(RADIATOR) Problem with the username that is used for online confirmation
Hugh Irvine
hugh at open.com.au
Tue Apr 18 00:55:16 CDT 2006
Hello Vangelis -
Thanks for letting me know.
regards
Hugh
On 17 Apr 2006, at 17:18, Vangelis Kyriakakis wrote:
> Hello Hugh,
>
> Thanks for your answer. I had already found the problem
> myself and had posted the fix, but it seemed that the post didn't
> reach the email list and also I was unsubscribed and didn't get the
> list mails.
> Anyway I guess the problem was the missing $user_name in line
> 171. I had fixed that and tested it. It's working.
>
> Thanks again
> Vangelis
>
> Hugh Irvine wrote:
>
>>
>> Hello again Vangelis -
>>
>> Thanks for your patience.
>>
>> We have now posted a patch which should fix this issue - many
>> thanks for reporting it.
>>
>> The affected module is Radius/SessSQL.pm which is included in the
>> latest patch set.
>>
>> Please test it and let me know if the problem is resolved.
>>
>> Apologies for the delay in getting this resolved.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 15 Apr 2006, at 14:43, Hugh Irvine wrote:
>>
>>>
>>> Hello Vangelis -
>>>
>>> I'm sorry this has taken so long, but I think I have found the
>>> problem.
>>>
>>> I will check with Mike and we'll try to have a patch for you
>>> early next week.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 7 Apr 2006, at 17:50, Vangelis Kyriakakis wrote:
>>>
>>>> Hello Hugh,
>>>>
>>>> I changed the CountQuery to
>>>>
>>>> CountQuery select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>>>>
>>>> and it has the same behaviour:
>>>>
>>>> Fri Apr 7 10:40:44 2006: DEBUG: Radius::AuthLDAP2 looks for match with grakkos.ath.forthnet.gr [grakkos.ath.forthnet.gr at forthnet.gr]
>>>> Fri Apr 7 10:40:44 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='grakkos.ath.forthnet.gr'':
>>>> Fri Apr 7 10:40:44 2006: DEBUG: Checking if user is still online: CiscoDSL, grakkos.ath.forthnet.gr at forthnet.gr, 194.219.252.147, 966, 5849343 62.1.247.103
>>>> Fri Apr 7 10:40:44 2006: DEBUG: Cisco: Checking ADSL 5849343-> 194.219.252.147:966:grakkos.ath.forthnet.gr at forthnet.gr
>>>> Fri Apr 7 10:40:44 2006: DEBUG: Running command `/opt/ucd-snmp/bin/snmpget -c "FORTHNET" 194.219.252.147 .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.5849343 2>&1`
>>>> Fri Apr 7 10:40:44 2006: DEBUG: Radius::AuthLDAP2 REJECT: DefaultSimultaneousUse of 1 exceeded: grakkos.ath.forthnet.gr [grakkos.ath.forthnet.gr at forthnet.gr]
>>>>
>>>> The username in the access request is
>>>> grakkos.ath.forthnet.gr at forthnet.gr, I rewrite it into
>>>> grakkos.ath.forthnet.gr and store it in the RADONLINE.
>>>>
>>>> Regards
>>>> Vangelis
>>>>
>>>> Hugh Irvine wrote:
>>>>
>>>>>
>>>>> Hello Vangelis -
>>>>>
>>>>> It doesn't look like the CountQuery is configured correctly:
>>>>>
>>>>>
>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select
>>>>> NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID) from
>>>>> netman..RADONLINE where USERNAME='biqiqo.ath.forthnet.gr'':
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 6 Apr 2006, at 19:17, Vangelis Kyriakakis wrote:
>>>>>
>>>>>> Hello Hugh,
>>>>>>
>>>>>> We upgraded to version 3.14 with latest patches.
>>>>>> Unfortunately we get the same results:
>>>>>>
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 looks for match with biqiqo.ath.forthnet.gr [biqiqo.ath.forthnet.gr at forthnet.gr]
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID) from netman..RADONLINE where USERNAME='biqiqo.ath.forthnet.gr'':
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Checking if user is still online: CiscoDSL, biqiqo.ath.forthnet.gr at forthnet.gr, 194.219.252.148, 2056, 4203759
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759-> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Running command `/opt/ucd-snmp/bin/snmpget -c "FORTHNET" 194.219.252.148 .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.4203759 2>&1`
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Radius::AuthLDAP2 REJECT: DefaultSimultaneousUse of 1 exceeded: biqiqo.ath.forthnet.gr [biqiqo.ath.forthnet.gr at forthnet.gr]
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: AuthBy LDAP2 result: REJECT, DefaultSimultaneousUse of 1 exceeded
>>>>>>
>>>>>> The line
>>>>>> Thu Apr 6 12:03:10 2006: DEBUG: Cisco: Checking ADSL 4203759-> 194.219.252.148:2056:biqiqo.ath.forthnet.gr at forthnet.gr
>>>>>> is produced by a line we added to the Cisco.pm:
>>>>>>
>>>>>> &main::log($main::LOG_DEBUG, "Cisco: Checking ADSL $session_id-> $nas_id:$nas_port:$name" );
>>>>>>
>>>>>> So, it seems that the username that is passed to Cisco.pm is
>>>>>> the original username with the realm, and not the one that %U
>>>>>> should give.
>>>>>>
>>>>>> Regards
>>>>>> Vangelis
>>>>>>
>>>>>> Hugh Irvine wrote:
>>>>>>
>>>>>>>
>>>>>>> Hello Vangelis -
>>>>>>>
>>>>>>> According to the history file this functionality was
>>>>>>> introduced in Radiator 3.6.
