(RADIATOR) CHAP and PAP

Hugh Irvine hugh at open.com.au
Fri Oct 27 17:41:19 CDT 2006


Hello Mike -

You can use this:


<Handler CHAP-Password = /.+/>
	.....
</Handler>

.....

Keep in mind that you should not mix Realms and Handlers in the same  
configuration file as Realms are always evaluated before Handlers.

hope that helps

regards

Hugh



On 28 Oct 2006, at 05:58, Mike Gomez wrote:

> Hugh,
>
> The handler suggestion sounds like it would fit best for what I'm trying to
> do.  The requests I need to treat differently will always have something
> like:
>
> CHAP-Password = blahblahblah
>
> How would I set up the handler for that?  Something like:
>
> <Handler CHAP-Password>
>
> and then the different <AuthBy SQL> statement?  I'm playing with it right now
> to see what combination I can use to get it to work, but I figured I'd
> ask. :)
>
> Thanks!
> Mike
>
> On Thursday 26 October 2006 21:06, Hugh Irvine wrote:
>> Hello Mike -
>>
>> On thinking about this a bit more, you could also use an
>> AuthColumnDef for your passwords rather than the default and use a
>> different AuthSelect query. Or if you can identify these "special"
>> users by the contents of the radius request (or where it comes from)
>> you can also set up a Handler to deal with them differently with
>> different AuthBy SQL clauses. You could also use a stored procedure
>> in the database to do whatever is required before returning the
>> password to Radiator.
>>
>> hope this helps
>>
>> regards
>>
>> Hugh
>>
>> On 27 Oct 2006, at 10:26, Hugh Irvine wrote:
>>> Hello Mike -
>>>
>>> Of course you will also need to remove the "EncryptedPassword"
>>> parameter from the AuthBy SQL clause(s).
>>>
>>> regards
>>>
>>> Hugh
>>>
>>> On 27 Oct 2006, at 10:13, Hugh Irvine wrote:
>>>> Hello again Mike -
>>>>
>>>> We have just been discussing this again here and I don't think my
>>>> suggestion will work, unfortunately.
>>>>
>>>> The alternative therefore is to add "{crypt}" prefixes to your
>>>> existing passwords, except for those plaintext passwords which can
>>>> either have "{clear}" prefixes or be left as cleartext.
>>>>
>>>> Apologies for any confusion.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>> On 27 Oct 2006, at 08:49, Hugh Irvine wrote:
>>>>> Hi Mike -
>>>>>
>>>>> As you suggest below, you can use "{clear}password" just for
>>>>> those users who need it and leave the rest as they are.
>>>>>
>>>>> See sections 12.1.1 and 12.1.2 in the Radiator 3.15 reference
>>>>> manual ("doc/ref.html").
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>> On 27 Oct 2006, at 07:53, Mike Gomez wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> I've run into a bit of a problem that I'm hoping I can figure out without
>>>>>> having to do too much of an overhaul on our mysql database. ;)  We've been
>>>>>> using Radiator and PAP authentication for years (using just standard unix
>>>>>> encryption on passwords).  We've just recently switched dialup providers, and
>>>>>> some of the Qwest numbers they use only allow CHAP.
>>>>>>
>>>>>> It's only for a small subset of my users that this is causing a problem for
>>>>>> (150 out of the 12,000 or so in the database).  Since my passwords aren't in
>>>>>> clear text, CHAP won't work.  From what I've read, I believe I could change
>>>>>> all of my users to clear text passwords and then both PAP and CHAP would
>>>>>> work, but I'd honestly like to avoid making changes to all 12,000 users and
>>>>>> just change the 150 that are having problems.
>>>>>>
>>>>>> We use the EncryptedPassword option, since we don't have {crypt} specified
>>>>>> before each password.  Is there any way I could just change the problem users
>>>>>> to have their passwords set as "{clear}password" in mysql and not have to end
>>>>>> up changing all of the rest of the passwords (either to clear text, or by
>>>>>> putting {crypt} in front of them)?  I'm reading through the reference manual,
>>>>>> but the only way I can see to do this is either by changing everyone to clear
>>>>>> text, or using the {} before each user's password to describe whether it's
>>>>>> encrypted or not.
>>>>>>
>>>>>> Thanks in advance for any help! :)
>>>>>> --
>>>>>> Mike Gomez
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>>
>>>>> --
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>> and DIAMETER translation agent.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>> flexible with hardware, software, platform and database independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>>
>>>>
>>>
>>
>
> -- 
> Mike Gomez
> Network Operations Center
> I-Land Internet Services
> 660.829.4638 Ext. 130





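Why the thread settles on "{clear}" entries for the CHAP users, shown as an added example that is not part of the original messages and is not Radiator code: PAP can be checked against a one-way hash, while a CHAP-Password can only be recomputed from the plaintext. Assumptions: salted SHA-256 stands in for Unix crypt, and the user names, password and challenge are constructed.

```python
import hashlib
import hmac

def one_way(password: bytes, salt: bytes) -> str:
    # Stand-in for Unix crypt(3) (assumption: salted SHA-256), same one-way property.
    return salt.hex() + "$" + hashlib.sha256(salt + password).hexdigest()

def split_scheme(stored: str):
    # "{crypt}hash" or "{clear}password"; no prefix is read as cleartext.
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.lower(), value
    return "clear", stored

def check_pap(stored: str, submitted: bytes) -> bool:
    # PAP delivers the password itself, so the server can hash it and compare.
    scheme, value = split_scheme(stored)
    if scheme == "clear":
        return hmac.compare_digest(value.encode(), submitted)
    if scheme == "crypt":
        salt = bytes.fromhex(value.partition("$")[0])
        return hmac.compare_digest(one_way(submitted, salt), value)
    return False

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RADIUS CHAP-Password: 1-byte CHAP identifier + MD5(identifier || password || challenge).
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def check_chap(stored: str, attr: bytes, challenge: bytes) -> bool:
    # The server must recompute the MD5 from the plaintext; a one-way hash cannot be used.
    scheme, value = split_scheme(stored)
    if scheme != "clear" or len(attr) != 17:
        return False
    return hmac.compare_digest(chap_password(attr[0], value.encode(), challenge), attr)

# Constructed sample rows: one hashed user, one user moved to cleartext for CHAP.
SALT = bytes.fromhex("a1b2c3d4")
USERS = {
    "pap-only": "{crypt}" + one_way(b"correct horse", SALT),
    "chap-user": "{clear}correct horse",
}
CHALLENGE = bytes(range(16))  # constructed 16-byte challenge

if __name__ == "__main__":
    attr = chap_password(7, b"correct horse", CHALLENGE)
    for name, stored in USERS.items():
        print(name, "PAP:", check_pap(stored, b"correct horse"),
              "CHAP:", check_chap(stored, attr, CHALLENGE))
```

The hashed row passes PAP and fails CHAP even with the right password, which is the trade-off behind keeping cleartext only for the accounts that need CHAP.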