(RADIATOR) Problem with the username that is used for online confirmation
Vangelis Kyriakakis
vkyriak at forthnet.gr
Mon Apr 17 02:18:49 CDT 2006
Hello Hugh,
Thanks for your answer. I had already found the problem myself
and had posted the fix, but it seemed that the post didn't reach the
email list and also I was unsubscribed and didn't get the list mails.
Anyway I guess the problem was the missing $user_name in line
171. I had fixed that and tested it. It's working.
Thanks again
Vangelis
Hugh Irvine wrote:
>
> Hello again Vangelis -
>
> Thanks for your patience.
>
> We have now posted a patch which should fix this issue - many thanks
> for reporting it.
>
> The affected module is Radius/SessSQL.pm which is included in the
> latest patch set.
>
> Please test it and let me know if the problem is resolved.
>
> Apologies for the delay in getting this resolved.
>
> regards
>
> Hugh
>
>
> On 15 Apr 2006, at 14:43, Hugh Irvine wrote:
>
>>
>> Hello Vangelis -
>>
>> I'm sorry this has taken so long, but I think I have found the problem.
>>
>> I will check with Mike and we'll try to have a patch for you early
>> next week.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 7 Apr 2006, at 17:50, Vangelis Kyriakakis wrote:
>>
>>> Hello Hugh,
>>>
>>> I changed the CountQuery to
>>>
>>> CountQuery select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID),
>>> FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>>>
>>> and it has the same behaviour:
>>>
>>> Fri Apr 7 10:40:44 2006: DEBUG: Radius::AuthLDAP2 looks for match
>>> with grakkos.ath.forthnet.gr [grakkos.ath.forthnet.gr at forthnet.gr]
>>> Fri Apr 7 10:40:44 2006: DEBUG: Query is: 'select NASIDENTIFIER,
>>> NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME
>>> from netman..RADONLINE where USERNAME='grakkos.ath.forthnet.gr'':
>>> Fri Apr 7 10:40:44 2006: DEBUG: Checking if user is still online:
>>> CiscoDSL, grakkos.ath.forthnet.gr at forthnet.gr, 194.219.252.147,
>>> 966, 5849343 62.1.247.103
>>> Fri Apr 7 10:40:44 2006: DEBUG: Cisco: Checking ADSL 5849343->
>>> 194.219.252.147:966:grakkos.ath.forthnet.gr at forthnet.gr
>>> Fri Apr 7 10:40:44 2006: DEBUG: Running command
>>> `/opt/ucd-snmp/bin/snmpget -c "FORTHNET" 194.219.252.147
>>> .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.5849343 2>&1`
>>> Fri Apr 7 10:40:44 2006: DEBUG: Radius::AuthLDAP2 REJECT:
>>> DefaultSimultaneousUse of 1 exceeded: grakkos.ath.forthnet.gr
>>> [grakkos.ath.forthnet.gr at forthnet.gr]
>>>
>>> The username in the access request is
>>> grakkos.ath.forthnet.gr at forthnet.gr, I rewrite it into
>>> grakkos.ath.forthnet.gr and store it in the RADONLINE.
>>>
>>> Regards
>>> Vangelis
>>>
>>> Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Vangelis -
>>>>
>>>> It doesn't look like the CountQuery is configured correctly:
>>>>
>>>>
>>>> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER,
>>>> NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where
>>>> USERNAME='biqiqo.ath.forthnet.gr'':
>>>>
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 6 Apr 2006, at 19:17, Vangelis Kyriakakis wrote:
>>>>
>>>>> Hello Hugh,
>>>>>
>>>>> We upgraded to version 3.14 with latest patches.
>>>>> Unfortunately we get the same results:
>>>>>
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 looks for
>>>>> match with biqiqo.ath.forthnet.gr
>>>>> [biqiqo.ath.forthnet.gr at forthnet.gr]
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select
>>>>> NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID) from
>>>>> netman..RADONLINE where USERNAME='biqiqo.ath.forthnet.gr'':
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Checking if user is still
>>>>> online: CiscoDSL, biqiqo.ath.forthnet.gr at forthnet.gr,
>>>>> 194.219.252.148, 2056, 4203759
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759->
>>>>> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Running command
>>>>> `/opt/ucd-snmp/bin/snmpget -c "FORTHNET" 194.219.252.148
>>>>> .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.4203759 2>&1`
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 REJECT:
>>>>> DefaultSimultaneousUse of 1 exceeded: biqiqo.ath.forthnet.gr
>>>>> [biqiqo.ath.forthnet.gr at forthnet.gr]
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: AuthBy LDAP2 result: REJECT,
>>>>> DefaultSimultaneousUse of 1 exceeded
>>>>>
>>>>> The line
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759->
>>>>> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
>>>>> is produced by a line we added to the Cisco.pm:
>>>>>
>>>>> &main::log($main::LOG_DEBUG, "Cisco: Checking ADSL $session_id->
>>>>> $nas_id:$nas_port:$name" );
>>>>>
>>>>> So, it seems that the username that is passed to Cisco.pm is the
>>>>> original username with the realm, and not the one that %U should
>>>>> give.
>>>>>
>>>>> Regards
>>>>> Vangelis
>>>>>
>>>>> Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Vangelis -
>>>>>>
>>>>>> According to the history file this functionality was introduced
>>>>>> in Radiator 3.6.
>>>>>>
>>>>>> Could you download and install Radiator 3.14 on a clean test
>>>>>> server and test it?
>>>>>>
>>>>>> Please let me know what you discover.
>>>>>>
>>>>>> thanks and regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 31 Mar 2006, at 18:06, Vangelis Kyriakakis wrote:
>>>>>>
>>>>>>> Hello Hugh,
>>>>>>>
>>>>>>> We are running 3.7.1. We are a little behind from the
>>>>>>> current version. If it is something that was fixed in a later
>>>>>>> version we'll upgrade.
>>>>>>>
>>>>>>> Regards
>>>>>>> Vangelis
>>>>>>>
>>>>>>> Hugh Irvine wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Hello Vangelis -
>>>>>>>>
>>>>>>>> What version of Radiator are you running?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Hugh
>>>>>>>>
>>>>>>>>
>>>>>>>> On 30 Mar 2006, at 21:56, Vangelis Kyriakakis wrote:
>>>>>>>>
>>>>>>>>> Hello Hugh,
>>>>>>>>>
>>>>>>>>> Thanks for the answer. The username that I want to get
>>>>>>>>> back is the rewritten one, that is the one I already
>>>>>>>>> store in the RADONLINE. But what I get is the full
>>>>>>>>> original username. I guess what you told me to do will
>>>>>>>>> give me the original username, or am I wrong?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Vangelis Kyriakakis
>>>>>>>>>
>>>>>>>>> Hugh Irvine wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hello Vangelis -
>>>>>>>>>>
>>>>>>>>>> You must extend the RADONLINE table to include a field to
>>>>>>>>>> contain the original username and modify the AddQuery so
>>>>>>>>>> it adds both the rewritten username and the original
>>>>>>>>>> username to the table. Then the fifth field in the
>>>>>>>>>> CountQuery must be the original username.
>>>>>>>>>>
>>>>>>>>>> hope that helps
>>>>>>>>>>
>>>>>>>>>> regards
>>>>>>>>>>
>>>>>>>>>> Hugh
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 30 Mar 2006, at 20:43, Vangelis Kyriakakis wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I see from the logfiles that Radiator always uses the
>>>>>>>>>>> whole username that is being authenticated as the
>>>>>>>>>>> username that is used for online confirmation via SNMP.
>>>>>>>>>>> The manual says in CountQuery "If a user name is
>>>>>>>>>>> present as the fifth field returned by the query, that
>>>>>>>>>>> is the user name that will be used to confirm the user
>>>>>>>>>>> is still on line.".
>>>>>>>>>>> Using the following configuration:
>>>>>>>>>>>
>>>>>>>>>>> <Handler Client-Identifier=adsl>
>>>>>>>>>>>     RejectHasReason
>>>>>>>>>>>     RewriteUsername s/^([^@]+).*/$1/
>>>>>>>>>>>     AuthBy adsl
>>>>>>>>>>>     SessionDatabase Session-dsl
>>>>>>>>>>>     AuthLog logger
>>>>>>>>>>> </Handler>
>>>>>>>>>>>
>>>>>>>>>>> <SessionDatabase SQL>
>>>>>>>>>>>     Identifier Session-dsl
>>>>>>>>>>>     DBSource dbi:Sybase:RADIUS
>>>>>>>>>>>     DBUsername tacacs
>>>>>>>>>>>     DBAuth xxxxxxx
>>>>>>>>>>>     Timeout 5
>>>>>>>>>>>     FailureBackoffTime 5
>>>>>>>>>>>     AddQuery insert into netman..RADONLINE (USERNAME,NASIDENTIFIER,NASPORT,\
>>>>>>>>>>>         ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\
>>>>>>>>>>>         SERVICETYPE) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}',\
>>>>>>>>>>>         %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}',\
>>>>>>>>>>>         '%{Service-Type}')
>>>>>>>>>>>     DeleteQuery delete from netman..RADONLINE where NASIDENTIFIER='%1' and NASPORT=0%2
>>>>>>>>>>>     ClearNasQuery delete from netman..RADONLINE where NASIDENTIFIER='%N'
>>>>>>>>>>>     CountQuery select NASIDENTIFIER, NASPORT, hextoint (ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>>>>>>>>>>> </SessionDatabase>
>>>>>>>>>>>
>>>>>>>>>>> If the user that is being authenticated is user at domain
>>>>>>>>>>> then Radiator always uses user at domain as the username
>>>>>>>>>>> that is checked against the snmpget result although
>>>>>>>>>>> the RADONLINE database keeps only user in the USERNAME
>>>>>>>>>>> field.
>>>>>>>>>>>
>>>>>>>>>>> Am I doing something wrong, or is this a bug?
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Vangelis Kyriakakis
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> NB:
>>>>>>>>>>
>>>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>>>> Have you searched the mailing list archive
>>>>>>>>>> (www.open.com.au/archives/radiator)?
>>>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>>>> Have you included a copy of your configuration file (no
>>>>>>>>>> secrets),
>>>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>>>>
>>>>>>>>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
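
A log check for the symptom discussed in this thread, as an added example that is not part of the original messages or Radiator's own code: it pairs each CountQuery line in a trace 4 debug log with the "Checking if user is still online" line that follows it and reports where the name being confirmed differs from the USERNAME the session row was matched on. The sample log, user names and addresses are constructed; the line formats are assumed from the output quoted above.

```python
import re

# RewriteUsername s/^([^@]+).*/$1/ from the handler in the thread.
REWRITE = re.compile(r"^([^@]+).*")
# Line formats follow the trace 4 debug output quoted in the thread.
QUERY = re.compile(r"DEBUG: Query is: '.*\bwhere USERNAME='([^']*)''", re.I)
CHECK = re.compile(
    r"DEBUG: Checking if user is still online: ([^,]+), ([^,]+), ([^,]+),")

def rewrite_username(name):
    """Keep everything before the first '@', as the handler's rule does."""
    return REWRITE.sub(r"\1", name, count=1)

def find_mismatches(lines):
    """Compare each online check with the most recent CountQuery and return
    (nas, checked_name, db_name, explained_by_rewrite) when the names differ."""
    findings, db_name = [], None
    for line in lines:
        m = QUERY.search(line)
        if m:
            db_name = m.group(1)
            continue
        m = CHECK.search(line)
        if m and db_name is not None:
            _nas_type, checked, nas = (g.strip() for g in m.groups())
            if checked != db_name:
                findings.append(
                    (nas, checked, db_name, rewrite_username(checked) == db_name))
    return findings

# Constructed sample log (hypothetical users, documentation IP ranges).
SAMPLE = [
    "Fri Apr 7 10:40:44 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, "
    "hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE "
    "where USERNAME='alice'':",
    "Fri Apr 7 10:40:44 2006: DEBUG: Checking if user is still online: "
    "CiscoDSL, alice@example.net, 192.0.2.10, 966, 5849343 198.51.100.7",
    "Fri Apr 7 10:41:02 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, "
    "hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE "
    "where USERNAME='bob'':",
    "Fri Apr 7 10:41:02 2006: DEBUG: Checking if user is still online: "
    "CiscoDSL, bob, 192.0.2.11, 2056, 4203759 198.51.100.8",
]

if __name__ == "__main__":
    for nas, checked, db_name, explained in find_mismatches(SAMPLE):
        print(f"{nas}: checked {checked!r}, session row has {db_name!r}, "
              f"rewrite explains it: {explained}")
```

A finding whose last field is True means the confirmed name still carries the realm that the rewrite rule strips before the session row is stored.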