(RADIATOR) profiles

Fred Albrecht Fred at vwo.co.za
Tue Sep 4 09:24:01 CDT 2001


Thanx Hugh and Rob

I actually got the config working about an hour after I sent my email.  I
just had to look very carefully at the profiles file in the goodies
directory.  Here's my solution:

<Handler Realm=the_realm>
        AcctLogFileName %L/the_realm/%d-%m-%Y.log
        RewriteUsername      s/^([^@]+).*/$1/
        RewriteUsername      s/^.*\/(.*)/$1/
        RewriteUsername      s/^.*\\(.*)/$1/
        AuthByPolicy ContinueWhileAccept
        <AuthBy LDAP2>
                Host            host
                HoldServerConnection
                NoDefaultIfFound

                AuthDN uid=.....
                AuthPassword .....

                BaseDN ou=...

                UsernameAttr    uid
                PasswordAttr    userPassword

                AuthAttrDef accountname,Class,reply
                AuthAttrDef radiusauthentication,Profile,reply
        </AuthBy>
        <AuthBy FILE>
                Filename ./profiles
                StripFromReply Profile
        </AuthBy>
</Handler>

In LDAP the user's profile gets returned with the first authby clause.  The
profile then gets used in the ./profiles file with the Reply: keyword as
follows:

DEFAULT Reply:Profile=ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Port-Limit = 1

DEFAULT NAS-Port-Type=Async, Reply:Profile=WEB

DEFAULT NAS-Port-Type=Async, Reply:Profile=BEACH
        Filter-Id = "filter.in"

DEFAULT NAS-Port-Type=Async, Reply:Profile=DEFAULT


hehehehehehheheheheheee

:)
fred
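The matching that the ./profiles file above relies on, shown as an added example that is not from the thread or from Radiator itself: a small Python model of how AuthBy FILE walks the DEFAULT entries, comparing Reply: check items against what AuthBy LDAP2 has already put in the reply and plain check items against the request, then applying StripFromReply Profile to the winner. It assumes first-match-wins and exact string comparison of attribute values; the users-file text is the one posted above, embedded as constructed input.

```python
# Constructed input: the ./profiles file from the post, embedded for the example.
PROFILES = """\
DEFAULT Reply:Profile=ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Port-Limit = 1

DEFAULT NAS-Port-Type=Async, Reply:Profile=WEB

DEFAULT NAS-Port-Type=Async, Reply:Profile=BEACH
        Filter-Id = "filter.in"

DEFAULT NAS-Port-Type=Async, Reply:Profile=DEFAULT
"""

def _items(s):
    """'A = v, B=w,' -> {'A': 'v', 'B': 'w'} (quotes and trailing commas dropped)."""
    return {k.strip(): v.strip().strip('"')
            for k, v in (p.split("=", 1) for p in s.split(",") if "=" in p)}

def parse_users_file(text):
    """Users-file entries: an unindented line with the name and its check items,
    followed by indented lines of reply items."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                 # reply item(s) of the open entry
            current["reply"].update(_items(line))
        else:
            name, _, checks = line.partition(" ")
            current = {"name": name, "check": _items(checks), "reply": {}}
            entries.append(current)
    return entries

def select_profile(entries, request, reply):
    """First match wins (modelled AuthBy FILE behaviour, an assumption of this example):
    'Reply:' checks use the reply built so far, others the request; Profile is stripped."""
    for entry in entries:
        for key, want in entry["check"].items():
            attrs = reply if key.startswith("Reply:") else request
            if attrs.get(key.split(":", 1)[-1]) != want:
                break                          # this check item failed
        else:                                  # every check item matched
            merged = {**reply, **entry["reply"]}
            merged.pop("Profile", None)        # StripFromReply Profile
            return merged
    return None                                # no entry matched
```

A Sync call carrying Profile=BEACH returns None: no DEFAULT entry accepts it, which is the case AuthBy FILE reports as a reject.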

 -----Original Message-----
From: 	Hugh Irvine [mailto:hugh at open.com.au] 
Sent:	04 September 2001 08:27
To:	Fred Albrecht; 'radiator at open.com.au'
Subject:	Re: (RADIATOR) profiles


Hello Fred -

I think you can do what you need to much more simply.

Here is part of the configuration file:

# define AuthBy clauses

<AuthBy FILE>
	Identifier CheckUsers
	Filename %D/default.users
	AddToReply Service-Type = Framed-User, \
		Framed-Protocol = PPP
</AuthBy>

<AuthBy NISPLUS>
	Identifier CheckNisPlus
	.....
</AuthBy>

# define Realms or Handlers

<Handler>
	AuthBy CheckUsers
	.....
</Handler>


Then the file default.users would contain something like this:

# this file contains DEFAULT definitions

DEFAULT Suffix = ISDN, Auth-Type = CheckNisPlus
	Class = 01, Port-Limit = 1

DEFAULT Suffix = default, Nas-Port-Type = Async, Auth-Type = CheckNisPlus
	Class = 02

DEFAULT Suffix = B, Nas-Port-Type = Async, Auth-Type = CheckNisPlus
	Class = 03, Filter-Id = "filter.in"

DEFAULT Suffix = T, Nas-Port-Type = Async, Auth-Type = CheckNisPlus
	Class = 04


You shouldn't need to use hooks at all for this.

hth

Hugh



At 10:41 +0200 01/9/3, Fred Albrecht wrote:
>Hi All
>
>I managed to get my company to buy copies of Radiator ... but forgot to tell
>them about a support contract (ugh).  And now I need support :-) .  Can you
>guys and gals perhaps help?  Phulease?
>
>Here's my situation.  I need to move one of our userbases (which we bought
>from another ISP) off Cistron Radius ASAP and onto LDAP with Radiator.  The
>users.db file that Cistron uses looks something like this:
>
>fredISDN:Class="01",User-Category="ISDN"
>freddefault:Class="02",User-Category="DEFAULT"
>fredB:Class="03",User-Category="Blank"
>fredT:Class="04",User-Category="Tank"
>(and Lots more entries)
>
>The users file contains:
>
>#-----------------
>Blank
>         Filter-Id = "filter.in",
>         User-Category = "DEFAULT"
>
>Tank
>         User-Category = "DEFAULT"
>
>ISDN    Auth-Type = System
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Port-Limit = 1
>
>DEFAULT NAS-Port-Type = Async, Auth-Type=System
>#------------------
>
>This is how I understand the config.
>User fredISDN user will be authenticated with NIS (system authentication),
>and will be sent Service-Type = Framed-User, Framed-Protocol = PPP, Port-Limit = 1.
>User fredB can only dial in with Async as port-type, will be NIS auth'ed,
>and will get Filter-Id="filter.in".
>Users fredT and freddefault can only dial as Async and will be NIS auth'ed.
>
>Note that The ISDN user's NAS-Port-Type is not specified, thus Sync and
>Async will work (meaning he can dial with a normal or isdn modem).
>
>My switch to LDAP looks like this.
>
><Handler Realm=dummy>
>         # Get rid of all the funny stuff
>         RewriteUsername      s/^([^@]+).*/$1/
>         RewriteUsername      s/^.*\/(.*)/$1/
>         RewriteUsername      s/^.*\\(.*)/$1/
>         <AuthBy LDAP2>
>                 Host            my.host.name
>                 HoldServerConnection
>                 NoDefaultIfFound
>
>                 AuthDN uid=manager
>                 AuthPassword XXXXXXX
>
>                 BaseDN ou=stuff
>
>                 UsernameAttr    uid
>                 PasswordAttr    userPassword
>                 AuthAttrDef accountname,Class,reply
>                 AuthAttrDef radiusauthentication,Radius-Category,request
>
>                 PostSearchHook file:"%D/handle_DUMMY_users"
>
>         </AuthBy>
></Handler>
>
>The handle_DUMMY_users file looks like this:
>(When I learnt Perl I read somewhere that there are no pointers like in C,
>so I never bothered to look further into it, but when I look at the Radiator
>code it seems like there are pointers everywhere! (I'm an old C programmer).
>So while trying to get the code to work (and figure it out at the same time)
>I used lots of log prints to help show me what the variables are doing.)
>sub
>{
>        # $_[4] is the LDAP search result, $_[2] the current request packet
>        my @category_array = $_[4]->get('radiusauthentication');
>        my $category = $category_array[0];
>        my $port_type = $_[2]->getAttrByNum(61);   # attribute 61 = NAS-Port-Type
>
>        &main::log($main::LOG_DEBUG, "--- " . $_[2]->code . " ---");
>        &main::log($main::LOG_DEBUG, "Port_type=$port_type");
>        &main::log($main::LOG_DEBUG, "Category=$category ============= ");
>        #if ($_[2]->code eq 'Access-Accept')
>        if (1)
>        {
>                &main::log($main::LOG_ERR, "HHEHEHEHEHEHEHE");
>                if (!defined $port_type)
>                {
>                        $port_type = "Async";
>                }
>
>                if (!defined $category)
>                {
>                        $category = "DEFAULT";
>                }
>
>                if ($category eq "DUMMY_ISDN")
>                {
>                        if ($port_type ne "Async")
>                        {
>                                $_[2]->set_code($main::REJECT);
>                                #$_[2]->set_code('Access-Reject');
>                                $_[2]->addAttrByNum($Radius::Radius::REPLY_MESSAGE, 'Request Denied');
>                                &main::log($main::LOG_ERR, "Access Rejected: Port not Async");
>                        }
>                }
>        }
>}
>
>Now, when I try to authenticate an ISDN user like so:
>radpwtst -trace -secret xxx -noacct -auth_port 1814 -acct_port 1815 -user
>fredisdn at dummy -password 123456 -nas_ip_address x.x.x.x -nas_port 1
>-nas_port_type "Sync", the server does not send a reply.  In fact the debug
>looks as follows:
>
>Code:       Access-Request
>Identifier: 128
>Authentic:  1234567890123456
>Attributes:
>         User-Name = "testisdn at dummy"
>         Service-Type = Framed-User
>         NAS-IP-Address = 196.41.131.10
>         NAS-Port = 1
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Sync
>         User-Password =
>"<200><185>l<153><154>j<4><246><188>8<9><160><216>}x<153>"
>
>Fri Aug 31 21:52:50 2001: DEBUG: Check if Handler Realm=dummy should be used
>to handle this request
>Fri Aug 31 21:52:50 2001: DEBUG: Handling request with Handler 'Realm=dummy'
>Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG:  Deleting session for fredisdn at dummy,
>x.x.x.x, 1
>Fri Aug 31 21:52:50 2001: DEBUG: Handling with Radius::AuthLDAP2
>Fri Aug 31 21:52:50 2001: DEBUG: Attempting to bind with uid=....
>Fri Aug 31 21:52:50 2001: DEBUG: LDAP got result for uid=fredisdn,ou=.......
>Fri Aug 31 21:52:50 2001: DEBUG: LDAP got userPassword: {SHA}goobledygook=
>Fri Aug 31 21:52:50 2001: DEBUG: LDAP got radiusauthentication: DUMMY_ISDN
>Fri Aug 31 21:52:50 2001: DEBUG: --- Access-Request ---
>Fri Aug 31 21:52:50 2001: DEBUG: Port_type=Sync
>Fri Aug 31 21:52:50 2001: DEBUG: Category=DUMMY_ISDN =============
>Fri Aug 31 21:52:50 2001: ERR: HHEHEHEHEHEHEHE
>Fri Aug 31 21:52:50 2001: ERR: Access Rejected: Port not Async
>Fri Aug 31 21:52:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with
>fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
>
>And then the server debug repeats the above DEBUG.
>
>Trying as the same user, but with "Async" instead of "Sync" gives the
>following:
>
>Code:       Access-Request
>Identifier: 129
>Authentic:  1234567890123456
>Attributes:
>         User-Name = "fredisdn at dummy"
>         Service-Type = Framed-User
>         NAS-IP-Address = x.x.x.x
>         NAS-Port = 1
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = "ummmm"
>
>Mon Sep  3 10:08:00 2001: DEBUG: Check if Handler Realm=dummy should be used
>to handle this request
>Mon Sep  3 10:08:00 2001: DEBUG: Handling request with Handler 'Realm=dummy'
>Mon Sep  3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
>Mon Sep  3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
>Mon Sep  3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
>Mon Sep  3 10:08:00 2001: DEBUG:  Deleting session for fredisdn at dummy,
>x.x.x.x, 1
>Mon Sep  3 10:08:00 2001: DEBUG: Handling with Radius::AuthLDAP2
>Mon Sep  3 10:08:00 2001: DEBUG: Connecting to ........, port 389
>Mon Sep  3 10:08:01 2001: DEBUG: Attempting to bind with uid=...........
>Mon Sep  3 10:08:01 2001: DEBUG: LDAP got result for uid=fredisdn,ou=..............
>Mon Sep  3 10:08:01 2001: DEBUG: LDAP got userPassword: {SHA}stuff=
>Mon Sep  3 10:08:01 2001: DEBUG: LDAP got radiusauthentication: DUMMY_ISDN
>Mon Sep  3 10:08:01 2001: DEBUG: --- Access-Request ---
>Mon Sep  3 10:08:01 2001: DEBUG: Port_type=Async
>Mon Sep  3 10:08:01 2001: DEBUG: Category=DUMMY_ISDN =============
>Mon Sep  3 10:08:01 2001: ERR: HHEHEHEHEHEHEHE
>Mon Sep  3 10:08:01 2001: DEBUG: Radius::AuthLDAP2 looks for match with
>fredisdn
>Mon Sep  3 10:08:01 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
>Mon Sep  3 10:08:01 2001: DEBUG: Access accepted for fredisdn
>Mon Sep  3 10:08:01 2001: DEBUG: Packet dump:
>*** Sending to 196.41.131.10 port 37361 ....
>
>Packet length = 20
>02 81 00 14 e1 d4 3c 44 ce 1c 76 b0 c6 83 9e ce
>a9 8f 4f 69
>Code:       Access-Accept
>Identifier: 129
>Authentic:  1234567890123456
>Attributes:
>
>Which looks ok (right?!).
>
>I think my problem is that I do not know how to specify a reject properly.
>I seem to set it with set_code($main::REJECT) but the reject never gets sent
>back to the user.
>
>I have looked at the hooks file in the goodies directory, but my lack of
>pointer programming in Perl (give me C anyday! :-)) and the lack of an API
>for Perl in the documentation puts me at a slight disadvantage.  I've also
>looked at the profiles file in the goodies directory which looks like a
>promising way to go, but I need to figure out still how I can integrate that
>with my LDAP config.
>
>So, I hope that someone could shed some light on my situation, or show me
>another direction I could pursue.  I'd really appreciate it.  If you need
>more info from my side then I'll help wherever I can.
>
>Radiator newby :-)
>
>"Try there is not." - Yoda
>

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.