(RADIATOR) Totalcontrol Manager entries
Hugh Irvine
hugh at open.com.au
Thu Aug 8 16:37:38 CDT 2002
Hello Frank, Hello Gib -
This question comes up from time to time, so here is what happens.
The Radiator configuration file can contain Realms and/or Handlers (and
sometimes things like CalledStationIds) and the way that Radiator deals
with them is as follows:
1. evaluate any Realms if present (by lookup in a hash)
2. evaluate any Handlers (by checking the expression in each one in the
order they appear)
What this means when you mix Realms and Handlers is that a Realm that
matches will always take precedence over a Handler that would also match
(keeping in mind that the first match is the only match).
Therefore, you should change any Realms to Handlers as follows:
<Realm foo.bar>
becomes
<Handler Realm = foo.bar>
And of course you need to make sure that the order of the Handlers is
correct with the more specific appearing before the more general and
with the ones that get hit the most as close to the top of the list as
possible.
The historical reason for this is that in the early days Radiator only
supported Realms, and Handlers were added some little time after the
initial release. If you are interested, the history file makes
fascinating reading ("doc/history.html").
regards
Hugh
On Friday, August 9, 2002, at 02:07 AM, Frank Danielson wrote:
> Make sure that the Handler is before any other handlers and try writing the
> username as a regular expression like this: <Handler User-Name=/Manager/> .
> It looks like you have a rewrite username that is converting the usernames
> to lower case so you may need to specify <Handler User-Name=/manager/> to
> get it to work. Also as David Kramer's email said you need to convert from
> Realms to Handlers, mixing Realms and Handlers is always weird and is not
> recommended.
>
>
>
> -----Original Message-----
> From: Gib Salisbury [mailto:gsalisbu at qtm.net]
> Sent: Thursday, August 08, 2002 10:39 AM
> To: 'radiator at open.com.au'
> Subject: RE: (RADIATOR) Totalcontrol Manager entries
>
>
> Thanks Frank for the tip about handlers, I'm a bit of a newbie to this and
> appreciate your understanding. I tried putting in the handler you
> specified but it is still treating it like another user in the realm. This
> is the handler that I put in my config file.
>
> <Handler User-Name = "Manager">
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </Handler>
>
>
> Thanks in advance for dealing with such mundane questions!
>
> -Gib
>
>
> Thu Aug 8 10:04:11 2002: DEBUG: Packet dump:
> *** Received from 216.163.62.138 port 1646 ....
> Code: Accounting-Request
> Identifier: 70
> Authentic: }<247>;<181><245><31>&<6>rYUe<221><18>B<215>
> Attributes:
> User-Name = "Manager"
> NAS-IP-Address = 216.163.38.2
> NAS-Identifier = "216.163.38.2"
> Acct-Status-Type = Stop
> Acct-Session-Id = "134217728"
> Acct-Delay-Time = 60
> Acct-Authentic = Local
> Service-Type = Administrative-User
> NAS-Port-Type = Virtual
> Login-Service = Telnet
> Login-TCP-Port = 3326
> Login-IP-Host = 216.163.32.50
> Acct-Session-Time = 0
> Acct-Terminate-Cause = User-Request
>
> Thu Aug 8 10:04:11 2002: DEBUG: Rewrote user name to Manager
> Thu Aug 8 10:04:11 2002: DEBUG: Rewrote user name to manager
> Thu Aug 8 10:04:11 2002: DEBUG: Rewrote user name to manager
> Thu Aug 8 10:04:11 2002: DEBUG: Handling request with Handler
> 'Realm=realmusers'
> Thu Aug 8 10:04:11 2002: DEBUG: Rewrote user name to manager
> Thu Aug 8 10:04:11 2002: DEBUG: SessionSQL Deleting session for
> Manager,
> 216.163.38.2,
> Thu Aug 8 10:04:11 2002: DEBUG: do query is: delete from RADONLINE
> where
> NASIDENTIFIER='216.163.38.2' and NASPORT=0
>
> Thu Aug 8 10:04:11 2002: DEBUG: Handling with Radius::AuthSQL
> Thu Aug 8 10:04:11 2002: DEBUG: Handling accounting with
> Radius::AuthSQL
> Thu Aug 8 10:04:11 2002: DEBUG: do query is: insert into ACCOUNTING
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
> ACCTSESSIONID, ACCTSESSIONTIME, ACCTTERMINATECAUSE, NASIDENTIFIER)
> values
> ('manager', 1028815391, 'Stop', 60, '134217728', 0,
> 'User-Request', '216.163.38.2')
>
> Thu Aug 8 10:04:11 2002: DEBUG: Handling with Radius::AuthFILE: users
> Thu Aug 8 10:04:11 2002: DEBUG: Accounting accepted
> Thu Aug 8 10:04:11 2002: DEBUG: Packet dump:
> *** Sending to 216.163.62.138 port 1646 ....
> Code: Accounting-Response
> Identifier: 70
> Authentic: }<247>;<181><245><31>&<6>rYUe<221><18>B<215>
> Attributes:
>
> -----Original Message-----
> From: Hugh Irvine [SMTP:hugh at open.com.au]
> Sent: Wednesday, August 07, 2002 7:51 PM
> To: Gib Salisbury
> Cc: 'radiator at open.com.au'
> Subject: Re: (RADIATOR) Totalcontrol Manager entries
>
>
> Hello Gib -
>
> If you send me a trace 4 debug from Radiator showing what is happening
> with these packets, I will take a look.
>
> As Frank mentioned (thanks Frank), one way to deal with them is with a
> Handler if there is a suitable attribute in the requests.
>
> regards
>
> Hugh
>
>
> On Thursday, August 8, 2002, at 06:52 AM, Gib Salisbury wrote:
>
>> Hello again all,
>>
>> I'm working on the configuration for using Radiator 3.1 with Total Control
>> modem racks. The problem is that the TC rack is putting several Manager
>> entries into my SQL table, so that in a period of a day or two there are
>> several thousand bogus accounting entries in my table. I read through all
>> of my documentation and it seems like this is the TC's way of making sure
>> that the accounting server is still active, is there any way to have the
>> accounting server respond but not place all the entries in the table? If
>> anyone else has encountered anything like this please let me know.
>>
>> Gib Salisbury
>> Technician
>> Quantum Connections, LLC
>> 211 Hilltop Ave
>> St. Joseph, MI 49085
>> http://www.qtm.net
>> Phone (616) or (888) 926-4242 x 215
>>
>> Radiator Configuration
>> Top File: /usr/local/etc/raddb/radius.cfg
>> --------------------------------------------------------------------------------
>>
>> # Radiator configuration file.
>> # Produced by /~kenreicj/radconfig.cgi Thu Jun 13 12:54:42 2002
>> #REMOTE_USER: , REMOTE_ADDR: 216.163.33.250
>>
>> DbDir /raddb
>> DictionaryFile /raddb/dictionary
>> LogDir /raddb
>> LogFile %L\radius
>> PidFile radius.pid
>> SnmpgetProg /usr/local/bin/snmpget
>> RewriteUsername s/^([^@]+).*/$1/
>> RewriteUsername tr/[A-Z]/[a-z]/
>> RewriteUsername s/\s+//g
>> Trace 4
>> LogStdout
>>
>> <AuthBy UNIX>
>> DefaultSimultaneousUse 1
>> Description unix pw auth
>> Filename /etc/master.passwd
>> GroupFilename /etc/group
>> Identifier password
>> </AuthBy>
>>
>> <AuthBy FILE>
>> DefaultSimultaneousUse 1
>> Description users std
>> Filename %D/users
>> Identifier users
>> </AuthBy>
>>
>> <AuthBy FILE>
>> DefaultSimultaneousUse 1
>> Description tc8 users
>> Filename %D/tc8.users
>> Identifier tc8users
>> </AuthBy>
>>
>> <AuthBy FILE>
>> DefaultSimultaneousUse 1
>> Description dsl
>> Filename %D/dsl.users
>> Identifier dslusers
>> </AuthBy>
>>
>> <AuthBy FILE>
>> DefaultSimultaneousUse 1
>> Description x2 user auth
>> Filename %D/x2.users
>> Identifier x2users
>> </AuthBy>
>>
>> <AuthBy SQL>
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth XXXX
>> AuthSelect
>> Identifier sqlacct
>> AcctColumnDef USERNAME,User-Name
>> AcctColumnDef TIME_STAMP,Timestamp,integer
>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>> AcctColumnDef NASPORT,NAS-Port,integer
>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>> AcctColumnDef CALLINGSTATION,Calling-Station-Id,integer
>> </AuthBy>
>>
>> <ClientListSQL>
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth XXXX
>> </ClientListSQL>
>>
>> <Log SQL>
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth XXXX
>> </Log>
>>
>> <StatsLog SQL>
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth XXXX
>> Interval 86400
>> </StatsLogSQL>
>>
>> <Realm realmusers>
>> RewriteUsername s/^([^@]+).*/$1/
>> AuthByPolicy null
>> AuthBy sqlacct
>> AuthBy users
>> PasswordLogFileName pwd.log
>> SessionDatabase
>> </Realm>
>>
>> <Realm x2realm>
>> RewriteUsername s/^([^@]+).*/$1/
>> AuthByPolicy Null
>> AuthBy sqlacct
>> AuthBy x2users
>> PasswordLogFileName pwd.log
>> SessionDatabase
>> </Realm>
>>
>> <Realm dslrealm>
>> RewriteUsername s/^([^@]+).*/$1/
>> AuthByPolicy Null
>> AuthBy sqlacct
>> AuthBy dslusers
>> PasswordLogFileName pwd.log
>> SessionDatabase
>> </Realm>
>>
>> <Realm tc8realm>
>> RewriteUsername s/^([^@]+).*/$1/
>> AuthByPolicy Null
>> AuthBy sqlacct
>> AuthBy tc8users
>> PasswordLogFileName pwd.log
>> SessionDatabase
>> </Realm>
>>
>> <SessionDatabase SQL>
>> AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,
>> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE)
>> values ('%u', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp},
>> '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}')
>> ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
>> CountNasSessionsQuery select ACCTSESSIONID from RADONLINE where
>> NASIDENTIFIER='%N'
>> CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from
>> RADONLINE
>> where USERNAME='%u'
>> DBAuth XXXX
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DeleteQuery delete from RADONLINE where NASIDENTIFIER='%N' and
>> NASPORT=0%{NAS-Port}
>> Description Current Session database
>> Identifier SessionSQL
>> </SessionDatabase>
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
More information about the radiator
mailing list
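
Added example (not part of the original thread and not Radiator's own code): a small Python model of the selection order described in the top message, run against the request from Gib's trace, showing why the Handler was never reached and which rewrite of the config catches it. Assumptions: Handler checks see the already rewritten, lower-cased User-Name (as Frank's reply suggests), the request's realm is "realmusers" (taken from the trace), and the "manager-sink" label is hypothetical.

```python
import re

def matches(check, attrs):
    """True if every attr=value check holds; /.../ is an unanchored regex."""
    for name, want in check.items():
        have = attrs.get(name, "")
        if len(want) > 1 and want[0] == want[-1] == "/":
            if not re.search(want[1:-1], have):
                return False
        elif have != want:
            return False
    return True

def select(realms, handlers, attrs):
    """Realm hash lookup first, then Handlers in file order; first match wins."""
    if attrs.get("Realm") in realms:
        return "Realm=" + attrs["Realm"]
    for check, label in handlers:
        if matches(check, attrs):
            return label
    return None

# Constructed request, as the trace shows it after the global RewriteUsername
# lines ran. Assumption: its realm is "realmusers" (the trace shows that clause
# handling it; how the realm was assigned is not shown in the thread).
REQ = {"User-Name": "manager", "Realm": "realmusers"}
REALM_H = ({"Realm": "realmusers"}, "Realm=realmusers")

def sink(pattern):
    return ({"User-Name": pattern}, "manager-sink")  # hypothetical label

def demo():
    return {
        # Gib's config: <Realm> clauses plus one Handler. The Realm always wins.
        "mixed": select({"realmusers"}, [sink("Manager")], REQ),
        # Realms converted, but exact "Manager" never equals rewritten "manager".
        "converted_exact": select(set(), [sink("Manager"), REALM_H], REQ),
        # Frank's regex, specific Handler first: the sink finally catches it.
        "converted_regex": select(set(), [sink("/manager/"), REALM_H], REQ),
        # Same Handlers, general one first: first match is the only match.
        "wrong_order": select(set(), [REALM_H, sink("/manager/")], REQ),
        # Unanchored /manager/ also catches a real user; /^manager$/ does not.
        "unanchored": select(set(), [sink("/manager/"), REALM_H],
                             dict(REQ, **{"User-Name": "officemanager"})),
        "anchored": select(set(), [sink("/^manager$/"), REALM_H],
                           dict(REQ, **{"User-Name": "officemanager"})),
    }

if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name:16} -> {chosen}")
```

Because the sink Handler in the thread answers with DefaultResult ACCEPT, the anchored pattern keeps it from also matching other usernames that merely contain "manager".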