Ascend Archive

Re: (ASCEND) radius accounting issue



On Sunday January 25, 1998, Troy Settle <rewt@i-Plus.net>
 had this to say about "(ASCEND) radius accounting issue":

> I'm working on some neat stuff dealing with radius accounting.  One of
> these things is setting up a web page where our users can go to see their
> connection stats (ie. connect speed, time spent online, disconnect
> causes, etc).
> 
> I've got things pretty much laid out the way I want them, but I'm having
> a problem authenticating users.

> One idea that seems
> good, is to do it based on IP address, looking at the most recent start
> record with the address in question.  GLITCH: not all start records
> include the assigned IP address.

On systems I administrate, the page which displays such statistics is only
accessible if you're online via the locally assigned IP's/subnets (i.e. a
local Portmaster/MAX). Then, and only then, will users be asked for
authentication (and only if they're asking for user-specific
information...like billing charges). 

> 
> Second option:  perl function or external bin to query the radius server
> with username/password to authenticate the user (I'm not sure I like
> this, but it should work fine).  Does anyone have some simple code in
> perl or C that will do this?
> 

There is a perl cgi  "out there" which gets the remote_addr of the
connecting host, then essentially connects to the Portmaster (easily
converted to work for a MAX) and looks up the associated username.  Since
the program was written before Livingston had SNMP OID's to get a
username, it used a program called "pmwho" to telnet to the
Portmaster...however it would be easy to change that routine to the
appropriate SNMP queries for the MAX.  Once you have the username for a
connecting IP address, do you really need to ask them for a password?  One
would assume that if you could correlate IP address with username that
whoever is on the other end must already know the password ;-)

I haven't seen the program for awhile, but you might want to check the
portmaster-users archives to get hints on writing your own program.

> Third option: you tell me...

Another idea:  create an htpasswd file OUTSIDE of your www data tree by
doing something like this as root:

	awk -F":" '{print $1":"$2}' < shadow_pw_file > .htaccess

This will only work if your (shadow password file) uses DES encryption.
You need to make damn sure your .htaccess file is unavailable to the
general populace on your machine (i.e. via FTP)  as well as to the
web-surfing public...and remember to remove system/privileged/staff
accounts from the file (assuming of course that your staff has free dialup
access and that you never login to the modems as root 8-)  If you're
really brave...you can add a cron job to do this once or twice/day...just
make sure the machine has no user shell access or ability to see the
/etc/crontab file.

> 
> --
>   Troy Settle <st@i-Plus.net>
>   Network Administrator, iPlus Internet Services
>   http://www.i-plus.net
> 
> BTW: For those of you interested, I'm logging the radius accounting
> information to a mysql database, and using perl cgi (for now) to query
> the db.  If you have some tools along these lines, I would be very
> interested in seeing them.  Also, if you are interested, I can post the
> one script I have so far.
> 

Which radius are you using?  Where'd the hack to use MYSQL come from (I've
seen several variations (Cistron, Merit, old Ascend (1.1.6)), but none for
the current stock Livingston Radius so far (yeah, I know this is the
Ascend-Users list...but I use Livingston's Radius with both MAXen and PM's
;-)

-- 
John-David Childs (JC612)       Enterprise Internet Solutions
System Administrator            @denver.net/Internet-Coach/@ronan.net
  & Network Engineer            1039 S. Parker Rd. #I-8 Denver, CO 80231
As of this^H^H^H^H next week, passwords will be entered in Morse code.
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>


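As an added example (not code from the post or its author), the awk one-liner above generalised into a script that applies the filtering the post recommends: it skips the named privileged/staff accounts, locked or empty entries, and any non-DES hash that a crypt()-based web authenticator could not verify, and writes the result with owner-only permissions. The shadow entries and file path are constructed for the example.

```python
"""Build an htpasswd-style file from shadow(5) entries, keeping only accounts
a crypt()-based web authenticator could verify and dropping the rest."""
import os
import re

# Constructed sample shadow entries; none of these hashes is from a real host.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:10000:0:99999:7:::
alice:abJnggxhB/yWI:10000:0:99999:7:::
bob:*:10000:0:99999:7:::
carol:!abJnggxhB/yWI:10000:0:99999:7:::
dave:$1$saltsalt$0123456789abcdefghijkl:10000:0:99999:7:::
staff1:xyJnggxhB/yWI:10000:0:99999:7:::
"""

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
# MD5 ($1$...) and later schemes do not match and are skipped, since the
# post notes the trick only works for DES-encrypted shadow files.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def shadow_to_htpasswd(shadow_text, exclude=()):
    """Return (htpasswd_text, skipped) where skipped lists (user, reason)."""
    kept, skipped = [], []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            skipped.append((line, "malformed"))
            continue
        user, pw_hash = fields[0], fields[1]
        if user in exclude:                      # system/privileged/staff
            skipped.append((user, "excluded"))
        elif not pw_hash or pw_hash[0] in "!*":  # locked or no password
            skipped.append((user, "locked or empty"))
        elif not DES_HASH.match(pw_hash):        # MD5 etc.: unusable here
            skipped.append((user, "non-DES hash"))
        else:
            kept.append(f"{user}:{pw_hash}")
    text = "\n".join(kept) + ("\n" if kept else "")
    return text, skipped

def write_htpasswd(path, text):
    """Write the file owner-read/write only; return the mode actually set."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # enforce 0600 regardless of the umask
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return os.stat(path).st_mode & 0o777
```

Keep the output outside the web data tree, as the post says, and pass the staff/system logins in `exclude` rather than trusting the hash format alone to weed them out.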