Message-ID: <068f01c1ea32$6ed8f060$14c22cc7@photon> From: "Josh Hillman" <admin-maillist@talstar.com> Subject: Re: [Emerald] Users staying online Date: Mon, 22 Apr 2002 15:18:06 -0400
----- Original Message -----
From: "Vilmos Branyik" <vbranyik@piopc.com>
> Thanks for the detailed reply, but could you answer a few more questions?
>
> All my units are MAX 40xx so is the below script correct?
>
> UPDATE ServerPorts
> SET SNMPUser = '.1.3.6.1.4.1.529.12.3.1.4.5.'
Use this script:
UPDATE ServerPorts
SET SNMPUser = '.1.3.6.1.4.1.529.12.3.1.4.' + convert(varchar(5), Port+1)
> I can enter this using MS Query (I'm running SQL 6.5)
You can do it that way or use ISQL/w.
> On the Max it looks like SNMP is already setup. Here is what is already in
> SNMP Options under 90-900 Mod Config:
>
> Read Comm=public
> R/W Comm Enable=Yes
> R/W Comm=write
> Security=no
> RD Mgr1=0.0.0.0
> RD Mgr2=0.0.0.0
> RD Mgr3=0.0.0.0
> RD Mgr4=0.0.0.0
> RD Mgr5=0.0.0.0
> WR Mgr1=0.0.0.0
> WR Mgr2=0.0.0.0
> WR Mgr3=0.0.0.0
> WR Mgr4=0.0.0.0
> WR Mgr5=0.0.0.0
> Queue Depth=0
IMMEDIATELY change the "Read Comm" AND the "R/W Comm" to something else
(think of them as passwords). The last thing you want is to have anyone out
there to have your SNMP read/write community name. Remember that messages
to this list are available on the web shortly after their posted, so if you
don't change those community names now, you put your maxes at a serious
security risk.
> I pretty sure I should enable security, it doesn't look like I have any
now.
> So if there is a hole I don't want to leave it open.
You can leave the "Security" option set to "No". SNMP concurrency control
will work with it set to no.
> If I enable security should I change the Read Com value to something else?
See above.
> Or would it be OK to leave it as public. Also do I need to include the IP
> address of the server that is running Radius in the RD Mgr1 and WR Mgr1
> values?
Leave the RD and WR Mgr settings as 0.0.0.0. Actually, of all of the things
you displayed, you only need to change the two community names.
> Do I need to set up a SNMP Trap?
No.
> Lastly, I didn't quite understand the RadCheckOnlineSNMP procedure. Is it
> already built into the system or is that something I have to add? If I
have
> to add it, where do I do that?
That, I don't remember. You can take a look in SQL Enterprise Manager,
though in 6.5, I don't remember where. Here's my stored procedure (from
Emerald 2.5):
CREATE PROCEDURE RadCheckOnlineSNMP @Username varchar(64) AS
SELECT s.IPAddress,
s.ServerType,
s.Community,
sp.SNMPUser,
sp.AcctSessionID
FROM Servers s, ServerPorts sp
WHERE s.ServerID = sp.ServerID
AND Username=@Username
AND AcctStatusType=1
UNION
SELECT NASIdentifier, 0, NULL, NULL, NULL
FROM RadRoamPorts
WHERE Username=@Username
> Thanks for your help and sorry about the delay in reposting. I got called
> out for a week.
You're welcome. Get those community names changed!
Oh, once you change the community names, run this:
UPDATE Servers SET Community = 'abcxyz'
(changing abcxyz to whatever your new community name is)
Josh
> -----Original Message-----
> From: Josh Hillman [mailto:admin-maillist@talstar.com]
> Sent: Tuesday, April 16, 2002 8:31 AM
> To: emerald@iea-software.com
> Subject: Re: [Emerald] Users staying online
>
>
> Matt,
>
> See this:
> http://www.iea-software.com/radiusnt/faqs/SNMP-Concurrency.html
>
> We've been using the SNMP concurrency control with our Max 40xx units for
> quite some time and have never had any problems with it.
>
> Use this SQL script to update your ServerPorts table, changing the last
line
> as needed (see further below):
>
> UPDATE ServerPorts
> SET SNMPUser = '.1.3.6.1.4.1.529.12.3.1.4.' + convert(varchar(5), Port+1)
> WHERE ServerID = 1234
>
> If all of your NASes are Ascend Max 40xx units, then you can just comment
> out or delete the "WHERE..." line. Otherwise, enter the appropriate
> ServerID value there for each of your Maxes. You can use "SELECT * FROM
> Servers" to see the details for each of them.
>
> Be sure to read the rest of the info on that webpage I mentioned,
especially
> the part regarding "RadCheckOnlineSNMP"
>
> You will also need to make sure that you have RadiusNT configured
correctly.
> Go into the Admin and make sure that "SNMP Concurrency" or something like
> that (can't remember what it is in RadiusNT 2.5) is selected as well as
any
> other concurrency control options. If any changes are made, you'll have
to
> restart RadiusNT. Because you're using Ascend equipment, you will
probably
> have to fix this registry entry after saving your RadiusNT config. As far
> as I know, IEA Software never fixed the 2.5 admin to handle this entry
> correctly. You can make a file named (whatever.reg) and enter the
following
> lines in it, then just double-click on the file on your RadiusNT server.
> Or, just go into the registry and fix the entry before starting RadiusNT:
>
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\IEA\RadiusNT]
> "AllowMalformed"="3"
>
>
> Also, make sure that your Maxes have the latest version TAOS. For the
40xx
> series, the latest version at the time that I'm writing this is 7.0.28:
> ftp://ftp.ascend.com/pub/Software-Releases/Max/Release-7.0.X/
> This was released on 2/13/02. Prior to that, 7.0.26 was the latest
version
> for quite some time.
>
> Josh
>
>
> ----- Original Message -----
> From: "Vilmos Branyik" <vbranyik@piopc.com>
> To: <emerald@iea-software.com>
> Sent: Monday, April 15, 2002 9:50 PM
> Subject: [Emerald] Users staying online
>
>
> > In the past several days we have been having a problem with users
staying
> > online even though they have been disconnected.
> >
> > I can clear them on the online view and they are then able to login.
> >
> > I saw some information about SNMP Concurrency control but it really
didn't
> > make a lot of sense to me.
> >
> > We are using Emerald 2.5.342 and Ascend Max 4000 series access servers.
> >
> > Do I have to enable SNMP or is there some other way to fix this. If I
have
> > to do this is there some sort of step by step guide to getting this
> feature
> > to work?
> >
> > Thanks in advance for any help you can give me.
> >
> > Matt Branyik
> >
> > Pioneer PC Associates
> > www.piopc.net
> > ------------
> >
> <snip>
> ------------
>
> This is a user supported list. If you require assistance from IEA
Software's
> Support Engineers, please check out our Support resources at
> http://www.iea-software.com/support.
>
> For more information about this list (including removal) go to:
> http://www.iea-software.com/support/maillists/liststart
.