(RADIATOR) Session Database issues.
Utku Er
erutku at netone.net.tr
Thu Jan 17 17:02:11 CST 2002
Hi Griff,
The reason of that strange lines that you mention is the radiator's default session database implementation which is right. Its because only one user can be connected from the same nasidentifier and nas port at any time...
When a user access request comes, radiator first erases the line with the same nas and same nas port in the database just in case of a problem... this means it has to run DeleteQuery first...
Since your two radpwtst tests sends the same nasidentifier and nasport, regardless of the other things, you will always get OK for that... Try changing nas_ip_address or nas_port to see the real behaviour...
The other conceptual problem is changing the calling-number attribute does not affect anything since this attribute either not exists in the countquery or the deletequery.
Utku Er.
----- Original Message -----
From: Griff Hamlin, III
To: radiator at open.com.au
Sent: Thursday, January 17, 2002 9:02 PM
Subject: (RADIATOR) Session Database issues.
I am using Radiator 2.18.3 on AIX. I find that even though in my config
file I have DefaultSimultaneousUse 1 set, all users are still allowed
on. I use an SQL session database, and when I try tests using radpwtst I
find something peculiar.
I first run the following command:
/usr/local/Radiator-2.18/radpwtst -nostop -user=hamlin -password=XXXX
-auth_port=1645 -acct_port=1646 -calling_station_id 9095551212
-nas_ip_address 127.0.0.1
This gives me an accesss accept and place the user information into my
sql 'online' table. I purposely do not let radpwtst send a stop packet
so that the information will remain in the online table.
I then change the phone number (because I have a hook that checks for
it) and run the following command from radpwtst.
/usr/local/Radiator-2.18/radpwtst -noacct -user=hamlin -password=XXXX
-auth_port=1645 -acct_port=1646 -calling_station_id 9495551213
-nas_ip_address 127.0.0.1
Notice that now, I have changed it to -noacct since all I want is the
access reply.
Strangely enough, it is accepted! Yet I can see the row in the online
database. I get the following from the logfile on trace 4. This is the
access request after the user is already in the online sql database.
---------logfile output ----------------------------
*** Received from 127.0.0.1 port 46269 ....
Code: Access-Request
Identifier: 17
Authentic: 1234567890123456
Attributes:
User-Name = "hamlin"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "9491234546"
NAS-Port-Type = Async
User-Password =
"<207><184>f<154><223>5p<246><188>8<9><160><216>}x<153>"
Fri Jan 18 05:39:47 2002: INFO: Checking :hamlin: call-id :9491234546:
Fri Jan 18 05:39:47 2002: INFO: CallIDHook: returned row ---> 'hamlin',
'9095551212'
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler Service-Type =
Call-Check should be used to handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler User-Name = admin
should be used to handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler
Request-Type=Accounting-Request should be used to handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler should be used to
handle this request
Fri Jan 18 05:39:47 2002: DEBUG: Handling request with Handler ''
Fri Jan 18 05:39:47 2002: DEBUG: Rewrote user name to hamlin
Fri Jan 18 05:39:47 2002: DEBUG: Deleting session for hamlin,
127.0.0.1, 1234 <-----### This seems odd to me
Fri Jan 18 05:39:47 2002: DEBUG: do query is: delete from online where
(nasidentifier='127.0.0.1')&&(nasport='1234')
Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL
Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL:
Fri Jan 18 05:39:47 2002: DEBUG: Query is: select check_items,
reply_items, case when (prepay='false') then
if(session_timeout,session_timeout,NULL) when
((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when
((prepay='true')&&(!(ISNULL(session_timeout)))) then
if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout)
end from users where (username='hamlin' && handler_group='defau')
Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL looks for match with
hamlin
Fri Jan 18 05:39:47 2002: DEBUG: Query is: select username,
acctsessionid from online where username='hamlin'
Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL ACCEPT:
Fri Jan 18 05:39:47 2002: DEBUG: Access accepted for hamlin
Fri Jan 18 05:39:47 2002::hamlin accepted from 127.0.0.1, called
123456789 from
9491234546
Fri Jan 18 05:39:47 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 46269 ....
