Hi Michael -

Very nice.

BTW - there are a number of custom RADIUS attributes that are available for 
this sort of thing in the OSC vendor-specifics in the standard dictionary.

…..

#
# Open System Consultants VSA's for carrying user data
# from AuthBy PAM etc. OSC-AVPAIR is used to pass private data
# between instances of Radiator
#
VENDOR          OSC     9048
VENDORATTR      9048    OSC-AVPAIR                      0 string
VENDORATTR      9048    OSC-Uid                         1 integer
VENDORATTR      9048    OSC-Gid                         2 integer
VENDORATTR      9048    OSC-Home                        3 string
VENDORATTR      9048    OSC-Shell                       4 string
VENDORATTR      9048    OSC-Integrity-Message           5 binary

# Experimental presence indicators, used to indicate whether and
# where the user was last logged in. Used by AuthPRESENCESQL.pm
VENDORATTR      9048    OSC-User-Presence-Indicator     6 integer
VENDORATTR      9048    OSC-User-Presence-Location      7 string
VENDORATTR      9048    OSC-User-Presence-Timestamp     8 integer

VENDORATTR      9048    OSC-Client-Identifier           9 string
VENDORATTR      9048    OSC-Service-Identifier          10 string
VENDORATTR      9048    OSC-Customer-Identifier         11 string
VENDORATTR      9048    OSC-Provider-Identifier         12 string
VENDORATTR      9048    OSC-Environment-Identifier      13 string
VENDORATTR      9048    OSC-Version-Identifier          14 string
VENDORATTR      9048    OSC-Session-Identifier          15 string
VENDORATTR      9048    OSC-Device-Identifier           16 string
VENDORATTR      9048    OSC-User-Identifier             17 string
VENDORATTR      9048    OSC-Group-Identifier            18 string
VENDORATTR      9048    OSC-Acct-Input-Octets-64        19 integer64
VENDORATTR      9048    OSC-Acct-Output-Octets-64       20 integer64
VENDORATTR      9048    OSC-Authorize-Group             21 string

VALUE           OSC-User-Presence-Indicator NotPresent  0
VALUE           OSC-User-Presence-Indicator Present     1
VALUE           OSC-User-Presence-Indicator Unsure      2

# Attributes to help exporting information from SIM/USIM authentication
VENDORATTR      9048    OSC-SIM-IMSI            80 string
VENDORATTR      9048    OSC-SIM-MSIDSN          81 string
VENDORATTR      9048    OSC-SIM-Identity        82 string
VENDORATTR      9048    OSC-SIM-TMSI            83 string
VENDORATTR      9048    OSC-SIM-FastReauthId    84 string
VENDORATTR      9048    OSC-SIM-Method          85 integer

VALUE           OSC-SIM-Method          EAP-SIM         18
VALUE           OSC-SIM-Method          EAP-AKA         23
VALUE           OSC-SIM-Method          EAP-AKA-PRIME   50

# The following are derived from Tacacs+ requests per draft-grant-tacacs-02
VENDORATTR      9048    OSC-TACACS-Action               100 integer
VENDORATTR      9048    OSC-TACACS-Privilege-Level      101 integer
VENDORATTR      9048    OSC-TACACS-Authen-Type          102 integer
VENDORATTR      9048    OSC-TACACS-Service              103 integer
VENDORATTR      9048    OSC-TACACS-Authen-Method        104 integer

VALUE           OSC-TACACS-Action                       Login           1
VALUE           OSC-TACACS-Action                       Chpass          2
VALUE           OSC-TACACS-Action                       Sendpass        3
VALUE           OSC-TACACS-Action                       Sendauth        4

VALUE           OSC-TACACS-Privilege-Level              Max             15
VALUE           OSC-TACACS-Privilege-Level              Root            15
VALUE           OSC-TACACS-Privilege-Level              User            1
VALUE           OSC-TACACS-Privilege-Level              Min             0

VALUE           OSC-TACACS-Authen-Type                  ASCII           1
VALUE           OSC-TACACS-Authen-Type                  PAP             2
VALUE           OSC-TACACS-Authen-Type                  CHAP            3
VALUE           OSC-TACACS-Authen-Type                  ARAP            4
VALUE           OSC-TACACS-Authen-Type                  MSCHAP          5

VALUE           OSC-TACACS-Service                      None            0
VALUE           OSC-TACACS-Service                      Login           1
VALUE           OSC-TACACS-Service                      Enable          2
VALUE           OSC-TACACS-Service                      PPP             3
VALUE           OSC-TACACS-Service                      ARAP            4
VALUE           OSC-TACACS-Service                      PT              5
VALUE           OSC-TACACS-Service                      RCMD            6
VALUE           OSC-TACACS-Service                      X25             7
VALUE           OSC-TACACS-Service                      NASIq           8
VALUE           OSC-TACACS-Service                      FWPROXY         9

VALUE           OSC-TACACS-Authen-Method                Not_Set         0
VALUE           OSC-TACACS-Authen-Method                None            1
VALUE           OSC-TACACS-Authen-Method                KRB5            2
VALUE           OSC-TACACS-Authen-Method                Line            3
VALUE           OSC-TACACS-Authen-Method                Enable          4
VALUE           OSC-TACACS-Authen-Method                Local           5
VALUE           OSC-TACACS-Authen-Method                TACACSPLUS      6
VALUE           OSC-TACACS-Authen-Method                Guest           8
VALUE           OSC-TACACS-Authen-Method                RADIUS          16
VALUE           OSC-TACACS-Authen-Method                KRB4            17
VALUE           OSC-TACACS-Authen-Method                RCMD            32

…..

Of course you can use OSC-AVPAIR for anything at all, and you can use the 
others as you see fit.

regards

Hugh


> On 5 Feb 2015, at 10:20, Michael <ri...@vianet.ca> wrote:
> 
> 
> 
> I personally log COA/POD requests using a very custom method.  This may 
> not be desirable for others.  I do this by, after processing the COA/POD 
> normally, passing it to an AuthBy config that essentially changes it to an 
> Accounting-Request packet, populates a few extra values, then passes it 
> to my normal accounting log AuthBy.  This also requires adding custom 
> values to the dictionary file.
> 
> 
> <AuthBy GROUP>
>         Identifier convert2accounting
> 
>         <AuthBy INTERNAL>
>                 OtherHook sub {\
>                   # some fancy code here.
>                 }
>         </AuthBy>
> 
>         # Now that this packet has been converted to an accounting packet,
>         # it is ready to be logged. Pass it to the accounting log AuthBy.
>         AuthBy accounting_log
> </AuthBy>
> 
> 
> An example result is something like this:
> 
> +----------+---------------------+--------+-----------+--------------+
> | username | timestamp           | type   | sess_time | term_cause   |
> +----------+---------------------+--------+-----------+--------------+
> | username | 2015-01-05 15:04:09 | login  |      NULL | NULL         |
> | username | 2015-01-05 16:46:03 | info   |      NULL | rate-change  |
> | username | 2015-01-05 16:47:02 | info   |      NULL | kick-request |
> | username | 2015-01-05 16:47:02 | logout |      6173 | Admin-Reset  |
> +----------+---------------------+--------+-----------+--------------+
> 
> 
> 
> 
> 
> On 04/02/15 05:57 PM, Hugh Irvine wrote:
>> Hello -
>> 
>> As COA is not an authentication, it therefore follows that it will not be 
>> logged by an AuthLog clause.
>> 
>> To see what happens with a COA you will need to look at the log file (not 
>> the authlog file).
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>>> On 4 Feb 2015, at 20:49, ONRUBIA AVILES Carlos (SPC/CSP) 
>>> <carlos.onrubia.avi...@proximus.com> wrote:
>>> 
>>> Dear all,
>>> 
>>> I have the following problem:
>>> 
>>> I can log authentication with the configuration here below, it works 
>>> correctly.
>>> 
>>> But if I use event_log identifier to log a COA (and not a normal 
>>> Access-Request with Accept or Reject), nothing happens.
>>> 
>>> Can you indicate to me how to log a COA with the answer (ACK or NACK)?
>>> 
>>> Thanks in advance,
>>> 
>>> <Handler User-Name = ABCD>
>>>     AuthBy              toto
>>>     AuthLog             event_log
>>> </Handler>
>>> 
>>> <AuthLog FILE>
>>>     Identifier          event_log
>>>     Filename            %L/event_auth.log
>>>     SuccessFormat       %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,%a,,PASS,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,
>>>     FailureFormat       %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,none,,FAIL,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,%1
>>>     LogSuccess          1
>>>     LogFailure          1
>>> </AuthLog>
>>> 
>>> _______________________________________________
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> --
>> 
>> Hugh Irvine
>> h...@open.com.au
>> 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER, SIM, etc.
>> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
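
Added example (not part of the original thread, and not Radiator code): how the VENDORATTR lines quoted in the message above map onto the RFC 2865 Vendor-Specific attribute (type 26) on the wire, so a log consumer can recognise an event tag carried in OSC-AVPAIR. The function names are illustrative and the sample value `event=kick-request` is constructed.

```python
import struct

# Constructed sample: a few lines copied from the OSC dictionary quoted above.
OSC_DICT = """\
VENDOR          OSC     9048
VENDORATTR      9048    OSC-AVPAIR                      0 string
VENDORATTR      9048    OSC-Acct-Input-Octets-64        19 integer64
VENDORATTR      9048    OSC-TACACS-Privilege-Level      101 integer
"""
VENDOR_SPECIFIC = 26                            # RFC 2865 attribute type for VSAs
PACKERS = {"integer": ">I", "integer64": ">Q"}  # big-endian on the wire

def load_dictionary(text):
    """Map (vendor_id, attr_number) -> (name, type) from VENDORATTR lines."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {(int(f[1]), int(f[3])): (f[2], f[4])
            for f in rows if len(f) == 5 and f[0] == "VENDORATTR"}

def encode_vsa(table, name, value):
    """Encode one dictionary attribute as a type-26 Vendor-Specific TLV."""
    (vendor, number), kind = next((k, v[1]) for k, v in table.items() if v[0] == name)
    data = struct.pack(PACKERS[kind], value) if kind in PACKERS else value.encode()
    if len(data) > 247:  # 255 - outer header (2) - vendor id (4) - inner header (2)
        raise ValueError("value too long for one VSA")
    inner = bytes([number, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(inner) + 6]) + struct.pack(">I", vendor) + inner

def decode_vsas(table, blob):
    """Walk a run of RADIUS attributes; return [(name, value)] for each VSA."""
    out, pos = [], 0
    while pos < len(blob):
        alen = blob[pos + 1] if pos + 2 <= len(blob) else 0
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute length")
        atype, body, pos = blob[pos], blob[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC:
            continue  # ordinary attribute, not decoded here
        if len(body) < 6:
            raise ValueError("truncated Vendor-Specific attribute")
        vendor, sub = struct.unpack(">I", body[:4])[0], body[4:]
        while sub:  # one VSA may carry several sub-attributes
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("malformed vendor sub-attribute")
            name, kind = table.get((vendor, sub[0]), (f"{vendor}:{sub[0]}", "binary"))
            raw, sub = sub[2:sub[1]], sub[sub[1]:]
            value = raw.decode("utf-8", "replace") if kind == "string" else raw
            if kind in PACKERS:
                value = struct.unpack(PACKERS[kind], raw)[0]  # struct.error if wrong size
            out.append((name, value))
    return out
```

Attributes from vendors missing from the table come back as `vendor:number` with raw bytes, so unknown VSAs still show up in a log instead of being dropped.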
