(RADIATOR) ipass Config Question
Hugh Irvine
hugh at open.com.au
Mon Sep 2 16:36:14 CDT 2002
Hello Tunde -
Your Handler is not being used because the username string does not look
like "user@myipass" which is what you have specified. I will need to see
a trace 4 debug to see what form the iPass requests look like.
And if you are not reliably receiving the Framed-IP-Address attribute in
the accounting requests, using the Class attribute as a backup is a good
idea.
regards
Hugh
On Tuesday, September 3, 2002, at 04:09 AM, Ayotunde Itayemi wrote:
>
> Hi All, Hi hugh,
>
> My config is as below. In the past when "we" discussed the state
> column of the RADONLINE
> database not being reset appropriately, resulting in the IP-address pool
> being exhausted, you told me to
> add the following lines to my config:
> DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t where YIADDR='%0'
> or YIADDR='%{Class}'
> to the AddressAllocator SQL clause and the following line to the AuthBy
> DYNADDRESS clause
> AddToReply Class = %{Reply:Framed-IP-Address}
> Okay, I removed them later when things seemed to have "stabilised" but
> I am thinking of reintroducing them
> - please let me have your views based on the config file below.
> MAIN PROBLEMS.
> I installed ipass NetServer 3.9 as stated in the instructions and also
> configured radiator (below) based on the ipass
> instructions for configuring radiator.
> The problem is that somehow, radiator is still using the handler for my
> client rather than the special handler for ipass
> - <Handler Realm=myipass> which should cause it to proxy the request
> to the local ipass NetServer running on same
> system.
> Please note that the IP address I have radiator running on is
> e.d.f.211 .
>
> I have also disabled the apache client I had running before because I
> guess there would be a conflict between apache
> authentication and ipass NetServer since they both use localhost
> (127.0.0.1) in the client definitions for them?
>
> Regards,
> Tunde I.
>
>
> # --- RADAR -------------------------
> <Monitor>
> Username radar
> Password <mypassword>
> </Monitor>
> # Programs for Simultaneous-Use
> SnmpgetProg /usr/bin/snmpget
> # SNMP access to radiator
> <SNMPAgent>
> ROCommunity mysnmpRADsecret
> Port 162
> Managers 127.0.0.1, 192.168.10.8
> </SNMPAgent>
> # Online users
> <SessionDatabase SQL>
> Identifier SDB1
> DBSource dbi:Oracle:radius00
> DBUsername radius
> DBAuth radius
> # DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
> # where YIADDR='%0' or YIADDR='%{Class}'
> </SessionDatabase>
> # =======================================================
> <AddressAllocator SQL>
> Identifier mySQLallocator
> DBSource dbi:Oracle:radius00
> DBUsername radiusgold
> DBAuth radiusgold
> # DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
> # where YIADDR='%0' or YIADDR='%{Class}'
>
> DefaultLeasePeriod 172800
> # LeaseReclaimInterval 86400
>
> # POOL ALLOCATION RULES
> <AddressPool viruse1>
> Subnetmask 255.255.255.255
> Range a.b.e.31 a.b.e.60
> Range a.b.e.62 a.b.e.91
> </AddressPool>
> <AddressPool viruse2>
> Subnetmask 255.255.255.255
> Range a.b.c.52 a.b.c.100
> Range a.b.c.110 a.b.c.139
> Range a.b.c.150 a.b.c.200
> Range a.b.c.225 a.b.c.250
> </AddressPool>
> </AddressAllocator>
>
> # =================== CLIENTs =================================
> <Client a.b.c.3>
> Secret <mypassword>
> DupInterval 0
> SNMPCommunity public
> Identifier viruse2
> IdenticalClients a.b.c.4 a.b.c.5 a.b.c.6 \
> 172.31.1.6 172.31.1.4 172.31.1.8 192.168.10.5
> RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
> </Client>
> <Client a.b.c.30>
> # pattonRAS
> Secret <mypassword>
> DupInterval 0
> NasType Patton
> SNMPCommunity patt123mon
> Identifier viruse1
> IdenticalClients a.b.c.61 a.b.c.92
> RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
> </Client>
> <Client localhost>
> # ipass client for VNAS (incoming roamers)
> Secret <mypassword>
> Identifier ipassclient
> IdenticalClients d.e.f.212
> RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
> </Client>
> #<Client 127.0.0.1>
> # web server on this box
> # Secret apache!:123
> # DupInterval 0
> # Identifier apache
> #</Client>
> # =================== AUTH BYs =================================
> <AuthBy SQL>
> Identifier SQLStaffauth
> NoDefault
> DBSource dbi:Oracle:radius00
> DBUsername radius
> DBAuth radius
> AuthSelect select PASSWORD, CHECKATTR from STAFF \
> where USERNAME = '%n' and STATUS = 'Enabled'
> </AuthBy>
> <AuthBy SQL>
> Identifier SQLClientauth
> NoDefault
> DBSource dbi:Oracle:radius00
> DBUsername radius
> DBAuth radius
> AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
> from SUBSCRIBERS where USERNAME = '%n' \
> and STATUS = 'Enabled'
> AutoMPPEKeys
> </AuthBy>
> <AuthBy DYNADDRESS>
> Identifier myIPADDRESSauth
> Allocator mySQLallocator
> # AddToReply Class = %{Reply:Framed-IP-Address}
> # PoolHint %{Reply:PoolHint}
> PoolHint %{Client:Identifier}
> MapAttribute yiaddr, Framed-IP-Address
> MapAttribute subnetmask, Framed-IP-Netmask
> StripFromReply PoolHint
> # policy = 4 (40bit), 2 (128bit), 6 (any)
> AddToReply MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6
> AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key
> </AuthBy>
> <AuthBy DYNADDRESS>
> Identifier pattonIPADDRESSauth
> Allocator mySQLallocator
> PoolHint %{Client:Identifier}
> # PoolHint %{Reply:PoolHint}
> MapAttribute yiaddr, Framed-IP-Address
> MapAttribute subnetmask, Framed-IP-Netmask
> StripFromReply PoolHint
> </AuthBy>
> ###### proxy radius for IPASS
> <AuthBy RADIUS>
> Identifier ipassNetserver
> Host d.e.f.211
> Secret <mypassword>
> AuthPort 11812
> AcctPort 11813
> </AuthBy>
> #=================== HANDLERs ================================
> <Handler Realm=myipass>
> AcctLogFileName %L/ipass/detail
> RewriteUsername s/^IPASS\/([^#]+)\#([^@]+)\@myipass$/IPASS\/$1\@$2/
> AuthBy ipassNetserver
> </Handler>
> <Handler Client-Identifier=viruse2>
> AuthByPolicy ContinueWhileAccept
> # remove @domain-name
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> # UsernameCharset a-zA-Z0-9\._@-
> MaxSessions 1
> AcctLogFileName %L/account.log
> PasswordLogFileName %L/password.log
> SessionDatabase SDB1
> AuthBy SQLClientauth
> AuthBy myIPADDRESSauth
> </Handler>
> <Handler Client-Identifier=ipassclient>
> AuthByPolicy ContinueWhileAccept
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> UsernameCharset a-zA-Z0-9\._@-#
> MaxSessions 1
> AcctLogFileName %L/account.log
> PasswordLogFileName %L/password.log
> SessionDatabase SDB1
> AuthBy SQLClientauth
> StripFromReply Framed-IP-Address
> </Handler>
> <Handler Client-Identifier=apache>
> AuthByPolicy ContinueWhileAccept
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> UsernameCharset a-zA-Z0-9\._@-
> MaxSessions 1
> AuthBy SQLStaffauth
> </Handler>
>
> # DEFAULT HANDLER => handles any requests not in above
> <Handler>
> # default handler => handles any requests not in above
> AuthBy ipassNetserver
> </Handler>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
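As an added illustration of Hugh's diagnosis (example code written for this page, not code from the thread or from Radiator itself): the Python script below models the two RewriteUsername rules from the posted config and Radiator's first-match Handler selection, so you can see which usernames end up carrying the myipass realm and which fall through to the Client-Identifier handlers. It assumes the realm is the text after the last '@' and that Handlers are tried in config order; the sample usernames, client identifiers and the Accounting-Stop attributes are constructed. The last function models the Class fallback Hugh recommends for releasing pool addresses when an accounting request lacks Framed-IP-Address.

```python
import re

# Perl s/// rules copied from the posted config, translated to (pattern, replacement)
# pairs for re.sub. Backslash-escaped '/' and '@' in Perl are plain characters here.
CLIENT_REWRITE = (r'^IPASS/([^@]+)@([^@]+)$', r'IPASS/\1#\2@myipass')   # in each <Client>
HANDLER_REWRITE = (r'^IPASS/([^#]+)#([^@]+)@myipass$', r'IPASS/\1@\2')  # in <Handler Realm=myipass>


def client_rewrite(username):
    """Client-level RewriteUsername: tag 'IPASS/user@domain' as 'IPASS/user#domain@myipass'.
    Anything that does not match the pattern exactly (different case, no '@', two '@')
    passes through untouched, which is how a request can miss the Realm handler."""
    return re.sub(CLIENT_REWRITE[0], CLIENT_REWRITE[1], username)


def handler_rewrite(username):
    """Handler-level RewriteUsername: undo the tag before proxying to the iPass NetServer."""
    return re.sub(HANDLER_REWRITE[0], HANDLER_REWRITE[1], username)


def realm_of(username):
    """Realm used for 'Handler Realm=' matching (assumption: text after the last '@')."""
    return username.rsplit('@', 1)[1] if '@' in username else ''


# Handlers in the order they appear in the posted config; the first match wins.
HANDLERS = [
    ('Realm=myipass',                 lambda user, client: realm_of(user) == 'myipass'),
    ('Client-Identifier=viruse2',     lambda user, client: client == 'viruse2'),
    ('Client-Identifier=ipassclient', lambda user, client: client == 'ipassclient'),
    ('Client-Identifier=apache',      lambda user, client: client == 'apache'),
    ('default',                       lambda user, client: True),
]


def select_handler(username, client_identifier):
    """Return the name of the first Handler whose check attributes match."""
    for name, matches in HANDLERS:
        if matches(username, client_identifier):
            return name


def route(raw_username, client_identifier):
    """Trace a request: Client rewrite -> Handler selection -> (iPass only) Handler rewrite."""
    rewritten = client_rewrite(raw_username)
    handler = select_handler(rewritten, client_identifier)
    forwarded = handler_rewrite(rewritten) if handler == 'Realm=myipass' else None
    return {'rewritten': rewritten, 'handler': handler, 'forwarded': forwarded}


def address_to_release(acct_stop):
    """Address to free in RADPOOL on Accounting-Stop: Framed-IP-Address if the NAS sent it,
    otherwise the Class attribute that 'AddToReply Class = %{Reply:Framed-IP-Address}'
    planted at Access-Accept time and the NAS echoes back. This mirrors the
    "YIADDR='%0' or YIADDR='%{Class}'" condition in the DeleteQuery from the thread."""
    return acct_stop.get('Framed-IP-Address') or acct_stop.get('Class')


if __name__ == '__main__':
    # Constructed sample usernames; only the first is shaped the way the Client rule expects.
    for user in ('IPASS/joe@roam.example', 'ipass/joe@roam.example',
                 'joe@roam.example', 'IPASS/joe'):
        print(f'{user:26} -> {route(user, "viruse2")}')
    # Constructed Accounting-Stop with Framed-IP-Address missing but Class present.
    print(address_to_release({'Acct-Status-Type': 'Stop', 'Class': '192.0.2.45'}))
```

The `route` trace is the thing to compare against a trace 4 debug of real requests: a username that arrives without the `IPASS/` prefix, in a different case, or with no `@` is left untouched by the Client rule, never gains the myipass realm, and is handled by whichever Client-Identifier handler matches the NAS instead.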