(RADIATOR) Continuous looping of Radiator after config change

Hugh Irvine hugh at open.com.au
Tue Feb 19 23:10:03 CST 2002


Hi Tim -

The thing that I am not clear on is this:

> > 	<AuthBy SQL>
> > 		DBSource dbi:mysql:serauser
> > 		DBUsername radius
> > 		DBAuth blah
> > 		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
> > 			from serauser where serauser='%u'

As I don't understand what is meant to happen with
'Service-Type = Login-User, Auth-Type = System'? I can't see any way that
they would be returned as reply attributes, and indeed Auth-Type is not
defined in the Radiator dictionary.

Any clarification would be helpful.

thanks

Hugh


On Wed, 20 Feb 2002 04:39, Young, Tim wrote:
> Hugh,
>
> Thanks for the quick response.
>
> Let me apologize ahead of time for any rambling I do on this. It has been
> many years since I have had to deal with this config and I have had many
> different positions as well. (Some of them management which may explain my
> decreased technical skills).
>
> I will try and annotate the config file as best I can.
>
> <snip>
>
> Below is the pertinent Client portion of the config:
> > # Client config for natasha
> > <Client natasha.compuware.com>
> > 	Secret blah6
> > 	DefaultRealm vpn.compuware.com
> > </Client>
>
> <snip>
>
> > <Realm vpn.compuware.com>
> > #	<AuthBy FILE>
> > #		Filename %D/VPN_User
> > #		Nocache
> > #		DynamicCheck Group
> > #	</AuthBy>
> > 	AuthByPolicy ContinueWhileAccept
>
> We do the AuthByPolicy to make sure that both AuthBy SQL statements return
> accepts before allowing access.
>
> > 	<AuthBy SQL>
> > 		DBSource dbi:mysql:serauser
> > 		DBUsername radius
> > 		DBAuth blah
> > 		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
> > 			from serauser where serauser='%u'
>
> I am quite clear on this but I believe we needed to return not only the
> password but the two attached attributes in order for the authentication
> process through the (Isolation System InfoCrypt server => Shiva VPN
> LanRover gateway => Intel LanRover Gateway) to work correctly. The VPN
> product has, as noted above, gone through several owners since our initial
> configuration. The password is stored encrypted in the SQL server.
>
> > 		EncryptedPassword
> > 	</AuthBy>
> > 	<AuthBy SQL>
> > #		DynamicCheck Group
> > 		DBSource dbi:mysql:serauser
> > 		DBUsername radius
> > 		DBAuth blah
> > 		AuthSelect select seragroup from seragroup where serauser='%u' and seragroup = '%{Shiva-VPN-Group}'
>
> This AuthSelect checks another table in the SQL server to verify that the
> user is in a group that matches the "Shiva-VPN-Group" attribute that is
> passed along with the authentication request. I remember working at length
> with Mike on this. It is mentioned in the History notes for Rev 2.12.
>
> > 		AuthColumnDef 0, Shiva-VPN-Group, check
> > 	</AuthBy>
> > 	AcctLogFileName %L/Natasha.%Y%m%d
> > </Realm>
>
> </snip>
> </snip>
>
> Hope this helps clear some things up about my problem.
>
> Many thanks to Damir for his suggestion on how to prevent the looping from
> happening. I have looked under the hood of Radiator which is why I was
> sooooo happy to convince my company to purchase it instead of many other
> more expensive commercial versions out there.
>
> Regards,
>
> Tim Young

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
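
The two-stage check described in the quoted message (both AuthBy SQL clauses must accept under AuthByPolicy ContinueWhileAccept), modelled as an added Python example that is not part of the original messages and is not Radiator code. It assumes an in-memory SQLite database in place of MySQL, PBKDF2 in place of the stored password encryption, and constructed sample rows; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ACCEPT, REJECT = "ACCEPT", "REJECT"

def hash_pw(password, salt):
    # PBKDF2 stands in for the page's EncryptedPassword storage (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def make_db():
    # Constructed sample data; table and column names follow the quoted config.
    db = sqlite3.connect(":memory:")
    db.execute("create table serauser (serauser text primary key, password text)")
    db.execute("create table seragroup (serauser text, seragroup text)")
    salt = os.urandom(16)
    stored = salt.hex() + "$" + hash_pw("s3cret", salt)
    db.execute("insert into serauser values (?, ?)", ("alice", stored))
    db.execute("insert into seragroup values (?, ?)", ("alice", "engineering"))
    return db

def check_password(db, req):
    # First clause: look up the stored hash using a bound parameter.
    row = db.execute("select password from serauser where serauser = ?",
                     (req["User-Name"],)).fetchone()
    if row is None:
        return REJECT
    salt_hex, digest = row[0].split("$", 1)
    candidate = hash_pw(req["User-Password"], bytes.fromhex(salt_hex))
    return ACCEPT if hmac.compare_digest(candidate, digest) else REJECT

def check_group(db, req):
    # Second clause: the user must belong to the group named in the request.
    row = db.execute(
        "select seragroup from seragroup where serauser = ? and seragroup = ?",
        (req["User-Name"], req.get("Shiva-VPN-Group", ""))).fetchone()
    return ACCEPT if row else REJECT

def continue_while_accept(db, req, clauses=(check_password, check_group)):
    # Run clauses in order; stop at the first result that is not an accept.
    result = REJECT
    for clause in clauses:
        result = clause(db, req)
        if result != ACCEPT:
            break
    return result
```
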

