Re: [RADIATOR] Accounting records are not written to database

2012-11-06 Thread rohan.henry
Thanks Hugh. It's working now!

The Socket6.pm module needed to be installed.

Tue Nov  6 09:28:28 2012: DEBUG: Handling request with Handler 
'NAS-Identifier="Juniper_E320_2"'
Tue Nov  6 09:28:28 2012: DEBUG: SQLSDB Deleting session for fritzsamuels1, 
208.138.43.125, 805307373
Tue Nov  6 09:28:28 2012: DEBUG: do query is: 'delete from ACTIVE_SESSIONS 
where USER_NAME='fritzsamuels1' and NAS_IP_ADDRESS='208.138.43.125' and 
NAS_PORT_ID='TenGigabitEthernet 3/0/0.941005:94-1005'': 
Tue Nov  6 09:28:28 2012: DEBUG: Query is: 'select 
NAS_IP_ADDRESS='208.138.43.125',NAS_PORT_ID='TenGigabitEthernet 
3/0/0.941005:94-1005',ACCT_SESSION_ID='erx TenGigabitEthernet 
3/0/0.941005:94-1005:1831600483' from ACTIVE_SESSIONS where 
USER_NAME='fritzsamuels1'': 
Tue Nov  6 09:28:28 2012: WARNING: SQLSDB Could not find a Client for NAS 1 to 
double-check Simultaneous-Use. Perhaps you do not have a reverse DNS for that 
NAS?
Tue Nov  6 09:28:28 2012: INFO: Access rejected for fritzsamuels1: MaxSessions 
exceeded

The CountQuery is like that since I expect only a single entry per user. 
Simultaneous-Use should be one (1).

Rohan

On Tue, 6 Nov 2012 16:28:01 +1100
 Hugh Irvine  wrote:
>
>Hello Rohan -
>
>To see what is happening with the crash you should run radiusd from the 
>command line so you can see the relevant Perl messages.
>
>Something like this (with your local pathnames):
>
>
>   /usr/bin/perl /usr/local/bin/radiusd -foreground -log_stdout -trace 4 
> -config_file /etc/radiator/radius.cfg
>
>
>BTW - I don't think your CountQuery is correct as it will never find all 
>existing sessions for that particular user.
>
>regards
>
>Hugh
>
>
>On 6 Nov 2012, at 09:30,  wrote:
>
>> Hugh,
>> 
>> re: server crash see config and log files attached.
>> 
>> Rohan
>> 
>> On Sat, 3 Nov 2012 09:06:44 +1100
>> Hugh Irvine  wrote:
>>> 
>>> Hello Rohan -
>>> 
>>> The easiest way to do this is to store only the Stop records, and calculate 
>>> the start time from the attributes present in the accounting stop request.
>>> 
>>> Something like this (the value is in epoch seconds):
>>> 
>>> Timestamp - Acct-Session-Time - Acct-Delay-Time
>>> 
>>> For the crash I will need to see the logfile that immediately precedes it 
>>> together with the configuration file you are using.
>>> 
>>> regards
>>> 
>>> Hugh
>>> 
>>> 
>>> On 3 Nov 2012, at 02:24,  wrote:
>>> 
>>>> Hugh,
>>>>
>>>> Now that records are being written to the database, I want a single record
>>>> per session that includes both Stop and Start times like below.
>>>>
>>>> User_Name, NAS_IP_Address, NAS_Port, Framed_IP_Address, Acct_Start_Time,
>>>> Acct_Stop_Time, Acct_Session_ID
>>>> jwilliams12 208.138.43.123 805306450 72.27.33.224 Nov 2, 2012 12:21:04 AM
>>>> Nov 2, 2012 1:21:16 AM, erx TenGigabitEthernet 3/0/0.37:123-82:1830880926
>>>>
>>>> So the record is added to the accounting database at the end of a session
>>>> and includes both Stop and Start times.
>>>>
>>>> Added to that is the issue I have where Radiator crashes when I try to use
>>>> the Simultaneous-Use features.
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, 2 Nov 2012 17:46:58 +1100
>>>> Hugh Irvine  wrote:
>>>>>
>>>>> Hello Rohan -
>>>>>
>>>>> Can you please explain exactly what you are trying to do?
>>>>>
>>>>> It is normal for you to get two records in your accounting table, as that
>>>>> is what you have configured.
>>>>>
>>>>> If you can tell us what you are trying to achieve we will be able to make
>>>>> sensible suggestions.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 2 Nov 2012, at 09:38,  wrote:
>>>>>
>>>>>> Thanks Michael,
>>>>>>
>>>>>> I was able to go further with the advice using the AuthByPolicy and
>>>>>> AuthBy GROUP under the existing Handler. Only that two records are added
>>>>>> to my accounting database for a single session - one at Start and one at
>>>>>> Stop.
>>>>>>
>>>>>>
>>>>>>  AddToRequest SERVICESTATUS = ACTIVE
>>>>>>  SessionDatabase SQLSDB
>>>>>> #   MaxSessions 1
>>>>>>  RejectHasReason
>>>>>>
>>>>>> AuthByPolicy ContinueAlways
>>>>>>  AuthBy SQLAccounting
>>>>>>
>>>>>>  AuthByPolicy ContinueWhileIgnore
>>>>>>  AuthBy xDSL
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Rohan
>>>>>>
>>>>>> On Thu, 01 Nov 2012 17:45:18 -0400
>>>>>> Michael  wrote:
>>>>>>
>>>>>>> Looks like your "AuthBy xDSL" is accepting, therefore since the default
>>>>>>> AuthByPolicy is ContinueWhileIgnore, it will stop at the xDSL authby
>>>>>>> and the "AuthBy SQLAccounting" is not processed.
>>>>>>>
>>>>>>> I personally handle accounting in a separate handler.  To me, handling
>>>>>>> accounting and authorization in the same handler is tricky.
>>>>>>>
>>>>>>> Michael
>>>>>>>
>>>>>>> On 01/11/12 05:07 PM, rohan.

[RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Qiu, Dennis
Hi,

I am new to Radiator. I installed Radiator 4.10 and started the daemon with perl 
c:\perl\bin\radiusd on my Windows 2008 server. I did not see the message "Radiator 
is now waiting for RADIUS requests to arrive".

I ran perl radpwtst -user mikem -password fred and got a "No reply" message. I am 
using radius.cfg from installation.

Can you let me know if I miss anything?

Thank you

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Alan Buxey
Check your radius.cfg file for config presence and what debug value you are 
running at. For initial work you might want to be running at level 4 or 5.

alan


Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Alan Buxey
Without ANY changes? Unless your server has the IP address that's the same as 
the config file you used...then that won't work.

The default config is a starting point, a basic block to build/construct from.

alan


Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Qiu, Dennis
Sorry, that is the only change I make.

The server IP matches BindAddress IP. See following ipconfig output.

C:\Perl\bin>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 144.211.2.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 144.211.2.248


I also notice radiusd is listening to the port 1812 and 1813.
C:\Program Files\Radiator>netstat -an | grep 18
  UDP    0.0.0.0:57183          *:*
  UDP    127.0.0.1:57185        *:*
  UDP    144.211.2.97:1812      *:*
  UDP    [::]:57184             *:*

C:\Program Files\Radiator>



For some unknown reason, radpwtst cannot connect to radiusd.

From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Tuesday, November 06, 2012 12:15 PM
To: Qiu, Dennis; radiator@open.com.au
Subject: Re: [RADIATOR] Radiator does not wait for RADIUS requests

Without ANY changes? Unless your server has the IP address that's the same as 
the config file you used...then that won't work.

The default config is a starting point, a basic block to build/construct from.

alan

Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Alan Buxey
Providing the correct shared secret when using radpwtst may help...

alan


Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Qiu, Dennis
I entered the correct password. Problem is caused by radiusd not responding to 
RADIUS request.

From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Tuesday, November 06, 2012 12:49 PM
To: Qiu, Dennis; radiator@open.com.au
Subject: Re: [RADIATOR] Radiator does not wait for RADIUS requests

Providing the correct shared secret when using radpwtst may help...

alan

Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread alan buxey
Hi,
>I entered the correct password. 

did you? All I have seen you say so far is that you used


perl radpwtst -user mikem -password fred -auth_port 1812 -trace 4


where's the shared secret for the client to talk to the RADIUS server?
radpwtst emulates a NAS rather than a real client edge device - so it needs
to have a shared secret

radpwtst -h



alan


Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Michael
and if the secret is wrong, i'm pretty sure it will show the connection 
in the debug logs.


