Operator change post proxy

2011-10-20 Thread Dan Fisher | Fluidata
Hi,

We are using Cisco and Juniper devices as LACs to terminate DSL sessions
before sending them on via L2TP to customer LNSs. We allow our customers to use
RADIUS attribute 67 via our RADIUS servers to specify the
tunnel-server-endpoint for their sessions.

We have been using Cisco LACs predominantly over the last couple of years, but
now have a need to move to Juniper kit because of scalability constraints. The issue I
have is how we allow customers to specify groups of RADIUS reply values for
failover/load balancing across their LNSs.

Below is an example showing what we are sending back to our Cisco LACs (please
note the use of += as the operator for the "second" group in the list):

Sending Access-Accept of id 216 to 192.168.1.1 port 50075
    Tunnel-Client-Auth-Id:1 = ""
    Tunnel-Type:1 = L2TP
    Tunnel-Password:1 = "yyy"
    Tunnel-Server-Endpoint:1 = "1.2.3.4"
    Tunnel-Preference:1 = 10
    Tunnel-Client-Auth-Id:2 += " "
    Tunnel-Type:2 += L2TP
    Tunnel-Password:2 += " yyy"
    Tunnel-Server-Endpoint:2 += "1.2.3.5"
    Tunnel-Preference:2 += 10


The issue I have is that the Juniper device will not process the += operator-based
results, so in order to have the same functionality, the RADIUS result
would have to look like below (please note there is no += anymore):

Sending Access-Accept of id 217 to 192.168.1.1 port 50075
    Tunnel-Client-Auth-Id:1 = ""
    Tunnel-Type:1 = L2TP
    Tunnel-Password:1 = "yyy"
    Tunnel-Server-Endpoint:1 = "1.2.3.4"
    Tunnel-Preference:1 = 10
    Tunnel-Client-Auth-Id:2 = " "
    Tunnel-Type:2 = L2TP
    Tunnel-Password:2 = " yyy"
    Tunnel-Server-Endpoint:2 = "1.2.3.5"
    Tunnel-Preference:2 = 10

I have a case open with Juniper to resolve the +=/= issue, but I haven't got an
ETA for the fix yet, and I cannot just wait for it. I cannot force all of my
customers to change the attributes they send me back from proxying based on the
NAS-IP-Address, so I have to make the necessary changes myself on my RADIUS
servers. I know I can add a bit of code in post-proxy using unlang to carry out
something when the Juniper devices' IPs are listed as the NAS-IP-Address, but I
cannot see how to change the operator that is sent from += to =. The only
complication I have is that people could send back up to 8 groups to me, and
there is no guarantee that the groups will be numbered 1, 2, 3, 4, etc.; the customer
could choose anything they like.

Anyone got any ideas or able to point me in the right direction?

Thanks
Dan


Technical Manager

T 0845 868 7848
F 0845 868 7858
www.fluidata.co.uk
www.twitter.com/fluidata
2 More London SE1 2AP

get your data flowing ...

This message is intended solely for the use of the individual or organisation 
to whom it is addressed. It may contain privileged or confidential information. 
If you have received this message in error, please notify the originator 
immediately. If you are not the intended recipient, you should not use, copy, 
alter, or disclose the contents of this message. All information or opinions 
expressed in this message and/or any attachments are those of the author and 
are not necessarily those of Fluidata Ltd. Fluidata accepts no responsibility 
for loss or damage arising from its use, including damage from virus.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Combine Proxy Answer with Local Information

2009-11-24 Thread Dan Fisher | Fluidata
Hi,

Thanks for all the pointers; I have got the proxying and post-proxy
configuration working with your hints.

I have one small issue that I need to address. For some of our clients,
they don't want us to proxy requests before our LAC forwards them.
Obviously I can configure a default entry in the proxy config so that
any domain realm that I haven't configured is matched and specified to
be handled locally.

The problem comes that I don't know the passwords for all of the
individual users that will come through, so effectively I just need to
generate an Accept packet whenever I hit this default proxy config. Is
there some way I can do this? Would I need to configure something within
the users file instead, or is there something I can add within the
authorization section to allow this to work?

Any help you can give would be much appreciated.

Dan Fisher

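One way to get an Access-Accept for realms that fall through to the catch-all entry, as an added example that is not from this thread and not the FreeRADIUS project's own configuration. It assumes FreeRADIUS 2.x, a realm DEFAULT block in proxy.conf with no home-server pool (so rlm_realm treats it as LOCAL and adds Realm = "DEFAULT" to the request), and a placeholder LAC address 192.0.2.10 used to limit the rule to that NAS.

```unlang
# --- proxy.conf (excerpt) ---
# Catch-all realm for any domain that has no realm block of its own.
# With no auth_pool the request is handled locally instead of being proxied.
realm DEFAULT {
}

# --- sites-enabled/default, authorize section (excerpt) ---
authorize {
    preprocess
    # rlm_realm: splits user@domain, adds Realm to the request and sets
    # control:Proxy-To-Realm only for realms that have a home-server pool.
    suffix

    # Requests that landed on the catch-all realm are accepted with no
    # password check, which is what the post asks for. Tying the rule to the
    # LAC's address (192.0.2.10 is a placeholder) stops it from becoming an
    # accept-anything path for every other NAS that can reach this server.
    if (Realm == "DEFAULT" && NAS-IP-Address == 192.0.2.10) {
        update control {
            Auth-Type := Accept
        }
        update reply {
            Service-Type := Framed-User
            Framed-Protocol := PPP
        }
    }

    # Realms with their own block are proxied after authorize finishes;
    # local users carry on through the normal modules.
    files
    pap
}
```

The same thing can be expressed as one users-file entry, "DEFAULT Realm == "DEFAULT", Auth-Type := Accept", but then the NAS-IP-Address check has to be added as a second check item or every client of the server gets the password-free path. Auth-Type Accept makes the server skip the authenticate section entirely, so accounting and logging are the only record of who used these sessions.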


RE: Combine Proxy Answer with Local Information

2009-11-23 Thread Dan Fisher | Fluidata
Hi,

>> My problem is that the response I send to our LAC has to contain
>> extra information depending on the domain. Is it possible to query a local
>> mysql database for this extra information (these are cisco av pairs
>> needed to establish the tunnels between the LAC and LNS)
>
> Yes. See man unlang.
>
>> and add it into
>> the Access-Accept message that is returned to the LAC from the
>> radius?
>
> Use unlang in post-proxy.
>
> Ivan Kalik

Thanks for the guidance Ivan, it's given me a good starting point. I have
managed to get new information into my accept requests by hard-coding
update reply sections in the unlang code (example below):

 

update reply {
    Tunnel-Client-Auth-ID = "fluidata"
}


However, I am having real problems getting the MySQL part working. I have
tried using examples other people are using that work, and they either
just get treated as a string or the server won't even run in debug mode.
I don't appear to be able to use the sql module itself, as I get an error
saying it's not supported in the post-proxy configuration section. Can
anyone suggest where I might be going wrong with this? Inside the
post-proxy section I have:

Where %{2} is the result of a regular expression to split a full
username so I just have the domain to use later on.

if ("%{sql: SELECT Attribute from radreply where username='%{2}' and attribute='Tunnel-Password'}") {
    ok
}


I have tried this with and without the 

Output looks like:

WARNING: Unknown module "sql" in string expansion "%{sql: SELECT
Attribute from radreply where Username ='burst.net' and
Attribute='Tunnel-Password'}"
expand: %{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'} ->
? Evaluating ("%{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'}" ) -> FALSE
++? if ("%{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'}" ) -> FALSE

/etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in
'post-proxy' sections -- they have no such method.
/etc/raddb/sites-enabled/default[512]: Errors parsing post-proxy
section.

 

If anyone has any thoughts on this, or on whether I can obtain the same
information another way, that would be much appreciated. I will have
potentially hundreds of different realms going through this FreeRADIUS
instance and I need to add this information for each one.

 

Dan Fisher

Combine Proxy Answer with Local Information

2009-11-18 Thread Dan Fisher | Fluidata
Hi all,

I am wondering if someone will be able to point me in the correct
direction with a setup I am trying to achieve. Basically we are rolling
out a new offering to our customers where we want to have our LACs
query our RADIUS servers, which will then proxy requests on to our
customers' RADIUS servers based on the domain used in the username. I
have got all of the proxying working within RADIUS, nice and easy
following the wiki and instructions, thanks.

My problem is that the response I send to our LAC has to contain extra
information depending on the domain. Is it possible to query a local
MySQL database for this extra information (these are Cisco AV pairs
needed to establish the tunnels between the LAC and LNS) and add it into
the Access-Accept message that is returned to the LAC from the RADIUS?

An example of what I have at the moment is:

Sending Access-Accept of id 6 to xx.xx.xx.xx port 51274
    Framed-IP-Address = 192.168.0.1
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.255
    Tunnel-Server-Endpoint:0 = "yy.yy.yy.yy"


And I need it to contain 3 extra lines that would be stored locally (the
last three lines below):

Sending Access-Accept of id 6 to xx.xx.xx.xx port 51274
    Framed-IP-Address = 192.168.0.1
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.255
    Tunnel-Server-Endpoint:0 = "yy.yy.yy.yy"
    Tunnel-Type:0 = L2TP
    Tunnel-ID = DEFGH
    L2TP-Tunnel-Password = "ABCDE"

This is currently running on FreeRADIUS Version 2.1.7. I have read the
documentation and the mailing lists but can't seem to find anyone who has
had to do a similar thing.

Kind Regards

Dan Fisher
Technical Manager

DDI: 020 7099 8985
Tel: 0845 868 7848
Fax: 0845 868 7858
danfis...@fluidata.co.uk
www.fluidata.co.uk

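An added example, not from this thread and not the FreeRADIUS project's own configuration, covering both the 18 November question (adding locally stored tunnel attributes to a proxied Access-Accept) and the 23 November errors (the "Unknown module sql" warning and the refusal to list sql in post-proxy). It assumes FreeRADIUS 2.x with the stock sql.conf, the standard radreply table (username, attribute, op, value) keyed here by realm name, and standard RFC 2868 attribute names; the example.net rows in the comment are constructed.

```unlang
# --- radiusd.conf (excerpt) ---
# Load the sql module and force it to be instantiated. The warning
#   Unknown module "sql" in string expansion
# appears when nothing has caused the module to be loaded. Listing it in
# instantiate fixes that; listing it inside post-proxy does not work because
# rlm_sql has no post-proxy method, which is the parse error in the post.
$INCLUDE sql.conf
instantiate {
    sql
}

# --- sites-enabled/default, post-proxy section ---
# By this point the customer's home server reply is already in the reply
# list. %{sql:...} returns the first column of the first row, so each
# attribute needs its own query. The %{1} capture expanded inside %{sql:...}
# goes through the sql module's escape function before it reaches the
# database, so a crafted User-Name cannot alter the query.
post-proxy {
    # Realm = everything after the final "@" of the proxied User-Name -> %{1}
    if (User-Name =~ /@([^@]+)$/) {
        # Constructed sample rows in radreply, keyed by realm:
        #   username      attribute            op   value
        #   example.net   Tunnel-Type          :=   L2TP
        #   example.net   Tunnel-Medium-Type   :=   IP
        #   example.net   Tunnel-Password      :=   ABCDE
        # Select the "value" column; selecting "attribute" only returns the name.
        # An empty expansion evaluates as false, so realms with no rows are
        # left alone rather than given blank attributes.
        if ("%{sql:SELECT value FROM radreply WHERE username='%{1}' AND attribute='Tunnel-Type'}") {
            update reply {
                Tunnel-Type:0        := "%{sql:SELECT value FROM radreply WHERE username='%{1}' AND attribute='Tunnel-Type'}"
                Tunnel-Medium-Type:0 := "%{sql:SELECT value FROM radreply WHERE username='%{1}' AND attribute='Tunnel-Medium-Type'}"
                Tunnel-Password:0    := "%{sql:SELECT value FROM radreply WHERE username='%{1}' AND attribute='Tunnel-Password'}"
            }
        }
    }
}
```

The := operator replaces any Tunnel-* attribute the customer's server may already have sent for tag 0, so the locally stored value wins. Tunnel-Password is marked encrypt=2 in the dictionary, so the server salts and obfuscates it on the wire with the LAC's shared secret; the radreply table holds it in clear, which makes read access to that table as sensitive as the L2TP tunnel passwords themselves. Vendor attributes such as Cisco-AVPair can be added in the same update block with one more query per attribute.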