(RADIATOR) Best Way to do this proxy

Skeeve Stevens skeeve at skeeve.org
Tue Nov 5 02:54:30 CST 2002


Is there much difference because we use Handlers?

I am not sure how you would integrate the Proxy radius for .... say
user at customer to be checked before being allowed to continue.

...Skeeve



example client:

<Client 203.194.28.131>
	Secret  m0d3m5
	NasType Ascend
	Identifier Comindico
</Client>


Session & Address:

<SessionDatabase SQL>
        Identifier SDB1
        DBSource dbi:mysql:xxx:xxx
        DBUsername xxx
        DBAuth xxx

        AddQuery insert into online (acct_handle,nas_id,online_nasport,online_sessionid,online_date,online_ipaddress,online_servicetype,online_calling_station,online_called_station,online_key,online_group) values ('%n','%N','%{NAS-Port}','%{Acct-Session-Id}',from_unixtime(%{Timestamp}),'%{Framed-IP-Address}','%{Service-Type}','%{Calling-Station-Id}','%{Called-Station-Id}','%{Ascend-Session-Svr-Key}','%{Client:X-GroupName}')

        DeleteQuery delete from online where acct_handle = '%n' and nas_id = '%N' and online_nasport = %{NAS-Port}

        ClearNasQuery delete from online where nas_id = '%N'

        CountQuery select nas_id,online_nasport,online_sessionid from online where acct_handle = '%n'
</SessionDatabase>

<AddressAllocator SQL>
        Identifier SDB1
        DBSource dbi:mysql:xxx:xxx
        DBUsername xxx
        DBAuth xxx

        FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP

        AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0, EXPIRY=%1, USERNAME=%2, NAS='%{Calling-Station-Id}' where YIADDR='%3' and TIME_STAMP %4

        AddAddressQuery insert into RADPOOL (STATE, TIME_STAMP, POOL, YIADDR, SUBNETMASK, DNSSERVER, USERNAME, NAS) values (0, %t, '%0', '%1', '%2', '%3', '%n', '%{Calling-Station-Id}')

        <AddressPool pool1>
                Subnetmask              255.255.255.255
                DNSServer               203.24.66.204
                Range                   203.222.150.192/26
        </AddressPool>
</AddressAllocator>


The Handler:

<Handler Client-Identifier = Comindico>

#<Realm DEFAULT>
	#AuthByPolicy ContinueWhileIgnore#

	AuthByPolicy ContinueWhileAccept
	RewriteUsername   tr/A-Z/a-z/
	SessionDatabase SDB1

	<AuthBy SQL>
		Identifier SDB1
		DBSource dbi:mysql:xxx:xxx
		DBUsername xxx
		DBAuth xxx

		# Only active (auth_stat_id = 1), unexpired, non-remote accounts return a row
		AuthSelect select auth_upass_crypt,((auth_max_sessions)*2) as auth_max_sessions,auth_idle_timeout,auth_subnet,auth_netmask,auth_replypairs,auth_dc_time,auth_group from auth where auth_uname='%n' and auth_stat_id = 1 and curdate() < auth_expire && auth_server != 1

		RejectEmptyPassword
		EncryptedPassword

		AddToReply Ascend-Client-Primary-DNS=203.24.66.204, Ascend-Client-Secondary-DNS=203.24.66.193, Ascend-Client-Assign-DNS = DNS-Assign-Yes, Framed-Protocol = PPP, Service-Type = Framed-User

		AccountingTable detail

		# Column positions follow the AuthSelect column order above
		AuthColumnDef 0, Encrypted-Password, check
		AuthColumnDef 1, Simultaneous-Use, check
		AuthColumnDef 2, Idle-Timeout, reply
		AuthColumnDef 3, Framed-IP-Address, reply
		AuthColumnDef 4, Framed-IP-Netmask, reply
		AuthColumnDef 5, Framed-Route, reply
		AuthColumnDef 6, Session-Timeout, reply
		AuthColumnDef 7, X-GroupName, reply

		AcctColumnDef detail_acct_handle,User-Name
		AcctColumnDef detail_nas_id,NAS-IP-Address
		AcctColumnDef detail_date,Timestamp,formatted-date,from_unixtime(%s)
		AcctColumnDef detail_type,Acct-Status-Type
		AcctColumnDef detail_delay,Acct-Delay-Time,integer
		AcctColumnDef detail_called_station,Called-Station-Id
		AcctColumnDef detail_calling_station,Calling-Station-Id
		AcctColumnDef detail_inbytes,Acct-Input-Octets,integer
		AcctColumnDef detail_outbytes,Acct-Output-Octets,integer
		AcctColumnDef detail_sessionid,Acct-Session-Id
		AcctColumnDef detail_sessiontime,Acct-Session-Time,integer
		AcctColumnDef detail_termcause,Acct-Terminate-Cause
		AcctColumnDef detail_termcause,Ascend-Disconnect-Cause
		AcctColumnDef detail_nasport,NAS-Port,integer
		AcctColumnDef detail_ipaddress,Framed-IP-Address
	</AuthBy>

	<AuthBy DYNADDRESS>
		Allocator SDB1
		PoolHint pool1
		MapAttribute   yiaddr, Framed-IP-Address
		MapAttribute   subnetmask, Framed-IP-Netmask
	</AuthBy>

	<AuthLog SQL>
		DBSource dbi:mysql:xxx:xxx
		DBUsername root
		DBAuth tekflex
		Table RADAUTHLOG
		LogSuccess 0
		LogFailure 1

		FailureQuery INSERT INTO authlog (username,timestamp,priority,message,password) VALUES ('%n', %t, %0, %1%r%r, '%P')
	</AuthLog>

	<Log SQL>
		DBSource dbi:mysql:xxx:xxx
		DBUsername xxx
		DBAuth xxx
		Table radlog
	</Log>
</Handler>


> -----Original Message-----
> From: owner-radiator at open.com.au 
> [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
> Sent: Monday, November 04, 2002 2:22 AM
> To: skeeve at skeeve.org
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Best Way to do this proxy
> 
> 
> 
> Hello Skeeve -
> 
> You should use two AuthBy clauses under the control of an AuthByPolicy,
> something like this:
> 
> # define AuthBy clauses (FILE/SQL/whatever)
> 
> <AuthBy FILE>
> 	Identifier CheckLocal
> 	.....
> </AuthBy>
> 
> <AuthBy RADIUS>
> 	Identifier CheckRemote
> 	....
> </AuthBy>
> 
> <Realm customer>
> 	AuthByPolicy ContinueWhileAccept
> 	AuthBy CheckLocal
> 	AuthBy CheckRemote
> 	.....
> </Realm>
> 
> 
> regards
> 
> Hugh
> 
> 
> On Saturday, November 2, 2002, at 09:53 PM, Skeeve Stevens wrote:
> 
> >
> > Question...
> >
> > I have a customer who wants to do their own Radius authentication.....
> > but... I don't want this customer to be able to create their own user
> > accounts and so on.
> >
> > I want them to call us, get the account put in our radius server and we
> > would provide at the first level:
> > - port usage limit check (for that customer)
> > - see if account exists
> > - see if account is active
> > - then check REMOTE customer radius server for authentication - the
> > password
> > - if success, pass back details of IP and such from our master radius
> > server.
> >
> > In essence... giving the customer the ability to change passwords and
> > lock accounts of their users.
> >
> > Can anyone suggest a good way to implement this? or is there any
> > existing hooks which can do a local verification check before passing
> > on the request to another radius server..
> >
> > Users would use 'username at customer'
> >
> > ...Skeeve
> >
> >
> > _______________________________________________________
> > Skeeve Stevens, RHCE     Email: skeeve at skeeve.org
> > Website: www.skeeve.org  - Telephone: (0414) 753 383
> > Address: P.O Box 1035, Epping, NSW, 1710, Australia
> >
> > eIntellego - skeeve at eintellego.net - www.eintellego.net
> > _______________________________________________________
> > Si vis pacem, para bellum
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> 
> NB: I am travelling this week, so there may be delays in our 
> correspondence.
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 
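An added example, not from the original post or from the Radiator distribution, that puts Hugh's two-clause pattern into Skeeve's Client-Identifier Handler: the local AuthBy SQL confirms the account exists, is active and is under its session limit without ever judging the password, and the AuthBy RADIUS proxy then lets the customer's own server decide the password. The Host, Secret, DBSource and Realm name are assumed placeholders; SDB1 is the SessionDatabase from the post above.

```text
# Local gate: the account must exist, be active and be under its
# session limit. NoCheckPassword means this clause never judges the
# password; that is left to the customer's server below.
<AuthBy SQL>
	Identifier CheckLocal
	DBSource dbi:mysql:radius:localhost
	DBUsername xxx
	DBAuth xxx
	NoCheckPassword
	# No row for an inactive or expired account, so the request is
	# rejected here and is never forwarded to the customer
	AuthSelect select auth_max_sessions, auth_idle_timeout, auth_group from auth where auth_uname='%n' and auth_stat_id = 1 and curdate() < auth_expire
	AuthColumnDef 0, Simultaneous-Use, check
	AuthColumnDef 1, Idle-Timeout, reply
	AuthColumnDef 2, X-GroupName, reply
	AddToReply Framed-Protocol = PPP, Service-Type = Framed-User
</AuthBy>

# Remote check: only requests that CheckLocal accepted reach this clause.
# Host and Secret are placeholders for the customer's server.
<AuthBy RADIUS>
	Identifier CheckRemote
	Host 192.0.2.10
	Secret REPLACE-WITH-SHARED-SECRET
	AuthPort 1812
	AcctPort 1813
</AuthBy>

# Both a Client-Identifier and a Realm are matched, so only this
# customer's NAS and this customer's 'username@customer' users take
# this path.
<Handler Client-Identifier=Comindico, Realm=customer>
	RewriteUsername tr/A-Z/a-z/
	SessionDatabase SDB1
	AuthByPolicy ContinueWhileAccept
	AuthBy CheckLocal
	# The proxy goes last: its reply comes back asynchronously from the
	# remote server, so AuthBy clauses after it would not be consulted
	AuthBy CheckRemote
</Handler>
```

AuthBy DYNADDRESS is deliberately left out: placed before CheckRemote it would hand out a pool address before the customer's server has confirmed the password, so its position needs its own decision.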
