(RADIATOR) Profiles problems

Hugh Irvine hugh at open.com.au
Wed Nov 12 22:20:55 CST 2003


Hello Brandon -

Thanks for your mail.

Unfortunately I meant "a trace 4 debug from Radiator" (not a trace 4 
debug from radpwtst).

In any event, I suspect that at the very least the "TimeOfDay" radius 
attribute is not defined in your Radiator dictionary.

regards

Hugh


On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:

> Hugh,
>
>     Note: I don't care that I left my IP address in there or the
> "encrypted" password. This is a test server with test data.
>
> Brandon
>
> ----- Original Message -----
> From: "Brandon Lehmann" <blehmann at glis.cc>
> To: "Hugh Irvine" <hugh at open.com.au>
> Cc: <owner-radiator at open.com.au>; <radiator at open.com.au>
> Sent: Wednesday, November 12, 2003 5:43 PM
> Subject: Re: (RADIATOR) Profiles problems
>
>
>> Hugh,
>>
>>     Trace 4 with the config in my original message shows:
>>
>> --- START----
>> Reading dictionary file './dictionary'
>> sending Access-Request...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 120
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "brandon"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
>>
>> No reply
>> sending Accounting-Request Start...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 121
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>         User-Name = "brandon"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         NAS-Port-Type = Async
>>         Acct-Session-Id = "00001234"
>>         Acct-Status-Type = Start
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         Acct-Delay-Time = 0
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 121
>> Authentic:  f>e#O#<156><150>S<239>N<240><234><182><23><229>
>> Attributes:
>>
>> OK
>> sending Accounting-Request Stop...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 122
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>         User-Name = "brandon"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         NAS-Port-Type = Async
>>         Acct-Session-Id = "00001234"
>>         Acct-Status-Type = Stop
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         Acct-Delay-Time = 0
>>         Acct-Session-Time = 1000
>>         Acct-Input-Octets = 20000
>>         Acct-Output-Octets = 30000
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 122
>> Authentic:  5Y<2>V<137><180>L<2>R<138>vzai<248><184>
>> Attributes:
>>
>> OK
>> -----END----
>>
>>
>> Changing AuthByPolicy to ContinueWhileAccept returns this:
>>
>> -----START-----
>> Reading dictionary file './dictionary'
>> sending Access-Request...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 81
>> Authentic:  1234567890123456
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  NAS-Port-Type = Async
>>  User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1645 ....
>> Code:       Access-Reject
>> Identifier: 81
>> Authentic:  <201>KV<189>Ao<213><235><254>3<22>z>h<239><4>
>> Attributes:
>>  Reply-Message = "Request Denied"
>>
>> Rejected: Request Denied
>> sending Accounting-Request Start...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 82
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  NAS-Port-Type = Async
>>  Acct-Session-Id = "00001234"
>>  Acct-Status-Type = Start
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  Acct-Delay-Time = 0
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 82
>> Authentic:  <237><157><221><24><8><3><11><235><207><167>t<226>SVQ<227>
>> Attributes:
>>
>> OK
>> sending Accounting-Request Stop...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 83
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  NAS-Port-Type = Async
>>  Acct-Session-Id = "00001234"
>>  Acct-Status-Type = Stop
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  Acct-Delay-Time = 0
>>  Acct-Session-Time = 1000
>>  Acct-Input-Octets = 20000
>>  Acct-Output-Octets = 30000
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 83
>> Authentic:  <4>\<212>g'`<252><214><23><246>>A]<136><172><174>
>> Attributes:
>>
>> OK
>>
>> ----END-----
>>
>> Removing the AuthBy clause for the profile & timeofday returns this
>> (with ContinueWhileAccept):
>>
>> ----START------
>> Reading dictionary file './dictionary'
>> sending Access-Request...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 251
>> Authentic:  1234567890123456
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  NAS-Port-Type = Async
>>  User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1645 ....
>> Code:       Access-Reject
>> Identifier: 251
>> Authentic:  <2>I<24> <180>7<222><164><151>k<213><22>O<15><255>N
>> Attributes:
>>  Reply-Message = "Request Denied"
>>
>> Rejected: Request Denied
>> sending Accounting-Request Start...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 252
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  NAS-Port-Type = Async
>>  Acct-Session-Id = "00001234"
>>  Acct-Status-Type = Start
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  Acct-Delay-Time = 0
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 252
>> Authentic:  <203>r<199><16>8<247>G<146><29>fe<135>`<20><133>Q
>> Attributes:
>>
>> OK
>> sending Accounting-Request Stop...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 253
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  NAS-Port-Type = Async
>>  Acct-Session-Id = "00001234"
>>  Acct-Status-Type = Stop
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  Acct-Delay-Time = 0
>>  Acct-Session-Time = 1000
>>  Acct-Input-Octets = 20000
>>  Acct-Output-Octets = 30000
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 253
>> Authentic:  TZ<243><171><164><236><146>h<14>+<186>)<190><14><<197>
>> Attributes:
>>
>> OK
>> ----------END---------
>>
>> And with the AuthBy clause for timeofday removed and the policy set to
>> ContinueAlways:
>>
>> --------START---------
>> Reading dictionary file './dictionary'
>> sending Access-Request...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1645 ....
>> Code:       Access-Request
>> Identifier: 62
>> Authentic:  1234567890123456
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  NAS-Port-Type = Async
>>  User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1645 ....
>> Code:       Access-Accept
>> Identifier: 62
>> Authentic:  9<165>Y<201><211><140><2>u<210><251><161><200>3<149><179><1>
>> Attributes:
>>  Service-Type = Framed-User
>>  Session-Timeout = 18000
>>  Idle-Timeout = 1740
>>  Framed-IP-Netmask = 255.255.255.255
>>  Port-Limit = 3
>>
>> OK
>> sending Accounting-Request Start...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 63
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  NAS-Port-Type = Async
>>  Acct-Session-Id = "00001234"
>>  Acct-Status-Type = Start
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  Acct-Delay-Time = 0
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 63
>> Authentic:  <1>.<245><190>|!.1g<201>0<201><148><229><234>%
>> Attributes:
>>
>> OK
>> sending Accounting-Request Stop...
>> Packet dump:
>> *** Sending to 63.148.117.3 port 1646 ....
>> Code:       Accounting-Request
>> Identifier: 64
>> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> Attributes:
>>  User-Name = "brandon"
>>  Service-Type = Framed-User
>>  NAS-IP-Address = 203.63.154.1
>>  NAS-Port = 1234
>>  NAS-Port-Type = Async
>>  Acct-Session-Id = "00001234"
>>  Acct-Status-Type = Stop
>>  Called-Station-Id = "123456789"
>>  Calling-Station-Id = "987654321"
>>  Acct-Delay-Time = 0
>>  Acct-Session-Time = 1000
>>  Acct-Input-Octets = 20000
>>  Acct-Output-Octets = 30000
>>
>> Packet dump:
>> *** Received from 63.148.117.3 port 1646 ....
>> Code:       Accounting-Response
>> Identifier: 64
>> Authentic:  <237><203>Z_<169><202>Um#&<241><136><29>8<145><23>
>> Attributes:
>>
>> OK
>> --------END----------
>>
>> As for a crash course in TimeOfDay, it's a RADIUS attribute that is used
>> to define when a user can log in. Say 7:30am to 3:30pm etc ->
>> "07:30-15:30" or cannot log in "!00:00-02:00" -> midnight to 2am. It is
>> pretty similar to the Radiator Time attribute. However I have tried
>> changing the columndef to "AuthColumnDef 0,Time,reply" and adding "Al" to
>> the front of the field to apply for all days as the Radiator manual
>> shows. What I need to do is limit a few users to only log in during
>> certain hours (at their boss's request). For now I have just added a
>> stored procedure to my SQL server and a job to turn the account on and
>> off at the specified time; however, that will not work forever.
>>
>> Thanks for the help,
>>
>> Brandon
>>
>> Note: This is running Radiator 3.7.1 on Windows 2000 SP4, w/ ActiveState
>> Perl 5.6.1 using a 3Com Total Control.
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Brandon Lehmann" <blehmann at glis.cc>
>> Cc: <owner-radiator at open.com.au>; <radiator at open.com.au>
>> Sent: Wednesday, November 12, 2003 5:03 PM
>> Subject: Re: (RADIATOR) Profiles problems
>>
>>
>>>
>>> Hello Brandon -
>>>
>>> Could you please send me a trace 4 debug showing what is happening, and
>>> a bit more detail on what exactly you are wanting to have happen? I am
>>> not clear on what the TimeOfDay reply item is meant to do.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 13/11/2003, at 7:10 AM, Brandon Lehmann wrote:
>>>
>>>> Hi List,
>>>>
>>>> I cannot get the radius server to return the profile while using
>>>> the following configuration:
>>>>
>>>> ------START-----
>>>> LogStdout   c:/radiator/stdout.txt
>>>> LogDir c:/radiator
>>>> DbDir c:/radiator.
>>>>
>>>> <Client DEFAULT>
>>>>      Secret !removed for my protection!
>>>>      DupInterval 0
>>>> </Client>
>>>>
>>>> <Realm DEFAULT>
>>>>
>>>>      AuthByPolicy ContinueAlways
>>>>
>>>>      <AuthBy SQL>
>>>>           Identifier ACCT1
>>>>           DBSource dbi:ODBC:!removed for my protection!
>>>>           DBUsername !removed for my protection!
>>>>           DBAuth !removed for my protection!
>>>>
>>>>           AuthSelect
>>>>
>>>>           AccountingTable radacct1
>>>>           AcctColumnDef UserName,User-Name
>>>>           AcctColumnDef LogDateTime,Timestamp,integer-date
>>>>           AcctColumnDef AcctStatusType,Acct-Status-Type
>>>>           AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
>>>>           AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
>>>>           AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
>>>>           AcctColumnDef AcctInputPackets,Acct-Input-Packets,integer
>>>>           AcctColumnDef AcctOutputPackets,Acct-Output-Packets,integer
>>>>           AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
>>>>           AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause
>>>>           AcctColumnDef NasIPAddress,NAS-IP-Address
>>>>           AcctColumnDef NasIdentifier,NAS-Identifier
>>>>           AcctColumnDef NasPortId,NAS-Port,integer
>>>>           AcctColumnDef NasPortType,NAS-Port-Type,integer
>>>>           AcctColumnDef ConnectInfo,Connect-Info
>>>>           AcctColumnDef ServiceType,Service-Type
>>>>           AcctColumnDef FramedProtocol,Framed-Protocol
>>>>           AcctColumnDef FramedAddress,Framed-IP-Address
>>>>           AcctColumnDef CallingStationId,Calling-Station-Id
>>>>      </AuthBy>
>>>>
>>>>      <AuthBy SQL>
>>>>           Identifier AUTH1
>>>>           DBSource dbi:ODBC:!removed for my protection!
>>>>           DBUsername !removed for my protection!
>>>>           DBAuth  !removed for my protection!
>>>>
>>>>           AuthSelect select ClearTextPassword,ServiceType,SessionLimit, \
>>>>               IdleLimit,StaticIP,IPNetmask,FramedRoute,PortLimit, \
>>>>               PortLimit,ProfileID from Customers where CustomerID=%0 \
>>>>               and Disable is null
>>>>           AuthColumnDef 0,Password,check
>>>>           AuthColumnDef 1,Service-Type,reply
>>>>           AuthColumnDef 2,Session-Timeout,reply
>>>>           AuthColumnDef 3,Idle-Timeout,reply
>>>>           AuthColumnDef 4,Framed-IP-Address,reply
>>>>           AuthColumnDef 5,Framed-IP-Netmask,reply
>>>>           AuthColumnDef 6,Framed-Route,reply
>>>>           AuthColumnDef 7,Port-Limit,reply
>>>>           AuthColumnDef 8,Simultaneous-Use,check
>>>>           AuthColumnDef 9,Profile,reply
>>>>      </AuthBy>
>>>>      <AuthBy SQL>
>>>>          DBSource dbi:ODBC:!removed for my protection!
>>>>          DBUsername !removed for my protection!
>>>>          DBAuth !removed for my protection!
>>>>
>>>>          AuthSelect      SELECT timeofday FROM profiles WHERE \
>>>>             [profile]='%{Reply:Profile}'
>>>>          AuthColumnDef 0,TimeOfDay,reply
>>>>
>>>>          StripFromReply Profile
>>>>      </AuthBy>
>>>>
>>>>      SessionDatabase SDB1
>>>>
>>>> </Realm>
>>>>
>>>> <SessionDatabase SQL>
>>>>      Identifier SDB1
>>>>      DBSource dbi:ODBC:!removed for my protection!
>>>>      DBUsername !removed for my protection!
>>>>      DBAuth  !removed for my protection!
>>>> </SessionDatabase>
>>>> -------END----
>>>>
>>>> If I change "AuthByPolicy ContinueAlways" to "AuthByPolicy
>>>> ContinueWhileAccept" then the server always returns "Request Denied".
>>>> Any input would be greatly appreciated. Note: I have already searched
>>>> the list archives, nothing seems to work.
>>>>
>>>> Thank you,
>>>>
>>>> Brandon Lehmann
>>>> Network Administrator
>>>> Great Lakes Internet Service, LLC.
>>>> The Computer Loft, Inc.
>>>> 218 Justice St
>>>> Fremont, Ohio 43420
>>>> 419.332.3553
>>>> blehmann at glis.cc
>>>>
>>>> ===
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
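
The TimeOfDay window format described in the quoted message ("07:30-15:30" permits, "!00:00-02:00" forbids), worked through as an added example; it is not part of the original thread and is not Radiator or NAS code. The function names, the end-exclusive boundary, the handling of windows that wrap past midnight, and denying on a malformed value are assumptions of this sketch.

```python
from datetime import time


def parse_time_of_day(value):
    """Parse 'HH:MM-HH:MM' or '!HH:MM-HH:MM' into (negated, start, end)."""
    text = value.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    start_s, sep, end_s = text.partition("-")
    if not sep:
        raise ValueError(f"missing '-' in {value!r}")

    def hhmm(part):
        hours, colon, minutes = part.strip().partition(":")
        if not colon or not (hours.isdigit() and minutes.isdigit()):
            raise ValueError(f"bad time {part!r} in {value!r}")
        # datetime.time raises ValueError for 24:00, 12:60 and similar.
        return time(int(hours), int(minutes))

    return negated, hhmm(start_s), hhmm(end_s)


def login_allowed(value, now):
    """Return True if a login at `now` (datetime.time) is permitted.

    Assumption: a value that does not parse denies the login (fail closed),
    so a typo in the profile table cannot silently lift the restriction.
    """
    try:
        negated, start, end = parse_time_of_day(value)
    except ValueError:
        return False
    if start <= end:
        inside = start <= now < end          # end of window is exclusive
    else:
        inside = now >= start or now < end   # wraps midnight, e.g. 22:00-06:00
    # '!' inverts the window: inside a forbidden window means denied.
    return inside != negated


if __name__ == "__main__":
    # Constructed sample profile values and login times.
    for value, at in [("07:30-15:30", time(9, 0)),
                      ("07:30-15:30", time(15, 30)),
                      ("!00:00-02:00", time(1, 0)),
                      ("22:00-06:00", time(23, 15)),
                      ("0730-1530", time(9, 0))]:
        print(f"{value!r:16} at {at}: {login_allowed(value, at)}")
```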
