[RadiusNT Digest]

radiusnt-digest-request@iea-software.com
Fri, 28 Aug 1998 00:01:44 -0700

Message 1:
from Predrag_Janjic@simt.com.mk

Message 2: CallsOnline
from David Moore <dmoore@communitychoice.net>

Message 3: Error Log
from Edsonet <administrator@yellowhead.com>

Message 4: Re: Error Log
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 5: Re: CallsOnline
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 6: Re: User Restrictions
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 7: Re: Radius / SQL question for Calls Table
from "Dale E. Reed Jr." <daler@iea-software.com>

Message 8: RE: User Restrictions
from "Robert F. O'Connor" <sysadmin@metro.net>

Message 9: MTU Speeds
from "Thomas Spaulding" <tsplding@talweb.com>

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 1 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
From: Predrag_Janjic@simt.com.mk
Date: Thu, 27 Aug 1998 15:49:10 +0200

unsubscribe

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 2 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: CallsOnline
From: David Moore <dmoore@communitychoice.net>
Date: Thu, 27 Aug 1998 13:20:36 -0400

Is the CallsOnline table supposed to tell me who is online at the time? It
shows me all of the NASs and PORTs regardless of if it is being used or
not. Also, it shows the last user for each port. Is this correct? What
is this supposed to tell me? Nothing in this view seems to tell me if the
user is online or not.

The FramedAddress field in the ServerPorts and Calls tables are not being
updated? Should it be updated from that data passed from the NAS? It is
being passed as Framed-IP-Address, as in the RadAttributes table. Does
this make a difference? Does the name of the field matter?

To add attributes to the Calls table do I just add the field in SQL without
the dashes? Is the order of field important? Does it have to mirror the
order being passed to it?

Thanks

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 3 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Error Log
From: Edsonet <administrator@yellowhead.com>
Date: Thu, 27 Aug 1998 14:49:59 -0600

Dale;

Just for your info, the following keeps appearing in the log file several
times a day:

Thu Aug 27 14:34:38 1998: ODBC Error:S1000:-3702:
[Microsoft][ODBC Microsoft Access 97 Driver] Field 'RadLogs.Data' can't be
a zero-length string.
Thu Aug 27 14:34:38 1998: User: xxxxxxxx Bad Password

It is not really a problem, just a curiosity. I am assuming that the user
is logging in using PAP with a zero length password. I cannot tell from the
NAS log file since it shows him logging in and then out a short time later.
The resulting login attempt of course does not get recorded in the RadLogs
table.

J.A. Coutts
Systems Engineer
Edsonet/Travpro

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 4 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Error Log
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Thu, 27 Aug 1998 14:27:23 -0700

Edsonet wrote:
>
> Just for your info, the following keeps appearing in the log file several
> times a day:
>
> Thu Aug 27 14:34:38 1998: ODBC Error:S1000:-3702:
> [Microsoft][ODBC Microsoft Access 97 Driver] Field 'RadLogs.Data' can't be
> a zero-length string.
> Thu Aug 27 14:34:38 1998: User: xxxxxxxx Bad Password
>
> It is not really a problem, just a curiosity. I am assuming that the user
> is logging in using PAP with a zero length password. I cannot tell from the
> NAS log file since it shows him logging in and then out a short time later.
> The resulting login attempt of course does not get recorded in the RadLogs
> table.

This is a result of the user logging in w/out a password (just hitting
enter). I'll see what I can do about making RadiusNT pad a space or
something to prevent the error.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
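Added example, not part of the original messages and not RadiusNT code: since the empty-password attempts described in Messages 3 and 4 never reach the RadLogs table, this sketch recovers them from the text log by pairing each zero-length `RadLogs.Data` ODBC error with the Bad Password entry that follows it at the same timestamp. It assumes the log layout quoted above; the function names and the user names in the sample are made up.

```python
import re
from collections import Counter

# Timestamp prefix as quoted in the digest: "Thu Aug 27 14:34:38 1998: "
STAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (.*)$")
ZERO_LEN = "Field 'RadLogs.Data' can't be a zero-length string"
BAD_PW = re.compile(r"^User: (\S+) Bad Password$")

def entries(text):
    """Yield (timestamp, message); un-stamped lines continue the previous entry."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMP.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and line:
            current[1] += " " + line  # wrapped ODBC error text
    if current:
        yield tuple(current)

def unlogged_empty_password_attempts(text):
    """Count, per user, Bad Password entries directly preceded by the
    zero-length RadLogs.Data error carrying the same timestamp."""
    counts = Counter()
    prev = None
    for stamp, msg in entries(text):
        m = BAD_PW.match(msg)
        if m and prev and prev[0] == stamp and ZERO_LEN in prev[1]:
            counts[m.group(1)] += 1
        prev = (stamp, msg)
    return counts

# Constructed sample in the quoted format (user names are invented).
SAMPLE = """\
Thu Aug 27 14:34:38 1998: ODBC Error:S1000:-3702:
[Microsoft][ODBC Microsoft Access 97 Driver] Field 'RadLogs.Data' can't be
a zero-length string.
Thu Aug 27 14:34:38 1998: User: alice Bad Password
Thu Aug 27 15:02:11 1998: User: bob Bad Password
Thu Aug 27 16:40:05 1998: ODBC Error:S1000:-3702: [Microsoft][ODBC Microsoft Access 97 Driver] Field 'RadLogs.Data' can't be a zero-length string.
Thu Aug 27 16:40:05 1998: User: alice Bad Password
"""

if __name__ == "__main__":
    print(dict(unlogged_empty_password_attempts(SAMPLE)))
```
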

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 5 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: CallsOnline
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Thu, 27 Aug 1998 14:53:17 -0700

David Moore wrote:
>
> Is the CallsOnline table supposed to tell me who is online at the time? It
> shows me all of the NASs and PORTs regardless of if it is being used or
> not. Also, it shows the last user for each port. Is this correct? What
> is this supposed to tell me? Nothing in this view seems to tell me if the
> user is online or not.

If the AcctStatusType field is 1, then the user is online. Otherwise
they are not.

> The FramedAddress field in the ServerPorts and Calls tables are not being
> updated? Should it be updated from that data passed from the NAS? It is
> being passed as Framed-IP-Address, as in the RadAttributes table. Does
> this make a difference? Does the name of the field matter?

The attribute name should be Framed-Address. This could be an
old dictionary? Changing the name should correct the problem.

> To add attributes to the Calls table do I just add the field in SQL without
> the dashes? Is the order of field important? Does it have to mirror the
> order being passed to it?

Order is not important, but it must match the type from the
RadAttributes table (0=string, 1=int, 2=ip/, etc where 0 and 2 are a
varchar and 1 is an int in SQL).

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 6 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: User Restrictions
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Thu, 27 Aug 1998 17:22:10 -0700

Robert F. O'Connor wrote:
>
> Is the HTML (online) version of the documentation different from the
> downloadable one? The "Authentication Process" list is there, but the
> additional paragraphs are not. I had not previously downloaded the Word

The HTML documentation on the website is for RadiusNT 2.2. The RadiusNT
2.5 documentation is available from our FTP site in Word97 format. We
are working to put it into HTML format.

> document, since the HTML was more convenient. By themselves, items 9 and 10
> don't very explicitly get that point across. In addition, the inclusion of
> the "User-Service" and "Framed-Protocol" entries under the ISDN profile-type
> in RadATConfigs would seem to suggest the cumulative assumption, since ISDN
> profiles wouldn't generally be very useful without user-specific attributes.

A lot of the ISDN equipment looks just like a normal user. Most newer
gear does NAT, can take a dynamic IP Address, etc. Routing a subnet
(whether over ISDN or dialup) is completely different. The defaults are
just that, defaults. They are not meant to be a complete solution to
all possibilities.

> Regardless, I would suggest that a future version of RADIUS include the
> option of RadATConfigs and RadConfigs being either exclusive (the default)
> or cumulative. The cumulative option would save a lot of work and, I
> suppose, space and, if profile types are defined carefully and the
> attributes in RadAtConfigs are wisely chosen, in my user profiles at least,
> it is the extremely rare exception that would need to override those
> "default" settings, even when most or all profiles have custom attributes.

This is something that we have looked at for a while. Unfortunately,
it's NOT a trivial thing to do. What happens if you have conflicting
attributes? For example, Framed-Address would almost always conflict,
since the RadATConfigs should have a 255.255.255.254 setting to tell
the NAS to assign an address. On a per-attribute basis, the answer
could be, include the RadConfigs entry or include both. We chose
the current implementation because there is NO grey area of confusion
on how to interpret which attributes the user gets. Adding the ability
to join the two based on some sort of rules complicates this and adds
support nightmares for us, because people simply have to play with an
option that is available, whether they understand it or not. :(

I'm very open and willing to listen to suggestions, but I want the
whole picture to be in the clear when discussing adding options.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 7 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: Re: Radius / SQL question for Calls Table
From: "Dale E. Reed Jr." <daler@iea-software.com>
Date: Thu, 27 Aug 1998 17:29:52 -0700

Josh Hillman wrote:
>
> > Also, is there a command to automate the deletion process... such
> > as a variable... or statement... to delete the previous month's call
> > data?
> > ...as opposed to having to specify the previous month by name.
>
> I typically keep 2 to 3 months worth of Calls data (excluding Start
> records). Typically once a month, I manually run "DELETE FROM Calls WHERE
> CallDate < '6/1/98'"
>
> On a nightly basis (at 12:30am), I have SQL's Scheduled Task manager run
> the following CmdExec command:
> isql -n -E -Sservername -i\\servername\sql-script-path\Calls-Cleanup.sql
>
> The "Calls-Cleanup.sql" script is below:
>
> /* Delete START and null records from Calls table older than one day */
>
> DELETE FROM Calls
> WHERE (AcctStatusType = 1 OR UserName = 'null')
> AND DateDiff(Day, CallDate, GetDate()) > 1
> GO

You can just have SQL Executive execute that TSQL directly
rather than calling isql to do it. Should be faster, less overhead and
is modifiable from any EM.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 8 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: RE: User Restrictions
From: "Robert F. O'Connor" <sysadmin@metro.net>
Date: Thu, 27 Aug 1998 20:51:49 -0700

> From: radiusnt-request@iea-software.com
> [mailto:radiusnt-request@iea-software.com]On Behalf Of Dale E. Reed Jr.
>
> Robert F. O'Connor wrote:
> >
> > Is the HTML (online) version of the documentation different from the
> > downloadable one? The "Authentication Process" list is there, but the
> > additional paragraphs are not. I had not previously downloaded the Word
>
> The HTML documentation on the website is for RadiusNT 2.2. The RadiusNT
> 2.5 documentation is available from our FTP site in Word97 format. We
> are working to put it into HTML format.

I see that at the top of the documentation page (much forehead slapping),
but you might want to add the specific version info on the support.html
page where you describe the links so the difference is more obvious.

>
> > document, since the HTML was more convenient. By themselves, items 9 and 10
> > don't very explicitly get that point across. In addition, the inclusion of
> > the "User-Service" and "Framed-Protocol" entries under the ISDN profile-type
> > in RadATConfigs would seem to suggest the cumulative assumption, since ISDN
> > profiles wouldn't generally be very useful without user-specific attributes.
>
> A lot of the ISDN equipment looks just like a normal user. Most newer
> gear does NAT, can take a dynamic IP Address, etc. Routing a subnet
> (whether over ISDN or dialup) is completely different. The defaults are
> just that, defaults. They are not meant to be a complete solution to
> all possibilities.

All of our ISDN accounts are authenticated routed subnets over an Ascend MAX
so a defaults table is where I would put lots of stuff like
"Ascend-Require-Auth=Require-Auth", etc., or for dial-outs and routes,
"Password=ascend", etc.

Also, for dialups, it would be nice to add a fixed IP to a particular user
without having to remember to go back and add things like User-Service and
Idle-Timeout and Session-Timeout.

Changes in policy would not have to be applied individually to all the
special cases and scripting is easier if adding an attribute doesn't require
checking to see if the RadATConfigs duplication was already done.

>
> > Regardless, I would suggest that a future version of RADIUS include the
> > option of RadATConfigs and RadConfigs being either exclusive (the default)
> > or cumulative. The cumulative option would save a lot of work and, I
> > suppose, space and, if profile types are defined carefully and the
> > attributes in RadAtConfigs are wisely chosen, in my user profiles at least,
> > it is the extremely rare exception that would need to override those
> > "default" settings, even when most or all profiles have custom attributes.
>
> This is something that we have looked at for a while. Unfortunately,
> it's NOT a trivial thing to do. What happens if you have conflicting
> attributes? For example, Framed-Address would almost always conflict,
> since the RadATConfigs should have a 255.255.255.254 setting to tell
> the NAS to assign an address. On a per-attribute basis, the answer
> could be, include the RadConfigs entry or include both. We chose
> the current implementation because there is NO grey area of confusion
> on how to interpret which attributes the user gets. Adding the ability
> to join the two based on some sort of rules complicates this and adds
> support nightmares for us, because people simply have to play with an
> option that is available, whether they understand it or not. :(

As is the default now, if a user wants to stupidly have three versions of
the same attribute with different values, nothing is stopping him.
Similarly, you could (by default) just let the user make the mistake and
figure out what's wrong. You could then add the explicit alternatives to
that of 1: Custom attributes override defaults; and 2) Defaults always
prevail.

Actually a default of "custom overrides" would allow those who already
duplicate default RadATConfigs to turn on a "RadATConfigs applies to all"
option without breaking anything, and might be a little more forgiving to
the bonehead user who doesn't get it. And come to think of it, would allow
exceptions to policies to be easier to implement (e.g., for user
"bigdownload", Session-Timeout=8 instead of 6, but everything else the
same).

>
> I'm very open and willing to listen to suggestions, but I want the
> whole picture to be in the clear when discussing adding options.
>
> --
> Dale E. Reed Jr. (daler@iea-software.com)
> _________________________________________________________________
> IEA Software, Inc. | RadiusNT, Emerald, and NT FAQs
> Internet Solutions for Today | http://www.iea-software.com
>

-Robert F. O'Connor
System Administrator, Metro.Net
sysadmin@metro.net
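Added example, not part of the original messages and not RadiusNT code: a small model of the merge options debated in Messages 6 and 8, showing the Framed-Address conflict a plain cumulative merge produces and how "custom overrides" avoids it. The exact behaviour of the exclusive mode (user list if present, otherwise the account-type defaults), the function and policy names, and every attribute value except 255.255.255.254 and the Session-Timeout values 6 and 8 are assumptions.

```python
# Hypothetical model of the merge policies discussed above.
def resolve(defaults, custom, policy):
    """Return the reply attribute list for one user.

    defaults: (name, value) pairs for the account type (RadATConfigs role)
    custom:   (name, value) pairs for the user (RadConfigs role)
    policy:   'exclusive'        -> custom list if present, else defaults (assumed)
              'cumulative'       -> both lists, conflicts left in place
              'custom-overrides' -> defaults minus names the user sets, plus custom
              'defaults-prevail' -> defaults, plus custom names the defaults lack
    """
    if policy == "exclusive":
        return list(custom) if custom else list(defaults)
    if policy == "cumulative":
        return list(defaults) + list(custom)
    if policy == "custom-overrides":
        names = {n for n, _ in custom}
        return [(n, v) for n, v in defaults if n not in names] + list(custom)
    if policy == "defaults-prevail":
        names = {n for n, _ in defaults}
        return list(defaults) + [(n, v) for n, v in custom if n not in names]
    raise ValueError(policy)

def conflicts(attrs, single_valued):
    """Single-valued attribute names that appear with more than one value."""
    seen = {}
    for n, v in attrs:
        seen.setdefault(n, set()).add(v)
    return sorted(n for n, vals in seen.items()
                  if n in single_valued and len(vals) > 1)

# Constructed sample data.
SINGLE = {"Framed-Address", "Session-Timeout", "Idle-Timeout", "User-Service"}
DEFAULTS = [("User-Service", "Framed-User"), ("Framed-Protocol", "PPP"),
            ("Framed-Address", "255.255.255.254"), ("Session-Timeout", "6")]
FIXED_IP = [("Framed-Address", "10.0.0.5")]    # user with a fixed IP
BIGDOWNLOAD = [("Session-Timeout", "8")]       # the policy exception

if __name__ == "__main__":
    for policy in ("exclusive", "cumulative", "custom-overrides"):
        reply = resolve(DEFAULTS, FIXED_IP, policy)
        print(policy, reply, "conflicts:", conflicts(reply, SINGLE))
```
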

..------ ------ ------ ------ ------ ------ ------ ------ ------ ------.
| Message 9 |
'------ ------ ------ ------ ------ ------ ------ ------ ------ ------'
Subject: MTU Speeds
From: "Thomas Spaulding" <tsplding@talweb.com>
Date: Fri, 28 Aug 1998 01:35:45 -0400

I was just reading an article that says the MTU setting should be lowered
from 1500 to 576. Should I do this? What problems could be expected? I
have USR-TCH's and Radius .60 running MS-Access.

Thank you.

BTW, is there a web archive of these letters?

Thomas Spaulding http://www.talweb.com/tsplding
Staff@TalWeb.com http://www.talweb.com/