(RADIATOR) some question about the radiator

Foo Donald (Products O2) Donald.Foo at O2.com
Fri Jun 27 18:07:09 CDT 2003


Hi Hugh,
Thank you very much for all the information. I am almost there; I found
something very strange with <AuthBy INTERNAL> during my test.
Herewith is my code:

<Handler Calling-Station-Id=/^65987/>
        RejectHasReason
        <AuthBy INTERNAL>
                DefaultResult   REJECT
                RejectReason    You are not our customer

        </AuthBy>

        <AuthLog SQL>
                DBSource        dbi:mysql:radius
                DBUsername      root
                DBAuth          root
                LogFailure
                FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
        </AuthLog SQL>
</Handler>

It works for all Authentication, but for accounting it can only accept, not
reject.
Let me show you some of my debug.
If I put it DefaultResult ACCEPT and send an accounting start/stop:


Sat Jun 28 06:51:24 2003: DEBUG: Packet dump:
*** Received from xx.xx.xx.xx port 4358 ....
Code:       Accounting-Request
Identifier: 138
Authentic:  <4><229><244>j><129><205>J<154><<28><214><12><18><187><226>
Attributes:
<delete>
        Calling-Station-Id = "6598765432"

Sat Jun 28 06:51:24 2003: DEBUG: Handling request with Handler
'Calling-Station-Id=/65987/'
Sat Jun 28 06:51:24 2003: DEBUG:  Adding session for test, 1.1.1.1, 20
Sat Jun 28 06:51:24 2003: DEBUG: Handling with AuthINTERNAL:
Sat Jun 28 06:51:24 2003: DEBUG: Accounting accepted
Sat Jun 28 06:51:24 2003: DEBUG: Packet dump:
*** Sending to xx.xx.xx.xx port 4358 ....
Code:       Accounting-Response
Identifier: 138
Authentic:  <4><229><244>j><129><205>J<154><<28><214><12><18><187><226>
Attributes:


Works smoothly, no problem.
If I put it DefaultResult REJECT and send an accounting start/stop:


Sat Jun 28 06:58:11 2003: DEBUG: Packet dump:
*** Received from xx.xx.xx.xx port 4359 ....
Code:       Accounting-Request
Identifier: 139
Authentic:  <145><129>)<154><156>q<10><212><21><191><16>5<187><8><134><177>
Attributes:
<delete>
        Calling-Station-Id = "6598765432"

Sat Jun 28 06:58:11 2003: DEBUG: Handling request with Handler
'Calling-Station-Id=/65987/'
Sat Jun 28 06:58:11 2003: DEBUG:  Adding session for test, 1.1.1.1, 20
Sat Jun 28 06:58:11 2003: DEBUG: Handling with AuthINTERNAL:
!!!hang here!!!
Sat Jun 28 06:58:13 2003: DEBUG: Packet dump:
*** Received from xx.xx.xx.xx port 4359 ....
Code:       Accounting-Request
Identifier: 139
Authentic:  <145><129>)<154><156>q<10><212><21><191><16>5<187><8><134><177>
Attributes:
<delete>
        Calling-Station-Id = "6598765432"

Sat Jun 28 06:58:13 2003: INFO: Duplicate request id 139 received from
xx.xx.xx.xx(4359): ignored


Any suggestion?

Regards,
Donald

-----Original Message-----
From: Hugh Irvine
To: Foo Donald (Products O2)
Cc: 'radiator at open.com.au'
Sent: 2003/6/27 ?U?E 01:37
Subject: Re: (RADIATOR) some question about the radiator


Hello Donald -

I am not sure what your configuration file is meant to do, but you 
might consider using separate Handlers for Authentication and 
Accounting as you can then use different AuthByPolicy's for the two 
cases.

# define Handlers for accounting and authentication

<Handler Request-Type = Accounting-Request>
	AuthByPolicy ContinueAlways
	....
</Handler>

<Handler>
	AuthByPolicy ContinueWhileAccept
	....
</Handler>

regards

Hugh


On Friday, Jun 27, 2003, at 15:32 Australia/Melbourne, Foo Donald 
(Products O2) wrote:

> Hi Hugh,
> Looks great with my test machine, appreciate. Besides I cannot find much
> information for ContinueAlways, will it got disadvantage when using it?
>
> Actually I was using ContinueWhileAccept (Continue trying to authenticate as
> long as it is Accepted), it should continue if it accept, but I don't
> understand why it did continue with other <auth radius>(cannot see
> accounting goto the rest 3 accounting server, only first one)
> Previous
>          AuthByPolicy    ContinueWhileAccept
>          AuthBy          CheckSQLBlacklist
>          AuthBy          CheckSQLNormal
> follow with 4 auth radius.....
>
>
> Regards,
> Donald
>
> p.s. the detail configuration should be at last of the email.
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, June 27, 2003 12:42 PM
> To: Foo Donald (Products O2)
> Cc: 'radiator at open.com.au'
> Subject: Re: (RADIATOR) some question about the radiator
>
>
>
> Hello Donald -
>
> It is difficult to say what is happening without a complete
> configuration file and an accompanying trace 4 debug.
>
> I suspect what is happening here is you have not correctly configured
> an AuthByPolicy to control the execution of the AuthBy clauses. In the
> case you show below you should probably use this:
>
> 	AuthByPolicy ContinueAlways
>
> regards
>
> Hugh
>
>
> On Friday, Jun 27, 2003, at 13:59 Australia/Melbourne, Foo Donald
> (Products O2) wrote:
>
>> Hi Hugh,
>> Sorry for pushing so hard, any update for this? We need to fix the accounting
>> proxy asap.
>> The current status is one radiator proxy to 4 accounting server (A,B,C,D).
>> Now we only can see the accounting packet from proxy to A, no accounting
>> arrive to B, C, D. Herewith is the current <auth radius>.
>>
>>         <AuthBy RADIUS>
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.2
>>         </AuthBy>
>>
>>         <AuthBy RADIUS>
>>                 IgnoreAccountingResponse
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.41
>>         </AuthBy>
>>
>>         <AuthBy RADIUS>
>>                 IgnoreAccountingResponse
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.201
>>         </AuthBy>
>>
>>         <AuthBy RADIUS>
>>                 IgnoreAccountingResponse
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.202
>>         </AuthBy>
>>
>> Regards,
>> Donald
>>
>>
>>
>> -----Original Message-----
>> From: Foo Donald (Products O2) [mailto:Donald.Foo at O2.com]
>> Sent: Thursday, June 26, 2003 10:47 PM
>> To: 'radiator at open.com.au'
>> Subject: (RADIATOR) some question about the radiator
>>
>>
>> Hi there,
>> we found something strange after on production. can you help?
>> we have a ggsn pointing to two radiator A and B, their configuration are the
>> same.
>>
>> 1. we send the accounting packet to 4 accounting server(A1,A2,A3,A4), we only
>> need A1 reply. But if A2 or A3 dead, the ggsn will fail to B radiator.
>> herewith is the auth radius when we have this problem. with this
>> configuration, we can see accounting send to A1, A2 and A3 but not A4,
>> why??
>>         <AuthBy RADIUS>
>>                 Synchronous
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.2
>>         </AuthBy>
>>
>>         <AuthBy RADIUS>
>>                 Synchronous
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.41
>>         </AuthBy>
>>
>>         <AuthBy RADIUS>
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.201
>>         </AuthBy>
>>
>>         <AuthBy RADIUS>
>>                 RetryTimeout 25
>>                 NoForwardAuthentication
>>                 Secret radius
>>                 AcctPort 1813
>>                 Host 10.12.1.202
>>         </AuthBy>
>>
>>
>> 2) When I put the IgnoreAccountingResponse in each of the tag, I can now
>> only see accounting go A1 and don't see any accounting goto A2, A3, A4 (the
>> current configuration is on below).
>>
>> 3) When I do a radiator/mysql process restart (we wrote a script to do start
>> and stop) after change the configuration, it will not take effect until we
>> reboot it, but the script works fine when test, is this relate to stack
>> buffer or cache problem?
>>
>> 4) we found that the mysql database is growth fast. so it will take longer
>> time to start it. is there anything in radiator which can detail the
>> database ready before it can connect to it?
>>
>>
>> The current configuration
>>
> #Foreground
> #LogStdout
> LogDir          /var/radiator
> LogFile         %L/detail
> DbDir           /usr/local/radiator
> DictionaryFile  %D/dictionary,%D/goodies/dictionary.usr
> PidFile         %L/radiusd.pid
> Trace           4
>
> AuthPort 1812
> AcctPort 1813
>
> <Client DEFAULT>
>         Secret  xxxxx
> </Client>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <Client xxxxx>
>         Secret xxxxx
>         DupInterval 3
> </Client>
>
> <AuthBy SQL>
>         Identifier      CheckSQLBlacklist
>         DBSource        dbi:mysql:radius
>         DBUsername      xxxxx
>         DBAuth          xxxxx
>         AuthSelect      select REJECT from CALLER_BLACKLIST where Calling_Station='%{Calling-Station-Id}'
>         AuthColumnDef   0, GENERIC, check
>         AcceptIfMissing
>         NoDefaultIfFound
> </AuthBy>
>
> <AuthBy SQL>
>         Identifier      CheckSQLNormal
>         DBSource        dbi:mysql:radius
>         DBUsername      xxxxx
>         DBAuth          xxxxx
>
>         AccountingTable ACCOUNTING
>         AcctColumnDef   USERNAME,User-Name
>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef   NASPORT,NAS-Port,integer
>         AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>         AcctColumnDef   ACCTCALLINGSTATIONID,Calling-Station-Id
> </AuthBy>
>
> # M1 Blacklist
> <Handler Calling-Station-Id=/^123/>
>         RejectHasReason
>         <AuthBy INTERNAL>
>                 DefaultResult   REJECT
>                 RejectReason    You are not StarHub Customer
>         </AuthBy>
>
>         <AuthLog SQL>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      xxxxx
>                 DBAuth          xxxxx
>                 LogFailure
>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>         </AuthLog SQL>
> </Handler>
>
> # SingTel Blacklist
> <Handler Calling-Station-Id=/^123/>
>         RejectHasReason
>         <AuthBy INTERNAL>
>                 DefaultResult   RREJECT
>                 RejectReason    You are not StarHub Customer
>         </AuthBy>
>
>          <AuthLog SQL>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      xxxxx
>                 DBAuth          xxxxx
>                 LogFailure
>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>         </AuthLog SQL>
> </Handler>
>
> <Handler>
>         RejectHasReason
>         AuthByPolicy    ContinueWhileAccept
>         AuthBy          CheckSQLBlacklist
>         AuthBy          CheckSQLNormal
>         <AuthBy RADIUS>
>                 RetryTimeout 5
>                 NoForwardAuthentication
>                 Secret xxxxx
>                 AcctPort 1813
>                 Host xxxxx
>         </AuthBy>
>
>         <AuthBy RADIUS>
>                 IgnoreAccountingResponse
>                 RetryTimeout 5
>                 NoForwardAuthentication
>                 Secret xxxxx
>                 AcctPort 1813
>                 Host xxxxx
>         </AuthBy>
>
>         <AuthBy RADIUS>
>                 IgnoreAccountingResponse
>                 RetryTimeout 25
>                 NoForwardAuthentication
>                 Secret xxxxx
>                 AcctPort 1813
>                 Host xxxxx
>         </AuthBy>
>
>         <AuthBy RADIUS>
>                 IgnoreAccountingResponse
>                 RetryTimeout 25
>                 NoForwardAuthentication
>                 Secret xxxxx
>                 AcctPort 1813
>                 Host xxxxx
>         </AuthBy>
>
>         <AuthLog SQL>
>                 DBSource        dbi:mysql:radius
>                 DBUsername      xxxxx
>                 DBAuth          xxxxx
>                 LogSuccess
>                 SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 1, 'Authorized', '%{Calling-Station-Id}')
>                 LogFailure
>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON, Calling_Station) values (%t, '%n', 0, %1, '%{Calling-Station-Id}')
>         </AuthLog>
>
> </Handler>
>
> <StatsLog SQL>
>         DBSource        dbi:mysql:radius
>         DBUsername      xxxxx
>         DBAuth          xxxxx
>         Interval 3600
> </StatsLog>
>
>
>
>> Regards,
>> Donald
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>> ===
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>



More information about the radiator mailing list
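
The forwarding behaviour reported in this thread, modelled as an added example (not Radiator source code and not written by either poster). It assumes that an AuthBy RADIUS clause without Synchronous returns IGNORE as soon as it has forwarded the request, that a Synchronous one returns ACCEPT once the remote server answers, and that both SQL clauses accept the accounting request; all function names are hypothetical.

```python
# Added illustration: a simplified model of how a Handler walks its AuthBy
# clauses under an AuthByPolicy. It is not Radiator source code.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# The two policies named in the thread: given the last result, keep going?
POLICIES = {
    "ContinueWhileAccept": lambda result: result == ACCEPT,
    "ContinueAlways": lambda result: True,
}

def sql_clause():
    # Assumption: CheckSQLBlacklist / CheckSQLNormal accept accounting requests.
    return lambda sent: ACCEPT

def radius_clause(host, synchronous=False):
    # Assumption: after forwarding, the clause returns IGNORE unless
    # Synchronous makes it wait for the remote reply (modelled as ACCEPT).
    def handle(sent):
        sent.append(host)
        return ACCEPT if synchronous else IGNORE
    return handle

def run_handler(policy, clauses):
    """Return (hosts the request was forwarded to, last AuthBy result)."""
    keep_going, sent, result = POLICIES[policy], [], IGNORE
    for clause in clauses:
        result = clause(sent)
        if not keep_going(result):
            break
    return sent, result

HOSTS = ["10.12.1.2", "10.12.1.41", "10.12.1.201", "10.12.1.202"]

def chain(sync_flags):
    # Two SQL clauses followed by the four AuthBy RADIUS clauses.
    proxies = [radius_clause(h, s) for h, s in zip(HOSTS, sync_flags)]
    return [sql_clause(), sql_clause()] + proxies

def scenarios():
    return {
        "first two Synchronous": run_handler(
            "ContinueWhileAccept", chain([True, True, False, False]))[0],
        "none Synchronous": run_handler(
            "ContinueWhileAccept", chain([False] * 4))[0],
        "ContinueAlways": run_handler("ContinueAlways", chain([False] * 4))[0],
    }

if __name__ == "__main__":
    for name, hosts in scenarios().items():
        print(f"{name}: forwarded to {hosts}")
```

Under these assumptions the first scenario stops after the third server, the second after the first server, and ContinueAlways reaches all four.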