[RadiusNT Digest]

radiusnt-digest-request@iea-software.com
Thu, 2 Jul 1998 00:00:48 -0700

Message 1: R: Transparent Proxy
from "Luca Brizzi" <LBrizzi@pronet.it>

Message 2: Ip address and concurrency
from Thomas Kernen <tkernen@deckpoint.ch>

Message 3: Re: Ip address and concurrency
from Dale Reed <daler@iea-software.com>

Message 4: Multiple logins
from "Greg Lowthian" <greg@isat.com>

Message 5: Re: Malformed Packet w/ Ascend and Rad2.5
from Dale Reed <daler@iea-software.com>

Message 6:
from Mark DeWar <mdewar@fiber-net.com>

Message 7: Not authenticating - bad secret?
from "Paul Smith" <pjsmith@microtech.co.gg>

Message 8: unsubscribe
from David Inman <dinman@weblnk.net>

Message 9: Re: A second chance RadiusNT server?
from Dale Reed <daler@iea-software.com>

Message 10: Re: A second chance RadiusNT server?
from Mike Noel <noel@integrityonline.com>

Message 11: Re: NAS-Port-Type
from Dale Reed <daler@iea-software.com>

Message 12: Re: OT: Transparent Proxy
from Dale Reed <daler@iea-software.com>

Message 13: NO UDP service problem.
from "Allen Mallari" <allen@fiax.net>

Message 14: Re: NAS-Port-Type
from "Mourad Dahoumane" <mdahoumane@interway.lu>

Message 15: Re: NAS-Port-Type
from Dale Reed <daler@iea-software.com>

Message 16: Re: NO UDP service problem.
from Dale Reed <daler@iea-software.com>

Message 17: Re: Not authenticating - bad secret?
from Dale Reed <daler@iea-software.com>

Message 18: Re:
from Dale Reed <daler@iea-software.com>

Message 19: Re: Multiple logins
from Dale Reed <daler@iea-software.com>

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 1 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: R: Transparent Proxy
From: "Luca Brizzi" <LBrizzi@pronet.it>
Date: Wed, 1 Jul 1998 09:25:43 +0200

You can buy the Cisco WebCache Box (pros: it works!-cons: $$$$$!!!!)

or you can try this for free http://squid.nlanr.net/Squid/

It works fine and it's fast!!

Luca Brizzi
Pro.Net. srl
LBrizzi@PNGroup.net

-----Original Message-----
From: Carlo Gibertini <carlo@nw.com.br>
To: radiusnt@iea-software.com <radiusnt@iea-software.com>
Date: Tuesday, 30 June 1998 23:51
Subject: OT: Transparent Proxy

>Hello,
>
>I am looking for a transparent proxy solution.
>
>Can someone point me in the direction, and list the pros and cons of using
>these technologies?
>
>Thanks in advance,
>
>Carlo Gibertini
>
>
>
>

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 2 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Ip address and concurrency
From: Thomas Kernen <tkernen@deckpoint.ch>
Date: Wed, 01 Jul 1998 17:29:53 +0200

Hello,

I've noticed that my calls online table doesn't seem to receive the IP
addresses for all my users. At the NAS level it's all ok. Running
RadiusNT 2.2.

Also, using concurrency control to allow multiple connections with the
same user ID I noticed that only MP and MPP connections will allow
adding channel ie: 2 separate users using the same ID cannot login at
the same time even if the account allows multiple logins.

Any ideas?

Thomas

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 3 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Ip address and concurrency
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 11:09:20 -0700

Thomas Kernen wrote:
>
> Hello,
>
> I've noticed that my calls online table doesn't seem to receive the IP
> addresses for all my users. At the NAS level it's all ok. Running
> RadiusNT 2.2.

Do you mean some have the IP and some don't? Does the -x15 debug show
Framed-Address for all the accounting start records?

> Also, using concurrency control to allow multiple connections with the
> same user ID I noticed that only MP and MPP connections will allow
> adding channel ie: 2 separate users using the same ID cannot login at
> the same time even if the account allows multiple logins.

Make sure you have variable login limits enabled. Otherwise, RadiusNT
ignores the Login Limit field and uses one for all users.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 4 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Multiple logins
From: "Greg Lowthian" <greg@isat.com>
Date: Wed, 1 Jul 1998 11:13:19 -0700

RadiusNT 2.5.124
Emerald 3.2.38
Sql 6.5

All of the sudden I can't get online more than once for this
customer on this Ascend 4048 on another 4004 its fine.
They can get on once fine and I can dial into any of the other of
the 9 boxes and get on but not on this one.

radrecv: Request from host ceab7381 code=1, id=245, length=85
    User-Name = "BlaBla"
    Password = " \221PIZW\2452[\207"
    NAS-Identifier = 206.171.115.129
    NAS-Port = 20214
    NAS-Port-Type = Async
    User-Service = Framed-User
    Framed-Protocol = PPP
    State = ""
    Acct-Session-Id = "260640134"
rad_authenticate_ODBC()
    Password = " \221PIZW\2452[\207"

SQL Statement: Select DateDiff(Minute, GetDate(), DateAdd(Day,
(ma.Extension+ma..OverDue+1), maExpireDate)), DateDiff(Minute, GetDate(),
DateAdd(Day, sa.Extension+1, saExpireDate)), sa.AccountID, sa.AccountType, sa.Password,
sa.Login, sa.Shell, sa.LoginLimit From MasterAccounts ma, SubAccounts sa
Where(sa.Login='BlaBla' or sa.Shell='BlaBla' or sa.Email='BlaBla') AND
ma.CustomerID=sa.CustomerID and sa.Active<>0 and ma.Active<>0

Decrypted Password: BlaBla
Database Password: BlaBla
Checking for duplicate logins.

SQL Statement: RadCheckOnline 'BlaBla'

isdept found on-line 1 time(s).

SQL Statement: RadGetConfigs 2806

Loading radius defaults for this type...

SQL Statement: RadGetATConfigs 'BusAcct39'

    User-Service = Framed-User (2)
    Framed-Protocol = PPP (1)
Sending Ack of id 245 to ceab7381 (as3.isat.com)
    User-Service = Framed-User
    Framed-Protocol = PPP

Resp Time: 371 Auth: 19/25 -> 44 Acct: 26/0/0 -> 26

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 5 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Malformed Packet w/ Ascend and Rad2.5
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 11:33:39 -0700

George Mansoor (LS) wrote:
>
> For the record, Maxes with 6.0.2 do the same thing. I added
> the registry
> entry and that "fixed" the problem. Have you (Dale) sent
> > support@ascend.com anything on this issue?
>
> There's a reference to a registry entry. What is this registry
> entry that needs to be fixed?

It's in the docs. Also, RadiusNT 2.5.124 and higher defaults to
malformed allow, since there are so many broken implementations
of RADIUS floating around. Most of the NAS vendors need to be
given a swift kick in the butt and forced to read the RFC 1000 times
straight and memorize it. It's not that tough. :(

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 6 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject:
From: Mark DeWar <mdewar@fiber-net.com>
Date: Wed, 01 Jul 1998 14:49:55 -0400

I am currently using the UNET Radius. I have about 1275 people that i would
need to switch over.
nothing fancy. just straight ppp login. what is the basic setup in the user
file i need to get going ?

how is anyone changing exp dates to keep those that don't pay from logging
on ? that looks like a problem.

thanks

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 7 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Not authenticating - bad secret?
From: "Paul Smith" <pjsmith@microtech.co.gg>
Date: Wed, 1 Jul 1998 20:54:24 +0100

I am trying to use RadiusNT to authenticate users from the emerald database.
I have the secret setup on the terminal server and the emerald database, but
the decrypted password still shows up as garbage. Have I missed something?
does radiusNT get the secret from Emerald or do I need to set it in RadiusNT
as well?

Regards, paul

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 8 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: unsubscribe
From: David Inman <dinman@weblnk.net>
Date: Wed, 01 Jul 1998 16:26:02 -0400

unsubscribe

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 9 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: A second chance RadiusNT server?
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 14:50:28 -0700

Mike Noel wrote:
>
> When RadiusNT 2.5 gets an auth request, it checks its tables to see if the
> username and password (and other check items) are correct. If they all
> are, it sends back an OK and some reply items. If the check items don't
> match, it sends a reject.
>
> I would like my Radius server to add a second step. If the check items
> fail, instead of sending a reject, I would like the server to forward the
> request to a different server. Kinda like the roaming service that
> RadiusNT 2.5 supports, but doing the second check only if the first one fails.
>
> I call this a "second chance" server. Is it possible to set this up with
> RadiusNT 2.5?

Currently this isn't possible with RadiusNT 2.5. I understand what you
want it to do, but I can't figure in what situation you would use this?

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 10 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: A second chance RadiusNT server?
From: Mike Noel <noel@integrityonline.com>
Date: Wed, 01 Jul 1998 15:26:18 -0700

>Currently this isn't possible with RadiusNT 2.5. I understand what you
>want it to do, but I can't figure in what situation you would use this?

One use would be in the place of the proxy server (roaming server) that is
in RadiusNT now. If the first server contacted didn't authenticate, the
request could be passed to another. This could happen without the user
needing to type in their full domain name. If the other didn't
authenticate, it could pass to another, and so on in a ring. Certainly
you'd have to watch out for loops.

Another possibility is a set of cascaded servers. Imagine a centralized
authentication server but with sub-servers located in densely populated
area. The sub-server would try the request first. If it didn't
authenticate, the request would bounce back to the central authenticator.

A third use would be to redirect certain auth requests to a different
server to be handled differently. For example, customers who haven't paid
their ISP bill could be removed from the primary server. Their request
would get forwarded to a different server which would handle them differently.

I'm sure there are other uses. It's just a bit more flexibility for the
package. My main interest is in #1 and #2 but I can see how we might be
able to use #3 at my ISP too.

_M_

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 11 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: NAS-Port-Type
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 16:14:06 -0700

Mourad Dahoumane wrote:
>
> Users defined as async should not be able to connect to the I and vice versa
> users with ISDN should not be able to connect to the async.
> That's how it should be.
>
> But this doesn't work in my case, any ISDN user knowing the async dial up
> number can connect et vice versa.

Are you trying to use server port access or check attributes? Is
this in ODBC mode or text? What does the authentication request
look like that should fail, but doesn't?

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 12 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: OT: Transparent Proxy
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 16:18:14 -0700

Carlo Gibertini wrote:
>
> I am looking for a transparent proxy solution.
>
> Can someone point me in the direction, and list the pros and cons of using
> these technologies?

If you mean proxying RADIUS requests, then you are most likely
looking for the Server Proxy feature of RadiusNT 2.5. If not,
then you define what kind of proxy you are talking about (and
possibly on the ntisp list, not here).

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 13 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: NO UDP service problem.
From: "Allen Mallari" <allen@fiax.net>
Date: Wed, 01 Jul 1998 16:48:51 -0700

Hi,

I installed Radius 2.5 and uninstalled it and installed
Radius 2.x and I'm getting this error whenever i'm running
in radius -x15 mode. I'm using TEXT MODE.

10) AcctDirectory: c:\radius\acct
11) UsersFile: Users
12) Username:
13) Password:
14) CompanyName: First Internet Alliance-Las Vegas
15) License: MY LISCENSE IS HERE..

Param: Debug Level: 15
Initializing Winsock...
Client:Some IP HERE.....
Client:127.0.0.1:127.0.0.1:Mysecret

Loading users...
User:DEFAULT
1 users loaded!
RADIUS: No such service: radius/udp in your services file.
Defaulting to port 1645 for RADIUS Authentication.
RADIUS: No such service: radacct/udp in your services file.
Defaulting to port 27911 for RADIUS Authentication.
Radius NT is ready to receive requests!

Please reply ASAP!

Thanks,
Allen

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 14 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: NAS-Port-Type
From: "Mourad Dahoumane" <mdahoumane@interway.lu>
Date: Thu, 2 Jul 1998 02:03:13 +0200

If I use server port access, then it works: the user is denied access to
the port async ports
and allowed access to one of the 10 B channels.
But with server port access enabled, roaming users are denied access to
through Ipass (radius
doesn't recognize the type of port, of course there is no physical ports
there).

With check attributes, it doesn't work as I explained earlier. I am using
ODBC only
In the text file it looks like this :

xxxxxxx Password = "yyyyyy", Expiration = "Aug 01 1998"
Framed-Protocol = 1
NAS-Port-Type = 2
Port-Limit = 1
User-Service = 0

the authentication process is like the following:

decrypted password:dghgdhdfgfh

sql statement: RadGetConfigs 91

loading radius defaults for this type...
SQL statement : RadGetATConfigs 'ISDN '

User-Service = Framed-user (2)
Framed-protocol = PPP (1)
Port-Limit = 1 (1)
NAS-Port-Type = ISDN (2)
Sending Ack of id 239 to c33de104
User-Service = Framed-user
Framed-protocol = PPP
Port-Limit = 1
NAS-Port-Type = ISDN

>
>Are you trying to use server port access or check attributes? Is
>this in ODBC mode or text? What does the authentication request
>look like that should fail, but doesn't?
>-- 
>Dale E. Reed Jr. (daler@iea-software.com)

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 15 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: NAS-Port-Type
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 21:22:53 -0700

Mourad Dahoumane wrote:
>
> If I use server port access, then it works: the user is denied access to
> the port async ports
> and allowed access to one of the 10 B channels.
> But with server port access enabled, roaming users are denied access to
> through Ipass (radius
> doesn't recognize the type of port, of course there is no physical ports
> there).

HMMM. I'll have to think about the roam perspective of SPA. :(

> With check attributes, it doesn't work as I explained earlier. I am using
> ODBC only
> In the text file it looks like this :
>
> xxxxxxx Password = "yyyyyy", Expiration = "Aug 01 1998"
> Framed-Protocol = 1
> NAS-Port-Type = 2
> Port-Limit = 1
> User-Service = 0

If you are running in ODBC only mode, the text file doesn't matter.
Not sure if you meant something else above?

> the authentication process is like the following:
>
> decrypted password:dghgdhdfgfh
>
> sql statement: RadGetConfigs 91
>
> loading radius defaults for this type...
> SQL statement : RadGetATConfigs 'ISDN '
>
> User-Service = Framed-user (2)
> Framed-protocol = PPP (1)
> Port-Limit = 1 (1)
> NAS-Port-Type = ISDN (2)
> Sending Ack of id 239 to c33de104
> User-Service = Framed-user
> Framed-protocol = PPP
> Port-Limit = 1
> NAS-Port-Type = ISDN

You need to make NAS-Port-Type a CHECK attribute, not a reply attribute.
You need RadiusNT 2.5 for this, and in the RadATConfigs table, the
NAS-Port-Type record should have the RadCheck value set to 1. All other
records will have RadCheck set to either NULL or 0.

> >
> >Are you trying to use server port access or check attributes? Is
> >this in ODBC mode or text? What does the authentication request
> >look like that should fail, but doesn't?
> >--
> >Dale E. Reed Jr. (daler@iea-software.com)

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
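
[Added example, not part of the digest and not RadiusNT code: a simplified Python model of the check/reply distinction discussed in Messages 14 and 15, showing why an ISDN-only profile still acks an async caller when NAS-Port-Type is stored as a reply item. The authorize() function and the (attribute, value, RadCheck) tuples are assumptions that only mirror the RadCheck flag named above; password checking is left out.]

```python
# Simplified model (assumption): each profile row is (attribute, value, rad_check),
# where rad_check == 1 marks a CHECK item and None/0 marks a reply item.

def authorize(request, profile):
    """Return (decision, details) for an Access-Request against a profile.

    CHECK items are compared with what the NAS sent; a mismatch or a missing
    attribute rejects the request. Reply items are never compared: they are
    only copied into the Access-Accept.
    """
    reply = {}
    for attr, value, rad_check in profile:
        if rad_check == 1:
            if request.get(attr) != value:
                return "Access-Reject", {"failed-check": attr}
        else:
            reply[attr] = value
    return "Access-Accept", reply


def isdn_profile(port_type_flag):
    """The ISDN account type from the debug output, with a chosen RadCheck flag."""
    return [
        ("User-Service", "Framed-User", None),
        ("Framed-Protocol", "PPP", None),
        ("Port-Limit", "1", 0),
        ("NAS-Port-Type", "ISDN", port_type_flag),
    ]


# Constructed sample requests: the same user dialling an async and an ISDN port.
ASYNC_REQUEST = {"User-Name": "xxxxxxx", "NAS-Port-Type": "Async"}
ISDN_REQUEST = {"User-Name": "xxxxxxx", "NAS-Port-Type": "ISDN"}
NO_PORT_TYPE = {"User-Name": "xxxxxxx"}

if __name__ == "__main__":
    for label, flag in (("reply item", None), ("check item", 1)):
        for name, req in (("async", ASYNC_REQUEST), ("isdn", ISDN_REQUEST),
                          ("no port type", NO_PORT_TYPE)):
            decision, details = authorize(req, isdn_profile(flag))
            print(f"NAS-Port-Type as {label:10s} / {name:12s}: {decision} {details}")
```

[With the flag unset, the async request is accepted and NAS-Port-Type = ISDN is merely echoed back in the reply, which matches the "Sending Ack" output quoted above.]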

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 16 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: NO UDP service problem.
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 21:26:21 -0700

Allen Mallari wrote:
>
> I installed Radius 2.5 and uninstalled it and installed
> Radius 2.x and I'm getting this error whenever i'm running
> in radius -x15 mode. I'm using TEXT MODE.

I'd recommend re-installing RadiusNT 2.5. :)

> RADIUS: No such service: radius/udp in your services file.
> Defaulting to port 1645 for RADIUS Authentication.
> RADIUS: No such service: radacct/udp in your services file.
> Defaulting to port 27911 for RADIUS Authentication.
> Radius NT is ready to receive requests!

RadiusNT 2.2 defaults to the wrong port for accounting (which is
really what the second line is for). You need to add the two entries
to your services file to correct this. Add these in port order.
The file is winnt\system32\drivers\etc\services

radius 1645/udp radiusd
radacct 1646/udp

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 17 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Not authenticating - bad secret?
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 23:00:42 -0700

Paul Smith wrote:
>
> I am trying to use RadiusNT to authenticate users from the emerald database.
> I have the secret setup on the terminal server and the emerald database, but
> the decrypted password still shows up as garbage. Have I missed something?
> does radiusNT get the secret from Emerald or do I need to set it in RadiusNT
> as well?

Assuming that RadiusNT is pointing to your Emerald database in ODBC
mode, then the secret is indeed taken from the database. Secrets are
case sensitive. Check for spaces before or after them to cause possible problems.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
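
[Added example, not part of the digest and not RadiusNT code: the RFC 2865 section 5.2 User-Password hiding in Python, showing why a shared secret that differs only in case or by a stray space makes the "decrypted password" come out as garbage, as described in Messages 7 and 17. The secret, password and Request Authenticator are constructed sample values; check_secret_variants() is a hypothetical troubleshooting helper.]

```python
import hashlib


def hide_password(password, secret, authenticator):
    """NAS side: pad to 16-byte blocks and XOR each with an MD5-derived mask."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # the next mask is keyed on the previous hidden block
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: the same mask chain, XORed back, padding stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def is_garbage(recovered):
    """True when the recovered bytes contain anything outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in recovered)


def check_secret_variants(hidden, authenticator, configured):
    """Report whether the configured secret, or a trimmed copy, gives readable text."""
    variants = {"as configured": configured,
                "whitespace stripped": configured.strip()}
    return {label: not is_garbage(recover_password(hidden, s, authenticator))
            for label, s in variants.items()}


# Constructed sample values, not taken from any real deployment.
SAMPLE_AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"ExampleSecret"

if __name__ == "__main__":
    hidden = hide_password(b"BlaBla", NAS_SECRET, SAMPLE_AUTHENTICATOR)
    for server_secret in (b"ExampleSecret", b"examplesecret", b"ExampleSecret "):
        print(repr(server_secret), "->",
              repr(recover_password(hidden, server_secret, SAMPLE_AUTHENTICATOR)))
    print(check_secret_variants(hidden, SAMPLE_AUTHENTICATOR, b"ExampleSecret "))
```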

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 18 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re:
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 23:30:36 -0700

Mark DeWar wrote:
>
> I am currently using the UNET Radius. I have about 1275 people that i would
> need to switch over.
> nothing fancy. just straight ppp login. what is the basic setup in the user
> file i need to get going ?

The RadiusNT users file is the same format as Livingston and Ascend.
Take a look at the users.example for a better description of it.

> how is anyone changing exp dates to keep those that don't pay from logging
> on ? that looks like a problem.

I would recommend looking into the ODBC support of RadiusNT. This is
what most people use and allows easy user management, etc.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 19 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Multiple logins
From: Dale Reed <daler@iea-software.com>
Date: Wed, 01 Jul 1998 23:51:36 -0700

Greg Lowthian wrote:
>
> All of the sudden I can't get online more than once for this
> customer on this Ascend 4048 on another 4004 its fine.
> They can get on once fine and I can dial into any of the other of
> the 9 boxes and get on but not on this one.

Ascend has an option called "Shared Profiles". If this is set
to No, then the Ascend will reject a user logging in that it
already has listed as on.

> Sending Ack of id 245 to ceab7381 (as3.isat.com)
> User-Service = Framed-User
> Framed-Protocol = PPP

Even though RadiusNT acks it, if Shared Profiles is set to No,
the Ascend will still reject it.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com