(RADIATOR) Session Database issues.

Utku Er erutku at netone.net.tr
Thu Jan 17 17:02:11 CST 2002


Hi Griff, 

The reason of that strange lines that you mention is the radiator's default session database implementation which is right. Its because only one user can be connected from the same nasidentifier and nas port at any time...  

 When a user access request comes, radiator first erases the line with the same nas and same nas port in the database just in case of a problem... this means it has to run DeleteQuery first... 

 Since your two radpwtst tests sends the same nasidentifier and nasport, regardless of the other things, you will always get OK for that... Try changing nas_ip_address or nas_port to see the real behaviour... 

 The other conceptual problem is changing the calling-number attribute does not affect anything since this attribute either not exists in the countquery or the deletequery.

Utku Er.

  ----- Original Message ----- 
  From: Griff Hamlin, III 
  To: radiator at open.com.au 
  Sent: Thursday, January 17, 2002 9:02 PM
  Subject: (RADIATOR) Session Database issues.


  I am using Radiator 2.18.3 on AIX. I find that even though in my config
  file I have DefaultSimultaneousUse 1 set, all users are still allowed
  on. I use an SQL session database, and when I try tests using radpwtst I
  find something peculiar.

  I first run the following command:
  /usr/local/Radiator-2.18/radpwtst -nostop -user=hamlin -password=XXXX
  -auth_port=1645 -acct_port=1646 -calling_station_id 9095551212
  -nas_ip_address 127.0.0.1

  This gives me an accesss accept and place the user information into my
  sql 'online' table. I purposely do not let radpwtst send a stop packet
  so that the information will remain in the online table.

  I then change the phone number (because I have a hook that checks for
  it) and run the following command from radpwtst.
  /usr/local/Radiator-2.18/radpwtst -noacct -user=hamlin -password=XXXX
  -auth_port=1645 -acct_port=1646 -calling_station_id 9495551213
  -nas_ip_address 127.0.0.1

  Notice that now, I have changed it to -noacct since all I want is the
  access reply.

  Strangely enough, it is accepted! Yet I can see the row in the online
  database. I get the following from the logfile on trace 4. This is the
  access request after the user is already in the online sql database.

  ---------logfile output ----------------------------
  *** Received from 127.0.0.1 port 46269 ....
  Code:       Access-Request
  Identifier: 17
  Authentic:  1234567890123456
  Attributes:
     User-Name = "hamlin"
     Service-Type = Framed-User
     NAS-IP-Address = 127.0.0.1
     NAS-Port = 1234
     Called-Station-Id = "123456789"
     Calling-Station-Id = "9491234546"
     NAS-Port-Type = Async
     User-Password =
  "<207><184>f<154><223>5p<246><188>8<9><160><216>}x<153>"

  Fri Jan 18 05:39:47 2002: INFO: Checking :hamlin: call-id :9491234546:
  Fri Jan 18 05:39:47 2002: INFO: CallIDHook: returned row --->  'hamlin',
  '9095551212'
  Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler Service-Type =
  Call-Check should be used to handle this request
  Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler User-Name = admin
  should be used to handle this request
  Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler
  Request-Type=Accounting-Request should be used to handle this request
  Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler  should be used to
  handle this request
  Fri Jan 18 05:39:47 2002: DEBUG: Handling request with Handler ''
  Fri Jan 18 05:39:47 2002: DEBUG: Rewrote user name to hamlin
  Fri Jan 18 05:39:47 2002: DEBUG:  Deleting session for hamlin,
  127.0.0.1, 1234   <-----### This seems odd to me
  Fri Jan 18 05:39:47 2002: DEBUG: do query is: delete from online where
  (nasidentifier='127.0.0.1')&&(nasport='1234')

  Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthGROUP
  Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL
  Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL:
  Fri Jan 18 05:39:47 2002: DEBUG: Query is: select check_items,
  reply_items, case when (prepay='false') then
  if(session_timeout,session_timeout,NULL) when
  ((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when
  ((prepay='true')&&(!(ISNULL(session_timeout)))) then
  if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout)
  end from users where (username='hamlin' && handler_group='defau')

  Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL looks for match with
  hamlin
  Fri Jan 18 05:39:47 2002: DEBUG: Query is: select username,
  acctsessionid from online where username='hamlin'

  Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL ACCEPT:
  Fri Jan 18 05:39:47 2002: DEBUG: Access accepted for hamlin
  Fri Jan 18 05:39:47 2002::hamlin accepted from 127.0.0.1, called
  123456789 from
  9491234546
  Fri Jan 18 05:39:47 2002: DEBUG: Packet dump:
  *** Sending to 127.0.0.1 port 46269 ....
  Code:       Access-Accept
  Identifier: 17
  Authentic:  1234567890123456
  Attributes:
     Framed-IP-Address = 255.255.255.254
     Framed-Routing = None
     Framed-Compression = Van-Jacobson-TCP-IP
     Framed-IP-Netmask = 255.255.255.255
     Idle-Timeout = 900
     Framed-Protocol = PPP
     Service-Type = Framed-User
  ----------end logfile
  output---------------------------------------------------

  I have labelled the line above that seems strange to me. Why would it
  delete the session from the online sql database before doing anything
  else? I found the line in Handler.pm that does this and commented it
  out. When I then tried this test, it works like a champ (It's line 257
  in Handler.pm). Perhaps I am doing something wrong. My radius.cfg file
  is as follows:

  ---------- radius.cfg --------------
  # Values for testing only
  Trace 4
  #Trace 3
  #AuthPort 1812
  #AcctPort 1813

  # Directory where logfile and details file are
  LogDir /var/adm/radacct

  # Database directory. Should contain:
  # users           The user database
  # dictionary      The dictionary for your NAS
  DbDir /etc/raddb

  AuthPort 1645
  AcctPort 1646

  # client list
  include %D/client_list.cfg
  SnmpgetProg /usr/bin/snmp_aix.pl
  PreClientHook file:"/etc/raddb/CallIdCheck.hook"

  # Global parameters
  LivingstonOffs 29
  LivingstonHole 2
  LivingstonMIB 1.3.6.1.4.1.307

  # Define Global Variables
  # DbHost should be localhost
  DefineGlobalVar DbHost ns2.quik.com.au
  DefineGlobalVar DbServer xxxxxx
  DefineGlobalVar DbUser  xxxxx
  DefineGlobalVar DbPass  xxxxxx

  # Online Session Database
  <SessionDatabase SQL>

     DBSource %{GlobalVar:DbServer}
     DBUsername %{GlobalVar:DbUser}
     DBAuth %{GlobalVar:DbPass}

     AddQuery insert into online (username, nasidentifier, nasport,\
              acctsessionid, callingid, framedaddress) values ('%U','%c',\

              '%{NAS-Port}','%{Acct-Session-Id}','%{Calling-Station-Id}',\

              '%{Framed-IP-Address}')

     DeleteQuery delete from online where
  (nasidentifier='%1')&&(nasport='%2')

     CountQuery select username, acctsessionid from online where
  username='%n'

  </SessionDatabase>

  <AuthLog FILE>
    Identifier log1
    Filename %L/logfile
    LogSuccess 1
    LogFailure 1
  @

    SuccessFormat %l::%n accepted from %c, called %{Called-Station-Id}
  from %{Calling-Station-Id}
    FailureFormat %l::%n rejected from %c, %1, Called %{Called-Station-Id}
  from %{Calling-Station-Id}, password=%P
  </AuthLog>

  # Process call-check requests.
  <Handler Service-Type = Call-Check>
     AcctLogFileName %L/callcheck.log
     <AuthBy SQL>
        DBSource    %{GlobalVar:DbServer}
        DBUsername  %{GlobalVar:DbUser}
        DBAuth      %{GlobalVar:DbPass}
        Timeout 8
        FailureBackoffTime 10

        AuthSelect select handler_group from check where \
           (dialing_number='%{Calling-Station-Id}')&& \
           (handler_group='%{Handler-Group}')

        AuthColumnDef 0,Handler-Group,check


     </AuthBy>
  </Handler>

  # Get rid of admin accounting requests
  <Handler User-Name = admin>
  </Handler>

  # Handle all accounting here.
  <Handler Request-Type=Accounting-Request>
    RewriteUsername s/^([^@]+).*/$1/
    # Need a little hook here to determine if this is an accounting packet

