(RADIATOR) Re: cisco-avpairs via LDAP

Hugh Irvine hugh at open.com.au
Tue Nov 19 14:17:55 CST 2002


Hello Riza -

AddToReply will not work in the way you show below (it expects an 
attribute = value pair).

I would be inclined to simply add the attributes in the AuthBy LDAP2 
clause:

	<AuthBy LDAP2>
		....
		AuthAttrDef radiusciscoavpair, GENERIC, reply
		....
	</AuthBy>

regards

Hugh


On Tuesday, Nov 19, 2002, at 22:13 Australia/Melbourne, Riza Kamalie 
wrote:

>
>
> guys,
>  
> running radiator 3.3.1 authenticating users via LDAP. 
>  
> I'm having a problem with assigning cisco-avpairs via an LDAP 
> attribute to the AddToReply function,
> calling it via Radiator doesn't work correctly. It fails with "Bad 
> attribute=value pair: %{RadiusCisco}"
> below is a part of the config and output trace 4 of the log file.
>  
> <radius.cfg>
>         <AuthBy LDAP2>
>                
>                 UsernameAttr    uid
>
>                 AuthAttrDef radiusciscoavpair,RadiusCisco,request
>                 AuthAttrDef radiusmaxsessions,RadiusMaxSessions,request
>  
>         </AuthBy>
>
>         <AuthBy FILE>
>                 Identifier LDAP_NETWORK_PROFILES
>                 Filename ./eldappy.profile
>                 StripFromReply 
> RadiusEnabled,RadiusAuthenticationNumber,RadiusAuthentication
>  
>                 AddToReply      %{RadiusCisco}  
>  
>         </AuthBy>
>  
> </Handler>
> </radius.cfg>
>  
> <radiator.log>
> *** Received from 127.0.0.1 port 47049 ....
> Code:       Access-Request
> Identifier: 208
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "50000328 at worldonline.co.za"
>         Service-Type = Framed-User
>         NAS-IP-Address = 196.25.1.1
>         NAS-Port = 1
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = 
> "<152><233>n<159><156>h<4><246><188>8<9><160><216>}x<153>"
>  
> Mon Nov 18 17:18:14 2002: DEBUG: Handling request with Handler 
> 'Request-Type = Access-Request'
> Mon Nov 18 17:18:14 2002: DEBUG: Rewrote user name to 
> 50000328 at worldonline.co.za
> Tue Nov 19 12:09:35 2002: INFO: Connecting to xxxx, port xxx
> Tue Nov 19 12:09:35 2002: INFO: Attempting to bind with 
> uid=xx,ou=xx,o=xx,c=xx, unlink (server eldap.worldonline.co.za:
> 389)
> Tue Nov 19 12:09:35 2002: DEBUG: LDAP got result for 
> uid=50000328,ou=xxx,ou=xxx,o=xxx,c=xx
> Tue Nov 19 12:09:35 2002: DEBUG: LDAP got passwordcleartext: xxxx
> Tue Nov 19 12:09:35 2002: DEBUG: LDAP got userpassword: xxxxxx
>
> Tue Nov 19 12:09:35 2002: DEBUG: LDAP got radiusciscoavpair: 
> cisco-avpair="ip:inacl#10=permit udp any any eq 
> 53",cisco-avpair="ip:inacl#40=permit icmp any 
> any",cisco-avpair="ip:inacl#60=permit tcp any 196.41.0.0 
> 0.0.255.255",cisco-avpair="ip:inacl#70=deny ip any any"
>
> Tue Nov 19 12:09:35 2002: DEBUG: LDAP got radiusmaxsessions: 2
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthLDAP2 looks for match 
> with 50000328
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Tue Nov 19 12:09:35 2002: DEBUG: AuthWOL handle_request: Received from 
> 127.0.0.1 port 59299
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthWOL ACCEPT:
> Tue Nov 19 12:09:35 2002: DEBUG: Handling with PORTLIMITCHECK: 
> LDAP_PORTLIMITCHECK
> Tue Nov 19 12:09:35 2002: DEBUG: Query is: select count(userid) from 
> radonline where userid='50000328' and CLI not like 'IPASS%'
>  
> Tue Nov 19 12:09:35 2002: DEBUG: PORTLIMITCHECK got a current session 
> count of 0
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE looks for match with 
> 50000328
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE REJECT: Check item 
> RadiusEnabled expression 'suspend' does not match 'active' in request
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT1
> Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE ACCEPT:
>
> Tue Nov 19 12:09:35 2002: ERR: Bad attribute=value pair: %{RadiusCisco}
>
> Tue Nov 19 12:09:35 2002: DEBUG: Access accepted for 50000328
> Tue Nov 19 12:09:35 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 59299 ....
> Code:       Access-Accept
> Identifier: 3
> Authentic:  1234567890123456
> Attributes:
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>  
> </radiator.log>
>  
> Thanks
>  
> Riza Kamalie
> Technical Systems Manager
> Engineering
>
> Worldonline 
> A Division of Tiscali (Pty) Ltd
> +27 (21) 940 9791
> +27(0) 82 992 2027  
> riza at za.tiscali.com
> http://www.worldonline.co.za
>  
>  
> Disclaimer:This email is considered a business record and is therefore 
> property of Tiscali. This email, and any files transmitted with it are 
> confidential and are intended solely for the use of the individual or 
> entity to whom they are addressed. This communication represents the 
> originator's personal views and opinions, which do not necessarily 
> reflect those of Tiscali. If you are not the original recipient or the 
> person responsible for delivering the email to the intended recipient, 
> be advised that you have this email in error, and that any use, 
> dissemination, forwarding, printing, or copying of this email is 
> strictly prohibited. If you received this email in error, please 
> immediately notify mailto:disclaimer at za.tiscali.com.
> Very funny Scotty... Now beam down my clothes!!
>
>  
>

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
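Hugh's point above is that whatever AddToReply receives has to parse as a list of "Attribute = value" items, and the trace shows what such a list looks like once it comes back from LDAP: four cisco-avpair items, each with a quoted value that itself contains an '='. The checker below is an added example for this thread, not Radiator's own code; it reproduces that parsing rule on the radiusciscoavpair value copied from the trace and on the literal %{RadiusCisco} string that produced the ERR line. The attribute-name pattern and the function names are assumptions of this example, not Radiator's.

```python
import re

# Constructed sample input, copied from the debug trace earlier in the
# thread: the value Radiator reads from the LDAP attribute
# radiusciscoavpair (one string holding four cisco-avpair items).
LDAP_REPLY_ITEMS = (
    'cisco-avpair="ip:inacl#10=permit udp any any eq 53",'
    'cisco-avpair="ip:inacl#40=permit icmp any any",'
    'cisco-avpair="ip:inacl#60=permit tcp any 196.41.0.0 0.0.255.255",'
    'cisco-avpair="ip:inacl#70=deny ip any any"'
)

# Hypothetical attribute-name rule for this toy checker (an assumption,
# not Radiator's dictionary lookup): a name starts with a letter and may
# contain letters, digits, '.', '_' and '-'.
ATTR_NAME = re.compile(r'^[A-Za-z][A-Za-z0-9._-]*$')


class BadPair(ValueError):
    """An item that is not 'Attribute = value'."""


def split_items(text):
    """Split a reply-item list on commas that are outside double quotes.

    A naive text.split(',') breaks as soon as a quoted value contains a
    comma (e.g. Reply-Message = "Hello, world").
    """
    items, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ',' and not in_quotes:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise BadPair('Bad attribute=value pair: unterminated quote in ' + text)
    items.append(''.join(buf))
    return [item.strip() for item in items if item.strip()]


def parse_pair(item):
    """Parse one 'Attribute = value' item into a (name, value) tuple.

    The split is on the FIRST '=' only, so an '=' inside the value
    (ip:inacl#10=permit ...) stays part of the value. Surrounding double
    quotes are removed from the value.
    """
    name, sep, value = item.partition('=')
    name, value = name.strip(), value.strip()
    if not sep or not ATTR_NAME.match(name):
        # Same wording as the ERR line in the trace.
        raise BadPair('Bad attribute=value pair: ' + item)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return name, value


def parse_reply_items(text):
    """Parse a whole reply-item list; raises BadPair on the first bad item."""
    return [parse_pair(item) for item in split_items(text)]


def check_reply_items(text):
    """Return the parsed pairs, or the error string a log line would carry."""
    try:
        return parse_reply_items(text)
    except BadPair as exc:
        return 'ERR: ' + str(exc)


if __name__ == '__main__':
    # The LDAP value parses into four cisco-avpair attributes ...
    for name, value in parse_reply_items(LDAP_REPLY_ITEMS):
        print('%s = %r' % (name, value))
    # ... while the literal macro from the AddToReply line is rejected.
    print(check_reply_items('%{RadiusCisco}'))
```

Run as a script it lists the four cisco-avpair pairs and then prints the same "Bad attribute=value pair: %{RadiusCisco}" text seen in the trace; the two rules that matter are splitting items on commas outside quotes and splitting each item on its first '=' only, which is why the '=' inside the inacl strings survives.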
