(RADIATOR) AuthbyRADIUS with DYNADDRESS

Matt Scifo mscifo at o1.com
Mon Jan 7 17:17:51 CST 2002


Hugh

We have had some confusion regarding issuing dynamic IPs when using
AuthbyRADIUS in a proxy situation.  We understand that once an
AuthbyRADIUS clause is processed, it returns immediately to the NAS
without waiting for a reply from the proxy server.  In order to issue a
dynamic IP in this situation, either Synchronous mode or a ReplyHook
must be used, according to the manual.  Synchronous mode can severely
impact performance, even when specifying Fork.  Our setup includes well
over 100 handlers which are used based on Called-Station-Id and/or
realm.  We set up our handlers to use a ReplyHook instead of Synchronous
mode to assign a dynamic IP back to the NAS.  However, when using a
ReplyHook, an IP never gets sent back to the NAS successfully.  The
attached debug file (replyhook_example.log) shows that as soon as
AuthbyRADIUS sends the Access-Request to the proxy server, an
Access-Accept is sent back to our NAS containing no attributes, even
with the ReplyHook.  The NAS then authenticates the user but assigns
them an IP of 0.0.0.0 and kicks them off a few seconds later.  As soon as the
proxy server responds, another response is sent to the NAS with the
correct attributes, including the IP taken from our SQLAllocator, but it is
dismissed by the NAS because it already received a response regarding
that session.

Isn't the ReplyHook supposed to allow a dynamic IP to be sent back to
the NAS even though the AuthbyRADIUS clause returns immediately?  How is
it supposed to work?

We then enabled Synchronous mode and everything worked fine.  Radiator
waited for a response from the proxy server before sending a dynamic IP
with the reply back to the NAS, as shown in the attached debug file
(sync_example.log).  However, using a ReplyHook is supposed to
circumvent the need to use Synchronous mode and still maintain the
ability to assign dynamic IPs.

Also attached is our radius.cfg.  Are we implementing the ReplyHook
(AllocateIPAddressOnReplyFromProxy taken from goodies/hooks.txt)
incorrectly?  Can our needs be met without using Synchronous/Fork mode? 

Thanks

Matt


-------------- next part --------------
Foreground
#LogStdout
LogDir		/var/log/radius
LogFile		/var/log/radius/%Y%m%d-radius.log
AuthPort	1812
AcctPort	1813

# Use a lower trace level in production systems:
Trace	5

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<ClientListSQL>
	DBSource	dbi:mysql:radius
	DBUsername	xxxxxxxxxxxx
	DBAuth		xxxxxxxxxxxx
	GetClientQuery	select NASIDENTIFIER, SECRET from RADCLIENTLIST
</ClientListSQL>

# Setup the address allocator
<AddressAllocator SQL>
	Identifier	SQLAllocator
	DBSource	dbi:mysql:radius
	DBUsername	xxxxxxxxxxxx
	DBAuth		xxxxxxxxxxxx
	DefaultLeasePeriod	604800
	FindQuery select TIME_STAMP, YIADDR from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP limit 1
	#include /usr/local/radiator/configs/ippools.cfg
	<AddressPool GLOBAL>
		Range	xxxxxxx	xxxxxxxxx
	</AddressPool>
</AddressAllocator>

# Reject callers whose Calling-Station-Id is on the blacklist table
<AuthBy SQL>
	Identifier	CheckBlacklist
	DBSource	dbi:mysql:radius
	DBUsername	xxxxxxxxx
	DBAuth		xxxxxxxxx
	AuthSelect select ATTRIBUTE from BLACKLIST \
		where VALUE = '%{Calling-Station-Id}'
	AuthColumnDef	0, GENERIC, check
	NoDefaultIfFound
	AccountingTable
</AuthBy>

# dynamic address allocation tables
#include /usr/local/radiator/configs/dynaddress.cfg
# Allocates from the GLOBAL pool of the SQLAllocator defined above
<AuthBy DYNADDRESS>
	Identifier	AllocateIPAddressGLOBAL
	Allocator	SQLAllocator
	PoolHint	GLOBAL
</AuthBy>
# Get configs from specified directory
#include /usr/local/radiator/configs/dnislist.cfg

<Handler Called-Station-Id = /1155$/>
	AuthByPolicy ContinueWhileAccept
	Identifier AllocateIPAddressGLOBAL
	#
	# FORWARD AUTHENTICATION INFORMATION
	#
	<AuthBy RADIUS>
		Identifier	CheckRemoteRadius
		#NoForwardAuthentication
		NoForwardAccounting
		Synchronous

		<Host xx.xx.xx.xx>
			Secret		xxxxxxx
			AuthPort	11155
			Retries		3
			RetryTimeout	10
		</Host>
		# Hook taken from goodies/hooks.txt; runs when the proxy reply arrives
		ReplyHook file:"/usr/local/radiator/hooks/AllocateIPAddressOnReplyFromProxy"
		# FILTER NAME: STATIC-ALLOW
		AllowInReply Framed-IP-Address,Session-Timeout,Ascend-Data-Filter,Idle-Timeout,Ascend-Idle-Limit,Ascend-Maximum-Call-Duration
		AddToReply Framed-Netmask=255.255.255.255
	</AuthBy>
	#
	# FORWARD ACCOUNTING INFORMATION TO NECESSARY RADIUS SERVERS
	#
	<AuthBy RADIUS>
		NoForwardAuthentication
		# NoForwardAccounting
		<Host xx.xx.xx.xx>
			Secret		xxxxxxxx
			AcctPort	11156
			Retries		3
			RetryTimeout	10
		</Host>
	</AuthBy>
</Handler>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: replyhook_example.log
Type: text/x-patch
Size: 6890 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20020107/8541078a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sync_example.log
Type: text/x-patch
Size: 17987 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20020107/8541078a/attachment-0001.bin>
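The race the post describes, as an added example that is not part of the original message and is not Radiator code. It builds RFC 2865 Access-Accept packets with and without a Framed-IP-Address attribute, verifies their Response Authenticators, and models a NAS that matches replies to outstanding Access-Requests by RADIUS Identifier and drops any later reply for an Identifier it has already answered. The shared secret, Request Authenticator, pool address and the NAS model itself are constructed for the example (the NAS behaviour is the one the post reports, not that of any particular vendor); the attribute-less Accept reaching the NAS first leaves the session on 0.0.0.0 and the later proxied Accept carrying the pool address is discarded.

```python
"""Model of the asynchronous-proxy reply race (added example, not Radiator code)."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8  # attribute type, RFC 2865 section 5.8

# Constructed values for this example only.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
POOL_ADDRESS = "192.0.2.77"  # constructed stand-in for an address from the pool


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_reply(code, ident, req_auth, attrs, secret):
    """Build a RADIUS reply whose Response Authenticator follows RFC 2865
    section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    payload = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(payload))
    resp_auth = hashlib.md5(header + req_auth + payload + secret).digest()
    return header + resp_auth + payload


def verify_reply(packet, req_auth, secret):
    """Recompute the Response Authenticator against the matching request."""
    header, resp_auth, payload = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + payload + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def framed_ip(packet):
    """Framed-IP-Address as text, or 0.0.0.0 when the Accept carries none,
    which is what the NAS in the post assigned in that case."""
    for atype, value in parse_attrs(packet):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return "0.0.0.0"


class Nas:
    """Minimal reply matcher: one outstanding request per Identifier, the
    first valid reply is taken, anything arriving later is discarded."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}    # Identifier -> Request Authenticator
        self.sessions = {}   # Identifier -> address assigned
        self.discarded = []  # Identifiers of replies dropped

    def send_request(self, ident, req_auth):
        self.pending[ident] = req_auth

    def receive(self, packet):
        ident = packet[1]
        req_auth = self.pending.get(ident)
        if req_auth is None or not verify_reply(packet, req_auth, self.secret):
            self.discarded.append(ident)
            return None
        del self.pending[ident]
        self.sessions[ident] = framed_ip(packet)
        return self.sessions[ident]


def replyhook_race(ident=42):
    """Replay the sequence from the post: the immediate attribute-less Accept
    wins, the proxied Accept with the pool address is dropped."""
    nas = Nas(SECRET)
    nas.send_request(ident, REQUEST_AUTHENTICATOR)
    immediate = build_reply(ACCESS_ACCEPT, ident, REQUEST_AUTHENTICATOR, [], SECRET)
    proxied = build_reply(ACCESS_ACCEPT, ident, REQUEST_AUTHENTICATOR,
                          [(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(POOL_ADDRESS).packed)],
                          SECRET)
    first = nas.receive(immediate)   # taken: session gets 0.0.0.0
    second = nas.receive(proxied)    # dropped: Identifier already answered
    return first, second, nas.sessions[ident], framed_ip(proxied), nas.discarded


if __name__ == "__main__":
    print(replyhook_race())
```

The point the model makes is that correctness here is decided by which reply reaches the NAS first, not by which one carries the right attributes; a detection for this misconfiguration is an Access-Accept logged with no Framed-IP-Address on a handler that is expected to allocate one.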

