Re: (RADIATOR) Can you use SQL if statements in radiator?

2003-11-28 Thread Toomas Kärner
Hi,

So in total the second AuthBy (or you can put it first too) would look like:

 <AuthBy SQL>
 DBSource dbi:ODBC:x
 DBUsername xx
 DBAuth xx

 FailureBackoffTime 30
 NoDefault
 IgnoreAuthentication
 #IgnoreAccounting
 AccountingStartsOnly
 AcctSQLStatement \
 update Login \
 set Expiry_Date = getdate() + 7, First_Use = getdate() \
 where Login_name = %U and \
 First_Use is NULL

 </AuthBy SQL>

Rgds.
Toomas

- Original Message -
From: Mike McCauley [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; Craig Gittens
[EMAIL PROTECTED]; Radiator [EMAIL PROTECTED]
Sent: Friday, November 28, 2003 8:46 AM
Subject: Re: (RADIATOR) Can you use SQL if statements in radiator?


 On Fri, 28 Nov 2003 05:26 pm, Toomas Kärner wrote:
  Hi
  I'm not sure if AuthSQLStatement is executed when IgnoreAuthentication is
  set.

 It is not executed.

  I'd suggest to use IgnoreAuthentication, AcctStart only and make an
  AcctSQLStatement instead with the same query.
 
  Rgds.
  Toomas
  ps. I think that then the order change is not needed also.
 

Re: (RADIATOR) Can you use SQL if statements in radiator?

2003-11-27 Thread Toomas Kärner
Hi,

Here's an example of how I do my prepaid cards (it's different now already but
it fits you) and there's no need for sql if statements.

#

<AuthBy SQL>

Identifier  AcctStartOnlyPrepaidCard

DBSource
DBUsername
DBAuth

IgnoreAuthentication

AccountingStartsOnly

AcctSQLStatement UPDATE cards SET \
START = from_unixtime(%{Timestamp}), \
END = from_unixtime(%{Timestamp} + START_CREDIT), \
START_CREDIT = NULL \
WHERE username='%n' and \
ACTIVE = 'Yes' and \
START_CREDIT is not null

</AuthBy>

#

<AuthBy SQL>

 Identifier AuthPrepaidCard
 DBSource
 DBUsername
 DBAuth

 AuthSelect select \
   TYPE, \
   ACTIVE, \
   LOCKED_TO, \
   unix_timestamp(end), \
   unix_timestamp(expires), \
   PASSWORD, \
   rate, \
   rate, \
   start_credit, \
   (unix_timestamp(end) - unix_timestamp()) \
   from cards where \
   USERNAME ='%n'

 AuthColumnDef 0, ETC-Realm,check
 AuthColumnDef 1, ETC-Active,check
 AuthColumnDef 2, NAS-Port, check
 AuthColumnDef 3, Expiration, check
 AuthColumnDef 4, Expiration, check
 AuthColumnDef 5, User-Password, check
 AuthColumnDef 6, Nomadix-Bw-Down, reply
 AuthColumnDef 7, Nomadix-Bw-Up, reply
 AuthColumnDef 8, Session-Timeout, reply
 AuthColumnDef 9, Session-Timeout, reply

 DefaultSimultaneousUse 1

 NoDefault

 RejectEmptyPassword

 AddToReplyIfNotExist Nomadix-Bw-Down=2000,Nomadix-Bw-Up=2000,Idle-Timeout=900

 AcctSQLStatement insert into .
</AuthBy>

#

<Realm pre1h>

 AuthLog LoginFailureLog

 RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

 RejectHasReason

 AuthByPolicy ContinueUntilReject

 AuthBy AcctStartOnlyPrepaidCard
 AuthBy AuthPrepaidCard

 PostAuthHook file:/home/radius/etc/hooks/wn/PostAuthHook.pl

</Realm pre1h>
#
- Original Message -
From: Craig Gittens [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 11:51 PM
Subject: (RADIATOR) Can you use SQL if statements in radiator?


 Hey guys,

 I am trying to get a new product to work where when the username and
 password is used and is valid then it would update the SQL database with an
 end date for the product. So I need this logic to work in a SQL statement in
 Radiator:

 User is a valid user and is allowed online,
 User entry gets update in SQL with a date I set (today + 30 days)

 If not then it would not update the user entry of course

 Is this possible? I have tried SQL Functions but they can't update a
 permanent table.

 Regards,

 Craig.



===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
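
The activation-on-first-Start pattern from the message above, as an added example (not the poster's code and not Radiator itself): a Python/sqlite3 model of the guarded UPDATE, showing that the WHERE clause does the work of the IF and that a retransmitted or later Accounting Start cannot extend the card. The table layout, function names and sample rows are constructed for the illustration, and the user name is bound as a parameter instead of being substituted into the statement text.

```python
import sqlite3

# Constructed schema modelled on the "cards" table in the message above.
# Times are Unix seconds; start_ts/end_ts stand for the post's START/END.
SCHEMA = """
CREATE TABLE cards (
    username     TEXT PRIMARY KEY,
    active       TEXT NOT NULL,
    start_credit INTEGER,   -- seconds of credit; NULL once the card is activated
    start_ts     INTEGER,
    end_ts       INTEGER
)
"""

# The WHERE clause is the "if": an inactive card, an unknown user or a card
# that was already activated matches no row, so nothing is written.
# start_credit is cleared last, as in the post, so end_ts is computed from it.
ACTIVATE_SQL = """
UPDATE cards
   SET start_ts = :now,
       end_ts = :now + start_credit,
       start_credit = NULL
 WHERE username = :user
   AND active = 'Yes'
   AND start_credit IS NOT NULL
"""


def on_accounting_start(conn, username, now):
    """Handle one Accounting Start; return the number of rows activated (0 or 1)."""
    cur = conn.execute(ACTIVATE_SQL, {"now": now, "user": username})
    conn.commit()
    return cur.rowcount


def card(conn, username):
    """Return (active, start_credit, start_ts, end_ts) for one card."""
    return conn.execute(
        "SELECT active, start_credit, start_ts, end_ts FROM cards"
        " WHERE username = ?", (username,)).fetchone()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed sample cards: two usable, one disabled.
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?, NULL, NULL)",
        [("card1", "Yes", 3600), ("card2", "No", 3600), ("card3", "Yes", 7200)])
    results = {
        "first_start": on_accounting_start(conn, "card1", 1000),
        # Same Start retransmitted by the NAS a few seconds later.
        "retransmit": on_accounting_start(conn, "card1", 1005),
        # A new session on the same card much later.
        "later_session": on_accounting_start(conn, "card1", 5000),
        "inactive_card": on_accounting_start(conn, "card2", 1000),
        # A user name containing quote characters is compared as data only.
        "odd_username": on_accounting_start(conn, "x' OR '1'='1", 1000),
    }
    results["card1"] = card(conn, "card1")
    results["card3"] = card(conn, "card3")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
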


Re: (RADIATOR) Can you use SQL if statements in radiator?

2003-11-27 Thread Toomas Kärner
Hi
I'm not sure if AuthSQLStatement  is executed when IgnoreAuthentication is
set. I'd suggest to use IgnoreAuthentication, AcctStart only and make an
AcctSQLStatement instead with the same query.

Rgds.
Toomas
ps. I think that then the order change is not needed also.

- Original Message -
From: Craig Gittens [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; Radiator [EMAIL PROTECTED]
Sent: Thursday, November 27, 2003 11:55 PM
Subject: RE: (RADIATOR) Can you use SQL if statements in radiator?


 Ok, thanks to Toomas I have come up with this solution but it doesn't work
 unless I comment out the second AuthBy...it does do an ACCEPT for the first
 AuthBy but doesn't work for some reason unless I comment out the second
 AuthBy. Log below. It doesn't send a reply unless I comment out the second
 AuthBy.

 Thanks for your help guys.

 Craig.

 <Realm oneweek.sunbeach.net>

 #Will log Authentication failures to SQL table.
 AuthLog AuthSQLLogger

 RewriteUsername s/^(.*)\\(.*)/[EMAIL PROTECTED]/
 RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

 #Continue to use AuthBy clauses if AccessAccept to get IP Address assigned
 AuthByPolicy ContinueUntilReject
 #Show Reject Reason From SQL Authenticate SP Query
 RejectHasReason

 <AuthBy SQL>
 DBSource dbi:ODBC:xx
 DBUsername xx
 DBAuth xx

 FailureBackoffTime 30
 NoDefault
 AddToReply Service-Type=Framed-User
 #DefaultSimultaneousUse 1
 CaseInsensitivePasswords
 RejectEmptyPassword

 # Accounting
 AccountingTable CallAccounting
 blah


 # Authentication query - calls function Authenticate.
 AuthSelect \
 select \
 Blah blah blah

 AuthColumnDef 0,User-Password,check
 AuthColumnDef 1,GENERIC,check
 AuthColumnDef 2,GENERIC,reply

 </AuthBy SQL>


 <AuthBy SQL>
 DBSource dbi:ODBC:x
 DBUsername xx
 DBAuth xx

 FailureBackoffTime 30
 NoDefault
 IgnoreAuthentication
 IgnoreAccounting

 AuthSQLStatement \
 update Login \
 set Expiry_Date = getdate() + 7, First_Use = getdate() \
 where Login_name = %U and \
 First_Use is NULL


 </AuthBy SQL>

 </Realm oneweek.sunbeach.net>

 Thu Nov 27 17:36:01 2003: DEBUG: Packet dump:
 *** Received from 196.3.210.94 port 2048 
 Code:   Access-Request
 Identifier: 209
 Authentic:  23_$28T148919426?206229)s207%
 Attributes:
 User-Password =
n)|220137?216118524115222329/239141
 NAS-Identifier = 5
 User-Name = [EMAIL PROTECTED]
 Acct-Session-Id = 32E9
 Called-Station-Id = 2929700
 Calling-Station-Id = 2462280430
 NAS-Port = 1288
 NAS-Port-Type = Async
 Framed-Protocol = PPP
 Service-Type = Framed-User

 Thu Nov 27 17:36:01 2003: DEBUG: Handling request with Handler
 'Realm=oneweek.sunbeach.net'
 Thu Nov 27 17:36:01 2003: DEBUG: Rewrote user name to
 [EMAIL PROTECTED]
 Thu Nov 27 17:36:01 2003: DEBUG: Rewrote user name to sunweek0
 Thu Nov 27 17:36:01 2003: DEBUG:  Deleting session for
 [EMAIL PROTECTED], 196.3.210.94, 1288
 Thu Nov 27 17:36:01 2003: DEBUG: do query is: 'delete from RADONLINE where
 NASIDENTIFIER = '196.3.210.94' and NASPORT = 1288':

 Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL
 Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL:
 Thu Nov 27 17:36:01 2003: DEBUG: Query is: 'select LoginPassword,
CheckAttr,
 ReplyAttr from Authenticate('sunweek0', '2462280430', '11/27/2003
17:36:01',
 'Async')':

 Thu Nov 27 17:36:01 2003: DEBUG: Radius::AuthSQL looks for match with
 sunweek0
 Thu Nov 27 17:36:01 2003: DEBUG: Radius::AuthSQL ACCEPT:
 Thu Nov 27 17:36:01 2003: DEBUG: Handling with Radius::AuthSQL

 Thu Nov 27 17:36:03 2003: DEBUG: Packet dump:
 *** Received from 196.3.210.94 port 2048 
 Code:   Access-Request
 Identifier: 209
 Authentic:  23_$28T148919426?206229)s207%
 Attributes:
 User-Password =
n)|220137?216118524115222329/239141
 NAS-Identifier = 5
 User-Name = [EMAIL PROTECTED]
 Acct-Session-Id = 32E9
 Called-Station-Id = 2929700
 Calling-Station-Id = 2462280430
 NAS-Port = 1288
 NAS-Port-Type = Async
 Framed-Protocol = PPP
 Service-Type = Framed-User

 Thu Nov 27 17:36:03 2003: INFO: Duplicate request id 209 received from
 196.3.210.94(2048): ignored






(RADIATOR) Major Cisco bug

2003-07-17 Thread Toomas Kärner
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml



Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

2003-06-26 Thread Toomas Kärner
Hi,

Ok. I have been configuring SMS devices for 3,5 years now and from customer
0. to customer ~40'000. And here is what I know about SMS devices and
bandwidth management. (at the beginning there is some simple stuff).

First you can set default parameters that will be applied to all subscribers
and these are defined under:

 subscriber default
  dns primary 1.2.3.4
  dns secondary 4.5.6.7
  ip address pool
  rate-limit rate 450 burst 1

This is context based (defined per each context (Virtual Router) separately
and applies only to subscribers bound to this context during binding). It
is also lower priority than radius, if SMS gets any attributes from radius -
they are applied.

From radius you can send these parameters with attributes:

RB-Rate-Limit-Rate = 450
RB-Rate-Limit-Burst = 1
#
#VENDORATTR 2352 RB-Rate-Limit-Rate 10 integer
#VENDORATTR 2352 RB-Rate-Limit-Burst 11 integer
#

Now, from the SW release 6 (I think) there is available an administrative
command like:

[context]SMSDEVICE#reauthorize ?
  acct-session-id  Reauthorize by account id
  subscriber   Reauthorize by subscriber name

Which basically means that you can initialize the reauthorization process by
yourself. During that process SMS sends Access-Request to radius, receives
reply, applies any attributes received to subscriber on flight. So, if it
receives now that Rate has to be 2000 (Rate limit rate (Kb/s)) then it will
start rating by 2000.

First they had some problems - Reauthorization Access-Request didn't
include all attributes that were present in initial Access-Request but that
got fixed. I have tested Release 6.0.3.0 and it works fine.

And even better, you can initialize reauth by sending SNMP set. It is
basically possible to get the status of a session (Acct-Session-Id), kill it
and set it to reauth by just reading, setting to 1 or 2 with the same OID and
instance calculated from Acct-Session-Id.

So, to make it all work you just have to build a portal that authenticates
portal login against your userdatabase and against session database (to
verify http source ip), edit user record in userdatabase in desired way,
then get session-id (I'd prefer that to a username) from session-db,
snmp-set SMS device for that session reauth. PS. if this authentication
fails - nothing happens and user will not get disconnected, just no
attributes will be applied, so it is quite safe to try even with online SMS.

I even built a db that contained sessions that had their attributes different
than per-product. In there I keep also user-desired timeouts (up to what
time they desired such parameters). Then it is easy to build a piece of SW
that looks up the table, finds expired sessions/users, sets their
user-record back to original in user-db and snmp-set's SMS for reauth of
their session.

I didn't send any code because they are all very old and bad and most of it
is rubbish. If I clean it up one day, maybe I'll send it then. Meanwhile, if
somebody is interested in launching something like it will have to ask
directly over mail ([EMAIL PROTECTED]).
(There's lot more that you can find out in 3,5 years in dsl business :).)

Rgds.
Toomas Kärner

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]
Cc: Guðbjörn S. Hreinsson [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 2:33 AM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.



Hello Toomas -

Not really a Radiator issue, but very interesting none the less.

And I am sure that there are many subscribers to the list who enjoy
this level of discussion as much as I do.

Please feel free to continue posting such interesting material.

regards

Hugh


On Wednesday, Jun 25, 2003, at 18:27 Australia/Melbourne, Toomas Kärner
wrote:

 Hi,

 I have successfully built and tested sort of portal for users where they can
 SET their desired bandwidth for desired amount of time and it applies to
 whole connection (not just to certain direction) with RedBack SMS. It uses
 SNMP set to initialize user reauthentication and then SMS applies new
 parameters on flight without dropping any sessions. Juniper ERX family is
 capable of doing such things even based on access-lists (you can just order
 2Mbps to certain site) but it uses COPS/LDAP and so on and is much more
 harder to set up. I haven't spent much time with it also. This is how we
 will address users problem to spend extra money and get more.
 Anyway .. not more a radiator list issue ...

 Rgds.
 Toomas Kärner
 - Original Message -
 From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
 To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Wednesday, June 25, 2003 11:10 AM
 Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.


 Cheers,

 We perform matching 10 min. after the hour every hour. This will analyze
 the logs, import it into an sql server and it is then compared to the radius
 logs which are also in an sql server.

 I
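
The portal and expiry job described in the 2003-06-26 message above, as an added example (not the poster's code): a Python/sqlite3 model in which a rate change is accepted only when the portal login owns the live session behind the HTTP source IP, and a sweeper restores the product rate when the requested period ends. The table names, function names and sample rows are constructed; `trigger_reauth` is a hypothetical callable standing in for the SNMP set toward the SMS, whose OID the message does not give.

```python
import sqlite3

# Constructed schema: a user database, a live-session database and a table of
# temporary overrides, following the three stores the message describes.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY,
                    rate_kbps INTEGER,           -- sent as RB-Rate-Limit-Rate
                    product_rate_kbps INTEGER);  -- the rate the product includes
CREATE TABLE sessions (acct_session_id TEXT PRIMARY KEY,
                       username TEXT, framed_ip TEXT);
CREATE TABLE overrides (acct_session_id TEXT PRIMARY KEY,
                        username TEXT, expires_at INTEGER);
"""


def request_rate(conn, portal_user, http_source_ip, rate_kbps, seconds, now,
                 trigger_reauth):
    """Portal step: change the rate only for the caller's own live session.

    Returns the Acct-Session-Id that was reauthorized, or None when the portal
    login does not own a session with that source IP (nothing is changed).
    """
    row = conn.execute(
        "SELECT acct_session_id FROM sessions"
        " WHERE username = ? AND framed_ip = ?",
        (portal_user, http_source_ip)).fetchone()
    if row is None:
        return None
    session_id = row[0]
    with conn:  # both writes commit together or not at all
        conn.execute("UPDATE users SET rate_kbps = ? WHERE username = ?",
                     (rate_kbps, portal_user))
        conn.execute("INSERT OR REPLACE INTO overrides VALUES (?, ?, ?)",
                     (session_id, portal_user, now + seconds))
    trigger_reauth(session_id)  # device re-sends Access-Request, gets new rate
    return session_id


def expire_overrides(conn, now, trigger_reauth):
    """Sweeper step: restore the product rate for overrides that have run out."""
    expired = conn.execute(
        "SELECT acct_session_id, username FROM overrides WHERE expires_at <= ?",
        (now,)).fetchall()
    for session_id, username in expired:
        with conn:
            conn.execute("UPDATE users SET rate_kbps = product_rate_kbps"
                         " WHERE username = ?", (username,))
            conn.execute("DELETE FROM overrides WHERE acct_session_id = ?",
                         (session_id,))
        trigger_reauth(session_id)
    return [session_id for session_id, _ in expired]


def rate(conn, username):
    return conn.execute("SELECT rate_kbps FROM users WHERE username = ?",
                        (username,)).fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data: two subscribers, each with one live session.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", 450, 450), ("bob", 450, 450)])
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)",
                     [("S1", "alice", "10.0.0.5"), ("S2", "bob", "10.0.0.6")])
    conn.commit()
    reauth_calls = []
    out = {}
    # alice is logged in to the portal but the request comes from bob's address.
    out["wrong_ip"] = request_rate(conn, "alice", "10.0.0.6", 2000, 3600, 100,
                                   reauth_calls.append)
    out["rate_after_wrong_ip"] = rate(conn, "alice")
    out["own_session"] = request_rate(conn, "alice", "10.0.0.5", 2000, 3600,
                                      100, reauth_calls.append)
    out["rate_during"] = rate(conn, "alice")
    out["sweep_early"] = expire_overrides(conn, 200, reauth_calls.append)
    out["sweep_due"] = expire_overrides(conn, 3700, reauth_calls.append)
    out["rate_after"] = rate(conn, "alice")
    out["bob_rate"] = rate(conn, "bob")
    out["reauth_calls"] = reauth_calls
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
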

Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

2003-06-25 Thread Toomas Kärner
Hi,

I have successfully built and tested sort of portal for users where they can
SET their desired bandwidth for desired amount of time and it applies to
whole connection (not just to certain direction) with RedBack SMS. It uses
SNMP set to initialize user reauthentication and then SMS applies new
parameters on flight without dropping any sessions. Juniper ERX family is
capable of doing such things even based on access-lists (you can just order
2Mbps to certain site) but it uses COPS/LDAP and so on and is much more
harder to set up. I haven't spent much time with it also. This is how we
will address users problem to spend extra money and get more.
Anyway .. not more a radiator list issue ...

Rgds.
Toomas Kärner
- Original Message -
From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 11:10 AM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.


 Cheers,

 We perform matching 10 min. after the hour every hour. This will analyze
 the logs, import it into an sql server and it is then compared to the radius
 logs which are also in an sql server.

 I think it should scale pretty good, if you have performance problems use
 standard techniques, like breaking up the logging in the Collector etc.

 The problem is tracking live sessions and configuring your whole access
 system so that as little as possible is lost about sessions. Radius is not
 the best protocol to insure no session information is lost.

 Not really very heavy...

 Flat fee and traffic shaping sounds good, do you think your customers
 would be willing to pay for keeping the extra bandwidth after they have
 consumed the included bandwidth?


 Rgds,
 -GSH



Re: (RADIATOR) How to restrict the Dial Up on Bandwith.

2003-06-24 Thread Toomas Kärner
Hi,

I wonder up to what point you are able to deal with such logs? We have at
the moment around 5.5M records per month in our DSL customers log and to
match that to a NetFlow log about 114TB (that's their generated traffic)...
huhh  How far does this kind of solution scale? Anyway, we give (test period
at the moment) to one certain site 2Mbps but to any else according to the
original bandwidth (256kbps to 512kbps) but we don't account for amount of
data - everything is flat fee. This feature is basically traffic shaping
based on access-lists. Hardware used is Unisphere/Siemens/(and now
already)Juniper ERX family. RedBack's will also have that feature for their
SMS series by the end of summer and SE (SmartEdge) is already capable of it
(I think - haven't tested yet the latest software).

Rgds.
Toomas Kärner

- Original Message -
From: Guðbjörn S. Hreinsson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, June 22, 2003 1:25 PM
Subject: Re: (RADIATOR) How to restrict the Dial Up on Bandwith.



 We use Cisco Netflow to measure traffic, we exclude certain sites
 so that traffic does not appear in the logs. We then match radius
 accounting packets and netflow logs to generate rating data for
 billing.

 We don't speed limit customers when they pass their limits, but
 bill them for the extra download.


 Rgds,
 -GSH

  I am not sure if this solution is done with Radiator or not. I have noticed
  many ISP's offering ADSL connections with free traffic to certain web sites.
  They are also speed limiting customers when they run past their download
  limit but not counting the traffic to the free websites.

  Anyone know how the radius accounting is done. Or does anyone know what
  product they are using to do this.


Re: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL

2003-01-31 Thread Toomas Kärner
Hi,

Actually I don't need special hooks per client. My problem is that when I do
my $identifier = $p->{Client}->{Identifier}; in PreClientHook (the client is
not selected yet) I will get nothing so I just need to execute my hook a
little later than PreClient and PreHandler would be perfect. So if there
were a keyword in ClientList SQL with what I could call for hook that would
be executed with every client. I need this Identifier (from SQL) for NAS
detection, to be able to send back correct set of parameters needed for this
NAS in order to set up session.
So the thing that I really need is to add an attribute to every request with
a NAS type and this type should come from SQL.

Rgds.
Toomas

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Claudio Lapidus [EMAIL PROTECTED]; [EMAIL PROTECTED];
Toomas Kärner [EMAIL PROTECTED]
Sent: Friday, January 31, 2003 1:04 AM
Subject: Re: (RADIATOR) Retrieving a hook by filename from inside
ClientListSQL



Hello Toomas, Hello Claudio -

I have been thinking about this a bit more, and there are alternative
approaches that you could consider.

The first would be a StartupHook that compiles code with multiple entry
points and then patches those entry points into the Client structures
that have been built from the database (probably using the Identifier
tags).

The second would be a generic PreClientHook that checks to see for
which Client clause the current request is destined for, then does the
processing for that Client.

Both of these approaches are a bit more complicated than using
PreHandlerHooks in the Client clauses directly, but at least its
possible.

regards

Hugh


On Friday, Jan 31, 2003, at 09:38 Australia/Melbourne, Mike McCauley
wrote:

 Hello Claudio and Toomas,


 On Fri, 31 Jan 2003 09:27 am, Hugh Irvine wrote:
 Mikey -

 Could you answer this please?

 ta

 Hugh

 Begin forwarded message:
 From: Toomas Kärner [EMAIL PROTECTED]
 Date: Fri Jan 31, 2003  02:36:44 Australia/Melbourne
 To: Claudio Lapidus [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Retrieving a hook by filename from inside
 ClientListSQL

 Hi,

 Any comments? ... I have the same issue.

 Rgds.
 Toomas Kärner
 - Original Message -
 From: Claudio Lapidus [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, August 07, 2002 12:01 AM
 Subject: (RADIATOR) Retrieving a hook by filename from inside
 ClientListSQL

 Hello,

 I need to get the PreHandlerHook for certain clients from our standard
 RADCLIENTLIST SQL table. The problem is that I'd prefer to store the hook
 code in a file and not directly inside the table, for various reasons.

 I've setup this config and it works fine:

 <Client x.x.x.x>
   Secret  s
   PreHandlerHook  file:%D/preauth.pl
 </Client>

 As expected, the hook gets executed for this particular client. However,
 this one doesn't work:

 <ClientListSQL>
 DBSource   dbi:mysql:radiator
 DBUsername sqluser
 DBAuth donttellya
 </ClientListSQL>

 from the table we get:

 mysql> select NASIDENTIFIER, SECRET, PREHANDLERHOOK from RADCLIENTLIST;
 +---------------+--------+--------------------+
 | NASIDENTIFIER | SECRET | PREHANDLERHOOK     |
 +---------------+--------+--------------------+
 | x.x.x.x       | s      | file:%D/preauth.pl |
 +---------------+--------+--------------------+
 1 row in set (0.00 sec)

 By seeing further action it is apparent that the hook doesn't get executed
 this time. However, even at level 4 trace doesn't show anything regarding
 this step. I also tried changing double quotes to single quotes in the field
 contents, to no avail. So:

 1. Is it legal to store the hook's filename into the table instead of the
 code itself? (I hope so :-)

 No. The file:..syntax is recognised by the config file parser, so it only
 works in the config file.

 2. Is there a way to increase debug verbosity for ClientListSQL operations?

 Only by adding more

 $self->log($main::LOG_DEBUG, ...);

 lines.

 If you have a particular need for more debug, let me know where, and I will
 see if we can add it.

 Cheers.

 TIA,
 cl.



 --
 Mike McCauley   [EMAIL PROTECTED]
 Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
 Phone +61 3 9598-0985   Fax   +61 3 9598-0955

 Radiator

Re: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL

2003-01-30 Thread Toomas Kärner
Hi,

Any comments? ... I have the same issue.

Rgds.
Toomas Kärner
- Original Message -
From: Claudio Lapidus [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 07, 2002 12:01 AM
Subject: (RADIATOR) Retrieving a hook by filename from inside ClientListSQL





Re: (RADIATOR) Anyone here used a Hot Spot Gateway ?

2003-01-21 Thread Toomas Kärner
Hi

I have tried Nokia Access Controller, now I'm using Nomadix USG and
today I will look at one box from Cisco. There are some feature differences
and Nomadix USG (Universal Subscriber Gateway) is actually L2 device. It can
do pretty nice stuff (for example no L3 reconfiguration is needed on
customers PC, even with wrong static IP address). They all do basically the
same thing but I would like to have even more features than they support
today. Let's see what the Cisco is capable of.

Rgds.
Toomas Kärner

- Original Message -
From: Wayne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 21, 2003 10:33 PM
Subject: (RADIATOR) Anyone here used a Hot Spot Gateway ?


 Hi,

 I'm looking to authenticate my wireless and IP DSL customers using
 Radius. Has anybody used a Hot Spot Gateway like MicroTik router to do this
 ? I don't have a very large wireless or DSL network only about 500 users. I
 would like to know if anyone had any suggestions for edge routers or servers
 to limit customers bandwidth and keep track of there IP via Radius.

 Wayne




Re: (RADIATOR) WiFi - Business

2003-01-17 Thread Toomas Kärner
Hi,

We in Estonia have also set up some WiFi HotSpots. I'm involved with
it on access controller and AAA side.

Rgds.
Toomas Kärner

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, January 17, 2003 3:35 AM
Subject: (RADIATOR) WiFi - Business



 Hi All,

 We are looking to provide Hotspot business but based on the current hotspot
 models around we find no business case. I would appreciate it if someone could
 share his/her opinions.

 Best Regards







Re: (RADIATOR) Bug?

2002-12-17 Thread Toomas Kärner
Hi all,

Sorry, my bad 
I looked at the code, understood it and looked at the manual again and
realized that NoDefault is effective in case of REJECT and NOT only in case
of Not found. That started my little snowball. Only real idea that grew out
of this is that maybe $defaultNumber should have a limit. With my loop I
created 52000 requests to SQL and I can't think of a reason why someone should
need so many defaults and would allow them at so big a cost of load. I think
512 should be way enough.

Rgds and apologies.
Toomas Kärner

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 13, 2002 11:50 PM
Subject: Re: (RADIATOR) Bug?



 Hello Toomas -

 The fundamental issue is the architecture of Radiator itself and
 specifically the AuthBy clauses, all of which fundamentally implement a
 find_user routine which is why you see the problem that you do.

 You are correct that what I show below is a workaround, ie. the first
 AuthBy uses a couple of DEFAULT entries so that find_user works, then
 passes off the request using the Auth-Type construct to an AuthBy
 clause in which you can do anything you like.

 The extra processing overhead is minimal, as the AuthBy FILE will cache
 the DEFAULT lines in memory and will simply do a couple of memory
 lookups.

 I encourage you to have a look at the code in Radius/AuthGeneric.pm
 and Radius/AuthSQL.pm to see what goes on.

 I have also copied this mail to Mike for his additional comments.

 regards

 Hugh


 On Friday, Dec 13, 2002, at 22:26 Australia/Melbourne, Toomas Kärner
 wrote:

  Hi,
 
  So, AuthBy's like:
  
  <AuthBy SQL>
  Identifier  AuthBlacklistCheck
  DBSource dbi:mysql:
  DBUsername
  DBAuth
   AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
     MACADDRESS like '%{Calling-Station-Id}' and \
     ACTIVE = 'Yes'
 
   AuthColumnDef 0, Service-Type,check
   AuthColumnDef 1, Reply-Message,reply
 
   NoDefault
   AcceptIfMissing
  </AuthBy>
  
  and
  
  <AuthBy SQL>
   Identifier AuthUser
   DBSource dbi:mysql:
   DBUsername
   DBAuth
 
   AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
     REPLYATTR \
     from xx where USERNAME ='%n'
 
   AuthColumnDef 0, ETC-Admin-Active, check
   AuthColumnDef 1, ETC-Admin-Wireless, check
   AuthColumnDef 2, GENERIC, check
   AuthColumnDef 3, User-Password, check
   AuthColumnDef 4, GENERIC, reply
 
   DefaultSimultaneousUse 1
   NoDefault
   RejectEmptyPassword
 
  AccountingTable log
  AcctColumnDef   DATE,Timestamp ,formatted-date,'%Y-%m-%d'
  .
  .
  .
  </AuthBy>
  
  and realm like
  
  <Realm admin>
  RewriteUsername s/^([^@]+).*/$1/
  AuthByPolicy ContinueUntilReject
  AuthBy AuthBlacklistCheck
  AuthBy AuthUser
  </Realm admin>
  
  is impossible because AuthBlacklistCheck has nothing to do with usernames
  and that freaks it out to go to loop with DEFAULT? I think that this is more
  than configuration issue and configuration that you gave me is more like a
  workaround that probably takes more load. If this is true that if no such
  thing as username is received from sql results in a new query with default
  username then it is impossible to use radiator for authentication of layer
  2. If you are confused what I mean by Layer 2 authentication, this is
  checking layer 2 information for given request and if that succeeds then go
  forward with username authentication.
 
  Also from the Archive: 17. oct. 2002 to [EMAIL PROTECTED] you said:
  {
  The reason for doing it this way is because the AuthBy processing is
  looking for a user, which the AuthBy SQL clause is not doing.
  }
  I don't want to do anything with user in that AuthBy, I just want to verify
  2L information. Is that a limitation in Radiator?
 
  Rgds.
  Toomas
 
  - Original Message -
  From: Hugh Irvine [EMAIL PROTECTED]
  To: Toomas Kärner [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Sent: Friday, December 13, 2002 12:59 AM
  Subject: Re: (RADIATOR) Bug?
 
 
 
  Hello Toomas -
 
  This is not a bug really - it is more a configuration issue.
 
  The problem that you show below is due to the fact that the AuthBy is
  looking for the username, and you are overriding it to look for
  something else. This leads to the AuthBy continuing to look for
  DEFAULT... .
 
  The correct way to build a configuration file to do blacklist checking
  is to use cascaded AuthBy clauses.
 
  Something like this:
 
  # define AuthBy clauses
 
  AuthBy SQL
  Identifier CheckMACAddress
  ..
  /AuthBy
 
  AuthBy FILE
  Identifier CheckBlacklist
  Filename %D/blacklist
  /AuthBy
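
The loop discussed in this thread, as an added example that is not part of the original posts and is not Radiator's code: a simplified Python model of the DEFAULT fallback, showing why a query that ignores the lookup name never terminates and how NoDefault or a cap such as the 512 proposed above bounds the SQL queries per request. The names `authenticate`, `max_defaults` and `safety_stop` are hypothetical, and the lookup order (username, DEFAULT, DEFAULT1, ...) is an assumption drawn from the debug log.

```python
"""Simplified model of the DEFAULT fallback loop discussed in this thread.

Added example, not Radiator source code. Assumptions: lookups go
<username>, DEFAULT, DEFAULT1, DEFAULT2, ... (naming taken from the debug
log) and the chain ends at the first lookup after the username that
returns no row.
"""

ACCEPT, REJECT, RUNAWAY = "ACCEPT", "REJECT", "RUNAWAY"

# Constructed sample data.
MAC_BLACKLIST = {"00-50-04-E8-B4-AF"}
USERS = {"toomas": "secret"}


def blacklist_select(lookup_name, request):
    """Model of the thread's AuthSelect: keyed on Calling-Station-Id only.

    lookup_name is ignored, so DEFAULT, DEFAULT1, ... all return the same
    row. Column 0 (the MAC) becomes a Service-Type check item, which never
    equals the request's Service-Type, so a found row always fails.
    """
    mac = request["Calling-Station-Id"]
    if mac not in MAC_BLACKLIST:
        return None
    return {"Service-Type": mac}


def user_select(lookup_name, request):
    """A username-keyed query: a DEFAULT lookup finds nothing and ends the chain."""
    if lookup_name not in USERS:
        return None
    return {"User-Password": USERS[lookup_name]}


def checks_pass(check_items, request):
    """True when every check item equals the matching request attribute."""
    return all(request.get(attr) == value for attr, value in check_items.items())


def authenticate(select, request, no_default=False, accept_if_missing=False,
                 max_defaults=None, safety_stop=100_000):
    """Return (result, queries_issued, last_lookup_name).

    max_defaults models the proposed limit on $defaultNumber; safety_stop
    only exists so the unbounded case can be demonstrated and then halted.
    """
    lookup_name = request["User-Name"]
    defaults_tried = 0
    queries = 0
    found_any = False
    while True:
        if queries >= safety_stop:
            return RUNAWAY, queries, lookup_name
        row = select(lookup_name, request)
        queries += 1
        if row is not None:
            found_any = True
            if checks_pass(row, request):
                return ACCEPT, queries, lookup_name
        elif defaults_tried > 0:
            break  # this DEFAULTn does not exist: end of the chain
        if no_default:
            break  # NoDefault: stop after the first lookup, found or not
        if max_defaults is not None and defaults_tried >= max_defaults:
            break  # proposed cap reached
        lookup_name = "DEFAULT" if defaults_tried == 0 else f"DEFAULT{defaults_tried}"
        defaults_tried += 1
    if not found_any and accept_if_missing:
        return ACCEPT, queries, lookup_name
    return REJECT, queries, lookup_name


def demo():
    """Run the blacklist AuthBy against one constructed request, three ways."""
    request = {
        "User-Name": "toomas",
        "User-Password": "secret",
        "Service-Type": "Login-User",
        "Calling-Station-Id": "00-50-04-E8-B4-AF",
    }
    return {
        "unbounded": authenticate(blacklist_select, request,
                                  accept_if_missing=True, safety_stop=60_000),
        "NoDefault": authenticate(blacklist_select, request,
                                  no_default=True, accept_if_missing=True),
        "cap 512": authenticate(blacklist_select, request,
                                accept_if_missing=True, max_defaults=512),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} -> {outcome}")
```
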

Re: (RADIATOR) Bug?

2002-12-13 Thread Toomas Kärner
Hi,

So, AuthBy's like:

<AuthBy SQL>
Identifier  AuthBlacklistCheck
DBSource dbi:mysql:
DBUsername
DBAuth
 AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
   MACADDRESS like '%{Calling-Station-Id}' and \
   ACTIVE = 'Yes'

 AuthColumnDef 0, Service-Type,check
 AuthColumnDef 1, Reply-Message,reply

 NoDefault
 AcceptIfMissing
</AuthBy>

and

<AuthBy SQL>
 Identifier AuthUser
 DBSource dbi:mysql:
 DBUsername
 DBAuth

 AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
   REPLYATTR \
   from xx where USERNAME ='%n'

 AuthColumnDef 0, ETC-Admin-Active, check
 AuthColumnDef 1, ETC-Admin-Wireless, check
 AuthColumnDef 2, GENERIC, check
 AuthColumnDef 3, User-Password, check
 AuthColumnDef 4, GENERIC, reply

 DefaultSimultaneousUse 1
 NoDefault
 RejectEmptyPassword

AccountingTable log
AcctColumnDef   DATE,Timestamp ,formatted-date,'%Y-%m-%d'
.
.
.
</AuthBy>

and realm like

<Realm admin>
RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueUntilReject
AuthBy AuthBlacklistCheck
AuthBy AuthUser
</Realm admin>

is impossible because AuthBlacklistCheck has nothing to do with usernames
and that freaks it out to go to loop with DEFAULT? I think that this is more
than configuration issue and configuration that you gave me is more like a
workaround that probably takes more load. If this is true that if no such
thing as username is received from sql results in a new query with default
username then it is impossible to use radiator for authentication of layer
2. If you are confused what I mean by Layer 2 authentication, this is
checking layer 2 information for given request and if that succeeds then go
forward with username authentication.

Also from the Archive: 17. oct. 2002 to [EMAIL PROTECTED] you said:
{
The reason for doing it this way is because the AuthBy processing is
looking for a user, which the AuthBy SQL clause is not doing.
}
I don't want to do anything with user in that AuthBy, I just want to verify
2L information. Is that a limitation in Radiator?

Rgds.
Toomas

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Toomas Kärner [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 13, 2002 12:59 AM
Subject: Re: (RADIATOR) Bug?



 Hello Toomas -

 This is not a bug really - it is more a configuration issue.

 The problem that you show below is due to the fact that the AuthBy is
 looking for the username, and you are overriding it to look for
 something else. This leads to the AuthBy continuing to look for
 DEFAULT... .

 The correct way to build a configuration file to do blacklist checking
 is to use cascaded AuthBy clauses.

 Something like this:

 # define AuthBy clauses

 <AuthBy SQL>
 Identifier CheckMACAddress
 ..
 </AuthBy>

 <AuthBy FILE>
 Identifier CheckBlacklist
 Filename %D/blacklist
 </AuthBy>

 ..

 # define Realms or Handlers

 <Realm ...>
 AuthByPolicy ContinueWhileAccept
 .
 AuthBy CheckBlacklist
 .
 </Realm>

 .

 The SQL table would contain something like this:

 MACADDRESS ACTION
 nn.nn.nn.nn.nn.nn Auth-Type = Reject
 oo.oo.oo.oo.oo.oo Auth-Type = Reject

 .

 The file blacklist would contain this:

 # blacklist

 DEFAULT Auth-Type = CheckMACAddress

 DEFAULT Auth-Type = Accept

 This topic has been discussed on the list many times, so check the
 archive if you are interested.

 www.open.com.au/archives/radiator

 regards

 Hugh


 On Thursday, Dec 12, 2002, at 21:38 Australia/Melbourne, Toomas Kärner
 wrote:

  Hi
 
  When I have config like:
 
  <Realm plah>
  AuthByPolicy ContinueUntilReject
  AuthBy Identifier_of_some_authby_that_gives_reject
  <AuthBy SQL>
  plahplah
  </AuthBy>
  </Realm plah>
 
  This kind a conf results loop in Identifier_of_some_authby_that_gives_reject
  and never goes to AuthBy SQL.
 
  debug 4 of such config (it had other problems as well but it shouldnt
  have
  gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).
 
  Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
  DEFAULT52061
  Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
  Service-Type expression '00-50-04-E8-B4-AF' does not match
  'Login-User' in
  request
  Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS,
  REPLYMESSAGE
  from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE
  =
  'Yes'
 
  Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
  DEFAULT52062
  Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
  Service-Type expression '00-50-04-E8-B4-AF' does not match
  'Login-User' in
  request
  Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS,
  REPLYMESSAGE
  from macblacklist where MACADDRESS

Re: (RADIATOR) Bug?

2002-12-12 Thread Toomas Kärner
Yes, I know but as you can see it finds the account and then the NoDefault
shouldn't be effective at all. NoDefault is useful ONLY if Select gives back
Empty Set. So ... this is another issue ...

- Original Message -
From: Ingvar Berg (EAB) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 1:23 PM
Subject: RE: (RADIATOR) Bug?


 There is some NoDefault parameter you could use in the looping AuthBy

 /Ingvar

 -Original Message-
 From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
 Sent: 12 December 2002 11:39
 To: [EMAIL PROTECTED]
 Subject: (RADIATOR) Bug?


 Hi

 When I have config like:

 <Realm plah>
 AuthByPolicy ContinueUntilReject
 AuthBy Identifier_of_some_authby_that_gives_reject
 <AuthBy SQL>
 plahplah
 </AuthBy>
 </Realm plah>

 This kind a conf results loop in Identifier_of_some_authby_that_gives_reject
 and never goes to AuthBy SQL.

 debug 4 of such config (it had other problems as well but it shouldn't have
 gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).

 Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
 DEFAULT52061
 Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
 Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
 request
 Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
 from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
 'Yes'

 Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
 DEFAULT52062
 Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
 Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
 request
 Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
 from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
 'Yes'

 Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
 DEFAULT52063
 Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
 Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
 request
 Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
 from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
 'Yes'

 Anyway I think it would be good idea to add a keyword RejectIfFound to
 features for blacklist building purposes.

 Rgds.
 Toomas Kärner




Re: (RADIATOR) Bug?

2002-12-12 Thread Toomas Kärner
Hi,

It works (partly - some problems with AuthByPolicy's) if you put it into
realm.
I added some comments and also I haven't tested it (I tested earlier version
which I already changed and this is recreation).
#
<AuthBy SQL>
    Identifier  AuthBlacklistCheck

    DBSource dbi:mysql:
    DBUsername
    DBAuth

    AuthSQLStatement UPDATE macblacklist SET \
        LASTTRY = '%Y-%m-%d %H:%M:%S', \   <- PS. HERE I CAN'T USE '%{Timestamp}'
        LASTTRYUSERNAME = '%n', \
        LASTTRYLOCATION = '%{NAS-Port}' \
        where MACADDRESS = '%{Calling-Station-Id}' \
        and ACTIVE = 'Yes'

    AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
        MACADDRESS like '%{Calling-Station-Id}' and \
        ACTIVE = 'Yes'

    AuthColumnDef 0, Service-Type,check
    AuthColumnDef 1, Reply-Message,reply
    #MAC Address is compared with Service-Type to get REJECT if found.
    #NoDefault
    AcceptIfMissing
</AuthBy>
#

<Realm admin>
#
    PreAuthHook sub { \
        my $p=${$_[0]}; \
        if ((${$_[0]}->code) eq 'Access-Request') { \
            $p->add_attr('ETC-Admin-Wireless','Admin'); \
            $p->add_attr('ETC-Admin-Active','Yes'); \
        } \
    }
#
    AuthLog AdminLoginFailuresLog
    RewriteUsername s/^([^@]+).*/$1/
    RejectHasReason
    AuthByPolicy ContinueUntilReject
    AuthBy AuthBlacklistCheck
#
    <AuthBy SQL>
        Identifier  AcctStartOnlyAdmin
        DBSource dbi:mysql
        DBUsername
        DBAuth

        IgnoreAuthentication
        AccountingStartsOnly

        AcctSQLStatement UPDATE X SET \
            LAST_LOGIN_TIME=from_unixtime(%{Timestamp}), \
            LAST_LOGIN_CONNECTION = '%{ETC-Network-Type}', \
            LAST_LOGIN_LOCATION = '%{NAS-Port}' \
            WHERE username='%U'
    </AuthBy>
#
    <AuthBy SQL>
        Identifier AdminAuth
        DBSource dbi:mysql:
        DBUsername
        DBAuth

        AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
            REPLYATTR \
            from  where USERNAME ='%n'

        AuthColumnDef 0, ETC-Admin-Active, check
        AuthColumnDef 1, ETC-Admin-Wireless, check
        AuthColumnDef 2, GENERIC, check
        AuthColumnDef 3, User-Password, check
        AuthColumnDef 4, GENERIC, reply

        DefaultSimultaneousUse 1
        NoDefault
        RejectEmptyPassword

        AccountingTable XXX
        AcctColumnDef   DATE,Timestamp ,formatted-date,'%Y-%m-%d'
        AcctColumnDef   TIME,Timestamp ,formatted-date,'%H:%M:%S'
        AcctColumnDef   TIMESTAMP,Timestamp
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   REALM,ETC-Realm
        AcctColumnDef   CONNECTION,ETC-Network-Type
        AcctColumnDef   LOCATION, NAS-Port
        AcctColumnDef   MAC_ADDRESS,Calling-Station-Id
        AcctColumnDef   SESSION_ID,Acct-Session-Id
        AcctColumnDef   BRAS,NAS-IP-Address
        AcctColumnDef   FRAMED_IP,Framed-IP-Address
        AcctColumnDef   TYPE,Acct-Status-Type
        AcctColumnDef   DURATION,Acct-Session-Time,integer
        AcctColumnDef   IN_OCTETS,Acct-Input-Octets,integer
        AcctColumnDef   OUT_OCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ERR_CODE,Session-Error-Code
        AcctColumnDef   ERR_MSG,Acct-Terminate-Cause

        AcctFailedLogFileName   %L/SQLacct-Admin-radius-%Y-%m-%d

        AddToReplyIfNotExist Nomadix-Bw-Down=8000,Nomadix-Bw-Up=8000,Idle-Timeout=3600

    </AuthBy>
    PostAuthHook file:./wn/AdminPostAuthHook.pl
</Realm admin>
#

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 4:12 PM
Subject: RE: (RADIATOR) Bug?


Hi,
I think you should show important part

<AuthBy SQL>
 plahplah
</AuthBy>
with complete plahplah ( without secret pw,db,user,IP)

David


-Original Message-
From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 12:43
To: Ingvar Berg (EAB); [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Bug?


Yes, I know but as you can see it finds the account and then the NoDefault
shouldn't be effective at all. NoDefault is useful ONLY if Select gives back
Empty Set. So ... this is another issue ...

- Original Message -
From: Ingvar Berg (EAB) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 1:23 PM
Subject: RE: (RADIATOR) Bug?


 There is some NoDefault parameter you could use in the looping AuthBy

 /Ingvar

 -Original Message-
 From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
 Sent: 12 December 2002 11:39
 To: [EMAIL PROTECTED]
 Subject: (RADIATOR) Bug?


 Hi

 When I have config like:

 <Realm plah>
 AuthByPolicy ContinueUntilReject
 AuthBy Identifier_of_some_authby_that_gives_reject
 <AuthBy SQL>
 plahplah
 </AuthBy>
 </Realm plah>

 This kind a conf results loop

Re: (RADIATOR) Bug?

2002-12-12 Thread Toomas Kärner
Please do read comments two lines below the check. The point is to GET
REJECT if found (mac address in blacklist). Easiest way to do - compare it
with something that will never be the same (Service-Type) and then you can
do also some bogus in PostAuthHook that rewrites Reply-Message if it
consists Service-Type to something like MAC address in blacklist.

Rgds.
Toomas

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 5:17 PM
Subject: RE: (RADIATOR) Bug?


Hi
I see first error in this part - you don't check Service-Type but MACADDRESS,
so have to use special check GENERIC

##
AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
   MACADDRESS like '%{Calling-Station-Id}' and \
   ACTIVE = 'Yes'

 AuthColumnDef 0, GENERIC,check
 AuthColumnDef 1, Reply-Message,reply

Hope help
David

-Original Message-
From: Toomas Kärner [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 15:52
To: kramar; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Bug?


Hi,

It works (partly - some problems with AuthByPolicy's) if you put it into
realm.
I added some comments and also I haven't tested it (I tested earlier version
which I already changed and this is recreation).
#
<AuthBy SQL>
    Identifier  AuthBlacklistCheck

    DBSource dbi:mysql:
    DBUsername
    DBAuth

    AuthSQLStatement UPDATE macblacklist SET \
        LASTTRY = '%Y-%m-%d %H:%M:%S', \   <- PS. HERE I CAN'T USE '%{Timestamp}'
        LASTTRYUSERNAME = '%n', \
        LASTTRYLOCATION = '%{NAS-Port}' \
        where MACADDRESS = '%{Calling-Station-Id}' \
        and ACTIVE = 'Yes'

    AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
        MACADDRESS like '%{Calling-Station-Id}' and \
        ACTIVE = 'Yes'

    AuthColumnDef 0, Service-Type,check
    AuthColumnDef 1, Reply-Message,reply
    #MAC Address is compared with Service-Type to get REJECT if found.
    #NoDefault
    AcceptIfMissing
</AuthBy>
#

<Realm admin>
#
    PreAuthHook sub { \
        my $p=${$_[0]}; \
        if ((${$_[0]}->code) eq 'Access-Request') { \
            $p->add_attr('ETC-Admin-Wireless','Admin'); \
            $p->add_attr('ETC-Admin-Active','Yes'); \
        } \
    }
#
    AuthLog AdminLoginFailuresLog
    RewriteUsername s/^([^@]+).*/$1/
    RejectHasReason
    AuthByPolicy ContinueUntilReject
    AuthBy AuthBlacklistCheck
#
    <AuthBy SQL>
        Identifier  AcctStartOnlyAdmin
        DBSource dbi:mysql
        DBUsername
        DBAuth

        IgnoreAuthentication
        AccountingStartsOnly

        AcctSQLStatement UPDATE X SET \
            LAST_LOGIN_TIME=from_unixtime(%{Timestamp}), \
            LAST_LOGIN_CONNECTION = '%{ETC-Network-Type}', \
            LAST_LOGIN_LOCATION = '%{NAS-Port}' \
            WHERE username='%U'
    </AuthBy>
#
    <AuthBy SQL>
        Identifier AdminAuth
        DBSource dbi:mysql:
        DBUsername
        DBAuth

        AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
            REPLYATTR \
            from  where USERNAME ='%n'

        AuthColumnDef 0, ETC-Admin-Active, check
        AuthColumnDef 1, ETC-Admin-Wireless, check
        AuthColumnDef 2, GENERIC, check
        AuthColumnDef 3, User-Password, check
        AuthColumnDef 4, GENERIC, reply

        DefaultSimultaneousUse 1
        NoDefault
        RejectEmptyPassword

        AccountingTable XXX
        AcctColumnDef   DATE,Timestamp ,formatted-date,'%Y-%m-%d'
        AcctColumnDef   TIME,Timestamp ,formatted-date,'%H:%M:%S'
        AcctColumnDef   TIMESTAMP,Timestamp
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   REALM,ETC-Realm
        AcctColumnDef   CONNECTION,ETC-Network-Type
        AcctColumnDef   LOCATION, NAS-Port
        AcctColumnDef   MAC_ADDRESS,Calling-Station-Id
        AcctColumnDef   SESSION_ID,Acct-Session-Id
        AcctColumnDef   BRAS,NAS-IP-Address
        AcctColumnDef   FRAMED_IP,Framed-IP-Address
        AcctColumnDef   TYPE,Acct-Status-Type
        AcctColumnDef   DURATION,Acct-Session-Time,integer
        AcctColumnDef   IN_OCTETS,Acct-Input-Octets,integer
        AcctColumnDef   OUT_OCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ERR_CODE,Session-Error-Code
        AcctColumnDef   ERR_MSG,Acct-Terminate-Cause

        AcctFailedLogFileName   %L/SQLacct-Admin-radius-%Y-%m-%d

        AddToReplyIfNotExist Nomadix-Bw-Down=8000,Nomadix-Bw-Up=8000,Idle-Timeout=3600

    </AuthBy>
    PostAuthHook file:./wn/AdminPostAuthHook.pl
</Realm admin>
#

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 4:12 PM
Subject: RE: (RADIATOR) Bug?


Hi,
I think you should show important part

<AuthBy SQL>
 plahplah
</AuthBy>

Re: (RADIATOR) Multiple Items in the same AcctColumnDef

2002-12-08 Thread Toomas Kärner
Hi Brian,

Probably this is not possible by standard ways of radiator but you can make
a preauthhook where you join these two parameters into one (your own)
parameter and then log it.

Rgds.
Toomas Kärner

- Original Message -
From: Brian Morris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 9:38 AM
Subject: (RADIATOR) Multiple Items in the same AcctColumnDef


 Hi All,

 We receive session info from a few different NAS's but I would like to store
 all the connection specific information in a single table element.  EG:  I
 would like to store the Ascend-Disconnect-Cause as well as the standard
 Account-Terminate-Cause into the same table column.

 Is this possible to do?  If so, what is the syntax for the ACCTCOLUMNDEF
 entry?

 Thanks in advance.

 Brian Morris





Re: (RADIATOR) RE: Do you have an update to the dictionary

2002-11-14 Thread Toomas Kärner
VENDORATTR   2352   Session-Error-Code 142 integer
VENDORATTR   2352   Session-Error-Msg  143 string

- Original Message -
From: Karel van der Velden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 14, 2002 10:02 AM
Subject: (RADIATOR) RE: Do you have an update to the dictionary


Hello Hugh,

Did you already receive the latest dictionary from Redback? I have the same
statements in my logs.

Regards,
Karel van der Velden

Hello -

We don't have these definitions yet either, but I have copied this mail to
Onno Becker at Redback who will send them to us I'm sure.

Hi Onno!

:-)

regards

Hugh


On Wed, 5 Jun 2002 17:55, [EMAIL PROTECTED] wrote:
 Wed Jun  5 09:55:30 2002: ERR: Attribute number 143 (vendor 2352) is not
 defined in your dictionary
 Wed Jun  5 09:55:30 2002: ERR: Attribute number 142 (vendor 2352) is not
 defined in your dictionary


 It came from a RedBack machine , new version .
 ===


-
Karel van der Velden   |   telnr: +31 50 5881003
Leonard Springerlaan 29|   faxnr: +31 50 5883216
9727 AR Groningen  |   e-mail:
[EMAIL PROTECTED]
The Netherlands
DISCLAIMER: This Statement is not an official statement from, nor does it
represent an official postion of Planet Technologies or KPN

-






(RADIATOR) Editing Reply-Message

2002-10-10 Thread Toomas Kärner

Hi All,

I have seen in the examples and it also partly works but not as I would
expect.

PostAuthHook sub { \
${$_[1]}->change_attr('Reply-Message' , 'MyMessage') \
if (${$_[2]} == $main::REJECT  ); \
}

results in:

Code:   Access-Reject
Identifier: 208
Authentic:  5800=`00231;00oY00
Attributes:
Reply-Message = MyMessage
Reply-Message = Bad Password

Somehow it results in two Reply-Messages, but I would like to send only
mine.

Rgds.
Toomas





Re: (RADIATOR) IP Lease problem

2002-09-25 Thread Toomas Kärner

Hi Skeeve,

Maybe it would be a good idea to give Session-Timeout also and set it to 24
hours. So if even the user is online and using the address for longer than
23:59 then it will be disconnected and ip address will be released. Of course
then you have to make official policy out of it that you don't allow longer
than 24 hour sessions (what is not a bad thing and I hope that I would have
done it when my network was starting - release unused resources).

Rgds
Toomas

- Original Message -
From: Skeeve Stevens [EMAIL PROTECTED]
To: Hugh Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, September 25, 2002 11:55 PM
Subject: Re: (RADIATOR) IP Lease problem



 If there is a problem with stop records, and people are staying on for 1
 or 2 days... then there is quite possibly a chance for problems.

 Using static IP for a large number of customer without good reason could
 cause us to bleed higher usage on Address Space which APNIC would also not
 be responsive to so I am trying to be conservative.

 Is there no solution? or is it just complicated.

 ...Skeeve


 On Thu, Sep 26, 2002 at 07:38:33AM +1000, Hugh Irvine wrote into the
ether:
 
  Hello Skeeve -
 
  The short answer is to use static addresses for long-held connections.
 
  By definition, dynamic addresses are designed for frequent re-use.
 
  regards
 
  Hugh
 
 
  On Wednesday, September 25, 2002, at 11:50 PM, Skeeve Stevens wrote:
 
  
  
   Question
  
   We currently have a pool of 64 IP's stored in a database, and when a
   user connects AND they don't have a static IP they get assigned one from
   the database of dynamic IP's...
  
   The problem I have is that the pool has the Lease Period set to 24 hours
   after 24 hours the dynamic IP is reclaimed... which is all good..
  
   But what if the user was dedicated and did not disconnect after 24 hours.
   The IP still gets reclaimed.. and can be assigned by the database to a
   new connection even though the user is still using it..
  
   If I set it to have no Lease or a Lease longer than, lets say a week and
   the user has no stop record, then I risk not getting the IP back for a
   while if not at all... and the pool can fill.
  
   Any Thoughts
  
  
   ___
   Skeeve Stevens, RHCE Email: [EMAIL PROTECTED]
   Website: www.skeeve.org  - Telephone: (0414) 753 383
   Address: P.O Box 1035, Epping, NSW, 1710, Australia
  
   eIntellego - [EMAIL PROTECTED] - www.eintellego.net
   ___
   Si vis pacem, para bellum
  
  
  
  
 
  --
  Radiator: the most portable, flexible and configurable RADIUS server
  anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
  -
  Nets: internetwork inventory and management - graphical, extensible,
  flexible with hardware, software, platform and database independence.

 --
  -
 | Skeeve Stevens  url: http://www.skeeve.org/
|
 | email:[EMAIL PROTECTED]/  url: http://www.eIntellego.org/
|
  -



(RADIATOR) Re: Nomadix VSA's

2002-09-17 Thread Toomas Kärner

Found it .. thanx anyway...

- Original Message -
From: Toomas Kärner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 17, 2002 4:08 PM
Subject: Nomadix VSA's


 Hello,

 I can't find all Nomadix VSA's and there is no use of http://www.nomadix.com
 As I have found out they are included in the latest dictionary of radiator.
 Could somebody send me only the Nomadix VSA part.

 Rgds.
 Toomas





Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500

2002-09-12 Thread Toomas Kärner

Same in here 

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: User BALGAA System Engineer [EMAIL PROTECTED]
Cc: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, September 13, 2002 12:18 AM
Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500



 Hello Balgaa -

 I have not heard anything further.

 Toomas?

 regards

 Hugh


 On Friday, September 13, 2002, at 02:21 AM, User BALGAA System Engineer
 wrote:

  Hi Toomas/Hugh,
 
  We get Radiator 3.2 work with Redback SMS1800.
 
  Any update on NasType?
 
  Thanks,
  Balgaa
 
  On Fri, 2 Aug 2002, [iso-8859-1] Toomas Kärner wrote:
 
  Hi Hugh,
 
  Thanks. I have worked together with Onno on one project when he
  visited us
  in Estonia. I'll send you any information as I get it.
 
  Rgds.
  Toomas Kärner
  Estonian Telephone Company
  Head Administrator of DSL
 
  - Original Message -
  From: Hugh Irvine [EMAIL PROTECTED]
  To: Toomas Kärner [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Sent: Friday, August 02, 2002 7:33 AM
  Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500
 
 
 
  Hello Toomas -
 
  You should check with Redback to see what is possible as far as querying
  the device is concerned, as well as what is recorded in the accounting
  requests (and the correspondence of course).
 
  I have copied this mail to Onno Becker at Redback who may be able to
  help, as there are many of Onno's customers using Radiator already.
 
  Please copy us on what you discover so we can add the correct NasType
  code.
 
  regards
 
  Hugh
 
 
  On Friday, August 2, 2002, at 04:05 PM, Toomas Kärner wrote:
 
  Hi Hugh,
 
  We also use Redback equipment. At the moment we always assume that session
  DB is correct, but I'd like to check also. So far I haven't found a suitable
  NasType parameter. Only place where Redback is mentioned in the ref.pdf is
  section about dictionaries (v.2.19  v.3.1). Could you tell us what type
  might be most suitable?
  I have also the same problem with Unisphere ERX family equipment.
 
  Rgds.
  Toomas Kärner
 
  - Original Message -
  From: Hugh Irvine [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Sent: Friday, August 02, 2002 2:08 AM
  Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500
 
 
 
  Hello Sven -
 
  There are many readers of this list who use Redback equipment, and there
  are people at Redback on this list as well.
 
  Radiator maintains one or more session databases (in memory, SQL,
  DBM, ...) and tries to keep track of current sessions by using the
  accounting starts to add records and accounting stops (and access
  requests) to delete records.
 
  The NAS itself is only contacted if Radiator detects what it thinks is a
  simultaneous-use exception, and then only if the NasType parameter is
  set in the corresponding Client clause(s). In this situation, Radiator
  goes through the list of sessions for the particular user and queries
  the NAS(s) to verify that the sessions are still active. If any session
  has gone away, that record in the session database is deleted and the
  connection is allowed to proceed. If on the other hand, all the sessions
  are still active, then the connection is rejected.
 
  You will find the mechanisms used to query the different NasTypes in
  section 6.5.5 of the Radiator 3.1 reference manual (doc/ref.html) and
  you will find the corresponding code in the Radius/Nas directory.
 
  regards
 
  Hugh
 
 
 
 
  Hi, has anyone any experiences with the upper configuration?
 
  I'm also interested in the function, how radiator checks via snmp that an
  account is in use. I did a snmpwalk on a portmaster and I haven't found any
  information about needful data (what does not mean that it isn't
  there :-)
 
  And please don't tell me that cisco is better, it was not my
  decision ;-)
 
 
 
   with kind regards || Mit freundlichen Gruessen
 
  Sven Holz
 
 
  --
  Sven Holz - IP-Services - WOBCOM GmbH    Phone  : +49.5361.189.473
  Hesslinger Str. 1-5, D-38440 Wolfsburg   Fax    : +49.5361.189.199
  Email: [EMAIL PROTECTED] - IRC: bofw2    Mobile : +49.170.920.153.5
 
  ---
 
  --
  Mike McCauley   [EMAIL PROTECTED]
  Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
  24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
  Phone +61 3 9598-0985   Fax   +61 3 9598-0955
 
  Radiator: the most portable, flexible and configurable RADIUS server
  anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
  Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
  on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
 

Re: (RADIATOR) FW: As requested.

2002-09-05 Thread Toomas Kärner

Identifier: 167

- Original Message -
From: Martin Edge [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Thursday, September 05, 2002 9:16 AM
Subject: (RADIATOR) FW: As requested.


 Hey Guys,

 On what conditions does a packet appear to Radiator as Duplicate?

 Below I attach two RADIUS packets I received, within 1 second of each other.
 Of course, the second packet was said to be duplicated, but the packets
 themselves would show they are completely different..

 Thanks,
 Martin :-)

 -- FIRST PACKET IN 
  Thu Sep  5 00:14:46 2002: DEBUG: Packet dump:
 *** Received from 203.194.56.121 port 1813 
 Code:   Accounting-Request
 Identifier: 167
 Authentic:  h254]166V243.18245V2480Y236211v
 Attributes:
 NAS-IP-Address = 203.220.252.241
 NAS-Port = 7204
 NAS-Port-Type = Async
 Called-Station-Id = 142330886300424
 Calling-Station-Id = 886324356
 Acct-Status-Type = Alive
 Acct-Authentic = RADIUS
 Service-Type = Framed-User
 Acct-Session-Id = 0009E3D8
 Framed-Protocol = PPP
 Ascend-Session-Svr-Key = AA9D6ABD
 Acct-Link-Count = 1
 Ascend-Num-In-Multilink = 1
 Acct-Multi-Session-Id = 25972
 Framed-IP-Address = 203.220.230.249
 Ascend-PreSession-Time = 24
 Ascend-Pre-Input-Octets = 157
 Ascend-Pre-Output-Octets = 113
 Ascend-Pre-Input-Packets = 5
 Ascend-Pre-Output-Packets = 4
 Acct-Input-Octets = 706094
 Acct-Output-Octets = 2766801
 Acct-Input-Packets = 5904
 Acct-Output-Packets = 5436
 Acct-Session-Time = 2286
 Ascend-Multilink-ID = 25972
 Acct-Delay-Time = 0
 User-Name = andym
 Proxy-State =

BSP2ims01-syd/72480B24F09399CB54AE56B24540BA02B5A54B62BCBA8CA37CCA09027797F0
 3488D35E66BCBA8CADB716F56D71F9EC12
 430FB8C3BCA889FA4DB97DF311AEA447CFE22D4ED3DCB5B22B8D68F213EE81

 Thu Sep  5 00:14:46 2002: DEBUG: Handling request with Handler ''
 Thu Sep  5 00:14:46 2002: DEBUG: mysessiondb Adding session for andym,
 203.220.252.241, 7204
 Thu Sep  5 00:14:46 2002: DEBUG: do query is: delete from RADONLINE where
 NASIDENTIFIER='203.220.252.241' and NASPORT=07204
 --- FIRST PACKET END ---

 --- FIRST PACKET RESPONSE START 
 Thu Sep  5 00:14:46 2002: DEBUG: Accounting accepted
 Thu Sep  5 00:14:46 2002: DEBUG: Packet dump:
 *** Sending to 203.194.56.121 port 1813 
 Code:   Accounting-Response
 Identifier: 167
 Authentic:  h254]166V243.18245V2480Y236211v
 Attributes:
 Proxy-State =

BSP2ims01-syd/72480B24F09399CB54AE56B24540BA02B5A54B62BCBA8CA37CCA09027797F0
 3488D35E66BCBA8CADB716F56D71F9EC12
 430FB8C3BCA889FA4DB97DF311AEA447CFE22D4ED3DCB5B22B8D68F213EE81
 --- FIRST PACKET RESPONSE STOP -

 --- SECOND PACKET START-
 Thu Sep  5 00:14:47 2002: DEBUG: Packet dump:
 *** Received from 203.194.56.121 port 1813 
 Code:   Accounting-Request
 Identifier: 167
 Authentic:  2I136PA3s244{30k191143hN196
 Attributes:
 Acct-Session-Id = 3541
 Framed-Protocol = PPP
 Framed-IP-Address = 203.220.218.5
 Ascend-Connect-Progress = prLanSessionUp
 Ascend-PreSession-Time = 36
 Ascend-Xmit-Rate = 33600
 Ascend-Data-Rate = 33600
 Acct-Session-Time = 12200
 Connect-Info = 33600 V34+/V42bis/LAPM
 Acct-Input-Octets = 817119
 Acct-Output-Octets = 4990544
 Ascend-Pre-Input-Octets = 122
 Ascend-Pre-Output-Octets = 114
 Acct-Input-Packets = 9177
 Acct-Output-Packets = 11655
 Ascend-Pre-Input-Packets = 5
 Ascend-Pre-Output-Packets = 5
 Acct-Terminate-Cause = Session-Timeout
 Ascend-Disconnect-Cause = sessTimeOut
 Acct-Authentic = RADIUS
 Acct-Status-Type = Stop
 NAS-Port = 7241
 Called-Station-Id = 142320198333414
 Calling-Station-Id = 891881736
 NAS-Port-Type = Async
 Service-Type = Framed-User
 NAS-IP-Address = 203.220.251.113
 Ascend-Session-Svr-Key = EE3451F2
 Event-Timestamp = 103114
 Acct-Delay-Time = 0
 User-Name = noseeds
 Proxy-State =

BSP2ims01-syd/7685C184EE7199F2CBEA363B011E321B84656D6D2109E1F70235F83144
 1D0F6D91616D6D21E52A2BF9E7FE5F5856
 C4B14B386D7F2682D08476F99E081003485CE249020B18CAB6B06CF98B543D307C
 Thu Sep  5 00:14:47 2002: INFO: Duplicate request id 167 received from
 203.194.56.121(1813): ignored
 --- SECOND PACKET STOP -
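
A simplified model of the duplicate check that the log above reports, as an added example (not Radiator's code and not part of the original posts). It assumes a request counts as a duplicate when the same source address, source port and Identifier are seen again within a DupInterval-style window; the 2-second window, the function name and the sample timings are assumptions.

```perl
#!/usr/bin/perl
# Added example: simplified model of RADIUS duplicate-request detection.
# Assumption: the key is (source address, source port, Identifier) and the
# attributes carried by the request are never compared.
use strict;
use warnings;

my $dup_interval = 2;    # seconds; assumed window
my %last_seen;           # "addr:port:id" => time the request was last processed

# Returns 1 if the request is treated as a duplicate, 0 otherwise.
sub is_duplicate {
    my ($src_addr, $src_port, $identifier, $now) = @_;
    my $key  = join ':', $src_addr, $src_port, $identifier;
    my $prev = $last_seen{$key};
    if (defined $prev && $now - $prev <= $dup_interval) {
        return 1;        # dropped without looking at the attributes
    }
    $last_seen{$key} = $now;
    return 0;
}

# Constructed sample modelled on the two dumps above: same proxy address,
# port and Identifier, different users and sessions, one second apart.
my @requests = (
    { t => 0, addr => '203.194.56.121', port => 1813, id => 167,
      user => 'andym',   status => 'Alive' },
    { t => 1, addr => '203.194.56.121', port => 1813, id => 167,
      user => 'noseeds', status => 'Stop' },
    { t => 1, addr => '203.194.56.121', port => 1813, id => 168,
      user => 'noseeds', status => 'Stop' },    # different Identifier
    { t => 4, addr => '203.194.56.121', port => 1813, id => 167,
      user => 'noseeds', status => 'Stop' },    # outside the window
);

for my $r (@requests) {
    my $dup = is_duplicate(@{$r}{qw(addr port id t)});
    printf "t=%ds id=%d %-8s %-5s -> %s\n",
        $r->{t}, $r->{id}, $r->{user}, $r->{status},
        $dup ? 'duplicate, ignored' : 'processed';
}
```

In this model the second request's Stop record is never examined, so a sender that reuses an Identifier inside the window loses that accounting record unless it is sent again later or with a new Identifier.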



Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500

2002-08-01 Thread Toomas Kärner

Hi Hugh,

We also use Redback equipment. At the moment we always assume that session
DB is correct, but I'd like to check also. So far I haven't found a suitable
NasType parameter. Only place where Redback is mentioned in the ref.pdf is
section about dictionaries (v.2.19  v.3.1). Could you tell us what type
might be most suitable?
I have also the same problem with Unisphere ERX family equipment.

Rgds.
Toomas Kärner

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 02, 2002 2:08 AM
Subject: Re: (RADIATOR) SNMP, Simultaneous-Use and Redback SMS500



 Hello Sven -

 There are many readers of this list who use Redback equipment, and there
 are people at Redback on this list as well.

 Radiator maintains one or more session databases (in memory, SQL,
 DBM, ...) and tries to keep track of current sessions by using the
 accounting starts to add records and accounting stops (and access
 requests) to delete records.

 The NAS itself is only contacted if Radiator detects what it thinks is a
 simultaneous-use exception, and then only if the NasType parameter is
 set in the corresponding Client clause(s). In this situation, Radiator
 goes through the list of sessions for the particular user and queries
 the NAS(s) to verify that the sessions are still active. If any session
 has gone away, that record in the session database is deleted and the
 connection is allowed to proceed. If on the other hand, all the sessions
 are still active, then the connection is rejected.

 You will find the mechanisms used to query the different NasTypes in
 section 6.5.5 of the Radiator 3.1 reference manual (doc/ref.html) and
 you will find the corresponding code in the Radius/Nas directory.

 regards

 Hugh




  Hi, has anyone any experiences with the upper configuration?
 
  I'm also interested in the function, how radiator checks via snmp that an
  account is in use. I did a snmpwalk on a portmaster and I haven't found any
  information about needful data (what does not mean that it isn't
  there :-)
 
  And please don't tell me that cisco is better, it was not my
  decision ;-)
 
 
 
   with kind regards || Mit freundlichen Gruessen
 
  Sven Holz
 
 
  --
  Sven Holz - IP-Services - WOBCOM GmbHPhone   : +49.5361.189.473
  Hesslinger Str. 1-5, D-38440 Wolfsburg Fax : +49.5361.189.199
  Email: [EMAIL PROTECTED] - IRC: bofw2Mobile  : +49.170.920.153.5
 
  ---
 
  --
  Mike McCauley   [EMAIL PROTECTED]
  Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
  24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
  Phone +61 3 9598-0985   Fax   +61 3 9598-0955
 
  Radiator: the most portable, flexible and configurable RADIUS server
  anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
  Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
  on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
 
 
 
 --
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
 -
 Nets: internetwork inventory and management - graphical, extensible,
 flexible with hardware, software, platform and database independence.
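
The session tracking and NAS verification described in Hugh's message above, as an added example (a simplified in-memory model, not Radiator's code and not part of the original posts). The `$ask_nas` callback stands in for the per-NasType query; it, the function names, the 'SomeNasType' value and the sample sessions are all hypothetical.

```perl
#!/usr/bin/perl
# Added example: in-memory model of a session database with simultaneous-use
# checking. The NAS is asked only when a limit appears to be exceeded, and
# only if a NasType is configured for the client.
use strict;
use warnings;

my %sessions;    # user => { "nas/port" => 1 }

# Accounting Start adds a record, accounting Stop deletes it.
sub handle_accounting {
    my ($type, $user, $nas, $port) = @_;
    if    ($type eq 'Start') { $sessions{$user}{"$nas/$port"} = 1 }
    elsif ($type eq 'Stop')  { delete $sessions{$user}{"$nas/$port"} }
    return;
}

# Returns 'accept' or 'reject'. $nas_type is undef when the client has no
# NasType; $ask_nas->($user, $nas, $port) returns true if the NAS still has
# that session.
sub check_access {
    my ($user, $nas, $port, $max, $nas_type, $ask_nas) = @_;

    # A new request on this NAS port makes any old record for it stale.
    delete $_->{"$nas/$port"} for values %sessions;

    my $have = $sessions{$user} ||= {};
    return 'accept' if keys(%$have) < $max;

    # Apparent simultaneous-use exception: without a NasType the session
    # database is trusted as it stands.
    return 'reject' unless defined $nas_type;

    for my $key (sort keys %$have) {
        my ($s_nas, $s_port) = split m{/}, $key;
        delete $have->{$key} unless $ask_nas->($user, $s_nas, $s_port);
    }
    return keys(%$have) < $max ? 'accept' : 'reject';
}

# Constructed scenario: the Stop for port 7 never arrives.
my %live;        # what the simulated NAS reports as active
my $ask_nas = sub { my ($u, $n, $p) = @_; return $live{"$u $n/$p"} ? 1 : 0 };

handle_accounting('Start', 'alice', 'nas1', 7);
print 'stale record, no NasType:   ',
    check_access('alice', 'nas1', 9, 1, undef, $ask_nas), "\n";
print 'stale record, NasType set:  ',
    check_access('alice', 'nas1', 9, 1, 'SomeNasType', $ask_nas), "\n";

handle_accounting('Start', 'alice', 'nas1', 9);
$live{'alice nas1/9'} = 1;
print 'live session, NasType set:  ',
    check_access('alice', 'nas1', 11, 1, 'SomeNasType', $ask_nas), "\n";
```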




Re: (RADIATOR) Pre Handler hook help...

2002-07-15 Thread Toomas Kärner

Hi,
You can also do it like this:

$p->add_attr( 'Calling-Station-Id',(($p->get_attr( 'RB-NAS-Real-Port') &
0xff) >> 16) .\
".". ($p->get_attr( 'RB-NAS-Real-Port') & 0x)); \
Here is only vpi.vci because I don't need more ...
rgds.
Tomkar

- Original Message -
From: Robert Blayzor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 12, 2002 10:21 PM
Subject: (RADIATOR) Pre Handler hook help...


 We have a handler which uses the following hook:

 <Client 64.246.152.18>
 Identifier  DSL1
 Secret  s
 DupInterval 2
 NasType ignore
 PreHandlerHook sub { ${$_[0]}->add_attr('NAS-Port-Type',
 'SDSL'); my $i_p = ${$_[0]\
 }->get_attr('RB-NAS-Real-Port'); my $i_a = sprintf("%s/%s/%s.%s", map
 oct("0b$_"), unpack(\
 "B32", pack("N", $i_p)) =~ /(.{5})(.{3})(.{8})(.*)/);
 ${$_[0]}->add_attr('Calling-Station-Id\
 ', $i_a);}
 </Client>


 In a nutshell the Handler basically adds a NAS-Port-Type and is to take a
 32bit integer representation of DSL ports and put them in the
 'Calling-Station-Id' attribute.

 The output should come out to be something like:  5/0/0/233, etc.
 However everything comes out at 0/0/0.0, like $i_p is null, but it's not
 because the following code (if I reverse things) works fine...

 PreHandlerHook sub { ${$_[0]}->add_attr('NAS-Port-Type',
 'SDSL'); my $i_p = ${$_[0]\
 }->get_attr('RB-NAS-Real-Port');
 ${$_[0]}->add_attr('Calling-Station-Id', $i_p);}


 Output the following code right from PERL works fine too:

 perl -e 'print sprintf("%s/%s/%s.%s", map(oct("0b$_"), unpack("B32",
 pack("N", 671088873)) =~ /(.{5})(.{3})(.{8})(.*)/)) ."\n";'
 5/0/0.233


 Any ideas?  I really need to get this to work.  Thanks!

 --
 Robert Blayzor, BOFH
 INOC, LLC
 [EMAIL PROTECTED]

 Pinky, you've left the lens cap of your mind on again.
  - The Brain
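
The bit layout implied by the hook's regex `(.{5})(.{3})(.{8})(.*)`, decoded with shifts and masks and cross-checked against the bit-string approach, as an added example (not code from the thread or from Radiator). It assumes RB-NAS-Real-Port is a 32-bit integer laid out as 5 bits slot, 3 bits port, 8 bits VPI and 16 bits VCI; the function names and all sample values other than 671088873 are hypothetical.

```perl
#!/usr/bin/perl
# Added example. Assumed layout of the 32-bit RB-NAS-Real-Port value, taken
# from the regex (.{5})(.{3})(.{8})(.*):
# 5 bits slot, 3 bits port, 8 bits VPI, 16 bits VCI.
use strict;
use warnings;

# Returns (slot, port, vpi, vci), or an empty list when the attribute is
# missing or is not an unsigned 32-bit integer.
sub decode_real_port {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /^\d{1,10}$/ && $raw <= 0xFFFFFFFF;
    return (($raw >> 27) & 0x1F,     # slot
            ($raw >> 24) & 0x07,     # port
            ($raw >> 16) & 0xFF,     # VPI
             $raw        & 0xFFFF);  # VCI
}

# "slot/port/vpi.vci" as in the thread, or undef when decoding fails.
sub format_real_port {
    my @f = decode_real_port(@_) or return;
    return sprintf '%d/%d/%d.%d', @f;
}

# The bit-string approach from the thread, kept for cross-checking.
sub format_with_regex {
    my ($raw) = @_;
    my @f = unpack('B32', pack('N', $raw)) =~ /(.{5})(.{3})(.{8})(.*)/;
    return sprintf '%d/%d/%d.%d', map { oct("0b$_") } @f;
}

# 671088873 is the value used in the thread; the others are constructed.
my @samples = (671088873, (3 << 27) | (1 << 24) | (8 << 16) | 35, undef, 'n/a');

for my $raw (@samples) {
    my $shown = defined $raw ? $raw : '(attribute missing)';
    my $out   = format_real_port($raw);
    if (defined $out) {
        die "mismatch for $raw\n" if $out ne format_with_regex($raw);
        print "$shown -> $out\n";
    }
    else {
        print "$shown -> not decoded, Calling-Station-Id left unset\n";
    }
}
```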





Re: (RADIATOR) Multiple Realm Forwarding

2002-05-28 Thread Toomas Kärner

Hi

I think he wants to build a tree of realms. I can't think of the use of it yet
but it might be useful in some ways. You could logon to
username@serviceprovider@service@subservice.

Tomkar

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 7:53 AM
Subject: Re: (RADIATOR) Multiple Realm Forwarding



 Hello Julien -

 Sorry, but I don't quite understand what you are wanting to do.

 Could you give me an example please?

 thanks

 Hugh


  Hi,
 
   Here is what I mean about Multiple realm forwarding:
 
   user1@realm1@realm2 is forwarded and then stripped to user1@realm2 then
   forwarded again.
 
   I think it can be done using RewriteUsername but I don't have any idea of
  how to modify this syntax : s/^([^@]+)@realm1
 
   Does someone know how to remove the middle realm in user1@realm1@realm2
  using rewriteusername ?
 
  I think this can be useful in many cases !
  Thanks,
  Julien
 
  ---

 --
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
 -
 Nets: internetwork inventory and management - graphical, extensible,
 flexible with hardware, software, platform and database independence.



(RADIATOR) How to make two SQL queries out of one ClearNasQuery?

2002-03-13 Thread Toomas Kärner

Hi,

My problem is that I can't find a way to execute two SQL queries because of a
single accounting-on or accounting-off packet. When the box goes down or
comes up everything works with session database (it gets cleared) but I
want to have that message also in the user accounting log table. We are
planning to start counting time and then if the box goes down and I have
only start records then, I can't count anything because that message is not
in the log. As I tried, and as it was written in here, ';' between the queries
doesn't help. Only way to do it is in some sort of PreClientHook but I'm
afraid of the impact to performance (because this is executed on every
incoming packet - the longer it is the slower it is).


Rgds.

Toomas Kärner





Re: (RADIATOR) AcctSQLStatement in v.2.19

2002-03-12 Thread Toomas Kärner

Hi Mike.

Here is a working example for you.

<AuthBy SQL>
 Identifier AcctStartOnlyLight
 DBSource
 DBUsername
 DBAuth
IgnoreAuthentication
AccountingStartsOnly
AcctSQLStatement UPDATE users SET LOCKED_TO_PVC=%{NAS-Real-Port} \
WHERE username='%n' and ACTIV = 'Enabled'
</AuthBy>

<AuthBy SQL>
 Identifier Auth
 DBSource
 DBUsername
 DBAuth

AuthSelect select PASSWORD,CHECKATTR,LOCKED_TO_PVC,REPLYATTR,RATE,BURST from users \
   where USERNAME ='%n' and ACTIV = 'Enabled'

 AuthColumnDef 0, User-Password, check
 AuthColumnDef 1, GENERIC, check
 AuthColumnDef 2, RB-NAS-Real-Port, check
 AuthColumnDef 3, GENERIC, reply
 AuthColumnDef 4, RB-Rate-Limit-Rate, reply
 AuthColumnDef 5, RB-Rate-Limit-Burst, reply

 DefaultSimultaneousUse 1

NoDefault

RejectEmptyPassword

AddToReplyIfNotExist Rate-Limit-Rate=100,Rate-Limit-Burst=1

 AccountingTable log
 AcctColumnDef USERNAME,User-Name
 AcctColumnDef DATE,Timestamp,formatted-date,'%Y-%m-%d'
 AcctColumnDef TIME,Timestamp,formatted-date,'%H:%M:%S'
 AcctColumnDef TYPE,Acct-Status-Type
 AcctColumnDef FRAMED_IP,Framed-IP-Address
 AcctColumnDef IN_OCTETS,Acct-Input-Octets,integer
 AcctColumnDef OUT_OCTETS,Acct-Output-Octets,integer
 AcctColumnDef SESSION_ID,Acct-Session-Id
 AcctColumnDef RATE,Rate-Limit-Rate
 AcctColumnDef BURST,Rate-Limit-Burst
 AcctColumnDef DURATION,Acct-Session-Time,integer
 AcctColumnDef BRAS,NAS-Identifier
 AcctColumnDef VPI_VCI,NAS-Real-Port
 AcctFailedLogFileName %L/SQLacct-failed-mudapingviin-%Y-%m-%d

</AuthBy>

Rgds.
Toomas Kärner


- Original Message -
From: Mike McCauley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 13, 2002 4:24 AM
Subject: Re: (RADIATOR) AcctSQLStatement in v.2.19




 --  Forwarded Message  --

 Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from
 [Quintin [EMAIL PROTECTED]]
 Date: Tue, 12 Mar 2002 17:48:30 -0600
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]


 Dear Hugh,

 Thanks for your quick response.  Actually, I just want to add some information
 into another table (it's not required to authenticate here) after the
 SessionDatabase and before any LDAP/UNIX authentication.

 I have tried many configuration even with two Auth Groups,  do you have any
 ideas?

 Thanks & Rgds,

 Quintin

 - Original Message -
 From: Hugh Irvine [EMAIL PROTECTED]
 To: Quintin [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Wednesday, March 13, 2002 7:28 AM
 Subject: Re: (RADIATOR) AcctSQLStatement in v.2.19

  Hello Quintin -
 
   Dear Hughes,
  
   Actually, I like to insert some information into the database when my
   customer login. The following config is from Hughes long time ago and it
   is still working in 2.18.2 . However, if the same config running in
   2.19, it rejects and will show Authentication disabled in the log
   file. Could you please help??
  
  
   <AuthBy SQL>
   Identifier debitinfo
   DBSource DBI:mysql:ewallet:192.168.1.239:3306
   DBUsername radius
   DBAuth  radius
   FailureBackoffTime 60
   AccountingStartsOnly
   AuthSelect
   AcctSQLStatement delete from DEBITINFO where USERNAME='%U'
   AcctSQLStatement insert into DEBITINFO (USERNAME, NASIDENTIFIER, NASPORT, \
       TIME_STAMP, DEBIT_TIMESTAMP, DEBIT_AMOUNT) values ('%U', '%N', \
       0%{NAS-Port}, %{Timestamp}, %{Timestamp}, 1000)
   </AuthBy>
  
   <Handler>
   RewriteUsername s/^([^@]+).*/$1/
   SessionDatabase MarkStart
   MaxSessions 1
   <AuthBy GROUP>
     AuthByPolicy ContinueUntilReject
     <AuthBy GROUP>
       AuthByPolicy ContinueWhileAccept
       AuthBy debitinfo
       AuthBy authen-ewallet
       AuthBy debitwhenauth-ewallet
     </AuthBy>
   </AuthBy>
   AuthLog authlog
   AcctLogFileName /var/adm/radacct/%C/detail
   </Handler>
 
  I don't quite understand what your Handler is meant to do.
 
  The AuthBy SQL with Identifier debitinfo has authentication turned off

 with

  the empty