(RADIATOR) CHAP and PAP

Mike Gomez mgomez at iland.net
Fri Oct 27 14:58:19 CDT 2006


Hugh,

The handler suggestion sounds like it would fit best for what I'm trying to 
do.  The requests I need to treat differently will always have something 
like:

CHAP-Password = blahblahblah

How would I set up the handler for that?  Something like:

<Handler CHAP-Password>

and then the different <AuthBy SQL> statement?  I'm playing with it right now 
to see what combination I can use to get it to work, but I figured I'd 
ask. :)

Thanks!
Mike

On Thursday 26 October 2006 21:06, Hugh Irvine wrote:
> Hello Mike -
>
> On thinking about this a bit more, you could also use an
> AuthColumnDef for your passwords rather than the default and use a
> different AuthSelect query. Or if you can identify these "special"
> users by the contents of the radius request (or where it comes from)
> you can also set up a Handler to deal with them differently with
> different AuthBy SQL clauses. You could also use a stored procedure
> in the database to do whatever is required before returning the
> password to Radiator.
>
> hope this helps
>
> regards
>
> Hugh
>
> On 27 Oct 2006, at 10:26, Hugh Irvine wrote:
> > Hello Mike -
> >
> > Of course you will also need to remove the "EncryptedPassword"
> > parameter from the AuthBy SQL clause(s).
> >
> > regards
> >
> > Hugh
> >
> > On 27 Oct 2006, at 10:13, Hugh Irvine wrote:
> >> Hello again Mike -
> >>
> >> We have just been discussing this again here and I don't think my
> >> suggestion will work, unfortunately.
> >>
> >> The alternative therefore is to add "{crypt}" prefixes to your
> >> existing passwords, except for those plaintext passwords which can
> >> either have "{clear}" prefixes or be left as cleartext.
> >>
> >> Apologies for any confusion.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >> On 27 Oct 2006, at 08:49, Hugh Irvine wrote:
> >>> Hi Mike -
> >>>
> >>> As you suggest below, you can use "{clear}password" just for
> >>> those users who need it and leave the rest as they are.
> >>>
> >>> See sections 12.1.1 and 12.1.2 in the Radiator 3.15 reference
> >>> manual ("doc/ref.html").
> >>>
> >>> regards
> >>>
> >>> Hugh
> >>>
> >>> On 27 Oct 2006, at 07:53, Mike Gomez wrote:
> >>>> Hi All,
> >>>>
> >>>> I've run into a bit of a problem that I'm hoping I can figure out without
> >>>> having to do too much of an overhaul on our mysql database. ;)  We've been
> >>>> using Radiator and PAP authentication for years (using just standard unix
> >>>> encryption on passwords).  We've just recently switched dialup providers, and
> >>>> some of the Qwest numbers they use only allow CHAP.
> >>>>
> >>>> It's only for a small subset of my users that this is causing a problem for
> >>>> (150 out of the 12,000 or so in the database).  Since my passwords aren't in
> >>>> clear text, CHAP won't work.  From what I've read, I believe I could change
> >>>> all of my users to clear text passwords and then both PAP and CHAP would
> >>>> work, but I'd honestly like to avoid making changes to all 12,000 users and
> >>>> just change the 150 that are having problems.
> >>>>
> >>>> We use the EncryptedPassword option, since we don't have {crypt} specified
> >>>> before each password.  Is there any way I could just change the problem users
> >>>> to have their passwords set as "{clear}password" in mysql and not have to end
> >>>> up changing all of the rest of the passwords (either to clear text, or by
> >>>> putting {crypt} in front of them)?  I'm reading through the reference manual,
> >>>> but the only way I can see to do this is either by changing everyone to clear
> >>>> text, or using the {} before each user's password to describe whether it's
> >>>> encrypted or not.
> >>>>
> >>>> Thanks in advance for any help! :)
> >>>> --
> >>>> Mike Gomez
> >>>>
> >>>> --
> >>>> Archive at http://www.open.com.au/archives/radiator/
> >>>> Announcements on radiator-announce at open.com.au
> >>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>> NB:
> >>>
> >>> Have you read the reference manual ("doc/ref.html")?
> >>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> >>> Have you had a quick look on Google (www.google.com)?
> >>> Have you included a copy of your configuration file (no secrets),
> >>> together with a trace 4 debug showing what is happening?
> >>>
> >>> --
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>> Includes support for reliable RADIUS transport (RadSec),
> >>> and DIAMETER translation agent.
> >>> -
> >>> Nets: internetwork inventory and management - graphical, extensible,
> >>> flexible with hardware, software, platform and database
> >>> independence.
> >>> -
> >>> CATool: Private Certificate Authority for Unix and Unix-like
> >>> systems.
> >>>

-- 
Mike Gomez
Network Operations Center
I-Land Internet Services
660.829.4638 Ext. 130
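
Added example, not part of the original thread and not Radiator's code: a Python sketch of why a CHAP-Password can only be checked against a `{clear}` entry, following the RFC 1994 / RFC 2865 CHAP calculation. The sample passwords, the `{crypt}` value and the `default_scheme` parameter (standing in for how unprefixed rows are interpreted) are constructed assumptions.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def split_stored(stored: str, default_scheme: str = "clear"):
    """Split '{scheme}value' into (scheme, value); unprefixed rows use the default."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.lower(), value
    return default_scheme, stored

def check_chap(stored: str, chap_password: bytes, challenge: bytes,
               default_scheme: str = "clear") -> str:
    """Return 'accept', 'reject' or 'unusable' for a RADIUS CHAP-Password.

    chap_password is the 17-octet attribute value: 1 identifier octet
    followed by the 16-octet MD5 response (RFC 2865).
    """
    if len(chap_password) != 17:
        return "reject"
    scheme, value = split_stored(stored, default_scheme)
    if scheme != "clear":
        # The server must feed the real secret into MD5; a one-way hash of
        # the password cannot be substituted, so CHAP cannot be verified.
        return "unusable"
    expected = chap_response(chap_password[0], value.encode(), challenge)
    return "accept" if hmac.compare_digest(expected, chap_password[1:]) else "reject"

# Constructed sample request: identifier 7, 16-octet challenge, password "s3cret".
CHALLENGE = bytes(range(16))
CHAP_ATTR = bytes([7]) + chap_response(7, b"s3cret", CHALLENGE)

def demo() -> dict:
    """Run the same CHAP request against differently stored passwords."""
    rows = {
        "clear_prefixed": ("{clear}s3cret", "clear"),
        "crypt_prefixed": ("{crypt}PLACEHOLDERHASH", "clear"),  # constructed value
        "unprefixed_hashed": ("PLACEHOLDERHASH", "crypt"),      # column treated as hashed
        "clear_wrong_password": ("{clear}other", "clear"),
    }
    return {name: check_chap(stored, CHAP_ATTR, CHALLENGE, default)
            for name, (stored, default) in rows.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Rows marked `{clear}` hold a recoverable secret, so database access controls and backups for that column need tightening accordingly.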
