[RadiusNT Digest]

radiusnt-digest-request@iea-software.com
Mon, 20 Jul 1998 00:00:00 -0700

Message 1: Cisco filters and IP Pool
from "Mohammed Ersan" <ersan@first.net.jo>

Message 2: TimeBank and USR NetServer
from Einstein Oliveira <einstein@yawl.com.br>

Message 3: Re: TimeBank and USR NetServer
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 4: Re: Problems with Proxy from Service
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 5: ServerPorts
from Ted Olson <tolson@ocsnet.net>

Message 6: Re: TimeBank and USR NetServer
from Einstein Oliveira <einstein@yawl.com.br>

Message 7: Re: TimeBank and USR NetServer
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 8: Re: Concurency Control
from rabaut <rabaut@hcc.cc.fl.us>

Message 9: RE: Problems with Proxy from Service
from "Tony Schwartz" <tony@transport.com>

Message 10: Expire Date Problem
from postman@cp-tel.net (Postman Account)

Message 11: Re: TimeBank and USR NetServer
from "2Day Internet" <peter@2day.net.nz>

Message 12: SOLVED: Problems with Proxy from Service
from "Tony Schwartz" <tony@transport.com>

Message 13: Re: SOLVED: Problems with Proxy from Service
from "Dale E. Reed Jr." <daler@iea-software.com>

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 1 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Cisco filters and IP Pool
From: "Mohammed Ersan" <ersan@first.net.jo>
Date: Sun, 19 Jul 1998 13:49:38 +0300

hi,

We have a number of Portmasters + Cisco 3640 working as Access Servers for
local and remote sites. On the Cisco I've created the required filters
(same names on the PM & Cisco), but how do I make radius assign the
filter on the Cisco, and how could I prevent someone from assigning his
address? Because if a dial-in user assigns his address he will be
authenticated normally.....

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 2 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: TimeBank and USR NetServer
From: Einstein Oliveira <einstein@yawl.com.br>
Date: Sun, 19 Jul 1998 12:16:52 -0300

Hi,

We're having problems to put time-banking feature of RadiusNT working with USR
NetServers. The problem is that the NAS doesn't hang up a call when the time
left is over, resulting in values like -xxx in the TimeLeft column of
SubAccounts table.

Any Ideas ?

Einstein Oliveira

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 3 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: TimeBank and USR NetServer
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Sun, 19 Jul 1998 10:48:13 -0700

Einstein Oliveira wrote:
>
> We're having problems to put time-banking feature of RadiusNT working with USR
> NetServers. The problem is that the NAS doesn't hang up a call when the time
> left is over, resulting in values like -xxx in the TimeLeft column of
> SubAccounts table.

For time banking to fully work, the NAS must support the Session-Timeout
attribute. RadiusNT will include this attribute when it returns the set
of attributes for the user if the user is configured for time banking.
It is possible for the final calculation to be a couple of minutes
negative, but it shouldn't be much more than that.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 4 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Problems with Proxy from Service
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Sun, 19 Jul 1998 10:55:26 -0700

Tony Schwartz wrote:
>
> I am making some progress in my eval of Enterprise proxying..
>
> My problem on an NT box using SQL, I can do proxy from Debug mode but not
> from service mode. Any ideas??

Have you verified that your DSN is a system DSN? What command
line options are you using in debug mode? For the service to
work the same, you should only be using the -x15 command line
option. Does it work at all as a service (normal authentication)?

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 5 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: ServerPorts
From: Ted Olson <tolson@ocsnet.net>
Date: Sun, 19 Jul 1998 11:18:34 -0700

Our ServerPorts table correctly stamps each call for 3 different NASes.
We've added a fourth NAS, ID'ed it in the Servers table, and added matching
records for each of its ports in ServerPorts (keyed to ServerID in the
Servers table). The NAS is handling calls normally and they're being
recorded properly in the Calls table - but nothing is being stamped in
ServerPorts (for the new NAS only). I read that there may be a related
query edit required when using Access97, but can't find anything relevant
in our existing queries. Any ideas?

Thanks much,
Ted Olson
OCS Software

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 6 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: TimeBank and USR NetServer
From: Einstein Oliveira <einstein@yawl.com.br>
Date: Sun, 19 Jul 1998 17:17:55 -0300

Hi Dale,

This is the output of RadiusNT running in -x15 mode:
------------------------------------------------------------
C:\radius>radius -x15

RadiusNT 2.2.41 7/27/97 Copyright (c) 1996-1997 IEA Software, Inc. All Rights Reserved, Worldwide

Some portions Copyright (c) 1992 Livingston Enterprises, Inc. and Copyright (c) 1995 Ascend Communications, Inc.

0) EncryptPasswords: 0
1) IgnoreCase: 0
2) ReqAcctAuth: 0
3) Mode: 1
4) Options: 69
5) Debug: 0
6) ODBCDatasource: RadiusNT
7) DataDirectory:
8) AcctDirectory:
9) UsersFile: Users
10) Username: xxxxx
11) Password: xxxxx
12) CompanyName:
13) License:

Param: Debug Level: 15
Initializing Winsock...
ODBC Datasource: 'RadiusNT'...
Making ODBC Connection...
Licensed MBRs: 200
Allocating Statement...

SQL Statement: Select Name, RadAttributeID, Type From RadAttributes

SQL Statement: Select ra.Name, rv.Name, rv.Value From RadValues rv,
RadAttributes ra Where rv.RadAttributeID = ra.RadAttributeId

SQL Statement: Select Server, IPAddress, Secret From Servers

6 Clients Loaded
12 Accounting Columns Loaded

Radius NT is ready to receive requests!
radrecv: Request from host xxxxxxxx code=1, id=1, length=0
    NAS-Identifier = 127.0.0.1
    NAS-Port = 0
    User-Name = "foo"
    Password = "\032n^\015\234\322Sm\252s\211\034pg\226\265"
rad_authenticate_ODBC()
    Password = "\032n^\015\234\322Sm\252s\211\034pg\226\265"

SQL Statement: Select DateAdd(Day, (ma.extension + ma.overdue), maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.Password, sa.Login, sa.Shell, sa.TimeLeft, sa.LoginLimit From MasterAccounts
ma, SubAccounts sa Where (sa.Login='foo' or sa.Shell='foo') AND
ma.CustomerID=sa.CustomerID and sa.Active<>0 and ma.Active<>0

Decrypted Password: foo
Database Password: foo
Checking for duplicate logins.

SQL Statement: Select Count(*) from CallsOnline Where UserName='foo' and
AcctStatusType=1

foo found on-line 0 time(s).

SQL Statement: Select ra.RadAttributeID, Name, Data, Value, Type From
RadConfigs rc, RadAttributes ra Where ra.RadAttributeID=rc.RadAttributeID AND
rc.AccountID=1292

Loading radius defaults for this type...

SQL Statement: Select ra.RadAttributeID, Name, Data, Value, Type From
RadATConfigs rc, RadAttributes ra Where ra.RadAttributeID=rc.RadAttributeID AND
rc.AccountType='PPP'

    User-Service = 2 (2)
    Framed-Protocol = 1 (1)
    Framed-Address = 255.255.255.254 (1)
    Framed-Compression = 1 (1)
Sending Ack of id 1 to xxxxxxxx (XXXXXX)
    User-Service = Framed-User
    Framed-Protocol = PPP
    Framed-Address = 255.255.255.254
    Framed-Compression = Van-Jacobsen-TCP-IP

Resp Time: 90 Auth: 1/0 -> 1 Acct: 0/0/0 -> 0
------------------------------------------------------------

and this is the output of radlogin when I try to log a user with 60 in his
timeleft column and TimeBank Checked in RadiusNT Administrator:

------------------------------------------------------------
C:\radius>radlogin foo foo

Checking Radius user foo:
    User-Service = Framed-User
    Framed-Protocol = PPP
    Framed-Address = 255.255.255.254
    Framed-Compression = Van-Jacobsen-TCP-IP
0: Time: 130 Auth: Good
1 Good 0 Bad 130 Avg
------------------------------------------------------------

am I wrong or this is where the Session-Timeout Attribute should appear as
response to NAS ? I'm just setting the TimeLeft field for the account. Do I need
to do something else ?

Einstein Oliveira

Dale E. Reed Jr. wrote:
>
> Einstein Oliveira wrote:
> >
> > We're having problems to put time-banking feature of RadiusNT working with USR
> > NetServers. The problem is that the NAS doesn't hang up a call when the time
> > left is over, resulting in values like -xxx in the TimeLeft column of
> > SubAccounts table.
>
> For time banking to fully work, the NAS must support the Session-Timeout
> attribute. RadiusNT will include this attribute when it returns the set
> of attributes for the user if the user is configured for time banking.
> It is possible for the final calculation to be a couple of minutes
> negative, but it shouldn't be much more than that.
>
> --
> Dale E. Reed Jr. (daler@iea-software.com)
> _________________________________________________________________
> IEA Software, Inc. | RadiusNT, Emerald, and NT FAQs
> Internet Solutions for Today | http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 7 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: TimeBank and USR NetServer
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Sun, 19 Jul 1998 14:45:40 -0700

Einstein Oliveira wrote:
>
> ------------------------------------------------------------
> C:\radius>radlogin foo foo
>
> Checking Radius user foo:
> User-Service = Framed-User
> Framed-Protocol = PPP
> Framed-Address = 255.255.255.254
> Framed-Compression = Van-Jacobsen-TCP-IP
> 0: Time: 130 Auth: Good
> 1 Good 0 Bad 130 Avg
> ------------------------------------------------------------
>
> am I wrong or this is where the Session-Timeout Attribute should appear as
> response to NAS ? I'm just setting the TimeLeft field for the account. Do I need
> to do something else ?

Upgrade to RadiusNT 2.5 and it should fix the problem:

Sending Ack of id 90 to 7f000001 (localhost)
    User-Service = Framed-User
    Framed-Protocol = PPP
    Session-Timeout = 3600

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
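
[Added example, not part of the original digest and not IEA Software's code: a small RADIUS reply parser that validates the Length field, the attribute lengths and the Response Authenticator, then reports whether Session-Timeout (attribute 27, in seconds) is present, which is the check done by eye on the radlogin output above. The shared secret, request authenticator and both sample replies are constructed for the example.]

```python
import hashlib
import hmac
import struct

SERVICE_TYPE, FRAMED_PROTOCOL, SESSION_TIMEOUT = 6, 7, 27  # RFC 2138 attribute types

def attr(atype, value):
    """Encode one attribute as Type, Length (covers all three fields), Value."""
    return bytes([atype, len(value) + 2]) + value

def build_reply(code, ident, req_auth, secret, body):
    """Build a reply; Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse_reply(pkt, req_auth, secret):
    """Check lengths and authenticator; return (code, {type: [raw values]})."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field %d does not fit the datagram" % length)
    pkt = pkt[:length]  # octets past Length are padding and are ignored
    want = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(want, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def session_timeout(attrs):
    """Return Session-Timeout in seconds, or None when the reply omits it."""
    values = attrs.get(SESSION_TIMEOUT)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("Session-Timeout must be a 4-octet integer")
    return struct.unpack("!I", values[0])[0]

# Constructed sample data: secret, authenticator and both replies are made up.
SECRET, REQ_AUTH = b"example-secret", bytes(range(16))
COMMON = (attr(SERVICE_TYPE, struct.pack("!I", 2)) +
          attr(FRAMED_PROTOCOL, struct.pack("!I", 1)))
WITHOUT = build_reply(2, 1, REQ_AUTH, SECRET, COMMON)
WITH = build_reply(2, 90, REQ_AUTH, SECRET,
                   COMMON + attr(SESSION_TIMEOUT, struct.pack("!I", 3600)))

if __name__ == "__main__":
    for name, pkt in (("without", WITHOUT), ("with", WITH)):
        code, attrs = parse_reply(pkt, REQ_AUTH, SECRET)
        print(name, "code", code, "Session-Timeout", session_timeout(attrs))
```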

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 8 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Concurency Control
From: rabaut <rabaut@hcc.cc.fl.us>
Date: Sun, 19 Jul 1998 18:13:49 -0400

Hi

I am having some problems understanding how to set up some of the features
in RadiusNT. I saw your questions on the newsgroup. Have you ever
received an answer to them??

I sure would appreciate knowing...

Mike
rabaut2hcc.cc.fl.us

At 03:15 PM 7/16/98 +1000, you wrote:
>Hiyas,
>
>Radius 2.5 ,Emerald,NT.
>I have spent too many hours trying to get concurrency control working,no
>luck yet :/
>
>Below is an excerpt from the radius manual.
>
>********************************************************************************************
>
> Preventing a single user from logging in multiple times simultaneously
>is called concurrency control. RadiusNT uses the RADIUS Accounting
>records to maintain a list of who is currently on-line. To achieve
>this, you must add records into the ServerPorts table that match the
>ServerID from the Servers table, and the Port column which matches the
>NAS-Port attribute in the accounting packet. You can run RadiusNT in
>-x15 debug mode to see examples of the NAS-Port numbers. RadiusNT will
>only update the records of the ServerPorts table, and will not create
>them.
>
>The CallsOnline view contains columns from both the Servers and
>ServerPorts table. It is simply a convenient way to read and manipulate
>data based on both of those tables. This view is used mainly for
>checking and updating the callsonline list, as noted below.
>
>When RadiusNT receives an authentication request and concurrency control
>is enabled, it will look at the number of entries in the CallsOnline
>view which match the username. If you do not have variable login limits
>enabled, then RadiusNT will default to only allowing the user to login
>one time. If you do have variable login limits enabled, then RadiusNT
>will only allow the user to login the number of times specified in the
>LoginLimit field. All other requests will be rejected.
>**********************************************************************************************
>
>It says :
>
>"To achieve this, you must add records into the ServerPorts table that
>match the ServerID from the Servers table, and the Port column which
>matches the NAS-Port attribute in the accounting packet"
>
>Add records ? what records ?
>What's the server ID from the call table ?
>Port column which matches the NAS-Port attribute ?
>
>I don't see how I can match those, the NAS-Port attribute for each call is
>simply the port number on which that call is being made ?
>
>Any help with this would be greatly appreciated as I have recently
>introduced an Unlimited Plan, and a few clients are trying to share one
>account.
>
>--
> ~GolSyd~
> ~GamesOnline Sydney~
>~ Internet Service Provider & Online Gaming ~
> "SPEED DOES MATTER"
> http://www.golsyd.net.au
> ftp://ftp.golsyd.net.au/
> admin@golsyd.net.au .
>
>
>

rabaut@hcc.cc.fl.us
Hillsborough Community College
P.O. Box 5096
Tampa, Florida 33675-5096
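
[Added example, not part of the original digest and not RadiusNT's own code: a sqlite3 model of the concurrency check that the quoted manual excerpt describes. Table and column names that appear in the digest are reused; the view definition, the columns stamped on ServerPorts and the two sample servers are assumptions. It shows that accounting from a NAS with no pre-created ServerPorts rows updates nothing, so sessions on that NAS never count against the login limit.]

```python
import sqlite3

# Assumed schema: only the names seen in the digest are taken from RadiusNT.
SCHEMA = """
CREATE TABLE Servers (ServerID INTEGER PRIMARY KEY, Server TEXT, IPAddress TEXT);
CREATE TABLE ServerPorts (ServerID INTEGER, Port INTEGER, UserName TEXT,
                          AcctStatusType INTEGER, PRIMARY KEY (ServerID, Port));
CREATE TABLE SubAccounts (Login TEXT PRIMARY KEY, LoginLimit INTEGER);
CREATE VIEW CallsOnline AS
  SELECT s.Server, s.IPAddress, p.Port, p.UserName, p.AcctStatusType
  FROM Servers s JOIN ServerPorts p ON p.ServerID = s.ServerID;
"""
START, STOP = 1, 2  # Acct-Status-Type values

def make_db():
    """Two constructed NASes: pm1 has port rows, pm2 deliberately has none."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Servers VALUES (?, ?, ?)",
                   [(1, "pm1", "192.0.2.1"), (2, "pm2", "192.0.2.2")])
    db.executemany("INSERT INTO ServerPorts VALUES (1, ?, NULL, NULL)",
                   [(port,) for port in range(4)])
    db.execute("INSERT INTO SubAccounts VALUES ('foo', 2)")
    return db

def accounting(db, nas_ip, nas_port, user, status):
    """Stamp the matching port row. Update only, never insert; returns rows touched."""
    cur = db.execute(
        "UPDATE ServerPorts SET UserName = ?, AcctStatusType = ? "
        "WHERE Port = ? AND ServerID = "
        "(SELECT ServerID FROM Servers WHERE IPAddress = ?)",
        (user if status == START else None, status, nas_port, nas_ip))
    return cur.rowcount

def may_login(db, user, variable_limits=False):
    """Allow the login while the online count is below the applicable limit."""
    online = db.execute(
        "SELECT COUNT(*) FROM CallsOnline WHERE UserName = ? AND AcctStatusType = 1",
        (user,)).fetchone()[0]
    limit = 1  # default when variable login limits are not enabled
    if variable_limits:
        row = db.execute("SELECT LoginLimit FROM SubAccounts WHERE Login = ?",
                         (user,)).fetchone()
        limit = row[0] if row else 1
    return online < limit

if __name__ == "__main__":
    db = make_db()
    print("pm1 start stamped rows:", accounting(db, "192.0.2.1", 0, "foo", START))
    print("second login allowed:", may_login(db, "foo"))
    db = make_db()
    print("pm2 start stamped rows:", accounting(db, "192.0.2.2", 0, "foo", START))
    print("second login allowed:", may_login(db, "foo"))
```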

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 9 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: RE: Problems with Proxy from Service
From: "Tony Schwartz" <tony@transport.com>
Date: Sun, 19 Jul 1998 16:37:08 -0700

Dale and Friends:

I actually got it to work after killing it off completely and reinstalling.

However, I find that from a unix box I can do a radpwtst (Merit test
program) and find success hitting the box. However from Merit's actual
server I get malformed packet errors all the time.

Any clues??

Tony

> -----Original Message-----
> From: radiusnt-request@iea-software.com
> [mailto:radiusnt-request@iea-software.com]On Behalf Of Dale E. Reed Jr.
> Sent: Sunday, July 19, 1998 10:55 AM
> To: radiusnt@iea-software.com
> Subject: Re: Problems with Proxy from Service
>
>
> Tony Schwartz wrote:
> >
> > I am making some progress in my eval of Enterprise proxying..
> >
> > My problem on an NT box using SQL, I can do proxy from Debug mode but not
> > from service mode. Any ideas??
>
> Have you verified that your DSN is a system DSN? What command
> line options are you using in debug mode? For the service to
> work the same, you should only be using the -x15 command line
> option. Does it work at all as a service (normal authentication)?
>
>
> --
> Dale E. Reed Jr. (daler@iea-software.com)
> _________________________________________________________________
> IEA Software, Inc. | RadiusNT, Emerald, and NT FAQs
> Internet Solutions for Today | http://www.iea-software.com
>

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 10 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Expire Date Problem
From: postman@cp-tel.net (Postman Account)
Date: Sun, 19 Jul 1998 20:22:06 -0500

We are currently in the process of upgrading to MS SQL server... and should be finishing up on Monday (hopefully).

But, I have noticed that our ma.ExpireDate no longer has any effect
on the account... users can still authenticate even if they are past the expiration date.

(Also, I noticed the Sub Account's sa.ExpireDate has been removed
in the latest Radius.)

Why isn't ma.ExpireDate working with MS SQL and RadiusNT 2.5124?

Please help!

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 11 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: TimeBank and USR NetServer
From: "2Day Internet" <peter@2day.net.nz>
Date: Mon, 20 Jul 1998 15:11:52 +1200

> We're having problems to put time-banking feature of RadiusNT working with USR
>NetServers. The problem is that the NAS doesn't hang up a call when the time
>left is over, resulting in values like -xxx in the TimeLeft column of
>SubAccounts table.

Not sure which Netserver product you refer to, but support for
session-timeout in Netserver/8i and Netserver/16i did not happen until v3.3

regards

Peter Mott
Chief Enthusiast
2Day Internet Limited.

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 12 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: SOLVED: Problems with Proxy from Service
From: "Tony Schwartz" <tony@transport.com>
Date: Sun, 19 Jul 1998 22:34:14 -0700

Sorry... A great case of RTFM...

I had to set malformed to on. A little more reading always helps.

Tony

> -----Original Message-----
> From: radiusnt-request@iea-software.com
> [mailto:radiusnt-request@iea-software.com]On Behalf Of Tony Schwartz
> Sent: Sunday, July 19, 1998 4:37 PM
> To: radiusnt@iea-software.com
> Subject: RE: Problems with Proxy from Service
>
>
> Dale and Friends:
>
> I actually got it to work after killing it off completely and
> reinstalling.
>
> However, I find that from a unix box I can do a radpwtst (Merit test
> program) and find success hitting the box. However from Merit's actual
> server I get malformed packet errors all the time.
>
> Any clues??
>
> Tony
>
>
>
> > -----Original Message-----
> > From: radiusnt-request@iea-software.com
> > [mailto:radiusnt-request@iea-software.com]On Behalf Of Dale E. Reed Jr.
> > Sent: Sunday, July 19, 1998 10:55 AM
> > To: radiusnt@iea-software.com
> > Subject: Re: Problems with Proxy from Service
> >
> >
> > Tony Schwartz wrote:
> > >
> > > I am making some progress in my eval of Enterprise proxying..
> > >
> > > My problem on an NT box using SQL, I can do proxy from Debug mode but not
> > > from service mode. Any ideas??
> >
> > Have you verified that your DSN is a system DSN? What command
> > line options are you using in debug mode? For the service to
> > work the same, you should only be using the -x15 command line
> > option. Does it work at all as a service (normal authentication)?
> >
> >
> > --
> > Dale E. Reed Jr. (daler@iea-software.com)
> > _________________________________________________________________
> > IEA Software, Inc. | RadiusNT, Emerald, and NT FAQs
> > Internet Solutions for Today | http://www.iea-software.com
> >
>

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 13 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: SOLVED: Problems with Proxy from Service
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Sun, 19 Jul 1998 23:44:37 -0700

Tony Schwartz wrote:
>
> Sorry... A great case of RTFM...
>
> I had to set malformed to on. A little more reading always helps.

So, we have Merit, Cisco, USR, and Livingston all sending malformed
packets. Is there ANYONE who can read an RFC and implement it
correctly. Man that is just downright depressing! :(

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com