(RADIATOR) some question about the radiator
Hugh Irvine
hugh at open.com.au
Sat Jun 28 03:54:09 CDT 2003
Hello Donald -
Accounting requests only receive accounting responses - there is no
accept or reject.
regards
Hugh
On Saturday, Jun 28, 2003, at 18:26 Australia/Melbourne, Foo Donald
(Products O2) wrote:
> Hi Hugh,
> Thanks again, since the handler is dealing with the rejection which
> match the calling-station-id, is there any way to reject the accounting
> in INTERNAL? I know that is rare since accounting will only send when
> authentication pass, but in our case the GGSN will only send the
> accounting to radiator while the authentication is done by other service.
>
> Thanks and Regards,
> Donald
>
> -----Original Message-----
> From: Hugh Irvine
> To: Foo Donald (Products O2)
> Cc: ''radiator at open.com.au' '
> Sent: 2003/6/28 ?U?E 04:01
> Subject: Re: (RADIATOR) some question about the radiator
>
>
> Hello Donald -
>
> This is very strange, but you can alter your AuthBy INTERNAL as
> follows:
>
> <AuthBy INTERNAL>
> AcctResult ACCEPT
> DefaultResult REJECT
> ....
> </AuthBy>
>
> regards
>
> Hugh
>
>
> On Saturday, Jun 28, 2003, at 09:07 Australia/Melbourne, Foo Donald
> (Products O2) wrote:
>
>> Hi Hugh,
>> Thank you very much for all the information, I am almost there, I found
>> something very strange with <AuthBy INTERNAL> during my test.
>> Herewith is my code
>>
>> <Handler Calling-Station-Id=/^65987/>
>> RejectHasReason
>> <AuthBy INTERNAL>
>> DefaultResult REJECT
>> RejectReason You are not our customer
>>
>> </AuthBy>
>>
>> <AuthLog SQL>
>> DBSource dbi:mysql:radius
>> DBUsername root
>> DBAuth root
>> LogFailure
>> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>> </AuthLog SQL>
>> </Handler>
>>
>> It works for all Authentication, but for accounting it can only accept
>> not reject.
>> Let me show you some of my debug.
>> If I put it DefaultResult ACCEPT and send an accounting start/stop
>>
>>
>> Sat Jun 28 06:51:24 2003: DEBUG: Packet dump:
>> *** Received from xx.xx.xx.xx port 4358 ....
>> Code: Accounting-Request
>> Identifier: 138
>> Authentic:
>> <4><229><244>j><129><205>J<154><<28><214><12><18><187><226>
>> Attributes:
>> <delete>
>> Calling-Station-Id = "6598765432"
>>
>> Sat Jun 28 06:51:24 2003: DEBUG: Handling request with Handler
>> 'Calling-Station-Id=/65987/'
>> Sat Jun 28 06:51:24 2003: DEBUG: Adding session for test, 1.1.1.1, 20
>> Sat Jun 28 06:51:24 2003: DEBUG: Handling with AuthINTERNAL:
>> Sat Jun 28 06:51:24 2003: DEBUG: Accounting accepted
>> Sat Jun 28 06:51:24 2003: DEBUG: Packet dump:
>> *** Sending to xx.xx.xx.xx port 4358 ....
>> Code: Accounting-Response
>> Identifier: 138
>> Authentic:
>> <4><229><244>j><129><205>J<154><<28><214><12><18><187><226>
>> Attributes:
>>
>>
>> Works smoothly, no problem.
>> If I put it DefaultResult REJECT and send an accounting start/stop
>>
>>
>> Sat Jun 28 06:58:11 2003: DEBUG: Packet dump:
>> *** Received from xx.xx.xx.xx port 4359 ....
>> Code: Accounting-Request
>> Identifier: 139
>> Authentic:
>> <145><129>)<154><156>q<10><212><21><191><16>5<187><8><134><177>
>> Attributes:
>> <delete>
>> Calling-Station-Id = "6598765432"
>>
>> Sat Jun 28 06:58:11 2003: DEBUG: Handling request with Handler
>> 'Calling-Station-Id=/65987/'
>> Sat Jun 28 06:58:11 2003: DEBUG: Adding session for test, 1.1.1.1, 20
>> Sat Jun 28 06:58:11 2003: DEBUG: Handling with AuthINTERNAL:
>> !!!hang here!!!
>> Sat Jun 28 06:58:13 2003: DEBUG: Packet dump:
>> *** Received from xx.xx.xx.xx port 4359 ....
>> Code: Accounting-Request
>> Identifier: 139
>> Authentic:
>> <145><129>)<154><156>q<10><212><21><191><16>5<187><8><134><177>
>> Attributes:
>> <delete>
>> Calling-Station-Id = "6598765432"
>>
>> Sat Jun 28 06:58:13 2003: INFO: Duplicate request id 139 received from
>> xx.xx.xx.xx(4359): ignored
>>
>>
>> Any suggestion?
>>
>> Regards,
>> Donald
>>
>> -----Original Message-----
>> From: Hugh Irvine
>> To: Foo Donald (Products O2)
>> Cc: 'radiator at open.com.au'
>> Sent: 2003/6/27 ?U?E 01:37
>> Subject: Re: (RADIATOR) some question about the radiator
>>
>>
>> Hello Donald -
>>
>> I am not sure what your configuration file is meant to do, but you
>> might consider using separate Handlers for Authentication and
>> Accounting as you can then use different AuthByPolicy's for the two
>> cases.
>>
>> # define Handlers for accounting and authentication
>>
>> <Handler Request-Type = Accounting-Request>
>> AuthByPolicy ContinueAlways
>> ....
>> </Handler>
>>
>> <Handler>
>> AuthByPolicy ContinueWhileAccept
>> ....
>> </Handler>
>>
>> regards
>>
>> Hugh
>>
>>
>> On Friday, Jun 27, 2003, at 15:32 Australia/Melbourne, Foo Donald
>> (Products O2) wrote:
>>
>>> Hi Hugh,
>>> Looks great with my test machine, appreciated. Besides I cannot find
>>> much information for ContinueAlways, will it have any disadvantage
>>> when using it?
>>>
>>> Actually I was using ContinueWhileAccept (Continue trying to
>>> authenticate as long as it is Accepted), it should continue if it
>>> accepts, but I don't understand why it did continue with other
>>> <auth radius> (cannot see accounting go to the rest 3 accounting
>>> servers, only the first one)
>>> Previous
>>> AuthByPolicy ContinueWhileAccept
>>> AuthBy CheckSQLBlacklist
>>> AuthBy CheckSQLNormal
>>> follow with 4 auth radius.....
>>>
>>>
>>> Regards,
>>> Donald
>>>
>>> p.s. the detail configuration should be at last of the email.
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>> Sent: Friday, June 27, 2003 12:42 PM
>>> To: Foo Donald (Products O2)
>>> Cc: 'radiator at open.com.au'
>>> Subject: Re: (RADIATOR) some question about the radiator
>>>
>>>
>>>
>>> Hello Donald -
>>>
>>> It is difficult to say what is happening without a complete
>>> configuration file and an accompanying trace 4 debug.
>>>
>>> I suspect what is happening here is you have not correctly configured
>>> an AuthByPolicy to control the execution of the AuthBy clauses. In the
>>> case you show below you should probably use this:
>>>
>>> AuthByPolicy ContinueAlways
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On Friday, Jun 27, 2003, at 13:59 Australia/Melbourne, Foo Donald
>>> (Products O2) wrote:
>>>
>>>> Hi Hugh,
>>>> Sorry for pushing so hard, any update for this? We need to fix the
>>>> accounting proxy asap.
>>>> The current status is one radiator proxy to 4 accounting servers
>>>> (A,B,C,D).
>>>> Now we only can see the accounting packet from proxy to A, no
>>>> accounting arrive to B, C, D. Herewith is the current <auth radius>.
>>>>
>>>> <AuthBy RADIUS>
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.2
>>>> </AuthBy>
>>>>
>>>> <AuthBy RADIUS>
>>>> IgnoreAccountingResponse
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.41
>>>> </AuthBy>
>>>>
>>>> <AuthBy RADIUS>
>>>> IgnoreAccountingResponse
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.201
>>>> </AuthBy>
>>>>
>>>> <AuthBy RADIUS>
>>>> IgnoreAccountingResponse
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.202
>>>> </AuthBy>
>>>>
>>>> Regards,
>>>> Donald
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Foo Donald (Products O2) [mailto:Donald.Foo at O2.com]
>>>> Sent: Thursday, June 26, 2003 10:47 PM
>>>> To: 'radiator at open.com.au'
>>>> Subject: (RADIATOR) some question about the radiator
>>>>
>>>>
>>>> Hi there,
>>>> we found something strange after on production. can you help?
>>>> we have a ggsn pointing to two radiator A and B, their configuration
>>>> are the same.
>>>>
>>>> 1. we send the accounting packet to 4 accounting
>>>> server(A1,A2,A3,A4), we only need A1 reply. But if A2 or A3 dead, the
>>>> ggsn will fail to B radiator.
>>>> herewith is the auth radius when we have this problem. with this
>>>> configuration, we can see accounting send to A1, A2 and A3 but not A4,
>>>> why??
>>>> <AuthBy RADIUS>
>>>> Synchronous
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.2
>>>> </AuthBy>
>>>>
>>>> <AuthBy RADIUS>
>>>> Synchronous
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.41
>>>> </AuthBy>
>>>>
>>>> <AuthBy RADIUS>
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.201
>>>> </AuthBy>
>>>>
>>>> <AuthBy RADIUS>
>>>> RetryTimeout 25
>>>> NoForwardAuthentication
>>>> Secret radius
>>>> AcctPort 1813
>>>> Host 10.12.1.202
>>>> </AuthBy>
>>>>
>>>>
>>>> 2) When I put the IgnoreAccountingResponse in each of the tag, I can
>>>> now only see accounting go A1 and don't see any accounting goto A2,
>>>> A3, A4 (the current configuration is on below).
>>>>
>>>> 3) When I do a radiator/mysql process restart (we wrote a script to do
>>>> start and stop) after change the configuration, it will not take
>>>> effect until we reboot it, but the script works fine when test, is
>>>> this relate to stack buffer or cache problem?
>>>>
>>>> 4) we found that the mysql database is growth fast. so it will take
>>>> longer time to start it. is there anything in radiator which can
>>>> detail the database ready before it can connect to it?
>>>>
>>>>
>>>> The current configuration
>>>>
>>> #Foreground
>>> #LogStdout
>>> LogDir /var/radiator
>>> LogFile %L/detail
>>> DbDir /usr/local/radiator
>>> DictionaryFile %D/dictionary,%D/goodies/dictionary.usr
>>> PidFile %L/radiusd.pid
>>> Trace 4
>>>
>>> AuthPort 1812
>>> AcctPort 1813
>>>
>>> <Client DEFAULT>
>>> Secret xxxxx
>>> </Client>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <Client xxxxx>
>>> Secret xxxxx
>>> DupInterval 3
>>> </Client>
>>>
>>> <AuthBy SQL>
>>> Identifier CheckSQLBlacklist
>>> DBSource dbi:mysql:radius
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>> AuthSelect select REJECT from CALLER_BLACKLIST where
>>> Calling_Station='%{Calling-Station-Id}'
>>> AuthColumnDef 0, GENERIC, check
>>> AcceptIfMissing
>>> NoDefaultIfFound
>>> </AuthBy>
>>>
>>> <AuthBy SQL>
>>> Identifier CheckSQLNormal
>>> DBSource dbi:mysql:radius
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>>
>>> AccountingTable ACCOUNTING
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>>> AcctColumnDef ACCTCALLINGSTATIONID,Calling-Station-Id
>>> </AuthBy>
>>>
>>> # M1 Blacklist
>>> <Handler Calling-Station-Id=/^123/>
>>> RejectHasReason
>>> <AuthBy INTERNAL>
>>> DefaultResult REJECT
>>> RejectReason You are not StarHub Customer
>>> </AuthBy>
>>>
>>> <AuthLog SQL>
>>> DBSource dbi:mysql:radius
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>> LogFailure
>>> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>>> </AuthLog SQL>
>>> </Handler>
>>>
>>> # SingTel Blacklist
>>> <Handler Calling-Station-Id=/^123/>
>>> RejectHasReason
>>> <AuthBy INTERNAL>
>>> DefaultResult REJECT
>>> RejectReason You are not StarHub Customer
>>> </AuthBy>
>>>
>>> <AuthLog SQL>
>>> DBSource dbi:mysql:radius
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>> LogFailure
>>> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>>> </AuthLog SQL>
>>> </Handler>
>>>
>>> <Handler>
>>> RejectHasReason
>>> AuthByPolicy ContinueWhileAccept
>>> AuthBy CheckSQLBlacklist
>>> AuthBy CheckSQLNormal
>>> <AuthBy RADIUS>
>>> RetryTimeout 5
>>> NoForwardAuthentication
>>> Secret xxxxx
>>> AcctPort 1813
>>> Host xxxxx
>>> </AuthBy>
>>>
>>> <AuthBy RADIUS>
>>> IgnoreAccountingResponse
>>> RetryTimeout 5
>>> NoForwardAuthentication
>>> Secret xxxxx
>>> AcctPort 1813
>>> Host xxxxx
>>> </AuthBy>
>>>
>>> <AuthBy RADIUS>
>>> IgnoreAccountingResponse
>>> RetryTimeout 25
>>> NoForwardAuthentication
>>> Secret xxxxx
>>> AcctPort 1813
>>> Host xxxxx
>>> </AuthBy>
>>>
>>> <AuthBy RADIUS>
>>> IgnoreAccountingResponse
>>> RetryTimeout 25
>>> NoForwardAuthentication
>>> Secret xxxxx
>>> AcctPort 1813
>>> Host xxxxx
>>> </AuthBy>
>>>
>>> <AuthLog SQL>
>>> DBSource dbi:mysql:radius
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>> LogSuccess
>>> SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 1, 'Authorized', '%{Calling-Station-Id}')
>>> LogFailure
>>> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>>> </AuthLog>
>>>
>>> </Handler>
>>>
>>> <StatsLog SQL>
>>> DBSource dbi:mysql:radius
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>> Interval 3600
>>> </StatsLog>
>>>
>>>
>>>
>>>> Regards,
>>>> Donald
>>>> ===
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>>
>>>
>>
>>
>>
>
>
>
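Added example, not part of the original thread and not Radiator's own code: the accounting exchange from RFC 2866 that the top reply refers to, showing that a server can only answer an Accounting-Request with an Accounting-Response or stay silent, and that a retransmitted request is dropped as a duplicate as in the trace. The function names, the shared secret and the duplicate key (identifier plus authenticator, without source address or time window) are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RFC 2866 defines no accept/reject codes for accounting
SECRET = b"constructed-secret"      # constructed value, not from the thread

def attr(kind, value):
    """Encode one attribute as type, length, value."""
    return bytes([kind, len(value) + 2]) + value

def build_request(ident, attrs, secret):
    """NAS side: authenticator is MD5(header + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def handle(packet, secret, seen, store):
    """Server side: return Accounting-Response bytes, or None to send nothing."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    req_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(req_auth, expected):
        return None                      # bad secret or altered packet: discard silently
    if (ident, req_auth) in seen:
        return None                      # retransmission: ignored, as in the trace
    seen.add((ident, req_auth))
    if not store(attrs):
        return None                      # not recorded: the only "refusal" is silence
    header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request, secret):
    """NAS side: check code, identifier and the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

# Constructed Accounting-Request: Calling-Station-Id (31) and Acct-Status-Type (40) = Start
REQUEST = build_request(139, attr(31, b"6598765432") + attr(40, struct.pack("!I", 1)), SECRET)
```

When `handle` returns None the NAS sees no reply and retransmits until it gives up or fails over, which is the behaviour shown in the quoted debug output.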