(RADIATOR) Profiles problems

Brandon Lehmann blehmann at glis.cc
Wed Nov 12 23:35:23 CST 2003


Hugh,

    Sorry. I'm a fool some days. The problem is I don't get a response if I
change the sql column to say... SessionLimit and define the session-limit
through the profile either. I'll give it another try and check the
dictionary. Maybe I'm just going crazy but this will be day 6. I'll let you
know if I get it to work.

Brandon

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Brandon Lehmann" <blehmann at glis.cc>
Cc: <owner-radiator at open.com.au>; <radiator at open.com.au>
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems


>
> Hello Brandon -
>
> Thanks for your mail.
>
> Unfortunately I meant "a trace 4 debug from Radiator" (not a trace 4
> debug from radpwtst).
>
> In any event, I suspect that at the very least the "TimeOfDay" radius
> attribute is not defined in your Radiator dictionary.
>
> regards
>
> Hugh
>
>
> On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:
>
> > Hugh,
> >
> >     Note: I don't care that I left my IP address in there or the "encrypted"
> > password. This is a test server with test data.
> >
> > Brandon
> >
> > ----- Original Message -----
> > From: "Brandon Lehmann" <blehmann at glis.cc>
> > To: "Hugh Irvine" <hugh at open.com.au>
> > Cc: <owner-radiator at open.com.au>; <radiator at open.com.au>
> > Sent: Wednesday, November 12, 2003 5:43 PM
> > Subject: Re: (RADIATOR) Profiles problems
> >
> >
> >> Hugh,
> >>
> >>     Trace 4 with the config in my original message shows:
> >>
> >> --- START----
> >> Reading dictionary file './dictionary'
> >> sending Access-Request...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1645 ....
> >> Code:       Access-Request
> >> Identifier: 120
> >> Authentic:  1234567890123456
> >> Attributes:
> >>         User-Name = "brandon"
> >>         Service-Type = Framed-User
> >>         NAS-IP-Address = 203.63.154.1
> >>         NAS-Port = 1234
> >>         Called-Station-Id = "123456789"
> >>         Calling-Station-Id = "987654321"
> >>         NAS-Port-Type = Async
> >>         User-Password =
> >> ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
> >>
> >> No reply
> >> sending Accounting-Request Start...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 121
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>         User-Name = "brandon"
> >>         Service-Type = Framed-User
> >>         NAS-IP-Address = 203.63.154.1
> >>         NAS-Port = 1234
> >>         NAS-Port-Type = Async
> >>         Acct-Session-Id = "00001234"
> >>         Acct-Status-Type = Start
> >>         Called-Station-Id = "123456789"
> >>         Calling-Station-Id = "987654321"
> >>         Acct-Delay-Time = 0
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 121
> >> Authentic:  f>e#O#<156><150>S<239>N<240><234><182><23><229>
> >> Attributes:
> >>
> >> OK
> >> sending Accounting-Request Stop...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 122
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>         User-Name = "brandon"
> >>         Service-Type = Framed-User
> >>         NAS-IP-Address = 203.63.154.1
> >>         NAS-Port = 1234
> >>         NAS-Port-Type = Async
> >>         Acct-Session-Id = "00001234"
> >>         Acct-Status-Type = Stop
> >>         Called-Station-Id = "123456789"
> >>         Calling-Station-Id = "987654321"
> >>         Acct-Delay-Time = 0
> >>         Acct-Session-Time = 1000
> >>         Acct-Input-Octets = 20000
> >>         Acct-Output-Octets = 30000
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 122
> >> Authentic:  5Y<2>V<137><180>L<2>R<138>vzai<248><184>
> >> Attributes:
> >>
> >> OK
> >> -----END----
> >>
> >>
> >> Changing AuthByPolicy to ContinueWhileAccept returns this:
> >>
> >> -----START-----
> >> Reading dictionary file './dictionary'
> >> sending Access-Request...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1645 ....
> >> Code:       Access-Request
> >> Identifier: 81
> >> Authentic:  1234567890123456
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  NAS-Port-Type = Async
> >>  User-Password =
> >> ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1645 ....
> >> Code:       Access-Reject
> >> Identifier: 81
> >> Authentic:  <201>KV<189>Ao<213><235><254>3<22>z>h<239><4>
> >> Attributes:
> >>  Reply-Message = "Request Denied"
> >>
> >> Rejected: Request Denied
> >> sending Accounting-Request Start...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 82
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  NAS-Port-Type = Async
> >>  Acct-Session-Id = "00001234"
> >>  Acct-Status-Type = Start
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  Acct-Delay-Time = 0
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 82
> >> Authentic:  <237><157><221><24><8><3><11><235><207><167>t<226>SVQ<227>
> >> Attributes:
> >>
> >> OK
> >> sending Accounting-Request Stop...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 83
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  NAS-Port-Type = Async
> >>  Acct-Session-Id = "00001234"
> >>  Acct-Status-Type = Stop
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  Acct-Delay-Time = 0
> >>  Acct-Session-Time = 1000
> >>  Acct-Input-Octets = 20000
> >>  Acct-Output-Octets = 30000
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 83
> >> Authentic:  <4>\<212>g'`<252><214><23><246>>A]<136><172><174>
> >> Attributes:
> >>
> >> OK
> >>
> >> ----END-----
> >>
> >> Removing the Authby clause for the profile & timeofday returns this (with
> >> ContinueWhileAccept):
> >>
> >> ----START------
> >> Reading dictionary file './dictionary'
> >> sending Access-Request...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1645 ....
> >> Code:       Access-Request
> >> Identifier: 251
> >> Authentic:  1234567890123456
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  NAS-Port-Type = Async
> >>  User-Password =
> >> ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1645 ....
> >> Code:       Access-Reject
> >> Identifier: 251
> >> Authentic:  <2>I<24> <180>7<222><164><151>k<213><22>O<15><255>N
> >> Attributes:
> >>  Reply-Message = "Request Denied"
> >>
> >> Rejected: Request Denied
> >> sending Accounting-Request Start...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 252
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  NAS-Port-Type = Async
> >>  Acct-Session-Id = "00001234"
> >>  Acct-Status-Type = Start
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  Acct-Delay-Time = 0
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 252
> >> Authentic:  <203>r<199><16>8<247>G<146><29>fe<135>`<20><133>Q
> >> Attributes:
> >>
> >> OK
> >> sending Accounting-Request Stop...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 253
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  NAS-Port-Type = Async
> >>  Acct-Session-Id = "00001234"
> >>  Acct-Status-Type = Stop
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  Acct-Delay-Time = 0
> >>  Acct-Session-Time = 1000
> >>  Acct-Input-Octets = 20000
> >>  Acct-Output-Octets = 30000
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 253
> >> Authentic:  TZ<243><171><164><236><146>h<14>+<186>)<190><14><<197>
> >> Attributes:
> >>
> >> OK
> >> ----------END---------
> >>
> >> And with the AuthBy clause for timeofday removed and the policy set to
> >> ContinueAlways:
> >>
> >> --------START---------
> >> Reading dictionary file './dictionary'
> >> sending Access-Request...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1645 ....
> >> Code:       Access-Request
> >> Identifier: 62
> >> Authentic:  1234567890123456
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  NAS-Port-Type = Async
> >>  User-Password =
> >> ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1645 ....
> >> Code:       Access-Accept
> >> Identifier: 62
> >> Authentic:
> >> 9<165>Y<201><211><140><2>u<210><251><161><200>3<149><179><1>
> >> Attributes:
> >>  Service-Type = Framed-User
> >>  Session-Timeout = 18000
> >>  Idle-Timeout = 1740
> >>  Framed-IP-Netmask = 255.255.255.255
> >>  Port-Limit = 3
> >>
> >> OK
> >> sending Accounting-Request Start...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 63
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  NAS-Port-Type = Async
> >>  Acct-Session-Id = "00001234"
> >>  Acct-Status-Type = Start
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  Acct-Delay-Time = 0
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 63
> >> Authentic:  <1>.<245><190>|!.1g<201>0<201><148><229><234>%
> >> Attributes:
> >>
> >> OK
> >> sending Accounting-Request Stop...
> >> Packet dump:
> >> *** Sending to 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Request
> >> Identifier: 64
> >> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >> Attributes:
> >>  User-Name = "brandon"
> >>  Service-Type = Framed-User
> >>  NAS-IP-Address = 203.63.154.1
> >>  NAS-Port = 1234
> >>  NAS-Port-Type = Async
> >>  Acct-Session-Id = "00001234"
> >>  Acct-Status-Type = Stop
> >>  Called-Station-Id = "123456789"
> >>  Calling-Station-Id = "987654321"
> >>  Acct-Delay-Time = 0
> >>  Acct-Session-Time = 1000
> >>  Acct-Input-Octets = 20000
> >>  Acct-Output-Octets = 30000
> >>
> >> Packet dump:
> >> *** Received from 63.148.117.3 port 1646 ....
> >> Code:       Accounting-Response
> >> Identifier: 64
> >> Authentic:  <237><203>Z_<169><202>Um#&<241><136><29>8<145><23>
> >> Attributes:
> >>
> >> OK
> >> --------END----------
> >>
> >> As for a crash course in TimeOfDay, it's a radius attribute that is used to
> >> define when a user can login. Say 7:30am to 3:30pm etc -> "07:30-15:30" or
> >> cannot login "!00:00-02:00" -> midnight to 2am. It is pretty similar to the
> >> Radiator Time attribute. However I have tried changing the columndef to
> >> "AuthColumnDef 0,Time,reply" and adding "Al" to the front of the field to
> >> apply for all days as the radiator manual shows. What I need to do is limit
> >> a few users to only login during certain hours (at their boss's request).
> >> For now I have just added a stored procedure to my SQL server and a job to
> >> turn the account on and off at the specified time however that will not work
> >> forever.
> >>
> >> Thanks for the help,
> >>
> >> Brandon
> >>
> >> Note: This is running Radiator 3.7.1 on Windows 2000 SP4, w/ ActiveState
> >> Perl 5.6.1 using a 3Com Total Control.
> >>
> >> ----- Original Message -----
> >> From: "Hugh Irvine" <hugh at open.com.au>
> >> To: "Brandon Lehmann" <blehmann at glis.cc>
> >> Cc: <owner-radiator at open.com.au>; <radiator at open.com.au>
> >> Sent: Wednesday, November 12, 2003 5:03 PM
> >> Subject: Re: (RADIATOR) Profiles problems
> >>
> >>
> >>>
> >>> Hello Brandon -
> >>>
> >>> Could you please send me a trace 4 debug showing what is happening, and
> >>> a bit more detail on what exactly you are wanting to have happen? I am
> >>> not clear on what the TimeOfDay reply item is meant to do.
> >>>
> >>> regards
> >>>
> >>> Hugh
> >>>
> >>>
> >>> On 13/11/2003, at 7:10 AM, Brandon Lehmann wrote:
> >>>
> >>>> Hi List,
> >>>>
> >>>> I cannot get the radius server to return the profile while using
> >>>> the following configuration:
> >>>>
> >>>> ------START-----
> >>>> LogStdout   c:/radiator/stdout.txt
> >>>> LogDir c:/radiator
> >>>> DbDir c:/radiator.
> >>>>
> >>>> <Client DEFAULT>
> >>>>      Secret !removed for my protection!
> >>>>      DupInterval 0
> >>>> </Client>
> >>>>
> >>>> <Realm DEFAULT>
> >>>>
> >>>>      AuthByPolicy ContinueAlways
> >>>>
> >>>>      <AuthBy SQL>
> >>>>           Identifier ACCT1
> >>>>           DBSource dbi:ODBC:!removed for my protection!
> >>>>           DBUsername !removed for my protection!
> >>>>           DBAuth !removed for my protection!
> >>>>
> >>>>           AuthSelect
> >>>>
> >>>>           AccountingTable radacct1
> >>>>           AcctColumnDef UserName,User-Name
> >>>>           AcctColumnDef LogDateTime,Timestamp,integer-date
> >>>>           AcctColumnDef AcctStatusType,Acct-Status-Type
> >>>>           AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
> >>>>           AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
> >>>>           AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
> >>>>           AcctColumnDef AcctInputPackets,Acct-Input-Packets,integer
> >>>>           AcctColumnDef AcctOutputPackets,Acct-Output-Packets,integer
> >>>>           AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
> >>>>           AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause
> >>>>           AcctColumnDef NasIPAddress,NAS-IP-Address
> >>>>           AcctColumnDef NasIdentifier,NAS-Identifier
> >>>>           AcctColumnDef NasPortId,NAS-Port,integer
> >>>>           AcctColumnDef NasPortType,NAS-Port-Type,integer
> >>>>           AcctColumnDef ConnectInfo,Connect-Info
> >>>>           AcctColumnDef ServiceType,Service-Type
> >>>>           AcctColumnDef FramedProtocol,Framed-Protocol
> >>>>           AcctColumnDef FramedAddress,Framed-IP-Address
> >>>>           AcctColumnDef CallingStationId,Calling-Station-Id
> >>>>      </AuthBy>
> >>>>
> >>>>      <AuthBy SQL>
> >>>>           Identifier AUTH1
> >>>>           DBSource dbi:ODBC:!removed for my protection!
> >>>>           DBUsername !removed for my protection!
> >>>>           DBAuth  !removed for my protection!
> >>>>
> >>>>           AuthSelect select ClearTextPassword,ServiceType,SessionLimit, \
> >>>>               IdleLimit,StaticIP,IPNetmask,FramedRoute,PortLimit, \
> >>>>               PortLimit,ProfileID from Customers where CustomerID=%0 \
> >>>>               and Disable is null
> >>>>           AuthColumnDef 0,Password,check
> >>>>           AuthColumnDef 1,Service-Type,reply
> >>>>           AuthColumnDef 2,Session-Timeout,reply
> >>>>           AuthColumnDef 3,Idle-Timeout,reply
> >>>>           AuthColumnDef 4,Framed-IP-Address,reply
> >>>>           AuthColumnDef 5,Framed-IP-Netmask,reply
> >>>>           AuthColumnDef 6,Framed-Route,reply
> >>>>           AuthColumnDef 7,Port-Limit,reply
> >>>>           AuthColumnDef 8,Simultaneous-Use,check
> >>>>           AuthColumnDef 9,Profile,reply
> >>>>      </AuthBy>
> >>>>      <AuthBy SQL>
> >>>>          DBSource dbi:ODBC:!removed for my protection!
> >>>>          DBUsername !removed for my protection!
> >>>>          DBAuth !removed for my protection!
> >>>>
> >>>>          AuthSelect      SELECT timeofday FROM profiles WHERE \
> >>>>             [profile]='%{Reply:Profile}'
> >>>>          AuthColumnDef 0,TimeOfDay,reply
> >>>>
> >>>>          StripFromReply Profile
> >>>>      </AuthBy>
> >>>>
> >>>>      SessionDatabase SDB1
> >>>>
> >>>> </Realm>
> >>>>
> >>>> <SessionDatabase SQL>
> >>>>      Identifier SDB1
> >>>>      DBSource dbi:ODBC:!removed for my protection!
> >>>>      DBUsername !removed for my protection!
> >>>>      DBAuth  !removed for my protection!
> >>>> </SessionDatabase>
> >>>> -------END----
> >>>>
> >>>> If I change "AuthByPolicy ContinueAlways" to "AuthByPolicy
> >>>> ContinueWhileAccept" then the server always returns "Request Denied". Any
> >>>> input would be greatly appreciated. Note: I have already searched the list
> >>>> archives, nothing seems to work.
> >>>>
> >>>> Thank you,
> >>>>
> >>>> Brandon Lehmann
> >>>> Network Administrator
> >>>> Great Lakes Internet Service, LLC.
> >>>> The Computer Loft, Inc.
> >>>> 218 Justice St
> >>>> Fremont, Ohio 43420
> >>>> 419.332.3553
> >>>> blehmann at glis.cc
> >>>>
> >>>> ===
> >>>> Archive at http://www.open.com.au/archives/radiator/
> >>>> Announcements on radiator-announce at open.com.au
> >>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>> 'unsubscribe radiator' in the body of the message.
> >>>>
> >>>>
> >>>
> >>> NB: have you included a copy of your configuration file (no secrets),
> >>> together with a trace 4 debug showing what is happening?
> >>>
> >>> -- 
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>> -
> >>> Nets: internetwork inventory and management - graphical, extensible,
> >>> flexible with hardware, software, platform and database independence.
> >>> -
> >>> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>>
> >>>
> >>
> >
> >
> >
>
>

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
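
Hugh's diagnosis in the thread is that a reply attribute named in the configuration is not defined in the dictionary. The following is an added example, not part of the thread and not Radiator code, that checks the posted AuthColumnDef lines against a dictionary; the dictionary excerpt is constructed, and the rule that check items and StripFromReply items need no dictionary entry is an assumption.

```python
import re

# Constructed dictionary excerpt in the usual RADIUS dictionary layout
# (ATTRIBUTE <name> <number> <type>); it is not Radiator's shipped dictionary.
SAMPLE_DICTIONARY = """\
ATTRIBUTE   Service-Type      6   integer
ATTRIBUTE   Session-Timeout   27  integer
ATTRIBUTE   Port-Limit        62  integer
"""

# A subset of the AuthColumnDef / StripFromReply lines posted in the thread.
SAMPLE_CONFIG = """\
AuthColumnDef 0,Password,check
AuthColumnDef 1,Service-Type,reply
AuthColumnDef 2,Session-Timeout,reply
AuthColumnDef 7,Port-Limit,reply
AuthColumnDef 8,Simultaneous-Use,check
AuthColumnDef 9,Profile,reply
AuthColumnDef 0,TimeOfDay,reply
StripFromReply Profile
"""

COLUMN_DEF = re.compile(r"^\s*AuthColumnDef\s+\d+\s*,\s*([^,\s]+)\s*,\s*(\w+)", re.I)
STRIP = re.compile(r"^\s*StripFromReply\s+(.+)$", re.I)


def dictionary_attributes(text):
    """Names defined by ATTRIBUTE lines, plus VENDORATTR lines (name in field 3)."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
            names.add(fields[1])
        elif len(fields) >= 5 and fields[0] == "VENDORATTR":
            names.add(fields[2])
    return names


def undefined_reply_attributes(dictionary_text, config_text):
    """Return (config line number, attribute) for reply items the dictionary lacks.

    Assumption: check items are evaluated inside the server and items named in
    StripFromReply never reach the wire, so only other reply items are checked.
    """
    known = dictionary_attributes(dictionary_text)
    replies, stripped = [], set()
    for number, line in enumerate(config_text.splitlines(), start=1):
        column = COLUMN_DEF.match(line)
        if column and column.group(2).lower() == "reply":
            replies.append((number, column.group(1)))
        strip = STRIP.match(line)
        if strip:
            stripped.update(name.strip() for name in strip.group(1).split(","))
    return [(n, a) for n, a in replies if a not in known and a not in stripped]


if __name__ == "__main__":
    for n, attr in undefined_reply_attributes(SAMPLE_DICTIONARY, SAMPLE_CONFIG):
        print(f"config line {n}: reply attribute {attr!r} is not in the dictionary")
```
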

