Re: Single username/shell/ppp/etc (now REALLY long)

David Carmean (dave@west.net)
Thu, 28 Dec 1995 20:23:29 -0800 (PST)

On Thu, 28 Dec 1995, Andrew J. Doane wrote:

> I'm still having problems with this...
>
> I am using MERIT radius, trying to get a single username to work for
> both shell and PPP.
>
> The user gets:
>
> host:
> login:
> password:
>
> if host: is PPP, they get PPP. Radius debug reports this working properly.
> if host: is an internet host (or cname shell, etc.) they SHOULD get
> an rlogin session. Radius debug reports sending rlogin to the portmaster,
> but the portmaster STILL goes into PPP.
>
> If I make it TELNET instead of rlogin, THAT works... go figure.

---

I JUST NOW tested version 2.4.16 with PAP for the first time,
and it worked fine.

The Livingston RADIUS we're currently using had been hacked
by somebody to select the Service-Type by a method of "service:username",
where service = { "" | "ppp" | "slip" } for a tty (rlogin or pmd),
PPP, or SLIP connection, respectively.

I've modified Stuart Lynne's "user%service" patches to the Merit
distribution to do this, so existing users can migrate or not as they
choose, and new users can use PAP.

This is also the first time I've used Windoze 95 dial-up networking
with PAP.

I'm still dialing in my setup, and it's a little convoluted right
now in an attempt to set up a default packet filter for regular and
mail-only users with the minimum number of user file entries, but I hope
you can get some useful info from it anyway:

---

1: My portmasters are not configured to prompt for a host...
I *think* this is accomplished by setting the default login host in the
global settings, setting the port's host to "default", and disabling
pass-through login. Seems like this would be irrelevant for PAP logins.

2: My radius.debug file does indeed show that the Portmaster supplied
a "Service-Type = Framed" and a "Framed-Protocol = PPP" hint in the
request (This was a PAP attempt):

gen_valpairs: entered
User-Name = "dave"
User-Password = "...."
NAS-IP-Address = "205.254.224.17"
NAS-Port = 4
Service-Type = Framed
Framed-Protocol = PPP

3: Request is matched by default entry in users file, with
"Authentication-Type = Realm" as defined in DEFAULT entry. Since the
Service-Type attribute was already present, it did not match on the
"pppuser" entry.

4: My setup then goes through two different Realms, to check if PPP
access has been disabled for this user, or if it is a mail-only user, and to
leave it with the proper filter to use. If you don't need to do this,
you may be able to change the DEFAULT Authentication-Type to Unix-PW.

5: Request matches the DEFAULT in both subsequent realms and is
left with the proper filter (I had to add a few lines to retrieve the last
User-Realm pushed onto the current_request) and the Ack is returned to
the PM.

send_reply: entered: result = 0
Service-Type = Framed
Framed-Protocol = PPP
send_reply: Authentication Ack for id 67 of type 1 to cdfee011 (205.254.224.17)

---

I also verified that without PAP, I got no "hints" at all from the
Portmaster, and I DID get a match on the "dumbuser" profile.

(Portmasters are all running ComOS 3.1.4).

---

If you like, I can send you the users and authfile files,
but you'll have to extrapolate to your setup because mine depend on
some of the features from Stuart's patches, and my hacks. But they
may help.

The main issue seems to be that you're not getting the
service hints. Are you *sure* that you're hitting the Portmaster with
PPP packets right away so it supplies that hint? Try setting the default
host if you can...although I would think it would be ignored in a PPP/PAP
attempt.

Good luck....my next hurdle is getting the LAS_NO_HGAS
stuff working to control simultaneous uses. I'm trying to figure
out how to debug the state-machine implemented in fsm.c.

--
David Carmean				WestNet Communications, Inc.
System/Network Administrator		7 W. Figueroa St, Suite 20
WestNet Communications, Inc.		Santa Barbara, CA, 93101, USA
<dave@west.net>				(805)892-2133, fax: (805)892-2135
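An added illustration, not Merit or Livingston RADIUS code, of the two mechanisms the mail turns on: a NAS-supplied Service-Type/Framed-Protocol hint (or, failing that, the "service:username" decoration) deciding whether the request is a framed or a tty login, and users-file-style entries being matched in order. The prefix map, the entry list and the attribute values in it are constructed for the example.

```python
# Added illustration, not Merit or Livingston RADIUS code: derive
# Service-Type/Framed-Protocol from the NAS hint or the "service:username"
# decoration, then match users-file-style entries in order.

# Hypothetical prefix map for the "" | "ppp" | "slip" convention in the mail.
SERVICE_PREFIXES = {"": None, "ppp": "PPP", "slip": "SLIP"}

def split_decorated_user(user_name):
    """Return (bare_username, framed_protocol). No prefix means a tty login.
    Unknown prefixes are rejected instead of silently becoming shell logins."""
    if ":" not in user_name:
        return user_name, None
    prefix, _, bare = user_name.partition(":")
    prefix = prefix.lower()
    if prefix not in SERVICE_PREFIXES or not bare:
        raise ValueError("bad service prefix in %r" % user_name)
    return bare, SERVICE_PREFIXES[prefix]

def apply_hints(request):
    """Copy of the request with User-Name reduced to the bare name (what the
    password lookup should use) and Service-Type/Framed-Protocol filled in.
    A hint the NAS already sent (as the PAP PortMaster does) wins; otherwise
    the decoration decides; a plain name stays a tty login."""
    req = dict(request)
    bare, proto = split_decorated_user(req["User-Name"])
    req["User-Name"] = bare
    if "Service-Type" not in req and proto is not None:
        req["Service-Type"] = "Framed"
        req["Framed-Protocol"] = proto
    return req

# Constructed users-file-like entries. The first match wins, as in the real
# file, so the catch-all tty entry must come last.
USERS = [
    {"name": "DEFAULT", "check": {"Framed-Protocol": "PPP"},
     "reply": {"Service-Type": "Framed", "Framed-Protocol": "PPP",
               "Filter-Id": "std.ppp"}},
    {"name": "DEFAULT", "check": {"Framed-Protocol": "SLIP"},
     "reply": {"Service-Type": "Framed", "Framed-Protocol": "SLIP"}},
    {"name": "DEFAULT", "check": {},
     "reply": {"Service-Type": "Login", "Login-Service": "Rlogin"}},
]

def authorize(request, users=USERS):
    """Return (bare_username, reply items) from the first entry whose name
    and check items all match the hinted request; None if nothing matches."""
    req = apply_hints(request)
    for entry in users:
        if entry["name"] not in ("DEFAULT", req["User-Name"]):
            continue
        if all(req.get(k) == v for k, v in entry["check"].items()):
            return req["User-Name"], dict(entry["reply"])
    return None
```

With the NAS hint present the decoration is ignored, so a PAP dial-up that already says Framed/PPP lands on the PPP entry whatever the user typed; without any hint a bare name falls through to the rlogin entry, which is the behaviour the debugging in the mail is trying to reproduce.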