Re: [RADIATOR] Insert Accounting to BD Table.

2015-05-28 Thread Hugh Irvine

Hello -

You should check your accounting requests to see if Event-Timestamp is present 
(I suspect it is not).

A trace 4 debug will show you what you are receiving in the accounting requests.

You may need additional configuration on your Huawei equipment, or you may need 
to use something else like the Radiator Timestamp.

regards

Hugh



> On 28 May 2015, at 22:09, Mohammed Alhaj Ali  wrote:
> 
> Hi Sami,
> 
> The system calculates the Session-Timeout based on the account's first login,
> which relies on the Event-Timestamp. When it is inserted into the TIME_STAMP
> column on the DBN table, it will then check the account number of date to
> calculate account expiry, and then it returns this value to Session-Timeout.
> 
> Note that there's no problem for accounts that are already active and have
> session-timeout configured, but for new subscriptions we did not get
> Event-Timestamp to be inserted into the DB table.
> 
> Please let me know if you need any other information.
> 
> Thank you!
> 
> -Original Message-
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
> Behalf Of Sami Keski-Kasari
> Sent: Thursday, May 28, 2015 1:54 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Insert Accounting to BD Table.
> 
> Hello Mohammed,
> 
> I think that the error message is due to your SQL query not returning anything
> for the Expiration check item, and you have AddToReply Session-Timeout = "until
> Expiration" in the configuration.
> 
> Could you tell us more about how the system should work?
> Who should/will update the EXPIRATION field in the database?
> 
> Best Regards,
> Sami
> 
> On 05/27/2015 11:32 AM, Mohammed Alhaj Ali wrote:
>> Dears,
>> 
>> 
>> 
>> Recently we had some changes on our network, as we replaced the Cisco
>> platform with Huawei BRAS. Now we're unable to get proper accounting,
>> especially when customer accounts are newly created, so we can't get
>> account activation on the first login in order to calculate
>> Session-Timeout. Below are the error logs plus part of the
>> configuration:
>> 
>> AccountingTable DSL_ACCOUNTING
>> AcctColumnDef USERNAME,User-Name,%A
>> AcctColumnDef TIME_STAMP,Timestamp,integer
>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>> AcctColumnDef acctterminatecause, Acct-Terminate-Cause
>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>> AcctColumnDef NASPORT,NAS-Port,integer
>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>> #AcctInsertQuery insert into %0 (%1) values (%2)
>> AuthColumnDef 0,User-Password, check
>> AuthColumnDef 1,Expiration, check
>> AuthColumnDef 2,Simultaneous-Use, check
>> AuthColumnDef 3,Huawei-Domain-Name, reply
>> AuthColumnDef 4,GENERIC, reply
>> AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd
>> HH24:MI:SS') Expiration, MAXSESSIONS, EXPIRATION_D "Huawei-Domain-Name" ,
>> Session_Timeout   "Session-Timeout" from ITC_ACCOUNTS_H where
>> upper(USERNAME)=upper('%n')
>> CachePasswordExpiry 86400
>> AddToReply Service-Type=Framed-User, Framed-Protocol=PPP,
>> Framed-MTU=1492, Session-Timeout = "until Expiration"
>> ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource =
>> shift;my $dbusername = shift;my $dbauth =
>> shift;$self->log($main::LOG_ERR, "Could not connect to SQL database
>> with DBI->connect $dbsource, $dbusername, $dbauth: $@ $DBI::errstr");}
>> DBSource dbi:ODBC:ORADB
>> DBUsername user
>> DBAuth password
>> DateFormat %b %e, %Y %H:%M
>> EAPAnonymous anonymous
>> EAPContextTimeout 1000
>> EAPFAST_PAC_Lifetime 7776000
>> EAPFAST_PAC_Reprovision 2592000
>> EAPTLS_MaxFragmentSize 2048
>> EAPTLS_PEAPVersion 1
>> EAPTLS_SessionResumption 1
>> EAPTLS_SessionResumptionLimit 43200
>> EAPTLS_VerifyDepth 1
>> FailureBackoffTime 600
>> Identifier HUW_POOL
>> NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR,
>> "Could not connect to any SQL database. Request is ignored. Backing
>> off for $self->{FailureBackoffTime} seconds");}
>> NullPasswordMatchesAny 1
>> PasswordPrompt password
>> SIPDigestRealm DefaultSipRealm
>> Timeout 60
>>
>> LOG:
>>
>> Wed May 27 09:09:39 2015: DEBUG: Handling request with Handler
>> 'Realm=/^(512|1024|2
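The check suggested at the top of this message (use a Trace 4 debug to see whether the NAS sends Event-Timestamp in its accounting requests), as an added example that is not part of the thread and not Radiator code. The dump layout in SAMPLE_LOG is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample laid out like a Radiator Trace 4 packet dump; the
# addresses, user names and values are placeholders, not from the thread.
SAMPLE_LOG = """\
Wed May 27 09:09:40 2015: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1813 ....
Code:       Accounting-Request
Attributes:
\tUser-Name = "user1@example.net"
\tAcct-Status-Type = Start

Wed May 27 09:09:41 2015: DEBUG: Packet dump:
*** Received from 192.0.2.11 port 1813 ....
Code:       Accounting-Request
Attributes:
\tUser-Name = "user2@example.net"
\tAcct-Status-Type = Start
\tEvent-Timestamp = 1432706981
"""

def accounting_requests(log_text):
    """Yield (source_ip, attrs) for received Accounting-Requests; replies sent are skipped."""
    source, code, attrs = None, None, {}
    for line in log_text.splitlines() + [""]:  # trailing "" flushes last dump
        hdr = re.match(r"\*\*\* (Received from|Sending to) (\S+)", line)
        if hdr:
            source = hdr.group(2) if hdr.group(1) == "Received from" else None
            code, attrs = None, {}
        elif source is None:
            continue
        elif line.startswith("Code:"):
            code = line.split(":", 1)[1].strip()
        elif (attr := re.match(r"\s+([\w-]+) = (.*)", line)):
            attrs[attr.group(1)] = attr.group(2).strip('"')
        elif not line.strip():  # a blank line ends the dump
            if code == "Accounting-Request":
                yield source, attrs
            source = None

def missing_event_timestamp(log_text):
    """List (source, User-Name, Acct-Status-Type) lacking Event-Timestamp."""
    return [(src, a.get("User-Name"), a.get("Acct-Status-Type"))
            for src, a in accounting_requests(log_text)
            if "Event-Timestamp" not in a]

if __name__ == "__main__":
    for row in missing_event_timestamp(SAMPLE_LOG):
        print("no Event-Timestamp:", *row)
```

Grouping the result by source address shows which NAS needs the extra configuration.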

Re: [RADIATOR] Farmsize and ServerTACACSPLUS

2015-05-28 Thread Heikki Vatiainen
On 05/28/2015 03:26 PM, Vangelis Kyriakakis wrote:

> I would like to know if the ServerTACACSPLUS is compatible with
> Farmsize X. Is it possible to have more farm children serving TCP port 49?

Yes, that's possible. Please see goodies/tacacsplusserver.cfg in the
Radiator 4.14 distribution and look for AllowAuthorizeOnly. There's the
option and a Handler related to it.

With FarmSize, the initial authentication (if TACACS+ is used for auth) and
the subsequent authorization requests can be processed by different farm
workers. The above option allows radiusd to query the backend for
authorization requests even if it has not received requests for the user
yet.

The option defaults to disabled and it's intended for FarmSize or
configurations where, for example, authentication is not done with TACACS+.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


[RADIATOR] Farmsize and ServerTACACSPLUS

2015-05-28 Thread Vangelis Kyriakakis
Hello,

I would like to know if the ServerTACACSPLUS is compatible with
Farmsize X. Is it possible to have more farm children serving TCP port 49?

  Kind regards
 Vangelis


Re: [RADIATOR] Insert Accounting to BD Table.

2015-05-28 Thread Mohammed Alhaj Ali
Hi Sami,

The system calculates the Session-Timeout based on the account's first login,
which relies on the Event-Timestamp. When it is inserted into the TIME_STAMP
column on the DBN table, it will then check the account number of date to
calculate account expiry, and then it returns this value to Session-Timeout.

Note that there's no problem for accounts that are already active and have
session-timeout configured, but for new subscriptions we did not get
Event-Timestamp to be inserted into the DB table.

Please let me know if you need any other information.

Thank you!

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Sami Keski-Kasari
Sent: Thursday, May 28, 2015 1:54 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Insert Accounting to BD Table.

Hello Mohammed,

I think that the error message is due to your SQL query not returning anything
for the Expiration check item, and you have AddToReply Session-Timeout = "until
Expiration" in the configuration.

Could you tell us more about how the system should work?
Who should/will update the EXPIRATION field in the database?

Best Regards,
 Sami

On 05/27/2015 11:32 AM, Mohammed Alhaj Ali wrote:
> Dears,
>
>
>
> Recently we had some changes on our network, as we replaced the Cisco
> platform with Huawei BRAS. Now we're unable to get proper accounting,
> especially when customer accounts are newly created, so we can't get
> account activation on the first login in order to calculate
> Session-Timeout. Below are the error logs plus part of the
> configuration:
>
> AccountingTable DSL_ACCOUNTING
> AcctColumnDef USERNAME,User-Name,%A
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef acctterminatecause, Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> #AcctInsertQuery insert into %0 (%1) values (%2)
> AuthColumnDef 0,User-Password, check
> AuthColumnDef 1,Expiration, check
> AuthColumnDef 2,Simultaneous-Use, check
> AuthColumnDef 3,Huawei-Domain-Name, reply
> AuthColumnDef 4,GENERIC, reply
> AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd
> HH24:MI:SS') Expiration, MAXSESSIONS, EXPIRATION_D "Huawei-Domain-Name" ,
> Session_Timeout   "Session-Timeout" from ITC_ACCOUNTS_H where
> upper(USERNAME)=upper('%n')
> CachePasswordExpiry 86400
> AddToReply Service-Type=Framed-User, Framed-Protocol=PPP,
> Framed-MTU=1492, Session-Timeout = "until Expiration"
> ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource =
> shift;my $dbusername = shift;my $dbauth =
> shift;$self->log($main::LOG_ERR, "Could not connect to SQL database
> with DBI->connect $dbsource, $dbusername, $dbauth: $@ $DBI::errstr");}
> DBSource dbi:ODBC:ORADB
> DBUsername user
> DBAuth password
> DateFormat %b %e, %Y %H:%M
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 1
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> FailureBackoffTime 600
> Identifier HUW_POOL
> NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR,
> "Could not connect to any SQL database. Request is ignored. Backing
> off for $self->{FailureBackoffTime} seconds");}
> NullPasswordMatchesAny 1
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> Timeout 60
>
> LOG:
>
> Wed May 27 09:09:39 2015: DEBUG: Handling request with Handler
> 'Realm=/^(512|1024|2048)\.itc\.net\.sa$/'
> Wed May 27 09:09:39 2015: DEBUG:  Deleting session for
> testhua...@2048.itc.net.sa, 87.101.255.184, 33554442
> Wed May 27 09:09:39 2015: DEBUG: Handling with Radius::AuthSQL:
> HUW_POOL
> Wed May 27 09:09:39 2015: DEBUG: Handling with Radius::AuthSQL:
> HUW_POOL
> Wed May 27 09:09:39 2015: DEBUG: Query is: 'select PASSWORD,
> to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS,
> EXPIRATION_D "Huawei-Domain-Name" , Session_Timeout "Session-Timeout"
> from ITC_ACCOUNTS_H where
> upper(USERNAME)=upper('testhua...@2048.itc.net.sa')':
> Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL looks for matc

Re: [RADIATOR] Insert Accounting to BD Table.

2015-05-28 Thread Sami Keski-Kasari
Hello Mohammed,

I think that the error message is due to your SQL query not returning
anything for the Expiration check item, and you have AddToReply
Session-Timeout = "until Expiration" in the configuration.

Could you tell us more about how the system should work?
Who should/will update the EXPIRATION field in the database?

Best Regards,
 Sami

On 05/27/2015 11:32 AM, Mohammed Alhaj Ali wrote:
> Dears,
> 
>  
> 
> Recently we had some changes on our network, as we replaced the Cisco
> platform with Huawei BRAS. Now we’re unable to get proper accounting,
> especially when customer accounts are newly created, so we can’t get
> account activation on the first login in order to calculate
> Session-Timeout. Below are the error logs plus part of the
> configuration:
>
> AccountingTable DSL_ACCOUNTING
> AcctColumnDef USERNAME,User-Name,%A
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef acctterminatecause, Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> #AcctInsertQuery insert into %0 (%1) values (%2)
> AuthColumnDef 0,User-Password, check
> AuthColumnDef 1,Expiration, check
> AuthColumnDef 2,Simultaneous-Use, check
> AuthColumnDef 3,Huawei-Domain-Name, reply
> AuthColumnDef 4,GENERIC, reply
> AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd HH24:MI:SS')
> Expiration, MAXSESSIONS, EXPIRATION_D "Huawei-Domain-Name" ,
> Session_Timeout   "Session-Timeout" from ITC_ACCOUNTS_H where
> upper(USERNAME)=upper('%n')
> CachePasswordExpiry 86400
> AddToReply Service-Type=Framed-User, Framed-Protocol=PPP,
> Framed-MTU=1492, Session-Timeout = "until Expiration"
> ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource =
> shift;my $dbusername = shift;my $dbauth =
> shift;$self->log($main::LOG_ERR, "Could not connect to SQL database with
> DBI->connect $dbsource, $dbusername, $dbauth: $@ $DBI::errstr");}
> DBSource dbi:ODBC:ORADB
> DBUsername user
> DBAuth password
> DateFormat %b %e, %Y %H:%M
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 1
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> FailureBackoffTime 600
> Identifier HUW_POOL
> NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR,
> "Could not connect to any SQL database. Request is ignored. Backing off
> for $self->{FailureBackoffTime} seconds");}
> NullPasswordMatchesAny 1
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> Timeout 60
>
> LOG:
>
> Wed May 27 09:09:39 2015: DEBUG: Handling request with Handler
> 'Realm=/^(512|1024|2048)\.itc\.net\.sa$/'
> Wed May 27 09:09:39 2015: DEBUG:  Deleting session for
> testhua...@2048.itc.net.sa, 87.101.255.184, 33554442
> Wed May 27 09:09:39 2015: DEBUG: Handling with Radius::AuthSQL: HUW_POOL
> Wed May 27 09:09:39 2015: DEBUG: Handling with Radius::AuthSQL: HUW_POOL
> Wed May 27 09:09:39 2015: DEBUG: Query is: 'select PASSWORD,
> to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS,
> EXPIRATION_D "Huawei-Domain-Name" , Session_Timeout "Session-Timeout"
> from ITC_ACCOUNTS_H where
> upper(USERNAME)=upper('testhua...@2048.itc.net.sa')':
> Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL looks for match with
> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
> Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL ACCEPT: :
> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
> Wed May 27 09:09:39 2015: DEBUG: Session-Timeout="until ValidTo" was
> specified, but there was no ValidTo or Expiration check item for this
> user. Ignored.
> Wed May 27 09:09:39 2015: DEBUG: AuthBy SQL result: ACCEPT,
> Wed May 27 09:09:39 2015: DEBUG: Access accepted for
> testhua...@2048.itc.net.sa
>
> Wed May 27 09:09:39 2015: ERR: There is no value named until Expiration
> for attribute Session-Timeout. Using 0.
>
> Wed May 27 09:09:39 2015: DEBUG: Packet dump:
> *** Send