On 06/11/12 02:38 PM, alan buxey wrote:
> Hi,
>> I entered the correct password.
> did you? All I have seen you say so far is that you used
>
>
> perl radpwtst -user mikem -password fred -auth_port 1812 -trace 4
>
>
> where's the shared secret for the client to talk to the RADIUS server?
> radpwtst emulates a NAS rather than a real client edge device - so it needs
> to have a shared secret
>
> radpwtst -h
>
>
>
> alan


Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread alan buxey
Hi,

>I use a generic radius.cfg from installation without any changes.
>Following is my radius.cfg file:

you are binding to an IP...so IIRC, RADIATOR will only bind to that IP
(if you used 0.0.0.0 then it'll bind to all interfaces, including 127.0.0.1
(localhost)

set the server IP address with radpwtst and you should see the request
come through nice and clear...i see you are already doing -auth_port 1812
(which is good...because if you don't, then it sends it to 1645 (the legacy
RADIUS port...it really shouldn't do that by default now)...and your
server is listening on port 1812 as you already said :-)

alan


Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread Qiu, Dennis
Hi Guys,

I figured it out. Apparently, radpwtst command does not work for me. But my 
networking devices can authenticate using my Radiator servers.

> -Original Message-
> From: Michael [mailto:ri...@vianet.ca]
> Sent: Tuesday, November 06, 2012 3:01 PM
> To: alan buxey
> Cc: Qiu, Dennis; radiator@open.com.au
> Subject: Re: [RADIATOR] Radiator does not wait for RADIUS requests
> 
> and if the secret is wrong, i'm pretty sure it will show the connection in 
> the debug
> logs.
> 
> 
> On 06/11/12 02:38 PM, alan buxey wrote:
> > Hi,
> >> I entered the correct password.
> > did you? All I have seen you say so far is that you used
> >
> >
> > perl radpwtst -user mikem -password fred -auth_port 1812 -trace 4
> >
> >
> > where's the shared secret for the client to talk to the RADIUS server?
> > radpwtst emulates a NAS rather than a real client edge device - so it needs
> > to have a shared secret
> >
> > radpwtst -h
> >
> >
> >
> > alan


Re: [RADIATOR] Accounting records are not written to database

2012-11-06 Thread Hugh Irvine

Hello Rohan -

The session database and the MaxSessions and/or Simultaneous-Use directives are 
designed to limit a particular user to some predetermined number of sessions at 
the same time (typically one).

To do this, Radiator maintains a state table in the session database of all 
sessions for which an accounting start has been received.

When the session ends, the session entry is removed from the session database, 
and Radiator also does a delete when a new access request is received as a 
housekeeping exercise.

You should check your use of the session database by testing using a call from 
a test user (and leaving it up), checking the entry in the session database, 
then making another call from the same test user and again checking what 
happens with the session database.

If simultaneous use is set to one, the first call should result in an entry 
being added to the session database, and the second call should result in a 
reject because there is already an entry present for that test user.

hope that helps

regards

Hugh


On 7 Nov 2012, at 01:57, rohan.he...@cwjamaica.com wrote:

