(RADIATOR) Session Database issues.
Griff Hamlin, III
griff3 at quik.com
Thu Jan 17 13:02:37 CST 2002
I am using Radiator 2.18.3 on AIX. I find that even though in my config
file I have DefaultSimultaneousUse 1 set, all users are still allowed
on. I use an SQL session database, and when I try tests using radpwtst I
find something peculiar.
I first run the following command:
/usr/local/Radiator-2.18/radpwtst -nostop -user=hamlin -password=XXXX
-auth_port=1645 -acct_port=1646 -calling_station_id 9095551212
-nas_ip_address 127.0.0.1
This gives me an accesss accept and place the user information into my
sql 'online' table. I purposely do not let radpwtst send a stop packet
so that the information will remain in the online table.
I then change the phone number (because I have a hook that checks for
it) and run the following command from radpwtst.
/usr/local/Radiator-2.18/radpwtst -noacct -user=hamlin -password=XXXX
-auth_port=1645 -acct_port=1646 -calling_station_id 9495551213
-nas_ip_address 127.0.0.1
Notice that now, I have changed it to -noacct since all I want is the
access reply.
Strangely enough, it is accepted! Yet I can see the row in the online
database. I get the following from the logfile on trace 4. This is the
access request after the user is already in the online sql database.
---------logfile output ----------------------------
*** Received from 127.0.0.1 port 46269 ....
Code: Access-Request
Identifier: 17
Authentic: 1234567890123456
Attributes:
User-Name = "hamlin"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "9491234546"
NAS-Port-Type = Async
User-Password =
"<207><184>f<154><223>5p<246><188>8<9><160><216>}x<153>"
Fri Jan 18 05:39:47 2002: INFO: Checking :hamlin: call-id :9491234546:
Fri Jan 18 05:39:47 2002: INFO: CallIDHook: returned row ---> 'hamlin',
'9095551212'
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler Service-Type =
Call-Check should be used to handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler User-Name = admin
should be used to handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler
Request-Type=Accounting-Request should be used to handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler should be used to
handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Handling request with Handler ''
Fri Jan 18 05:39:47 2002: DEBUG: Rewrote user name to hamlin
Fri Jan 18 05:39:47 2002: DEBUG: Deleting session for hamlin,
127.0.0.1, 1234 <-----### This seems odd to me
Fri Jan 18 05:39:47 2002: DEBUG: do query is: delete from online where
(nasidentifier='127.0.0.1')&&(nasport='1234')
Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL
Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL:
Fri Jan 18 05:39:47 2002: DEBUG: Query is: select check_items,
reply_items, case when (prepay='false') then
if(session_timeout,session_timeout,NULL) when
((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when
((prepay='true')&&(!(ISNULL(session_timeout)))) then
if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout)
end from users where (username='hamlin' && handler_group='defau')
Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL looks for match with
hamlin
Fri Jan 18 05:39:47 2002: DEBUG: Query is: select username,
acctsessionid from online where username='hamlin'
Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL ACCEPT:
Fri Jan 18 05:39:47 2002: DEBUG: Access accepted for hamlin
Fri Jan 18 05:39:47 2002::hamlin accepted from 127.0.0.1, called
123456789 from
9491234546
Fri Jan 18 05:39:47 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 46269 ....
Code: Access-Accept
Identifier: 17
Authentic: 1234567890123456
Attributes:
Framed-IP-Address = 255.255.255.254
Framed-Routing = None
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Netmask = 255.255.255.255
Idle-Timeout = 900
Framed-Protocol = PPP
Service-Type = Framed-User
----------end logfile
output---------------------------------------------------
I have labelled the line above that seems strange to me. Why would it
delete the session from the online sql database before doing anything
else? I found the line in Handler.pm that does this and commented it
out. When I then tried this test, it works like a champ (It's line 257
in Handler.pm). Perhaps I am doing something wrong. My radius.cfg file
is as follows:
---------- radius.cfg --------------
# Values for testing only
Trace 4
#Trace 3
#AuthPort 1812
#AcctPort 1813
# Directory where logfile and details file are
LogDir /var/adm/radacct
# Database directory. Should contain:
# users The user database
# dictionary The dictionary for your NAS
DbDir /etc/raddb
AuthPort 1645
AcctPort 1646
# client list
include %D/client_list.cfg
SnmpgetProg /usr/bin/snmp_aix.pl
PreClientHook file:"/etc/raddb/CallIdCheck.hook"
# Global parameters
LivingstonOffs 29
LivingstonHole 2
LivingstonMIB 1.3.6.1.4.1.307
# Define Global Variables
# DbHost should be localhost
DefineGlobalVar DbHost ns2.quik.com.au
DefineGlobalVar DbServer xxxxxx
DefineGlobalVar DbUser xxxxx
DefineGlobalVar DbPass xxxxxx
# Online Session Database
<SessionDatabase SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AddQuery insert into online (username, nasidentifier, nasport,\
acctsessionid, callingid, framedaddress) values ('%U','%c',\
'%{NAS-Port}','%{Acct-Session-Id}','%{Calling-Station-Id}',\
'%{Framed-IP-Address}')
DeleteQuery delete from online where
(nasidentifier='%1')&&(nasport='%2')
CountQuery select username, acctsessionid from online where
username='%n'
