(RADIATOR) Profiles problems
Brandon Lehmann
blehmann at glis.cc
Wed Nov 12 16:43:53 CST 2003
Hugh,
Trace 4 with the config in my original message shows:
--- START----
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code: Access-Request
Identifier: 120
Authentic: 1234567890123456
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
No reply
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 121
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 121
Authentic: f>e#O#<156><150>S<239>N<240><234><182><23><229>
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 122
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 122
Authentic: 5Y<2>V<137><180>L<2>R<138>vzai<248><184>
Attributes:
OK
-----END----
Changing AuthByPolicy to ContinueWhileAccept returns this:
-----START-----
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code: Access-Request
Identifier: 81
Authentic: 1234567890123456
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
Packet dump:
*** Received from 63.148.117.3 port 1645 ....
Code: Access-Reject
Identifier: 81
Authentic: <201>KV<189>Ao<213><235><254>3<22>z>h<239><4>
Attributes:
Reply-Message = "Request Denied"
Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 82
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 82
Authentic: <237><157><221><24><8><3><11><235><207><167>t<226>SVQ<227>
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 83
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 83
Authentic: <4>\<212>g'`<252><214><23><246>>A]<136><172><174>
Attributes:
OK
----END-----
Removing the AuthBy clause for the profile & timeofday returns this (with
ContinueWhileAccept):
----START------
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code: Access-Request
Identifier: 251
Authentic: 1234567890123456
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
Packet dump:
*** Received from 63.148.117.3 port 1645 ....
Code: Access-Reject
Identifier: 251
Authentic: <2>I<24> <180>7<222><164><151>k<213><22>O<15><255>N
Attributes:
Reply-Message = "Request Denied"
Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 252
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 252
Authentic: <203>r<199><16>8<247>G<146><29>fe<135>`<20><133>Q
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 253
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 253
Authentic: TZ<243><171><164><236><146>h<14>+<186>)<190><14><<197>
Attributes:
OK
----------END---------
And with the AuthBy clause for timeofday removed and the policy set to
ContinueAlways:
--------START---------
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code: Access-Request
Identifier: 62
Authentic: 1234567890123456
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
Packet dump:
*** Received from 63.148.117.3 port 1645 ....
Code: Access-Accept
Identifier: 62
Authentic: 9<165>Y<201><211><140><2>u<210><251><161><200>3<149><179><1>
Attributes:
Service-Type = Framed-User
Session-Timeout = 18000
Idle-Timeout = 1740
Framed-IP-Netmask = 255.255.255.255
Port-Limit = 3
OK
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 63
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 63
Authentic: <1>.<245><190>|!.1g<201>0<201><148><229><234>%
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code: Accounting-Request
Identifier: 64
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
User-Name = "brandon"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 64
Authentic: <237><203>Z_<169><202>Um#&<241><136><29>8<145><23>
Attributes:
OK
--------END----------
As for a crash course in TimeOfDay, it's a RADIUS attribute that is used to
define when a user can login. Say 7:30am to 3:30pm etc -> "07:30-15:30" or
cannot login "!00:00-02:00" -> midnight to 2am. It is pretty similar to the
Radiator Time attribute. However I have tried changing the columndef to
"AuthColumnDef 0,Time,reply" and adding "Al" to the front of the field to
apply for all days as the Radiator manual shows. What I need to do is limit
a few users to only login during certain hours (at their bosses' request).
For now I have just added a stored procedure to my SQL server and a job to
turn the account on and off at the specified time; however, that will not work
forever.
Thanks for the help,
Brandon
Note: This is running Radiator 3.7.1 on Windows 2000 SP4, w/ ActiveState
Perl 5.6.1 using a 3Com Total Control.
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Brandon Lehmann" <blehmann at glis.cc>
Cc: <owner-radiator at open.com.au>; <radiator at open.com.au>
Sent: Wednesday, November 12, 2003 5:03 PM
Subject: Re: (RADIATOR) Profiles problems
>
> Hello Brandon -
>
> Could you please send me a trace 4 debug showing what is happening, and
> a bit more detail on what exactly you are wanting to have happen? I am
> not clear on what the TimeOfDay reply item is meant to do.
>
> regards
>
> Hugh
>
>
> On 13/11/2003, at 7:10 AM, Brandon Lehmann wrote:
>
> > Hi List,
> >
> > I cannot get the radius server to return the profile while using
> > the following configuration:
> >
> > ------START-----
> > LogStdout c:/radiator/stdout.txt
> > LogDir c:/radiator
> > DbDir c:/radiator.
> >
> > <Client DEFAULT>
> > Secret !removed for my protection!
> > DupInterval 0
> > </Client>
> >
> > <Realm DEFAULT>
> >
> > AuthByPolicy ContinueAlways
> >
> > <AuthBy SQL>
> > Identifier ACCT1
> > DBSource dbi:ODBC:!removed for my protection!
> > DBUsername !removed for my protection!
> > DBAuth !removed for my protection!
> >
> > AuthSelect
> >
> > AccountingTable radacct1
> > AcctColumnDef UserName,User-Name
> > AcctColumnDef LogDateTime,Timestamp,integer-date
> > AcctColumnDef AcctStatusType,Acct-Status-Type
> > AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
> > AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
> > AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
> > AcctColumnDef AcctInputPackets,Acct-Input-Packets,integer
> > AcctColumnDef AcctOutputPackets,Acct-Output-Packets,integer
> > AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
> > AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause
> > AcctColumnDef NasIPAddress,NAS-IP-Address
> > AcctColumnDef NasIdentifier,NAS-Identifier
> > AcctColumnDef NasPortId,NAS-Port,integer
> > AcctColumnDef NasPortType,NAS-Port-Type,integer
> > AcctColumnDef ConnectInfo,Connect-Info
> > AcctColumnDef ServiceType,Service-Type
> > AcctColumnDef FramedProtocol,Framed-Protocol
> > AcctColumnDef FramedAddress,Framed-IP-Address
> > AcctColumnDef CallingStationId,Calling-Station-Id
> > </AuthBy>
> >
> > <AuthBy SQL>
> > Identifier AUTH1
> > DBSource dbi:ODBC:!removed for my protection!
> > DBUsername !removed for my protection!
> > DBAuth !removed for my protection!
> >
> > AuthSelect select
> > ClearTextPassword,ServiceType,SessionLimit, \
> > IdleLimit,StaticIP,IPNetmask,FramedRoute,PortLimit, \
> > PortLimit,ProfileID from Customers where CustomerID=%0 \
> > and Disable is null
> > AuthColumnDef 0,Password,check
> > AuthColumnDef 1,Service-Type,reply
> > AuthColumnDef 2,Session-Timeout,reply
> > AuthColumnDef 3,Idle-Timeout,reply
> > AuthColumnDef 4,Framed-IP-Address,reply
> > AuthColumnDef 5,Framed-IP-Netmask,reply
> > AuthColumnDef 6,Framed-Route,reply
> > AuthColumnDef 7,Port-Limit,reply
> > AuthColumnDef 8,Simultaneous-Use,check
> > AuthColumnDef 9,Profile,reply
> > </AuthBy>
> > <AuthBy SQL>
> > DBSource dbi:ODBC:!removed for my protection!
> > DBUsername !removed for my protection!
> > DBAuth !removed for my protection!
> >
> > AuthSelect SELECT timeofday FROM profiles WHERE \
> > [profile]='%{Reply:Profile}'
> > AuthColumnDef 0,TimeOfDay,reply
> >
> > StripFromReply Profile
> > </AuthBy>
> >
> > SessionDatabase SDB1
> >
> > </Realm>
> >
> > <SessionDatabase SQL>
> > Identifier SDB1
> > DBSource dbi:ODBC:!removed for my protection!
> > DBUsername !removed for my protection!
> > DBAuth !removed for my protection!
> > </SessionDatabase>
> > -------END----
> >
> > If I change "AuthByPolicy ContinueAlways" to "AuthByPolicy
> > ContinueWhileAccept" then the server always returns "Request Denied". Any
> > input would be greatly appreciated. Note: I have already searched the list
> > archives, nothing seems to work.
> >
> > Thank you,
> >
> > Brandon Lehmann
> > Network Administrator
> > Great Lakes Internet Service, LLC.
> > The Computer Loft, Inc.
> > 218 Justice St
> > Fremont, Ohio 43420
> > 419.332.3553
> > blehmann at glis.cc
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
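The TimeOfDay format described in the message above ("07:30-15:30" to allow a window, "!00:00-02:00" to deny one), evaluated in Python as an added example that is not part of the original post and is not Radiator code. The function names are hypothetical; it assumes the start time is inclusive and the end exclusive, goes beyond the post's two examples by handling windows that cross midnight, and denies the login when the stored value is malformed.

```python
import re
from datetime import time

# Format taken from the post: "HH:MM-HH:MM", optionally prefixed with "!" to deny.
_WINDOW = re.compile(r"^(!?)([01]\d|2[0-3]):([0-5]\d)-([01]\d|2[0-3]):([0-5]\d)$")


def parse_time_of_day(value):
    """Return (negated, start, end) or raise ValueError on a malformed value."""
    m = _WINDOW.match(value.strip())
    if not m:
        raise ValueError(f"malformed TimeOfDay value: {value!r}")
    start = time(int(m.group(2)), int(m.group(3)))
    end = time(int(m.group(4)), int(m.group(5)))
    return m.group(1) == "!", start, end


def in_window(now, start, end):
    """Assumption: start inclusive, end exclusive; end <= start wraps past midnight."""
    if start < end:
        return start <= now < end
    return now >= start or now < end


def login_allowed(value, now):
    """Decide whether a login at `now` (datetime.time) is permitted.

    A malformed value denies the login (fail closed) instead of
    silently granting unrestricted access.
    """
    try:
        negated, start, end = parse_time_of_day(value)
    except ValueError:
        return False
    inside = in_window(now, start, end)
    return not inside if negated else inside


if __name__ == "__main__":
    # Constructed sample values, using the two examples from the post.
    for value, hhmm in [("07:30-15:30", "09:00"), ("07:30-15:30", "16:00"),
                        ("!00:00-02:00", "01:15"), ("!00:00-02:00", "12:00"),
                        ("22:00-06:00", "23:30"), ("7.30-15.30", "09:00")]:
        h, m = map(int, hhmm.split(":"))
        print(f"{value:14} at {hhmm}: {login_allowed(value, time(h, m))}")
```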