(RADIATOR) Proxy server client id's
Griff Hamlin, III
griff3 at quik.com
Tue Sep 18 09:53:51 CDT 2001
Hugh,
In setting up my system with a single radiusd process acting as a proxy
and other radiusd processes doing the authentication, I have found that
the proxy server always sends the request to the other servers with the
client being 127.0.0.1, which is the localhost, instead of the actual
Client-Id of the request, which my backline radius server needs to
determine NasType information for SNMP. How can I have the proxy server
send that information?
Here is my radius.cfg file for the proxy server:
Trace 3
# Directory where logfile and details file are
LogDir /var/log/radacct.proxy
# Database directory. Should contain:
# users The user database
# dictionary The dictionary for your NAS
DbDir /etc/raddb
AuthPort 1645
AcctPort 1646
SnmpgetProg /usr/local/bin/snmpget
PreClientHook file:"/etc/raddb/CallIdCheck.hook"
# Global parameters
LivingstonOffs 23
LivingstonHole 1
# Define Global Variables
# Online Session Database
<SessionDatabase SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AddQuery insert into online (username, nasidentifier, nasport,\
acctsessionid, framedaddress) values ('%U','%c',\
'%{NAS-Port}','%{Acct-Session-Id}','%{Framed-IP-Address}')
DeleteQuery delete from online where(username='%U')&& \
(acctsessionid='%{Acct-Session-Id}')
CountQuery select nasidentifier, nasport, acctsessionid from online \
where username='%n'
</SessionDatabase>
<AuthLog FILE>
Identifier log1
Filename %L/logfile
LogSuccess 1
LogFailure 1
SuccessFormat %l::%n accepted from %c
FailureFormat %l::%n rejected from %c, %1
</AuthLog>
# Proxy all requests, handle none
<Handler>
<AuthBy LOADBALANCE>
FailureBackoffTime 15
Secret mysecret
RetryTimeout 3
Retries 0
AddToRequest Login-IP-Host=%c
# Hosts to proxy for
<Host localhost>
AuthPort 1812
AcctPort 1813
</Host>
<Host localhost>
AuthPort 1647
AcctPort 1648
</Host>
<Host localhost>
AuthPort 1649
AcctPort 1650
</Host>
</AuthBy>
</Handler>
###Client List
# many clients listed here of different NasTypes.
And the config file for the servers is
Trace 3
AuthPort 1812
AcctPort 1813
# Directory where logfile and details file are
LogDir /var/log/radacct.serv1
# Database directory. Should contain:
# users The user database
# dictionary The dictionary for your NAS
DbDir /etc/raddb
SnmpgetProg /usr/local/bin/snmpget
PreClientHook file:"/etc/raddb/CallIdCheck.hook"
# Global parameters
LivingstonOffs 23
LivingstonHole 1
# Define Global Variables
# Online Session Database
<SessionDatabase SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AddQuery insert into online (username, nasidentifier, nasport,\
acctsessionid, framedaddress) values ('%U','%c',\
'%{NAS-Port}','%{Acct-Session-Id}','%{Framed-IP-Address}')
DeleteQuery delete from online where(username='%U')&& \
(acctsessionid='%{Acct-Session-Id}')
CountQuery select nasidentifier, nasport, acctsessionid from online \
where username='%n'
</SessionDatabase>
<AuthLog FILE>
Identifier log1
Filename %L/logfile
LogSuccess 1
LogFailure 1
SuccessFormat %l::%n accepted from %{Login-IP-Host}
FailureFormat %l::%n rejected from %{Login-IP-Host}, pass :%P:
</AuthLog>
# Handle all accounting here.
<Handler Request-Type=Accounting-Request>
RewriteUsername s/^([^@]+).*/$1/
# Hook to pick the disconnect-cause attribute for an accounting Stop:
# use Livingston if present, else Acct-Terminate-Cause, else
# Ascend-Disconnect-Cause, and store it in the new attribute Term-Cause
# for use in the AcctColumnDef below. Every continued line of the hook
# must end in a backslash.
PreAuthHook sub { my $p = ${$_[0]}; my $term; \
my $stat = $p->get_attr('Acct-Status-Type'); \
if (defined $stat && $stat eq 'Stop') { \
$term = $p->get_attr('Livingston'); \
$term = $p->get_attr('Acct-Terminate-Cause') \
unless defined $term && $term ne ''; \
$term = $p->get_attr('Ascend-Disconnect-Cause') \
unless defined $term && $term ne ''; \
$p->add_attr('Term-Cause', defined $term ? $term : ''); } }
<AuthBy SQL>
DBSource dbi:mysql:
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AccountingTable dialupusage
AccountingStopsOnly
AcctColumnDef username, %U, formatted
AcctColumnDef session_id, %{Acct-Session-Id}%m-%d, formatted
AcctColumnDef router_ip, %c, formatted
AcctColumnDef date, %f-%g-%i %j:%k:%p, formatted
AcctColumnDef session_time, %{Acct-Session-Time}, formatted
AcctColumnDef ip_address, %{Framed-IP-Address}, formatted
AcctColumnDef phone, %{Calling-Station-Id}, formatted
AcctColumnDef terminate_cause, %{Term-Cause}, formatted
</AuthBy>
</Handler>
# Handle the bulk of the users using our radius:users SQL table
<Handler Handler-Group = defquik>
# remove the realm
RewriteUsername s/^([^@]+).*/$1/
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
<AuthBy FILE>
Filename %D/users.head
</AuthBy> # FILE
<AuthBy SQL>
IgnoreAccounting
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
NoDefault
DefaultSimultaneousUse 1
# This AuthSelect gets a comma separated list of check items and a comma
# separated list of reply items from the radius:users table
AuthSelect select check_items, reply_items from users \
where (username='%U' && handler_group='%{Handler-Group}')
AuthColumnDef 0,GENERIC, check
AuthColumnDef 1,GENERIC,reply
</AuthBy> #SQL
</AuthBy> # Group
AuthLog log1
</Handler>
### many radius clients in the list.
Thanks for the help.
Griff Hamlin, III
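An added illustration of the problem described above, written for this archive page and not Radiator's own code or the poster's: once a request is relayed, the backend's UDP source is the proxy, so the originating NAS address survives only if it is carried inside the packet, which is what the proxy's AddToRequest Login-IP-Host=%c does. The attribute numbers are from RFC 2865; the IP addresses and user name are constructed sample values.

```python
# Added illustration: minimal RADIUS attribute handling (RFC 2865 TLVs),
# not Radiator's own code. IPs below are constructed sample values.
import os
import socket
import struct

USER_NAME, NAS_IP_ADDRESS, LOGIN_IP_HOST = 1, 4, 14  # RFC 2865 attribute types

def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS attribute bytes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse attribute bytes, rejecting lengths that run off the packet."""
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_request(code, ident, attrs):
    """Code, identifier, length, 16-byte authenticator, then attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), os.urandom(16)) + body

def proxy_forward(packet, nas_src_ip):
    """The proxy's AddToRequest Login-IP-Host=%c: record the NAS address the
    packet arrived from before relaying it, since the backend will only see
    the proxy's own address as the UDP source."""
    attrs = decode_attrs(packet[20:])
    attrs.append((LOGIN_IP_HOST, socket.inet_aton(nas_src_ip)))
    body = encode_attrs(attrs)
    return packet[:2] + struct.pack("!H", 20 + len(body)) + packet[4:20] + body

def backend_client_ip(packet, udp_src_ip):
    """Backend view: prefer the carried Login-IP-Host over the UDP source,
    which after proxying is just the proxy (127.0.0.1 in the setup above)."""
    for t, v in decode_attrs(packet[20:]):
        if t == LOGIN_IP_HOST and len(v) == 4:
            return socket.inet_ntoa(v)
    return udp_src_ip
```

Without the proxy's added attribute the backend can only report 127.0.0.1; with it, the NAS address is available for the NasType lookup, but the backend should still only trust it on requests that arrive from the proxy's configured Client.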
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.