(RADIATOR) LDAP AUTH and MySQL Accounting
Hugh Irvine
hugh at open.com.au
Fri Oct 5 04:27:43 CDT 2001
Hello Andreas -
Have you got the correct AuthByPolicy set (as shown in my example)?
It should be AuthByPolicy ContinueAlways.
The trace file would seem to indicate that you are using the default, which
is continue until accept or reject.
Either that or you have the AuthBy clauses in the wrong order - the AuthBy
SQL that does the accounting must be before the AuthBy clause that actually
does the authentication, so the result of the last AuthBy is the result of
the authentication (again as shown in my example).
regards
Hugh
On Friday 05 October 2001 18:12, Andreas Häggander wrote:
> Hi again !
>
> >This is fairly straightforward to implement.
> >
> >Here is how to do it:
>
> I thought so too, but it still doesn't work.
>
> I used the config file you sent but I got:
>
> # Fri Oct 5 10:10:31 2001: DEBUG: Packet dump:
> *** Received from 212.73.0.14 port 49152 ....
> Code: Access-Request
> Identifier: 76
> Authentic: <0><0><12><133><0><0><20>~<0><0>i<9><0><0><2><220>
> Attributes:
> User-Name = "mike at test.net"
> User-Password = "-T<206>_<241><222><29>R<10><194>v<190>i<17><196>3"
> Acct-Session-Id = "9800004c"
> NAS-IP-Address = 212.73.0.14
> Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 123965696
>
> Fri Oct 5 10:10:31 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Oct 5 10:10:31 2001: DEBUG: SQLSDB Deleting session for mike at test.net, 212.73.0.14, 123965696
> Fri Oct 5 10:10:31 2001: DEBUG: do query is: delete from RADONLINE where
> NASIDENTIFIER='212.73.0.14' and NASPORT=0123965696
>
> Fri Oct 5 10:10:31 2001: DEBUG: Handling with Radius::AuthFILE: CheckFILE
> Fri Oct 5 10:10:31 2001: DEBUG: Radius::AuthFILE looks for match with
> mike at test.net
> Fri Oct 5 10:10:31 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
> ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
> USERNAME='mike at test.net'
>
> Fri Oct 5 10:10:31 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Oct 5 10:10:31 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Oct 5 10:10:31 2001: INFO: Access rejected for mike at test:
> Authentication disabled
> Fri Oct 5 10:10:31 2001: DEBUG: Packet dump:
> *** Sending to 212.73.0.14 port 49152 ....
> Code: Access-Reject
> Identifier: 76
> Authentic: <0><0><12><133><0><0><20>~<0><0>i<9><0><0><2><220>
> Attributes:
> Framed-IP-Address = 0.0.0.0
> Framed-IP-Netmask = 0.0.0.0
> Reply-Message = "Request Denied"
>
>
> I don't want to hold the user table in MySQL.
>
> /Andreas
>
> At 09:02 2001-10-05 +1000, Hugh Irvine wrote:
> >Hello Andreas -
> >
> >This is fairly straightforward to implement.
> >
> >Here is how to do it:
> >
> ># radius.cfg
> >
> >AuthPort 1645
> >AcctPort 1646
> >
> ># define Client(s)
> >
> ><Client x.x.x.x>
> > Secret mysecret
> > DupInterval 0
> ></Client>
> >
> ># define AuthBy(s)
> >
> ><AuthBy FILE>
> > Identifier CheckFILE
> > Filename /usr/local/etc/users
> > DefaultSimultaneousUse 1
> > AcctLogFileName /usr/local/etc/detail
> ></AuthBy>
> >
> ><AuthBy LDAP2>
> > Identifier CheckLDAP
> > ......
> ></AuthBy>
> >
> ><AuthBy SQL>
> > Identifier AcctSQL
> > DBSource dbi:mysql:radius
> > DBUsername root
> > DBAuth hegge74
> > AuthSelect
> > AccountingTable ACCOUNTING
> > AcctColumnDef USERNAME,User-Name
> > AcctColumnDef TIME_STAMP,Timestamp,integer
> > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> > AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> > AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> > AcctColumnDef NASIDENTIFIER,NAS-Identifier
> > AcctColumnDef NASPORT,NAS-Port,integer
> > AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> ></AuthBy>
> >
> ># define SessionDatabase
> >
> ><SessionDatabase SQL>
> > Identifier SQLSDB
> > DBSource dbi:mysql:radius:localhost
> > DBUsername mysqluser
> > DBAuth mysqlpasswd
> ></SessionDatabase>
> >
> ># define Realm(s)
> >
> ><Realm DEFAULT>
> > AuthByPolicy ContinueAlways
> > AuthBy AcctSQL
> > AuthBy CheckLDAP
> > SessionDatabase SQLSDB
> ></Realm>
> >
> >
> >If you have any other questions, please ask.
> >
> >regards
> >
> >Hugh
> >
> >On Thursday 04 October 2001 22:36, Andreas Häggander wrote:
> > > Hi !
> > >
> > > I want to use LDAP for Authentication and store the Accounting in a MySQL
> > > database. At the same time I want to use a MySQL database for a session
> > > database.
> > >
> > > Is this possible ?
> > >
> > > I have tried this (AUTH by FILE and not LDAP for so long), see below,
> > > but I can't get it working with the SessionDB and the Accounting.
> > > A
> > >
> > >
> > > radius.cfg
> > >
> > > AuthPort 1645
> > > AcctPort 1646
> > >
> > > <Client x.x.x.x>
> > > Secret mysecret
> > > DupInterval 0
> > > </Client>
> > >
> > > <Realm DEFAULT>
> > >
> > > <AuthBy FILE>
> > > Filename /usr/local/etc/users
> > > DefaultSimultaneousUse 1
> > > AcctLogFileName /usr/local/etc/detail
> > > </AuthFile>
> > >
> > > <AuthBy SQL>
> > >
> > > DBSource dbi:mysql:radius
> > > DBUsername root
> > > DBAuth hegge74
> > >
> > > AccountingTable ACCOUNTING
> > > AcctColumnDef USERNAME,User-Name
> > > AcctColumnDef TIME_STAMP,Timestamp,integer
> > > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> > > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> > > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> > > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> > > AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> > > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> > > AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> > > AcctColumnDef NASIDENTIFIER,NAS-Identifier
> > > AcctColumnDef NASPORT,NAS-Port,integer
> > > AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> > >
> > > </AuthBy>
> > > </Realm>
> > >
> > > <SessionDatabase SQL>
> > >
> > > DBSource dbi:mysql:radius:localhost
> > > DBUsername mysqluser
> > > DBAuth mysqlpasswd
> > >
> > > </SessionDatabase>
> > >
> > >
> > >
> > > Code: Access-Request
> > > Identifier: 62
> > > Authentic: <0><0>b<25><0><0>:<129><0><0>w<19><0><0>HS
> > > Attributes:
> > > User-Name = "mike at test.net"
> > > User-Password =
> > > "<4><255>i<14><204>Ol<177><242>h<207><127><168><180><247><194>"
> > > Acct-Session-Id = "9800003e"
> > > NAS-IP-Address = x.x.x.x
> > > Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
> > > Service-Type = Framed-User
> > > Framed-Protocol = PPP
> > > NAS-Port = 123965696
> > >
> > > Thu Oct 4 14:12:11 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Oct 4 14:12:11 2001: DEBUG: Deleting session for mike at test.net, x.x.x.x, 123965696
> > > Thu Oct 4 14:12:11 2001: DEBUG: Handling with Radius::AuthFILE:
> > > Thu Oct 4 14:12:11 2001: DEBUG: Radius::AuthFILE looks for match with
> > > mike at test.net
> > > Thu Oct 4 14:12:11 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > > Thu Oct 4 14:12:11 2001: DEBUG: Access accepted for mike at test.net
> > > Thu Oct 4 14:12:11 2001: DEBUG: Packet dump:
> > > *** Sending to 212.73.0.14 port 49152 ....
> > > Code: Access-Accept
> > > Identifier: 62
> > > Authentic: <0><0>b<25><0><0>:<129><0><0>w<19><0><0>HS
> > >
> > > Attributes:
> > > Framed-IP-Address = 0.0.0.0
> > > Framed-IP-Netmask = 0.0.0.0
> > >
> > >
> > > Thu Oct 4 14:12:11 2001: DEBUG: Packet dump:
> > > *** Received from x.x.x.x port 49153 ....
> > > Code: Accounting-Request
> > > Identifier: 89
> > > Authentic: <227>O<zl<146>#qn<4>9<238><209>3<253><138>
> > > Attributes:
> > > Acct-Status-Type = Start
> > > User-Name = "mike at test.net"
> > > Event-Timestamp = 1002204666
> > > Service-Type = Annex-Framed-Tunnel
> > > NAS-IP-Address = x.x.x.x
> > > Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
> > > NAS-Port = 180
> > > Acct-Session-Id = "9800003e"
> > > Acct-Authentic = RADIUS
> > > Framed-IP-Address = 10.75.0.222
> > > Framed-IP-Netmask = 255.255.255.255
> > >
> > > Thu Oct 4 14:12:11 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Oct 4 14:12:11 2001: DEBUG: Adding session for mike at test.net, x.x.x.x, 180
> > > Thu Oct 4 14:12:11 2001: DEBUG: Handling with Radius::AuthFILE:
> > > Thu Oct 4 14:12:11 2001: DEBUG: Accounting accepted
> > > Thu Oct 4 14:12:11 2001: DEBUG: Packet dump:
> > > *** Sending to 212.73.0.14 port 49153 ....
> > > Code: Accounting-Response
> > > Identifier: 89
> > > Authentic: <227>O<zl<146>#qn<4>9<238><209>3<253><138>
> > > Attributes:
> > >
> > > Thu Oct 4 14:14:49 2001: DEBUG: Packet dump:
> > > *** Received from x.x.x.x port 49153 ....
> > > Code: Accounting-Request
> > > Identifier: 90
> > > Authentic: <196><132><231>`<7><1><155><198>MGZ<173><31><25>Wn
> > > Attributes:
> > > Acct-Status-Type = Stop
> > > User-Name = "mike at test.net"
> > > Event-Timestamp = 1002204823
> > > Service-Type = Annex-Framed-Tunnel
> > > NAS-IP-Address = x.x.x.x
> > > Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
> > > NAS-Port = 180
> > > Acct-Session-Id = "9800003e"
> > > Acct-Authentic = RADIUS
> > > Framed-IP-Address = 10.75.0.222
> > > Framed-IP-Netmask = 255.255.255.255
> > > Acct-Input-Octets = 10224
> > > Acct-Output-Octets = 46328
> > > Acct-Input-Packets = 92
> > > Acct-Output-Packets = 95
> > > Acct-Terminate-Cause = Lost-Carrier
> > > Acct-Session-Time = 157
> > >
> > > Thu Oct 4 14:14:49 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Oct 4 14:14:49 2001: DEBUG: Deleting session for mike at test.net, x.x.x.x, 180
> > > Thu Oct 4 14:14:49 2001: DEBUG: Handling with Radius::AuthFILE:
> > > Thu Oct 4 14:14:49 2001: DEBUG: Accounting accepted
> > > Thu Oct 4 14:14:49 2001: DEBUG: Packet dump:
> > > *** Sending to 212.73.0.14 port 49153 ....
> > > Code: Accounting-Response
> > > Identifier: 90
> > > Authentic: <196><132><231>`<7><1><155><198>MGZ<173><31><25>Wn
> > > Attributes:
> > >
> > >
> > > mysql> select * from ACCOUNTING;
> > > Empty set (0.00 sec)
> > >
> > > mysql> select * from RADONLINE;
> > > Empty set (0.00 sec)
> > >
> > >
> > >
> > > Cheers
> > >
> > > /Andreas
> > >
> > > ===
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> >-
> >Nets: internetwork inventory and management - graphical, extensible,
> >flexible with hardware, software, platform and database independence
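
An added illustration, not part of the original messages and not Radiator code: a small Python model of the AuthBy ordering discussed in this thread, run over the configurations that appear in it. It assumes the default policy stops at the first accept or reject, as described above, and that an AuthBy SQL with an empty AuthSelect rejects Access-Requests, as the second trace shows; all function names are hypothetical.

```python
# Added illustration: a model of AuthByPolicy evaluation as described in this
# thread. It is not Radiator code; every name below is hypothetical.
ACCEPT, REJECT = "ACCEPT", "REJECT"

def check_file(code, db):
    """Stands in for the AuthBy that really authenticates (FILE or LDAP2)."""
    return ACCEPT  # constructed: the test user always authenticates

def acct_sql(code, db):
    """Stands in for AuthBy SQL with an empty AuthSelect (accounting only)."""
    if code == "Accounting-Request":
        db.append("ACCOUNTING row")  # accounting is written to SQL
        return ACCEPT
    return REJECT  # the "Authentication disabled" reject seen in the trace

def handle(policy, chain, code):
    """Run the AuthBy chain under the given policy.

    Returns (final result, names of the AuthBys that ran, rows written)."""
    db, ran, result = [], [], None
    for authby in chain:
        result = authby(code, db)
        ran.append(authby.__name__)
        # Default as described in the thread: continue until accept or reject.
        if policy == "default" and result in (ACCEPT, REJECT):
            break
        # "ContinueAlways": never stop early; the last result is returned.
    return result, ran, db

def scenarios():
    """Outcomes for the configurations discussed in the thread."""
    auth_first, sql_first = [check_file, acct_sql], [acct_sql, check_file]
    return {
        "default, auth first, accounting":
            handle("default", auth_first, "Accounting-Request"),
        "ContinueAlways, auth first, access":
            handle("ContinueAlways", auth_first, "Access-Request"),
        "ContinueAlways, SQL first, access":
            handle("ContinueAlways", sql_first, "Access-Request"),
        "ContinueAlways, SQL first, accounting":
            handle("ContinueAlways", sql_first, "Accounting-Request"),
    }

if __name__ == "__main__":
    for name, (result, ran, db) in scenarios().items():
        print(f"{name}: {result} via {ran}, rows written: {len(db)}")
```

The first scenario matches the empty ACCOUNTING table in the original report, the second matches the Access-Reject in the follow-up trace, and the last two show the ordering given in the example configuration.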