(RADIATOR) CHAP and PAP
Mike Gomez
mgomez at iland.net
Mon Oct 30 10:32:49 CST 2006
Awesome, I believe that did it! Thank you so much for your help, Hugh! :)
Mike
On Friday 27 October 2006 17:41, Hugh Irvine wrote:
> Hello Mike -
>
> You can use this:
>
>
> <Handler CHAP-Password = /.+/>
> .....
> </Handler>
>
> .....
>
> Keep in mind that you should not mix Realms and Handlers in the same
> configuration file as Realms are always evaluated before Handlers.
>
> hope that helps
>
> regards
>
> Hugh
>
> On 28 Oct 2006, at 05:58, Mike Gomez wrote:
> > Hugh,
> >
> > The handler suggestion sounds like it would fit best for what I'm
> > trying to
> > do. The requests I need to treat differently will always have
> > something
> > like:
> >
> > CHAP-Password = blahblahblah
> >
> > How would I setup the handler for that? Something like:
> >
> > <Handler CHAP-Password>
> >
> > and then the different <AuthBy SQL> statement? I'm playing with it
> > right now
> > to see what combination I can use to get it to work, but I figured I'd
> > ask. :)
> >
> > Thanks!
> > Mike
> >
> > On Thursday 26 October 2006 21:06, Hugh Irvine wrote:
> >> Hello Mike -
> >>
> >> On thinking about this a bit more, you could also use an
> >> AuthColumnDef for your passwords rather than the default and use a
> >> different AuthSelect query. Or if you can identify these "special"
> >> users by the contents of the radius request (or where it comes from)
> >> you can also set up a Handler to deal with them differently with
> >> different AuthBy SQL clauses. You could also use a stored procedure
> >> in the database to do whatever is required before returning the
> >> password to Radiator.
> >>
> >> hope this helps
> >>
> >> regards
> >>
> >> Hugh
> >>
> >> On 27 Oct 2006, at 10:26, Hugh Irvine wrote:
> >>> Hello Mike -
> >>>
> >>> Of course you will also need to remove the "EncryptedPassword"
> >>> parameter from the AuthBy SQL clause(s).
> >>>
> >>> regards
> >>>
> >>> Hugh
> >>>
> >>> On 27 Oct 2006, at 10:13, Hugh Irvine wrote:
> >>>> Hello again Mike -
> >>>>
> >>>> We have just been discussing this again here and I don't think my
> >>>> suggestion will work, unfortunately.
> >>>>
> >>>> The alternative therefore is to add "{crypt}" prefixes to your
> >>>> existing passwords, except for those plaintext passwords which can
> >>>> either have "{clear}" prefixes or be left as cleartext.
> >>>>
> >>>> Apologies for any confusion.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>> On 27 Oct 2006, at 08:49, Hugh Irvine wrote:
> >>>>> Hi Mike -
> >>>>>
> >>>>> As you suggest below, you can use "{clear}password" just for
> >>>>> those users who need it and leave the rest as they are.
> >>>>>
> >>>>> See sections 12.1.1 and 12.1.2 in the Radiator 3.15 reference
> >>>>> manual ("doc/ref.html").
> >>>>>
> >>>>> regards
> >>>>>
> >>>>> Hugh
> >>>>>
> >>>>> On 27 Oct 2006, at 07:53, Mike Gomez wrote:
> >>>>>> Hi All,
> >>>>>>
> >>>>>> I've run into a bit of a problem that I'm hoping I can figure
> >>>>>> out without
> >>>>>> having to do too much of an overhaul on our mysql database. ;)
> >>>>>> We've been
> >>>>>> using Radiator and PAP authentication for years (using just
> >>>>>> standard unix
> >>>>>> encryption on passwords). We've just recently switched dialup
> >>>>>> providers, and
> >>>>>> some of the Qwest numbers they use only allow CHAP.
> >>>>>>
> >>>>>> It's only for a small subset of my users that this is causing a
> >>>>>> problem for
> >>>>>> (150 out of the 12,000 or so in the database). Since my
> >>>>>> passwords aren't in
> >>>>>> clear text, CHAP won't work. From what I've read, I believe I
> >>>>>> could change
> >>>>>> all of my users to clear text passwords and then both PAP and
> >>>>>> CHAP would
> >>>>>> work, but I'd honestly like to avoid making changes to all
> >>>>>> 12,000 users and
> >>>>>> just change the 150 that are having problems.
