(RADIATOR) profiles
Fred Albrecht
Fred at vwo.co.za
Tue Sep 4 09:24:01 CDT 2001
Thanks Hugh and Rob
I actually got the config working about an hour after I sent my email. I
just had to look very carefully at the profiles file in the goodies
directory. Here's my solution:
<Handler Realm=the_realm>
    AcctLogFileName %L/the_realm/%d-%m-%Y.log
    RewriteUsername s/^([^@]+).*/$1/
    RewriteUsername s/^.*\/(.*)/$1/
    RewriteUsername s/^.*\\(.*)/$1/
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        Host host
        HoldServerConnection
        NoDefaultIfFound
        AuthDN uid=.....
        AuthPassword .....
        BaseDN ou=...
        UsernameAttr uid
        PasswordAttr userPassword
        AuthAttrDef accountname,Class,reply
        AuthAttrDef radiusauthentication,Profile,reply
    </AuthBy>
    <AuthBy FILE>
        Filename ./profiles
        StripFromReply Profile
    </AuthBy>
</Handler>
In LDAP the user's profile gets returned with the first authby clause. The
profile then gets used in the ./profiles file with the Reply: keyword as
follows:
DEFAULT Reply:Profile=ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Port-Limit = 1

DEFAULT NAS-Port-Type=Async, Reply:Profile=WEB

DEFAULT NAS-Port-Type=Async, Reply:Profile=BEACH
        Filter-Id = "filter.in"

DEFAULT NAS-Port-Type=Async, Reply:Profile=DEFAULT
hehehehehehheheheheheee
:)
fred
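The profile lookup described in the message above, as an added Python model. This is not Radiator's own code and not from this thread: it parses a users file in the format shown (check items on the first line of an entry, reply items on indented continuation lines), evaluates ordinary check items against the request and Reply:-prefixed check items against the attributes the earlier AuthBy LDAP2 placed in the reply, and then strips Profile from the result the way StripFromReply does. The profiles text is a constructed copy of the file above; the function names and the simplified lookup order (entries named for the user first, then DEFAULT entries in file order, no Fall-Through handling) are this example's assumptions.

```python
"""Model of how a Radiator-style users/profiles file selects a DEFAULT entry.

Added example, not Radiator's code. Simplifications: no Fall-Through
handling, exact string comparison for every check item.
"""
import re

# Constructed copy of the profiles file quoted above, embedded so this runs offline.
PROFILES_FILE = """\
DEFAULT Reply:Profile=ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Port-Limit = 1
DEFAULT NAS-Port-Type=Async, Reply:Profile=WEB
DEFAULT NAS-Port-Type=Async, Reply:Profile=BEACH
        Filter-Id = "filter.in"
DEFAULT NAS-Port-Type=Async, Reply:Profile=DEFAULT
"""

# One "Attr = value" item; the attribute may carry a "Reply:" prefix.
ITEM_RE = re.compile(r'^\s*([\w:-]+)\s*=\s*(.*?)\s*$')


def parse_items(text):
    """Split 'A = 1, B = "x"' into [('A', '1'), ('B', 'x')]; surrounding quotes are dropped."""
    items = []
    for raw in text.split(','):
        if not raw.strip():
            continue                      # trailing comma on a continuation line
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError('bad item: %r' % raw)
        items.append((m.group(1), m.group(2).strip('"')))
    return items


def parse_users_file(text):
    """Return entries in file order as dicts with name, checks and replies."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            # Indented continuation line: reply items for the entry started above.
            if not entries:
                raise ValueError('reply items before any entry')
            entries[-1]['replies'].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ''
            entries.append({'name': parts[0], 'checks': parse_items(rest), 'replies': []})
    return entries


def check_matches(attr, wanted, request, reply):
    """One check item: 'Reply:X' looks at the reply built so far, anything else at the request."""
    if attr.startswith('Reply:'):
        actual = reply.get(attr[len('Reply:'):])
    else:
        actual = request.get(attr)
    return actual == wanted


def select_entry(entries, username, request, reply):
    """First entry named for the user, else first DEFAULT, whose check items all hold."""
    for name in (username, 'DEFAULT'):
        for entry in entries:
            if entry['name'] != name:
                continue
            if all(check_matches(a, v, request, reply) for a, v in entry['checks']):
                return entry
    return None


def build_reply(users_text, username, request, reply_from_ldap, strip=('Profile',)):
    """Apply the AuthBy FILE stage. Returns the reply attributes, or None for a reject."""
    reply = dict(reply_from_ldap)        # what the LDAP2 stage's AuthAttrDef ...,reply added
    entry = select_entry(parse_users_file(users_text), username, request, reply)
    if entry is None:
        return None                      # no entry matched: this stage rejects
    reply.update(entry['replies'])
    for attr in strip:                   # StripFromReply Profile
        reply.pop(attr, None)
    return reply


if __name__ == '__main__':
    # ISDN profile: no port check, so Sync is accepted with the ISDN reply items.
    print(build_reply(PROFILES_FILE, 'fredisdn', {'NAS-Port-Type': 'Sync'}, {'Profile': 'ISDN'}))
    # BEACH profile on a Sync port: no DEFAULT matches, so the FILE stage rejects (None).
    print(build_reply(PROFILES_FILE, 'fredb', {'NAS-Port-Type': 'Sync'}, {'Profile': 'BEACH'}))
```

Two points the model makes visible: the port restriction that the hook in the original message tried to enforce imperatively is expressed here as a check item, so a BEACH or WEB user on a Sync port is rejected by the FILE stage with no Perl involved; and because the Handler uses AuthByPolicy ContinueWhileAccept, the FILE stage is only reached after LDAP2 has accepted the password, so a bad password never gets as far as the profile lookup.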
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: 04 September 2001 08:27
To: Fred Albrecht; 'radiator at open.com.au'
Subject: Re: (RADIATOR) profiles
Hello Fred -
I think you can do what you need to much more simply.
Here is part of the configuration file:
# define AuthBy clauses
<AuthBy FILE>
    Identifier CheckUsers
    Filename %D/default.users
    AddToReply Service-Type = Framed-User, \
        Framed-Protocol = PPP
</AuthBy>

<AuthBy NISPLUS>
    Identifier CheckNisPlus
    .....
</AuthBy>

# define Realms or Handlers
<Handler>
    AuthBy CheckUsers
    .....
</Handler>
Then the file default.users would contain something like this:
# this file contains DEFAULT definitions
DEFAULT Suffix = ISDN, Auth-Type = CheckNisPlus
        Class = 01, Port-Limit = 1

DEFAULT Suffix = default, Nas-Port-Type = Async, Auth-Type = CheckNisPlus
        Class = 02

DEFAULT Suffix = B, Nas-Port-Type = Async, Auth-Type = CheckNisPlus
        Class = 03, Filter-Id = "filter.in"

DEFAULT Suffix = T, Nas-Port-Type = Async, Auth-Type = CheckNisPlus
        Class = 04
You shouldn't need to use hooks at all for this.
hth
Hugh
At 10:41 +0200 01/9/3, Fred Albrecht wrote:
>Hi All
>
>I managed to get my company to buy copies of Radiator ... but forgot to tell
>them about a support contract (ugh). And now I need support :-) . Can you
>guys and gals perhaps help? Phulease?
>
>Here's my situation. I need to move one of our userbases (which we bought
>from another ISP) off Cistron Radius ASAP and onto LDAP with Radiator. The
>users.db file that Cistron uses looks something like this:
>
>fredISDN:Class="01",User-Category="ISDN"
>freddefault:Class="02",User-Category="DEFAULT"
>fredB:Class="03",User-Category="Blank"
>fredT:Class="04",User-Category="Tank"
>(and Lots more entries)
>
>The users file contains:
>
>#-----------------
>Blank
> Filter-Id = "filter.in",
> User-Category = "DEFAULT"
>
>Tank
> User-Category = "DEFAULT"
>
>ISDN Auth-Type = System
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Port-Limit = 1
>
>DEFAULT NAS-Port-Type = Async, Auth-Type=System
>#------------------
>
>This is how I understand the config.
>User fredISDN will be authenticated with NIS (system authentication),
>and will be sent Service-Type = Framed-User, Framed-Protocol = PPP, Port-Limit = 1.
>User fredB can only dial in with Async as port-type, will be NIS auth'ed,
>and will get Filter-Id="filter.in".
>Users fredT and freddefault can only dial as Async and will be NIS auth'ed.
>
>Note that The ISDN user's NAS-Port-Type is not specified, thus Sync and
>Async will work (meaning he can dial with a normal or isdn modem).
>
>My switch to LDAP looks like this.
>
><Handler Realm=dummy>
> # Get rid of all the funny stuff
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/^.*\/(.*)/$1/
> RewriteUsername s/^.*\\(.*)/$1/
> <AuthBy LDAP2>
> Host my.host.name
> HoldServerConnection
> NoDefaultIfFound
>
> AuthDN uid=manager
> AuthPassword XXXXXXX
>
> BaseDN ou=stuff
>
> UsernameAttr uid
> PasswordAttr userPassword
> AuthAttrDef accountname,Class,reply
> AuthAttrDef radiusauthentication,Radius-Category,request
>
> PostSearchHook file:"%D/handle_DUMMY_users"
>
> </AuthBy>
></Handler>
>
>The handle_DUMMY_users file looks like this:
>(When I learnt Perl I read somewhere that there are no pointers like in C,
>so I never bothered to look further into it, but when I look at the Radiator
>code it seems like there are pointers everywhere! (I'm an old C programmer).
>So while trying to get the code to work (and figure it out at the same time)
>I used lots of log prints to help show me what the variables are doing.)
>sub
>{
>    my @category_array = $_[4]->get('radiusauthentication');
>    my $category = $category_array[0];
>    my $port_type = $_[2]->getAttrByNum(61);
>
>    &main::log($main::LOG_DEBUG, "--- " . $_[2]->code . " ---");
>    &main::log($main::LOG_DEBUG, "Port_type=$port_type");
>    &main::log($main::LOG_DEBUG, "Category=$category ============= ");
>    #if ($_[2]->code eq 'Access-Accept')
>    if (1)
>    {
>        &main::log($main::LOG_ERR, "HHEHEHEHEHEHEHE");
>        if (!defined $port_type)
>        {
>            $port_type = "Async";
>        }
>
>        if (!defined $category)
>        {
>            $category = "DEFAULT";
>        }
>
>        if ($category eq "DUMMY_ISDN")
>        {
>            if ($port_type ne "Async")
>            {
>                $_[2]->set_code($main::REJECT);
>                #$_[2]->set_code('Access-Reject');
>
>                $_[2]->addAttrByNum($Radius::Radius::REPLY_MESSAGE, 'Request Denied');
>
>                &main::log($main::LOG_ERR, "Access Rejected: Port not Async");
>            }
>            else
>            {
>
>            }
>        }
>    }
>}
>
>Now, when I try to authenticate an ISDN user like so:
>
>radpwtst -trace -secret xxx -noacct -auth_port 1814 -acct_port 1815 -user fredisdn at dummy -password 123456 -nas_ip_address x.x.x.x -nas_port 1 -nas_port_type "Sync"
>
>the server does not send a reply. In fact the debug looks as follows:
>
>Code: Access-Request
>Identifier: 128
>Authentic: 1234567890123456
>Attributes:
> User-Name = "testisdn at dummy"
> Service-Type = Framed-User
> NAS-IP-Address = 196.41.131.10
> NAS-Port = 1
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Sync
> User-Password = "<200><185>l<153><154>j<4><246><188>8<9><160><216>}x<153>"
>
>Fri Aug 31 21:52:50 2001: DEBUG: Check if Handler Realm=dummy should be used to handle this request
>Fri Aug 31 21:52:50 2001: DEBUG: Handling request with Handler 'Realm=dummy'
>Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Rewrote user name to fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Deleting session for fredisdn at dummy, x.x.x.x, 1
>Fri Aug 31 21:52:50 2001: DEBUG: Handling with Radius::AuthLDAP2
>Fri Aug 31 21:52:50 2001: DEBUG: Attempting to bind with uid=....
>Fri Aug 31 21:52:50 2001: DEBUG: LDAP got result for uid=fredisdn,ou=.......
>Fri Aug 31 21:52:50 2001: DEBUG: LDAP got userPassword: {SHA}goobledygook=
>Fri Aug 31 21:52:50 2001: DEBUG: LDAP got radiusauthentication: DUMMY_ISDN
>Fri Aug 31 21:52:50 2001: DEBUG: --- Access-Request ---
>Fri Aug 31 21:52:50 2001: DEBUG: Port_type=Sync
>Fri Aug 31 21:52:50 2001: DEBUG: Category=DUMMY_ISDN =============
>Fri Aug 31 21:52:50 2001: ERR: HHEHEHEHEHEHEHE
>Fri Aug 31 21:52:50 2001: ERR: Access Rejected: Port not Async
>Fri Aug 31 21:52:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with fredisdn
>Fri Aug 31 21:52:50 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
>
>And then the server debug repeats the above DEBUG.
>
>Trying as the same user, but with "Async" instead of "Sync" gives the
>following:
>
>Code: Access-Request
>Identifier: 129
>Authentic: 1234567890123456
>Attributes:
> User-Name = "fredisdn at dummy"
> Service-Type = Framed-User
> NAS-IP-Address = x.x.x.x
> NAS-Port = 1
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "ummmm"
>
>Mon Sep 3 10:08:00 2001: DEBUG: Check if Handler Realm=dummy should be used to handle this request
>Mon Sep 3 10:08:00 2001: DEBUG: Handling request with Handler 'Realm=dummy'
>Mon Sep 3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
>Mon Sep 3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
>Mon Sep 3 10:08:00 2001: DEBUG: Rewrote user name to fredisdn
>Mon Sep 3 10:08:00 2001: DEBUG: Deleting session for fredisdn at dummy, x.x.x.x, 1
>Mon Sep 3 10:08:00 2001: DEBUG: Handling with Radius::AuthLDAP2
>Mon Sep 3 10:08:00 2001: DEBUG: Connecting to ........, port 389
>Mon Sep 3 10:08:01 2001: DEBUG: Attempting to bind with uid=...........
>Mon Sep 3 10:08:01 2001: DEBUG: LDAP got result for uid=fredisdn,ou=..............
>Mon Sep 3 10:08:01 2001: DEBUG: LDAP got userPassword: {SHA}stuff=
>Mon Sep 3 10:08:01 2001: DEBUG: LDAP got radiusauthentication: DUMMY_ISDN
>Mon Sep 3 10:08:01 2001: DEBUG: --- Access-Request ---
>Mon Sep 3 10:08:01 2001: DEBUG: Port_type=Async
>Mon Sep 3 10:08:01 2001: DEBUG: Category=DUMMY_ISDN =============
>Mon Sep 3 10:08:01 2001: ERR: HHEHEHEHEHEHEHE
>Mon Sep 3 10:08:01 2001: DEBUG: Radius::AuthLDAP2 looks for match with fredisdn
>Mon Sep 3 10:08:01 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
>Mon Sep 3 10:08:01 2001: DEBUG: Access accepted for fredisdn
>Mon Sep 3 10:08:01 2001: DEBUG: Packet dump:
>*** Sending to 196.41.131.10 port 37361 ....
>
>Packet length = 20
>02 81 00 14 e1 d4 3c 44 ce 1c 76 b0 c6 83 9e ce
>a9 8f 4f 69
>Code: Access-Accept
>Identifier: 129
>Authentic: 1234567890123456
>Attributes:
>
>Which looks ok (right?!).
>
>I think my problem is that I do not know how to specify a reject properly.
>I seem to set it with set_code($main::REJECT) but the reject never gets sent
>back to the user.
>
>I have looked at the hooks file in the goodies directory, but my lack of
>pointer programming in Perl (give me C anyday! :-)) and the lack of an API
>for Perl in the documentation puts me at a slight disadvantage. I've also
>looked at the profiles file in the goodies directory which looks like a
>promising way to go, but I need to figure out still how I can integrate that
>with my LDAP config.
>
>So, I hope that someone could shed some light on my situation, or show me
>another direction I could pursue. I'd really appreciate it. If you need
>more info from my side then I'll help wherever I can.
>
>Radiator newbie :-)
>
>"Try there is not." - Yoda
>
>Disclaimer: This email is considered a business record and is therefore
>property of Vodacom World Online (Pty) Ltd. This email, and any files
>transmitted with it are confidential and are intended solely for the use of
>the individual or entity to whom they are addressed. This communication
>represents the originator's personal views and opinions, which do not
>necessarily reflect those of Vodacom World Online (Pty) Ltd. If you are not
>the original recipient or the person responsible for delivering the email to
>the intended recipient, be advised that you have this email in error, and
>that any use, dissemination, forwarding, printing, or copying of this email
>is strictly prohibited. If you received this email in error, please
>immediately notify disclaimer at vwo.co.za <mailto:disclaimer at vwo.co.za>.
>
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on radiator-announce at open.com.au
>To unsubscribe, email 'majordomo at open.com.au' with
>'unsubscribe radiator' in the body of the message.
--
NB: I am travelling this week, so there may be delays in our correspondence.
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.