Code: Access-Accept
Identifier: 17
Authentic: 1234567890123456
Attributes:
Framed-IP-Address = 255.255.255.254
Framed-Routing = None
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Netmask = 255.255.255.255
Idle-Timeout = 900
Framed-Protocol = PPP
Service-Type = Framed-User
----------end logfile
output---------------------------------------------------
I have labelled the line above that seems strange to me. Why would it
delete the session from the online sql database before doing anything
else? I found the line in Handler.pm that does this and commented it
out. When I then tried this test, it works like a champ (It's line 257
in Handler.pm). Perhaps I am doing something wrong. My radius.cfg file
is as follows:
---------- radius.cfg --------------
# Values for testing only
Trace 4
#Trace 3
#AuthPort 1812
#AcctPort 1813
# Directory where logfile and details file are
LogDir /var/adm/radacct
# Database directory. Should contain:
# users The user database
# dictionary The dictionary for your NAS
DbDir /etc/raddb
AuthPort 1645
AcctPort 1646
# client list
include %D/client_list.cfg
SnmpgetProg /usr/bin/snmp_aix.pl
PreClientHook file:"/etc/raddb/CallIdCheck.hook"
# Global parameters
LivingstonOffs 29
LivingstonHole 2
LivingstonMIB 1.3.6.1.4.1.307
# Define Global Variables
# DbHost should be localhost
DefineGlobalVar DbHost ns2.quik.com.au
DefineGlobalVar DbServer xxxxxx
DefineGlobalVar DbUser xxxxx
DefineGlobalVar DbPass xxxxxx
# Online Session Database
<SessionDatabase SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AddQuery insert into online (username, nasidentifier, nasport,\
acctsessionid, callingid, framedaddress) values ('%U','%c',\
'%{NAS-Port}','%{Acct-Session-Id}','%{Calling-Station-Id}',\
'%{Framed-IP-Address}')
DeleteQuery delete from online where
(nasidentifier='%1')&&(nasport='%2')
CountQuery select username, acctsessionid from online where
username='%n'
</SessionDatabase>
<AuthLog FILE>
Identifier log1
Filename %L/logfile
LogSuccess 1
LogFailure 1
@
SuccessFormat %l::%n accepted from %c, called %{Called-Station-Id}
from %{Calling-Station-Id}
FailureFormat %l::%n rejected from %c, %1, Called %{Called-Station-Id}
from %{Calling-Station-Id}, password=%P
</AuthLog>
# Process call-check requests.
<Handler Service-Type = Call-Check>
AcctLogFileName %L/callcheck.log
<AuthBy SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
Timeout 8
FailureBackoffTime 10
AuthSelect select handler_group from check where \
(dialing_number='%{Calling-Station-Id}')&& \
(handler_group='%{Handler-Group}')
AuthColumnDef 0,Handler-Group,check
</AuthBy>
</Handler>
# Get rid of admin accounting requests
<Handler User-Name = admin>
</Handler>
# Handle all accounting here.
<Handler Request-Type=Accounting-Request>
RewriteUsername s/^([^@]+).*/$1/
# Need a little hook here to determine if this is an accounting packet
# whether we use the Livingston or Acct-Terminate-Cause attributes.
# This gets the attribute Livingston if it exists, if not, gets
# Acct-Terminate-Cause, if not gets Ascend-Disconnect-Cause
# Put the correct one in new attribute %{Term-Cause} to be used later
PreAuthHook file:"/etc/raddb/accounting.hook"
<AuthBy GROUP>
AuthByPolicy ContinueWhileAccept
<AuthBy SQL>
DBSource dbi:mysql:cheetah:ns.quik.com.au
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AccountingTable dialupusage
AccountingStopsOnly
Timeout 8
FailureBackoffTime 10
AcctColumnDef username, %U, formatted
AcctColumnDef session_id, %{Acct-Session-Id}%m-%d, formatted
AcctColumnDef router_ip, %c, formatted
AcctColumnDef date, %f-%g-%i %j:%k:%p, formatted
AcctColumnDef session_time, %{Acct-Session-Time}, formatted
AcctColumnDef ip_address, %{Framed-IP-Address}, formatted
AcctColumnDef phone, %{Calling-Station-Id}, formatted
AcctColumnDef terminate_cause, %{Term-Cause}, formatted
</AuthBy>
<AuthBy SQL>
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
AccountingStopsOnly
Timeout 8
FailureBackoffTime 10
AcctSQLStatement update users set
prepaid_timeleft=prepaid_timeleft-0%{Acct-Session-Time} where
(prepay='true')&&(username='%U')
</AuthBy> # SQL
</AuthBy> # Group
</Handler>
# Handle the bulk of the users using our radius:users SQL table
<Handler>
# remove the realm
RewriteUsername s/^([^@]+).*/$1/
<AuthBy GROUP>
AuthByPolicy ContinueWhileIgnore
<AuthBy SQL>
IgnoreAccounting
Timeout 8
FailureBackoffTime 10
DBSource %{GlobalVar:DbServer}
DBUsername %{GlobalVar:DbUser}
DBAuth %{GlobalVar:DbPass}
NoDefault
DefaultSimultaneousUse 1
# This AuthSelect gets a comma separated list of check items, a
comma
# separated list of reply items from the radius:users table
AuthSelect select check_items, reply_items, case when
(prepay='false') then if(session_timeout,session_timeout,NULL) when
((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when
((prepay='true')&&(!(ISNULL(session_timeout)))) then
if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout)
end from users where (username='%U' && handler_group='%{Handler-Group}')
# As it turns out, an attributename of GENERIC means that it is a
# comma separated list of attribute=value pairs.
# AuthColumnDef statements define the returned value from the
database
# AuthColumnDef <position number in select starting with 0>,
attribute
# name (or GENERIC if list), and whether check, reply, or request
(to be
# used in later sql statement).
AuthColumnDef 0,GENERIC, check
AuthColumnDef 1,GENERIC,reply
AuthColumnDef 2,Session-Timeout,reply
</AuthBy> #SQL
# <AuthBy FILE>
# # if db fails
# Filename %D/users
# </AuthBy>
</AuthBy> # Group
PostAuthHook file:"/etc/raddb/prepay_overuse.hook"
AuthLog log1
</Handler>
------- end radius.cfg
Any help is greatly appreciated.
Griff Hamlin, III
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20020118/ac48bd87/attachment.html>
More information about the radiator
mailing list