(RADIATOR) AuthBy Group Question
Hi Guys,

I am using radiator as a proxy server for Wholesale Dialup. Here's what I would like to do. When a user makes a request, the request is proxied off to a remote radius server. At the same time, a call log entry is entered into a SQL server that I maintain. I am trying to accomplish this through the following:

Identifier NetwayAuthDNIS
RewriteUsername s/^NETWAY\/(.*)$/$1/
AuthByPolicy ContinueAlways

DBSource dbi:FreeTDS:database=Radius;host=xxx.xxx.xxx.xxx;port=1433
DBUsername xxx
DBAuth xxx

# You can add to or change these if you want.
AccountingTable netwaycalls
AcctColumnDef UserName,User-Name
AcctColumnDef CallDate,Timestamp,integer-date
AcctColumnDef AcctStatusType,Acct-Status-Type,integer
AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
AcctColumnDef AcctSessionId,Acct-Session-Id
AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
AcctColumnDef NASIdentifier,NAS-IP-Address
AcctColumnDef NASPort,NAS-Port,integer
AcctColumnDef UserService,Service-Type,integer
AcctColumnDef FramedProtocol,Framed-Protocol,integer
AcctColumnDef FramedAddress,Framed-IP-Address
AcctColumnDef NASPortType,NAS-Port-Type,integer
AcctColumnDef NASPortDNIS,Called-Station-Id
AcctColumnDef CallerID,Calling-Station-Id
AuthSelect

Host xxx.xxx.xxx.xxx
Host yyy.yyy.yyy.yyy
Secret zzz
AuthPort 1645
AcctPort 1646
Retries 2
RetryTimeout 30
FailureBackoffTime 60

However, this does not put entries into my SQL database. Any ideas?

Thanks,

--
Tom Daly
Network Operations / Systems Administrator
G4 Communications Corp.
V: 603.296.4413 / F: 603.647.7576
E: [EMAIL PROTECTED] / W3: www.g4.net
Re: (RADIATOR) VoIP Block Time Woes
Hi Zebaulon,

I have done this before. Indeed, I do it now :) I wrote a prepaid card system from scratch for Cisco 5400's (identical to 5300's in voice terms - essentially the next generation hardware).

There are two things here - one is related to understanding properly how voice accounting works on Cisco voice platforms, the other is the answer to your question about whether there is a 'trick' to organising to have prepaid cards only have their balance deducted 'once' per call, not once per valid 'Stop' record for the call (because, yes, there are multiple of those).

First thing. It's normal, and expected, to generate multiple stop records. In case you aren't aware of it, all calls have four 'legs' in principle (in practice you can even generate -more- than four legs under certain circumstances). Try reading these URLs for a start:

http://www.cisco.com/warp/public/788/voip/dialpeer_call_leg.html
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm

It can take a while to get one's head around this stuff. The pathological case of more than four legs happens when a call tries to use (say) h323 to reach a remote voice node, that node rejects the call, and the originating voice gateway then hairpins the call out locally. In that case you wind up with a Stop record for the zero duration attempted VoIP call, then a non-zero duration call (of call type 'Telephony') via the local gateway for the hairpinned call. You can also wind up with fewer than four call legs for calls that don't succeed. You will also get accounting Stop records from TWO gateways, not just one - the 'local' gateway and the 'remote' one both generate accounting records. So a Handler might not be good enough, you really need to figure out exactly -which- Stop record you want to use.

Each call leg has a duration, and those durations can differ (as you correctly indicate - one of them has the whole 'IVR' interaction time in it, others have the resulting leg durations for the parts of the call that involved attempts to commit telephony with someone). The critical thing about these legs is that you can work out which leg (1, 2, 3 or 4) you're seeing by looking at the h323-call-type and the h323-call-origin. The h323-call-type can be 'Telephony' or 'VoIP' (well, those are the most common values); the h323-call-origin can be 'originate' or 'answer'. A 'standard' call leg set is literally:

leg 1: Telephony/Answer (call from customer to your gateway)
leg 2: VoIP/Originate (VoIP leg leaving your gateway to remote GW)
leg 3: VoIP/Answer (the same connection arriving on the remote GW)
leg 4: Telephony/Originate (the call into the PSTN made by the remote GW)

In the standard case, the accounting records for legs 1 and 2 come from the local gateway and the accounting records for legs 3 and 4 come from the remote gateway. Take a look at the nice pictures on the Cisco web site from those URLs I noted above.

In cases where the call is hairpinned from the local voice gateway, there may be no VoIP legs at all, or there may (as indicated above) be a zero duration set of VoIP legs due to a remote failure followed by 'local' Telephony/Originate legs. This is actually a degenerate case where the local GW and the remote GW are the same GW, if you see what I mean.

Second thing. You can handle this all 'properly', or you can use a hack. Of course :) What I do is get Radiator to call an external Perl program I wrote (worked out easier for me to deal with it that way), and the following is the logic in my code that decides whether to 'charge' the time inherent in a stop record that comes floating past the code... The critical point?

That I decided after a lot of experimentation that the 'best' of the stop records to use is any leg which is of type 'originate' and which is of non-zero call duration, having discarded a few strange cases first. It turns out that there is only one of those per ultimate user session.

By the way, what's the non-hack method? Doing it 'right' involves a LOT more work. That work involves using the h323-conf-id, which is the unique key across all legs in a call, to store every received leg of every call into SQL tables, and to collect data from each of the legs as they arrive, and make a decision to bill once sufficient information is known about the call. This is actually very non-trivial in practice - some things you need to know are in some legs, some things you need to know are in others, and legs arrive separated in time, from the two gateways concerned, as the call proceeds.

BUT: You actually don't need to do the above until you graduate to building a full post-paid billing engine for your VoIP nodes. I've done this, it's really quite non-trivial :) Ok -very- non-trivial :) Again, for prepaid, don't bother. The simple hack is to only 'act' on 'originate' records with nonzero call duration
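The selection rule the post describes, written out as an added example (this is not the poster's Perl program): a Stop record is charged only when its h323-call-origin is 'originate' and its Acct-Session-Time is non-zero. The per-h323-conf-id guard is my addition, so that a call is billed once even if more than one qualifying leg reaches the prepaid system (the post notes that legs arrive from both gateways). The record layout, attribute values and the three sample calls are constructed to mirror the standard, hairpinned and failed cases described above.

```python
"""Pick the one accounting Stop record to charge per prepaid VoIP call.

Added example, not code from the original post. Applies the rule 'charge
only originate legs with non-zero duration', plus a guard on h323-conf-id
(the per-call key named in the post) so no call is billed twice.
"""


def leg(conf_id, call_type, origin, seconds, nas):
    """Build one constructed accounting Stop record (attribute names as a Cisco gateway sends them)."""
    return {"Acct-Status-Type": "Stop", "h323-conf-id": conf_id,
            "h323-call-type": call_type, "h323-call-origin": origin,
            "Acct-Session-Time": seconds, "NAS-IP-Address": nas}


# The 'standard' four-leg call: legs 1-2 from the local gateway, 3-4 from the remote one.
STANDARD_CALL = [
    leg("C1", "Telephony", "answer", 95, "10.0.0.1"),     # leg 1, includes IVR time
    leg("C1", "VoIP", "originate", 60, "10.0.0.1"),       # leg 2
    leg("C1", "VoIP", "answer", 60, "10.0.0.2"),          # leg 3
    leg("C1", "Telephony", "originate", 58, "10.0.0.2"),  # leg 4
]

# Remote node rejected the VoIP attempt; the local gateway hairpinned the call.
HAIRPINNED_CALL = [
    leg("C2", "Telephony", "answer", 130, "10.0.0.1"),
    leg("C2", "VoIP", "originate", 0, "10.0.0.1"),        # zero-duration attempt
    leg("C2", "Telephony", "originate", 120, "10.0.0.1"), # the real PSTN leg
]

# Fewer than four legs: nothing ever connected, only IVR time on the answer leg.
FAILED_CALL = [
    leg("C3", "Telephony", "answer", 12, "10.0.0.1"),
    leg("C3", "VoIP", "originate", 0, "10.0.0.1"),
]


def is_chargeable_leg(rec):
    """The post's rule: a Stop record for an originate leg with non-zero duration."""
    if rec.get("Acct-Status-Type") != "Stop":
        return False
    try:
        seconds = int(rec.get("Acct-Session-Time", 0))
    except (TypeError, ValueError):
        return False  # malformed duration: treat it as one of the 'strange cases'
    return rec.get("h323-call-origin") == "originate" and seconds > 0


def charge_stop_records(records):
    """Return {h323-conf-id: seconds charged}, charging each call at most once.

    Records without an h323-conf-id are ignored: without the per-call key there
    is no safe way to know whether that call was already billed.
    """
    charged = {}
    for rec in records:
        conf_id = rec.get("h323-conf-id")
        if not conf_id or not is_chargeable_leg(rec):
            continue
        if conf_id in charged:
            continue  # a later qualifying leg for the same call: do not bill again
        charged[conf_id] = int(rec["Acct-Session-Time"])
    return charged


if __name__ == "__main__":
    print(charge_stop_records(STANDARD_CALL + HAIRPINNED_CALL + FAILED_CALL))
```

Run against the three constructed calls, only C1 (60 s, the first qualifying leg seen) and C2 (120 s, the hairpinned PSTN leg) are charged; the failed call and the zero-duration VoIP attempts are not. The order in which legs arrive decides which qualifying leg's duration is used, which is why a production system would keep the charged conf-ids somewhere persistent rather than in memory.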
Re: (RADIATOR) "Code" and hooks
Hello Gustavo -

You cannot do what you are trying to do, because the PostSearchHook fires *before* the user is authenticated, therefore the hook will never know the result. You will need to use a PostAuthHook to check the result.

regards

Hugh

On Fri, 22 Mar 2002 08:10, Gustavo Moreira wrote:
> Hi,
>
> I'm trying to do something depending if in AuthLDAP2 the result was
> Access-Accept , how can I get it in a PostSearchHook ?
>
> [...] In radius.cfg
> AuthAttrDef svcstatus,Svc-Status,request
> PostSearchHook sub { my
> ($self,$p,$rp,$entry)=($_[0],$_[2],$_[5],$_[4]);\
> my @attr = $_[4]->get('svcstatus');\
> my $attr = @attr[0];\
> return unless defined($attr);\
> my $codeone=$rp->code;\
> my $codetwo=$p->code;\
> &main::log($main::LOG_DEBUG,"
> $codeone - $codetwo");\
> return if $rp->code eq 'Access-Reject';\
> [...]
>
> [...] In Log
> Fri Dec 21 17:56:38 2001: DEBUG: LDAP got result for
> cn=cocar,ou=Radius,ou=Internet,ou=Arnet,o=TS
> Fri Dec 21 17:56:38 2001: DEBUG: LDAP got userPassword: NA17122001
> Fri Dec 21 17:56:38 2001: DEBUG: LDAP got svcstatus: 1
> Fri Dec 21 17:56:38 2001: DEBUG: - Access-Request
> Fri Dec 21 17:56:38 2001: DEBUG: Radius::AuthLDAP2 looks for match with
> cocar
> Fri Dec 21 17:56:38 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Fri Dec 21 17:56:38 2001: INFO: Access rejected for cocar: Bad Password
> Fri Dec 21 17:56:38 2001: DEBUG: Packet dump:
> *** Sending to 192.168.212.5 port 36442
> [...]
>
> [...] In AuthLDAP2.pm
> # Perhaps run a hook to do other things with the LDAP data
> if (defined $self->{PostSearchHook})
> {
> # We use an eval so an error in the hook wont
> # kill us.
> eval{ &{$self->{PostSearchHook}}($self, $name, $p, $user,
> $entry, $rp);};
> $self->log($main::LOG_ERR, "Error in PostSearchHook(): $@")
> if $@;
> }
> [...]

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5008
Hello Edward -

A Cisco usually requires the same Service-Type value that is present in the radius request to be returned in the radius response, which usually means

Service-Type = Framed-User

However, as mentioned below, the best source of Cisco configuration information is the Cisco web site.

regards

Hugh

On Sat, 22 Dec 2001 01:25, Cheng T K, Edward (TECH_NP&IP NWT) wrote:
> I have the same problem, how can i solve it
>
> Hello Howard -
>
> On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
> > I am having problems configuring Radiator v2.18.2 to authenticate to a
> > Cisco VPN 5001.
> >
> > I have been testing the using the following configuration files:
> >
> > goodies\simple2.cfg:
> > # simple2.cfg
> > #
> > # Example Radiator configuration file.
> > # This very simple file will allow you to get started with
> > # a simple system. You can then add and change features.
> > # We suggest you start simple, prove to yourself that it
> > # works and then develop a more complicated configuration.
> > #
> > # This example will authenticate from a standard users file in
> > # the current directory and log accounting to a file in the current
> > # directory.
> > # It will accept requests from any client and try to handle request
> > # for any realm.
> > # And it will print out what its doing in great detail.
> > #
> > # See radius.cfg for more complete examples of features and
> > # syntax, and refer to the reference manual for a complete description
> > # of all the features and syntax.
> > #
> > # You should consider this file to be a starting point only
> > # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $
> >
> > Foreground
> > LogStdout
> > LogDir .
> > DbDir .
> > DictionaryFile ./dictionary
> > # User a lower trace level in production systems:
> > Trace 4
> > # Added by Howard Jares
> > AuthPort 1812
> > AcctPort 1813
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> >
> > Secret *
> > DupInterval 0
> >
> > Filename ./users2
> >
> > # Log accounting to a detail file
> > AcctLogFileName ./detail
> >
> > Users2:
> > DEFAULT Service-Type = Administrative-User, Auth-Type = System
> > Idle-Timeout = 2000,
> >
> > DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
> > Idle-Timeout = 2001,
> > Fall-Through = yes
> >
> > # User-Password can be in a number of formats: plaintext,
> > # UNIX encrypted,
> > # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
> > # defaults to plaintext
> > pwtest1 User-Password = "fred"
> > pwtest2 User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> > pwtest3 User-Password = "{crypt}1xMKc0GIVUNbE"
> > pwtest4 User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> > # Encrypted-Password can by in a variety of encryption standards too
> > # but defaults to Unix crypt
> > pwtest5 Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> > pwtest6 Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
> > pwtest7 Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> > pwtest8 Encrypted-Password = "1xMKc0GIVUNbE"
> > pwtest9 Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> > pwtest10 User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> >
> > [EMAIL PROTECTED] User-Password=fred
> > cisco-VPNGroupInfo=Test,
> > cisco-VPNPassword=fred
> > # Connect-Info = "Test"
> >
> > I modified the standard dictionary file to include:
> >
> > #HJ
> > VENDORATTR 9 cisco-VPNPassword 66 string
> > VENDORATTR 9 cisco-VPNGroupInfo 67 string
> > #HJ
> >
> > On the server running Radiator:
> > F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
> > Wed Sep 5 16:35:13 2001: DEBUG: Reading users file ./users2
> > Wed Sep 5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
> > Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> > *** Received from 129.7.209.253 port 2050
> > Code: Access-Request
> > Identifier: 41
> > Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> > Attributes:
> > NAS-IP-Address = 129.7.209.253
> > NAS-Port-Type = Virtual
> > Service-Type = Authenticate-Only
> > NAS-Port = 268435459
> > User-Name = "[EMAIL PROTECTED]"
> > CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>
> >
> > Wed Sep 5 16:35:24 2001: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Wed Sep 5 16:35:24 2001: DEBUG: Deleting session for [EMAIL PROTECTED],
> > 129.7.209.253, 268435459
> > Wed Sep 5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
> > Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
> > [EMAIL PROTECTED]
> > Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Sep 5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
> > Wed Sep 5 16:35:24 2001: DEB
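To make the reply above concrete, here is an added example (not Radiator's AuthFILE code) that parses a users file in the style quoted in this thread, matches the Access-Request from the log against it, and then checks whether the resulting Access-Accept carries a Service-Type attribute, adding one if it does not. The grammar is a simplified reading of the quoted entries: check items on the first line, reply items on indented continuation lines, and Fall-Through = yes letting matching continue. Auth-Type and Expiration check items are skipped rather than evaluated (an assumption of this example), the user name and a cleartext password stand in for the obfuscated name and CHAP-Password in the log, and the Service-Type value added defaults to Framed-User, the value named in the reply.

```python
"""Match a request against Radiator-style users file entries and make sure
the reply carries a Service-Type attribute.

Added example, not Radiator's own code. Users-file grammar is simplified to
what the entries quoted in the thread show.
"""

import re

# Constructed subset of the users2 file quoted in the thread.
USERS_FILE = '''\
DEFAULT Service-Type = Administrative-User, Auth-Type = System
        Idle-Timeout = 2000,

DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
        Idle-Timeout = 2001,
        Fall-Through = yes

howard@example.test User-Password=fred
        cisco-VPNGroupInfo=Test,
        cisco-VPNPassword=fred
'''

# 'Name = value' items, comma separated, values optionally double-quoted.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*("[^"]*"|[^,]+)\s*,?')

# Check items Radiator evaluates itself rather than against a request
# attribute; this simplified matcher skips them (assumption for the example).
SPECIAL_CHECKS = {"Auth-Type", "Expiration"}


def parse_items(text):
    """Turn 'A = 1, B = "x y"' into [('A', '1'), ('B', 'x y')]."""
    return [(k, v.strip().strip('"')) for k, v in ITEM_RE.findall(text)]


def parse_users_file(text):
    """Return a list of (name, check_items, reply_items) in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                      # continuation line: reply items
            entries[-1][2].extend(parse_items(line))
        else:                                      # new entry: name + check items
            name, _, rest = line.partition(" ")
            entries.append((name, parse_items(rest), []))
    return entries


def entry_matches(name, checks, request):
    """An entry applies when its name is DEFAULT or the User-Name, and every
    check item equals the corresponding request attribute (password included)."""
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    return all(request.get(attr) == want
               for attr, want in checks if attr not in SPECIAL_CHECKS)


def lookup(entries, request):
    """Return (matched, reply_items), honouring Fall-Through = yes."""
    reply, matched = [], False
    for name, checks, replies in entries:
        if not entry_matches(name, checks, request):
            continue
        matched, fall_through = True, False
        for attr, value in replies:
            if attr == "Fall-Through":             # control item, not a reply attribute
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return matched, reply


def missing_service_type(reply_items):
    """True when the Access-Accept would go out without Service-Type, as in the log."""
    return not any(attr == "Service-Type" for attr, _ in reply_items)


def ensure_service_type(reply_items, value="Framed-User"):
    """Add the Service-Type the reply above says the Cisco expects, if absent."""
    if missing_service_type(reply_items):
        return reply_items + [("Service-Type", value)]
    return reply_items


# Attributes from the Access-Request in the thread's log; user name and
# cleartext password are constructed stand-ins for the obfuscated originals.
REQUEST = {
    "NAS-IP-Address": "129.7.209.253",
    "NAS-Port-Type": "Virtual",
    "Service-Type": "Authenticate-Only",
    "NAS-Port": "268435459",
    "User-Name": "howard@example.test",
    "User-Password": "fred",
}

if __name__ == "__main__":
    ok, items = lookup(parse_users_file(USERS_FILE), REQUEST)
    print(ok, items, "->", ensure_service_type(items))
```

With the request from the log, neither DEFAULT entry matches (their Service-Type check items differ from Authenticate-Only), the user entry does, and the reply comes out with only the two cisco-* attributes, exactly as the Access-Accept dump in the thread shows; ensure_service_type is the one-line repair the reply above suggests.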
Re: (RADIATOR) where is radwho.cgi
Hello Utku -

On Sat, 22 Dec 2001 00:20, Utku Er wrote:
> Hi,
>
> is radwho.cgi in the Radmin package? I installed radiator rpm but couldn't
> see radwho.cgi in it ?
>

The top level directory of the Radiator source distribution contains both the radwho.cgi and the radacct.cgi scripts.

> where is radwho.cgi explained in the manual ?
>

Section 12.0 in the Radiator reference manual ("doc/ref.html").

regards

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
Re: (RADIATOR) "Code" and hooks
Hi,

I'm trying to do something depending if in AuthLDAP2 the result was Access-Accept , how can I get it in a PostSearchHook ?

[...] In radius.cfg
AuthAttrDef svcstatus,Svc-Status,request
PostSearchHook sub { my ($self,$p,$rp,$entry)=($_[0],$_[2],$_[5],$_[4]);\
my @attr = $_[4]->get('svcstatus');\
my $attr = @attr[0];\
return unless defined($attr);\
my $codeone=$rp->code;\
my $codetwo=$p->code;\
&main::log($main::LOG_DEBUG," $codeone - $codetwo");\
return if $rp->code eq 'Access-Reject';\
[...]

[...] In Log
Fri Dec 21 17:56:38 2001: DEBUG: LDAP got result for cn=cocar,ou=Radius,ou=Internet,ou=Arnet,o=TS
Fri Dec 21 17:56:38 2001: DEBUG: LDAP got userPassword: NA17122001
Fri Dec 21 17:56:38 2001: DEBUG: LDAP got svcstatus: 1
Fri Dec 21 17:56:38 2001: DEBUG: - Access-Request
Fri Dec 21 17:56:38 2001: DEBUG: Radius::AuthLDAP2 looks for match with cocar
Fri Dec 21 17:56:38 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Fri Dec 21 17:56:38 2001: INFO: Access rejected for cocar: Bad Password
Fri Dec 21 17:56:38 2001: DEBUG: Packet dump:
*** Sending to 192.168.212.5 port 36442
[...]

[...] In AuthLDAP2.pm
# Perhaps run a hook to do other things with the LDAP data
if (defined $self->{PostSearchHook})
{
# We use an eval so an error in the hook wont
# kill us.
eval{ &{$self->{PostSearchHook}}($self, $name, $p, $user, $entry, $rp);};
$self->log($main::LOG_ERR, "Error in PostSearchHook(): $@")
if $@;
}
[...]
(RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5008
I have the same problem, how can i solve it

Hello Howard -

On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
> I am having problems configuring Radiator v2.18.2 to authenticate to a
> Cisco VPN 5001.
>
> I have been testing the using the following configuration files:
>
> goodies\simple2.cfg:
> # simple2.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate from a standard users file in
> # the current directory and log accounting to a file in the current
> # directory.
> # It will accept requests from any client and try to handle request
> # for any realm.
> # And it will print out what its doing in great detail.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> DictionaryFile ./dictionary
> # User a lower trace level in production systems:
> Trace 4
> # Added by Howard Jares
> AuthPort 1812
> AcctPort 1813
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
>
> Secret *
> DupInterval 0
>
> Filename ./users2
>
> # Log accounting to a detail file
> AcctLogFileName ./detail
>
> Users2:
> DEFAULT Service-Type = Administrative-User, Auth-Type = System
> Idle-Timeout = 2000,
>
> DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
> Idle-Timeout = 2001,
> Fall-Through = yes
>
> # User-Password can be in a number of formats: plaintext,
> # UNIX encrypted,
> # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
> # defaults to plaintext
> pwtest1 User-Password = "fred"
> pwtest2 User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> pwtest3 User-Password = "{crypt}1xMKc0GIVUNbE"
> pwtest4 User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> # Encrypted-Password can by in a variety of encryption standards too
> # but defaults to Unix crypt
> pwtest5 Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> pwtest6 Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
> pwtest7 Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> pwtest8 Encrypted-Password = "1xMKc0GIVUNbE"
> pwtest9 Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> pwtest10 User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
>
> [EMAIL PROTECTED] User-Password=fred
> cisco-VPNGroupInfo=Test,
> cisco-VPNPassword=fred
> # Connect-Info = "Test"
>
> I modified the standard dictionary file to include:
>
> #HJ
> VENDORATTR 9 cisco-VPNPassword 66 string
> VENDORATTR 9 cisco-VPNGroupInfo 67 string
> #HJ
>
> On the server running Radiator:
> F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
> Wed Sep 5 16:35:13 2001: DEBUG: Reading users file ./users2
> Wed Sep 5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
> Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> *** Received from 129.7.209.253 port 2050
> Code: Access-Request
> Identifier: 41
> Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> Attributes:
> NAS-IP-Address = 129.7.209.253
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> NAS-Port = 268435459
> User-Name = "[EMAIL PROTECTED]"
> CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>
>
> Wed Sep 5 16:35:24 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Sep 5 16:35:24 2001: DEBUG: Deleting session for [EMAIL PROTECTED],
> 129.7.209.253, 268435459
> Wed Sep 5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
> Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
> [EMAIL PROTECTED]
> Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Sep 5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
> Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> *** Sending to 129.7.209.253 port 2050
> Code: Access-Accept
> Identifier: 41
> Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> Attributes:
> cisco-VPNGroupInfo = "Test"
> cisco-VPNPassword = "fred"
> Connect-Info = "Test"
>
> On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
> connect using [EMAIL PROTECTED], the system sits there and then eventually times
> out.
>
> On the Cisco VPN 5001, I do a
> show sys
(RADIATOR) where is radwho.cgi
Hi,

is radwho.cgi in the Radmin package? I installed radiator rpm but couldn't see radwho.cgi in it ?

where is radwho.cgi explained in the manual ?

thanks in advance Hugh,

Utku.