</SessionDatabase>
<AuthLog FILE>
Identifier log1
Filename %L/logfile
LogSuccess 1
LogFailure 1
@
SuccessFormat %l::%n accepted from %c, called %{Called-Station-Id}
from %{Calling-Station-Id}
FailureFormat %l::%n rejected from %c, %1, Called %{Called-Station-Id}
from %{Calling-Station-Id}, password=%P
</AuthLog>
# Process call-check requests.
<Handler Service-Type = Call-Check>
AcctLogFileName %L/callcheck.log
<AuthBy SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
Timeout 8
FailureBackoffTime 10
AuthSelect select handler_group from check where \
(dialing_number='%{Calling-Station-Id}')&& \
(handler_group='%{Handler-Group}')
AuthColumnDef 0,Handler-Group,check
</AuthBy>
</Handler>
# Get rid of admin accounting requests
<Handler User-Name = admin>
</Handler>
# Handle all accounting here.
<Handler Request-Type=Accounting-Request>
RewriteUsername s/^([^@]+).*/$1/
# Need a little hook here to determine if this is an accounting packet
# whether we use the Livingston or Acct-Terminate-Cause attributes.
# This gets the attribute Livingston if it exists, if not, gets
# Acct-Terminate-Cause, if not gets Ascend-Disconnect-Cause
# Put the correct one in new attribute %{Term-Cause} to be used later
PreAuthHook file:"/etc/raddb/accounting.hook"
<AuthBy GROUP>
AuthByPolicy ContinueWhileAccept
<AuthBy SQL>
DBSource dbi:mysql:cheetah:ns.quik.com.au
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AccountingTable dialupusage
AccountingStopsOnly
Timeout 8
FailureBackoffTime 10
AcctColumnDef username, %U, formatted
AcctColumnDef session_id, %{Acct-Session-Id}%m-%d, formatted
AcctColumnDef router_ip, %c, formatted
AcctColumnDef date, %f-%g-%i %j:%k:%p, formatted
AcctColumnDef session_time, %{Acct-Session-Time}, formatted
AcctColumnDef ip_address, %{Framed-IP-Address}, formatted
AcctColumnDef phone, %{Calling-Station-Id}, formatted
AcctColumnDef terminate_cause, %{Term-Cause}, formatted
</AuthBy>
<AuthBy SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AccountingStopsOnly
Timeout 8
FailureBackoffTime 10
AcctSQLStatement update users set
prepaid_timeleft=prepaid_timeleft-0%{Acct-Session-Time} where
(prepay='true')&&(username='%U')
</AuthBy> # SQL
</AuthBy> # Group
</Handler>
# Handle the bulk of the users using our radius:users SQL table
<Handler>
# remove the realm
RewriteUsername s/^([^@]+).*/$1/
<AuthBy GROUP>
AuthByPolicy ContinueWhileIgnore
<AuthBy SQL>
IgnoreAccounting
Timeout 8
FailureBackoffTime 10
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
NoDefault
DefaultSimultaneousUse 1
# This AuthSelect gets a comma separated list of check items, a
comma
# separated list of reply items from the radius:users table
AuthSelect select check_items, reply_items, case when
(prepay='false') then if(session_timeout,session_timeout,NULL) when
((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when
((prepay='true')&&(!(ISNULL(session_timeout)))) then
if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout)
end from users where (username='%U' && handler_group='%{Handler-Group}')
# As it turns out, an attributename of GENERIC means that it is a
# comma separated list of attribute=value pairs.
# AuthColumnDef statements define the returned value from the
database
# AuthColumnDef <position number in select starting with 0>,
attribute
# name (or GENERIC if list), and whether check, reply, or request
(to be
# used in later sql statement).
AuthColumnDef 0,GENERIC, check
AuthColumnDef 1,GENERIC,reply
AuthColumnDef 2,Session-Timeout,reply
</AuthBy> #SQL
# <AuthBy FILE>
# # if db fails
# Filename %D/users
# </AuthBy>
</AuthBy> # Group
PostAuthHook file:"/etc/raddb/prepay_overuse.hook"
AuthLog log1
</Handler>
------- end radius.cfg
Any help is greatly appreciated.
Griff Hamlin, III
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list