(RADIATOR) Best Way to do this proxy

Hugh Irvine hugh at open.com.au
Wed Nov 6 09:42:37 CST 2002


Hello Skeeve -

There is no difference using Handlers.

I am not sure I understand your question - could you give me a bit more  
detail please?

regards

Hugh


On Tuesday, November 5, 2002, at 07:54 PM, Skeeve Stevens wrote:

>
> Is there much difference because we use Handlers?
>
> I am not sure how you would integrate the Proxy radius for .... say
> user at customer to be checked before being allowed to continue.
>
> ...Skeeve
>
>
>
> example client:
>
> <Client 203.194.28.131>
> 	Secret  m0d3m5
> 	NasType Ascend
>         Identifier Comindico
> </Client>
>
>
> Session & Address:
>
> <SessionDatabase SQL>
>         Identifier SDB1
>         DBSource dbi:mysql:xxx:xxx
>         DBUsername xxx
>         DBAuth xxx
>
>         AddQuery insert into online (acct_handle,nas_id,online_nasport,online_sessionid,online_date,online_ipaddress,online_servicetype,online_calling_station,online_called_station,online_key,online_group) values ('%n','%N','%{NAS-Port}','%{Acct-Session-Id}',from_unixtime(%{Timestamp}),'%{Framed-IP-Address}','%{Service-Type}','%{Calling-Station-Id}','%{Called-Station-Id}','%{Ascend-Session-Svr-Key}','%{Client:X-GroupName}')
>
>         DeleteQuery delete from online where acct_handle = '%n' and nas_id = '%N' and online_nasport = %{NAS-Port}
>
>         ClearNasQuery delete from online where nas_id = '%N'
>
>         CountQuery select nas_id,online_nasport,online_sessionid from online where acct_handle = '%n'
> </SessionDatabase>
>
> <AddressAllocator SQL>
>         Identifier SDB1
>         DBSource dbi:mysql:xxx:xxx
>         DBUsername xxx
>         DBAuth xxx
>
>         FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP
>
>         AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0, EXPIRY=%1, USERNAME=%2, NAS='%{Calling-Station-Id}' where YIADDR='%3' and TIME_STAMP %4
>
>         AddAddressQuery insert into RADPOOL (STATE, TIME_STAMP, POOL, YIADDR, SUBNETMASK, DNSSERVER, USERNAME, NAS) values (0, %t, '%0', '%1', '%2', '%3', '%n', '%{Calling-Station-Id}')
>
>         <AddressPool pool1>
>                 Subnetmask              255.255.255.255
>                 DNSServer               203.24.66.204
>                 Range                   203.222.150.192/26
>         </AddressPool>
> </AddressAllocator>
>
>
> The Handler:
>
> <Handler Client-Identifier = Comindico>
>
> #<Realm DEFAULT>
> 	#AuthByPolicy ContinueWhileIgnore#
>
> 	AuthByPolicy ContinueWhileAccept
> 	RewriteUsername   tr/A-Z/a-z/
> 	SessionDatabase SDB1
>
> 	<AuthBy SQL>
> 	Identifier SDB1
> 	DBSource dbi:mysql:xxx:xxx
> 	DBUsername xxx
> 	DBAuth xxx
>
> 	AuthSelect select auth_upass_crypt,((auth_max_sessions)*2) as auth_max_sessions,auth_idle_timeout,auth_subnet,auth_netmask,auth_replypairs,auth_dc_time,auth_group from auth where auth_uname='%n' and auth_stat_id = 1 and curdate() < auth_expire && auth_server != 1
>
>         RejectEmptyPassword
> 	EncryptedPassword
>
>         AddToReply Ascend-Client-Primary-DNS=203.24.66.204, Ascend-Client-Secondary-DNS=203.24.66.193, Ascend-Client-Assign-DNS = DNS-Assign-Yes, Framed-Protocol = PPP, Service-Type = Framed-User
>
> 	AccountingTable detail
>
>         AuthColumnDef 0, Encrypted-Password, check
>         AuthColumnDef 1, Simultaneous-Use, check
>         AuthColumnDef 2, Idle-Timeout, reply
>         AuthColumnDef 3, Framed-IP-Address, reply
>         AuthColumnDef 4, Framed-IP-Netmask, reply
>         AuthColumnDef 5, Framed-Route, reply
>         AuthColumnDef 6, Session-Timeout, reply
> 	AuthColumnDef 7, X-GroupName, reply
>
> 	AcctColumnDef detail_acct_handle,User-Name
> 	AcctColumnDef detail_nas_id,NAS-IP-Address
> 	AcctColumnDef detail_date,Timestamp,formatted-date,from_unixtime(%s)
> 	AcctColumnDef detail_type,Acct-Status-Type
> 	AcctColumnDef detail_delay,Acct-Delay-Time,integer
> 	AcctColumnDef detail_called_station,Called-Station-Id
> 	AcctColumnDef detail_calling_station,Calling-Station-Id
> 	AcctColumnDef detail_inbytes,Acct-Input-Octets,integer
> 	AcctColumnDef detail_outbytes,Acct-Output-Octets,integer
> 	AcctColumnDef detail_sessionid,Acct-Session-Id
> 	AcctColumnDef detail_sessiontime,Acct-Session-Time,integer
> 	AcctColumnDef detail_termcause,Acct-Terminate-Cause
> 	AcctColumnDef detail_termcause,Ascend-Disconnect-Cause
> 	AcctColumnDef detail_nasport,NAS-Port,integer
> 	AcctColumnDef detail_ipaddress,Framed-IP-Address
>
> 	</AuthBy>
>
>         <AuthBy DYNADDRESS>
>         Allocator SDB1
>         PoolHint pool1
>         MapAttribute   yiaddr, Framed-IP-Address
>         MapAttribute   subnetmask, Framed-IP-Netmask
>         </AuthBy>
>
> 	<AuthLog SQL>
>           DBSource dbi:mysql:xxx:xxx
>           DBUsername root
> 	  DBAuth tekflex
> 	  Table RADAUTHLOG
> 	  LogSuccess 0
> 	  LogFailure 1
>
> 	  FailureQuery  INSERT INTO authlog (username,timestamp,priority,message,password) VALUES ('%n', %t, %0, %1%r%r, '%P')
> 	</AuthLog>
>
> 	<Log SQL>
>         DBSource dbi:mysql:xxx:xxx
>         DBUsername xxx
>         DBAuth xxx
> 	Table radlog
> 	</Log>
> </Handler>
>
>> -----Original Message-----
>> From: owner-radiator at open.com.au
>> [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
>> Sent: Monday, November 04, 2002 2:22 AM
>> To: skeeve at skeeve.org
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) Best Way to do this proxy
>>
>>
>>
>> Hello Skeeve -
>>
>> You should use two AuthBy clauses under the control of an AuthByPolicy,
>> something like this:
>>
>> # define AuthBy clauses (FILE/SQL/whatever)
>>
>> <AuthBy FILE>
>> 	Identifier CheckLocal
>> 	.....
>> </AuthBy>
>>
>> <AuthBy RADIUS>
>> 	Identifier CheckRemote
>> 	....
>> </AuthBy>
>>
>> <Realm customer>
>> 	AuthByPolicy ContinueWhileAccept
>> 	AuthBy CheckLocal
>> 	AuthBy CheckRemote
>> 	.....
>> </Realm>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On Saturday, November 2, 2002, at 09:53 PM, Skeeve Stevens wrote:
>>
>>>
>>> Question...
>>>
>>> I have a customer who wants to do their own Radius authentication.....
>>> but... I don't want this customer to be able to create their own user
>>> accounts and so on.
>>>
>>> I want them to call us, get the account put in our radius server and we
>>> would provide at the first level:
>>> - port usage limit check (for that customer)
>>> - see if account exists
>>> - see if account is active
>>> - then check REMOTE customer radius server for authentication - the
>>> password
>>> - if success, pass back details of IP and such from our master radius
>>> server.
>>>
>>> In essence... giving the customer the ability to change passwords and
>>> lock accounts of their users.
>>>
>>> Can anyone suggest a good way to implement this? or are there any
>>> existing hooks which can do a local verification check before passing
>>> on the request to another radius server..
>>>
>>> Users would use 'username at customer'
>>>
>>> Users would use 'username at customer'
>>>
>>> ...Skeeve
>>>
>>>
>>> _______________________________________________________
>>> Skeeve Stevens, RHCE     Email: skeeve at skeeve.org
>>> Website: www.skeeve.org  - Telephone: (0414) 753 383
>>> Address: P.O Box 1035, Epping, NSW, 1710, Australia
>>>
>>> eIntellego - skeeve at eintellego.net - www.eintellego.net
>>> _______________________________________________________
>>> Si vis pacem, para bellum
>>>
>
>

NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
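Worked configuration for the two-stage chain Hugh sketched, applied to the Client-Identifier Handler from Skeeve's config. This is an added example for this archive page, not code from either poster or from the Radiator distribution. Assumed, and not on the page: the customer's server address 192.0.2.10 and shared secret CHANGEME, the Identifiers OnlineSessions, CheckLocal and CheckRemote, a customer-wide quota of 100 ports, and the realm name customer. NoCheckPassword, MaxSessions, NoForwardAccounting and AllowInReply are Radiator parameters; check the reference manual for your version for the exact scope of AllowInReply (it is assumed here to filter what the remote server returns; if in your version it applies to the whole reply, add the locally set Framed-* and timeout attributes to the list). AuthBy DYNADDRESS, AuthLog and Log are left out for brevity and keep their place in the Handler.

```text
# Session database (Add/Delete/ClearNas/Count queries as posted earlier in
# this thread) with a unique Identifier so the Handler can name it.
<SessionDatabase SQL>
        Identifier OnlineSessions
        DBSource dbi:mysql:xxx:xxx
        DBUsername xxx
        DBAuth xxx
        # AddQuery, DeleteQuery, ClearNasQuery, CountQuery as in the posted config
</SessionDatabase>

# Stage 1: the local gate. Does the account exist, is it active and
# unexpired, is it under its own session cap? The password is deliberately
# NOT checked here: that is the customer's job. No password column is
# mapped, and NoCheckPassword makes the intent explicit (assumed parameter;
# confirm it exists in your version).
<AuthBy SQL>
        Identifier CheckLocal
        DBSource dbi:mysql:xxx:xxx
        DBUsername xxx
        DBAuth xxx
        NoCheckPassword
        AuthSelect select auth_max_sessions,auth_idle_timeout,auth_subnet,auth_netmask from auth where auth_uname='%n' and auth_stat_id = 1 and curdate() < auth_expire
        AuthColumnDef 0, Simultaneous-Use, check
        AuthColumnDef 1, Idle-Timeout, reply
        AuthColumnDef 2, Framed-IP-Address, reply
        AuthColumnDef 3, Framed-IP-Netmask, reply
        AddToReply Framed-Protocol = PPP, Service-Type = Framed-User
</AuthBy>

# Stage 2: the password check, delegated to the customer's server
# (192.0.2.10 and CHANGEME are placeholders). Only the Access-Request is
# forwarded; accounting stays here so the online table, and with it the
# Simultaneous-Use count, remains authoritative.
<AuthBy RADIUS>
        Identifier CheckRemote
        Host 192.0.2.10
        Secret CHANGEME
        AuthPort 1812
        AcctPort 1813
        Retries 2
        RetryTimeout 5
        NoForwardAccounting
        # The customer may say yes or no, not hand out addresses, routes or
        # timeouts on our NAS: only these attributes are taken from its
        # Access-Accept (scope of AllowInReply: see the note above).
        AllowInReply Reply-Message
</AuthBy>

# Match on the NAS *and* the realm, so only this customer's users are ever
# forwarded to this customer's server. MaxSessions is the customer-wide
# port quota (assumed figure), counted from the session database.
<Handler Client-Identifier = Comindico, Realm = customer>
        AuthByPolicy ContinueWhileAccept
        RewriteUsername tr/A-Z/a-z/
        SessionDatabase OnlineSessions
        MaxSessions 100
        # Order matters. CheckLocal rejects unknown, locked, expired or
        # over-limit users before anything leaves the building; a Reject
        # stops the chain. CheckRemote goes last because it forwards the
        # request and the reply is completed when the customer answers, so
        # a clause placed after it would not see that verdict (assumed
        # behaviour of the proxying AuthBy; verify for your version).
        AuthBy CheckLocal
        AuthBy CheckRemote
</Handler>
```

With ContinueWhileAccept, a locked, expired or over-quota account never produces a packet to the customer's server, and the customer's server never sees a request for a user outside its realm. Both session limits (Simultaneous-Use in CheckLocal and MaxSessions in the Handler) read OnlineSessions, which is only accurate while accounting is processed locally, hence NoForwardAccounting.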

