(RADIATOR) Problem with the username that is used for online confirmation
Hugh Irvine
hugh at open.com.au
Thu Apr 6 15:17:30 CDT 2006
Hello Vangelis -
It doesn't look like the CountQuery is configured correctly:
Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER,
NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where
USERNAME='biqiqo.ath.forthnet.gr'':
regards
Hugh
On 6 Apr 2006, at 19:17, Vangelis Kyriakakis wrote:
> Hello Hugh,
>
> We upgraded to version 3.14 with latest patches.
> Unfortunately we get the same results:
>
> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 looks for match
> with biqiqo.ath.forthnet.gr [biqiqo.ath.forthnet.gr at forthnet.gr]
> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER,
> NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where
> USERNAME='biqiqo.ath.forthnet.gr'':
> Thu Apr 6 12:03:10 2006: DEBUG: Checking if user is still online:
> CiscoDSL, biqiqo.ath.forthnet.gr at forthnet.gr, 194.219.252.148,
> 2056, 4203759
> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759->
> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
> Thu Apr 6 12:03:10 2006: DEBUG: Running command `/opt/ucd-snmp/bin/
> snmpget -c "FORTHNET"
> 194.219.252.148 .iso.org.dod.internet.private.enterprises.
> 9.9.150.1.1.3.1.2.4203759 2>&1`
> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 REJECT:
> DefaultSimultaneousUse of 1 exceeded: biqiqo.ath.forthnet.gr
> [biqiqo.ath.forthnet.gr at forthnet.gr]
> Thu Apr 6 12:03:10 2006: DEBUG: AuthBy LDAP2 result: REJECT,
> DefaultSimultaneousUse of 1 exceeded
>
> The line
> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759->
> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
> is produced by a line we added to the Cisco.pm:
>
> &main::log($main::LOG_DEBUG, "Cisco: Checking ADSL $session_id-> $nas_id:$nas_port:$name" );
>
> So, it seems that username that is passed to Cisco.pm is the
> original username with the realm, and not the one that %U should give.
>
> Regards
> Vangelis
>
> Hugh Irvine wrote:
>
>>
>> Hello Vangelis -
>>
>> According to the history file this functionality was introduced
>> in Radiator 3.6.
>>
>> Could you download and install Radiator 3.14 on a clean test
>> server and test it?
>>
>> Please let me know what you discover.
>>
>> thanks and regards
>>
>> Hugh
>>
>>
>> On 31 Mar 2006, at 18:06, Vangelis Kyriakakis wrote:
>>
>>> Hello Hugh,
>>>
>>> We are running 3.7.1. We are a little behind from the
>>> current version. If it is something that was fixed in a later
>>> version we'll upgrade.
>>>
>>> Regards
>>> Vangelis
>>>
>>> Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Vangelis -
>>>>
>>>> What version of Radiator are you running?
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 30 Mar 2006, at 21:56, Vangelis Kyriakakis wrote:
>>>>
>>>>> Hello Hugh,
>>>>>
>>>>> Thanks for the answer. The username that I want to get
>>>>> back is the rewritten one, that is the one I already store
>>>>> in the RADONLINE. But what I get is the full original
>>>>> username. I guess what you told me to do will give me the
>>>>> original username, or am I wrong?
>>>>>
>>>>> Regards
>>>>> Vangelis Kyriakakis
>>>>>
>>>>> Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Vangelis -
>>>>>>
>>>>>> You must extend the RADONLINE table to include a field to
>>>>>> contain the original username and modify the AddQuery so it
>>>>>> adds both the rewritten username and the original username
>>>>>> to the table. Then the fifth field in the CountQuery must
>>>>>> be the original username.
>>>>>>
>>>>>> hope that helps
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 30 Mar 2006, at 20:43, Vangelis Kyriakakis wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I see from the logfiles that Radiator always uses the
>>>>>>> whole username that is being authenticated as the username
>>>>>>> that is used for online confirmation via SNMP.
>>>>>>> The manual says in CountQuery "If a user name is present
>>>>>>> as the fifth field returned by the query, that is the user
>>>>>>> name that will be used to confirm the user is still on line.".
>>>>>>> Using the following configuration:
>>>>>>>
>>>>>>> <Handler Client-Identifier=adsl>
>>>>>>> RejectHasReason
>>>>>>> RewriteUsername s/^([^@]+).*/$1/
>>>>>>> AuthBy adsl
>>>>>>> SessionDatabase Session-dsl
>>>>>>> AuthLog logger
>>>>>>> </Handler>
>>>>>>>
>>>>>>> <SessionDatabase SQL>
>>>>>>> Identifier Session-dsl
>>>>>>> DBSource dbi:Sybase:RADIUS
>>>>>>> DBUsername tacacs
>>>>>>> DBAuth xxxxxxx
>>>>>>> Timeout 5
>>>>>>> FailureBackoffTime 5
>>>>>>> AddQuery insert into netman..RADONLINE (USERNAME,NASIDENTIFIER,NASPORT,\
>>>>>>>     ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\
>>>>>>>     SERVICETYPE) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}',\
>>>>>>>     %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}',\
>>>>>>>     '%{Service-Type}')
>>>>>>> DeleteQuery delete from netman..RADONLINE where NASIDENTIFIER='%1' and NASPORT=0%2
>>>>>>> ClearNasQuery delete from netman..RADONLINE where NASIDENTIFIER='%N'
>>>>>>> CountQuery select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>>>>>>> </SessionDatabase>
>>>>>>> If the user that is being authenticated is user@domain
>>>>>>> then Radiator always uses user@domain as the username that
>>>>>>> is checked against the snmpget result although the
>>>>>>> RADONLINE database keeps only user in the USERNAME field.
>>>>>>>
>>>>>>> Am I doing something wrong, or is this a bug?
>>>>>>>
>>>>>>> Regards
>>>>>>> Vangelis Kyriakakis
>>>>>>>
>>>>>>> --
>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> NB:
>>>>>>
>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>> Have you searched the mailing list archive (www.open.com.au/
>>>>>> archives/ radiator)?
>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>
>>>>>
>>>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
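
The mismatch raised at the top of the thread can be checked mechanically: the logged query returns three fields, while the manual passage quoted in the first message puts the user name in the fifth. The following is an added example, not part of the original thread or of Radiator; the function names and the second sample log entry are assumptions constructed for illustration.

```python
import re

# Constructed sample: entry 1 is modelled on the trace quoted in the thread,
# entry 2 is what the five-column CountQuery from the posted config would log.
SAMPLE_LOG = """\
Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER,
NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where
USERNAME='biqiqo.ath.forthnet.gr'':
Thu Apr 6 12:03:11 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='biqiqo.ath.forthnet.gr'':
"""

TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: ")
QUERY = re.compile(r"Query is: '(select\b.*)':\s*$", re.I)
SELECT_LIST = re.compile(r"select\s+(.*?)\s+from\s", re.I)


def entries(log):
    """Re-join mail-wrapped lines so each timestamped entry is one string."""
    current = []
    for line in log.splitlines():
        if TIMESTAMP.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line.strip())
    if current:
        yield " ".join(current)


def select_columns(sql):
    """Split the select list on top-level commas; commas inside () are kept."""
    m = SELECT_LIST.match(sql)
    if not m:
        return []
    cols, depth, buf = [], 0, ""
    for ch in m.group(1):
        if ch == "," and depth == 0:
            cols.append(buf.strip())
            buf = ""
            continue
        depth += (ch == "(") - (ch == ")")
        buf += ch
    cols.append(buf.strip())
    return cols


def audit_count_queries(log, table="RADONLINE"):
    """Return (column_count, fifth_column_or_None) for each logged select on table."""
    results = []
    for entry in entries(log):
        m = QUERY.search(entry)
        if m and table.lower() in m.group(1).lower():
            cols = select_columns(m.group(1))
            results.append((len(cols), cols[4] if len(cols) >= 5 else None))
    return results
```

An entry reported as `(3, None)` means the query the server actually ran has no fifth field, so the configured CountQuery is not the one in effect.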