(RADIATOR) Hook Between AuthBy
Title: Hook Between AuthBy

Hi,

My problem is adding country code (i.e. 852) to Calling-Station-Id attribute after LDAP query, and _before_ forward to another radius server (see below config). How can I do this?

Regards,
Harrison

<AuthBy LDAP2>
    Identifier GUP_Dipping
    AuthenticateAccounting
    Host x.x.x.x
    Port 389
    AuthDN uid=xxx,ou=xxx,o=xxx
    AuthPassword xxx
    BaseDN ou=xxx,ou=xxx,o=xxx
    Scope one
    SearchFilter (smcAMSISDN=%{Class})
    AuthAttrDef smcSubscriberNumber,Calling-Station-Id,request
</AuthBy LDAP2>

<AuthBy RADIUS>
    Identifier test_forwarding
    NoForwardAuthentication
    IgnoreAccountingResponse
    Host x.x.x.x
    Secret xxx
    StripFromRequest Ericsson-Juniper,Class
    AuthPort
    AcctPort 1646
    Retries 0
    RetryTimeout 2
    FailureBackoffTime 30
</AuthBy>

<Handler Client-Id=localhost,Request-Type=Accounting-Request,Calling-Station-Id=852192507893>
    RejectHasReason
    AccountingHandled
    PreAuthHook file:%D/MakeClassForGUP
    AuthByPolicy ContinueAlways
    AuthBy GUP_Dipping
    ### Remark:-
    ### I need to add country code to Calling-Station-Id before doing next AuthBy
    ### How can I add hook here?
    AuthBy test_forwarding
    AcctLogFileName /%L/%c/%{GlobalVar:servername}.%c.detail.%Y%m%d
    PasswordLogFileName /%L/%{GlobalVar:servername}.password.%Y%m%d
</Handler>
(RADIATOR) Using LDAP in PreAuthHook
Title: Using LDAP in PreAuthHook

Hi,

My problem is when radiator is processing accounting request packets (i.e. accounting-start/accounting-stop), it should query an external LDAP database for new attribute-value (a-v) pairs, then either append/replace these a-v pairs to/in the current request packet. Can anyone give me direction on how to write a PreAuthHook using LDAP and how to call functions in the AuthLDAP2.pm module?

Regards,
Harrison
(RADIATOR) Radiator Error Logging
Title: Radiator Error Logging

Dear Sir,

Our radiator generates the following messages:

INFO: AuthRADIUS: No reply after 0 retransmissions to 123.123.123.123:1813 for void (54)

Since our customer doesn't need to enter his username, the remote access server sends out 'void' by default. Can we customize the message so that it includes the Calling-Station-Id attribute? We need to identify which record doesn't arrive at the remote accounting server. The new message will look like this:

INFO: AuthRADIUS: No reply after 0 retransmissions to 123.123.123.123:1813 for void (85291234567) (54)

**where (85291234567) represents the Calling-Station-Id attribute

Thanks for your help in advance!

Regards,
Harrison
(RADIATOR) SQL Query with Backslash
Title: SQL Query with Backslash

Hi,

We have some special usernames such as *99#\ needed for login. But the backslash \ may cause a problem for an update query like this:

Fri Jun 14 10:15:13 2002: ERR: do failed for 'update RADPOOL set STATE=1,TIME_STAMP=1024020913,EXPIRY=1024280113,USERNAME='*99#\',CALLINGSTATIONID='85294546592' where YIADDR='10.25.192.153' and TIME_STAMP=1023961400': You have an error in your SQL syntax near '85294546592' where YIADDR='10.25.192.153' and TIME_STAMP=1023961400' at line 1

The effect is that authentication cannot be completed for the current request. Can you help?

Regards,
Harrison Ng
SmarTone Mobile Communications Limited
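
The error in the post above comes from the trailing backslash escaping the closing quote of the USERNAME literal, and because User-Name and Calling-Station-Id are supplied by the RADIUS client, the same interpolation is an SQL injection path. The following is an added example, not part of the original post and not Radiator code; `mysql_escape`, `string_literals` and `allocate_sql` are hypothetical helpers, and in a DBI program the equivalent protection is `$dbh->quote()` or `?` placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# MySQL backslash escapes inside a quoted string (default sql_mode).
# \% and \_ are not special-cased in this example.
my %UNESCAPE = ('n' => "\n", 'r' => "\r", 't' => "\t", 'b' => "\b",
                '0' => "\0", 'Z' => "\x1a");

# Hypothetical helper: escape a value for a single-quoted MySQL literal.
sub mysql_escape {
    my ($v) = @_;
    $v =~ s/\\/\\\\/g;       # backslash first, or later escapes get doubled
    $v =~ s/'/\\'/g;
    $v =~ s/\0/\\0/g;
    $v =~ s/\n/\\n/g;
    $v =~ s/\r/\\r/g;
    $v =~ s/\x1a/\\Z/g;
    return $v;
}

# Split a statement into its string literals the way the MySQL lexer does.
# Returns an array ref, or undef when a literal is still open at the end.
sub string_literals {
    my ($sql) = @_;
    my @c = split //, $sql;
    my (@lits, $cur);
    for (my $i = 0; $i < @c; $i++) {
        my $ch = $c[$i];
        if (!defined $cur) {                       # outside any literal
            $cur = '' if $ch eq "'";
        }
        elsif ($ch eq "\\" && $i < $#c) {          # backslash escapes next char
            my $n = $c[++$i];
            $cur .= exists $UNESCAPE{$n} ? $UNESCAPE{$n} : $n;
        }
        elsif ($ch eq "'" && $i < $#c && $c[$i + 1] eq "'") {
            $cur .= "'";                           # '' is an embedded quote
            $i++;
        }
        elsif ($ch eq "'") {                       # closing quote
            push @lits, $cur;
            undef $cur;
        }
        else {
            $cur .= $ch;
        }
    }
    return defined $cur ? undef : \@lits;
}

# AllocateQuery-style statement with the values from the error log above.
sub allocate_sql {
    my ($user, $csid) = @_;
    return "update RADPOOL set STATE=1,TIME_STAMP=1024020913,EXPIRY=1024280113,"
         . "USERNAME='${user}',CALLINGSTATIONID='${csid}' "
         . "where YIADDR='10.25.192.153' and TIME_STAMP=1023961400";
}

my $user = '*99#\\';             # the user name from the post: *99#\
my $csid = '85294546592';

for my $case (['interpolated as-is', $user, $csid],
              ['escaped first', mysql_escape($user), mysql_escape($csid)]) {
    my ($label, $u, $c) = @$case;
    my $lits = string_literals(allocate_sql($u, $c));
    print "$label: ",
        $lits ? join(' | ', map { "[$_]" } @$lits)
              : "unterminated string literal, statement rejected",
        "\n";
}
```

With the raw value the first literal runs on to the quote that was meant to open the CALLINGSTATIONID value, so the parser next meets 85294546592, which is where the MySQL error message in the post points.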
FW: (RADIATOR) Re: Please help.
Sam,

For IP address allocation in Radiator, use AuthBy DYNADDRESS and AddressAllocator SQL. Below is an example of radius.cfg.

Regards,
Harrison

<AddressAllocator SQL>
    Identifier myallocator
    DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
    DBUsername xyz
    DBAuth xyz
    DefaultLeasePeriod 86000
    LeaseReclaimInterval 300
    FindQuery select TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP limit 1
    AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0,EXPIRY=%1,USERNAME='%2',CALLINGSTATIONID='%{Calling-Station-Id}' \
        where YIADDR='%3' and TIME_STAMP%4
    <AddressPool trial1>
        Subnetmask 255.255.255.0
        Range xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    </AddressPool>
    <AddressPool trial2>
        Subnetmask 255.255.255.0
        Range xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    </AddressPool>
</AddressAllocator SQL>

<Handler Client-Id = x.x.x.x>
    AuthBy xxx
    AuthBy yyy
    <AuthBy DYNADDRESS>
        Allocator myallocator
        PoolHint %{Reply:PoolHint}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
        StripFromReply PoolHint
        StripFromReply Framed-IP-Netmask
        AddToReplyIfNotExist Service-Type = Framed-User
        AddToReplyIfNotExist Framed-Protocol = PPP
    </AuthBy DYNADDRESS>
</Handler>

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sam Cheung
Sent: Tuesday, December 18, 2001 3:06 PM
Subject: (RADIATOR) Re: Please help.

Dear Genius,

I am trying to config. a radiator (2.19-demo) allocating IP address dynamically using DB1 to get the authentication info. from DB1 (a mysql server storing username and password) and using DB2 (another mysql server) to log the dhcp client info., DHCP pool and leased IP, etc. using the database which is created by a script called mysqlCreate.sql. Can you give me some suggestion what to put down in the config.cfg? Thanks so much for paying attention.

Thanks a lot.

Best Regards,
Sam Cheung
RE: (RADIATOR) HydraRADIUS
Title: RE: (RADIATOR) HydraRADIUS

Hello all,

BTW why not use Radiator AuthBy LOADBALANCE. The price vs performance is good. You can make 2 boxes for primary and secondary radius. The hardware switch is too expensive.

Regards,
Harrison Ng
SmarTone Mobile Communication Limited

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Chris Given
Sent: Monday, November 19, 2001 6:37 AM
Subject: FW: (RADIATOR) HydraRADIUS

Check out foundry networks, they make a nice product to do this. http://www.foundrynetworks.com/

-----Original Message-----
From: Mike McCauley
Sent: Sunday, November 18, 2001 3:18 PM
Subject: Re: (RADIATOR) HydraRADIUS

---------- Forwarded Message ----------
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [David M. Lloyd [EMAIL PROTECTED]]
Date: Fri, 16 Nov 2001 07:40:08 -0600

Date: Fri, 16 Nov 2001 09:29:21 -0600 (CST)
From: David M. Lloyd
To: Ricardo D. Albano
Subject: Re: (RADIATOR) HydraRADIUS

On Thu, 15 Nov 2001, Ricardo D. Albano wrote:

> Any know HydraRADIUS ? I'm searching for a radius load balancer (I have 20 radiators), I read about HydraRADIUS in the Radiator Manual, but I can't contact with this company. The web page (http://www.hydraweb.com/products/hydraradius/index.asp) is down (and the DNS too)... :(

HydraWeb is the company that made those things. We got a couple of them right before HydraWeb went out of business... what a nightmare. They were the worst pieces of hardware I've ever had the displeasure of dealing with. Not only that, but people we were trying to contact kept getting laid off. The only reason we got our money back is because one of my coworkers finagled the cellphone number of the VP out of someone.

If you want a good loadbalancing appliance, look at F5's BigIP product. That's what most of the big ISPs use. It costs about the same as the Hydras did, but it actually *works*.

I would recommend to Hugh/Mike/etc that you drop reference to Hydra since they don't seem to exist anymore.

- D

--
Mike McCauley
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) AddressAllocator SQL
Title: AddressAllocator SQL Hi, Is it possible to have multiple 'AllocateQuery' statement in AddressAllocator, similar to multiple 'AuthSelect' in AuthBy SQL. In some occasion our RAS won't send accounting stop, so we are running out of ip address. So we need to reclaim those unused ip address before actual 'AllocateQuery'. 'ReclaimQuery' won't help in this situation, because our 'DefaultLeasePeriod' is 7 days. Thanks in advance! Harrison SmarTone BroadBand Service Limited
(RADIATOR) Load Balancing
Title: Load Balancing Hi, We are using Ericsson GSN, the primary and secondary failover timer in GSN is restricted to merely 6 seconds. After these 6 secs, it drops the call. So our radiator server need to respond very fast, I mean fast in doing username/password authentication, accounting logging, ip address allocation and forward accounting information to 3rd party business partners and reply back to GSN at last. If we divide 6 secs into 2 halves, there will be only 3 secs for primary radius, and 3 secs for secondary radius. Our first question is it possible to change the behaviour (perhaps an extra parameter) of AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE so that when radius proxy does not receive response from the first radius server, then just stop it and let the radius server marked failure and reply nothing to GSN. Let the radius server sit still until FailureBackupoffTime is reached. Do not even try to forward request to the second listed, until the list is exhausted. Second can we set the timeout value (perhaps to zero) for the very first accounting forward packet. The RetryTimeout only suitable for retransmitting packet. Lost accounting packet is not a concern to us, as long as the radius server work very fast. We tried optimize every things such as using radius proxy to distribute loading to several radius server, put database server in another unix box, field indexing, lots of memory and etc. Maybe our question is a bit strange. Perhaps someone can suggest us a workaround. Thanks. Regards, Harrison SmarTone BroadBand Services Ltd.
(RADIATOR) FW: Load Balancing
Title: FW: Load Balancing BTW, can those time related parameters accepts milliseconds, such as RetryTimeout, FailureBackoffTime. Harrison -Original Message- From: Harrison Ng Sent: Monday, September 10, 2001 3:21 PM To: '[EMAIL PROTECTED]' Subject: Load Balancing Hi, We are using Ericsson GSN, the primary and secondary failover timer in GSN is restricted to merely 6 seconds. After these 6 secs, it drops the call. So our radiator server need to respond very fast, I mean fast in doing username/password authentication, accounting logging, ip address allocation and forward accounting information to 3rd party business partners and reply back to GSN at last. If we divide 6 secs into 2 halves, there will be only 3 secs for primary radius, and 3 secs for secondary radius. Our first question is it possible to change the behaviour (perhaps an extra parameter) of AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE so that when radius proxy does not receive response from the first radius server, then just stop it and let the radius server marked failure and reply nothing to GSN. Let the radius server sit still until FailureBackupoffTime is reached. Do not even try to forward request to the second listed, until the list is exhausted. Second can we set the timeout value (perhaps to zero) for the very first accounting forward packet. The RetryTimeout only suitable for retransmitting packet. Lost accounting packet is not a concern to us, as long as the radius server work very fast. We tried optimize every things such as using radius proxy to distribute loading to several radius server, put database server in another unix box, field indexing, lots of memory and etc. Maybe our question is a bit strange. Perhaps someone can suggest us a workaround. Thanks. Regards, Harrison SmarTone BroadBand Services Ltd.
(RADIATOR) MaxSessions
Title: MaxSessions

Hello,

Is it possible to prevent executing AuthBy clauses when MaxSessions is exceeded (within a Handler)?

When radiator receives an Access-Request, it determines an appropriate handler to process the request. Then it checks whether the user has reached MaxSessions. In this case the user has reached MaxSessions, therefore it should send Access-Reject to the NAS and stop executing AuthBy clauses. However radiator still goes through the clauses and eventually sends out Access-Accept to the NAS. At the same time, our NAS takes in the Access-Accept and opens a PPP session.

Pls find attached trace 4 capture and extracts of our radius.cfg. Can anyone give us a hint.

Harrison
SmarTone BroadBand Services Limited

MaxSession.txt radius.cfg

Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812
Code: Access-Request
Identifier: 0
Authentic: )222174255o2336245137.163:2156225244
Attributes:
    User-Name = [EMAIL PROTECTED]
    User-Password = 293FVW{V30275k2491511207[
    NAS-Identifier = LAPB01
    NAS-IP-Address = 202.140.97.153
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 100663738
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler User-Name = /(?![\w\.\-@])+/ should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.67.215.60 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.67.215.240 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 10.20.2.2 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.140.97.152 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.140.97.153 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Handling request with Handler 'Client-Id = 202.140.97.153'
Wed Aug 29 16:19:49 2001: DEBUG: Rewrote user name to fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: bras Deleting session for [EMAIL PROTECTED], 202.140.97.153, 100663738
Wed Aug 29 16:19:49 2001: DEBUG: do query is: delete from BBONLINE where NASIDENTIFIER='202.140.97.153' and NASPORT=100663738
Wed Aug 29 16:19:49 2001: DEBUG: Query is: select NASIDENTIFIER,NASPORT from BBONLINE where USERNAME='[EMAIL PROTECTED] '
Wed Aug 29 16:19:49 2001: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 202.140.97.153, 10066400 0,
Wed Aug 29 16:19:49 2001: INFO: Access rejected for fieldsvc: MaxSessions exceeded
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812
Code: Access-Reject
Identifier: 0
Authentic: )222174255o2336245137.163:2156225244
Attributes:
    Reply-Message = Request Denied
    Reply-Message = MaxSessions exceeded
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthGROUP
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthLDAPwOBJ
Wed Aug 29 16:19:49 2001: DEBUG: Connecting to 202.140.96.53, port 389
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got result for cn=fieldsvc,ou=People,o=SmarTone,c=hk
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got authserviceprotocol: Framed-User
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got framedprotocol: PPP
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got sessiontimeoutnumber: 86000
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got userpassword: {crypt}vt3QIHUqVTcGE
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthLDAPwOBJ looks for match with fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthLDAPwOBJ ACCEPT:
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthGROUP
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthSQL
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthSQL
Wed Aug 29 16:19:49 2001: DEBUG: Query is: select FRAMEDIPADDRESS from SUBSCRIBERS where USERNAME='fieldsvc'
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthSQL looks for match with fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthSQL ACCEPT:
Wed Aug 29 16:19:49 2001: DEBUG: Access accepted for fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812
Code: Access-Accept
Identifier: 0
Authentic: )222174255o2336245137.163:2156225244
Attributes:
    Reply-Message = Request Denied
    Reply-Message = MaxSessions exceeded
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Session-Timeout = 86000
    Framed-IP-Address = 203.133.144.3
Wed Aug 29 16:19:51 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812
Code: Accounting-Request
Identifier: 0
Authentic: ?'6192m?193164?Op255206s@
Attributes:
    User-Name = [EMAIL PROTECTED]
    NAS-Identifier = LAPB01
    NAS-IP-Address = 202.140.97.153
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 100663738
    LAC-Port = 117446876
    LAC-Real-Port = 403638128
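
The failure visible in the trace above, an Access-Reject followed by an Access-Accept sent to the same client for the same Identifier, can be found mechanically in Trace 4 logs. The following is an added example, not part of the original post and not Radiator code; `conflicting_replies` is a hypothetical name, the sample lines are constructed on the model of the trace, and it assumes one log entry per line.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample, modelled on the trace in the post (attributes omitted).
my $sample = <<'LOG';
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812
Code: Access-Request
Identifier: 0
Wed Aug 29 16:19:49 2001: INFO: Access rejected for fieldsvc: MaxSessions exceeded
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812
Code: Access-Reject
Identifier: 0
Wed Aug 29 16:19:49 2001: DEBUG: Access accepted for fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812
Code: Access-Accept
Identifier: 0
Wed Aug 29 16:19:51 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812
Code: Access-Request
Identifier: 1
Wed Aug 29 16:19:51 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812
Code: Access-Accept
Identifier: 1
LOG

# Return one record for every request that was answered with two different
# final replies (Access-Accept and Access-Reject) to the same peer and
# RADIUS Identifier.
sub conflicting_replies {
    my @lines = @_;
    my (%replies, @hits);
    my ($stamp, $dir, $peer, $code) = ('', '', '', '');
    for my $line (@lines) {
        if ($line =~ /^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): /) {
            $stamp = $1;                       # timestamp of the current entry
        }
        elsif ($line =~ /^\*\*\* (Received from|Sending to) (\S+) port (\d+)/) {
            ($dir, $peer, $code) = ($1, "$2:$3", '');
        }
        elsif ($line =~ /^Code:\s+(\S+)/) {
            $code = $1;
        }
        elsif ($line =~ /^Identifier:\s+(\d+)/ && $code ne '') {
            my $key = "$peer id=$1";
            if ($dir eq 'Received from' && $code eq 'Access-Request') {
                $replies{$key} = [];           # new request: forget old replies
            }
            elsif ($dir eq 'Sending to' && $code =~ /^Access-(?:Accept|Reject)$/) {
                my $seen = $replies{$key} ||= [];
                push @hits, { time => $stamp, request => $key,
                              replies => [ @$seen, $code ] }
                    if grep { $_ ne $code } @$seen;
                push @$seen, $code;
            }
            $code = '';                        # packet header consumed
        }
    }
    return @hits;
}

for my $hit (conflicting_replies(split /\n/, $sample)) {
    printf "%s  %s  %s\n", $hit->{time}, $hit->{request},
        join(' -> ', @{ $hit->{replies} });
}
```

On the constructed sample this reports the request with Identifier 0 (Access-Reject -> Access-Accept) and not the normally handled request with Identifier 1.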
RE: (RADIATOR) AddressAllocatorSQL
Title: RE: (RADIATOR) AddressAllocatorSQL

Hugh,

Thanks for your hint :-)

Harrison

-----Original Message-----
From: Hugh Irvine
Sent: Friday, August 24, 2001 8:18 AM
To: Harrison Ng
Subject: Re: (RADIATOR) AddressAllocatorSQL

Hello Harrison -

Having more than one Radiator host will not cause a problem. Note the ReclaimQuery that is run:

Wed Aug 22 19:22:14 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY 998479334

This will only reclaim leases that have expired, as configured by the DefaultLeasePeriod. This is the correct behaviour.

In any case, you can disable the query in the configuration file by specifying an empty string. Ie:

ReclaimQuery

hth

Hugh

On Thursday 23 August 2001 20:12, Harrison Ng wrote:

> Hello,
>
> Is there any way to disable ReclaimQuery during radiator startup. Using AddressAllocatorSQL on one radius server with one database should be fine. But not in AuthBy ROUNDROBIN environment. Here is our machine configuration.
>
> 1. One Ericsson GSN with 2 radius clients. It sends access request, a/c start, a/c stop to radius proxy using AuthBy ROUNDROBIN.
> 2. The proxy will forward those requests to two radius servers for enhancing performance.
> 3. The two radius servers use AddressAllocatorSQL to reply ip address to client. They share a RADPOOL residing in mysql db.
>
> Serious problem arises when either one radius server restarts, it will reset all ip address STATE to zero. Pls see debug message. Even though some ip address is already allocated by another healthy radius server. Does anyone have a different implementation method. Can anyone give me some hint. Pls find attached radius.cfg for your reference.
>
> Harrison
> SmarTone BroadBand Services Limited
>
> Wed Aug 22 19:22:11 2001: DEBUG: Reading users file /usr/local/etc/raddb/users.accept
> Wed Aug 22 19:22:11 2001: DEBUG: Reading users file /usr/local/etc/raddb/users.reject
> Wed Aug 22 19:22:11 2001: DEBUG: Checking address 202.140.74.2
> Wed Aug 22 19:22:11 2001: DEBUG: Query is: select STATE from RADPOOL where YIADDR='202.140.74.2'
> Wed Aug 22 19:22:14 2001: DEBUG: Reclaiming expired leases
> Wed Aug 22 19:22:14 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY 998479334
> Wed Aug 22 19:22:14 2001: INFO: Server started: Radiator 2.18.2 on grad1
> Wed Aug 22 19:22:14 2001: DEBUG: Packet dump:
> *** Received from 10.25.157.17 port 1033
> Code: Access-Request
>
> radius.proxy.txt radius.server.txt

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
RE: (RADIATOR) Ericsson GSN for GPRS
Title: RE: (RADIATOR) Ericsson GSN for GPRS Ingvar, Hello my friend! I would like to hear your opinion. 1. We've 3 APN for different kind of service. Each APN should has its ip address range for handsets. What we are doing now is using radiator AddressAllocatorSQL with different POOLHINT to allocate ip address. Which one is better in allocating ip address, from APN internally or radiator server. 2. Your words: 'It has a binary value for session ID (4 bytes GGSN IP address + 4 bytes Framed-IP-Address)' Our session ID is very urgly. It concat six zero and CLASS attribute to be session ID. See below sample. I think it should be a integer, hex, or some number. Do you know any workaround. *** Received from 10.25.155.1 port 3645 Code: Accounting-Request Identifier: 95 Authentic: ?I144143227'243139I191203160132N12b Attributes: User-Name = rad_user Class = SI=Testing Acct-Session-Id = 00Testing NAS-IP-Address = 10.25.155.1 Acct-Status-Type = Stop NAS-Port = 1 Acct-Authentic = RADIUS NAS-Identifier = rad Framed-Protocol = PPP Calling-Station-Id = 85298699517 Framed-IP-Address = 10.25.155.3 3. Are you still working on GSN product. Do you know any GSN resource, specification, books, pdf, or anything on Ericsson website, so we can make use of it. Thanks :-) Harrison -Original Message- From: Harrison Ng Sent: Thursday, August 23, 2001 5:32 PM To: 'Ingvar Berg (ERA)' Subject: RE: (RADIATOR) Ericsson GSN for GPRS Ingvar, Hello my friend! I would like to hear your opinion. 1. We've 3 APN for different kind of service. Each APN should has its ip address range for handsets. What we are doing now is using radiator AddressAllocatorSQL with different POOLHINT to allocate ip address. Which one is better in allocating ip address, from APN internally or radiator server. 2. Your words: 'It has a binary value for session ID (4 bytes GGSN IP address + 4 bytes Framed-IP-Address)' Our session ID is very urgly. It concat six zero and CLASS attribute to be session ID. See below sample. 
I think it should be a integer, hex, or some number. Do you know any workaround. *** Received from 10.25.155.1 port 3645 Code: Accounting-Request Identifier: 95 Authentic: ?I144143227'243139I191203160132N12b Attributes: User-Name = rad_user Class = SI=Testing Acct-Session-Id = 00Testing NAS-IP-Address = 10.25.155.1 Acct-Status-Type = Stop NAS-Port = 1 Acct-Authentic = RADIUS NAS-Identifier = rad Framed-Protocol = PPP Calling-Station-Id = 85298699517 Framed-IP-Address = 10.25.155.3 3. Are you still working on GSN product. Do you know any GSN resource, specification, books, pdf, or anything on Ericsson website, so we can make use of it. Thanks :-) Harrison -Original Message- From: Ingvar Berg (ERA) [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 23, 2001 2:34 PM To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' Subject: RE: (RADIATOR) Ericsson GSN for GPRS Hello Harrison, I have a GGSN parameter list from a lab setup we did early this year: APN : ucb.gsn.lkp Number of Configured APNs : 3 First Supported IP Segment : 172.44.220.0 GGSN IP Address : 172.44.220.254 // Not so brilliant choice... Last Supported IP Segment : 172.44.220.0 // More segments in reality Netmask : 255.255.255.0 // - - Authenticate MS Using RADIUS : true // Yes Send MSISDN in Access Req. : true // Yes Send MSISDN in Accounting Req. 
: true // Yes
Primary RADIUS Server Address : 192.168.240.12
Primary Query Time-out [ms] : 3
Primary Query Retries : 10
Primary Encryption Key : thesharedsecret
Origin of MS IP Address : RADIUS // Yes
Allow Select from SGSN : false
Allow Select from Subscription : true
Allow Select from User : true
Enable Ingress Filter : false
Routing Method : IP

The RADIUS client in the GGSN has a couple of annoying problems, at least the version we did the work on:
- It doesn't include the Framed-IP-Address in accounting stop
- It has a binary value for session ID (4 bytes GGSN IP address + 4 bytes Framed-IP-Address)

The first one is a serious one, that has to be handled, or your address allocator will run dry. Hugh's suggestion was to use the Class attribute to put a copy of the allocated IP address when you send the access accept (AddToReply...). Then when the acct stop comes, you pick the IP address from the Class attribute if Framed-IP-Address is missing.

Sample code:

    # Handle Accounting-Requests.
    # Make sure there is a Framed-IP-Address in the request
    # (from the contents of the Class attribute).
    # Fragment: this branch continues an if/elsif chain on $code inside the hook,
    # where $p is the request packet.
    elsif ($code eq 'Accounting-Request')
    {
        my $address = $p->get_attr('Framed-IP-Address');
        if (!defined $address)
        {
            # Get the IP address from the Class attribute
            $address = $p->get_attr('Class');
            $p->add_attr('Framed-IP-Address', $address)
                if (defined $address);
        }
        # Print a debug line (the address may still be missing at this point)
        main::log($main::LOG_DEBUG, 'Framed-IP-Address = '
            . (defined $address ? $address : '(none)'));
    }

That's about all I can come to think of right away, pls feel free to come back to me if more
(RADIATOR) AddressAllocatorSQL
Title: AddressAllocatorSQL Hello, Is there any way to disable ReclaimQuery during radiator startup. Using AddressAllocatorSQL on one radius server with one database should be fine. But not in AuthBy ROUNDROBIN environment. Here is our machine configuration. 1. One Ericsson GSN with 2 radius clients. It send access request, a/c start, a/c stop to radius proxy using AuthBy ROUNDROBIN. 2. The proxy will forward those request to two radius server for enhancing performance. 3. The two radius server use AddressAllocatorSQL to reply ip address to client. They share a RADPOOL reside in mysql db. Serious problem arises when either one radius server restart, it will reset all ip address STATE to zero. Pls see debug message. Even though some ip address is already allocated by another health radius server. Is anyone have different implementation method. Can anyone give me some hint. Pls find attached radius.cfg for your reference. Harrison SmarTone BroadBand Services Limited Wed Aug 22 19:22:11 2001: DEBUG: Reading users file /usr/local/etc/raddb/users.accept Wed Aug 22 19:22:11 2001: DEBUG: Reading users file /usr/local/etc/raddb/users.reject Wed Aug 22 19:22:11 2001: DEBUG: Checking address 202.140.74.2 Wed Aug 22 19:22:11 2001: DEBUG: Query is: select STATE from RADPOOL where YIADDR='202.140.74.2' ... ... Wed Aug 22 19:22:14 2001: DEBUG: Reclaiming expired leases Wed Aug 22 19:22:14 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY 998479334 Wed Aug 22 19:22:14 2001: INFO: Server started: Radiator 2.18.2 on grad1 Wed Aug 22 19:22:14 2001: DEBUG: Packet dump: *** Received from 10.25.157.17 port 1033 Code: Access-Request ... ... 
radius.proxy.txt radius.server.txt ## Global Parameters ## Trace 4 AuthPort1812 AcctPort1813 LogDir /var/log/radius DbDir /usr/local/etc/raddb LogFile %L/grad3.logfile.%Y%m%d DictionaryFile %D/dictionary PidFile %L/radiusd.pid ### ## NAS Client # Client 202.140.74.1 Secret xxx /Client Client 10.25.155.1 Secret xxx /Client Client localhost Secret mysecret DupInterval 0 /Client ### ## Log SQL Log SQL Identifier logsql DBSource dbi:mysql:radius:10.25.157.33 DBUsername xxx DBAuth xxx Table RADLOG Trace 3 LogQuery insert into RADLOG (TIME_STAMP,PRIORITY,MESSAGE,HOST) values (%t,%0,%2,'%h') /Log SQL ### ## AuthBy Module ## AuthBy FILE Identifier defaultaccept Filename %D/users.accept /AuthBy AuthBy FILE Identifier defaultreject Filename %D/users.reject /AuthBy AuthBy ROUNDROBIN Identifier roundrobin Host 10.25.157.19 Secret xxx AuthPort 1812 AcctPort 1813 /Host Host 10.25.157.18 Secret xxx AuthPort 1812 AcctPort 1813 /Host /AuthBy ### ## Handler Module # Handler Client-Id = 202.140.74.1,NAS-Identifier = radius RejectHasReason RewriteUsername s/^([^@]+).*/$1/ #SessionDatabase simultaneous AuthBy roundrobin AcctLogFileName %L/%c/grad3.%c.detail.%Y%m%d PasswordLogFileName %L/grad3.password.%Y%m%d /Handler Handler Client-Id = 10.25.155.1,NAS-Identifier = rad RejectHasReason RewriteUsername s/^([^@]+).*/$1/ #SessionDatabase simultaneous AuthBy roundrobin AcctLogFileName %L/%c/grad3.%c.detail.%Y%m%d PasswordLogFileName %L/grad3.password.%Y%m%d /Handler Handler Client-Id = localhost RejectHasReason RewriteUsername s/^([^@]+).*/$1/ AuthBy defaultaccept AcctLogFileName %L/%c/grad3.%c.detail.%Y%m%d PasswordLogFileName %L/grad3.password.%Y%m%d /Handler ### ## Global Parameters ## Trace 4 AuthPort1812 AcctPort1813 LogDir /var/log/radius DbDir /usr/local/etc/raddb LogFile %L/grad1.logfile.%Y%m%d DictionaryFile %D/dictionary PidFile %L/radiusd.pid ### ## NAS Client # Client 10.25.157.17 Secret xxx /Client Client localhost Secret mysecret DupInterval 0 /Client ### ## Log SQL Log SQL 
Identifier logsql DBSource dbi:mysql:radius:10.25.157.33 DBUsername xxx DBAuth xxx Table RADLOG Trace 3 LogQuery insert into RADLOG (TIME_STAMP,PRIORITY,MESSAGE,HOST) values
(RADIATOR) Ericsson GSN for GPRS
Title: Ericsson GSN for GPRS Hello, Is there anyone who can share their experience in using Ericsson GSN with Radiator. Could you tell your GSN version, Radiator version, how to distribute IP address (thru GSN or Radiator). Maybe more! Your help is highly appreciated and perhaps we can share our experience with you too. Harrison SmarTone BroadBand Services Limited
(RADIATOR) AllocateQuery
Title: AllocateQuery

Hello,

Does anyone know whether it is valid to include %{attribute-name} in AllocateQuery of AddressAllocator SQL? We've appended a new column called MSISDN in RADPOOL to record Calling-Station-Id, then added a custom AllocateQuery as below. Under trace 4, it seems that Radiator returns an empty value for %{Calling-Station-Id}. However, we tried similar things in AuthSelect of AuthBy SQL, and %{Calling-Station-Id} works properly. Can anyone give me a hint?

Harrison
SmarTone Mobile Communications Ltd.

This is an extract of radius.cfg

<AuthBy SQL>
    Identifier getpoolhint
    DBSource dbi:mysql:radius:10.25.157.33
    DBUsername dbuser1
    DBAuth netra323
    AuthSelect select POOLHINT from APN where ROAMDIGIT = left(%{Calling-Station-Id},3)
    AuthColumnDef 0, PoolHint, reply
    AccountingTable ACCOUNTING
    AcctColumnDef USERNAME,User-Name
    AcctColumnDef CLASS,Class
    AcctColumnDef ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef NASIPADDRESS,NAS-IP-Address
    AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
    AcctColumnDef NASPORT,NAS-Port,integer
    AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
    AcctColumnDef NASIDENTIFIER,NAS-Identifier
    AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
    AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
    AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
    AcctColumnDef TIMESTAMP,Timestamp,integer
    AcctFailedLogFileName %L/grad1.%c.missing.%Y%m%d
</AuthBy SQL>

<AddressAllocator SQL>
    Identifier myallocator
    DBSource dbi:mysql:radius:10.25.157.33
    DBUsername dbuser1
    DBAuth netra323
    AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0,EXPIRY=%1,USERNAME='%2',MSISDN='%{Calling-Station-Id}' \
        where YIADDR='%3' and TIME_STAMP%4
    <AddressPool local>
        Subnetmask 255.255.255.0
        Range 202.140.74.11 202.140.74.20
    </AddressPool>
    <AddressPool roam>
        Subnetmask 255.255.255.0
        Range 10.25.155.11 10.25.155.20
    </AddressPool>
</AddressAllocator SQL>

This is radiator trace 4

Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Received from 202.140.74.1 port 2859
Code: Access-Request
Identifier: 199
Authentic: 00'_00724900bm007T
Attributes:
    User-Name =
    User-Password = A22831204205(27166-v150Z220180207U
    NAS-IP-Address = 202.140.74.1
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    Calling-Station-Id = 85298699517
    NAS-Identifier = radius
Tue Aug 21 10:48:09 2001: DEBUG: Check if Handler Client-Id = 202.140.74.1,NAS-Identifier = radius should be used to handle this request
Tue Aug 21 10:48:09 2001: DEBUG: Handling request with Handler 'Client-Id = 202.140.74.1,NAS-Identifier = radius'
Tue Aug 21 10:48:09 2001: DEBUG: simultaneous Deleting session for , 202.140.74.1, 1
Tue Aug 21 10:48:09 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='202.140.74.1' and NASPORT=1
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthFILE
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthFILE looks for match with
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthFILE ACCEPT: Accept explicitly by Auth-Type=Accept
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthSQL
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthSQL
Tue Aug 21 10:48:09 2001: DEBUG: Query is: select POOLHINT from APN where ROAMDIGIT = left(85298699517,3)
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthSQL looks for match with
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthSQL ACCEPT:
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Tue Aug 21 10:48:09 2001: DEBUG: Query is: select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='local' and STATE=0 order by TIME_STAMP
Tue Aug 21 10:48:09 2001: DEBUG: do query is: update RADPOOL set STATE=1,TIME_STAMP=998362089,EXPIRY=998448489,USERNAME='',MSISDN='' where YIADDR='202.140.74.11' and TIME_STAMP=998362069
Tue Aug 21 10:48:09 2001: DEBUG: Access accepted for
Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Sending to 202.140.74.1 port 2859
Code: Access-Accept
Identifier: 199
Authentic: 00'_00724900bm007T
Attributes:
    Framed-IP-Netmask = 255.255.255.0
    Framed-IP-Address = 202.140.74.11
    Class = SI=Testing
Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Received from 202.140.74.1 port 2860
Code: Accounting-Request
Identifier: 200
Authentic: 181135T224207t172mc239$206c*W182
Attributes:
    User-Name =
    Class = SI=Testing
    Acct-Session-Id = 00Testing
    NAS-IP-Address = 202.140.74.1
    Acct-Status-Type = Start
    NAS-Port = 1
    Acct-Authentic = RADIUS
    NAS-Identifier = radius
    Framed-Protocol = PPP
    Calling-Station-Id = 85298699517
    Framed-IP-Address = 202.140.74.11
Tue Aug 21 10:48:09 2001: DEBUG: Check if Handler Client-Id = 202.140.74.1,NAS-Identifier = radius should be used to handle this request
Tue Aug 21 10:48:09 2001: DEBUG: Handling request with Handler 'Client-Id =
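Added example (not part of the original post and not Radiator code): a check that compares the AllocateQuery template with the statement the trace shows being executed, and reports columns whose %{Attribute} reference came out empty even though the request carried a value. The template, the executed statement and the attribute lines are copied from the post above; the function names are this example's own.

```python
import re

# AllocateQuery template, executed statement and a subset of the Access-Request
# attributes, all copied from the radius.cfg extract and trace 4 in the post.
TEMPLATE = ("update RADPOOL set STATE=1,TIME_STAMP=%0,EXPIRY=%1,USERNAME='%2',"
            "MSISDN='%{Calling-Station-Id}' where YIADDR='%3' and TIME_STAMP%4")
EXECUTED = ("update RADPOOL set STATE=1,TIME_STAMP=998362089,EXPIRY=998448489,"
            "USERNAME='',MSISDN='' where YIADDR='202.140.74.11' "
            "and TIME_STAMP=998362069")
REQUEST_ATTRS = """User-Name =
NAS-IP-Address = 202.140.74.1
Calling-Station-Id = 85298699517
NAS-Identifier = radius"""

# column = 'quoted value' or column = bare token
ASSIGN = re.compile(r"(\w+)\s*=\s*('[^']*'|[^,\s]+)")

def set_clause(sql):
    """Return {column: raw value} for the SET part of an UPDATE statement."""
    body = re.search(r"\bset\b(.*?)\bwhere\b", sql, re.I | re.S).group(1)
    return dict(ASSIGN.findall(body))

def request_attributes(dump):
    """Parse 'Name = value' lines of a packet dump into a dict."""
    attrs = {}
    for line in dump.splitlines():
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs

def lost_substitutions(template, executed, dump):
    """List (column, attribute, request value) where %{attribute} was
    substituted as an empty string although the request had a value."""
    attrs = request_attributes(dump)
    ran = set_clause(executed)
    lost = []
    for column, raw in set_clause(template).items():
        ref = re.fullmatch(r"'?%\{([^}]+)\}'?", raw)
        if not ref:
            continue  # positional %0..%4 values are filled by the allocator
        value = attrs.get(ref.group(1), "")
        if value and ran.get(column, "").strip("'") == "":
            lost.append((column, ref.group(1), value))
    return lost

if __name__ == "__main__":
    for column, attr, value in lost_substitutions(TEMPLATE, EXECUTED, REQUEST_ATTRS):
        print(f"{column}: %{{{attr}}} was empty, request had {value}")
```

USERNAME is also empty in the executed statement, but it is not reported: it comes from a positional value and the request's User-Name was empty as well.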
(RADIATOR) BindAddress
Title: BindAddress

Hello,

We are using Radiator 2.18.2 on RH6.2. The BindAddress parameter works only for RADIUS authentication but not for accounting requests. We used tcpdump to check where the packet has gone; it said udp port radacct unreachable. I have no idea how to solve it. Can anyone give me a hint?

Harrison
SmarTone Mobile Communications Ltd.

Running radpwtst -

There is no value named Async for attribute NAS-Port-Type. Using 0.
sending Access-Request...
OK
There is no value named Async for attribute NAS-Port-Type. Using 0.
sending Accounting-Request Start...
No reply
There is no value named Async for attribute NAS-Port-Type. Using 0.
sending Accounting-Request Stop...
No reply
time for 1 iterations: 10 s

Radiator logfile -

Mon Aug 20 10:05:24 2001: INFO: Server started: Radiator 2.18.2 on grad1
Mon Aug 20 10:05:24 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1024
Code: Access-Request
Identifier: 143
Authentic: 1234567890123456
Attributes:
    User-Name = lmds1
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Asynchronous
    User-Password = 200185l153154j424618889160216}x153
Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = 202.140.74.1,NAS-Identifier = radius should be used to handle this request
Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = 10.25.155.1,NAS-Identifier = rad should be used to handle this request
Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = 10.25.157.18,NAS-Identifier = radius should be used to handle this request
Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = localhost should be used to handle this request
Mon Aug 20 10:05:24 2001: DEBUG: Handling request with Handler 'Client-Id = localhost'
Mon Aug 20 10:05:24 2001: DEBUG: Rewrote user name to lmds1
Mon Aug 20 10:05:24 2001: DEBUG: Deleting session for lmds1, 203.63.154.1, 1234
Mon Aug 20 10:05:24 2001: DEBUG: Handling with Radius::AuthFILE
Mon Aug 20 10:05:24 2001: DEBUG: Radius::AuthFILE looks for match with lmds1
Mon Aug 20 10:05:24 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Aug 20 10:05:24 2001: DEBUG: Radius::AuthFILE ACCEPT: Accept explicitly by Auth-Type=Accept
Mon Aug 20 10:05:24 2001: DEBUG: Access accepted for lmds1
Mon Aug 20 10:05:24 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1024
Code: Access-Accept
Identifier: 143
Authentic: 1234567890123456
Attributes:

Running tcpdump -

[root@grad1 /root]# tcpdump host 127.0.0.1
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
10:19:34.615660 lo localhost.radacct localhost.radius: udp 91
10:19:34.615660 lo localhost.radacct localhost.radius: udp 91
10:19:34.632010 lo localhost.radius localhost.radacct: udp 20
10:19:34.632010 lo localhost.radius localhost.radacct: udp 20
10:19:34.637640 lo localhost.radacct localhost.radacct: udp 89
10:19:34.637640 lo localhost.radacct localhost.radacct: udp 89
10:19:34.637686 lo localhost localhost: icmp: localhost udp port radacct unreachable [tos 0xc0]
10:19:34.637686 lo localhost localhost: icmp: localhost udp port radacct unreachable [tos 0xc0]
10:19:39.640813 lo localhost.radacct localhost.radacct: udp 113
10:19:39.640813 lo localhost.radacct localhost.radacct: udp 113
10:19:39.640849 lo localhost localhost: icmp: localhost udp port radacct unreachable [tos 0xc0]
10:19:39.640849 lo localhost localhost: icmp: localhost udp port radacct unreachable [tos 0xc0]
(RADIATOR) Radiator License Registration
Title: Radiator License Registration

Hi!

We purchased Radiator from Automated Systems (HK) Ltd in August 2000. Until now we have not yet received a username and password to download the latest Radiator patch. Could you help?

Regards,
Harrison Ng
SmarTone Mobile Communications Ltd