> Thanks Hugh. It's working now!
> 
> The Socket6.pm module needed to be installed.
> 
> Tue Nov  6 09:28:28 2012: DEBUG: Handling request with Handler 
> 'NAS-Identifier="Juniper_E320_2"'
> Tue Nov  6 09:28:28 2012: DEBUG: SQLSDB Deleting session for fritzsamuels1, 
> 208.138.43.125, 805307373
> Tue Nov  6 09:28:28 2012: DEBUG: do query is: 'delete from ACTIVE_SESSIONS 
> where USER_NAME='fritzsamuels1' and NAS_IP_ADDRESS='208.138.43.125' and 
> NAS_PORT_ID='TenGigabitEthernet 3/0/0.941005:94-1005'': 
> Tue Nov  6 09:28:28 2012: DEBUG: Query is: 'select 
> NAS_IP_ADDRESS='208.138.43.125',NAS_PORT_ID='TenGigabitEthernet 
> 3/0/0.941005:94-1005',ACCT_SESSION_ID='erx TenGigabitEthernet 
> 3/0/0.941005:94-1005:1831600483' from ACTIVE_SESSIONS where 
> USER_NAME='fritzsamuels1'': 
> Tue Nov  6 09:28:28 2012: WARNING: SQLSDB Could not find a Client for NAS 1 
> to double-check Simultaneous-Use. Perhaps you do not have a reverse DNS for 
> that NAS?
> Tue Nov  6 09:28:28 2012: INFO: Access rejected for fritzsamuels1: 
> MaxSessions exceeded
> 
> The CountQuery is like that since I expect only a single entry per user. 
> Simultaneous-Use should be one (1).
> 
> Rohan
> 
> On Tue, 6 Nov 2012 16:28:01 +1100
> Hugh Irvine  wrote:
>> 
>> Hello Rohan -
>> 
>> To see what is happening with the crash you should run radiusd from the 
>> command line so you can see the relevant Perl messages.
>> 
>> Something like this (with your local pathnames):
>> 
>> 
>>  /usr/bin/perl /usr/local/bin/radiusd -foreground -log_stdout -trace 4 
>> -config_file /etc/radiator/radius.cfg
>> 
>> 
>> BTW - I don't think your CountQuery is correct as it will never find all 
>> existing sessions for that particular user.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 6 Nov 2012, at 09:30,  wrote:
>> 
>>> Hugh,
>>> 
>>> re: server crash see config and log files attached.
>>> 
>>> Rohan
>>> 
>>> On Sat, 3 Nov 2012 09:06:44 +1100
>>> Hugh Irvine  wrote:
 
>>>> Hello Rohan -
>>>>
>>>> The easiest way to do this is to store only the Stop records, and
>>>> calculate the start time from the attributes present in the accounting
>>>> stop request.
>>>>
>>>> Something like this (the value is in epoch seconds):
>>>>
>>>> Timestamp - Acct-Session-Time - Acct-Delay-Time
>>>>
>>>> For the crash I will need to see the logfile that immediately precedes it
>>>> together with the configuration file you are using.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 3 Nov 2012, at 02:24,  wrote:
>>>>
>>>>> Hugh,
>>>>>
>>>>> Now that records are being written to the database, I want a single
>>>>> record per session that includes both Stop and Start times like below.
>>>>>
>>>>> User_Name, NAS_IP_Address, NAS_Port, Framed_IP_Address, Acct_Start_Time,
>>>>> Acct_Stop_Time, Acct_Session_ID
>>>>> jwilliams12 208.138.43.123 805306450 72.27.33.224 Nov 2, 2012 12:21:04 AM
>>>>> Nov 2, 2012 1:21:16 AM, erx TenGigabitEthernet 3/0/0.37:123-82:1830880926
>>>>>
>>>>> So the record is added to the accounting database at the end of a session
>>>>> and includes both Stop and Start times.
>>>>>
>>>>> Added to that is the issue I have where Radiator crashes when I try to
>>>>> use the Simultaneous-Use features.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Fri, 2 Nov 2012 17:46:58 +1100
>>>>> Hugh Irvine  wrote:
>>>>>>
>>>>>> Hello Rohan -
>>>>>>
>>>>>> Can you please explain exactly what you are trying to do?
>>>>>>
>>>>>> It is normal for you to get two records in your accounting table, as
>>>>>> that is what you have configured.
>>>>>>
>>>>>> If you can tell us what you are trying to achieve we will be able to
>>>>>> make sensible suggestions.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 2 Nov 2012, at 09:38,  wrote:
>>>>>>
>>>>>>> Thanks Michael,
>>>>>>>
>>>>>>> I was able to go further with the advice using the AuthByPolicy
Re: [RADIATOR] Radiator does not wait for RADIUS requests

2012-11-06 Thread alan buxey
Hi,

> I figured it out. Apparently, radpwtst command does not work for me. But my 
> networking devices can authenticate using my Radiator servers.

answer for that in my previous email - your network devices are talking
to the real IP, not to 127.0.0.1 (on which the server is not listening).
point radpwtst to that IP and you'll get results

alan


[RADIATOR] tacacs+ and command auth

2012-11-06 Thread Murat Bilal
Hi all,

I wonder if Radiator supports tacacs protocol and command authorization. If so, 
can I install this scenario on a 2 node Linux (Ubuntu) MySQL cluster?

Thanks

MURAT BİLAL
Services Engineer

Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146
Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bi...@ericsson.com
www.ericsson.com

