Long-winded response with many examples and captures of test sessions coming up:

> Well, you are seeing two problems - the first was a "bug" in 2.14.1 in that
> only a single attribute would be handled by AddToReplyIfNotExist.

Alrighty. This is fixed in 2.15?

> However the second problem with what you are doing is that after the first
> insertion of the Ascend-Data-Filter, you then have an attribute of that name,
> and further additions with the same name will fail, by definition.

?? How do I send back multiple definitions of the same attribute? If I
set this up as a 'replyitem' (pulled from LDAP) it works fine. It's just
when it's being pulled from the configuration file that it fails.

How would you send back a complex data filter?

> I think you will have to send me a copy of your configuration file together
> with an explanation of what you are trying to do.

No problem. Here it is:

------config file-----------
<Realm mydomain.com>
        AuthByPolicy ContinueUntilAccept
        <AuthBy SQL>
                DBSource        dbi:Pg:dbname=radiator;host=10.0.0.1
                DBUsername
                DBAuth
                # by leaving 'AuthSelect' blank... no authentication is done
                AuthSelect
                AcctColumnDef   USERNAME,User-Name
                AcctColumnDef   TIME_STAMP,Timestamp,integer
                AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
                AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
                AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
                AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
                AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
                AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
                AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
                AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
                AcctColumnDef   NASPORT,NAS-Port,integer
                AcctColumnDef   ASYNCIPADDRESS,Framed-IP-Address
        </AuthBy>
        <AuthBy LDAP>
                HoldServerConnection
                NoDefaultIfFound
                Host localhost
                Port 389
                BaseDN ou=mydomain.com, o=mycompany
                UsernameAttr uid
                PasswordAttr userpassword
                AuthAttrDef netmask, Framed-IP-Netmask, reply
                ReplyAttr replyitems
                # the line currently in use: per-session defaults for users without replyitems
                AddToReplyIfNotExist Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0
                # the data filter under test (only the first Ascend-Data-Filter is sent)
                # AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 10.0.0.5",Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"
        </AuthBy>
</Realm>

---------------END-----------
The reasoning. The 'AddToReplyIfNotExist' that is not commented out is
the one I'm currently using (all attributes _ARE_ being returned
properly BTW). The commented one is the data filter that I was testing.
The only attribute that gets sent is the first one (which is bad because
it'll only forward established connections). What I _WANT_ to happen is
for an entire filter sequence to be sent to the NAS that says:

if it's an established connection, forward it
if the destination is 10.0.0.5, forward it
if the destination port is 25, drop it
forward everything else

The purpose of this is to restrict dialup users to only being able to
use designated SMTP relays. If I add this to an individual user and
allow it to be pulled in via ReplyAttr (from OpenLDAP):

uid=seames, ou=mydomain.com, o=mycompany
ou=mydomain.com
userpassword=supersecretpassword
gecos=Steve Ames
loginshell=/usr/local/bin/tcsh
protocol=PPP
uid=seames
homedirectory=/home/s/seames
enabled=1
replyitems=Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 10.0.0.5",Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"

This works just fine. All of the attributes are returned correctly and
in the order they appear:

winrad1# radpwtst -s 127.0.0.1 -secret supersecret -trace -user [EMAIL PROTECTED] -password supersecretpassword
Code:       Access-Request
Identifier: 211
Authentic:  1234567890123456
Attributes:
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = "<213>*S<191>U<190><8> K<230>Yze1<22><247>"
sending Access-Request...
OK
Code:       Access-Accept
Identifier: 211
Authentic:  <11>~<226><184>3<167><156>;<167>q=<241><196>o<218><224>
Attributes:
        Ascend-Data-Filter = ip in forward tcp est
        Ascend-Data-Filter = ip in forward dstip 10.0.0.5/32
        Ascend-Data-Filter = ip in drop tcp dstport = 25
        Ascend-Data-Filter = ip in forward
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Maximum-Time = 0

Works fine from a ReplyAttr. But if the account doesn't have the
ReplyAttr information and I, instead, want to insert it using
"AddToReplyIfNotExist" then it fails.

Help?

-Steve
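A small Python model of the two merge behaviours discussed in this thread, added here as an illustration and not Radiator's own code. It assumes the per-name semantics the quoted reply describes (AddToReplyIfNotExist skips any item whose attribute name is already in the reply) and contrasts it with an unconditional append; the attribute strings are the ones from the posted configuration, and the parser, the `smtp_restriction_is_enforced` check and the `build_reply` helper are constructed for this example. The check shows why the truncated reply matters: with only the first Ascend-Data-Filter present, the rule dropping TCP to port 25 and the catch-all forward never reach the NAS, so the intended filter chain is incomplete.

```python
"""Model of Radiator-style reply-attribute merging (added example, not Radiator's code)."""
import re
from typing import Callable, List, Tuple

Attr = Tuple[str, str]

# One `Name=value` or `Name="quoted value"` item, followed by a comma or end of string.
_ITEM = re.compile(r'\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')


def parse_attr_list(text: str) -> List[Attr]:
    """Parse 'A=1,B="x, y"' into [('A', '1'), ('B', 'x, y')], keeping order and duplicates."""
    items: List[Attr] = []
    pos = 0
    while pos < len(text):
        m = _ITEM.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse attribute list at offset {pos}: {text[pos:]!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        items.append((m.group(1), value))
        pos = m.end()
    return items


def add_to_reply_if_not_exist(reply: List[Attr], additions: List[Attr]) -> Tuple[List[Attr], List[Attr]]:
    """Per-name merge: skip any item whose attribute name is already in the reply.

    Presence is checked by name only, so a second Ascend-Data-Filter in the same
    list is skipped as soon as the first one has been added. Returns (reply, skipped).
    """
    merged = list(reply)
    present = {name for name, _ in merged}
    skipped: List[Attr] = []
    for name, value in additions:
        if name in present:
            skipped.append((name, value))
        else:
            merged.append((name, value))
            present.add(name)
    return merged, skipped


def add_to_reply(reply: List[Attr], additions: List[Attr]) -> Tuple[List[Attr], List[Attr]]:
    """Unconditional merge: every item is appended, so multi-valued attributes survive."""
    return list(reply) + list(additions), []


def _tokens(filter_text: str) -> List[str]:
    # Normalise 'dstport = 25' (as the NAS dictionary prints it) and 'dstport=25' alike.
    return re.sub(r"\s*=\s*", "=", filter_text).split()


def smtp_restriction_is_enforced(reply: List[Attr]) -> bool:
    """True only when the full chain is present in order: the rule dropping TCP
    to port 25 must appear, and a catch-all 'ip in forward' must follow it."""
    filters = [_tokens(v) for n, v in reply if n == "Ascend-Data-Filter"]
    drop_at = next((i for i, f in enumerate(filters)
                    if f == ["ip", "in", "drop", "tcp", "dstport=25"]), None)
    if drop_at is None:
        return False
    return any(f == ["ip", "in", "forward"] for f in filters[drop_at + 1:])


# Attribute strings from the posted configuration (FILTER_ITEMS is the commented-out line).
BASE_ITEMS = "Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0"
FILTER_ITEMS = ('Ascend-Data-Filter="ip in forward tcp est",'
                'Ascend-Data-Filter="ip in forward dstip 10.0.0.5",'
                'Ascend-Data-Filter="ip in drop tcp dstport=25",'
                'Ascend-Data-Filter="ip in forward"')

Policy = Callable[[List[Attr], List[Attr]], Tuple[List[Attr], List[Attr]]]


def build_reply(policy: Policy) -> Tuple[List[Attr], List[Attr]]:
    """Apply the base line and then the filter line with the given merge policy."""
    reply, _ = policy([], parse_attr_list(BASE_ITEMS))
    return policy(reply, parse_attr_list(FILTER_ITEMS))


if __name__ == "__main__":
    for policy in (add_to_reply_if_not_exist, add_to_reply):
        reply, skipped = build_reply(policy)
        print(f"{policy.__name__}: {len(skipped)} item(s) skipped, "
              f"restriction enforced = {smtp_restriction_is_enforced(reply)}")
        for name, value in reply:
            print(f"    {name} = {value}")
```

Running the block prints both outcomes: under the per-name policy three of the four filters are skipped and the check fails, while the plain append keeps all four in order and the check passes. The same check can be run over the attributes of a captured Access-Accept (as in the radpwtst trace above) to confirm that the NAS actually received the drop rule and not just the first line.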



===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
