(RADIATOR) Bug in AuthSQL/AuthEMERALD when handling AcctSqlStatement

Hugh Irvine hugh at open.com.au
Wed Jun 19 19:12:01 CDT 2002


Hello Robert -

Could you please send me a trace 4 debug from Radiator showing the problem?

thanks

Hugh


On Thu, 20 Jun 2002 03:26, Robert G. Fisher wrote:
>     There appears to be a bug in the way that AuthSQL and
> thus AuthEMERALD handle the AcctSqlStatement in different
> Handler sections.
>     I have two Handler declarations, each with 2 AuthBy
> Emerald modules to handle accounting and authentication
> requests.  I am only using AcctSqlStatement in the first
> AuthBy of the first Handler -- however, this SQL Statement
> is being executed irregardless of which handler is called.
>
>    I am not having the same problem with the places that
> I am utilizing AddToReply, AddToReplyIfNotExist, or the
> AuthEMERALD's TimeBanking flag -- only on AcctSqlStatement
> and have tested this on Radiator 2.18.9 and 3.1.
>
>    Below is a copy of my config file to demonstrate:
>
>
> #plat.cfg
>
>
> LogDir		C:\Radiator
> DbDir		C:\Radiator
>
> PidFile		%D\radiator.pid
> DictionaryFile	%D\dictionary.new
>
> Foreground
> LogStdout
> #LogFile		C:\Radiator\debug.log
> #Trace 5
>
> AuthPort 1645
> AcctPort 1646
>
>
>
> SnmpgetProg	/usr/bin/snmpget
>
> DefineGlobalVar	PUBLISHER_DB	dbi:ODBC:PLAT_PUBLISHER
> DefineGlobalVar	SUBSCRIBER_DB	dbi:ODBC:PLAT_SUBSCRIBER
> DefineGlobalVar	databaseuser	dbuser
> DefineGlobalVar	databasepass	dbpass
>
> # Strip any initial P's which used to serve as a hint for PPP,
> # as well as any whitespace or NetBIOS realms and NetSurfer's
> # "DISABLED" mess.  Finally, convert any remaining upper case
> # letters to lowercase.
>
> RewriteUsername 	s/^P(\S+)/$1/
> RewriteUsername		s/\s+//g
> RewriteUsername 	s/(.*)\\(.*)/$2/
> RewriteUsername 	s/DISABLED(\S+)DISABLED/$1/
> RewriteUsername		tr/[A-Z]/[a-z]/
>
>
> <Log EMERALD>
>         DBSource        	%{GlobalVar:PUBLISHER_DB}
> 	DBUsername		%{GlobalVar:databaseuser}
>         DBAuth          	%{GlobalVar:databasepass}
> 	FailureBackoffTime	300
> 	Trace			3
> </Log>
>
> <ClientListSQL>
>         DBSource        	%{GlobalVar:SUBSCRIBER_DB}
> 	DBUsername		%{GlobalVar:databaseuser}
>         DBAuth          	%{GlobalVar:databasepass}
> 	FailureBackoffTime	300
> 	GetClientQuery		select IPAddress,secret,NULL,NULL,NULL,ServerType,Community,NULL,NULL,NULL,NULL,NULL,NULL,NULL,Comments from Servers
> </ClientListSQL>
>
>
> <Realm	sitestarsat.net>
> 	<AuthBy RADIUS>
> 		Host 216.53.136.112
> 		Secret ISiteSatStar
> 		AuthPort 1645
> 		AcctPort 1646
> 	</AuthBy>
> </Realm>
>
>
> <Handler Client-Identifier = "QwestRoaming">
>
> 	# Strip any REALM information.
>
> 	RewriteUsername s/^([^@]+).*/$1/
>
>
> 	AuthByPolicy	ContinueAlways
>
> 	<AuthBy EMERALD>
> 		DBSource        %{GlobalVar:PUBLISHER_DB}
> 		DBUsername	%{GlobalVar:databaseuser}
> 		DBAuth          %{GlobalVar:databasepass}
>
> 		FailureBackoffTime	300
>
> 		# Empty AuthSelect turns off authentication.
> 		# We want to update only Accounting data to
> 		# the publisher as it uses this for billing.
>
> 		AuthSelect
>
> 		AccountingTable	Calls
>
> 		AcctColumnDef	UserName,User-Name
> 		AcctColumnDef	CallDate,Timestamp,integer-date
> 		AcctColumnDef	AcctStatusType,Acct-Status-Type,integer
> 		AcctColumnDef	AcctDelayTime,Acct-Delay-Time,integer
> 		AcctColumnDef	AcctInputOctets,Acct-Input-Octets,integer
> 		AcctColumnDef	AcctOutputOctets,Acct-Output-Octets,integer
> 		AcctColumnDef	AcctSessionId,Acct-Session-Id
> 		AcctColumnDef	AcctSessionTime,Acct-Session-Time,integer
> 		AcctColumnDef	AcctTerminateCause,Acct-Terminate-Cause,integer
> 		AcctColumnDef	AcctTerminateCause,Ascend-Disconnect-Cause,integer
> 		AcctColumnDef	NASIdentifier,NAS-Identifier
> 		AcctColumnDef	NASIdentifier,NAS-IP-Address
> 		AcctColumnDef	NASIdentifier,Client-Id
> 		AcctColumnDef	NASPort,NAS-Port,integer
> 		AcctColumnDef	UserService,User-Service,integer
> 		AcctColumnDef	UserService,Service-Type,integer
> 		AcctColumnDef	FramedProtocol,Framed-Protocol,integer
> 		AcctColumnDef	FramedAddress,Framed-Address
> 		AcctColumnDef	FramedAddress,Framed-IP-Address
> 		AcctColumnDef	NASPortType,NAS-Port-Type,integer
> 		AcctColumnDef	NASPortDNIS,Called-Station-Id
> 		AcctColumnDef	CallerID,Calling-Station-Id
> 		AcctColumnDef	ConnectInfo,Connect-Info
>
> 		AcctSQLStatement  UPDATE Customer SET TimeLeft = TimeLeft - ( 0%{AcctSessionTime} / 60 ) WHERE TimeLeft is NOT NULL AND BlockUser = 'Y' AND Username = %U
>
> 	</AuthBy>
>
> 	<AuthBy EMERALD>
>                 DBSource        %{GlobalVar:SUBSCRIBER_DB}
> 		DBUsername	%{GlobalVar:databaseuser}
>                 DBAuth          %{GlobalVar:databasepass}
>
> 		# If we can't connect to the local db, let's
> 		# wait 5 minutes instead of 10.
> 		FailureBackoffTime	300
>
> 		# Empty AccountingTable turns off Accounting.
>
> 		# You can use this to force Radiator to limit
> 		# maximum session times to how many minutes
> 		# are left in subaccounts.timeleft
> 		TimeBanking
>
> 		# Management wants case-insensitive passwords.
> 		CaseInsensitivePasswords
>
>
> 		# You can optionally honour the LoginLimit
> 		# column in the emerald database
> 		# or any other column like this:
> 		# AuthSelect ,sa.LoginLimit
> 		# AuthColumnDef 0,Simultaneous-Use,check
>
> 		# Therefore you can add support for any number
> 		# of additional columns, if you wish.
> 		# Note that Platypus fixes LoginLimit at 1, so
> 		# if you enable this with Platypus, all your
> 		# users will be forced to a Simultaneous-Use limit
> 		# of 1
>
> 		# We're going to experiment with adding on the
> 		# default entries, even if the user has their own
> 		# set of avpairs.
> 		FallThrough
> 		AddATDefaults
>
> 		# We use AddToReplyIfNotExist to duplicate any measure of
> 		# Port-Limit, Session-Timeout, and Idle-Timeout into the
> 		# Ascend style attributes if they have not been added already.
>
> 		AddToReply Ascend-Data-Filter="ip in forward tcp est",\
> 			Ascend-Data-Filter="ip in forward dstip 205.160.234.0/24",\
> 			Ascend-Data-Filter="ip in forward dstip 208.11.77.0/24",\
> 			Ascend-Data-Filter="ip in forward dstip 208.27.43.0/24",\
> 			Ascend-Data-Filter="ip in forward dstip 208.31.78.0/24",\
> 			Ascend-Data-Filter="ip in forward dstip 66.221.18.170",\
> 			Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> 			Ascend-Data-Filter="ip in forward"
>
> 	</AuthBy>
> </Handler>
>
> <Handler>
>
> 	# Strip any REALM information
>
> 	RewriteUsername s/^([^@]+).*/$1/
>
> 	AuthByPolicy	ContinueAlways
> 	<AuthBy EMERALD>
>                 DBSource        %{GlobalVar:PUBLISHER_DB}
> 		DBUsername	%{GlobalVar:databaseuser}
>                 DBAuth          %{GlobalVar:databasepass}
>
> 		FailureBackoffTime	300
>
> 		# Empty AuthSelect turns off authentication.
> 		# We want to update only Accounting data to
> 		# the publisher as it uses this for billing.
>
> 		AuthSelect
>
> 		# You can add to or change these if you want.
> 		AccountingTable	Calls
> 		AcctColumnDef	UserName,User-Name
> 		AcctColumnDef	CallDate,Timestamp,integer-date
> 		AcctColumnDef	AcctStatusType,Acct-Status-Type,integer
> 		AcctColumnDef	AcctDelayTime,Acct-Delay-Time,integer
> 		AcctColumnDef	AcctInputOctets,Acct-Input-Octets,integer
> 		AcctColumnDef	AcctOutputOctets,Acct-Output-Octets,integer
> 		AcctColumnDef	AcctSessionId,Acct-Session-Id
> 		AcctColumnDef	AcctSessionTime,Acct-Session-Time,integer
> 		AcctColumnDef	AcctTerminateCause,Acct-Terminate-Cause,integer
> 		AcctColumnDef	AcctTerminateCause,Ascend-Disconnect-Cause,integer
> 		AcctColumnDef	NASIdentifier,NAS-Identifier
> 		AcctColumnDef	NASIdentifier,NAS-IP-Address
> 		AcctColumnDef	NASIdentifier,Client-Id
> 		AcctColumnDef	NASPort,NAS-Port,integer
> 		AcctColumnDef	UserService,User-Service,integer
> 		AcctColumnDef	UserService,Service-Type,integer
> 		AcctColumnDef	FramedProtocol,Framed-Protocol,integer
> 		AcctColumnDef	FramedAddress,Framed-Address
> 		AcctColumnDef	FramedAddress,Framed-IP-Address
> 		AcctColumnDef	NASPortType,NAS-Port-Type,integer
> 		AcctColumnDef	NASPortDNIS,Called-Station-Id
> 		AcctColumnDef	CallerID,Calling-Station-Id
> 		AcctColumnDef	ConnectInfo,Connect-Info
>
> 	</AuthBy>
>
> 	<AuthBy EMERALD>
>                 DBSource        %{GlobalVar:SUBSCRIBER_DB}
> 		DBUsername	%{GlobalVar:databaseuser}
>                 DBAuth          %{GlobalVar:databasepass}
>
> 		FailureBackoffTime	300
>
> 		# Empty AccountingTable turns off Accounting.
>
> 		AccountingTable
>
> 		# Management wants case-insensitive passwords.
>
> 		CaseInsensitivePasswords
>
>
> 		# You can optionally honour the LoginLimit column in the emerald database
> 		# or any other column like this:
> 		# AuthSelect ,sa.LoginLimit
> 		# AuthColumnDef 0,Simultaneous-Use,check
>
>
> 		# We're going to experiment with adding on the default entries,
> 		# even if the user has their own set of avpairs.
>
> 		FallThrough
> 		AddATDefaults
>
> 		# We use AddToReplyIfNotExist to duplicate any measure of
> 		# Port-Limit, Session-Timeout, and Idle-Timeout into the
> 		# Ascend style attributes if they have not been added already.
>
> 		AddToReplyIfNotExist Ascend-Maximum-Channels=%{Reply:Port-Limit}, \
> 			Ascend-Maximum-Time=%{Reply:Session-Timeout}, \
> 			Ascend-Idle-Limit=%{Reply:Idle-Timeout}
>
>
> 	</AuthBy>
> </Handler>

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
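
An added example, not part of either message and not Radiator code: a small Python check that lists, for each AuthBy clause in a Radiator-style config, the enclosing Handler and any AcctSQLStatement it sets, so the configured scope can be compared with what a trace shows. The sample config is constructed, the function names are hypothetical, nested AuthBy clauses are not handled, and the case-insensitive keyword match is this example's choice.

```python
import re

# Constructed sample in the style of the quoted config; not the poster's file.
SAMPLE = r"""
<Handler Client-Identifier = "QwestRoaming">
    <AuthBy EMERALD>
        AcctSQLStatement UPDATE Customer SET TimeLeft = TimeLeft - 1 \
            WHERE Username = 'x'
    </AuthBy>
</Handler>
<Handler>
    <AuthBy EMERALD>
        # AcctSQLStatement disabled here
        AccountingTable Calls
    </AuthBy>
</Handler>
"""

TAG = re.compile(r"^<(/?)(\w+)\s*(.*?)>$")

def logical_lines(text):
    """Strip mail '> ' quoting and comments, join backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
        else:
            yield pending + line
            pending = ""

def acct_sql_scopes(text, keyword="AcctSQLStatement"):
    """One dict per AuthBy clause: enclosing Handler and its SQL statements."""
    out, handler, current = [], None, None
    for line in logical_lines(text):
        if m := TAG.match(line):
            closing, name, arg = m.groups()
            if name == "Handler":
                handler = None if closing else arg
            elif name == "AuthBy" and closing:
                current = None
            elif name == "AuthBy":
                current = {"handler": handler, "type": arg, "sql": []}
                out.append(current)
        elif current is not None:
            key, *rest = line.split(None, 1)
            if key.lower() == keyword.lower():  # case-insensitive by choice
                current["sql"].append(rest[0] if rest else "")
    return out
```

An empty `handler` string marks the default `<Handler>`; `None` marks an AuthBy outside any Handler, such as one inside a `<Realm>`.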