> >>>>>>
> >>>>>> We use the EncryptedPassword option, since we don't have {crypt}
> >>>>>> specified
> >>>>>> before each password. Is there any way I could just change the
> >>>>>> problem users
> >>>>>> to have their passwords set as "{clear}password" in mysql and
> >>>>>> not have to end
> >>>>>> up changing all of the rest of the passwords (either to clear
> >>>>>> text, or by
> >>>>>> putting {crypt} in front of them)? I'm reading through the
> >>>>>> reference manual,
> >>>>>> but the only way I can see to do this is either by changing
> >>>>>> everyone to clear
> >>>>>> text, or using the {} before each user's password to describe
> >>>>>> whether it's
> >>>>>> encrypted of not.
> >>>>>>
> >>>>>> Thanks in advance for any help! :)
> >>>>>> --
> >>>>>> Mike Gomez
> >>>>>>
> >>>>>> --
> >>>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>>> Announcements on radiator-announce at open.com.au
> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>> NB:
> >>>>>
> >>>>> Have you read the reference manual ("doc/ref.html")?
> >>>>> Have you searched the mailing list archive (www.open.com.au/
> >>>>> archives/radiator)?
> >>>>> Have you had a quick look on Google (www.google.com)?
> >>>>> Have you included a copy of your configuration file (no secrets),
> >>>>> together with a trace 4 debug showing what is happening?
> >>>>>
> >>>>> --
> >>>>> Radiator: the most portable, flexible and configurable RADIUS
> >>>>> server
> >>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>>> Includes support for reliable RADIUS transport (RadSec),
> >>>>> and DIAMETER translation agent.
> >>>>> -
> >>>>> Nets: internetwork inventory and management - graphical,
> >>>>> extensible,
> >>>>> flexible with hardware, software, platform and database
> >>>>> independence.
> >>>>> -
> >>>>> CATool: Private Certificate Authority for Unix and Unix-like
> >>>>> systems.
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on radiator-announce at open.com.au
> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>> 'unsubscribe radiator' in the body of the message.
> >>>>
> >>>> NB:
> >>>>
> >>>> Have you read the reference manual ("doc/ref.html")?
> >>>> Have you searched the mailing list archive (www.open.com.au/
> >>>> archives/radiator)?
> >>>> Have you had a quick look on Google (www.google.com)?
> >>>> Have you included a copy of your configuration file (no secrets),
> >>>> together with a trace 4 debug showing what is happening?
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS
> >>>> server
> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>> Includes support for reliable RADIUS transport (RadSec),
> >>>> and DIAMETER translation agent.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical,
> >>>> extensible,
> >>>> flexible with hardware, software, platform and database
> >>>> independence.
> >>>> -
> >>>> CATool: Private Certificate Authority for Unix and Unix-like
> >>>> systems.
> >>>>
> >>>>
> >>>> --
> >>>> Archive at http://www.open.com.au/archives/radiator/
> >>>> Announcements on radiator-announce at open.com.au
> >>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>> NB:
> >>>
> >>> Have you read the reference manual ("doc/ref.html")?
> >>> Have you searched the mailing list archive (www.open.com.au/
> >>> archives/radiator)?
> >>> Have you had a quick look on Google (www.google.com)?
> >>> Have you included a copy of your configuration file (no secrets),
> >>> together with a trace 4 debug showing what is happening?
> >>>
> >>> --
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>> Includes support for reliable RADIUS transport (RadSec),
> >>> and DIAMETER translation agent.
> >>> -
> >>> Nets: internetwork inventory and management - graphical, extensible,
> >>> flexible with hardware, software, platform and database
> >>> independence.
> >>> -
> >>> CATool: Private Certificate Authority for Unix and Unix-like
> >>> systems.
> >>>
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>
> >> NB:
> >>
> >> Have you read the reference manual ("doc/ref.html")?
> >> Have you searched the mailing list archive (www.open.com.au/archives/
> >> radiator)?
> >> Have you had a quick look on Google (www.google.com)?
> >> Have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >
> > --
> > Mike Gomez
> > Network Operations Center
> > I-Land Internet Services
> > 660.829.4638 Ext. 130
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
--
Mike Gomez
Network Operations Center
I-Land Internet Services
660.829.4638 Ext. 130
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list