(RADIATOR) Problem with the username that is used for online confirmation
Hugh Irvine
hugh at open.com.au
Tue Apr 11 02:39:07 CDT 2006
Hello Vangelis -
Could you please send me the contents of the RADONLINE table when you
try your tests, and also the output of running the CountQuery by hand?
I'd also like to see the startup messages from Radiator.
many thanks
Hugh
On 7 Apr 2006, at 17:50, Vangelis Kyriakakis wrote:
> Hello Hugh,
>
> I changed the CountQuery to
>
> CountQuery select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID),
> FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>
> and it has the same behaviour:
>
> Fri Apr 7 10:40:44 2006: DEBUG: Radius::AuthLDAP2 looks for match with grakkos.ath.forthnet.gr [grakkos.ath.forthnet.gr at forthnet.gr]
> Fri Apr 7 10:40:44 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='grakkos.ath.forthnet.gr'':
> Fri Apr 7 10:40:44 2006: DEBUG: Checking if user is still online: CiscoDSL, grakkos.ath.forthnet.gr at forthnet.gr, 194.219.252.147, 966, 5849343 62.1.247.103
> Fri Apr 7 10:40:44 2006: DEBUG: Cisco: Checking ADSL 5849343-> 194.219.252.147:966:grakkos.ath.forthnet.gr at forthnet.gr
> Fri Apr 7 10:40:44 2006: DEBUG: Running command `/opt/ucd-snmp/bin/snmpget -c "FORTHNET" 194.219.252.147 .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.5849343 2>&1`
> Fri Apr 7 10:40:44 2006: DEBUG: Radius::AuthLDAP2 REJECT: DefaultSimultaneousUse of 1 exceeded: grakkos.ath.forthnet.gr [grakkos.ath.forthnet.gr at forthnet.gr]
>
> The username in the access request is
> grakkos.ath.forthnet.gr at forthnet.gr, I rewrite it into
> grakkos.ath.forthnet.gr and store it in the RADONLINE.
>
> Regards
> Vangelis
>
> Hugh Irvine wrote:
>
>>
>> Hello Vangelis -
>>
>> It doesn't look like the CountQuery is configured correctly:
>>
>>
>> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER,
>> NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where
>> USERNAME='biqiqo.ath.forthnet.gr'':
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 6 Apr 2006, at 19:17, Vangelis Kyriakakis wrote:
>>
>>> Hello Hugh,
>>>
>>> We upgraded to version 3.14 with latest patches.
>>> Unfortunately we get the same results:
>>>
>>> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 looks for match with biqiqo.ath.forthnet.gr [biqiqo.ath.forthnet.gr at forthnet.gr]
>>> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where USERNAME='biqiqo.ath.forthnet.gr'':
>>> Thu Apr 6 12:03:10 2006: DEBUG: Checking if user is still online: CiscoDSL, biqiqo.ath.forthnet.gr at forthnet.gr, 194.219.252.148, 2056, 4203759
>>> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759-> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
>>> Thu Apr 6 12:03:10 2006: DEBUG: Running command `/opt/ucd-snmp/bin/snmpget -c "FORTHNET" 194.219.252.148 .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.4203759 2>&1`
>>> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 REJECT: DefaultSimultaneousUse of 1 exceeded: biqiqo.ath.forthnet.gr [biqiqo.ath.forthnet.gr at forthnet.gr]
>>> Thu Apr 6 12:03:10 2006: DEBUG: AuthBy LDAP2 result: REJECT, DefaultSimultaneousUse of 1 exceeded
>>>
>>> The line
>>> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759-> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
>>> is produced by a line we added to the Cisco.pm:
>>>
>>> &main::log($main::LOG_DEBUG, "Cisco: Checking ADSL $session_id-> $nas_id:$nas_port:$name" );
>>>
>>> So, it seems that username that is passed to Cisco.pm is the
>>> original username with the realm, and not the one that %U should
>>> give.
>>>
>>> Regards
>>> Vangelis
>>>
>>> Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Vangelis -
>>>>
>>>> According to the history file this functionality was introduced
>>>> in Radiator 3.6.
>>>>
>>>> Could you download and install Radiator 3.14 on a clean test
>>>> server and test it?
>>>>
>>>> Please let me know what you discover.
>>>>
>>>> thanks and regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 31 Mar 2006, at 18:06, Vangelis Kyriakakis wrote:
>>>>
>>>>> Hello Hugh,
>>>>>
>>>>> We are running 3.7.1. We are a little behind from the
>>>>> current version. If it is something that was fixed in a later
>>>>> version we'll upgrade.
>>>>>
>>>>> Regards
>>>>> Vangelis
>>>>>
>>>>> Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Vangelis -
>>>>>>
>>>>>> What version of Radiator are you running?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 30 Mar 2006, at 21:56, Vangelis Kyriakakis wrote:
>>>>>>
>>>>>>> Hello Hugh,
>>>>>>>
>>>>>>> Thanks for the answer. The username that I want to get
>>>>>>> back is the rewritten one, that is the one I already
>>>>>>> store in the RADONLINE. But what I get is the full
>>>>>>> original username. I guess what you told me to do will
>>>>>>> give me the original username, or am I wrong?
>>>>>>>
>>>>>>> Regards
>>>>>>> Vangelis Kyriakakis
>>>>>>>
>>>>>>> Hugh Irvine wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Hello Vangelis -
>>>>>>>>
>>>>>>>> You must extend the RADONLINE table to include a field to
>>>>>>>> contain the original username and modify the AddQuery so
>>>>>>>> it adds both the rewritten username and the original
>>>>>>>> username to the table. Then the fifth field in the
>>>>>>>> CountQuery must be the original username.
>>>>>>>>
>>>>>>>> hope that helps
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Hugh
>>>>>>>>
>>>>>>>>
>>>>>>>> On 30 Mar 2006, at 20:43, Vangelis Kyriakakis wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I see from the logfiles that Radiator always uses the
>>>>>>>>> whole username that is being authenticated as the
>>>>>>>>> username that is used for online confirmation via SNMP.
>>>>>>>>> The manual says in CountQuery "If a user name is
>>>>>>>>> present as the fifth field returned by the query, that
>>>>>>>>> is the user name that will be used to confirm the user
>>>>>>>>> is still on line.".
>>>>>>>>> Using the following configuration:
>>>>>>>>>
>>>>>>>>> <Handler Client-Identifier=adsl>
>>>>>>>>>     RejectHasReason
>>>>>>>>>     RewriteUsername s/^([^@]+).*/$1/
>>>>>>>>>     AuthBy adsl
>>>>>>>>>     SessionDatabase Session-dsl
>>>>>>>>>     AuthLog logger
>>>>>>>>> </Handler>
>>>>>>>>>
>>>>>>>>> <SessionDatabase SQL>
>>>>>>>>>     Identifier Session-dsl
>>>>>>>>>     DBSource dbi:Sybase:RADIUS
>>>>>>>>>     DBUsername tacacs
>>>>>>>>>     DBAuth xxxxxxx
>>>>>>>>>     Timeout 5
>>>>>>>>>     FailureBackoffTime 5
>>>>>>>>>     AddQuery insert into netman..RADONLINE (USERNAME,NASIDENTIFIER,NASPORT,\
>>>>>>>>>         ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\
>>>>>>>>>         SERVICETYPE) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}',\
>>>>>>>>>         %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}',\
>>>>>>>>>         '%{Service-Type}')
>>>>>>>>>     DeleteQuery delete from netman..RADONLINE where NASIDENTIFIER='%1' and NASPORT=0%2
>>>>>>>>>     ClearNasQuery delete from netman..RADONLINE where NASIDENTIFIER='%N'
>>>>>>>>>     CountQuery select NASIDENTIFIER, NASPORT, hextoint (ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>>>>>>>>> </SessionDatabase>
>>>>>>>>> If the user that is being authenticated is user at domain
>>>>>>>>> then Radiator always uses user at domain as the username
>>>>>>>>> that is checked against the snmpget result although
>>>>>>>>> the RADONLINE database keeps only user in the USERNAME
>>>>>>>>> field.
>>>>>>>>>
>>>>>>>>> Am I doing something wrong, or is this a bug?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Vangelis Kyriakakis
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> NB:
>>>>>>>>
>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>> Have you searched the mailing list archive
>>>>>>>> (www.open.com.au/ archives/ radiator)?
>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>> Have you included a copy of your configuration file (no
>>>>>>>> secrets),
>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
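
Added example, not part of the thread and not Radiator's own code: a Python/sqlite3 model of the advice quoted above (store both the rewritten and the original username, and return the original as the fifth CountQuery field). The column name ORIGUSERNAME, the hex session id 005940FF, and the name-equality confirmation rule are assumptions; '@' is written where the archive shows ' at '.

```python
import re
import sqlite3

OID_PREFIX = ".iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2"  # from the log

def rewrite_username(name):
    """Python form of the thread's RewriteUsername s/^([^@]+).*/$1/."""
    return re.sub(r"^([^@]+).*", r"\1", name, count=1)

def open_session_db():
    db = sqlite3.connect(":memory:")
    # ORIGUSERNAME is a hypothetical name for the extra column Hugh describes.
    db.execute("create table RADONLINE (USERNAME text, ORIGUSERNAME text, "
               "NASIDENTIFIER text, NASPORT integer, ACCTSESSIONID text, "
               "FRAMEDIPADDRESS text)")
    return db

def add_session(db, request_name, nas, port, session_hex, ip):
    """AddQuery analogue: store both the rewritten and the original name."""
    db.execute("insert into RADONLINE values (?,?,?,?,?,?)",
               (rewrite_username(request_name), request_name, nas, port,
                session_hex, ip))

def sessions_to_confirm(db, request_name, fifth="ORIGUSERNAME"):
    """CountQuery analogue: look up by rewritten name and return the fifth
    field as the name to confirm, plus the SNMP OID for the session."""
    if fifth not in ("USERNAME", "ORIGUSERNAME"):
        raise ValueError("unknown column")
    rows = db.execute(
        "select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS, "
        + fifth + " from RADONLINE where USERNAME = ?",
        (rewrite_username(request_name),)).fetchall()
    out = []
    for nas, port, session_hex, ip, name in rows:
        session = int(session_hex, 16)  # stands in for Sybase hextoint()
        out.append({"nas": nas, "port": port, "session": session,
                    "confirm_as": name, "oid": f"{OID_PREFIX}.{session}"})
    return out

def still_online(nas_reported_name, confirm_as):
    """Assumed confirmation rule: the session counts only if the names match."""
    return nas_reported_name == confirm_as

if __name__ == "__main__":
    db = open_session_db()
    full = "grakkos.ath.forthnet.gr@forthnet.gr"  # constructed from the log
    add_session(db, full, "194.219.252.147", 966, "005940FF", "62.1.247.103")
    for col in ("USERNAME", "ORIGUSERNAME"):
        s = sessions_to_confirm(db, full, col)[0]
        print(col, s["confirm_as"], s["oid"], still_online(full, s["confirm_as"]))
```
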