(RADIATOR) profiles

Fred Albrecht <Fred@vwo.co.za>
Mon Sep 3 03:41:04 CDT 2001


Hi All

I managed to get my company to buy copies of Radiator ... but forgot to tell
them about a support contract (ugh).  And now I need support :-) .  Can you
guys and gals perhaps help?  Phulease?

Here's my situation.  I need to move one of our userbases (which we bought
from another ISP) off Cistron Radius ASAP and onto LDAP with Radiator.  The
users.db file that Cistron uses looks something like this:

fredISDN:Class="01",User-Category="ISDN"
freddefault:Class="02",User-Category="DEFAULT"
fredB:Class="03",User-Category="Blank"
fredT:Class="04",User-Category="Tank"
(and Lots more entries)

The users file contains:

#-----------------
Blank
        Filter-Id = "filter.in",
        User-Category = "DEFAULT"

Tank
        User-Category = "DEFAULT"

ISDN    Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Port-Limit = 1

DEFAULT NAS-Port-Type = Async, Auth-Type=System
#------------------

This is how I understand the config.
User fredISDN will be authenticated with NIS (system authentication),
and will be sent Service-Type = Framed-User, Framed-Protocol = PPP,
Port-Limit = 1.
User fredB can only dial in with Async as port-type, will be NIS auth'ed,
and will get Filter-Id = "filter.in".
Users fredT and freddefault can only dial as Async and will be NIS auth'ed.

Note that the ISDN user's NAS-Port-Type is not specified, thus Sync and
Async will work (meaning he can dial with a normal or ISDN modem).

My switch to LDAP looks like this.

<Handler Realm=dummy>
        # Get rid of all the funny stuff
        RewriteUsername      s/^([^@]+).*/$1/
        RewriteUsername      s/^.*\/(.*)/$1/
        RewriteUsername      s/^.*\\(.*)/$1/
        <AuthBy LDAP2>
                Host            my.host.name
                HoldServerConnection
                NoDefaultIfFound

                AuthDN uid=manager
                AuthPassword XXXXXXX

                BaseDN ou=stuff

                UsernameAttr    uid
                PasswordAttr    userPassword
                AuthAttrDef accountname,Class,reply
                AuthAttrDef radiusauthentication,Radius-Category,request

                PostSearchHook file:"%D/handle_DUMMY_users"

        </AuthBy>
</Handler>

The handle_DUMMY_users file looks like this:
(When I learnt Perl I read somewhere that there are no pointers like in C,
so I never bothered to look further into it, but when I look at the Radiator
code it seems like there are pointers everywhere! (I'm an old C programmer).
So while trying to get the code to work (and figure it out at the same time)
I used lots of log prints to help show me what the variables are doing.)
# PostSearchHook for <AuthBy LDAP2>. Argument positions as used here:
# $_[2] is the incoming request packet (its ->code is logged below as
# "Access-Request"), $_[4] is the LDAP search result for the user.
sub
{
    my ($request, $ldap_result) = ($_[2], $_[4]);

    # First value of the LDAP attribute radiusauthentication is the
    # profile name; RADIUS attribute number 61 is NAS-Port-Type.
    my ($category) = $ldap_result->get('radiusauthentication');
    my $port_type  = $request->getAttrByNum(61);

    # Defaults when the attribute or the LDAP value is missing.
    $port_type = 'Async'   unless defined $port_type;
    $category  = 'DEFAULT' unless defined $category;

    &main::log($main::LOG_DEBUG, "--- " . $request->code . " ---");
    &main::log($main::LOG_DEBUG, "Port_type=$port_type");
    &main::log($main::LOG_DEBUG, "Category=$category =============");
    # Marker that the hook ran (the condition tried earlier,
    # $_[2]->code eq 'Access-Accept', can never hold for a request packet).
    &main::log($main::LOG_ERR, "HHEHEHEHEHEHEHE");

    # Rule under test: the DUMMY_ISDN profile is only allowed from an Async port.
    if ($category eq 'DUMMY_ISDN' && $port_type ne 'Async')
    {
        # Packet codes are names such as 'Access-Reject' (compare ->code
        # above); $main::REJECT is the integer result an AuthBy returns.
        $request->set_code('Access-Reject');
        $request->addAttrByNum($Radius::Radius::REPLY_MESSAGE, 'Request Denied');
        &main::log($main::LOG_ERR, "Access Rejected: Port not Async");
    }
}

Now, when I try to authenticate an ISDN user like so:

radpwtst -trace -secret xxx -noacct -auth_port 1814 -acct_port 1815 \
  -user fredisdn@dummy -password 123456 -nas_ip_address x.x.x.x \
  -nas_port 1 -nas_port_type "Sync"

the server does not send a reply.  In fact the debug looks as follows:

Code:       Access-Request
Identifier: 128
Authentic:  1234567890123456
Attributes:
        User-Name = "testisdn@dummy"
        Service-Type = Framed-User
        NAS-IP-Address = 196.41.131.10
        NAS-Port = 1
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Sync
        User-Password = "<200><185>l<153><154>j<4><246><188>8<9><160><216>}x<153>"

Fri Aug 31 21:52:50 2001: DEBUG: Check if Handler Realm=dummy should be used to handle this request
Fri Aug 31 21:52:50 2001: DEBUG: Handling request with Handler 'Realm=dummy'
Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
Fri Aug 31 21:52:50 2001: DEBUG:  Deleting session for fredisdn@dummy, x.x.x.x, 1
Fri Aug 31 21:52:50 2001: DEBUG: Handling with Radius::AuthLDAP2
Fri Aug 31 21:52:50 2001: DEBUG: Attempting to bind with uid=....
Fri Aug 31 21:52:50 2001: DEBUG: LDAP got result for uid=fredisdn,ou=.......
Fri Aug 31 21:52:50 2001: DEBUG: LDAP got userPassword: {SHA}goobledygook=
Fri Aug 31 21:52:50 2001: DEBUG: LDAP got radiusauthentication: DUMMY_ISDN
Fri Aug 31 21:52:50 2001: DEBUG: --- Access-Request ---
Fri Aug 31 21:52:50 2001: DEBUG: Port_type=Sync
Fri Aug 31 21:52:50 2001: DEBUG: Category=DUMMY_ISDN =============
Fri Aug 31 21:52:50 2001: ERR: HHEHEHEHEHEHEHE
Fri Aug 31 21:52:50 2001: ERR: Access Rejected: Port not Async
Fri Aug 31 21:52:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with fredisdn
Fri Aug 31 21:52:50 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:

And then the server debug repeats the above DEBUG.

Trying as the same user, but with "Async" instead of "Sync" gives the
following:

Code:       Access-Request
Identifier: 129
Authentic:  1234567890123456
Attributes:
        User-Name = "fredisdn@dummy"
        Service-Type = Framed-User
        NAS-IP-Address = x.x.x.x
        NAS-Port = 1
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "ummmm"

Mon Sep  3 10:08:00 2001: DEBUG: Check if Handler Realm=dummy should be used to handle this request
Mon Sep  3 10:08:00 2001: DEBUG: Handling request with Handler 'Realm=dummy'
Mon Sep  3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
Mon Sep  3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
Mon Sep  3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
Mon Sep  3 10:08:00 2001: DEBUG:  Deleting session for fredisdn@dummy, x.x.x.x, 1
Mon Sep  3 10:08:00 2001: DEBUG: Handling with Radius::AuthLDAP2
Mon Sep  3 10:08:00 2001: DEBUG: Connecting to ........, port 389
Mon Sep  3 10:08:01 2001: DEBUG: Attempting to bind with uid=...........
Mon Sep  3 10:08:01 2001: DEBUG: LDAP got result for uid=fredisdn,ou=..............
Mon Sep  3 10:08:01 2001: DEBUG: LDAP got userPassword: {SHA}stuff=
Mon Sep  3 10:08:01 2001: DEBUG: LDAP got radiusauthentication: DUMMY_ISDN
Mon Sep  3 10:08:01 2001: DEBUG: --- Access-Request ---
Mon Sep  3 10:08:01 2001: DEBUG: Port_type=Async
Mon Sep  3 10:08:01 2001: DEBUG: Category=DUMMY_ISDN =============
Mon Sep  3 10:08:01 2001: ERR: HHEHEHEHEHEHEHE
Mon Sep  3 10:08:01 2001: DEBUG: Radius::AuthLDAP2 looks for match with fredisdn
Mon Sep  3 10:08:01 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Sep  3 10:08:01 2001: DEBUG: Access accepted for fredisdn
Mon Sep  3 10:08:01 2001: DEBUG: Packet dump:
*** Sending to 196.41.131.10 port 37361 ....

Packet length = 20
02 81 00 14 e1 d4 3c 44 ce 1c 76 b0 c6 83 9e ce
a9 8f 4f 69
Code:       Access-Accept
Identifier: 129
Authentic:  1234567890123456
Attributes:

Which looks ok (right?!).

I think my problem is that I do not know how to specify a reject properly.
I seem to set it with set_code($main::REJECT) but the reject never gets sent
back to the user.

I have looked at the hooks file in the goodies directory, but my lack of
pointer programming in Perl (give me C any day! :-)) and the lack of an API
for Perl in the documentation puts me at a slight disadvantage.  I've also
looked at the profiles file in the goodies directory which looks like a
promising way to go, but I need to figure out still how I can integrate that
with my LDAP config.

So, I hope that someone could shed some light on my situation, or show me
another direction I could pursue.  I'd really appreciate it.  If you need
more info from my side then I'll help wherever I can.

Radiator newby :-)

"Try there is not." - Yoda



Disclaimer: This email is considered a business record and is therefore
property of Vodacom World Online (Pty) Ltd. This email, and any files
transmitted with it are confidential and are intended solely for the use of
the individual or entity to whom they are addressed. This communication
represents the originator's personal views and opinions, which do not
necessarily reflect those of Vodacom World Online (Pty) Ltd. If you are not
the original recipient or the person responsible for delivering the email to
the intended recipient, be advised that you have this email in error, and
that any use, dissemination, forwarding, printing, or copying of this email
is strictly prohibited. If you received this email in error, please
immediately notify disclaimer@vwo.co.za.
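The following is an added example written for this page; it is not code from the original post and not part of Radiator. It is a stand-alone Perl script that models the post's setup offline: the three RewriteUsername rules applied in the order the Handler lists them, a parser for the users.db line format shown above, and the Cistron "users" profiles walked as the post reads them (a User-Category = "DEFAULT" inside a profile pulls in the DEFAULT entry's NAS-Port-Type = Async check). It calls no Radiator API, the users.db lines are constructed from the ones quoted in the post, and Auth-Type = System (NIS) is left out since it concerns the authenticator rather than the profile rules.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from Radiator. Models the
# RewriteUsername rules, the users.db format and the Cistron profile chain as
# the post reads it. Sample data below is constructed from the post.
use strict;
use warnings;

# The three rules from <Handler Realm=dummy>, applied in the same order.
sub rewrite_username {
    my ($name) = @_;
    $name =~ s/^([^@]+).*/$1/;    # drop "@realm" and anything after it
    $name =~ s/^.*\/(.*)/$1/;     # keep only what follows the last '/'
    $name =~ s/^.*\\(.*)/$1/;     # keep only what follows the last '\'
    return $name;
}

# users.db lines look like  name:Attr="val",Attr="val"  (format from the
# post). Returns { name => { Attr => val, ... } }. Names are case-sensitive.
sub parse_users_db {
    my %users;
    for my $line (@_) {
        next if $line =~ /^\s*(#|$)/;
        my ($name, $rest) = split /:/, $line, 2;
        next unless defined $rest;
        my %attrs;
        $attrs{$1} = $2 while $rest =~ /([\w-]+)="([^"]*)"/g;
        $users{$name} = \%attrs;
    }
    return \%users;
}

# The "users" file profiles: check items (must match the request), reply
# items (returned on Access-Accept) and, as the post reads User-Category,
# the next profile in the chain.
my %PROFILE = (
    ISDN    => { check => {},
                 reply => { 'Service-Type'    => 'Framed-User',
                            'Framed-Protocol' => 'PPP',
                            'Port-Limit'      => 1 } },
    Blank   => { check => {}, reply => { 'Filter-Id' => 'filter.in' },
                 next  => 'DEFAULT' },
    Tank    => { check => {}, reply => {}, next => 'DEFAULT' },
    DEFAULT => { check => { 'NAS-Port-Type' => 'Async' }, reply => {} },
);

# Walk the profile chain. Returns ($code, \%reply_attributes); the first
# failing check item produces Access-Reject with a Reply-Message.
sub evaluate {
    my ($category, %request) = @_;
    my (%reply, %seen);
    while (defined $category) {
        my $p = $PROFILE{$category} or die "unknown profile '$category'\n";
        die "profile loop at '$category'\n" if $seen{$category}++;
        for my $attr (sort keys %{ $p->{check} }) {
            my $want = $p->{check}{$attr};
            my $got  = $request{$attr};
            return ('Access-Reject',
                    { 'Reply-Message' => "Request Denied: $attr must be $want" })
                if !defined $got || $got ne $want;
        }
        %reply = (%reply, %{ $p->{reply} });
        $category = $p->{next};
    }
    return ('Access-Accept', \%reply);
}

# Rewrite the name, look the user up, evaluate the profile and, on accept,
# return Class as a reply item (the role "AuthAttrDef accountname,Class,reply"
# plays in the post's LDAP config).
sub authorize {
    my ($users, $raw_name, %request) = @_;
    my $user = $users->{ rewrite_username($raw_name) }
        or return ('Access-Reject', { 'Reply-Message' => 'Request Denied: unknown user' });
    my $category = defined $user->{'User-Category'} ? $user->{'User-Category'} : 'DEFAULT';
    my ($code, $reply) = evaluate($category, %request);
    $reply->{Class} = $user->{Class} if $code eq 'Access-Accept';
    return ($code, $reply);
}

unless (caller) {
    # Constructed sample: the four users.db entries quoted in the post.
    my $users = parse_users_db(
        'fredISDN:Class="01",User-Category="ISDN"',
        'freddefault:Class="02",User-Category="DEFAULT"',
        'fredB:Class="03",User-Category="Blank"',
        'fredT:Class="04",User-Category="Tank"',
    );
    for my $case (
        [ 'fredISDN@dummy',  'Sync'  ],   # ISDN profile has no port-type check
        [ 'fredB@dummy',     'Sync'  ],   # Blank chains to DEFAULT (Async only)
        [ 'isp/fredT@dummy', 'Async' ],   # rules 1 and 2 strip realm and prefix
        [ 'DOMAIN\\fredB',   'Async' ],   # rule 3 strips the NT-style domain
        [ 'nobody@dummy',    'Async' ],   # not in users.db
    ) {
        my ($raw, $pt) = @$case;
        my ($code, $reply) = authorize($users, $raw, 'NAS-Port-Type' => $pt);
        printf "%-18s %-5s -> %-13s %s\n", $raw, $pt, $code,
            join(', ', map { "$_=$reply->{$_}" } sort keys %$reply);
    }
}
```

Running the script prints one line per case with the code and the reply items. Under these rules a Sync request for the ISDN profile is accepted with the Framed-User/PPP/Port-Limit reply items and Class, while a Sync request for the Blank profile is rejected by the DEFAULT entry's NAS-Port-Type check, which is the reading of the users file given earlier in the post. The reject is a returned code with a Reply-Message rather than a change to the request packet, so the same rules can be checked from the command line before they are wired into a server.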

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce@open.com.au
To unsubscribe, email 'majordomo@open.com.au' with
'unsubscribe radiator' in the body of the message.

