framed-MTU = 1100
    EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
    Aruba-Essid-Name = eduroam-test
    Aruba-Location-Id = test-rhodes-745-ap
    Message-Authenticator = 1391493145153Z4192210[,170g1521p

Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler 'Aruba-Essid-Name=eduroam-test, User-Name = /^host/i', Identifier ''
Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec 7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004
Code: Access-Accept
Identifier: 186
Authentic: 2341623*2152525021t149129168202204
Attributes:
    Filter-Id = eduroam-correct

(That's all that's in the logs…)

--
Heikki Vatiainen h...@open.com.au
Re: [RADIATOR] question about machine based authentication
On 12/09/2011 12:15 AM, Joy Veronneau wrote:

But if I do that, I will still have to have the names of the machines in the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section 5.20.46 EAPTLS_NoCheckId. You can turn off the name check.

Thanks!
Heikki

Thanks,
Joy

On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

I am still working on my machine based authentication config. Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon.

Try with something like this:

<Handler ...>
    AuthByPolicy ContinueWhileAccept
    AuthBy file-tls
    AuthBy external-adcert
</Handler>

With the above EAP-TLS will run first and when it is done and returns ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome of the whole authentication process.

Please let us know of your results

I need to modify this config so that I do not need to maintain a list of host names on the radiator server and so that I can execute an external script that formats a Filter-Id for a VLAN name to return with the ACCEPT. I thought this would be pretty straight forward, see config2 below. The problem is that just this minor change causes the client to hang or something during the negotiation. Once the accept is sent, nothing else happens - we've verified this looking at the traffic on the AP. I've included a debug log as well. I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong or I just can't use AuthBy EXTERNAL in combination with TLS?
Re: [RADIATOR] question about machine based authentication
Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches the computer name. Seems like I would want the cert name checked? Is there a way I can still check the cert name?

Sorry to have so many questions…

Thanks,
Joy

On 12/8/11 5:26 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/09/2011 12:15 AM, Joy Veronneau wrote:

But if I do that, I will still have to have the names of the machines in the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section 5.20.46 EAPTLS_NoCheckId. You can turn off the name check.

Thanks!
Heikki

Thanks,
Joy

On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:

On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

I am still working on my machine based authentication config. Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon.

Try with something like this:

<Handler ...>
    AuthByPolicy ContinueWhileAccept
    AuthBy file-tls
    AuthBy external-adcert
</Handler>

With the above EAP-TLS will run first and when it is done and returns ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome of the whole authentication process.

Please let us know of your results
Re: [RADIATOR] question about machine based authentication
On 12/09/2011 12:31 AM, Joy Veronneau wrote:
> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches the computer name. Seems like I would want the cert name checked? Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use Filename %D/tls_anon with this single line:

DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching with EAPTLS_CertificateVerifyHook

Thanks!
Heikki

> Sorry to have so many questions…
>
> Thanks,
> Joy
>
> On 12/8/11 5:26 PM, Heikki Vatiainen h...@open.com.au wrote:
>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>> But if I do that, I will still have to have the names of the machines in the tls_anon file, wouldn't I?
>>
>> Good point, I overlooked that part. Please see ref.pdf section 5.20.46 EAPTLS_NoCheckId. You can turn off the name check.
>>
>> Thanks!
>> Heikki
>>
>>> Thanks,
>>> Joy
>>>
>>> On 12/8/11 5:07 PM, Heikki Vatiainen h...@open.com.au wrote:
>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>>
>>>> Hello Joy,
>>>>
>>>>> I am still working on my machine based authentication config. Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon.
>>>>
>>>> Try with something like this:
>>>>
>>>> <Handler ...>
>>>> 	AuthByPolicy ContinueWhileAccept
>>>> 	AuthBy file-tls
>>>> 	AuthBy external-adcert
>>>> </Handler>
>>>>
>>>> With the above EAP-TLS will run first and when it is done and returns ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome of the whole authentication process.
>>>>
>>>> Please let us know of your results

-- 
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] question about machine based authentication
Hi,

I am still working on my machine based authentication config. Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon. I need to modify this config so that I do not need to maintain a list of host names on the radiator server and so that I can execute an external script that formats a Filter-Id for a VLAN name to return with the ACCEPT. I thought this would be pretty straight forward, see config2 below.

The problem is that just this minor change causes the client to hang or something during the negotiation. Once the accept is sent, nothing else happens - we've verified this looking at the traffic on the AP. I've included a debug log as well.

I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

--- config1: (works if names of computers are in tls_anon file)

<AuthBy FILE>
	Identifier TLS
	Filename %D/tls_anon
	EAPType TLS
	EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
	EAPTLS_CertificateFile /app/radius/keys/agate1.pem
	EAPTLS_CertificateType PEM
	EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
	EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
	EAPTLS_MaxFragmentSize 1000
	AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
	Identifier ADCERT
	Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
</AuthBy>

<AuthBy GROUP>
	Identifier dot1x_tls
	AuthByPolicy ContinueWhileAccept
	AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
	AuthByPolicy ContinueAlways
	RewriteUsername s/^host\///
	AuthBy dot1x_tls
	AuthBy ADCERT
	AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>

--- config2 (doesn't work. see log below.)

#<AuthBy FILE>
<AuthBy EXTERNAL>
	Identifier TLS
	#Filename %D/tls_anon
	EAPType TLS
	EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
	EAPTLS_CertificateFile /app/radius/keys/agate1.pem
	EAPTLS_CertificateType PEM
	EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
	EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
	EAPTLS_MaxFragmentSize 1000
	Command /app/radius/scripts/authby.ADCERT
	AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
	Identifier dot1x_tls
	AuthByPolicy ContinueWhileAccept
	AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
	AuthByPolicy ContinueAlways
	RewriteUsername s/^host\///
	AuthBy dot1x_tls
	# AuthBy ADCERT
	AcctLogFileName %L/%y%m%d-eduroam.log
	AuthLog QRadar_WIRELESS
</Handler>

--- the debug log

*** Received from 132.236.115.218 port 33004
Code: Access-Request
Identifier: 186
Authentic: 201217161218164173b22924147163G#30]179
Attributes:
	User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
	NAS-IP-Address = 132.236.115.218
	NAS-Port = 1
	NAS-Identifier = cit.redrover.secure
	NAS-Port-Type = Wireless-IEEE-802-11
	Calling-Station-Id = 0014D1EA856B
	Called-Station-Id = 000B866222B0
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
	Aruba-Essid-Name = eduroam-test
	Aruba-Location-Id = test-rhodes-745-ap
	Message-Authenticator = 1391493145153Z4192210[,170g1521p

Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler 'Aruba-Essid-Name=eduroam-test, User-Name = /^host/i', Identifier ''
Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec 7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004
Code: Access-Accept
Identifier: 186
Authentic: 2341623*2152525021t149129168202204
Attributes:
	Filter-Id = eduroam-correct

(That's all that's in the logs…)
Re: [RADIATOR] question about machine based authentication
On 11/19/2011 12:18 AM, Joy Veronneau wrote:
> I think I need some more help with my config. It is working ok for my machine cert based authentication, but only if I put the name of the machine in a file on the radius server. Here is my config snippet:

You could experiment using AuthBy LDAP2. Instead of using file as user database, the config would lookup user (machine name) and group information from LDAP. See goodies/ad-ldap.cfg and goodies/ldap.cfg for hints. For example using global catalog port and NoCheckPassword. NoCheckPassword should be used since you are not interested in password, but attributes the machine account has in AD.

Please let us know how it goes.

Heikki

> <AuthBy FILE>
> 	Identifier TLS
> 	Filename %D/tls_anon
> 	EAPType TLS
> 	EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
> 	EAPTLS_CertificateFile /app/radius/keys/agate1.pem
> 	EAPTLS_CertificateType PEM
> 	EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
> 	EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
> 	EAPTLS_MaxFragmentSize 1000
> 	AutoMPPEKeys
> </AuthBy>
>
> <Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
> 	AuthByPolicy ContinueAlways
> 	RewriteUsername s/^host\///
> 	AuthBy TLS
> </Handler>
>
> and %D/tls_anon contains:
> CIT-JV11GTEST2.cit.cornell.edu
>
> I would like to avoid having to maintain all the machine names on the radius server. I would prefer to do some sort of NTLM auth that would read the machine cert and then check to see if the machine is in a certain group. I tried using AuthBy NTLM but that really broke everything... I do have NTLM working for username/pw based authn but I need to do that AND machine based…
>
> I'd appreciate a hint.
>
> Thanks-
> Joy
>
> On 11/10/11 5:21 PM, Heikki Vatiainen h...@open.com.au wrote:
>> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>>> Is it possible for the radiator server to do machine-based authentication (via certificate) to an Active Directory domain?
>>
>> You may want to check if they really mean certificates, since machine based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins to domain, a password and username are automatically created and these can be used for machine based authentication. This is also supported by Radiator by default too.
>>
>>> I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS radius server and would like to switch to our centrally managed radius server and central AD system. I know that we would have to issue a new cert to the machine from the central AD domain… but I'm not finding much about how to set up radiator in my on-line research so far.
>>
>> EAP-TLS, see goodies too, can be used here. Radiator can also do extra checks for certs besides just checking if the cert is valid or not.
Re: [RADIATOR] question about machine based authentication
Hi,

I think I need some more help with my config. It is working ok for my machine cert based authentication, but only if I put the name of the machine in a file on the radius server. Here is my config snippet:

<AuthBy FILE>
	Identifier TLS
	Filename %D/tls_anon
	EAPType TLS
	EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
	EAPTLS_CertificateFile /app/radius/keys/agate1.pem
	EAPTLS_CertificateType PEM
	EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
	EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
	EAPTLS_MaxFragmentSize 1000
	AutoMPPEKeys
</AuthBy>

<Handler Aruba-Essid-Name=eduroam-test, User-Name = /^host/i>
	AuthByPolicy ContinueAlways
	RewriteUsername s/^host\///
	AuthBy TLS
</Handler>

and %D/tls_anon contains:
CIT-JV11GTEST2.cit.cornell.edu

I would like to avoid having to maintain all the machine names on the radius server. I would prefer to do some sort of NTLM auth that would read the machine cert and then check to see if the machine is in a certain group. I tried using AuthBy NTLM but that really broke everything... I do have NTLM working for username/pw based authn but I need to do that AND machine based…

I'd appreciate a hint.

Thanks-
Joy

On 11/10/11 5:21 PM, Heikki Vatiainen h...@open.com.au wrote:
> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>> Is it possible for the radiator server to do machine-based authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins to domain, a password and username are automatically created and these can be used for machine based authentication. This is also supported by Radiator by default too.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS radius server and would like to switch to our centrally managed radius server and central AD system. I know that we would have to issue a new cert to the machine from the central AD domain… but I'm not finding much about how to set up radiator in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra checks for certs besides just checking if the cert is valid or not.
Re: [RADIATOR] question about machine based authentication
Hi,

I've made some progress on this. The windows 7 machine is now contacting the radius server, but its username starts with host/ and radiator doesn't seem to like that. Should the machine be sending some sort of different username? I don't think I can get the request to the correct handler until I fix this problem?

The network settings on the windows 7 machine are:

Security type: WPA2 Enterprise
Encryption type: TKIP
Network authentication method: Microsoft: Smart card or other certificate (Settings -> Use a certificate on this computer, use simple certificate selection)
Advanced settings: 802.1X Specify authentication mode: Computer authentication.

Here is what I see on the radius logs:

	User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
	NAS-IP-Address = 132.236.115.218
	NAS-Port = 1
	NAS-Identifier = cit.redrover.secure
	NAS-Port-Type = Wireless-IEEE-802-11
	Calling-Station-Id = 0014D1EA856B
	Called-Station-Id = 000B866222B0
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
	Aruba-Essid-Name = eduroam-test
	Aruba-Location-Id = test-rhodes-745-ap
	Message-Authenticator = ]179:f223241242Z13:204222150130J181

Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004
Code: Access-Reject
Identifier: 219
Authentic: 138592542361313184xLU?N4139225
Attributes:
	Reply-Message = Request Denied

Thanks again,
Joy

On 11/10/11 5:21 PM, Heikki Vatiainen h...@open.com.au wrote:
> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>> Is it possible for the radiator server to do machine-based authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins to domain, a password and username are automatically created and these can be used for machine based authentication. This is also supported by Radiator by default too.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS radius server and would like to switch to our centrally managed radius server and central AD system. I know that we would have to issue a new cert to the machine from the central AD domain… but I'm not finding much about how to set up radiator in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra checks for certs besides just checking if the cert is valid or not.
Re: [RADIATOR] question about machine based authentication
On 11/15/2011 07:43 PM, Joy Veronneau wrote:
> I've made some progress on this. The windows 7 machine is now contacting the radius server, but its username starts with host/ and radiator doesn't seem to like that. Should the machine be sending some sort of different username? I don't think I can get the request to the correct handler until I fix this problem?

Radiator will recognize host/ and do the authentication with correct username. The machine seems to be sending the username correctly, so that's not the problem.

> Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name

Your configuration file has UsernameCharset specified so that it does not include / If you change UsernameCharset this problem will go away.

Thanks!
Heikki

> The network settings on the windows 7 machine are:
>
> Security type: WPA2 Enterprise
> Encryption type: TKIP
> Network authentication method: Microsoft: Smart card or other certificate (Settings -> Use a certificate on this computer, use simple certificate selection)
> Advanced settings: 802.1X Specify authentication mode: Computer authentication.
>
> Here is what I see on the radius logs:
>
> 	User-Name = host/CIT-JV11GTEST2.cit.cornell.edu
> 	NAS-IP-Address = 132.236.115.218
> 	NAS-Port = 1
> 	NAS-Identifier = cit.redrover.secure
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Calling-Station-Id = 0014D1EA856B
> 	Called-Station-Id = 000B866222B0
> 	Service-Type = Login-User
> 	Framed-MTU = 1100
> 	EAP-Message = 210(1host/CIT-JV11GTEST2.cit.cornell.edu
> 	Aruba-Essid-Name = eduroam-test
> 	Aruba-Location-Id = test-rhodes-745-ap
> 	Message-Authenticator = ]179:f223241242Z13:204222150130J181
>
> Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
> Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
> Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
> *** Sending to 132.236.115.218 port 33004
> Code: Access-Reject
> Identifier: 219
> Authentic: 138592542361313184xLU?N4139225
> Attributes:
> 	Reply-Message = Request Denied
>
> Thanks again,
> Joy
Re: [RADIATOR] question about machine based authentication
On 11/09/2011 09:46 PM, Joy Veronneau wrote:
> Is it possible for the radiator server to do machine-based authentication (via certificate) to an Active Directory domain?

You may want to check if they really mean certificates, since machine based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins to domain, a password and username are automatically created and these can be used for machine based authentication. This is also supported by Radiator by default too.

> I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS radius server and would like to switch to our centrally managed radius server and central AD system. I know that we would have to issue a new cert to the machine from the central AD domain… but I'm not finding much about how to set up radiator in my on-line research so far.

EAP-TLS, see goodies too, can be used here. Radiator can also do extra checks for certs besides just checking if the cert is valid or not.

-- 
Heikki Vatiainen h...@open.com.au
Re: [RADIATOR] Question on FarmSize, SocketQueueLength, and net.core.rmem_max on Linux
On 08/23/2011 05:52 PM, Frank Danielson wrote:
> We are currently running Radiator 4.7 under Redhat 5.5 and I am trying to make sure I understand the effect that the FarmSize setting has on the amount of memory allocated for the SocketQueue. If Radiator is configured with some FarmSize does each worker have its own SocketQueue with the effect of making the total amount of memory allocated = FarmSize * SocketQueueLength?

I think the allocated memory is always 1*SocketQueueLength. This is based on the fact that the socket is shared between the clients and the assumption that the socket queue is part of kernel and the fan out to the workers happens on the OS/user space boundary. In other words, my take is one socket queue serves one or multiple readers. If someone knows better, please let me know.

> For example if my SocketQueueLength is 100 and the FarmSize is 4, is there a total of 400 bytes allocated or is it just 100? In either instance I am assuming that the net.core.rmem_max size needs to be at least as large as that number, is that correct?

If my theory holds, then it might be a good idea to increase rmem_max because there are multiple readers that can dequeue packets and smooth incoming bursts. An alternate view is, if there are always workers that are ready to process messages, then they should be able to drain normal size queue even if the queue input rate is high.

There's also /proc/sys/net/ipv4/udp_mem which might be useful to tune UDP queues only.
http://www.kernel.org/doc/man-pages/online/pages/man7/udp.7.html

This is an interesting question. If you decide to experiment with different settings, maybe you could let us know of results.

Thanks!
Heikki
Re: [RADIATOR] Question about IP Pool.
On 08/20/2011 09:07 PM, Faisal Imtiaz wrote:

Hello Faisal,

> I am currently using Radiator configured with mysql for authenticating DSL Subscribers. So far we have been allocating fixed IP addresses framed routes as needed for the subscribers. We have bunch of subscribers who need to be on dynamic IP's. There is a RADPOOL table, that I can add addresses to either manually or via AddressPool... What I am having trouble with is on What do I need to 'define' for the user so that Radiator will get an IP address from the RADPOOL Table ? and What code if any I need to put in radius.cfg for this to happen.

Please see goodies/addressallocator.cfg in Radiator distribution package for an example. The idea is to run the normal authentication first followed by AuthBy DYNADDRESS. The AuthByPolicy should be set so that DYNADDRESS is only used if the normal authentication first succeeds.

You should probably keep your existing Handler and AuthBy as they are and add a new Handler to match the dynaddress users. This new Handler would have two AuthBys where the first does normal authentication followed by the second AuthBy that does address allocation from AddressPool. You can also have more AuthBys if needed, but the above is a simple extension of your current setup shown below.

Best regards,
Heikki

> Many Thanks in advance.
>
> === here is what my AuthBy looks like
>
> <AuthBy SQL>
> 	# MySQL DB, DB radius, host localhost
> 	DBSource dbi:mysql:xxx
> 	DBUsername x
> 	DBAuth xxx
>
> 	# Define Table and Columns for Authentication
> 	AuthSelect select PASSWORD, SERVICETYPE, FRAMEDPROTOCOL, TRAFFICSHAPE, ACL, PORTLIMIT, TIMELEFT, IPPOOL, FRAMEDI$ from SUBSCRIBERS where USERNAME = %0
> 	AuthColumnDef 0, Password, check
> 	AuthColumnDef 1, GENERIC, check
> 	AuthColumnDef 2, GENERIC, reply
> 	AuthColumnDef 3, GENERIC, reply
> 	AuthColumnDef 4, GENERIC, reply
> 	AuthColumnDef 5, GENERIC, reply
> 	AuthColumnDef 6, GENERIC, reply
> 	AuthColumnDef 7, GENERIC, reply
> 	AuthColumnDef 8, GENERIC, reply
> 	AuthColumnDef 9, GENERIC, reply
> 	AuthColumnDef 10, GENERIC, reply
> 	AuthColumnDef 11, GENERIC, reply
> 	AuthColumnDef 12, GENERIC, reply
>
> 	# Define Table and Columns for Accounting
> 	AccountingTable ACCOUNTING
> 	AcctColumnDef USERNAME,User-Name
> 	AcctColumnDef TIME_STAMP,Timestamp,formatted-date,\
> 		'%Y/%m/%e %H:%M:%S'
> 	AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> 	AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> 	AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> 	AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> 	AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> 	AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> 	AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> 	AcctColumnDef NASIDENTIFIER,NAS-Identifier
> 	AcctColumnDef NASIPADDRESS,NAS-IP-Address
> 	AcctColumnDef NASPORT,NAS-Port,integer
> 	AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> </AuthBy>
>
> =
RE: (RADIATOR) Question in AuthBy EXTERNAL
Hi

Do I need to pass any parameter to testcommand.pl?

MAN

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in AuthBy EXTERNAL

Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run C:\Perl\bin\testcommand.pl without some clues.

Cheers.

On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
> Hello Man Meng Fei -
>
> I suspect that Radiator is not able to run the external command. What happens when you run the following in a MS-DOS window:
>
> C:\Perl\bin\testcommand.pl
>
> There is probably something wrong with either the path or the contents of the file.
>
> regards
>
> Hugh
>
> On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei wrote:
>> Hi
>>
>> Currently I am using a sample configuration (external.cfg) and perl script (testcommand.pl) which can be retrieved from goodies directory to understand the implementation of AuthBy EXTERNAL. But after I executed it, I can't get the expected test result. I got No Reply at Radius client. I hope someone can help me to make this AuthBy EXTERNAL sample working.
>>
>> Lastly I attached Radius Configuration file which I used for the testing and Radius Server and Radius Client's output result
>>
>> Man Meng Fei
>>
>> --radius.cfg---
>> # external.cfg
>> #
>> # Example Radiator configuration file.
>> # This very simple file will allow you to get started with
>> # EXTERNAL authentication.
>> #
>> # There is an example external program called testcommand.pl
>> # in the goodies directory, which the example below uses. It
>> # will accept the request if the username is fred otherwise reject
>> # it.
>> #
>> # So if you run Radiator with this config file, then do
>> # radpwtst -noacct -trace -user fred
>> # you will see something like:
>> # sending Access-Request...
>> # OK
>> # Code: Access-Accept
>> # Identifier: 109
>> # Authentic: 12_B2152=149140kBM13022110.S
>> # Attributes:
>> # Reply-Message = you are fred
>> #
>> #
>> # And if you do:
>> # radpwtst -noacct -trace -user someoneelse
>> # you will see something like:
>> # sending Access-Request...
>> # Rejected
>> # Code: Access-Reject
>> # Identifier: 70
>> # Authentic: 165206RiJ208139245129@17013623s2423
>> # Attributes:
>> # Reply-Message = you are NOT fred, you are 'someoneelse'
>> # Reply-Message = Request Denied
>> #
>> # You should consider this file to be a starting point only
>> # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
>>
>> Foreground
>> LogStdout
>> LogDir c:/Program Files/Radiator
>> DbDir c:/Program Files/Radiator
>> Trace 4
>>
>> # You will probably want to change this to suit your site.
>> <Client DEFAULT>
>> 	Secret mysecret
>> 	DupInterval 0
>> </Client>
>>
>> <Realm DEFAULT>
>> 	<AuthBy EXTERNAL>
>> 		# For NT, you might want something like this
>> 		Command C:\Perl\bin\testcommand.pl
>> 		# For Unix, maybe something like this
>> 		#
>> 		#Command ./goodies/testcommand.pl
>>
>> 		# This will cause the User-Password
>> 		# to be decrypted before being passed to the
>> 		# external program
>> 		DecryptPassword
>>
>> 		# You might prefer use this to tell AuthBy EXTERNAL
>> 		# to get the result from the first line of the
>> 		# output. The permitted values are ACCEPT, REJECT
>> 		# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
>> 		# its the only way to get it to work.
>> 		# We recommend you use this method
>> 		ResultInOutput
>> 	</AuthBy>
>> </Realm>
>>
>> ---Radius Server Output---
>> Microsoft Windows 2000 [Version 5.00.2195]
>> (C) Copyright 1985-2000 Microsoft Corp.
>>
>> C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
>> Thu Oct 2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
>> This Radiator license will expire on 2004-02-01
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see http://www.open.com.au/ordering.html
>> To extend your evaluation period, contact [EMAIL PROTECTED]
>> Thu Oct 2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
>> Thu Oct 2 01:16:58 2003: DEBUG: Creating authentication port 0.0.0.0:1645
>> Thu Oct 2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
>> Thu Oct 2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
>> Thu Oct 2 01:18:52 2003: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 3006
>> Code: Access-Request
>> Identifier: 67
RE: (RADIATOR) Question in AuthBy EXTERNAL
Hi Mike and Hugh

May I know how I should pass the parameter into the perl script when I execute AUTH EXTERNAL, and how can I get the result after executing the perl script?

Thank
MAN

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Man Meng Fei
Sent: Thursday, October 02, 2003 1:58 PM
To: 'Mike McCauley'; 'Hugh Irvine'
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Question in AuthBy EXTERNAL

Hi

Do I need to pass any parameter to testcommand.pl?

MAN

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in AuthBy EXTERNAL

Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run C:\Perl\bin\testcommand.pl without some clues.

Cheers.

On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
> Hello Man Meng Fei -
>
> I suspect that Radiator is not able to run the external command. What happens when you run the following in a MS-DOS window:
>
> C:\Perl\bin\testcommand.pl
>
> There is probably something wrong with either the path or the contents of the file.
>
> regards
>
> Hugh
>
> On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei wrote:
>> Hi
>>
>> Currently I am using a sample configuration (external.cfg) and perl script (testcommand.pl) which can be retrieved from goodies directory to understand the implementation of AuthBy EXTERNAL. But after I executed it, I can't get the expected test result. I got No Reply at Radius client. I hope someone can help me to make this AuthBy EXTERNAL sample working.
>>
>> Lastly I attached Radius Configuration file which I used for the testing and Radius Server and Radius Client's output result
>>
>> Man Meng Fei
>>
>> --radius.cfg---
>> # external.cfg
>> #
>> # Example Radiator configuration file.
>> # This very simple file will allow you to get started with
>> # EXTERNAL authentication.
>> #
>> # There is an example external program called testcommand.pl
>> # in the goodies directory, which the example below uses. It
>> # will accept the request if the username is fred otherwise reject
>> # it.
>> #
>> # So if you run Radiator with this config file, then do
>> # radpwtst -noacct -trace -user fred
>> # you will see something like:
>> # sending Access-Request...
>> # OK
>> # Code: Access-Accept
>> # Identifier: 109
>> # Authentic: 12_B2152=149140kBM13022110.S
>> # Attributes:
>> # Reply-Message = you are fred
>> #
>> #
>> # And if you do:
>> # radpwtst -noacct -trace -user someoneelse
>> # you will see something like:
>> # sending Access-Request...
>> # Rejected
>> # Code: Access-Reject
>> # Identifier: 70
>> # Authentic: 165206RiJ208139245129@17013623s2423
>> # Attributes:
>> # Reply-Message = you are NOT fred, you are 'someoneelse'
>> # Reply-Message = Request Denied
>> #
>> # You should consider this file to be a starting point only
>> # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
>>
>> Foreground
>> LogStdout
>> LogDir c:/Program Files/Radiator
>> DbDir c:/Program Files/Radiator
>> Trace 4
>>
>> # You will probably want to change this to suit your site.
>> <Client DEFAULT>
>> 	Secret mysecret
>> 	DupInterval 0
>> </Client>
>>
>> <Realm DEFAULT>
>> 	<AuthBy EXTERNAL>
>> 		# For NT, you might want something like this
>> 		Command C:\Perl\bin\testcommand.pl
>> 		# For Unix, maybe something like this
>> 		#
>> 		#Command ./goodies/testcommand.pl
>>
>> 		# This will cause the User-Password
>> 		# to be decrypted before being passed to the
>> 		# external program
>> 		DecryptPassword
>>
>> 		# You might prefer use this to tell AuthBy EXTERNAL
>> 		# to get the result from the first line of the
>> 		# output. The permitted values are ACCEPT, REJECT
>> 		# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
>> 		# its the only way to get it to work.
>> 		# We recommend you use this method
>> 		ResultInOutput
>> 	</AuthBy>
>> </Realm>
>>
>> ---Radius Server Output---
>> Microsoft Windows 2000 [Version 5.00.2195]
>> (C) Copyright 1985-2000 Microsoft Corp.
>>
>> C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
>> Thu Oct 2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
>> This Radiator license will expire on 2004-02-01
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see http://www.open.com.au/ordering.html
>> To extend your evaluation period, contact [EMAIL PROTECTED]
>> Thu Oct 2 01:16:58 2003: DEBUG: Reading dictionary file
Re: (RADIATOR) Question in AuthBy EXTERNAL
Hello MAN -

All of the attributes in the current radius request are passed to the external command on standard input, and the results are returned on standard output. Please refer to section 6.26 in the Radiator manual (doc/ref.html).

If you want to add any parameters to be passed to the external program, you should add them as attributes to the current request before calling the AuthBy EXTERNAL clause.

You should also look at the source code in the file Radius/AuthEXTERNAL.pm to see exactly what happens.

regards

Hugh

On Friday, Oct 3, 2003, at 11:22 Australia/Melbourne, Man Meng Fei wrote:

Hi Mike and Hugh

May I know how I should pass the parameter into the perl script when I execute AUTH EXTERNAL, and how can I get the result after executing the perl script?

Thanks
MAN
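The stdin/stdout exchange Hugh describes, as an added example that is not part of the original thread and is not Radiator's goodies/testcommand.pl: a command for an AuthBy EXTERNAL clause that has DecryptPassword and ResultInOutput set. It assumes the request attributes arrive on STDIN as "Name = value" lines (string values possibly double-quoted) and uses a constructed user table in place of a real backend.

```perl
#!/usr/bin/perl
# Added example of an AuthBy EXTERNAL command (not goodies/testcommand.pl).
# Radiator writes the request attributes to this program's STDIN, one
# "Name = value" line each (assumed format; string values may be quoted).
# With ResultInOutput the first line of STDOUT is the result code
# (ACCEPT, REJECT, IGNORE, CHALLENGE or REJECT_IMMEDIATE) and the
# remaining lines are reply attributes, one per line.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed credential store: user name -> SHA-256 of the password.
# A real command would query a backend. The plaintext User-Password only
# reaches this program when the AuthBy clause sets DecryptPassword.
my %users = (
    fred => sha256_hex('fredpass'),
);

# Parse "Name = value" lines into a hash. Later lines win on duplicates.
sub parse_request {
    my (@lines) = @_;
    my %attrs;
    for my $line (@lines) {
        $line =~ s/\r?\n\z//;
        next unless $line =~ /^\s*([\w.-]+)\s*=\s*(.*?)\s*$/;
        my ($name, $value) = ($1, $2);
        $value =~ s/^"(.*)"$/$1/;    # strip surrounding quotes
        $attrs{$name} = $value;
    }
    return \%attrs;
}

# Decide the outcome. Returns the result code for the first output line
# followed by the reply attribute lines.
sub decide {
    my ($attrs) = @_;
    my $user = $attrs->{'User-Name'};
    my $pass = $attrs->{'User-Password'};

    # Nothing to authenticate: IGNORE lets a later AuthBy in the same
    # Handler have a go when AuthByPolicy allows it.
    return ('IGNORE') unless defined $user && defined $pass;

    my $stored = $users{$user};
    if (defined $stored && sha256_hex($pass) eq $stored) {
        return ('ACCEPT',
                "Reply-Message = you are $user",
                'Service-Type = Framed-User');
    }
    # Same reply for an unknown user and a wrong password, so the
    # response does not reveal which accounts exist.
    return ('REJECT', 'Reply-Message = Request Denied');
}

my ($code, @replies) = decide(parse_request(<STDIN>));
print "$code\n";
print "$_\n" for @replies;
exit 0;
```

On Windows the Command line still needs the interpreter in front of the script, as Mike notes: Command c:/perl/bin/perl ./goodies/extauth.pl (script name assumed).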
Re: (RADIATOR) Question in AuthBy EXTERNAL
Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command. What happens when you run the following in a MS-DOS window:

C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents of the file.

regards

Hugh

On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei wrote:

Hi

Currently I am using a sample configuration (external.cfg) and perl script (testcommand.pl), which can be retrieved from the goodies directory, to understand the implementation of AuthBy EXTERNAL. But after I executed it, I can't get the expected test result. I got No Reply at the Radius client. I hope someone can help me to make this AuthBy EXTERNAL sample work. Lastly I attached the Radius configuration file which I used for the testing and the Radius server and Radius client's output result.

Man Meng Fei

---Radius Server Output--

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
Thu Oct 2 01:16:58 2003: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
This Radiator license will expire on 2004-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]
Thu Oct 2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Thu Oct 2 01:16:58 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Oct 2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct 2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
Thu Oct 2 01:18:52 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006
Code:       Access-Request
Identifier: 67
Authentic:  1234567890123456
Attributes:
    User-Name = mikem
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Async
    User-Password = 159249:201175\424618889160216}x153

Thu Oct 2 01:18:52 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Oct 2 01:18:52 2003: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Thu Oct 2 01:18:52 2003: DEBUG: Running command: C:\Perl\bin\testcommand.pl
Thu Oct 2 01:25:09 2003: ERR: ResultInOutput is enabled, but the first line of from the EXTRNAL command is an unknown result code
Thu Oct 2 01:25:09 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006
Code:       Accounting-Request
Identifier: 68
Re: (RADIATOR) Question in AuthBy EXTERNAL
Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run C:\Perl\bin\testcommand.pl without some clues.

Cheers.

On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:

Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command. What happens when you run the following in a MS-DOS window:

C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents of the file.

regards

Hugh
Re: (RADIATOR) Question about spliting the NAS-IP-ADDRESS for SQL use
Hello Troy -

I suggest you write a PreClientHook that will add the pseudo-attributes shown below to the incoming request packet. There is an example that does something quite similar for Cisco pseudo-attributes in the file goodies/hooks.txt.

regards

Hugh

On Friday, Aug 22, 2003, at 06:49 Australia/Melbourne, Troy Holder wrote:

We have a DB table with all of our network equipment in it and plan to use that to determine what AuthBy to use for different types of equipment (got to love how Cisco wants different reply values to allow a user into enable mode). I plan to have a Handler call an AuthBy SQL to do a query for the Auth-Type the device needs to use and then run that AuthBy clause. The problem that I am running into is that we have the equipment's IP address broken up into the octets. I know that I can use %N in the SQL in the config, but how can I get %IP1.%IP2.%IP3.%IP4 (as in %N = %IP1.%IP2.%IP3.%IP4) instead?

--
Troy Holder    [EMAIL PROTECTED]
Senior Network Engineer
Communication Technologies
North Carolina State University

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
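One way to do what Hugh suggests, as an added example that is not from goodies/hooks.txt or the original thread: the contents of a hook file that adds the pseudo-attributes IP1 to IP4 from NAS-IP-Address before the Handler runs. The file name and the PreClientHook file:"..." form of loading it are assumptions; get_attr, delete_attr and add_attr are the request packet methods used in Radiator hooks.

```perl
# Added example (assumed file name %D/nasip-hook.pl), loaded with
#     PreClientHook file:"%D/nasip-hook.pl"
# Splits NAS-IP-Address into the pseudo-attributes IP1..IP4 on the
# incoming request so an AuthBy SQL query in the Handler can reference
# the octets as %{IP1}, %{IP2}, %{IP3} and %{IP4}.
sub {
    my $p = ${$_[0]};    # the incoming request packet
    my $nas = $p->get_attr('NAS-IP-Address');

    # Only accept a well-formed dotted quad with every octet in 0..255.
    # Anything else leaves IP1..IP4 unset rather than feeding an
    # arbitrary string into the SQL built from %{IPn}.
    return unless defined $nas
        && $nas =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @octets = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @octets;

    for my $i (0 .. 3) {
        my $name = 'IP' . ($i + 1);
        # Remove any copy already present (for example from a hook that
        # ran twice) so the attribute carries exactly one value.
        $p->delete_attr($name);
        $p->add_attr($name, $octets[$i]);
    }
    return;
}
```

The hook runs before the Client lookup, so the pseudo-attributes are present for every later stage of the request, including the Handler's AuthBy SQL.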
Re: (RADIATOR) Question about AuthBy ADSI
Hugh,

Layers 8 & 9 prevent me from running Radiator on anything but a Linux box, I have no bias. :-)

I am not very familiar with AD. My understanding is that policies can be managed for users, machines, etc. In our environment, we are mapping drives and limiting machines/user rights to resources. We would like for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2. Unfortunately, I must be missing something because it does not look like AuthBy LDAP2 is ever being used. I attached my config and a debug of an attempt to connect from a machine logging into the domain. Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do not* have an anonymous user in my password file, but I can authenticate wireless users via TTLS successfully. Am I mistaken or should this be happening? - Just not those trying to authenticate to the domain.

Thanks,
Steve

Hugh Irvine wrote:

Hello Steve -

You can use the AuthBy RADIUS clause to forward radius requests to a remote radius server. The exact configuration will depend on what else you are already doing in your configuration file.

I am not sure I understand what you mean by domain policies - can you give me a bit more detail?

BTW - Radiator runs just fine on W2K server.

regards

Hugh

On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve Caporossi wrote:

Running radiator on a W2K server does not appear to be an option for us...I need to forward any domain logins, i.e. domain\username, to a Windows radius server, but only if they try to login to the domain. Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using AuthBy LDAP, AuthBy Radius or AuthBy NT? Are there any advantages, or disadvantages, between these?

Thanks,
Steve

Hugh Irvine wrote:

Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported on recent Windows releases. You can either try the AuthBy NT clause, or you can run an instance of Radiator on the Windows host and proxy requests to it. You will find details on AuthBy NT in section 6.27 of the manual (doc/ref.html).

regards

Hugh

On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie into AD for domain login and username/password checking. In the reference manual section 6.40 AuthBy ADSI it has the statement,

<snip>
It is only available on Windows 2000 platforms. It is implemented in AuthADSI.pm
</snip>

I am a little confused...does this mean that radiator needs to be running on W2K?

Thanks,
--
Steve

--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083

# radius.cfg
#
#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir /var/log/radius
DbDir /etc/radiusserver
PidFile /var/run/radius.pid
DictionaryFile /etc/radiusserver/dictionary
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813

# Add Clients below...
<Client xxx.xxx.xxx.1>
    Identifier ppp
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>

<Client xxx.xxx.xxx.2>
    Identifier ppp
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>

<Client xxx.xxx.xxx.1>
    Identifier vpn
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
</Client>

<Client DEFAULT>
    Identifier wlan
    Secret mysecret
    DupInterval 2
    NasType Cisco
    SNMPCommunity private
    IgnoreAcctSignature
</Client>

#
# PPP Config
##
<Handler Client-Identifier=ppp>
    # AuthByPolicy ContinueAlways
    AuthByPolicy ContinueWhileIgnore
    # Default
    <AuthBy SQL>
        DBSource dbi:mysql:radius
Re: (RADIATOR) Question about AuthBy ADSI
Hello Steve -

Your configuration file is incorrect. You cannot have Realms inside Handlers. If you are using Handlers, you must use only Handlers and they cannot be placed inside other Handlers. You cannot have Log ... clauses inside AuthBy ... clauses either.

regards

Hugh

On Thursday, Jul 31, 2003, at 02:29 Australia/Melbourne, Steve Caporossi wrote:

Hugh,

Layers 8 & 9 prevent me from running Radiator on anything but a Linux box, I have no bias. :-)

I am not very familiar with AD. My understanding is that policies can be managed for users, machines, etc. In our environment, we are mapping drives and limiting machines/user rights to resources. We would like for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2. Unfortunately, I must be missing something because it does not look like AuthBy LDAP2 is ever being used. I attached my config and a debug of an attempt to connect from a machine logging into the domain. Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do not* have an anonymous user in my password file, but I can authenticate wireless users via TTLS successfully. Am I mistaken or should this be happening? - Just not those trying to authenticate to the domain.

Thanks,
Steve
Re: (RADIATOR) Question about configuration file
Hello Geoffrey,

On Fri, 25 Jul 2003 09:42 am, Hugh Irvine wrote:

Hello Geoffrey -

On Thursday, Jul 24, 2003, at 19:40 Australia/Melbourne, DUFOUR Geoffrey wrote:

Hello,

As far as I understand, radiusd reads the configuration file only once (when it starts). Correct?

Correct - but see below.

Is there a way to force radiusd to read the file every x min. or every time the file is updated (new realm, RADIUS client, ...) without restarting it?

No. Although you can use a HUP signal to cause a warm restart during which the configuration file is reread.

I would also like to know if it is possible to store realms/handlers configuration information in a SQL database instead of in a flat file (the same way you can do it for RADIUS clients with ClientListSQL).

No there isn't.

However, I have seen some cases using an include statement in the config file that opens a pipe to a custom program that constructs Radiator clauses on the fly from an SQL database.

Cheers.

regards

Hugh

--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
Re: (RADIATOR) Question about configuration file
Hello Geoffrey -

On Thursday, Jul 24, 2003, at 19:40 Australia/Melbourne, DUFOUR Geoffrey wrote:

Hello,

As far as I understand, radiusd reads the configuration file only once (when it starts). Correct?

Correct - but see below.

Is there a way to force radiusd to read the file every x min. or every time the file is updated (new realm, RADIUS client, ...) without restarting it?

No. Although you can use a HUP signal to cause a warm restart during which the configuration file is reread.

I would also like to know if it is possible to store realms/handlers configuration information in a SQL database instead of in a flat file (the same way you can do it for RADIUS clients with ClientListSQL).

No there isn't.

regards

Hugh
Re: (RADIATOR) Question about configuration file
On Thu, 24 Jul 2003, DUFOUR Geoffrey wrote:

As far as I understand, radiusd reads the configuration file only once (when it starts). Correct?

AFAIK

Is there a way to force radiusd to read the file every x min. or every time the file is updated (new realm, RADIUS client, ...) without restarting it?

You can get it to reload every x mins by sending SIGHUP from cron. If you want it to happen when the config file changes you could either make the cron job check modification times of the file and still check every x minutes, or use a program like wait_on.

Andrew
Re: (RADIATOR) Question about AuthBy ADSI
Running radiator on a W2K server does not appear to be an option for us...I need to forward any domain logins, i.e. domain\username, to a Windows radius server, but only if they try to login to the domain. Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using AuthBy LDAP, AuthBy Radius or AuthBy NT? Are there any advantages, or disadvantages, between these?

Thanks,
Steve

Hugh Irvine wrote:

Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported on recent Windows releases. You can either try the AuthBy NT clause, or you can run an instance of Radiator on the Windows host and proxy requests to it. You will find details on AuthBy NT in section 6.27 of the manual (doc/ref.html).

regards

Hugh
Re: (RADIATOR) Question about AuthBy ADSI
Hello Steve -

You can use the AuthBy RADIUS clause to forward radius requests to a remote radius server. The exact configuration will depend on what else you are already doing in your configuration file.

I am not sure I understand what you mean by domain policies - can you give me a bit more detail?

BTW - Radiator runs just fine on W2K server.

regards

Hugh

On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve Caporossi wrote:

Running radiator on a W2K server does not appear to be an option for us...I need to forward any domain logins, i.e. domain\username, to a Windows radius server, but only if they try to login to the domain. Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using AuthBy LDAP, AuthBy Radius or AuthBy NT? Are there any advantages, or disadvantages, between these?

Thanks,
Steve
Re: (RADIATOR) question -- solved I think =)
----- Original Message -----
From: Hugh Irvine [EMAIL PROTECTED]
To: Chris Garzon [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 7:59 AM
Subject: Re: (RADIATOR) question

> You should test your SQL statements by hand with your database tools first before putting them in the configuration file.

Hi

I've managed to get things working, thought I might share. Thanks for the tips to all those who helped, especially to Hugh and Mike.

I used MySQL's UNIX_TIMESTAMP() function. Since VALIDFROM='now' returns a NULL value, it was more appropriate to use:

VALIDFROM=UNIX_TIMESTAMP(NOW())

cheers!
chris

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.502 / Virus Database: 300 - Release Date: 7/18/2003

This Email is protected by RAV AntiVirus Security Software for SuSE Linux eMail Server
Re: (RADIATOR) Question about AuthBy ADSI
Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported on recent Windows releases.

You can either try the AuthBy NT clause, or you can run an instance of Radiator on the Windows host and proxy requests to it.

You will find details on AuthBy NT in section 6.27 of the manual (doc/ref.html).

regards

Hugh

On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve Caporossi wrote:

> I am running Radiator 3.6 (fully patched) on RH7.3 and need to tie into AD for domain login and username/password checking.
>
> In the reference manual, section 6.40 AuthBy ADSI has the statement:
>
> <snip>
> It is only available on Windows 2000 platforms. It is implemented in AuthADSI.pm
> </snip>
>
> I am a little confused... does this mean that Radiator needs to be running on W2K?
>
> Thanks,
> --
> Steve
Re: (RADIATOR) question
Hi,

I've set up my AcctSQLStatement to look like this:

AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
    OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
    OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL

Now the second statement returns this error in the logfile:

Mon Jul 21 18:02:49 2003: ERR: do failed for 'update RADUSERS set VALIDFROM=now where VALIDFROM=NULL': Unknown column 'now' in 'field list'

-chris
Re: (RADIATOR) question
Hello Chris -

You should test your SQL statements by hand with your database tools first before putting them in the configuration file.

regards

Hugh

On Monday, Jul 21, 2003, at 20:10 Australia/Melbourne, Chris Garzon wrote:

> Hi,
>
> I've set up my AcctSQLStatement to look like this:
>
> AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
>     OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
>     OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL
>
> Now the second statement returns this error in the logfile:
>
> Mon Jul 21 18:02:49 2003: ERR: do failed for 'update RADUSERS set VALIDFROM=now where VALIDFROM=NULL': Unknown column 'now' in 'field list'
>
> -chris
Re: (RADIATOR) question
Hello Chris,

On Fri, 18 Jul 2003 12:05 pm, Chris wrote:
> Hello list,
>
> I'm using radmin + radiator. Right now I want to do these to my system, please point me to some examples or possible solutions:
>
> 1. How do I make first time users base their starting usage from the moment they first logged into the system?

You could use an AcctSQLStatement that sets their expiry date if it is currently NULL. Then the first successful session start will set their expiry date to, say, the current date + 30 days (or whatever your policy is).

> 2. I want to implement an off peak time wherein when users login from 12am to 7am their usage won't be deducted during those specified times.

You could set up multiple Handlers, each with a different Time check item:

# off peak
<Handler Time=Al-0700>
    <AuthBy RADMIN>
        # no AccountingTable or AcctColumnDef entries here
        # means no accounting data inserted
    </AuthBy>
</Handler>

# all the rest
<Handler>
    <AuthBy RADMIN>
    </AuthBy>
</Handler>

The AuthBy RADMIN clauses would be

> thanks,
> chris

--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
Re: (RADIATOR) question
Hi Chris,

My advice for different time zones: you should be using a stored procedure to process the accounting event. The person might be, say, surfing from 11pm and end at 2am; you will be charging 11-12am and the rest free. We have implemented the rating using a stored procedure and it allows flexibility as well.

Hope it helps.

Mike McCauley [EMAIL PROTECTED]
18/07/2003 03:57 PM
Sent by: [EMAIL PROTECTED]

To: Chris [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: (bcc: QUEK Steven/Prod Dev Dir/STSunPage/ST Group)
Subject: Re: (RADIATOR) question

> Hello Chris,
>
> On Fri, 18 Jul 2003 12:05 pm, Chris wrote:
>> Hello list,
>>
>> I'm using radmin + radiator. Right now I want to do these to my system, please point me to some examples or possible solutions:
>>
>> 1. How do I make first time users base their starting usage from the moment they first logged into the system?
>
> You could use an AcctSQLStatement that sets their expiry date if it is currently NULL. Then the first successful session start will set their expiry date to, say, the current date + 30 days (or whatever your policy is).
>
>> 2. I want to implement an off peak time wherein when users login from 12am to 7am their usage won't be deducted during those specified times.
>
> You could set up multiple Handlers, each with a different Time check item:
>
> # off peak
> <Handler Time=Al-0700>
>     <AuthBy RADMIN>
>         # no AccountingTable or AcctColumnDef entries here
>         # means no accounting data inserted
>     </AuthBy>
> </Handler>
>
> # all the rest
> <Handler>
>     <AuthBy RADMIN>
>     </AuthBy>
> </Handler>
>
> The AuthBy RADMIN clauses would be
>
>> thanks,
>> chris
Re: (RADIATOR) question
> You could use an AcctSQLStatement that sets their expiry date if it is currently NULL. Then the first successful session start will set their expiry date to, say, the current date + 30 days (or whatever your policy is).

thanks mike

should I be safe then if I add this to my AcctSQLStatement to update my VALIDFROM table:

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM='0', TIMELEFT=TIMELEFT-0%{Acct-Session-Time} etc.

thanks,
Chris
Re: (RADIATOR) question
Hello Chris,

On Fri, 18 Jul 2003 09:56 pm, Chris wrote:
>> You could use an AcctSQLStatement that sets their expiry date if it is currently NULL. Then the first successful session start will set their expiry date to, say, the current date + 30 days (or whatever your policy is).
>
> thanks mike
>
> should I be safe then if I add this to my AcctSQLStatement to update my VALIDFROM table:
>
> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM='0', TIMELEFT=TIMELEFT-0%{Acct-Session-Time} etc.

It might be more common to let the starting value of VALIDFROM be NULL (which means Radiator would ignore it first time around), and then set it with:

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL and ...

> thanks,
> Chris
Re: (RADIATOR) question
> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL and

Oh, ok thanks, I get it. Now how can my Radmin database set VALIDFROM initially to NULL? I tried to test it using the radmin editUser.pl web script and it gave out this error:

Not updated because: Invalid date/time format in 'Valid from'

thanks,
chris
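An added worked example for the accounting update this thread settles on (deduct the session's usage, then stamp VALIDFROM only while it is still NULL). It is not code from the posts above, from Radiator or from RAdmin: it models the RADUSERS table in an in-memory SQLite database constructed here, with a column layout and starting credits that are assumptions for the demonstration. SQLite has no UNIX_TIMESTAMP(), so the timestamp is bound as a parameter rather than computed in SQL; the first function reproduces the failure Chris hit, where a bare `now` is read as a column name.

```python
"""Time-banking accounting update as discussed in the thread above.
Added example, not code from the posts or from Radiator/RAdmin; the RADUSERS
layout and starting credits are assumptions made for the demonstration."""
import sqlite3
import time


def setup_db():
    """In-memory stand-in for the RAdmin RADUSERS table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE RADUSERS (
               USERNAME      TEXT PRIMARY KEY,
               VALIDFROM     INTEGER,           -- NULL until the first session
               TIMELEFT      INTEGER NOT NULL,  -- seconds of credit left
               OCTETSINLEFT  INTEGER NOT NULL,
               OCTETSOUTLEFT INTEGER NOT NULL)"""
    )
    con.execute("INSERT INTO RADUSERS VALUES ('chris', NULL, 3600, 10000000, 10000000)")
    con.commit()
    return con


def broken_statement_error(con):
    """Reproduce the failure from the thread: an unquoted 'now' is taken for a
    column name, so the UPDATE fails before touching any row. Returns the
    database's error text, or None if the statement unexpectedly succeeded."""
    try:
        con.execute("UPDATE RADUSERS SET VALIDFROM=now WHERE VALIDFROM IS NULL")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def account_stop(con, username, session_time, in_octets, out_octets, now=None):
    """Apply one Accounting-Stop for username.

    1. Deduct the session's time and octets from the remaining credit.
    2. Set VALIDFROM to the current time, but only if it is still NULL, so the
       validity window starts at the first real session and later sessions
       leave it untouched.
    Values are bound as parameters instead of being pasted into the SQL text
    the way a %n / %{Acct-Session-Time} substitution would; the thread's
    '-0%{...}' idiom exists only to survive an empty substitution, which bound
    integers do not need.
    Returns (VALIDFROM, TIMELEFT, OCTETSINLEFT, OCTETSOUTLEFT), or None when
    no such user exists (nothing is deducted or stamped in that case).
    """
    if now is None:
        now = int(time.time())  # what MySQL's UNIX_TIMESTAMP(NOW()) supplies
    with con:
        cur = con.execute(
            "UPDATE RADUSERS SET TIMELEFT=TIMELEFT-?, "
            "OCTETSINLEFT=OCTETSINLEFT-?, OCTETSOUTLEFT=OCTETSOUTLEFT-? "
            "WHERE USERNAME=?",
            (session_time, in_octets, out_octets, username),
        )
        if cur.rowcount == 0:
            return None
        con.execute(
            "UPDATE RADUSERS SET VALIDFROM=? WHERE USERNAME=? AND VALIDFROM IS NULL",
            (now, username),
        )
    return con.execute(
        "SELECT VALIDFROM, TIMELEFT, OCTETSINLEFT, OCTETSOUTLEFT "
        "FROM RADUSERS WHERE USERNAME=?",
        (username,),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print("broken statement:", broken_statement_error(db))
    print("first stop: ", account_stop(db, "chris", 600, 1000, 2000))
    print("second stop:", account_stop(db, "chris", 100, 10, 20))
```

Running it shows the same class of error as the Radiator log line ("no such column: now" in SQLite's wording), then a first stop that both deducts and stamps VALIDFROM, and a second stop that only deducts. Testing the statements against the database by hand, as Hugh suggests, is exactly what `broken_statement_error` does before the statement ever reaches a configuration file.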
Re: (RADIATOR) Question about configuration
Hello William -

Thanks for your mail.

As far as I can see from what you show below, Radiator is running correctly. When you start the radiusd process, it prints out the messages as shown and then it waits until it receives a radius request from a client device.

It looks like radiusd is starting correctly, but it is not receiving any requests. You will need to configure the router to do radius authentication and accounting, so you should check with your router vendor to find out what configuration is required.

regards

Hugh

On Thursday, Jul 17, 2003, at 00:38 Australia/Melbourne, William Palencia wrote:

> Hi.
>
> I'm installing Radiator for the first time, and can't get it to start. I don't know what's wrong. Here is the configuration file.
>
> /* *** */
> Foreground
> LogStdout
> AuthPort 1645
> AcctPort 1646
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
>
> <Client 192.168.1.1>
>     Secret cisco
>     DupInterval 0
> </Client>
>
> <Client DEFAULT>
>     Secret cisco
>     DupInterval 0
> </Client>
>
> <ClientListSQL>
>     DBSource dbi:mysql:radius
>     DBUsername root
>     DBAuth admin2003
> </ClientListSQL>
>
> <Realm DEFAULT>
>     <AuthBy SQL>
>         DBSource dbi:mysql:radius
>         DBUsername root
>         DBAuth admin2003
>         AccountingTable ACCOUNTING
>         AcctColumnDef USERNAME,User-Name
>         AcctColumnDef TIME_STAMP,Timestamp,integer
>         AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>         AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>         AcctColumnDef NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef NASPORT,NAS-Port,integer
>         AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>         AcctFailedLogFileName missedaccounting
>     </AuthBy>
> </Realm>
> /* *** */
>
> I want to authenticate users from a router. The router has the IP address 192.168.1.1, and I'm using the database schema included in the Radiator distribution.
>
> When I tell radius to start, I get the following message:
>
> This Radiator license will expire on 2003-10-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact [EMAIL PROTECTED]
>
> And I don't get any more messages. Can somebody tell me what's wrong?
>
> Thanks.
>
> William Palencia
> Ingeniero de Operaciones
> Colombiatel S.A.
> Tel: 6743080 - 6743026
> Cel: 315 3626346
Re: (RADIATOR) Question about AutyBy LSA module?
Hello John,

On Thu, 19 Jun 2003 01:27 am, John McFadden wrote:
> Saw the announcement on the AuthBy LSA module and I wanted to make sure I understood its implications. Does this module allow us to authenticate MSCHAP passwords against an ActiveDirectory or NT domain controller?

Yes.

> This has been a big issue up to now and one reason why we've been ignoring PEAP and Microsoft's built in VPN client.

Yes, few Radius servers can support this combination of PEAP or MSCHAP and windows passwords.

> Comments?

Try it :-)

Cheers.

> Thanks in advance.
>
> John McFadden
Re: (RADIATOR) question about Radiator and Orinoco AP-2500
Hello Primoz -

You should probably use a packet sniffer (snoop, tcpdump, ethereal...) to check on exactly what radius reply attributes are being sent back by Cisco ACS and then configure Radiator to send the same ones.

In general you will need at least the following:

<Realm DEFAULT>
    <AuthBy FILE>
        Filename /radiator/conf/users
        AddToReply Service-Type = Framed-User, \
            Framed-Protocol = PPP
    </AuthBy>
</Realm>

regards

Hugh

On Wednesday, Mar 19, 2003, at 20:24 Australia/Melbourne, Primoz Jeroncic wrote:

> Hi there
>
> I was trying to find something about this in the mailing list archive but I didn't have too much luck, so I hope you won't mind too much if this question was answered already.
>
> I have an Orinoco (Proxim) AP-2500 which I configured for getting authorization about allowed users from an external Radius. My problem is that when I use Cisco Secure ACS as Radius it works fine and clients can browse the web, send mails, use telnet etc. without problems once they sign in with their username and password. As soon as I change Cisco Secure ACS with Radiator, the only thing which still works is browsing the web. Sending mail, telneting etc. stop working.
>
> I'm almost 100% sure there's just one small thing which should be configured with Radiator to send back to Orinoco some attributes and everything would work, but I really don't have any idea what those attributes would be, since even on Cisco Secure ACS I didn't configure anything special except username and password for the user and client IP address and authentication key (using Radius IETF authentication, not some vendor specific one).
>
> The problem is that I would really like to use Radiator for this and not something else, since I can write some application which will be maintaining the users file much easier than playing with some SQL for the same purpose. And not to mention that I would rather have it run on some Unix box and not a Windows server. Cisco ACS runs on Solaris too, but for this project I don't have the budget for a Sun machine and Cisco ACS doesn't run on Solaris for Intel.
>
> Btw.. the current config is this:
>
> Radius.cfg
>
> <Client 10.0.0.10>
>     Secret test
>     DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>     <AuthBy FILE>
>         Filename /radiator/conf/users
>     </AuthBy>
> </Realm>
>
> /radiator/conf/users
>
> user1   Password = test1, Expiration = 25/03/03
>         Idle-Timeout = 5,
>         Session-Timeout = 5,
>         Fall-Through = yes
>
> Thanks in advance for any help.
>
> Best regards,
> Primoz Jeroncic
> Support - IP/VoIP Connectivity Routing
> ---
> Softnet d.o.o.   tel: +386 1 562 31 40    |
> Borovec 2        fax: +386 1 562 18 55    |  1 + 1 = 3
> 1236 Trzin       mailto:[EMAIL PROTECTED] |  for larger values of 1
> Slovenija        http://www.softnet.si/primoz
> ---
Re: (RADIATOR) Question on Make Test error [Radiator 3.5 on Solaris 2.8]
Hello Kiaran -

Could you please send me the name of the registered company that has purchased this copy of Radiator? Please reply to me directly and include the username that you use to access the web site.

thanks and regards

Hugh

On Tuesday, Feb 25, 2003, at 14:05 Australia/Melbourne, [EMAIL PROTECTED] wrote:

> Hello,
>
> I ran into several "not ok" results when doing the Make Test for Radiator 3.5 on Solaris 2.8:
>
> not ok 5a
> not ok 5d
> not ok 5f
>
> Can you tell me what could be the cause? Am I missing a particular file?
>
> Thanks in advance,
> Kiaran
>
> # /usr/local/ActivePerl-5.6/bin/perl Makefile.PL
> Checking if your kit is complete...
> Looks good
> Writing Makefile for Radius
> #
> # /usr/local/ActivePerl-5.6/bin/perl test.pl
> Starting tests...
> Starting 2 test servers. Please wait...
> This Radiator license will expire on 2003-06-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact [EMAIL PROTECTED]
> This Radiator license will expire on 2003-06-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact [EMAIL PROTECTED]
> ok 1a
> ok 1b
> ok 1c
> ok 1d
> ok 1e
> ok 2a
> ok 2b
> ok 2c
> ok 2d
> ok 2e
> ok 2f
> ok 2g
> ok 2h
> ok 2i
> ok 2j
> ok 2k
> ok 2l
> ok 2m
> ok 2n
> ok 2o
> ok 2p
> ok 2q
> ok 2r
> ok 2s
> ok 2t
> ok 2u
> ok 2v
> ok 2x
> ok 2y
> ok 2z
> ok 3a
> ok 3b
> ok 3c
> ok 3d
> ok 3e
> ok 3f
> ok 3g
> ok 3h
> ok 4a
> ok 4b
> ok 4c
> not ok 5a
> ok 5b
> ok 5c
> not ok 5d
> ok 5e
> not ok 5f
> ok 5g
> ok 6a
> ok 6b
> ok 6c
> ok 6d
> ok 6e
> ok 6f
> ok 6g
> ok 6h
> ok 7a
> ok 7b
> ok 7c
> ok 8a
> ok 8b
> Tests completed
> sh: kill: no such process
> #
Re: (RADIATOR) question on AuthSQLStatement
Hello Seung Park -

There is no mechanism currently to access the results of an AuthSQLStatement later during packet processing. This is why I suggested a PostAuthHook to post-process the results of the AuthSelect/AuthColumnDef in my other mail. Of course, you can also run SQL statements directly in a hook as well.

regards

Hugh

On Monday, Dec 30, 2002, at 22:50 Australia/Melbourne, Seung Park wrote:

> I understand that the AuthSQLStatement allows arbitrary SQL statements to be run at sundry points in the request process. Is there any way to access the results of those AuthSQLStatements? For example, if my AuthSQLStatement executes:
>
> select data1, data2, data3 from table_XX where data1 = ABC,
>
> how do I get at the returned value of the select?
>
> Thank you,
> S.Park
Re: (RADIATOR) Question
Hello Chris -

Keep in mind that there are two different things going on in this scenario. The first is authentication, which checks the username and password (and does whatever checks are required), and the second is accounting, which is used to manage the session database.

You should get the information from the database and return it to the NAS in the accept in a Class attribute. Then you can use the contents of the Class attribute, which is included in the accounting requests, in your own session database queries.

Have a look at sections 6.7 and 6.28 in the Radiator 3.3.1 reference manual (doc/ref.html).

regards

Hugh

On Tuesday, Nov 12, 2002, at 18:14 Canada/Eastern, Chris Kay wrote:

> Question is...
>
> I wish to pull some information from a db while authenticating and then set that information in the session db.
>
> Would I set this then pull it and enter it, or can I make it global or something?
>
> Any help is grateful
>
> -
> Chris Kay (Systems Development)
> Techex Communications
> Website: www.techex.com.au
> Email: [EMAIL PROTECTED]
> Telephone: 1300 88 111 2 - Fax: (02) 9970 5788
> -

NB: I am travelling this week, so there may be delays in our correspondence.
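An added example of the Class-attribute round trip Hugh describes, written in Python against the RFC 2865/2866 packet framing; it is not Radiator code and not from the posts. The server returns its database key to the NAS as a Class attribute in the Access-Accept, the NAS echoes that attribute in its Accounting-Request, and the server verifies the accounting request against the shared secret before using the recovered Class value for its session-database query. The shared secret, packet identifiers and the `acct-key:4711` value are constructed for the demonstration, and the Access-Request is reduced to a User-Name (password handling is out of scope here).

```python
"""Class attribute round trip between RADIUS authentication and accounting.
Added example (not Radiator code); secret, identifiers and Class value are
constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR_USER_NAME, ATTR_CLASS, ATTR_ACCT_STATUS_TYPE = 1, 25, 40
ACCT_STATUS_START = 1


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (1-byte type, 1-byte length)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse the attribute area, refusing lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the Response
    Authenticator of RFC 2865 and, with 16 zero octets as RequestAuth, the
    Request Authenticator of an Accounting-Request (RFC 2866)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_packet(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_packet(packet, request_auth, secret):
    """True if the packet's authenticator field matches the shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def access_accept(request, secret, class_value):
    """Server: answer an Access-Request with an Accept that carries Class."""
    ident, req_auth = request[1], request[4:20]
    attrs = [(ATTR_CLASS, class_value)]
    auth = authenticator(ACCESS_ACCEPT, ident, req_auth, encode_attrs(attrs), secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def nas_accounting_start(accept, username, secret, ident):
    """NAS: copy every Class attribute from the Accept into the Accounting-Request."""
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))]
    attrs += [(t, v) for t, v in decode_attrs(accept[20:]) if t == ATTR_CLASS]
    auth = authenticator(ACCOUNTING_REQUEST, ident, bytes(16), encode_attrs(attrs), secret)
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)


def class_from_accounting(packet, secret):
    """Server: reject unauthenticated accounting, then recover Class for the
    session-database query. None means 'do not touch the session table'."""
    if packet[0] != ACCOUNTING_REQUEST or not verify_packet(packet, bytes(16), secret):
        return None
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_CLASS:
            return v
    return None


def demo(secret=b"constructed-shared-secret"):
    """The full exchange; returns the Class value the server recovers."""
    req_auth = os.urandom(16)  # the NAS picks a random Request Authenticator
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(ATTR_USER_NAME, b"chris")])
    accept = access_accept(request, secret, b"acct-key:4711")  # constructed DB key
    if not verify_packet(accept, req_auth, secret):
        raise RuntimeError("a NAS discards a reply whose authenticator does not check")
    acct = nas_accounting_start(accept, "chris", secret, 8)
    return class_from_accounting(acct, secret)


if __name__ == "__main__":
    print(demo())
```

The value carried in Class is opaque to the NAS, so anything that identifies the authenticated session in your own tables works; the check in `class_from_accounting` matters because a Class value arriving in an accounting request that does not verify against the shared secret should never drive a write to the session database.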
Re: (RADIATOR) Question about Calls table
Hello Lin -

This is because the default format for integer-date is being used. If you want to change it you should specify your own DateFormat. See sections 6.28.14 and 6.3 in the Radiator 3.3.1 reference manual.

regards

Hugh

On Wednesday, November 6, 2002, at 07:55 AM, Huaikun Lin wrote:

> Hi Hugh
>
> Here is my radius configuration:
>
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /local/etc/radius
> PidFile /var/run/radiusd.pid
> SnmpgetProg /local/bin/snmpget
> AuthPort 1645
> AcctPort 1646
> Trace 3
>
> <client xxx>
> ...
> </client>
>
> <Handler Request-Type = Accounting-Request>
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy EMERALD>
>         # You can use this to force Radiator to limit
>         # maximum session times to how many minutes
>         # are left in subaccounts.timeleft
>         DefaultSimultaneousUse 1
>         TimeBanking
>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual
>         DBSource dbi:Sybase:server=xxx;database=xxx
>         DBUsername
>         DBAuth
>
>         # You can add to or change these if you want.
>         AccountingTable Calls
>         AcctColumnDef UserName,User-Name
>         AcctColumnDef CallDate,Timestamp,integer-date
>         AcctColumnDef AcctStatusType,Acct-Status-Type,integer
>         AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
>         AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
>         AcctColumnDef AcctSessionId,Acct-Session-Id
>         AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
>         AcctColumnDef AcctTerminateCause,Ascend-Disconnect-Cause,integer
>         # AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
>         # AcctColumnDef NASIdentifier,NAS-Identifier
>         AcctColumnDef NASIdentifier,NAS-IP-Address
>         AcctColumnDef NASPort,NAS-Port,integer
>         AddATDefaults
>         AuthSelect ,sa.LoginLimit
>         AuthColumnDef 0,Simultaneous-Use,check
>     </AuthBy>
>     # Log all accounting into daily log files
>     AcctLogFileName /var/log/radius/log/%Y%m%d.act
> </Handler>
>
> <Handler>
>     RewriteUsername s/^([^@]+).*/$1/
>     # If Platypus rejects the login, forward it to the old Radius server
>     #AuthByPolicy ContinueUntilAccept
>     PasswordLogFileName %L/password.log
>     <AuthBy EMERALD>
>         # You can use this to force Radiator to limit
>         # maximum session times to how many minutes
>         # are left in subaccounts.timeleft
>         DefaultSimultaneousUse 1
>         TimeBanking
>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual
>         DBSource dbi:Sybase:server=;database=xxx
>         DBUsername xx
>         DBAuth xx
>         AddATDefaults
>         AuthSelect ,sa.LoginLimit
>         AuthColumnDef 0,Simultaneous-Use,check
>     </AuthBy>
>     <AuthBy DBFILE>
>         Filename %D/users
>     </AuthBy>
>     <AuthBy FILE>
>         Filename %D/users
>     </AuthBy>
> </Handler>
>
> The following is one example of trace 4 debug:
>
> Thu Sep 5 23:00:03 2002: DEBUG: Packet dump:
> *** Received from 203.96.xx.xx port 39577 ....
> Code:       Access-Request
> Identifier: 167
> Authentic:  00X24200t00,400B173
> Attributes:
>         Proxy-Action = AUTHENTICATE
>         User-Name = andy.hema
>         User-Password = 184/2139gG192374177232252250223
>         NAS-IP-Address = 192.168.8.253
>         NAS-Port = 278
>         Acct-Session-Id = 18159809
>         USR-Interface-Index = 1534
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Chassis-Call-Slot = 2
>         Chassis-Call-Span = 1
>         Chassis-Call-Channel = 22
>         Calling-Station-Id =
>         Called-Station-Id = 1900
>         Connect-Speed = NONE
>         NAS-Port-Type = Async
>         User-Id = andy.hema
>         NAS-Identifier = ipw1-n1-15.ipnet.telecom.co.nz
>         User-Realm = actrix
>         Proxy-State = 0
>
> Thu Sep 5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
> Thu Sep 5 23:00:03 2002: DEBUG: Check if Handler Realm=twor.ac.nz should be used to handle this request
> Thu Sep 5 23:00:03 2002: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
> Thu Sep 5 23:00:03 2002: DEBUG: Check if Handler should be used to handle this request
> Thu Sep 5 23:00:03 2002: DEBUG: Handling request with Handler ''
> Thu Sep 5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
> Thu Sep 5 23:00:03 2002: DEBUG: Deleting session for andy.hema, 192.168.8.253, 278
> Thu Sep 5 23:00:03 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.168.8.253'
Re: (RADIATOR) Question about Calls table
Hi Hugh

Here is my radius configuration:

Foreground
LogStdout
LogDir /var/log/radius
DbDir /local/etc/radius
PidFile /var/run/radiusd.pid
SnmpgetProg /local/bin/snmpget
AuthPort 1645
AcctPort 1646
Trace 3

<client xxx>
    ...
</client>

<Handler Request-Type = Accounting-Request>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy EMERALD>
        # You can use this to force Radiator to limit
        # maximum session times to how many minutes
        # are left in subaccounts.timeleft
        DefaultSimultaneousUse 1
        TimeBanking

        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual
        DBSource dbi:Sybase:server=xxx;database=xxx
        DBUsername
        DBAuth

        # You can add to or change these if you want.
        AccountingTable Calls
        AcctColumnDef UserName,User-Name
        AcctColumnDef CallDate,Timestamp,integer-date
        AcctColumnDef AcctStatusType,Acct-Status-Type,integer
        AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
        AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
        AcctColumnDef AcctSessionId,Acct-Session-Id
        AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
        AcctColumnDef AcctTerminateCause,Ascend-Disconnect-Cause,integer
        # AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
        # AcctColumnDef NASIdentifier,NAS-Identifier
        AcctColumnDef NASIdentifier,NAS-IP-Address
        AcctColumnDef NASPort,NAS-Port,integer
        AddATDefaults
        AuthSelect ,sa.LoginLimit
        AuthColumnDef 0,Simultaneous-Use,check
    </AuthBy>
    # Log all accounting into daily log files
    AcctLogFileName /var/log/radius/log/%Y%m%d.act
</Handler>

<Handler>
    RewriteUsername s/^([^@]+).*/$1/
    # If Platypus rejects the login, forward it to the old Radius server
    #AuthByPolicy ContinueUntilAccept
    PasswordLogFileName %L/password.log
    <AuthBy EMERALD>
        # You can use this to force Radiator to limit
        # maximum session times to how many minutes
        # are left in subaccounts.timeleft
        DefaultSimultaneousUse 1
        TimeBanking

        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual
        DBSource dbi:Sybase:server=;database=xxx
        DBUsername xx
        DBAuth xx
        AddATDefaults
        AuthSelect ,sa.LoginLimit
        AuthColumnDef 0,Simultaneous-Use,check
    </AuthBy>
    <AuthBy DBFILE>
        Filename %D/users
    </AuthBy>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>

The following is one example of trace 4 debug:

Thu Sep 5 23:00:03 2002: DEBUG: Packet dump:
*** Received from 203.96.xx.xx port 39577
Code:       Access-Request
Identifier: 167
Authentic:  00X24200t00,400B173
Attributes:
    Proxy-Action = AUTHENTICATE
    User-Name = andy.hema
    User-Password = 184/2139gG192374177232252250223
    NAS-IP-Address = 192.168.8.253
    NAS-Port = 278
    Acct-Session-Id = 18159809
    USR-Interface-Index = 1534
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Chassis-Call-Slot = 2
    Chassis-Call-Span = 1
    Chassis-Call-Channel = 22
    Calling-Station-Id =
    Called-Station-Id = 1900
    Connect-Speed = NONE
    NAS-Port-Type = Async
    User-Id = andy.hema
    NAS-Identifier = ipw1-n1-15.ipnet.telecom.co.nz
    User-Realm = actrix
    Proxy-State = 0

Thu Sep 5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep 5 23:00:03 2002: DEBUG: Check if Handler Realm=twor.ac.nz should be used to handle this request
Thu Sep 5 23:00:03 2002: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
Thu Sep 5 23:00:03 2002: DEBUG: Check if Handler should be used to handle this request
Thu Sep 5 23:00:03 2002: DEBUG: Handling request with Handler ''
Thu Sep 5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep 5 23:00:03 2002: DEBUG: Deleting session for andy.hema, 192.168.8.253, 278
Thu Sep 5 23:00:03 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.168.8.253' and NASPORT=0278
Thu Sep 5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep 5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep 5 23:00:03 2002: DEBUG: Query is: select DateAdd(Day, ma.extension+ma.overdue, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID,
Re: (RADIATOR) Question about Calls table
Hello Lin -

I will need to see a copy of your Radiator configuration file (no secrets) together with a trace 4 debug showing what is happening.

regards

Hugh

On Tuesday, November 5, 2002, at 10:21 AM, Huaikun Lin wrote:

Hi

I am using SQL server and radiator 3.1 radius. In SQL server, we have a table calls which records the accounting data. Recently, I found the data in one of the fields, CallDate (data type: datetime), is not exactly accurate. This data type should record data like 2002-11-05 12:05:23. But the actual data is something like 2002-11-05 12:05:00, where the seconds field is always 0. (The year, month, day, hour, min are right.)

When I check the radius debug, I can see the Insert statement doesn't include the seconds field, which makes the data not 100% accurate:

insert into Calls (UserName,AcctStatusType,NASPort,CallDate,AcctSessionId,AcctInputOctets,AcctSessionTime,AcctOutputOctets) values ('test',2,541262250,'Nov 5, 2002 12:10','204301AA-3DC6C5C6',2545013,14466,66242572)

I think the insert statement in the radius script causes the inaccuracy. If there is no seconds field in there, the SQL database makes it 00. Is there anywhere to fix that? How to fix it.

Lin

NB: I am travelling this week, so there may be delays in our correspondence.

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.

=== Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) question
Hello Arnulfo -

How are you programming the amount of time that a user is allowed to use?

Most Radiator users employ an SQL database for user definitions and accounting and it is relatively easy to provide pre-paid services such as you describe in this way. This topic has been discussed many times on the mailing list, so have a look at the archive site and do a search.

http://www.open.com.au/archives/radiator

regards

Hugh

On Mon, 22 Apr 2002 16:10, Arnulfo Rojas Yanquen wrote:

Hugh, our company offers Internet access services; the users hire this service for a determined time, and when this time has finished Radiator must prevent the user from connecting again. Radiator is not doing this function, and I cannot find the possible cause.

Radiator is set up over RedHat 7, uses passwd-shadow for authentication, and the version is Radiator 2.18.1

THANKS

Arnulfo
Re: (RADIATOR) question
Hello Arnulfo -

I am not exactly sure what you mean, as Radiator does not normally expire user accounts. Can you give me a bit more information about what you want to have happen?

regards

Hugh

On Sat, 20 Apr 2002 13:52, Arnulfo Rojas Yanquen wrote:

Hello, I work at an ISP and I have a problem with Radiator. The problem is that Radiator is not expiring the accounts of the users. Radiator is set up over RedHat 7, uses passwd-shadow for authentication, and the version is Radiator 2.18.1

THANKS

Sincerely,

Arnulfo Rojas Yanquen.
Technical Assistant
ExpressNet S.A.
[EMAIL PROTECTED]
Tel: (571) 5 404090
Fax: (571) 2 491432
Santafé de Bogotá D.C. - Colombia
Re: (RADIATOR) Question Time
Hello Mick -

You would use an AuthLog SQL for authentication logging. See section 6.50 in the Radiator 3.0 reference manual.

For your proxy question I will need to see a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

regards

Hugh

On Mon, 22 Apr 2002 15:02, Michael Saunders wrote:

I would like to log when users type in the wrong password, so I can explain to them how to type their own name correctly. I have found in the documentation how to do this with a log file. Is there any way to do this into the database instead? As we have too many operators for a log file.

Also, when you proxy requests across to another radius server, does radiator strip any reply attributes you may send? Because I am sending a request off to a third party using radiator but my reply attributes never make it to the other end. But they have nothing in their config that would make me think it is being stripped.
Re: (RADIATOR) Question
Hello Stephen -

To assign static addresses, you would normally specify the address in the reply attributes for the user in whatever user database you have. In a flat file it would look like this:

# define users
# check attributes on the first line (no trailing comma)
# reply attributes on second and subsequent lines

someuser Password = ...., ....
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 1.2.3.4,
    Framed-IP-Netmask = ....,
    ....

anotheruser Password = ...., ....
    ....

If you have any other questions, please contact me.

regards

Hugh

ps - the contents of the goodies directory like the wimscomplex example are contributed by Radiator users and are not supported directly by us

On Wed, 27 Mar 2002 08:44, Stephen Malenshek wrote:

I am trying to implement a new installation of Radiator 3.0 on Red Hat 7.2 with a Postgres backend on a separate machine. I have searched through the archives and have a list in regards to static ip address assignment from radius and I have yet to find anything regarding this. Also, I have taken the wimscomplex example in the goodies and tried to adapt it to our environment. My biggest problem is that I do not understand the mappings for the tables in the radius.cfg file for the database. I will admit this, I do not have an extreme amount of knowledge of databases and all my experience with radius is with the Cistron version, which we have been running for three years.

Everything else we are doing is pretty normal and all pools are assigned by the nas, but I would be interested in looking at some type of configuration where it issues the assignments. As a future development plan, I have expectations of converting everything for authentication to radius (Exim, ProFTP, Apache) so that we have a database of the information instead of local flat files and logs of everything. This to me is our ultimate goal to achieve, and I am mentioning this to assess opinions from everyone on what the best way is to plan for this implementation without slowing the initial one down. Please let me know. I would be more than happy to send any information necessary if anyone is interested in helping me with this endeavor.

Thanks in advance.

Stephen Malenshek
President/CEO
Valuelinx Corporation
[EMAIL PROTECTED]
RE: (RADIATOR) Question
Hi Steve,

A handler like the one below will not perform any authentication:

<Handler Called-Station-Id=apn.gprs.net>
    AuthByPolicy ContinueWhileAccept
    AuthBy AllocateIPAddressForGPRS
    AcctLogFileName %L/%N-gprs-%{GlobalVar:HostId}-detail%Y%m%d.log
    PostAuthHook file:filename
</Handler>

However remember that you may still need to send back some appropriate reply attributes, which you could do with an 'AddToReply' as per below:

<AuthBy DYNADDRESS>
    Identifier AllocateIPAddressForGPRS
    Allocator ORACLEallocatorGPRS
    PoolHint pool-%{Called-Station-Id}-%N
    MapAttribute yiaddr, Framed-IP-Address
    StripFromReply PoolHint
    AddToReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP, Framed-MTU = 1500, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None
</AuthBy>

These are just examples, you will need to tailor them to your specific needs.

Hope this helps.

Paul

Paul O'Shea
Level9 Networks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rainbow
Sent: Friday, February 01, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Question

1. Are there any training courses for Radiator in the UK?

2. All calls that come into my NAS are automatically forwarded to the radius for authentication. Normally, I set up the username/password in a User file but now also need to authenticate without a username/password. If I set up a User file with DEFAULT will that allow calls through?

Thanks,

Steve
Re: (RADIATOR) Question
Hello Steve -

We offer on-site training and consulting services on a contract basis. I have copied Joanne on this mail and she will send you the details.

You can set up a users file with a DEFAULT entry like this:

# define DEFAULT to accept everything
DEFAULT Auth-Type = Accept

regards

Hugh

On Sat, 2 Feb 2002 03:44, Steve Rainbow wrote:

1. Are there any training courses for Radiator in the UK?

2. All calls that come into my NAS are automatically forwarded to the radius for authentication. Normally, I set up the username/password in a User file but now also need to authenticate without a username/password. If I set up a User file with DEFAULT will that allow calls through?

Thanks,

Steve
Re: (RADIATOR) Question about Radius and SQL
Hello Martin -

Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for

The problem shown above is that you can't connect to the database at all.

Also, in the timestamps shown above the number following the year is the number of microseconds. It is a six digit number, so the first digit is tenths of a second. Ie: Fri Jan 25 17:42:28 2002 911157: the number 911157 is the number of microseconds.

regards

Hugh

On Fri, 25 Jan 2002 18:33, Martin Edge wrote:

Hey Guys,

Having a few issues, as we are unable to easily find out the cause of the slowdowns we get when an avalanche scenario occurs (where the amount of requests coming in is faster than the processing power to complete them). Is this necessarily an SQL timeout, or could there be other attributing factors to these errors? If so, how would we go about finding these out?

I tried LogMicroseconds in a Log FILE routine, and this is the output below (although I don't see any milliseconds results).

Thanks for your help,

Martin

snip

Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:36 2002 960943: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:42:36 2002 982364: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:50 2002 371277: ERR: Execute failed for 'Sp_fetchUserPassword 'office'': SQL Timeout
Fri Jan 25 17:42:52 2002 391393: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:42:52 2002 421577: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:43:07 2002 361641: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:43:07 2002 411189: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:43:21 2002 671671: ERR: Execute failed for 'Sp_fetchUserPassword 'simona'': SQL Timeout
Fri Jan 25 17:43:23 2002 691896: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:43:23 2002 716376: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:43:39 2002 561994: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:42 2002 501985: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:45 2002 382053: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:43:47 2002 972065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:43:50 2002 742074: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:53 2002 321952: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:55 2002 722314: ERR: Execute failed for 'Sp_fetchUserPassword 'shields'': SQL Timeout
Fri Jan 25 17:43:58 2002 32217: ERR: Execute failed for 'Sp_fetchUserPassword 'shields'': SQL Timeout
Fri Jan 25 17:44:00 2002 532429: ERR: Execute failed for 'Sp_fetchUserPassword 'blp04395'': SQL Timeout
Fri Jan 25 17:44:02 2002 832373: ERR: Execute failed for 'Sp_fetchUserPassw

-
Martin Edge
Technical Services Co-ordinator
Phoneware Online
eMail: [EMAIL PROTECTED]
Phone: +613 9640 4140 ext. 193
In the end, it's speed, price and customer service.
Re: (RADIATOR) Question about DBM Auth...
Hello Fernando -

There are no limits on the number of AuthBy clauses you can use (unless there is some underlying operating system limit on the number of files a single process can have open).

Perhaps you can send me a copy of the complete configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

regards

Hugh

On Fri, 18 Jan 2002 02:53, Fernando Caranton Cruz wrote:

Hi,

I use the DBM Auth, but I want to know if this type of authentication has any type of limit. Let me explain. This is the actual Realm in the radius.cfg:

<Realm DEFAULT>
    MaxSessions 1
    AcctLogFileName /usr/local/etc/radacct/%N/detail
    RejectHasReason
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/plus/users
            </AuthBy>
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/rdsigeneral/users
            </AuthBy>
        </AuthBy>
        <AuthBy FILE>
            Filename /etc/raddb/radiator/prepago/users
        </AuthBy>
        <AuthBy RADIUS>
            Host
            Secret
            RetryTimeout 10
            AuthPort 1645
            AcctPort 1646
        </AuthBy>
    </AuthBy>
</Realm>

but if I make some changes, the DB options do not work. E.g.:

<Realm DEFAULT>
    MaxSessions 1
    AcctLogFileName /usr/local/etc/radacct/%N/detail
    RejectHasReason
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/plus/users
            </AuthBy>
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/rdsigeneral/users
            </AuthBy>
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/otherdir/users
            </AuthBy>
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/otherdir/users
            </AuthBy>
            <AuthBy DBFILE>
                Filename /etc/raddb/radiator/otherdir/users
            </AuthBy>
        </AuthBy>
        <AuthBy FILE>
            Filename /etc/raddb/radiator/prepago/users
        </AuthBy>
        <AuthBy RADIUS>
            Host
            Secret
            RetryTimeout 10
            AuthPort 1645
            AcctPort 1646
        </AuthBy>
    </AuthBy>
</Realm>

Does some kind of limit exist in the AuthBy option? How many can I use? Can I use another type of config, e.g. using AuthBy GROUP or others?

tnx

FCC
Re: (RADIATOR) question about debug
Hello David -

It looks like you have specified an AuthBy RADIUS clause without specifying which ports to send to. Here is an example:

<AuthBy RADIUS>
    Host ....
    Secret ....
    AuthPort 1812
    AcctPort 1813
    ....
</AuthBy>

Have a look at section 6.29 in the Radiator 2.19 reference manual (doc/ref.html).

regards

Hugh

On Wed, 16 Jan 2002 00:27, kramar wrote:

Hi,

I'm pretty delighted with Radiator, but I would like to ask about part of the debug log. So, why do I see in the debug file "Sending to 172.26.1.51 port 1646..." if I use ports 1812, 1813 in the config files (on both sides - Radius and RAS) and nowhere do I use ports 1645, 1646? Here is the debug file:

Tue Jan 15 06:50:17 2002: DEBUG: Accounting accepted
Tue Jan 15 06:50:17 2002: DEBUG: Packet dump:
*** Sending to 172.26.1.51 port 1646
Code:       Accounting-Response
Identifier: 195
Authentic:  %~2481832192552532081272482352051301331914
Attributes:

Thanks for answer

David
Re: (RADIATOR) Question on defining realms
Hello Elias -

On Tuesday 20 November 2001 16:14, [EMAIL PROTECTED] wrote:

Hi Hugh,

I defined a realm abc in my config file. So far Radiator has been running great but now I have several users logging in as user@abc@abc. How can I stop this? Thanks!

<Realm abc>
    ...
</Realm>

The answer to your question depends somewhat on the rest of your configuration file and what else you are doing with the usernames. Could you please send me a copy of the configuration file (no secrets) together with a trace 4 debug showing what happens with one of these users?

Could you also tell me exactly why this is a problem? I want to know because we may want to apply a fix to Radiator itself.

thanks

Hugh
Re: (RADIATOR) Question: Log SYSLOG
Though replying to my own email is bad form, I just decided to create a hook for this and it worked.

Regards,

Neil D. Quiogue

----- Original Message -----
From: neil d. quiogue [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 8:01 PM
Subject: (RADIATOR) Question: Log SYSLOG

Greetings,

I would like to know if there's a way for me to send through Syslog the User-Name and Framed-IP-Address (and some others) fields without resorting to a Trace 4 and configuring <Log SYSLOG>. I understand there's <AuthLog SYSLOG> but whenever I test it using radpwtst, it doesn't log it.

Much thanks.

Regards,

Neil D. Quiogue
Re: (RADIATOR) Question on Encrypted-Password/User-Password
Hello Viraj -

Section 13.1.2 in the Radiator 2.18.4 reference manual.

regards

Hugh

On Friday 14 September 2001 00:05, Viraj Alankar wrote:

Hello,

Is there a functional difference between the following:

<AuthBy SQL>
    ...
    AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
    AuthColumnDef 0, User-Password, check
</AuthBy>

and this:

<AuthBy SQL>
    ...
    AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
    AuthColumnDef 0, Encrypted-Password, check
</AuthBy>

when the result of the select returns '{crypt}crypted_password'? In other words, I can use either AuthBy and it should work, right?

Thanks,

Viraj.
Re: (RADIATOR) Question regarding Internet phone
Hello Ganbold -

Radiator can be used for any application that uses the radius protocol. The question to ask is what protocol does the NAS use to authenticate Voice-Over-IP?

As you rightly point out, Radiator is not a billing system, so you will still have to address that aspect, either by developing it yourself or by purchasing something.

regards

Hugh

On Thursday 06 September 2001 04:02, ganbold wrote:

Hi,

We want to use Radiator for Internet phone. Is it possible to use Radiator for this purpose? If possible, how difficult will it be to write Internet phone billing software for Radiator? Also I would like to know about compatibility issues with Radiator if we buy some other Internet phone billing software.

thanks in advance,

Ganbold Ts.
Re: (RADIATOR) Question regarding Internet phone
Hi Hugh,

Yes, the NAS will use Voice over IP. How would it be in this case?

Ganbold

Hugh Irvine wrote:

[quoted message: Hugh's reply, given in full above]
Re: (RADIATOR) Question regarding Internet phone
Hi,

Also there are some billing systems we are interested in: MIND CTI, Portal etc. Does anybody know about these systems with Radiator? Please let me know.

thanks in advance,

Ganbold

Hugh Irvine wrote:

[quoted message: Hugh's reply, given in full above]
Re: (RADIATOR) question
Here are UU.net's instructions, does anyone know how to change the length from 28 to 26??

> Hi!
>
> I wanted to let you know of some clarifications on the anti-spam filter we've received from engineering. The only one that we will need to start keeping an eye out for that we weren't specifically watching before is the length field of each line in the 242 filter: The maximum length for each line is 26. Here's the summary of the clarifications we received that I wanted to pass to you immediately:
>
> 1. New realms must have a [242] length of 26.
> 2. New realms must have 10 or less [242] filter lines.
> 3. Existing realms must have a [242] length of 26 before we can make any proxy changes.
> 4. Existing realms must have 10 or less [242] filter lines before we can make any proxy changes.
>
> Please note in some of the realms we tested that the lengths were varying lengths, some up to 34. Here is one line from the filter to show you where the length (len) field is indicating 26:
>
>     attr: type Ascend-Data-Filter [242], len 26
>     data = 01 01 01 00 00 00 00 00 00 00 00 00 00 00 06 01 00 00 00 00 00 00 00 00

----- Original Message -----
From: Brandon [EMAIL PROTECTED]
To: Pascal Robert [EMAIL PROTECTED]
Sent: Monday, July 23, 2001 10:28 AM
Subject: Re: (RADIATOR) question

> Same here. Can anyone help us out?
>
> Brandon
>
> ----- Original Message -----
> From: Pascal Robert [EMAIL PROTECTED]
> To: Hugh Irvine [EMAIL PROTECTED]; Brandon [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Monday, July 23, 2001 7:57 AM
> Subject: Re: (RADIATOR) question
>
>> We are connecting with Uunet and they are asking for the same thing. They want the length of Ascend-Data-Filter to be 26 instead of 28.
>>
>>> Hello Brandon -
>>>
>>> If UUnet is mandating this, they must have a specification of what they mean. You will have to check with UUnet directly.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>> At 3:09 AM -0700 6/26/01, Brandon wrote:
>>>> Wish I knew too. I tried emailing the list and no one seemed to know. The only response I got back was that it was possible in PostAuthHooks.
>>>>
>>>> UU.net is now requiring this to use their system.
>>>>
>>>> Brandon
>>>>
>>>> ----- Original Message -----
>>>> From: admin
>>>> To: [EMAIL PROTECTED]
>>>> Sent: Tuesday, June 26, 2001 2:14 PM
>>>> Subject: (RADIATOR) question
>>>>
>>>>> I need to reduce my Ascend-Data-Filter from length 28 to 26. Any ideas how?
>>>>>
>>>>> Thanks
>>>>> Eric
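The "len 26" in the UUnet dump is the RFC 2865 attribute Length, which counts the Type and Length octets as well as the value, so a 26-octet Ascend-Data-Filter carries 24 data octets and a "len 28" one carries 26. Before asking a proxy to accept a realm, it helps to check the whole filter set against the two stated rules (every line len 26, at most 10 lines). The following checker is an added example, not code from the thread or from Radiator; the dump format it parses is the one quoted above, and the second sample line (a constructed "len 28" filter) is made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample dump. The first line is the one quoted in the UUnet note
# (len 26 = 2 header octets + 24 data octets); the second is a constructed
# 'len 28' line of the kind the thread is trying to shrink: two extra data octets.
SAMPLE_DUMP = """\
attr: type Ascend-Data-Filter [242], len 26 data = 01 01 01 00 00 00 00 00 00 00 00 00 00 00 06 01 00 00 00 00 00 00 00 00
attr: type Ascend-Data-Filter [242], len 28 data = 01 01 01 00 00 00 00 00 00 00 00 00 00 00 06 01 00 00 00 00 00 00 00 00 00 00
"""

ASCEND_DATA_FILTER = 242

LINE_RE = re.compile(
    r"type (?P<name>\S+) \[(?P<type>\d+)\], len (?P<len>\d+) data = (?P<hex>[0-9A-Fa-f ]+)"
)


@dataclass
class FilterAttr:
    attr_type: int
    declared_len: int   # the 'len' field printed in the dump
    data: bytes         # the attribute value octets

    @property
    def wire_len(self) -> int:
        # RFC 2865: Length covers the Type and Length octets plus the value,
        # so 24 data octets give len 26.
        return 2 + len(self.data)


def parse_dump(text: str) -> list:
    """Parse 'attr: type X [n], len N data = ..' lines into FilterAttr objects."""
    attrs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        data = bytes.fromhex(m["hex"].replace(" ", ""))
        attrs.append(FilterAttr(int(m["type"]), int(m["len"]), data))
    return attrs


def check_realm_filters(attrs, required_len: int = 26, max_lines: int = 10) -> list:
    """Return a list of problems; an empty list means the realm's filter set passes."""
    problems = []
    if len(attrs) > max_lines:
        problems.append(f"{len(attrs)} filter lines, at most {max_lines} allowed")
    for i, a in enumerate(attrs, start=1):
        if a.attr_type != ASCEND_DATA_FILTER:
            problems.append(f"line {i}: attribute type {a.attr_type} is not Ascend-Data-Filter [242]")
        if a.declared_len != a.wire_len:
            problems.append(f"line {i}: dump says len {a.declared_len} but "
                            f"{len(a.data)} data octets give len {a.wire_len}")
        if a.wire_len != required_len:
            problems.append(f"line {i}: len {a.wire_len} ({len(a.data)} data octets); "
                            f"required len {required_len} ({required_len - 2} data octets)")
    return problems


if __name__ == "__main__":
    for problem in check_realm_filters(parse_dump(SAMPLE_DUMP)):
        print(problem)
```

Run against the sample, the first line passes and the second is reported as len 28 with 26 data octets, which is exactly the two-octet difference the thread is asking about; the checker does not decide which octets to drop, since that depends on the filter format UUnet specifies.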
Re: (RADIATOR) Question about Rodopi?
Hello Chairarth -

It only makes sense to keep your user definitions in a single database, so if you are going to use Rodopi you should keep all your users there.

regards

Hugh

On Friday 13 July 2001 21:23, Chairarth K wrote:
> Hello Hugh,
>
> Maybe only in Rodopi, maybe in Rodopi and Radmin. Please advise us in both cases.
>
> Thanks,
> Chairath
>
> Hugh Irvine wrote:
>> Hello Chairarth -
>>
>> Where are you going to maintain your customer definitions? In Radmin, Rodopi, or both?
>>
>> regards
>>
>> Hugh
>>
>> At 13:49 +0700 01/7/12, Chairarth K wrote:
>>> Is there any problem if we use Radmin, Radiator and Rodopi billing at the same time?
>>>
>>> Regards,
>>> Chairath

--
NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
Re: (RADIATOR) Question about Rodopi?
Hello Chairarth -

Where are you going to maintain your customer definitions? In Radmin, Rodopi, or both?

regards

Hugh

At 13:49 +0700 01/7/12, Chairarth K wrote:
> Is there any problem if we use Radmin, Radiator and Rodopi billing at the same time?
>
> Regards,
> Chairath

--
NB: I am travelling this week, so there may be delays in our correspondence.
Re: (RADIATOR) question
Hello Brandon -

If UUnet is mandating this, they must have a specification of what they mean. You will have to check with UUnet directly.

regards

Hugh

At 3:09 AM -0700 6/26/01, Brandon wrote:
> Wish I knew too. I tried emailing the list and no one seemed to know. The only response I got back was that it was possible in PostAuthHooks.
>
> UU.net is now requiring this to use their system.
>
> Brandon
>
> ----- Original Message -----
> From: admin
> To: [EMAIL PROTECTED]
> Sent: Tuesday, June 26, 2001 2:14 PM
> Subject: (RADIATOR) question
>
>> I need to reduce my Ascend-Data-Filter from length 28 to 26. Any ideas how?
>>
>> Thanks
>> Eric

--
NB: I am travelling this week, so there may be delays in our correspondence.
Re: (RADIATOR) question (failed insert in accounting)
Hello Andy -

As usual, a copy of the configuration file (no secrets) and a trace 4 debug from Radiator are necessary for us to be able to help you.

thanks

Hugh

On Thursday 03 May 2001 19:29, Andy De Petter wrote:
> Hello,
>
> I have AcctFailedLogFileName configured in my radius accounting daemon, but whenever there is an SQL timeout detected between the SQL server and the radius server, radiusd doesn't seem to be saving the failed query in the AcctFailedLogFileName file... When there are errors, like duplicates, or anything similar, it seems to work fine.
>
> Shouldn't radiusd save timed out queries also in this file? Or isn't it saving that query on purpose? In that case, how can I make it save a timed out query in a file, so I have less chance of losing accounting tickets?
>
> Thanks,
> -Andy
>
> --
> For nothing can seem foul to those that win. - Henry IV, Pt1, Act 5, Sc 1

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Question about SessionDatabase
Hello Alexey -

On Fri, 17 Nov 2000, Alexey A. Shavaldin wrote:
> Hello!
>
> I have experienced a problem with simultaneous logins in the following case. I have a global RewriteUsername defined in my radius.cfg:
>
>     RewriteUsername tr/[A-Z]/[a-z]/
>     RewriteUsername s/^(.*)\/(.*)/$2/
>     RewriteUsername s/^(.*)\\(.*)/$2/
>     RewriteUsername tr/A-Za-z0-9_@,\\\ \.\-/\*/c
>
> Simultaneous login limits work OK for users who enter their usernames in lower case, but not for users who try to mix upper and lower case symbols. Their Access-Requests are accepted everywhere. Here is part of my trace4 log:

This is really a business policy issue, rather than a technical Radiator issue. You have two opposing views being expressed:

1. do you allow "naive" users to misspell their login names and still be accepted?
2. do you forbid "clever" users from abusing multiple use limits?

You have to decide which policy to implement - you can't do both.

As to checking simultaneous use - the problem is that the NAS keeps the username string that was entered by the user, so the session database also needs to keep that string to be able to query the NAS.

In this case (and others as discussed on the list) I tend towards the strict view, that simply rejects unacceptable login attempts.

hth

Hugh
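The tension Hugh describes can be resolved in the session store itself: key the simultaneous-use count on the rewritten (normalized) name, but keep the string exactly as the NAS saw it, since that is what a NAS query has to match. The code below is an added illustration, not Radiator's own SessionDatabase; the `rewrite_username` function reproduces the four RewriteUsername rules from Alexey's config in Python, and the session database, NAS addresses and session ids are constructed for the example.

```python
import re
from dataclasses import dataclass


def rewrite_username(name: str) -> str:
    """Python equivalent of the four global RewriteUsername lines in the post."""
    name = name.lower()                                  # tr/[A-Z]/[a-z]/
    name = re.sub(r"^(.*)/(.*)", r"\2", name)            # s/^(.*)\/(.*)/$2/  keep text after the last '/'
    name = re.sub(r"^(.*)\\(.*)", r"\2", name)           # s/^(.*)\\(.*)/$2/  keep text after the last '\'
    name = re.sub(r"[^A-Za-z0-9_@,\\ .\-]", "*", name)   # tr/A-Za-z0-9_@,\\\ \.\-/\*/c  replace anything else with '*'
    return name


@dataclass
class Session:
    key: str          # rewritten name, used for limit checks
    as_entered: str   # the string the NAS saw; needed when querying the NAS
    nas: str
    port: int
    session_id: str


class SessionDatabase:
    """Toy in-memory session database (constructed for the example, not Radiator's)."""

    def __init__(self):
        self.sessions = []

    def add(self, as_entered: str, nas: str, port: int, session_id: str) -> None:
        self.sessions.append(Session(rewrite_username(as_entered), as_entered, nas, port, session_id))

    def delete(self, nas: str, port: int) -> None:
        # Accounting Stop for this NAS/port: drop whatever session was there
        self.sessions = [s for s in self.sessions if not (s.nas == nas and s.port == port)]

    def count(self, as_entered: str) -> int:
        key = rewrite_username(as_entered)
        return sum(1 for s in self.sessions if s.key == key)

    def nas_query_targets(self, as_entered: str) -> list:
        """(nas, port, name as the NAS knows it) tuples for confirming a session is still live."""
        key = rewrite_username(as_entered)
        return [(s.nas, s.port, s.as_entered) for s in self.sessions if s.key == key]


def simultaneous_use_ok(db: SessionDatabase, as_entered: str, limit: int) -> bool:
    """Strict policy: 'Fred', 'fred' and 'DOMAIN\\Fred' all count against the same limit."""
    return db.count(as_entered) < limit
```

With this layout a user who is already logged in as "FRED" is refused a second session as "fred" or "DOMAIN\Fred" when the limit is 1, while `nas_query_targets` still hands back "FRED" for the NAS-side check, so the two requirements in Hugh's answer do not conflict.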
Re: (RADIATOR) question for the list...remote timeouts.
Hello Blake -

On Wed, 18 Oct 2000, Blake Golliher wrote:
> I have a database of users in Oracle, we aren't keeping track of accounting data, and the only thing I have control over are the endpoint radius servers. I need to be able to limit users to a set timeout. All users in a realm will have this attribute set for them. Anyone have a good idea to handle this? Is there a built in function to use for this?

Easy - just use an AddToReply in your AuthBy clause:

    <AuthBy SQL>
        AddToReply Session-Timeout = nnn, Idle-Timeout = mm
    </AuthBy>

hth

Hugh
Re: (RADIATOR) Question about Client clause
Hello Matt -

On Thu, 06 Jul 2000, Matt Nichols wrote:
> Hello,
>
> If I specify a Client DEFAULT clause in Radiator without specifying DefaultRealm, will all the usernames be appended with 'username@' or will they simply remain 'username'? Typically we have always had 'DefaultRealm local' which would write the 'username' as 'username@local'. The reason I ask is because I have to send all Accounting records to another server using a radius proxy but I have to also pass all authentication and accounting records to our current radius servers which should then append the DefaultRealm clause specified in the Client statement.

I don't think I understand the question. Do you want to replace all of your Client clauses with a single Client DEFAULT? Otherwise, I don't see what adding the Client DEFAULT is going to achieve.

In any case, if you don't specify a DefaultRealm, the username will remain unchanged (modulo any RewriteUsername's of course).

hth

Hugh
Re: (RADIATOR) question about
Hello Christian -

On Sat, 10 Jun 2000, [EMAIL PROTECTED] wrote:
> hi there,
>
> we are using one part of radiator as radius-proxy. for some reason we get all the time such errors.. any idea where it comes from? does the authenticator mean the accesserver or the clientradiusserver?
>
>     Fri Jun 9 19:28:32 2000: WARNING: Bad authenticator received in reply to ID 6
>     Fri Jun 9 19:28:34 2000: WARNING: Bad authenticator received in reply to ID 7
>     Fri Jun 9 19:28:40 2000: WARNING: Bad authenticator received in reply to ID 4

This is either due to an incorrect shared secret between the two Radius servers, or if it is only for accounting packets you can use the IgnoreAcctSignature parameter in the Client clause for whatever device is the source of the problem.

BTW - the authenticator is the name of a particular field in a Radius packet, not a particular device.

hth

Hugh
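The warning is the result of a specific check: a reply's 16-octet Authenticator field must equal MD5 over the reply header, the Authenticator of the original request, the reply attributes and the shared secret (RFC 2865), and an Accounting-Request's Authenticator is the same digest with 16 zero octets in the authenticator slot (RFC 2866). A proxy that holds the wrong secret for the upstream server fails that comparison on every reply, which is the pattern in the log above. The following is an added example of both checks in Python, not Radiator's code; the request authenticator, secret and attribute values are constructed (a real request authenticator is random per request).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type, Length (counts these two octets too), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def packet(code: int, identifier: int, authenticator: bytes, attributes: bytes = b"") -> bytes:
    return HEADER.pack(code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_authenticator, secret) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = HEADER.pack(code, identifier, 20 + len(attributes)) + request_authenticator + attributes
    return hashlib.md5(body + secret).digest()


def accounting_request_authenticator(identifier, attributes, secret) -> bytes:
    """RFC 2866: same digest, with 16 zero octets where the authenticator would be."""
    return response_authenticator(ACCOUNTING_REQUEST, identifier, attributes, bytes(16), secret)


def make_reply(request: bytes, attributes: bytes, secret: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    identifier, request_authenticator = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return packet(code, identifier, auth, attributes)


def reply_authenticator_ok(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check whose failure Radiator logs as 'Bad authenticator received in reply to ID n'."""
    if len(reply) < 20:
        return False
    code, identifier, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, reply[4:20])


def accounting_request_ok(request: bytes, secret: bytes) -> bool:
    """Accounting-Request signature check; IgnoreAcctSignature in a Client clause switches this off."""
    if len(request) < 20:
        return False
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCOUNTING_REQUEST or length != len(request):
        return False
    expected = accounting_request_authenticator(identifier, request[20:], secret)
    return hmac.compare_digest(expected, request[4:20])


# Constructed sample exchange (not captured traffic).
REQUEST_AUTH = bytes(range(16))                  # fixed here; random in real requests
SECRET = b"constructed-secret"
REQUEST = packet(ACCESS_REQUEST, 6, REQUEST_AUTH, attribute(1, b"fred"))     # User-Name
REPLY = make_reply(REQUEST, attribute(18, b"Welcome"), SECRET)              # Reply-Message
ACCT_ATTRS = attribute(40, b"\x00\x00\x00\x01")                             # Acct-Status-Type = Start
ACCT = packet(ACCOUNTING_REQUEST, 7, accounting_request_authenticator(7, ACCT_ATTRS, SECRET), ACCT_ATTRS)


def demo() -> tuple:
    """(reply ok, reply ok with wrong secret, acct ok, acct ok with wrong secret)."""
    return (
        reply_authenticator_ok(REPLY, REQUEST_AUTH, SECRET),
        reply_authenticator_ok(REPLY, REQUEST_AUTH, b"wrong-secret"),
        accounting_request_ok(ACCT, SECRET),
        accounting_request_ok(ACCT, b"wrong-secret"),
    )


if __name__ == "__main__":
    print(demo())   # expected: (True, False, True, False)
```

The wrong-secret case is the one Hugh's first explanation covers; the same check also fails if any reply attribute was altered in transit, which is why silencing it with IgnoreAcctSignature is only sensible for a device known to sign accounting packets badly, not as a way to paper over a mismatched secret.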
Re: (RADIATOR) question about radiator - mysql -- static ip assingment
Hello Christian -

On Mon, 22 May 2000, [EMAIL PROTECTED] wrote:
> hi there,
>
> just have tried to install radiator with mysql-authentication. everything works fine, except the assignment of static ips and the "login time left".
>
> - the last one is probably a bug in the prg? i found out that it does not stop counting and also still authorizes users. (sure i did include the select statement for that variable :))
>
> can someone please give me an idea how i reply to the user with his static ip (sql-table) to really get that ip assigned? the default reply-message i have entered in the radius.cfg as follows:
>
>     Service-Type = Framed-User,\
>     Framed-Protocol = PPP,\
>     Framed-IP-Netmask = 255.255.255.254,\
>     Framed-Routing = None,\
>     Framed-MTU = 1500,\
>     Framed-Compression = Van-Jacobson-TCP-IP
>
> of course for dynamic ips it works fine... so what is the procedure for static ip-assignment?

You would typically return a Framed-IP-Address specifying what IP address to use for the connection.

> the other thing, in that combination we bought Radmin, especially for the better user maintenance (dialin and adsl). there is a file called "editRadconfig.pl" which seems to expect other tables than recommended which came with the radmin. does someone have any useful examples so that we can maintain (if i understood right) the configuration of the radiator?

No. This script is only used to set Radius attributes for users maintained by RAdmin.

We have recently beta-released a cgi script designed for maintaining the Radiator configuration file. It is called "radconfig.cgi" and there is a beta copy in the patches area. This script will be included in the next release of Radiator.

> the last thing: is there somewhere an archive of this list?

Yes - http://www.starport.net/~radiator. There is also an FAQ in the release and on the Open System web site.

regards

Hugh
Re: (RADIATOR) Question regarding DupInterval
Hi Christophe,

My advice is to reduce the DupInterval to something like 2 seconds. It is really only intended to catch genuine duplicate packets (ie packets sent along duplicate parallel network paths, or from some other pathological network problem). It's really not supposed to catch _retransmissions_ by the NAS. As you have found, when it starts to catch _retransmissions_ (as opposed to duplicates), you start to have problems.

Hope that helps.

Cheers.

On Feb 9, 8:35pm, Christophe Wolfhugel wrote:
> Subject: (RADIATOR) Question regarding DupInterval
>
> From the documentation, DupInterval is applied to the client, ie the host sending the request, eventually an intermediate proxy. From reading the Client.pm source code I see the following:
>
>     $self->{RecentIdentifiers}->{$nas_id . $code}[$p->identifier]
>
> $nas_id is there supposed to be the NAS-IP-Address, or if not available NAS-Identifier, which is possibly not the proxy. Only if none of these attributes are present will $nas_id contain the IP address of the Client. The $code identifies the type of request, so on a standard setup that gives a 256 packet history for each kind of request.
>
> If my understanding is correct this is somewhat different from what the documentation as well as the comment at the beginning of Client.pm say.
>
> Now let's go to my particular situation: I have a central accounting Radius server which gets all accounting packets from the proxies. Whenever this machine gets really odd (or just out of CPU) the proxies start doing retransmissions, and then the NASes also start retransmitting (via a different proxy). By having a really high DupInterval (19) on this accounting Radius I reduce the number of duplicate records in the accounting files on that machine, but my clients won't get their Accounting-Accept because Radiator believes it comes from the same client.
>
> I would conclude that my design is wrong and that I should reduce the DupInterval on the accounting Radius a lot and have the scripts which handle the accounting files eliminate the duplicates. Can someone more knowledgeable confirm that this is the way I should go?
>
> --
> Christophe Wolfhugel -+- [EMAIL PROTECTED] -+- France Telecom Oleane
-- End of excerpt from Christophe Wolfhugel

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
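Two things in this exchange are easy to reproduce in a few lines: why a 19 second DupInterval silently drops a NAS retransmission that arrived through a different proxy (the recent-identifier table is keyed on the NAS address and request code, not on the proxy), and what the alternative Christophe proposes looks like (a short DupInterval, with duplicate records removed when the accounting files are processed). The code below is an added illustration of that reasoning, not Client.pm; the duplicate test is the simple "same identifier within dup_interval seconds" rule and the traffic and detail-file records are constructed for the example.

```python
from collections import defaultdict

ACCT_REQUEST = 4


class DuplicateDetector:
    """Per (nas_id, code) table of recently seen identifiers, modelled on the
    RecentIdentifiers lookup quoted above. Assumption for this example: a packet
    is a duplicate if the same identifier was first seen less than dup_interval
    seconds ago; after that the identifier may legitimately be reused."""

    def __init__(self, dup_interval: float):
        self.dup_interval = dup_interval
        self.recent = defaultdict(dict)    # (nas_id, code) -> {identifier: first_seen}

    def is_duplicate(self, nas_id: str, code: int, identifier: int, now: float) -> bool:
        table = self.recent[(nas_id, code)]
        first_seen = table.get(identifier)
        if first_seen is None or now - first_seen >= self.dup_interval:
            table[identifier] = now
            return False
        return True


# Constructed traffic as seen by the central accounting server. All three packets
# carry the same NAS-IP-Address, so they share one key even though the
# retransmission came in through another proxy.
TRAFFIC = [
    # (seconds, proxy, nas_id, identifier, description)
    (0.0, "proxy-a", "10.1.1.1", 4, "original"),
    (0.3, "proxy-a", "10.1.1.1", 4, "genuine duplicate (parallel path)"),
    (5.0, "proxy-b", "10.1.1.1", 4, "NAS retransmission after no reply"),
]


def simulate(dup_interval: float) -> list:
    """Return the descriptions of the packets the server would drop as duplicates."""
    detector = DuplicateDetector(dup_interval)
    return [what for t, proxy, nas, ident, what in TRAFFIC
            if detector.is_duplicate(nas, ACCT_REQUEST, ident, t)]


def dedupe_accounting(records: list) -> list:
    """Post-processing for the accounting files: keep the first record per
    (NAS, session id, status type). Interim-Update records would need a
    timestamp or Acct-Session-Time added to the key to survive this."""
    seen, kept = set(), []
    for r in records:
        key = (r["NAS-IP-Address"], r["Acct-Session-Id"], r["Acct-Status-Type"])
        if key not in seen:
            seen.add(key)
            kept.append(r)
    return kept


# Constructed detail-file records with one duplicated Stop.
RECORDS = [
    {"NAS-IP-Address": "10.1.1.1", "Acct-Session-Id": "0A1B", "Acct-Status-Type": "Start", "User-Name": "fred"},
    {"NAS-IP-Address": "10.1.1.1", "Acct-Session-Id": "0A1B", "Acct-Status-Type": "Stop", "User-Name": "fred"},
    {"NAS-IP-Address": "10.1.1.1", "Acct-Session-Id": "0A1B", "Acct-Status-Type": "Stop", "User-Name": "fred"},
]

if __name__ == "__main__":
    print("DupInterval 19 drops:", simulate(19))
    print("DupInterval 2 drops: ", simulate(2))
    print("records after dedupe:", len(dedupe_accounting(RECORDS)))
```

With DupInterval 19 both the parallel-path copy and the 5 second retransmission are dropped, so the retransmitting NAS never gets an Accounting-Response; with 2 seconds only the genuine duplicate is dropped and the retransmission is answered, leaving the duplicate Stop record to `dedupe_accounting`.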
Re: (RADIATOR) Question about accounting
Hello John -

On Wed, 29 Dec 1999, [EMAIL PROTECTED] wrote:
> Hi;
>
> Our system is working just fine (authentication wise), but I need to be able to send accounting packets to two separate locations for a particular realm. For example: Authentication packets for a certain realm are proxied (AuthBy Realm) to another Radius server which works fine. Accounting packets should be sent there too, this seems to be happening as well (it is not our radius server so I don't know for sure). I also want to be able to stuff the contents of the accounting packets into an SQL database, which I am currently doing for realms that authenticate off the same database.

You will want to do something like this:

    # note AuthByPolicy ContinueAlways
    # and empty AuthSelect to turn off authentication

    <Realm regional.com>
        AuthByPolicy ContinueAlways
        RewriteUsername tr/A-Za-z0-9\-\_\\.\@/ /cs
        RewriteUsername s/^([^@]+).*/$1/

        <AuthBy RADIUS>
            Host Hidden
            Secret Hidden
        </AuthBy>

        <AuthBy SQL>
            DBSource dbi:mysql:Hidden
            DBUsername Hidden
            DBAuth Hidden
            AuthSelect
            AccountingStopsOnly
            AccountingTable ACCOUNTING_NATIONAL
            AcctColumnDef USERNAME,User-Name
            AcctColumnDef TIME_STAMP,Timestamp,integer
            AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
            AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
            AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
            AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
            AcctColumnDef ACCTSESSIONID,Acct-Session-Id
            AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
            AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
            AcctColumnDef NASIDENTIFIER,NAS-Identifier
            AcctColumnDef NASPORT,NAS-Port,integer
            AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address,ipaddr
        </AuthBy>

        # Log accounting to the detail file in LogDir
        MaxSessions 1
        AcctLogFileName %L/detail-%m%d%Y
        SessionDatabase SDB2
    </Realm>

> PS Something else, with the session database like it is, sometimes the re-written user-name is inserted into the database, sometimes the original username is inserted; this is just strange.

Can you send me the complete configuration file and a trace 4 debug showing the session database inserts?

thanks

Hugh
RE: (RADIATOR) Question about setup
You say, "everything works fine...". Looking at your Calls table in the database, are there any entries in the "Username" column? Or are they just NULL?

Dave

On Monday, November 22, 1999 2:24 PM, Kelly Hamlin [SMTP:[EMAIL PROTECTED]] wrote:
> I'm using Ascend 6000 series NAS's and I'm using radiator to authenticate off the platypus database, everything works fine, except I get a lot of errors in the window. I'm using the ascend dictionary file and below I have my config and below that are the errors I'm getting in the log window. Any help would be great!! thanks..
>
> ---config---
>
>     Foreground
>     LogStdout
>     LogDir .
>     DbDir .
>
>     # You will probably want to change this to suit your site.
>     <Client DEFAULT>
>         Secret mysecret
>         DupInterval 0
>     </Client>
>
>     <Client 209.xx.xxx.xx>
>         Secret
>     </Client>
>
>     <Client 209.xx.xxx.xx>
>         Secret x
>     </Client>
>
>     <Realm DEFAULT>
>         <AuthBy EMERALD>
>             DBSource dbi:ODBC:Platypus
>             DBUsername xx
>             DBAuth
>
>             # You can add to or change these if you want.
>             AccountingTable Calls
>             AcctColumnDef UserName,User-Name
>             AcctColumnDef CallDate,Timestamp,integer-date
>             AcctColumnDef AcctStatusType,Acct-Status-Type,integer
>             AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
>             AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
>             AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
>             AcctColumnDef AcctSessionId,Acct-Session-Id
>             AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
>             AcctColumnDef AcctTerminateCause,Ascend-Disconnect-Cause,integer
>             AcctColumnDef NASIdentifier,NAS-Identifier
>             AcctColumnDef NASIdentifier,NAS-IP-Address
>             AcctColumnDef NASPort,NAS-Port,integer
>             TimeBanking
>             # AuthSelect ,sa.maxsessions
>             # AuthColumnDef 0,Simultaneous-Use,check
>         </AuthBy>
>     </Realm>
>
> ---/Config
>
> ---Errors---
>
>     C:\Radiator>perl radiusd -config_file emerald.cfg
>     DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000) [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1) at Radius/SqlDb.pm line 228.
>     Mon Nov 22 14:05:56 1999: ERR: do failed for 'insert into Calls (CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier) values ('Nov 22, 1999 14:5', 7, 0, '919990609', '209.26.171.130')': [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000) [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1)
>     DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000) [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1) at Radius/SqlDb.pm line 228.
>     Mon Nov 22 14:05:57 1999: ERR: do failed for 'insert into Calls (CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier) values ('Nov 22, 1999 14:5', 7, 0, '919990609', '209.26.171.130')': [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000) [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1)
>     Mon Nov 22 14:06:17 1999: ERR: Attribute number 62 (vendor ) is not defined in your dictionary
>     Mon Nov 22 14:06:20 1999: ERR: Attribute number 62 (vendor ) is not defined in your dictionary
>     Mon Nov 22 14:06:23 1999: ERR: Attribute number 62 (vendor ) is not defined in your dictionary
>     DBD::ODBC::db do failed: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000) [Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated. (SQL-01000)(DBD: st_execute/SQLExecute err=-1) at Radius/SqlDb.pm line 228.
>     Mon Nov 22 14:06:29 1999: ERR: do failed for 'insert into Calls (CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier) values ('Nov 22, 1999 14:6', 7, 0, '919991612', '209.26.171.138')': [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'UserName', table 'platypus.dbo.Calls'; column does not allow nulls. INSERT fails. (SQL-23000)
Re: (RADIATOR) Question about setup
Hello Kelly -

On Tue, 23 Nov 1999, Kelly Hamlin wrote:
> I'm using Ascend 6000 series NAS's and I'm using radiator to authenticate off the platypus database, everything works fine, except I get a lot of errors in the window. I'm using the ascend dictionary file and below I have my config and below that are the errors I'm getting in the log window.

It would be useful to see a trace 4 debug showing what is happening inside Radiator when you get these errors.

The cause of the first error is the fact that you are getting accounting records with no User-Name in them and of course the database is complaining about them. The other problem is that attribute 62 (vendor ) is not defined in your dictionary.

I suspect the first problem is due to some special accounting packets that the ascend is sending (perhaps incomplete logins?). I am not sure what the second one is all about, as attribute 62 is usually Port-Limit (and used for replies).

If you are using the newer Ascend vendor-specific attributes for radius, you should use the dictionary.ascend2 file. Check in the patches area:

    http://www.open.com.au/radiator/downloads/patches-2.14.1/dictionary.ascend2

hth

Hugh
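Both this thread and Andy's AcctFailedLogFileName question earlier on the page come down to the same operational point: an accounting record the database refuses should land in a failed log that can be replayed, not vanish. (The failing inserts above carry AcctStatusType 7, which is Accounting-On in RFC 2866, a packet type that carries no User-Name, consistent with Hugh's reading that these are not ordinary session records.) The sink below is an added example of that pattern, not Radiator's SQL accounting code: it uses an in-memory SQLite table shaped like Kelly's Calls table with a NOT NULL UserName column, a column map in the style of AcctColumnDef, and an in-memory failed log; the two records are constructed, with the second deliberately lacking User-Name.

```python
import json
import sqlite3

# Constructed table modelled on the Calls table in the post: UserName is NOT NULL.
SCHEMA = """
CREATE TABLE Calls (
    UserName        TEXT NOT NULL,
    CallDate        INTEGER,
    AcctStatusType  INTEGER,
    AcctSessionId   TEXT,
    NASIdentifier   TEXT
)
"""

# (database column, RADIUS attribute), in the spirit of AcctColumnDef.
ACCT_COLUMNS = [
    ("UserName", "User-Name"),
    ("CallDate", "Timestamp"),
    ("AcctStatusType", "Acct-Status-Type"),
    ("AcctSessionId", "Acct-Session-Id"),
    ("NASIdentifier", "NAS-IP-Address"),
]


class AccountingSink:
    """Insert accounting records; anything the database rejects goes to a failed log
    (one JSON line per record) so the ticket can be replayed rather than lost. That is
    the role AcctFailedLogFileName plays in Radiator; here the log is a list."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)
        self.failed_log = []

    def insert(self, record: dict) -> bool:
        columns = [col for col, _ in ACCT_COLUMNS]
        values = [record.get(attr) for _, attr in ACCT_COLUMNS]   # missing attribute -> NULL
        sql = (f"INSERT INTO Calls ({', '.join(columns)}) "
               f"VALUES ({', '.join('?' * len(columns))})")
        try:
            with self.db:                     # commit on success, roll back on error
                self.db.execute(sql, values)
            return True
        except sqlite3.Error as err:          # IntegrityError, OperationalError (e.g. timeouts), ...
            self.failed_log.append(json.dumps({"error": str(err), "record": record}))
            return False

    def row_count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM Calls").fetchone()[0]


# Constructed records: a normal Stop, then an Accounting-On (7) with no User-Name.
RECORDS = [
    {"User-Name": "fred", "Timestamp": 943290356, "Acct-Status-Type": 2,
     "Acct-Session-Id": "919990608", "NAS-IP-Address": "192.0.2.10"},
    {"Timestamp": 943290356, "Acct-Status-Type": 7,
     "Acct-Session-Id": "919990609", "NAS-IP-Address": "192.0.2.10"},
]


def process(sink: AccountingSink, records: list) -> tuple:
    """Return (inserted, failed) counts after feeding every record to the sink."""
    results = [sink.insert(r) for r in records]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    sink = AccountingSink()
    print(process(sink, RECORDS))          # expected: (1, 1)
    print(sink.failed_log[0])
```

Catching the driver's base exception rather than only the integrity error is the point Andy raised: a timeout is just as much a lost ticket as a constraint violation, and the failed log only helps if every failure path writes to it.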
Re: (RADIATOR) Question about group
Hello Jason,

On Nov 16, 10:21pm, Jason Kao wrote:
> Subject: (RADIATOR) Question about group
>
> After reading the Radiator radius server manual and searching the FAQ and mail archives, I still can not get a clear picture. My question is: If I am planning to use group in order to reply with different reply items for different groups, do I have to use AuthBy Unix which in turn will use the /etc/group file on the box on which I am running the radius server? I will use AuthBy File or AuthBy PAM on SUN Solaris 7. According to the manual 13.1.6 group can only work with AuthBy Unix or AuthBy NT.

Actually, we omitted to mention that AuthBy SYSTEM also understands groups (we have now added it to the docs for the next release). On Solaris, SYSTEM is probably the best solution.

Cheers.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    http://www.open.com.au
Re: (RADIATOR) Question on auth by sql setup
Hello Jay -

On Thu, 11 Nov 1999, Jay West wrote:
> ----- Original Message -----
> From: Jay West [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, November 09, 1999 6:44 AM
> Subject: Question on auth by sql setup
>
> We're trying to switch from DBM user files to mySQL user files. I have one simple question... The script that is given to build the tables initially from flat files mentions something to the effect that it is a bare-bones sample, and that you will probably want to add additional fields, etc. Being fairly new to msSQL, I was wondering if it's easy to add these fields later after user records and accounting records are active in SQL, or - is it a much better idea to get all the requisite fields built initially.

I thought someone with operational experience might have answered, but in any case here are my thoughts.

This depends to a certain extent on the database you are using (and I don't know anything about msSQL). Some databases (like mysql) will allow you to modify tables on the fly, while others don't. You should probably try to get close to what you want to begin with, and even if you can't modify the tables on the fly, all that is required to make a modification is to dump the database, redefine the tables, and reload the data. It's a pretty normal exercise to dump and reload a database.

hth

Hugh
Re: (RADIATOR) Question regarding Session-Limit database
Hello David -

On Thu, 02 Sep 1999, David Lloyd wrote:
> Hello,
>
> I'm considering using the Session-Limit feature to limit simultaneous usage, with an external MySQL session-database and user-database to allow me to run two Radiator servers (one primary, one backup). We have 4 different NAS types, and I would like to set them each up to 'talk' to Radiator to keep the database current. I was wondering, have other people run a setup like this? Has anyone had any problems with the reliability of the Session-Limit (letting people on when they shouldn't, or blocking access unnecessarily)? Has anyone had success with multiple NAS types?

Many Radiator customers are using this feature successfully.

You will need to configure the following:

    # Configure SessionDatabase
    <SessionDatabase SQL>
        DBSource ...
        DBUsername ...
        DBAuth ...
        ...
    </SessionDatabase>

    # Add NasType to Clients
    <Client ...>
        NasType ...
        ...
    </Client>

And then you will have to configure whatever is required for the NasType checking ie. SNMP communities, etc.

You may also be interested in the radacct.cgi and radwho.cgi scripts that will query the SQL database and display the results in a web browser.

hth

Hugh
Re: (RADIATOR) Question on radiator
On Thu, Aug 19, 1999 at 09:25:20AM +, Alexander Koch wrote:

> Hello.
>
> As I am evaluating a new radius daemon to choose, I have some questions on Radiator.
>
> We have several Ascend Max 4k and 6k, all doing radius auth to special hosts (several, no real redundancy and backup), we are running the Ascend radius daemon (oh well, no comments, please) and we would need one feature:
>
> Have several (2+) radius servers that respond differently (however that is achieved, config-wise, fall-through or something) depending on the source IP of the request.
>
> So far we have two radius daemons on the same box, each is listening to another port. This works, but if it can be just one radius daemon, this would be really fine.
>
> Is anything like this possible? And, if so, how (roughly)? Mind you, this is no roaming...

How do you mean differently? Radiator is able to use NAS-IP-Address (or similar) and Handlers to use different authentication sources etc.

	<Handler NAS-IP-Address=/10.1.1.2|10.1.1.3/>
		# whatever
		...
	</Handler>

	<Handler NAS-IP-Address=/10.2.2.2|10.2.2.3/>
		# something else
		...
	</Handler>

You could do it at another level with NAS-IP-Address check items as well.

[EMAIL PROTECTED]
Re: (RADIATOR) Question - Radiator Log Billing - Access Server
Hello Marcia,

On May 31, 5:28pm, Márcia Maroni wrote:

> Subject: (RADIATOR) Question - Radiator Log Billing - Access Server
>
> Hi,
>
> Where can I find the information in log billing of Radiator about Access Server that was used for authentication of user?

In the accounting detail file, it's usually NAS-IP-Address that tells the IP address of the NAS where the user is logged in.

Hope that helps.

Cheers.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Re: (RADIATOR) Question: Problems with forwarding accounting requests to a second radiator
Hi Karl,

On Apr 30, 12:22pm, Karl Gaissmaier wrote:

> Subject: Re: (RADIATOR) Question: Problems with forwarding accounting requ
>
> Hi Mike,
>
> Mike McCauley schrieb:
> [...]
>>> 2. Question: Is it possible, that the first host already sends the Accounting-Response to the NAS, and the second host just stores the records and nothing else?
>>
>> Yes, that should be fine.
>
> The question is how? Is this done with the AuthByPolicy or how can I do this? Can't find anything in the docu how to do this. Sure, it is not the default behavior needed by 98% of users.

OK, I see your question now. Sorry.

Normally, you would put the AuthBy RADIUS as the last AuthBy. It would then forward (just accounting in your case) to the other radius. And when that radius acknowledged, the first server would send that ack back to the original NAS.

> Why do I get two replies only in this configuration and not always when I have the "AuthByPolicy ContinueWhileAccept"?
>
> My problem is the documentation under 6.18.1 AuthByPolicy: The default is clearly described, but what happens with "ContinueWhileAccept"? If the first Auth Module accepts and the second and so on, how many ACCESS-ACCEPTs are sent to the NAS, or what module sends it, the first one, the last one or all? What happens if only one module (not the first) rejects, what is sent to the NAS?

This is how Radiator handles multiple AuthBys:

Radiator will always accept, reject or ignore according to the result of the _last_ AuthBy. Also, if _any_ of the AuthBys are RADIUS, then Radiator will also reply with whatever is received from the remote Radius, (when and if one is received).

In the case where RADIUS is the last, you get the behaviour you expect, because AuthBy RADIUS always returns a result of IGNORE, and then (some time later) it will reply to the NAS with whatever comes back from the remote radius server.

But you are wondering how can you make the first server ack immediately, without waiting for the remote server to reply?

Well, we don't really recommend it, but you could put your AuthBy RADIUS as not the last AuthBy. That would make it forward to the remote server and then fall through to the next AuthBy (depending on the AuthByPolicy, of course). The disadvantage of this is that _every_ accounting request from the NAS will get 2 acknowledgements (one from the last AuthBy, and one from the AuthBy RADIUS when it gets its reply from the remote server).

We don't really recommend this, since it is better that if the accounting server dies, the NAS gets no response and can try its secondary radius server.

> [...]
> You solved my problem, but perhaps for you this is a hint that something is strange with this behavior.
>
>> Well, it's a standard dictionary attribute. I don't really understand why it was not in your dictionary. Which one were you using?
>
> I concatenated Ascend and the newest RFC, in order to have first the Ascend specific part and then overwrite the RFC defined Attributes.
>
> But again, this is not the problem, I think the problem is my bad English, therefore you don't understand it. I'll try again to explain it:
>
> Before I started to forward the accounting requests I had no WARNINGS in the logfile, the AuthBy FILE didn't complain about missing attributes, even though there was no such attribute in the dictionary. After I inserted the additional AuthBy RADIUS I've seen the WARNINGS about the missing ATTRIBUTE.
>
> The academic question is: Why do I see no such warnings with AuthBy File and only with AuthBy RADIUS?

Because when the packet is sent to the remote radius, Radiator tries to convert the 'Timestamp' attribute to a radius attribute number. 'Timestamp' is appended to the request by Radiator (as per the RFC) when it proxies, and it is usually not in the incoming request. Therefore, if Timestamp is not in your dictionary, you will only see the complaint when Radiator tries to proxy.

> hope you understand it despite my English :-(

I do. Your English is fine.

Cheers.

--
Mike McCauley
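The two orderings Mike describes, side by side, as an added example (not Mike's or Karl's configuration): the recommended one with AuthBy RADIUS last, where the NAS receives only the acknowledgement relayed from the remote server, and the discouraged one with AuthBy RADIUS first, which produces two acknowledgements per accounting request. The remote host, secret and file names are constructed placeholders, and IgnoreAuthentication is assumed to be the parameter that confines the forwarding to accounting.

```text
# Added example. Use ONE of the two Handlers below, not both; with both
# present the first matching Handler would take every accounting request.

# Recommended: AuthBy RADIUS is the LAST AuthBy. It returns IGNORE, so
# nothing goes back to the NAS until the remote server's reply arrives
# and is relayed. If the remote accounting server is dead, the NAS gets
# no answer, times out, and can fail over to its secondary RADIUS server.
<Handler Request-Type=Accounting-Request>
	# Local copy of every record, written before the request is proxied
	AcctLogFileName %L/detail
	<AuthBy RADIUS>
		Host	acct2.example.com
		Secret	CHANGE-ME
		# Assumed parameter: forward accounting only, never auth
		IgnoreAuthentication
	</AuthBy>
</Handler>

# Discouraged: AuthBy RADIUS is NOT last. ContinueWhileIgnore lets the
# IGNORE from AuthBy RADIUS fall through to AuthBy FILE, which accepts the
# accounting request at once. The NAS therefore gets one acknowledgement
# immediately and a second one when the remote reply is relayed, and it
# never learns that the remote accounting server is unreachable.
<Handler Request-Type=Accounting-Request>
	AuthByPolicy ContinueWhileIgnore
	AcctLogFileName %L/detail
	<AuthBy RADIUS>
		Host	acct2.example.com
		Secret	CHANGE-ME
		IgnoreAuthentication
	</AuthBy>
	<AuthBy FILE>
		Filename %D/users
	</AuthBy>
</Handler>
```

A trace level 4 log of one Accounting-Request through each Handler shows the difference directly: one Accounting-Response sent in the first case, two in the second.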
Re: (RADIATOR) Question
I suspect a trick question, so here's a trick answer. :)

If you run on Solaris 2.6, make sure you have the latest /kernel/drv/ip patch and do an 'ndd -set /dev/ip ip_enable_group_ifs 0' at boot time.

Jason Spears

On Thu, 22 Apr 1999, Dialup USA Sales Dept wrote:

> Question: When Radiator is used on a machine with more than one IP address, will it send its replies with a source addr of the IP address it received the request on?
Re: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?
Hi Mike,

You sure can. Do something like this: (For an ODBC DB...but similar for others)

	AuthByPolicy ContinueUntilReject
	<AuthBy SQL>
		AuthSelect
		DBSource dbi:ODBC:
		DBUsername xxx
		DBAuth
		AccountingTable %Y%m
		AccountingStopsOnly
		##            TABLE COLUMN       NAS RESPONSE       type
		AcctColumnDef ACCTSESSIONID,Acct-Session-Id
		AcctColumnDef USERNAME,User-Name
		...
		AcctColumnDef ASCENDXMITRATE,Ascend-Xmit-Rate,integer
		AcctColumnDef ASCENDDATARATE,Ascend-Data-Rate,integer
	</AuthBy>
	<AuthBy NT>
		Identifier NTSystem
		Domain .xxx.xxx
	</AuthBy>

(Or replace the last one with Unix or File or whatever)

Regards,

Anton Sparrius
---
Smarter Way   http://www.smart.net.au
Email [EMAIL PROTECTED]
Phone (03) 9846 1711   Melb 1800-240-829   Sydn 1800-888-761

-----Original Message-----
From: mike grommet [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, March 11, 1999 4:12 AM
Subject: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?

> For management purposes, I would like to be able to keep my authentication working as it is with my unix users file, but I would like to store all accounting information, and session limit stuff in a SQL database...
>
> From reading the docs, it seems radiator can do this if I am doing authby SQL, but doesn't seem to include possibilities for this scenario... Am I missing something?
>
> It sure would be nice to be able to do queries to an sql database to check customer usage and such.
>
> I realize I could make an SQL database out of the unix password file, but I would prefer to not have to do this to achieve this functionality...
Re: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?
On Wed, 10 Mar 1999, mike grommet wrote:

> For management purposes, I would like to be able to keep my authentication working as it is with my unix users file, but I would like to store all accounting information, and session limit stuff in a SQL database...

'Tis what I'm doing at the moment, albeit I have my previous radius server still doing authentication on another machine. Radiator doesn't even see the auth requests at this point in time. Basically, I'm giving Radiator (and the server I constructed for it) a 'shakedown cruise' prior to making it do mission-critical work. So my config is fairly simple since all my Radiator is seeing is accounting packets and stuffing them in a SQL (Postgres) database. Further, as soon as I'm satisfied with the stability of my new server, I'll be doing auth on it too, but the auth will be by another SQL database...I want to get away from that unix passwd file crap asap.

> From reading the docs, it seems radiator can do this if I am doing authby SQL, but doesn't seem to include possibilities for this scenario... Am I missing something?

I'm shooting in the dark kinda as a newbie to the Radiator configuration, but I suspect that you'd have two authby clauses and a ContinueWhileAccept keyword or somesuch. The first authby clause deals with your passwd file authentication and doesn't do any accounting. The second authby clause doesn't do auth but stuffs the accounting in a SQL database. The Continue* keyword (whichever one it really is) ensures that a packet has to pass thru both.

I'm sure there's a way to config it, but if all else fails, you could always just run two instances of Radiator on different ip's on the server in question, and config one to do authby unix for your auth stuff and the other to do authby sql for your acco stuff. Messy and inelegant if you ask me, but it's always nice to have a last-resort that is sure to work. (:

> It sure would be nice to be able to do queries to an sql database to check customer usage and such.
That's what I thought, and boy did I underestimate how nice it really is. I knew it'd be nice, but I really had no idea how great it was until the db was there and AnyDataIWanted suddenly became no more of an issue than how to properly word my sql query. I've spent a couple of entire nights playing with all the queries that I can now do and finding out all kinds of stuff about my statistics. I can only say that I shoulda been doing this from the beginning.

> I realize I could make an SQL database out of the unix password file, but I would prefer to not have to do this to achieve this functionality...

That's my current plan, as soon as my new server with its linux, radiator, postgres, perl and apache shows me a month of continuous troublefree uptime, I'm switching to doing my auth via sql as well. Same reason; having data in a *real* database makes everything easier. No more greppin' through a passwd file to find out who's on that server or how many accounts or or or. Especially when it comes to interesting things like having different check/reply items.

I'm seeing a web page my customers can go to and specify that their child's account can't log in after 11pm, or that all their packets get routed thru our in-house filtering software. I'm also seeing policies such as 'if your bill is 30 days past due, you can only log on if 10% of my modems are idle; if you're 60 days past due, you can only access email and local resources...no surfin for you ya bum, and if you're 90 everything you do takes you to a 'pay your bill' webpage. And at 120...well, the results of a simple sql query gets auto-emailed to my lawyer. *grin*)

Lon Stockton
MoonStar
RE: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?
Looks a little like my question a couple of weeks back - 26/02/99

Do something like this:

	<Realm>
		AuthByPolicy ContinueWhileIgnore
		<AuthBy SQL>
			DBSource .
			# This disables SQL auth
			AuthSelect
			# This enables SQL accounting
			AccountingTable yyy
			AcctColumnDef
		</AuthBy>
		<AuthBy FILE>
			Filename whatever
		</AuthBy>
		AcctLogFileName youracctdetailflatfilename
	</Realm>

--
Stephen Ollis [EMAIL PROTECTED]
Ph: +61 2 9911 1606 (BH)   +61 2 9911 1555 (FAX)
Team Leader, Server Systems - Network Engineering
ATT EasyLink Services, Lvl 8, 15 Orion Rd, Lane Cove, NSW 2066 Australia
'There is no traffic jam on the extra mile.' - Zig Ziegler

-----Original Message-----
From: Lon R. Stockton, Jr. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 11, 1999 9:33 AM
To: mike grommet
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question: Authenticate by unix, but use SQL accounting?
Re: (RADIATOR) Question about Radiator/Platypus
Hello Kelly -

On Thu, 18 Nov 1999, Kelly Hamlin wrote:

> I have successfully setup Radiator to Authenticate off the Plat database, however, when I assign static IP's and pools of IP's to certain users in the RadiusNT section of platypus I add all the attributes and all the proper setup just as I did for the Livingston Radius server. Those users can login with no problem but are unable to do anything once connected. They have static IP's assigned on their end and it's being assigned dynamically and to me that would explain why they can't do anything once connected.
>
> Also I noticed that when I was authenticating off the plat database, I would check calls online and it would be blank. I setup server to point to the SQL Server running all the radius/plat database information.
>
> Is there a setting that I need to include in one of the config files for Radiator to have it assign IP's from platypus user attributes or should it do that by default since it is authenticating from it?

Could you please send me a copy of a trace 4 debug output showing what is happening when you authenticate a user?

thanks

Hugh