(RADIATOR) Re: Problem with Session DB
Hugh Irvine
hugh at open.com.au
Fri Aug 10 18:37:02 CDT 2001
Hello Tom -
What you show below is two identical queries being sent from radpwtst, which
you cannot use for simultaneous use checking. This is because Radiator will
always do a delete (check the log) from the session database for the
Nas-Identifier/Nas-Port combination in the request, because by definition
there cannot be an existing session there. The reason for this is to provide
a measure of self-healing in the face of lost stop packets.
You will also notice that Radiator uses the original username string received
in the request for the session database, because this is the string that must
be used if strict session limits are to be checked (ie - Radiator needs the
same string in the session database as the NAS has in its connection table).
If you want to check simultaneous use with radpwtst, you will need to specify
either a different Nas-Identifier or different Nas-Port for the second
request, using the -nas_ip_address and/or -nas_port parameters.
For details on using radpwtst have a look at section 8 in the Radiator
manual, or just do "radpwtst -h".
regards
Hugh
On Saturday 11 August 2001 04:46, Tom Daly wrote:
> Hugh,
>
> I have finally achieved the SessionDB thing that I have wanted from day one.
> Take a look at this config.
>
> <AuthBy GROUP>
> Identifier Metro2000Auth
> RewriteUsername s/^METRO2000\/(.*)$/$1/
> AuthByPolicy ContinueWhileReject
> <AuthBy EMERALD>
> DBSource dbi:FreeTDS:database=xxx;host=xxx.net;port=1433
> DBUsername xxx
> DBAuth xxx
>
> # You can add to or change these if you want.
> AccountingTable calls
> AcctColumnDef UserName,User-Name
> AcctColumnDef CallDate,Timestamp,integer-date
> AcctColumnDef AcctStatusType,Acct-Status-Type,integer
> AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
> AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
> AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
> AcctColumnDef AcctSessionId,Acct-Session-Id
> AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
> AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
> AcctColumnDef NASIdentifier,NAS-IP-Address
> AcctColumnDef UserService,Service-Type,integer
> AcctColumnDef FramedProtocol,Framed-Protocol,integer
> AcctColumnDef FramedAddress,Framed-IP-Address
> AcctColumnDef NASPortType,NAS-Port-Type,integer
> AcctColumnDef NASPortDNIS,Called-Station-Id
> AcctColumnDef CallerID,Calling-Station-Id
>
> AuthSelect
> </AuthBy>
>
> <AuthBy SQL>
> DBSource dbi:mysql:database=xxx;host=127.0.0.1;port=3306;
> DBUsername xxx
> DBAuth xxx
> AuthSelect select UName,UPass,SesLmt,SvcType,FrmProto,FrmIPAddr,FrmIPMask,FrmMTU,FrmCmpr,FrmRoute,IdleTtl,PortLmt fro$
> AuthColumnDef 0, User-Name, check
> AuthColumnDef 1, User-Password, check
> AuthColumnDef 2, Simultaneous-Use, check
> AuthColumnDef 3, Service-Type, reply
> AuthColumnDef 4, Framed-Protocol, reply
> AuthColumnDef 5, Framed-IP-Address, reply
> AuthColumnDef 6, Framed-IP-Netmask, reply
> AuthColumnDef 7, Framed-MTU, reply
> AuthColumnDef 8, Framed-Compression, reply
> AuthColumnDef 9, Framed-Route, reply
> AuthColumnDef 10, Idle-Timeout, reply
> AuthColumnDef 11, Port-Limit, reply
> DefaultSimultaneousUse 2
> </AuthBy>
>
> <AuthBy FILE>
> Filename %D/users
> DefaultSimultaneousUse 2
> </AuthBy>
>
> AuthLog g4logger
> AuthLog g4faillogger
> </AuthBy>
>
> <Handler>
> RewriteUsername s/^(.*)$/METRO2000\/$1/
> AuthBy Metro2000Auth
> </Handler>
>
> This works great because now my session database shows METRO2000/username
> for every login, which separates all of my wholesalers very very nicely.
> However, this broke simultaneous use checking.
>
> Take a look at this trace.
> User-Name = "test"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<<158><25><141><188><238>>F[<19>o<166><170>3<161>L"
>
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......3400/ should be used to handle this request
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......0286/ should be used to handle this request
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......0536/ should be used to handle this request
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......0540/ should be used to handle this request
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......1677/ should be used to handle this request
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......2776/ should be used to handle this request
> Fri Aug 10 14:26:35 2001: DEBUG: Check if Handler Called-Station-Id=/......4932/ should be used to handle this request
> --
> Fri Aug 10 14:26:35 2001: DEBUG: Rewrote user name to METRO2000/test
> Fri Aug 10 14:26:35 2001: DEBUG: Deleting session for test, 203.63.154.1, 1234
> Fri Aug 10 14:26:35 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
>
> Fri Aug 10 14:26:35 2001: DEBUG: Handling with Radius::AuthGROUP
> Fri Aug 10 14:26:35 2001: DEBUG: Rewrote user name to test
> Fri Aug 10 14:26:35 2001: DEBUG: Handling with Radius::AuthEMERALD
> Fri Aug 10 14:26:35 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Aug 10 14:26:35 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Aug 10 14:26:35 2001: DEBUG: Query is: select UName,UPass,SesLmt,SvcType,FrmProto,FrmIPAddr,FrmIPMask,FrmMTU,FrmCmpr,FrmRoute,IdleTtl,PortLmt from auth where UName = 'test'
>
> Fri Aug 10 14:26:35 2001: DEBUG: Radius::AuthSQL looks for match with test
> Fri Aug 10 14:26:35 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
> ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME= 'test'
>
> Fri Aug 10 14:26:35 2001: DEBUG: Radius::AuthSQL ACCEPT:
> Fri Aug 10 14:26:35 2001: DEBUG: Access accepted for test
> Fri Aug 10 14:26:35 2001: DEBUG: Packet dump:
> *** Sending to 216.177.0.15 port 1142 ....
> Code: Access-Accept
> Identifier: 46
> Authentic: 1234567890123456
> Attributes:
> Framed-IP-Address = 255.255.255.254
> Idle-Timeout = 1200
> Port-Limit = 1
> Service-Type = 2
> Framed-Protocol = 1
> Framed-IP-Netmask = 255.255.255.255
> Framed-MTU = 1500
> Framed-Compression = 0
>
> --
> User-Name = "test"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Framed-IP-Address = 255.255.255.254
>
> Fri Aug 10 14:26:36 2001: DEBUG: Check if Handler Called-Station-Id=/......3400/ should be used to handle this request
> Fri Aug 10 14:26:36 2001: DEBUG: Check if Handler Called-Station-Id=/......0286/ should be used to handle this request
> Fri Aug 10 14:26:36 2001: DEBUG: Check if Handler Called-Station-Id=/......0536/ should be used to handle this request
> Fri Aug 10 14:26:36 2001: DEBUG: Check if Handler Called-Station-Id=/......0540/ should be used to handle this request
> Fri Aug 10 14:26:36 2001: DEBUG: Check if Handler Called-Station-Id=/......1677/ should be used to handle this request
> --
> Fri Aug 10 14:26:36 2001: DEBUG: Rewrote user name to METRO2000/test
> Fri Aug 10 14:26:36 2001: DEBUG: Adding session for test, 203.63.154.1, 1234
> Fri Aug 10 14:26:36 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
>
> Fri Aug 10 14:26:36 2001: DEBUG: do query is: insert into RADONLINE
> (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
> FRAMEDIPADDRESS,NASPORTTYPE, SERVICETYPE, CLID, DNIS) values
> ('METRO2000/test', '203.63.154.1', 1234, '00001234', 997467996,
> '255.255.255.254', 'Async', 'Framed-User','987654321','123456789')
>
> Fri Aug 10 14:26:36 2001: DEBUG: Handling with Radius::AuthGROUP
> Fri Aug 10 14:26:36 2001: DEBUG: Rewrote user name to test
> Fri Aug 10 14:26:36 2001: DEBUG: Handling with Radius::AuthEMERALD
> Fri Aug 10 14:26:36 2001: DEBUG: Handling accounting with Radius::AuthEMERALD
> Fri Aug 10 14:26:36 2001: DEBUG: do query is: insert into calls
> (UserName, CallDate, AcctStatusType, AcctSessionId,
> NASIdentifier, NASPort, UserService, FramedAddress, NASPortType,
> NASPortDNIS, CallerID) values
> ('test', 'Aug 10, 2001 14:26', 1, '00001234',
> '203.63.154.1', 1234, 2, '255.255.255.254', 0, '123456789', '987654321')
>
> Fri Aug 10 14:26:36 2001: DEBUG: Accounting accepted
> Fri Aug 10 14:26:36 2001: DEBUG: Packet dump:
> *** Sending to 216.177.0.15 port 1142 ....
> Code: Accounting-Response
> Identifier: 47
> Authentic: <221><194>E<20><243><145><9><184><4>r<0><210><127><170><226>S
> Attributes:
>
> Fri Aug 10 14:26:36 2001: DEBUG: SNMPAgent: received request 129, 1840502690, metro2000private
> Fri Aug 10 14:26:36 2001: DEBUG: Packet dump:
> *** Received from 216.177.0.15 port 1142 ....
> Code: Accounting-Request
> Identifier: 48
> Authentic: <253><251><217>7<223>Bj<136>G<5><140><152>ky4<203>
> --
> User-Name = "test"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Framed-IP-Address = 255.255.255.254
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
> Fri Aug 10 14:26:36 2001: DEBUG: Check if Handler Called-Station-Id=/......3400/ should be used to handle this request
> --
> Fri Aug 10 14:26:36 2001: DEBUG: Rewrote user name to METRO2000/test
> Fri Aug 10 14:26:36 2001: DEBUG: Deleting session for test, 203.63.154.1, 1234
> Fri Aug 10 14:26:36 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
>
> Fri Aug 10 14:26:36 2001: DEBUG: Handling with Radius::AuthGROUP
> Fri Aug 10 14:26:36 2001: DEBUG: Rewrote user name to test
> Fri Aug 10 14:26:36 2001: DEBUG: Handling with Radius::AuthEMERALD
> Fri Aug 10 14:26:36 2001: DEBUG: Handling accounting with Radius::AuthEMERALD
> Fri Aug 10 14:26:36 2001: DEBUG: do query is: insert into calls
> (UserName, CallDate, AcctStatusType, AcctDelayTime,
> AcctInputOctets, AcctOutputOctets, AcctSessionId, AcctSessionTime,
> NASIdentifier, NASPort, UserService, FramedAddress, NASPortType,
> NASPortDNIS, CallerID) values
> ('test', 'Aug 10, 2001 14:26', 2, 0, 20000, 30000,
> '00001234', 1000, '203.63.154.1', 1234, 2, '255.255.255.254', 0,
> '123456789', '987654321')
>
>
> These are my SessionDB Queries:
>
> CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS
> from RADONLINE where USERNAME= '%u'
>
> AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,
> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS,\ NASPORTTYPE, SERVICETYPE,
> CLID, DNIS) values ('%n', '%N', %{NAS-Port}, '%{Acct-Session-Id}',
> %{Timestamp}, \ '%{Framed-IP-Address}', '%{NAS-Port-Type}',
> '%{Service-Type}','%{Calling-Station-Id}','%{Called-Station-Id}')
>
>
> Now, I believe the problem here is the point at which the CountQuery
> happens. The AddQuery occurs between the time just after I add METRO2000\
> to the username, but the CountQuery happens after the METRO2000\ is
> stripped off in the AuthBy Metro2000Auth Section. Is there a way to modify
> this so I can fix my simultaneous use checking?
>
> Any help would be great, Thanks in advance,
>
> Tom Daly
> Network Operations Administrator
> G4 Communications Corp. / Metro2000 Internet Services
> V: 603.296.4413 / F: 603.647.7576
> E: tomdaly at metro2000.net / W3: www.metro2000.net
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
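The session-database behaviour Hugh describes, as an added illustration that is not part of the original thread and not Radiator's own (Perl) code: an in-memory SQLite model of the RADONLINE table with the delete-by-NAS/port, count-by-username and insert steps that the quoted trace shows. Table and column names are taken from the queries in the thread; the limit values, session ids and the second NAS-Port (1235) are constructed for the example. Three scenarios are modelled: two identical requests from the same NAS/port (the radpwtst case, which never trips the limit because the port's row is deleted before counting), a second login from another port (the limit is enforced), and the AddQuery/CountQuery username mismatch visible in the trace (METRO2000/test stored, test counted).

```python
# Added example (not Radiator's code): model of the RADONLINE session database
# and of the delete / count / insert sequence seen in the trace above.
# Names of the table and columns follow the thread; sample values are constructed.
import sqlite3

SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME        TEXT,
    NASIDENTIFIER   TEXT,
    NASPORT         INTEGER,
    ACCTSESSIONID   TEXT,
    TIME_STAMP      INTEGER
)
"""


class SessionDB:
    """Minimal stand-in for an SQL session database, using bound parameters."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def delete_by_port(self, nas_id, nas_port):
        # Every request first clears whatever is recorded for this NAS/port:
        # a port carries one session at a time, so a leftover row there is a
        # lost Stop and is healed away (Hugh's point above).
        self.db.execute(
            "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?",
            (nas_id, nas_port),
        )

    def count(self, username):
        # CountQuery: rows for this exact username string.
        cur = self.db.execute(
            "SELECT COUNT(*) FROM RADONLINE WHERE USERNAME = ?", (username,)
        )
        return cur.fetchone()[0]

    def add(self, username, nas_id, nas_port, session_id, ts):
        # AddQuery on an Accounting Start: delete for the port, then insert.
        self.delete_by_port(nas_id, nas_port)
        self.db.execute(
            "INSERT INTO RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, "
            "ACCTSESSIONID, TIME_STAMP) VALUES (?, ?, ?, ?, ?)",
            (username, nas_id, nas_port, session_id, ts),
        )


def access_request(db, count_name, nas_id, nas_port, limit):
    """True if the login passes the Simultaneous-Use check for count_name."""
    db.delete_by_port(nas_id, nas_port)  # always done before counting
    return db.count(count_name) < limit


def scenario_same_port():
    """Two identical radpwtst requests: same NAS and NAS-Port, limit 1."""
    db = SessionDB()
    first = access_request(db, "test", "203.63.154.1", 1234, limit=1)
    db.add("test", "203.63.154.1", 1234, "00001234", 997467996)
    # The repeat deletes the port-1234 row before counting, so the count is 0
    # and the login is accepted although the limit is 1.
    second = access_request(db, "test", "203.63.154.1", 1234, limit=1)
    return first, second, db.count("test")


def scenario_other_port():
    """Second login from a different NAS-Port: the live session is counted."""
    db = SessionDB()
    access_request(db, "test", "203.63.154.1", 1234, limit=1)
    db.add("test", "203.63.154.1", 1234, "00001234", 997467996)
    second = access_request(db, "test", "203.63.154.1", 1235, limit=1)
    return second, db.count("test")


def scenario_name_mismatch():
    """AddQuery stored the rewritten name, CountQuery looks up the stripped one."""
    db = SessionDB()
    db.add("METRO2000/test", "203.63.154.1", 1234, "00001234", 997467996)
    # Counting under 'test' never finds the 'METRO2000/test' row, so the
    # limit is never reached however many ports the user is on.
    accepted = access_request(db, "test", "203.63.154.1", 1235, limit=1)
    return accepted, db.count("test"), db.count("METRO2000/test")


if __name__ == "__main__":
    print("same port   :", scenario_same_port())
    print("other port  :", scenario_other_port())
    print("name mismatch:", scenario_name_mismatch())
```

The third scenario is the one to check in a real deployment: the string written by AddQuery and the string looked up by CountQuery must be produced at the same point in the rewrite chain, otherwise the session limit is silently never applied.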