    # whether we use the Livingston or Acct-Terminate-Cause attributes.
    # This gets the attribute Livingston if it exists, if not, gets
    # Acct-Terminate-Cause, if not gets Ascend-Disconnect-Cause
    # Put the correct one in new attribute %{Term-Cause} to be used later
    PreAuthHook file:"/etc/raddb/accounting.hook"

    <AuthBy GROUP>
      AuthByPolicy ContinueWhileAccept
      <AuthBy SQL>
        DBSource    dbi:mysql:cheetah:ns.quik.com.au
        DBUsername  %{GlobalVar:DbUser}
        DBAuth      %{GlobalVar:DbPass}
        AccountingTable dialupusage
        AccountingStopsOnly
        Timeout 8
        FailureBackoffTime 10

        AcctColumnDef username, %U, formatted
        AcctColumnDef session_id, %{Acct-Session-Id}%m-%d, formatted
        AcctColumnDef router_ip, %c, formatted
        AcctColumnDef date, %f-%g-%i %j:%k:%p, formatted
        AcctColumnDef session_time, %{Acct-Session-Time}, formatted
        AcctColumnDef ip_address, %{Framed-IP-Address}, formatted
        AcctColumnDef phone, %{Calling-Station-Id}, formatted
        AcctColumnDef terminate_cause, %{Term-Cause}, formatted
      </AuthBy>
      <AuthBy SQL>
        DBSource    %{GlobalVar:DbServer}
        DBUsername  %{GlobalVar:DbUser}
        DBAuth      %{GlobalVar:DbPass}
        AccountingStopsOnly
        Timeout 8
        FailureBackoffTime 10

        AcctSQLStatement update users set
  prepaid_timeleft=prepaid_timeleft-0%{Acct-Session-Time} where
  (prepay='true')&&(username='%U')
      </AuthBy> # SQL
    </AuthBy> # Group
  </Handler>

  # Handle the bulk of the users using our radius:users SQL table
  <Handler>
    # remove the realm
    RewriteUsername s/^([^@]+).*/$1/

    <AuthBy GROUP>
      AuthByPolicy ContinueWhileIgnore
      <AuthBy SQL>
        IgnoreAccounting
        Timeout 8
        FailureBackoffTime 10

        DBSource    %{GlobalVar:DbServer}
        DBUsername  %{GlobalVar:DbUser}
        DBAuth      %{GlobalVar:DbPass}
        NoDefault
        DefaultSimultaneousUse 1

        # This AuthSelect gets a comma separated list of check items, a
  comma
        # separated list of reply items from the radius:users table

         AuthSelect select check_items, reply_items, case when
  (prepay='false') then if(session_timeout,session_timeout,NULL) when
  ((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when
  ((prepay='true')&&(!(ISNULL(session_timeout)))) then
  if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout)
  end from users where (username='%U' && handler_group='%{Handler-Group}')

        # As it turns out, an attributename of GENERIC means that it is a
        # comma separated list of attribute=value pairs.
        # AuthColumnDef statements define the returned value from the
  database
        # AuthColumnDef <position number in select starting with 0>,
  attribute
        # name (or GENERIC if list), and whether check, reply, or request
  (to be
        # used in later sql statement).
        AuthColumnDef 0,GENERIC, check
        AuthColumnDef 1,GENERIC,reply
        AuthColumnDef 2,Session-Timeout,reply

      </AuthBy> #SQL
  #   <AuthBy FILE>
  #     # if db fails
  #     Filename %D/users
  #   </AuthBy>
    </AuthBy> # Group
    PostAuthHook file:"/etc/raddb/prepay_overuse.hook"
    AuthLog log1
  </Handler>

  ------- end radius.cfg

  Any help is greatly appreciated.

  Griff Hamlin, III




  ===
  Archive at http://www.open.com.au/archives/radiator/
  Announcements on radiator-announce at open.com.au
  To unsubscribe, email 'majordomo at open.com.au' with
  'unsubscribe radiator' in the body of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20020118/ac48bd87/attachment.html>


More information about the radiator mailing list