(RADIATOR) Static IP address/Framed-IP-Address Simultaneous-Use = 1 attribute

Steve Hardin steveh at hpcisp.com
Sun Jun 3 21:36:27 CDT 2001


Actually I did try to add the AuthSelect statements just like the example
in the manual (your reply also had the same exact statements) after I
emailed the radiator list.  I still failed to authenticate correctly.

I'm not sending the static ip in a check attribute; it is in a reply
attribute.  Here are the results of a select * from SUBSCRIBER statement of
the subscribe table.  The user xyz is a static ip and the user fred is a
simultaneous use statement.  I do like your suggestion of using the:

AddToReply Service-Type = Framed-User, \
                Framed-Protocol = PPP, \

Again here is my sub table with some data in it:

USERNAME:  fred
PASSWORD:  xxx
CHECKATTR: Simultaneous-Use = 1, Service-Type = Framed-User
REPLYATTR: Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.254,Service-Type = Framed-User,Framed-Routing = None,Framed-MTU = 1500,Framed-Compression = Van-Jacobson-TCP-IP

USERNAME:  xyz
PASSWORD:  xxx
CHECKATTR: Service-Type = Framed-User
REPLYATTR: Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.254,Framed-IP-Address = 208.149.144.160,Service-Type = Framed-User,Framed-Routing = None,Framed-MTU = 1500,Framed-Compression = Van-Jacobson-TCP-IP


I will try this again and send a debug session to you however I can't do it
currently because I can't slice off a port for testing.  I will have to give
it to you in the next 15 hours or so.  Unless I made a mistake previously I
don't think it will work but I hope so!

Thanks for all your help,

Steve

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Sunday, June 03, 2001 7:32 PM
To: pop; radiator at open.com.au
Cc: rick at hpcisp.com; joanne at open.com.au
Subject: Re: (RADIATOR) Static IP address/Framed-IP-Address Simultaneous-Use = 1 attribute


Hello Steve -

Thanks for sending the information.

On Sunday 03 June 2001 08:01, pop wrote:
> Hi,
>
> We are testing out Radiator and so far it seems easy to set up and get
> working.  I seem to be having a problem with a few items however I believe
> they are all connected.
>
> I'm trying a simple set up with one realm (DEFAULT) with cisco 5300.  I
> would like to use Simultaneous-Use only for most users but not all.  I
> would like to add static ip's for some users with Framed-IP-Address
> Simultaneous-Use = 1 authentication from SQL Database.
>

Note that Simultaneous-Use is a check item, and Framed-IP-Address is a reply
item (usually). See below for details.

> The basic username password authentication is working fine only when
> forcing the AddToReplyIfNotExist directive in the config file.
>
> It seems that the reply attributes are not being sent back to the 5300 so
> the same users can log on multiple times.  When using the
> DefaultSimultaneousUse  statement only one user at a time can log on.
> However when setting that attribute and value in the SQL database and
> removing   DefaultSimultaneousUse from the config file, the same user can
> log on multiple times.
>
> I'm seeing a similar problem with assigning a static ip.  Defined in the
> database does not get assigned to the access server.
>
> Additionally I must use the AddToReplyIfNotExist in my config or else I get
> a no appropriate authorization type for user.
> Here is my sql.config and some debugs.  One for the user fred and one for
> the user xyz.  Xyz is a user set up for static ip and fred is a basic user
> that can only log on once.
>

The problem you have is that you have not indicated to the AuthBy SQL clause
that you want to use the CHECKATTR and REPLYATTR fields from the database.

You will need to add an AuthSelect statement together with the appropriate
AuthColumnDef's to do what you require - something like this:

        AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
                from SUBSCRIBERS \
                where USERNAME = '%n'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply

Have a look at sections 6.26.6 and 6.26.7 in the Radiator 2.18.1 reference
manual.

BTW - you will also need the DefaultSimultaneousUse 1 in the AuthBy SQL
clause (it is currently commented out) if you want to set a default.

>
> # This will authenticate users from SUBSCRIBERS
> <Realm DEFAULT>
>     <AuthBy SQL>
>       # Adjust DBSource, DBUsername, DBAuth to suit your DB
>
>       DBSource        dbi:mysql:xxx
>         DBUsername      xxx
>         DBAuth          xxxxx
>
> #DefaultSimultaneousUse 1
>
>       # You may want to tailor these for your ACCOUNTING table
>       # You can add your own columns to store whatever you like
>       AccountingTable ACCOUNTING
>       AcctColumnDef   USERNAME,User-Name
>       AcctColumnDef   TIME_STAMP,Timestamp,integer
>       AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>       AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>       AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>       AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>       AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>       AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>       AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>       AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>       AcctColumnDef   NASPORT,NAS-Port,integer
>       AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>
> # added would like to take this out!
>
>         AddToReplyIfNotExist Service-Type = Framed-User,\
>                  Framed-Protocol = PPP,\
>                  Framed-Routing = None,\
>                  Framed-MTU = 1500,\
>                  Framed-Compression = Van-Jacobson-TCP-IP
> # end added
>
>       # You can arrange to log accounting to a file if the
>       # SQL insert fails with AcctFailedLogFileName
>       # That way you could recover from a broken SQL
>       # server
>       AcctFailedLogFileName %D/missedaccounting
>
>
>     </AuthBy>
>
>
> </Realm>
>

Also note that if you want to set a number of default reply attributes,
rather than defining them for every user, you can use an AddToReply statement
in the AuthBy SQL clause:

        AddToReply Service-Type = Framed-User, \
                Framed-Protocol = PPP, \
                .....


hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
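
Added example, not part of the original thread and not Radiator code: a small lint for the check/reply split discussed above, run over the two SUBSCRIBERS rows as posted. The rule sets, function names and finding texts are assumptions of this example.

```python
# Attribute names are the ones in the thread. The two rule sets and all
# function names are assumptions of this example, not Radiator internals.
CHECK_ONLY = {"Simultaneous-Use"}  # enforced by the server, not sent to the NAS
REPLY_ONLY = {"Framed-IP-Address", "Framed-IP-Netmask", "Framed-Routing",
              "Framed-MTU", "Framed-Compression"}


def parse_attrs(text):
    """Split 'Name = value,Name = value' into a list of (name, value) pairs.

    Simplified: quoted values containing commas are not handled.
    """
    pairs = []
    for item in (text or "").split(","):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"not an attribute = value pair: {item!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def lint_row(username, checkattr, replyattr):
    """Return findings for one row's CHECKATTR / REPLYATTR columns."""
    check = dict(parse_attrs(checkattr))
    reply = dict(parse_attrs(replyattr))
    findings = []
    for name in sorted(reply.keys() & CHECK_ONLY):
        findings.append(f"{username}: {name} in REPLYATTR is never enforced")
    for name in sorted(check.keys() & REPLY_ONLY):
        findings.append(f"{username}: {name} in CHECKATTR is matched, not assigned")
    if "Framed-IP-Address" in reply and "Simultaneous-Use" not in check:
        findings.append(f"{username}: static IP with no per-user Simultaneous-Use")
    return findings


# Rows as posted in the thread (password column left out).
COMMON = ("Service-Type = Framed-User,Framed-Routing = None,"
          "Framed-MTU = 1500,Framed-Compression = Van-Jacobson-TCP-IP")
ROWS = [
    ("fred", "Simultaneous-Use = 1, Service-Type = Framed-User",
     "Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.254," + COMMON),
    ("xyz", "Service-Type = Framed-User",
     "Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.254,"
     "Framed-IP-Address = 208.149.144.160," + COMMON),
]

if __name__ == "__main__":
    for row in ROWS:
        for finding in lint_row(*row) or [f"{row[0]}: ok"]:
            print(finding)
```

The finding for xyz means the session limit for that static address would come only from DefaultSimultaneousUse in the AuthBy SQL clause, which is commented out in the posted config.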