>>>>>>>
>>>>>>> Could you download and install Radiator 3.14 on a clean
>>>>>>> test server and test it?
>>>>>>>
>>>>>>> Please let me know what you discover.
>>>>>>>
>>>>>>> thanks and regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>>
>>>>>>> On 31 Mar 2006, at 18:06, Vangelis Kyriakakis wrote:
>>>>>>>
>>>>>>>> Hello Hugh,
>>>>>>>>
>>>>>>>> We are running 3.7.1. We are a little behind from
>>>>>>>> the current version. If it is something that was fixed in
>>>>>>>> a later version we'll upgrade.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Vangelis
>>>>>>>>
>>>>>>>> Hugh Irvine wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello Vangelis -
>>>>>>>>>
>>>>>>>>> What version of Radiator are you running?
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> Hugh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 30 Mar 2006, at 21:56, Vangelis Kyriakakis wrote:
>>>>>>>>>
>>>>>>>>>> Hello Hugh,
>>>>>>>>>>
>>>>>>>>>> Thanks for the answer. The username that I want to
>>>>>>>>>> get back is the rewritten one, that is the one I
>>>>>>>>>> already store in the RADONLINE. But what I get is the
>>>>>>>>>> full original username. I guess what you told me to do
>>>>>>>>>> will give me the original username, or am I wrong?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Vangelis Kyriakakis
>>>>>>>>>>
>>>>>>>>>> Hugh Irvine wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hello Vangelis -
>>>>>>>>>>>
>>>>>>>>>>> You must extend the RADONLINE table to include a field
>>>>>>>>>>> to contain the original username and modify the
>>>>>>>>>>> AddQuery so it adds both the rewritten username and
>>>>>>>>>>> the original username to the table. Then the fifth
>>>>>>>>>>> field in the CountQuery must be the original username.
>>>>>>>>>>>
>>>>>>>>>>> hope that helps
>>>>>>>>>>>
>>>>>>>>>>> regards
>>>>>>>>>>>
>>>>>>>>>>> Hugh
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 30 Mar 2006, at 20:43, Vangelis Kyriakakis wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I see from the logfiles that Radiator always uses
>>>>>>>>>>>> the whole username that is being authenticated as
>>>>>>>>>>>> the username that is used for online confirmation
>>>>>>>>>>>> via SNMP.
>>>>>>>>>>>> The manual says in CountQuery "If a user name is
>>>>>>>>>>>> present as the fifth field returned by the query,
>>>>>>>>>>>> that is the user name that will be used to confirm
>>>>>>>>>>>> the user is still on line.".
>>>>>>>>>>>> Using the following configuration:
>>>>>>>>>>>>
>>>>>>>>>>>> <Handler Client-Identifier=adsl>
>>>>>>>>>>>>     RejectHasReason
>>>>>>>>>>>>     RewriteUsername s/^([^@]+).*/$1/
>>>>>>>>>>>>     AuthBy adsl
>>>>>>>>>>>>     SessionDatabase Session-dsl
>>>>>>>>>>>>     AuthLog logger
>>>>>>>>>>>> </Handler>
>>>>>>>>>>>>
>>>>>>>>>>>> <SessionDatabase SQL>
>>>>>>>>>>>>     Identifier Session-dsl
>>>>>>>>>>>>     DBSource dbi:Sybase:RADIUS
>>>>>>>>>>>>     DBUsername tacacs
>>>>>>>>>>>>     DBAuth xxxxxxx
>>>>>>>>>>>>     Timeout 5
>>>>>>>>>>>>     FailureBackoffTime 5
>>>>>>>>>>>>     AddQuery insert into netman..RADONLINE (USERNAME,NASIDENTIFIER,NASPORT,\
>>>>>>>>>>>>         ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\
>>>>>>>>>>>>         SERVICETYPE) values ('%U','%N',0%{NAS-Port},'%{Acct-Session-Id}',\
>>>>>>>>>>>>         %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}',\
>>>>>>>>>>>>         '%{Service-Type}')
>>>>>>>>>>>>     DeleteQuery delete from netman..RADONLINE where NASIDENTIFIER='%1' and NASPORT=0%2
>>>>>>>>>>>>     ClearNasQuery delete from netman..RADONLINE where NASIDENTIFIER='%N'
>>>>>>>>>>>>     CountQuery select NASIDENTIFIER, NASPORT, hextoint(ACCTSESSIONID), FRAMEDIPADDRESS, USERNAME from netman..RADONLINE where USERNAME='%U'
>>>>>>>>>>>> </SessionDatabase>
>>>>>>>>>>>>
>>>>>>>>>>>> If the user that is being authenticated is user at domain
>>>>>>>>>>>> then Radiator always uses user at domain as the
>>>>>>>>>>>> username that is checked against the snmpget result
>>>>>>>>>>>> although the RADONLINE database keeps only user in
>>>>>>>>>>>> the USERNAME field.
>>>>>>>>>>>>
>>>>>>>>>>>> Am I doing something wrong, or is this a bug?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>> Vangelis Kyriakakis
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>>>>>
>>>>>>>>>>> NB:
>>>>>>>>>>>
>>>>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>>>>> Have you searched the mailing list archive
>>>>>>>>>>> (www.open.com.au/ archives/ radiator)?
>>>>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>>>>> Have you included a copy of your configuration file (no
>>>>>>>>>>> secrets),
>>>>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>>>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database
>>> independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like
>>> systems.
>>>