(RADIATOR) Hook Between AuthBy

2003-11-03 Thread Harrison Ng
Title: Hook Between AuthBy





Hi,


My problem is adding the country code (i.e. 852) to the Calling-Station-Id attribute after the LDAP query,
and _before_ forwarding to another RADIUS server (see the config below). How can I do this?


Regards,
Harrison




<AuthBy LDAP2>
    Identifier GUP_Dipping

    AuthenticateAccounting

    Host x.x.x.x
    Port 389

    AuthDN uid=xxx,ou=xxx,o=xxx
    AuthPassword xxx

    BaseDN ou=xxx,ou=xxx,o=xxx
    Scope one

    SearchFilter (smcAMSISDN=%{Class})

    AuthAttrDef smcSubscriberNumber,Calling-Station-Id,request
</AuthBy LDAP2>

<AuthBy RADIUS>
    Identifier test_forwarding

    NoForwardAuthentication
    IgnoreAccountingResponse

    Host x.x.x.x
    Secret xxx

    StripFromRequest Ericsson-Juniper,Class

    AuthPort
    AcctPort 1646

    Retries 0
    RetryTimeout 2
    FailureBackoffTime 30
</AuthBy>

<Handler Client-Id=localhost,Request-Type=Accounting-Request,Calling-Station-Id=852192507893>
    RejectHasReason

    AccountingHandled

    PreAuthHook file:%D/MakeClassForGUP

    AuthByPolicy ContinueAlways

    AuthBy GUP_Dipping

    ### Remark:-
    ### I need to add country code to Calling-Station-Id before doing next AuthBy
    ### How can I add hook here?

    AuthBy test_forwarding

    AcctLogFileName /%L/%c/%{GlobalVar:servername}.%c.detail.%Y%m%d
    PasswordLogFileName /%L/%{GlobalVar:servername}.password.%Y%m%d
</Handler>



** This Email is virus-scanned and identified clean.


(RADIATOR) Using LDAP in PreAuthHook

2003-11-02 Thread Harrison Ng
Title: Using LDAP in PreAuthHook





Hi,


My problem is that when Radiator processes accounting request packets (i.e. accounting-start/accounting-stop),
it should query an external LDAP database for new attribute-value (a-v) pairs, then either append these
a-v pairs to, or replace them in, the current request packet.


Can anyone give me direction on how to write a PreAuthHook using LDAP and how to call functions in the AuthLDAP2.pm module?


Regards,
Harrison





(RADIATOR) Radiator Error Logging

2003-06-18 Thread Harrison Ng
Title: Radiator Error Logging





Dear Sir,


Our Radiator generates the following messages:
INFO: AuthRADIUS: No reply after 0 retransmissions to 123.123.123.123:1813 for void (54)


Since our customer doesn't need to enter his username, the remote access server sends out 'void' by default.
Can we customize the message so that it includes the Calling-Station-Id attribute?
We need to identify which record doesn't arrive at the remote accounting server.


The new message will look like this:
INFO: AuthRADIUS: No reply after 0 retransmissions to 123.123.123.123:1813 for void (85291234567) (54)


**where (85291234567) represents Calling-Station-Id attribute


Thanks for your help in advance!


Regards,
Harrison





(RADIATOR) SQL Query with Backslash

2002-06-18 Thread Harrison Ng
Title: SQL Query with Backslash





Hi,


We have some special usernames, such as *99#\, that are needed for login.


But the backslash \ may cause a problem in an update query like this:


Fri Jun 14 10:15:13 2002: ERR: do failed for 'update RADPOOL set STATE=1,TIME_STAMP=1024020913,EXPIRY=1024280113,USERNAME='*99#\',CALLINGSTATIONID='85294546592' where YIADDR='10.25.192.153' and TIME_STAMP=1023961400': You have an error in your SQL syntax near '85294546592' where YIADDR='10.25.192.153' and TIME_STAMP=1023961400' at line 1

The effect is that authentication cannot be completed for the current request.


Can you help?


Regards,
Harrison Ng
SmarTone Mobile Communications Limited




** This Email is virus-scanned and identified clean.
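
Why the UPDATE in the log line above fails, as an added example (not part of the original post and not Radiator's code): a small lexer that follows MySQL's default string-literal rules shows that \' is read as an escaped quote, so the USERNAME literal swallows the text up to the next quote, which is exactly where the server's error message starts. The helper names mysql_escape, mysql_literals and build_update are hypothetical; the statement values are the ones in the log line.

```perl
#!/usr/bin/perl
# Added example: why a trailing backslash in USERNAME breaks the UPDATE above.
use strict;
use warnings;

# Characters MySQL decodes after a backslash inside '...' (default sql_mode).
my %UNESC = ('0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t", 'Z' => "\x1a");
# Opposite direction: what must be escaped before a value goes between quotes.
my %ESC = ("\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
           "\\" => '\\\\', "'" => "\\'", '"' => '\\"');

# Escape a value for use inside a single-quoted MySQL string literal.
sub mysql_escape {
    my ($value) = @_;
    $value =~ s/([\0\n\r\x1a\\'"])/$ESC{$1}/g;
    return $value;
}

# Walk the statement the way the server's lexer does and return every string
# literal it would see: decoded value, whether it was closed, and what follows.
sub mysql_literals {
    my ($sql) = @_;
    my @found;
    my ($i, $len) = (0, length($sql));
    while ($i < $len) {
        if (substr($sql, $i, 1) ne "'") { $i++; next; }
        $i++;                                    # step past the opening quote
        my ($value, $closed) = ('', 0);
        while ($i < $len) {
            my $c    = substr($sql, $i, 1);
            my $next = $i + 1 < $len ? substr($sql, $i + 1, 1) : '';
            if ($c eq "\\" && $next ne '') {     # backslash swallows next char
                $value .= exists $UNESC{$next} ? $UNESC{$next} : $next;
                $i += 2;
            }
            elsif ($c eq "'" && $next eq "'") {  # '' is an embedded quote
                $value .= "'";
                $i += 2;
            }
            elsif ($c eq "'") {                  # real end of the literal
                $closed = 1;
                $i++;
                last;
            }
            else {
                $value .= $c;
                $i++;
            }
        }
        push @found, { value => $value, closed => $closed,
                       rest  => substr($sql, $i, 24) };
    }
    return @found;
}

# Rebuild the statement from the log line; the values are the ones shown there.
sub build_update {
    my ($username) = @_;
    return "update RADPOOL set STATE=1,TIME_STAMP=1024020913,EXPIRY=1024280113,"
         . "USERNAME='$username',CALLINGSTATIONID='85294546592' "
         . "where YIADDR='10.25.192.153' and TIME_STAMP=1023961400";
}

my $username = '*99#\\';    # the username from the post: star 9 9 hash backslash

for my $case (['interpolated as-is', $username],
              ['escaped first',      mysql_escape($username)]) {
    my ($label, $value) = @$case;
    my @lits = mysql_literals(build_update($value));
    print "$label:\n";
    for my $n (0 .. $#lits) {
        printf "  literal %d = [%s]%s\n", $n + 1, $lits[$n]{value},
            ($lits[$n]{closed} ? '' : '  <-- never closed');
    }
    printf "  text after first literal: %s\n", $lits[0]{rest};
    my $open = grep { !$_->{closed} } @lits;
    print "  verdict: ",
        ($open ? 'unterminated string literal' : 'all literals closed'), "\n";
}
```

In Perl DBI code the same protection comes from $dbh->quote($value) or ? bind parameters instead of hand-written quotes around a substituted value.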



FW: (RADIATOR) Re: Please help.

2001-12-18 Thread Harrison Ng



Sam,

For IP address allocation in Radiator, use AuthBy DYNADDRESS and AddressAllocator SQL.
Below is an example of radius.cfg.

Regards,
Harrison


<AddressAllocator SQL>
    Identifier myallocator

    DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
    DBUsername xyz
    DBAuth xyz

    DefaultLeasePeriod 86000
    LeaseReclaimInterval 300

    FindQuery select TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP limit 1

    AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0,EXPIRY=%1,USERNAME='%2',CALLINGSTATIONID='%{Calling-Station-Id}' \
        where YIADDR='%3' and TIME_STAMP%4

    <AddressPool trial1>
        Subnetmask 255.255.255.0
        Range xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    </AddressPool>

    <AddressPool trial2>
        Subnetmask 255.255.255.0
        Range xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    </AddressPool>
</AddressAllocator SQL>


<Handler Client-Id = x.x.x.x>
    AuthBy xxx

    AuthBy yyy

    <AuthBy DYNADDRESS>
        Allocator myallocator
        PoolHint %{Reply:PoolHint}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
        StripFromReply PoolHint
        StripFromReply Framed-IP-Netmask
        AddToReplyIfNotExist Service-Type = Framed-User
        AddToReplyIfNotExist Framed-Protocol = PPP
    </AuthBy DYNADDRESS>
</Handler>

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Cheung
Sent: Tuesday, December 18, 2001 3:06 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: (RADIATOR) Re: Please help.

Dear Genius,

I am trying to config. a radiator (2.19-demo) allocating IP address dynamically using DB1 to get the authentication info. from DB1 (an mysql server stored username and password) and using DB2 (another mysql server) to log the dhcp client info., DHCP pool and leased IP, etc. using the database which created by a script called mysqlCreate.sql. Can you give me some suggestion what to put down in the config.cfg?

Thanks so much for paying attention. Thanks a lot.

Best Regards,
Sam Cheung




RE: (RADIATOR) HydraRADIUS

2001-11-18 Thread Harrison Ng
Title: RE: (RADIATOR) HydraRADIUS





Hello all,


BTW, why not use Radiator AuthBy LOADBALANCE? The price vs performance is good.
You can set up 2 boxes for primary and secondary RADIUS.
The hardware switch is too expensive.


Regards,
Harrison Ng
SmarTone Mobile Communication Limited




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Chris Given
Sent: Monday, November 19, 2001 6:37 AM
To: '[EMAIL PROTECTED]'
Subject: FW: (RADIATOR) HydraRADIUS



Check out foundry networks, they make a nice product to do this.


http://www.foundrynetworks.com/


-Original Message-
From: Mike McCauley [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 18, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) HydraRADIUS





-- Forwarded Message --


Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [David 
M. Lloyd [EMAIL PROTECTED]]
Date: Fri, 16 Nov 2001 07:40:08 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


Date: Fri, 16 Nov 2001 09:29:21 -0600 (CST)
From: David M. Lloyd [EMAIL PROTECTED]
To: Ricardo D. Albano [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) HydraRADIUS


On Thu, 15 Nov 2001, Ricardo D. Albano wrote:
> Any know HydraRADIUS ?
>
> I'm searching for a radius load balancer (I have 20 radiators), I read
> about HydraRADIUS in the Radiator Manual, but I can't contact with
> this company. The web page
> (http://www.hydraweb.com/products/hydraradius/index.asp) is down (and
> the DNS too)... :(


HydraWeb is the company that made those things. We got a couple of them
right before HydraWeb went out of business... what a nightmare. They were
the worst pieces of hardware I've ever had the displeasure of dealing
with. Not only that, but people we were trying to contact kept getting
laid off. The only reason we got our money back is because one of my
coworkers finagled the cellphone number of the VP out of someone.


If you want a good loadbalancing appliance, look at F5's BigIP product.
That's what most of the big ISPs use. It costs about the same as the
Hydras did, but it actually *works*.


I would recommend to Hugh/Mike/etc that you drop reference to Hydra since
they don't seem to exist anymore.


- D


[EMAIL PROTECTED]


---


-- 
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955


Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.





(RADIATOR) AddressAllocator SQL

2001-10-16 Thread Harrison Ng
Title: AddressAllocator SQL





Hi,


Is it possible to have multiple 'AllocateQuery' statements in AddressAllocator, similar to multiple 'AuthSelect' in AuthBy SQL?

On some occasions our RAS won't send an accounting stop, so we are running out of IP addresses. So we need to reclaim those unused IP addresses before the actual 'AllocateQuery'. 'ReclaimQuery' won't help in this situation, because our 'DefaultLeasePeriod' is 7 days.


Thanks in advance!



Harrison
SmarTone BroadBand Service Limited





(RADIATOR) Load Balancing

2001-09-10 Thread Harrison Ng
Title: Load Balancing





Hi,


We are using an Ericsson GSN; the primary and secondary failover timer in the GSN is restricted to merely 6 seconds. After these 6 secs, it drops the call.

So our Radiator server needs to respond very fast, I mean fast in doing username/password authentication, accounting logging, IP address allocation, forwarding accounting information to 3rd party business partners and finally replying back to the GSN. If we divide 6 secs into 2 halves, there will be only 3 secs for the primary RADIUS, and 3 secs for the secondary RADIUS.

Our first question: is it possible to change the behaviour (perhaps with an extra parameter) of AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE so that when the RADIUS proxy does not receive a response from the first RADIUS server, it just stops, lets the RADIUS server be marked as failed and replies nothing to the GSN? Let the RADIUS server sit still until FailureBackoffTime is reached. Do not even try to forward the request to the second one listed, until the list is exhausted.

Second, can we set the timeout value (perhaps to zero) for the very first forwarded accounting packet? The RetryTimeout is only suitable for retransmitted packets. Lost accounting packets are not a concern to us, as long as the RADIUS server works very fast.

We tried optimizing everything, such as using a RADIUS proxy to distribute load to several RADIUS servers, putting the database server on another Unix box, field indexing, lots of memory, etc. Maybe our question is a bit strange. Perhaps someone can suggest a workaround. Thanks.


Regards,
Harrison
SmarTone BroadBand Services Ltd.





(RADIATOR) FW: Load Balancing

2001-09-10 Thread Harrison Ng
Title: FW: Load Balancing





BTW, can those time-related parameters, such as RetryTimeout and FailureBackoffTime, accept milliseconds?


Harrison




-Original Message-
From: Harrison Ng 
Sent: Monday, September 10, 2001 3:21 PM
To: '[EMAIL PROTECTED]'
Subject: Load Balancing


Hi,


We are using an Ericsson GSN; the primary and secondary failover timer in the GSN is restricted to merely 6 seconds. After these 6 secs, it drops the call.

So our Radiator server needs to respond very fast, I mean fast in doing username/password authentication, accounting logging, IP address allocation, forwarding accounting information to 3rd party business partners and finally replying back to the GSN. If we divide 6 secs into 2 halves, there will be only 3 secs for the primary RADIUS, and 3 secs for the secondary RADIUS.

Our first question: is it possible to change the behaviour (perhaps with an extra parameter) of AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE so that when the RADIUS proxy does not receive a response from the first RADIUS server, it just stops, lets the RADIUS server be marked as failed and replies nothing to the GSN? Let the RADIUS server sit still until FailureBackoffTime is reached. Do not even try to forward the request to the second one listed, until the list is exhausted.

Second, can we set the timeout value (perhaps to zero) for the very first forwarded accounting packet? The RetryTimeout is only suitable for retransmitted packets. Lost accounting packets are not a concern to us, as long as the RADIUS server works very fast.

We tried optimizing everything, such as using a RADIUS proxy to distribute load to several RADIUS servers, putting the database server on another Unix box, field indexing, lots of memory, etc. Maybe our question is a bit strange. Perhaps someone can suggest a workaround. Thanks.


Regards,
Harrison
SmarTone BroadBand Services Ltd.





(RADIATOR) MaxSessions

2001-08-29 Thread Harrison Ng
Title: MaxSessions





Hello,


Is it possible to prevent AuthBy clauses from executing when MaxSessions is exceeded (within a Handler)?


When Radiator receives an Access-Request, it determines an appropriate handler to process the request.
Then it checks whether the user has reached MaxSessions.
In this case the user has reached MaxSessions, therefore it should send an Access-Reject to the NAS and stop executing AuthBy clauses.

However, Radiator still goes through the clauses and eventually sends out an Access-Accept to the NAS.
At the same time, our NAS takes in the Access-Accept and opens a PPP session.


Pls find attached the trace 4 capture and extracts of our radius.cfg.
Can anyone give us a hint?


Harrison
SmarTone BroadBand Services Limited





 MaxSession.txt  radius.cfg 




Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812 
Code:   Access-Request
Identifier: 0
Authentic:  )222174255o2336245137.163:2156225244
Attributes:
User-Name = [EMAIL PROTECTED]
User-Password = 293FVW{V30275k2491511207[
NAS-Identifier = LAPB01
NAS-IP-Address = 202.140.97.153
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 100663738

Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler User-Name = /(?![\w\.\-@])+/ should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.67.215.60 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.67.215.240 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 10.20.2.2 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.140.97.152 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Check if Handler Client-Id = 202.140.97.153 should be used to handle this request
Wed Aug 29 16:19:49 2001: DEBUG: Handling request with Handler 'Client-Id = 202.140.97.153'
Wed Aug 29 16:19:49 2001: DEBUG: Rewrote user name to fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: bras Deleting session for [EMAIL PROTECTED], 202.140.97.153, 100663738
Wed Aug 29 16:19:49 2001: DEBUG: do query is: delete from BBONLINE where NASIDENTIFIER='202.140.97.153' and NASPORT=100663738

Wed Aug 29 16:19:49 2001: DEBUG: Query is: select NASIDENTIFIER,NASPORT from BBONLINE where USERNAME='[EMAIL PROTECTED]'

Wed Aug 29 16:19:49 2001: DEBUG: Checking if user is still online: unknown, [EMAIL PROTECTED], 202.140.97.153, 100664000,
Wed Aug 29 16:19:49 2001: INFO: Access rejected for fieldsvc: MaxSessions exceeded
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812 
Code:   Access-Reject
Identifier: 0
Authentic:  )222174255o2336245137.163:2156225244
Attributes:
Reply-Message = Request Denied
Reply-Message = MaxSessions exceeded

Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthGROUP
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthLDAPwOBJ
Wed Aug 29 16:19:49 2001: DEBUG: Connecting to 202.140.96.53, port 389
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got result for cn=fieldsvc,ou=People,o=SmarTone,c=hk
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got authserviceprotocol: Framed-User
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got framedprotocol: PPP
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got sessiontimeoutnumber: 86000
Wed Aug 29 16:19:49 2001: DEBUG: LDAP got userpassword: {crypt}vt3QIHUqVTcGE
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthLDAPwOBJ looks for match with fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthLDAPwOBJ ACCEPT:
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthGROUP
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthSQL
Wed Aug 29 16:19:49 2001: DEBUG: Handling with Radius::AuthSQL
Wed Aug 29 16:19:49 2001: DEBUG: Query is: select FRAMEDIPADDRESS from SUBSCRIBERS where USERNAME='fieldsvc'

Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthSQL looks for match with fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Radius::AuthSQL ACCEPT:
Wed Aug 29 16:19:49 2001: DEBUG: Access accepted for fieldsvc
Wed Aug 29 16:19:49 2001: DEBUG: Packet dump:
*** Sending to 202.140.97.153 port 1812 
Code:   Access-Accept
Identifier: 0
Authentic:  )222174255o2336245137.163:2156225244
Attributes:
Reply-Message = Request Denied
Reply-Message = MaxSessions exceeded
Service-Type = Framed-User
Framed-Protocol = PPP
Session-Timeout = 86000
Framed-IP-Address = 203.133.144.3

Wed Aug 29 16:19:51 2001: DEBUG: Packet dump:
*** Received from 202.140.97.153 port 1812 
Code:   Accounting-Request
Identifier: 0
Authentic:  ?'6192m?193164?Op255206s@
Attributes:
User-Name = [EMAIL PROTECTED]
NAS-Identifier = LAPB01
NAS-IP-Address = 202.140.97.153
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 100663738
LAC-Port = 117446876
LAC-Real-Port = 403638128

RE: (RADIATOR) AddressAllocatorSQL

2001-08-27 Thread Harrison Ng
Title: RE: (RADIATOR) AddressAllocatorSQL





Hugh,


Thanks for your hint :-)


Harrison



-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 8:18 AM
To: Harrison Ng; '[EMAIL PROTECTED]'
Subject: Re: (RADIATOR) AddressAllocatorSQL




Hello Harrison -


Having more than one Radiator host will not cause a problem.


Note the ReclaimQuery that is run:


 Wed Aug 22 19:22:14 2001: DEBUG: do query is: update RADPOOL set STATE=0
 where state!=0 and EXPIRY < 998479334


This will only reclaim leases that have expired, as configured by the 
DefaultLeasePeriod. This is the correct behaviour.


In any case, you can disable the query in the configuration file by 
specifying an empty string.


Ie:


 ReclaimQuery


hth


Hugh



On Thursday 23 August 2001 20:12, Harrison Ng wrote:


> Hello,
>
> Is there any way to disable ReclaimQuery during Radiator startup?
> Using AddressAllocatorSQL on one RADIUS server with one database should
> be fine.
> But not in an AuthBy ROUNDROBIN environment. Here is our machine
> configuration.
>
> 1. One Ericsson GSN with 2 RADIUS clients. It sends access requests, a/c
> start and a/c stop to the RADIUS proxy using AuthBy ROUNDROBIN.
> 2. The proxy will forward those requests to two RADIUS servers to enhance
> performance.
> 3. The two RADIUS servers use AddressAllocatorSQL to reply with an IP address to
> the client. They share a RADPOOL residing in a MySQL db.
>
> A serious problem arises when either RADIUS server restarts: it will reset
> all IP address STATEs to zero. Pls see the debug message.
> Even though some IP addresses are already allocated by another healthy RADIUS
> server.
> Does anyone have a different implementation method?
> Can anyone give me some hint?
> Pls find attached radius.cfg for your reference.
>
>
> Harrison
> SmarTone BroadBand Services Limited
>
>
>
> Wed Aug 22 19:22:11 2001: DEBUG: Reading users file
> /usr/local/etc/raddb/users.accept
> Wed Aug 22 19:22:11 2001: DEBUG: Reading users file
> /usr/local/etc/raddb/users.reject
> Wed Aug 22 19:22:11 2001: DEBUG: Checking address 202.140.74.2
> Wed Aug 22 19:22:11 2001: DEBUG: Query is: select STATE from RADPOOL where
> YIADDR='202.140.74.2'
> ...
> ...
>
> Wed Aug 22 19:22:14 2001: DEBUG: Reclaiming expired leases
> Wed Aug 22 19:22:14 2001: DEBUG: do query is: update RADPOOL set STATE=0
> where state!=0 and EXPIRY < 998479334
>
> Wed Aug 22 19:22:14 2001: INFO: Server started: Radiator 2.18.2 on grad1
> Wed Aug 22 19:22:14 2001: DEBUG: Packet dump:
> *** Received from 10.25.157.17 port 1033
> Code: Access-Request
> ...
> ...
 



 radius.proxy.txt

 radius.server.txt






-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.





RE: (RADIATOR) Ericsson GSN for GPRS

2001-08-23 Thread Harrison Ng
Title: RE: (RADIATOR) Ericsson GSN for GPRS





Ingvar,


Hello my friend! I would like to hear your opinion.


1. We have 3 APNs for different kinds of service.
 Each APN should have its IP address range for handsets.
 What we are doing now is using Radiator AddressAllocatorSQL with different POOLHINTs to allocate IP addresses.
 Which one is better for allocating IP addresses: internally from the APN, or the Radiator server?


2. Your words: 'It has a binary value for session ID (4 bytes GGSN IP address + 4 bytes Framed-IP-Address)'


 Our session ID is very ugly. It concatenates six zeros and the CLASS attribute to form the session ID. See the sample below.
 I think it should be an integer, hex, or some number. Do you know any workaround?



*** Received from 10.25.155.1 port 3645 
Code: Accounting-Request
Identifier: 95
Authentic: ?I144143227'243139I191203160132N12b
Attributes:
 User-Name = rad_user
 Class = SI=Testing
 Acct-Session-Id = 00Testing
 NAS-IP-Address = 10.25.155.1
 Acct-Status-Type = Stop
 NAS-Port = 1
 Acct-Authentic = RADIUS
 NAS-Identifier = rad
 Framed-Protocol = PPP
 Calling-Station-Id = 85298699517
 Framed-IP-Address = 10.25.155.3


3. Are you still working on the GSN product? Do you know of any GSN resources, specifications, books, PDFs, or anything on the Ericsson website that we can make use of?


Thanks :-)



Harrison


-Original Message-
From: Harrison Ng 
Sent: Thursday, August 23, 2001 5:32 PM
To: 'Ingvar Berg (ERA)'
Subject: RE: (RADIATOR) Ericsson GSN for GPRS



Ingvar,


Hello my friend! I would like to hear your opinion.


1. We have 3 APNs for different kinds of service.
 Each APN should have its IP address range for handsets.
 What we are doing now is using Radiator AddressAllocatorSQL with different POOLHINTs to allocate IP addresses.
 Which one is better for allocating IP addresses: internally from the APN, or the Radiator server?


2. Your words: 'It has a binary value for session ID (4 bytes GGSN IP address + 4 bytes Framed-IP-Address)'


 Our session ID is very ugly. It concatenates six zeros and the CLASS attribute to form the session ID. See the sample below.
 I think it should be an integer, hex, or some number. Do you know any workaround?



*** Received from 10.25.155.1 port 3645 
Code: Accounting-Request
Identifier: 95
Authentic: ?I144143227'243139I191203160132N12b
Attributes:
 User-Name = rad_user
 Class = SI=Testing
 Acct-Session-Id = 00Testing
 NAS-IP-Address = 10.25.155.1
 Acct-Status-Type = Stop
 NAS-Port = 1
 Acct-Authentic = RADIUS
 NAS-Identifier = rad
 Framed-Protocol = PPP
 Calling-Station-Id = 85298699517
 Framed-IP-Address = 10.25.155.3


3. Are you still working on the GSN product? Do you know of any GSN resources, specifications, books, PDFs, or anything on the Ericsson website that we can make use of?


Thanks :-)



Harrison








-Original Message-
From: Ingvar Berg (ERA) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 23, 2001 2:34 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: (RADIATOR) Ericsson GSN for GPRS



Hello Harrison,

I have a GGSN parameter list from a lab setup we did early this year:

APN : ucb.gsn.lkp
Number of Configured APNs : 3
First Supported IP Segment : 172.44.220.0
GGSN IP Address : 172.44.220.254 // Not so brilliant choice...
Last Supported IP Segment : 172.44.220.0 // More segments in reality
Netmask : 255.255.255.0 // -  -
Authenticate MS Using RADIUS : true // Yes
Send MSISDN in Access Req. : true // Yes
Send MSISDN in Accounting Req. : true // Yes
Primary RADIUS Server Address : 192.168.240.12
Primary Query Time-out [ms] : 3
Primary Query Retries : 10
Primary Encryption Key : thesharedsecret
Origin of MS IP Address : RADIUS // Yes
Allow Select from SGSN : false
Allow Select from Subscription : true
Allow Select from User : true
Enable Ingress Filter : false
Routing Method : IP

The RADIUS client in the GGSN has a couple of annoying problems, at least the version we did the work on:
- It doesn't include the Framed-IP-Address in accounting stop
- It has a binary value for session ID (4 bytes GGSN IP address + 4 bytes Framed-IP-Address)

The first one is a serious one, that has to be handled, or your address allocator will run dry. Hugh's suggestion was to use the Class attribute to put a copy of the allocated IP address when you send the access accept (AddToReply...). Then when the acct stop comes, you pick the IP address from the Class attribute if Framed-IP-Address is missing.


Sample code:
 # Handle Accounting-Requests.
 # Make sure there is a Framed-IP-Address in the request
 # (from the contents of the Class attribute).
 elsif ($code eq 'Accounting-Request')
 {
     my $address = $p->get_attr('Framed-IP-Address');
     if (!defined $address)
     {
         # Get the IP address from the Class attribute
         $address = $p->get_attr('Class');
         $p->add_attr('Framed-IP-Address', $address)
             if (defined $address);
     }
     # Print a debug line
     main::log($main::LOG_DEBUG, "Framed-IP-Address = $address");
 }


That's about all I can come to think of right away, pls feel free to come back to me if more
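
A hardened variant of the sample code above, as an added example (not Ingvar's or Hugh's code and not part of Radiator): it copies Class into Framed-IP-Address only when Class parses as an IPv4 address, so a Class such as the SI=Testing value in the packet dump earlier in this message is not written into the address field. MockPacket, ipv4_or_undef and restore_framed_ip are hypothetical names, and the sample requests are constructed.

```perl
#!/usr/bin/perl
# Added example: validate Class before copying it into Framed-IP-Address.
use strict;
use warnings;

# Minimal stand-in for the request object ($p) a hook receives. Only the two
# accessors used in the sample above are modelled; this is not Radiator code.
package MockPacket;
sub new      { my ($class, %attrs) = @_; return bless { %attrs }, $class; }
sub get_attr { my ($self, $name) = @_; return $self->{$name}; }
sub add_attr { my ($self, $name, $value) = @_; $self->{$name} = $value; return; }

package main;

# Return a normalised dotted quad if $text is an IPv4 address, otherwise undef.
sub ipv4_or_undef {
    my ($text) = @_;
    return undef unless defined $text;
    my @octets = $text =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return undef;
    return undef if grep { $_ > 255 } @octets;
    return join '.', map { $_ + 0 } @octets;
}

# Hardened form of the Accounting-Request branch; returns what it did so the
# caller can log rejected Class values instead of silently using them.
sub restore_framed_ip {
    my ($p) = @_;
    return 'present' if defined $p->get_attr('Framed-IP-Address');
    my $address = ipv4_or_undef($p->get_attr('Class'));
    return 'no usable Class' unless defined $address;
    $p->add_attr('Framed-IP-Address', $address);
    return 'restored from Class';
}

# Constructed Accounting-Stop samples. The second mirrors the Class value
# (SI=Testing) visible in the packet dump earlier in this message.
my @samples = (
    { 'Acct-Status-Type' => 'Stop', 'Class' => '10.25.155.3' },
    { 'Acct-Status-Type' => 'Stop', 'Class' => 'SI=Testing' },
    { 'Acct-Status-Type' => 'Stop', 'Class' => '10.25.155.300' },
    { 'Acct-Status-Type' => 'Stop', 'Class' => '10.25.155.3',
      'Framed-IP-Address' => '10.25.155.9' },
    { 'Acct-Status-Type' => 'Stop' },
);

for my $attrs (@samples) {
    my $p      = MockPacket->new(%$attrs);
    my $class  = $p->get_attr('Class');
    my $result = restore_framed_ip($p);
    my $ip     = $p->get_attr('Framed-IP-Address');
    printf "Class=%-14s -> %-19s Framed-IP-Address=%s\n",
        (defined($class) ? $class : '(none)'), $result,
        (defined($ip) ? $ip : '(unset)');
}
```
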

(RADIATOR) AddressAllocatorSQL

2001-08-23 Thread Harrison Ng
Title: AddressAllocatorSQL





Hello,


Is there any way to disable ReclaimQuery during Radiator startup?
Using AddressAllocatorSQL on one RADIUS server with one database should be fine.
But not in an AuthBy ROUNDROBIN environment. Here is our machine configuration.


1. One Ericsson GSN with 2 RADIUS clients. It sends access requests, a/c start and a/c stop to the RADIUS proxy using AuthBy ROUNDROBIN.

2. The proxy will forward those requests to two RADIUS servers to enhance performance.
3. The two RADIUS servers use AddressAllocatorSQL to reply with an IP address to the client. They share a RADPOOL residing in a MySQL db.

A serious problem arises when either RADIUS server restarts: it will reset all IP address STATEs to zero. Pls see the debug message.

Even though some IP addresses are already allocated by another healthy RADIUS server.
Does anyone have a different implementation method?
Can anyone give me some hint?
Pls find attached radius.cfg for your reference.



Harrison
SmarTone BroadBand Services Limited




Wed Aug 22 19:22:11 2001: DEBUG: Reading users file /usr/local/etc/raddb/users.accept
Wed Aug 22 19:22:11 2001: DEBUG: Reading users file /usr/local/etc/raddb/users.reject
Wed Aug 22 19:22:11 2001: DEBUG: Checking address 202.140.74.2
Wed Aug 22 19:22:11 2001: DEBUG: Query is: select STATE from RADPOOL where YIADDR='202.140.74.2'
...
...


Wed Aug 22 19:22:14 2001: DEBUG: Reclaiming expired leases
Wed Aug 22 19:22:14 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY < 998479334


Wed Aug 22 19:22:14 2001: INFO: Server started: Radiator 2.18.2 on grad1
Wed Aug 22 19:22:14 2001: DEBUG: Packet dump:
*** Received from 10.25.157.17 port 1033 
Code: Access-Request
...
...




 radius.proxy.txt 


 radius.server.txt 




## Global Parameters ##

Trace 4
AuthPort 1812
AcctPort 1813
LogDir /var/log/radius
DbDir /usr/local/etc/raddb
LogFile %L/grad3.logfile.%Y%m%d
DictionaryFile %D/dictionary
PidFile %L/radiusd.pid

###


## NAS Client #

<Client 202.140.74.1>
    Secret xxx
</Client>

<Client 10.25.155.1>
    Secret xxx
</Client>

<Client localhost>
    Secret mysecret
    DupInterval 0
</Client>

###


## Log SQL

<Log SQL>
    Identifier logsql
    DBSource dbi:mysql:radius:10.25.157.33
    DBUsername xxx
    DBAuth xxx
    Table RADLOG
    Trace 3
    LogQuery insert into RADLOG (TIME_STAMP,PRIORITY,MESSAGE,HOST) values (%t,%0,%2,'%h')
</Log SQL>

###


## AuthBy Module ##

<AuthBy FILE>
    Identifier defaultaccept
    Filename %D/users.accept
</AuthBy>

<AuthBy FILE>
    Identifier defaultreject
    Filename %D/users.reject
</AuthBy>

<AuthBy ROUNDROBIN>
    Identifier roundrobin

    <Host 10.25.157.19>
        Secret xxx
        AuthPort 1812
        AcctPort 1813
    </Host>

    <Host 10.25.157.18>
        Secret xxx
        AuthPort 1812
        AcctPort 1813
    </Host>
</AuthBy>

###


## Handler Module #

<Handler Client-Id = 202.140.74.1,NAS-Identifier = radius>
    RejectHasReason
    RewriteUsername s/^([^@]+).*/$1/
    #SessionDatabase simultaneous
    AuthBy roundrobin
    AcctLogFileName %L/%c/grad3.%c.detail.%Y%m%d
    PasswordLogFileName %L/grad3.password.%Y%m%d
</Handler>

<Handler Client-Id = 10.25.155.1,NAS-Identifier = rad>
    RejectHasReason
    RewriteUsername s/^([^@]+).*/$1/
    #SessionDatabase simultaneous
    AuthBy roundrobin
    AcctLogFileName %L/%c/grad3.%c.detail.%Y%m%d
    PasswordLogFileName %L/grad3.password.%Y%m%d
</Handler>

<Handler Client-Id = localhost>
    RejectHasReason
    RewriteUsername s/^([^@]+).*/$1/
    AuthBy defaultaccept
    AcctLogFileName %L/%c/grad3.%c.detail.%Y%m%d
    PasswordLogFileName %L/grad3.password.%Y%m%d
</Handler>

###


## Global Parameters ##

Trace 4
AuthPort 1812
AcctPort 1813
LogDir /var/log/radius
DbDir /usr/local/etc/raddb
LogFile %L/grad1.logfile.%Y%m%d
DictionaryFile %D/dictionary
PidFile %L/radiusd.pid

###


## NAS Client #

<Client 10.25.157.17>
    Secret xxx
</Client>

<Client localhost>
    Secret mysecret
    DupInterval 0
</Client>

###


## Log SQL

<Log SQL>
    Identifier logsql
    DBSource dbi:mysql:radius:10.25.157.33
    DBUsername xxx
    DBAuth xxx
    Table RADLOG
    Trace 3
    LogQuery insert into RADLOG (TIME_STAMP,PRIORITY,MESSAGE,HOST) values

(RADIATOR) Ericsson GSN for GPRS

2001-08-22 Thread Harrison Ng
Title: Ericsson GSN for GPRS





Hello,


Is there anyone who can share their experience in using an Ericsson GSN with Radiator?
Could you tell us your GSN version, Radiator version, and how you distribute IP addresses (through the GSN or Radiator)? Maybe more!
Your help is highly appreciated and perhaps we can share our experience with you too.


Harrison
SmarTone BroadBand Services Limited





(RADIATOR) AllocateQuery

2001-08-20 Thread Harrison Ng
Title: AllocateQuery





Hello,


Does anyone know whether it is valid to include %{attribute-name} in the AllocateQuery of AddressAllocator SQL?
We've appended a new column called MSISDN to RADPOOL to record Calling-Station-Id, then added a custom AllocateQuery as below.

Under trace 4, it seems that Radiator returns an empty value for %{Calling-Station-Id}.
However, we tried similar things in the AuthSelect of AuthBy SQL, and %{Calling-Station-Id} works properly.
Can anyone give me a hint?


Harrison
SmarTone Mobile Communications Ltd.







This is an extract of radius.cfg



<AuthBy SQL>

 Identifier getpoolhint
 DBSource dbi:mysql:radius:10.25.157.33
 DBUsername dbuser1
 DBAuth netra323

 AuthSelect select POOLHINT from APN where ROAMDIGIT = left(%{Calling-Station-Id},3)
 AuthColumnDef 0, PoolHint, reply

 AccountingTable ACCOUNTING

 AcctColumnDef USERNAME,User-Name
 AcctColumnDef CLASS,Class
 AcctColumnDef ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef NASIPADDRESS,NAS-IP-Address
 AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
 AcctColumnDef NASPORT,NAS-Port,integer
 AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
 AcctColumnDef NASIDENTIFIER,NAS-Identifier
 AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
 AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
 AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
 AcctColumnDef TIMESTAMP,Timestamp,integer

 AcctFailedLogFileName %L/grad1.%c.missing.%Y%m%d

</AuthBy SQL>




<AddressAllocator SQL>

 Identifier myallocator

 DBSource dbi:mysql:radius:10.25.157.33
 DBUsername dbuser1
 DBAuth netra323

 AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0,EXPIRY=%1,USERNAME='%2',MSISDN='%{Calling-Station-Id}' \
 where YIADDR='%3' and TIME_STAMP%4

 <AddressPool local>
 Subnetmask 255.255.255.0
 Range 202.140.74.11 202.140.74.20
 </AddressPool>

 <AddressPool roam>
 Subnetmask 255.255.255.0
 Range 10.25.155.11 10.25.155.20
 </AddressPool>

</AddressAllocator SQL>




This is radiator trace 4



Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Received from 202.140.74.1 port 2859 
Code: Access-Request
Identifier: 199
Authentic: 00'_00724900bm007T
Attributes:
 User-Name = 
 User-Password = A22831204205(27166-v150Z220180207U
 NAS-IP-Address = 202.140.74.1
 Service-Type = Framed-User
 Framed-Protocol = PPP
 NAS-Port = 1
 Calling-Station-Id = 85298699517
 NAS-Identifier = radius


Tue Aug 21 10:48:09 2001: DEBUG: Check if Handler Client-Id = 202.140.74.1,NAS-Identifier = radius should be used to handle this request

Tue Aug 21 10:48:09 2001: DEBUG: Handling request with Handler 'Client-Id = 202.140.74.1,NAS-Identifier = radius'
Tue Aug 21 10:48:09 2001: DEBUG: simultaneous Deleting session for , 202.140.74.1, 1
Tue Aug 21 10:48:09 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='202.140.74.1' and NASPORT=1


Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthFILE
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthFILE looks for match with 
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthFILE ACCEPT: Accept explicitly by Auth-Type=Accept
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthSQL
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthSQL
Tue Aug 21 10:48:09 2001: DEBUG: Query is: select POOLHINT from APN where ROAMDIGIT = left(85298699517,3)


Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthSQL looks for match with 
Tue Aug 21 10:48:09 2001: DEBUG: Radius::AuthSQL ACCEPT: 
Tue Aug 21 10:48:09 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Tue Aug 21 10:48:09 2001: DEBUG: Query is: select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL 
where POOL='local' and STATE=0 order by TIME_STAMP


Tue Aug 21 10:48:09 2001: DEBUG: do query is: update RADPOOL set STATE=1,TIME_STAMP=998362089,EXPIRY=998448489,USERNAME='',MSISDN='' where YIADDR='202.140.74.11' and TIME_STAMP=998362069

Tue Aug 21 10:48:09 2001: DEBUG: Access accepted for 
Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Sending to 202.140.74.1 port 2859 
Code: Access-Accept
Identifier: 199
Authentic: 00'_00724900bm007T
Attributes:
 Framed-IP-Netmask = 255.255.255.0
 Framed-IP-Address = 202.140.74.11
 Class = SI=Testing


Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Received from 202.140.74.1 port 2860 
Code: Accounting-Request
Identifier: 200
Authentic: 181135T224207t172mc239$206c*W182
Attributes:
 User-Name = 
 Class = SI=Testing
 Acct-Session-Id = 00Testing
 NAS-IP-Address = 202.140.74.1
 Acct-Status-Type = Start
 NAS-Port = 1
 Acct-Authentic = RADIUS
 NAS-Identifier = radius
 Framed-Protocol = PPP
 Calling-Station-Id = 85298699517
 Framed-IP-Address = 202.140.74.11


Tue Aug 21 10:48:09 2001: DEBUG: Check if Handler Client-Id = 202.140.74.1,NAS-Identifier = radius should be used to handle this request

Tue Aug 21 10:48:09 2001: DEBUG: Handling request with Handler 'Client-Id = 
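
A check that can be run over a Trace 4 log to catch the symptom in the message above, where the allocation update writes MSISDN='' although the request carried a Calling-Station-Id. This is an added example, not part of the original post or of Radiator; the function name, the column-to-attribute map and the trimmed trace excerpt are assumptions made for illustration.

```python
import re

# Trace 4 lines taken from the message above, trimmed to the relevant ones.
TRACE = """\
Tue Aug 21 10:48:09 2001: DEBUG: Packet dump:
*** Received from 202.140.74.1 port 2859
Code: Access-Request
Attributes:
 User-Name =
 NAS-IP-Address = 202.140.74.1
 Calling-Station-Id = 85298699517
 NAS-Identifier = radius

Tue Aug 21 10:48:09 2001: DEBUG: Query is: select POOLHINT from APN where ROAMDIGIT = left(85298699517,3)
Tue Aug 21 10:48:09 2001: DEBUG: do query is: update RADPOOL set STATE=1,TIME_STAMP=998362089,EXPIRY=998448489,USERNAME='',MSISDN='' where YIADDR='202.140.74.11' and TIME_STAMP=998362069
"""

ATTR = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")   # " Name = value" line in a packet dump
QUERY = re.compile(r"DEBUG: (?:do query|Query) is: (.*)$")
EMPTY_SET = re.compile(r"\b(\w+)\s*=\s*''")      # column assigned an empty string

def find_empty_substitutions(trace, watched):
    """Return (column, attribute, request_value, sql) for every watched column
    written as '' while the request carried a non-empty value for its attribute.
    `watched` maps SQL column name -> RADIUS attribute expected to fill it
    (hypothetical mapping supplied by the caller)."""
    attrs, findings = {}, []
    for line in trace.splitlines():
        if "*** Received from" in line:
            attrs = {}                     # new request: forget old attributes
        m = ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
            continue
        q = QUERY.search(line)
        if not q:
            continue
        sql = q.group(1)
        for col in EMPTY_SET.findall(sql):
            attr = watched.get(col)
            if attr and attrs.get(attr):   # request had a value, SQL got none
                findings.append((col, attr, attrs[attr], sql))
    return findings

if __name__ == "__main__":
    watched = {"MSISDN": "Calling-Station-Id", "USERNAME": "User-Name"}
    for col, attr, value, sql in find_empty_substitutions(TRACE, watched):
        print(f"{col} written empty but {attr}={value}: {sql}")
```

USERNAME='' is not reported because the request's User-Name is empty in the trace as it appears on this page; only MSISDN is flagged, which is the column that ties an allocated address back to a subscriber.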

(RADIATOR) BindAddress

2001-08-19 Thread Harrison Ng
Title: BindAddress





Hello,


We are using Radiator 2.18.2 on RH6.2.
The BindAddress parameter works only for RADIUS authentication but not for accounting requests.
We used tcpdump to check where the packet had gone; it said udp port radacct unreachable.
I have no idea how to solve it. Can anyone give me a hint?


Harrison
SmarTone Mobile Communications Ltd.



Running radpwtst
-
There is no value named Async for attribute NAS-Port-Type. Using 0.
sending Access-Request...
OK
There is no value named Async for attribute NAS-Port-Type. Using 0.
sending Accounting-Request Start...
No reply
There is no value named Async for attribute NAS-Port-Type. Using 0.
sending Accounting-Request Stop...
No reply
time for 1 iterations: 10 s




Radiator logfile
-


Mon Aug 20 10:05:24 2001: INFO: Server started: Radiator 2.18.2 on grad1
Mon Aug 20 10:05:24 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1024 
Code: Access-Request
Identifier: 143
Authentic: 1234567890123456
Attributes:
 User-Name = lmds1
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 NAS-Port-Type = Asynchronous
 User-Password = 200185l153154j424618889160216}x153


Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = 202.140.74.1,NAS-Identifier = radius should be used to handle this request

Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = 10.25.155.1,NAS-Identifier = rad should be used to handle this request

Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = 10.25.157.18,NAS-Identifier = radius should be used to handle this request

Mon Aug 20 10:05:24 2001: DEBUG: Check if Handler Client-Id = localhost should be used to handle this request
Mon Aug 20 10:05:24 2001: DEBUG: Handling request with Handler 'Client-Id = localhost'
Mon Aug 20 10:05:24 2001: DEBUG: Rewrote user name to lmds1
Mon Aug 20 10:05:24 2001: DEBUG: Deleting session for lmds1, 203.63.154.1, 1234
Mon Aug 20 10:05:24 2001: DEBUG: Handling with Radius::AuthFILE
Mon Aug 20 10:05:24 2001: DEBUG: Radius::AuthFILE looks for match with lmds1
Mon Aug 20 10:05:24 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Aug 20 10:05:24 2001: DEBUG: Radius::AuthFILE ACCEPT: Accept explicitly by Auth-Type=Accept
Mon Aug 20 10:05:24 2001: DEBUG: Access accepted for lmds1
Mon Aug 20 10:05:24 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1024 
Code: Access-Accept
Identifier: 143
Authentic: 1234567890123456
Attributes:




Running tcpdump
-
[root@grad1 /root]# tcpdump host 127.0.0.1
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
10:19:34.615660 lo  localhost.radacct  localhost.radius: udp 91
10:19:34.615660 lo  localhost.radacct  localhost.radius: udp 91
10:19:34.632010 lo  localhost.radius  localhost.radacct: udp 20
10:19:34.632010 lo  localhost.radius  localhost.radacct: udp 20
10:19:34.637640 lo  localhost.radacct  localhost.radacct: udp 89
10:19:34.637640 lo  localhost.radacct  localhost.radacct: udp 89
10:19:34.637686 lo  localhost  localhost: icmp: localhost udp port radacct unreachable [tos 0xc0] 
10:19:34.637686 lo  localhost  localhost: icmp: localhost udp port radacct unreachable [tos 0xc0] 
10:19:39.640813 lo  localhost.radacct  localhost.radacct: udp 113
10:19:39.640813 lo  localhost.radacct  localhost.radacct: udp 113
10:19:39.640849 lo  localhost  localhost: icmp: localhost udp port radacct unreachable [tos 0xc0] 
10:19:39.640849 lo  localhost  localhost: icmp: localhost udp port radacct unreachable [tos 0xc0] 





(RADIATOR) Radiator License Registration

2001-01-15 Thread Harrison Ng
Title: Radiator License Registration





Hi! We purchased Radiator from Automated Systems (HK) Ltd in August 2000. So far we have not yet received the username and password to download the latest Radiator patch. Could you help?

Regards,
Harrison Ng
SmarTone Mobile Communications Ltd