(RADIATOR) using the class atribute for a special purpose
Hugh Irvine
hugh at open.com.au
Fri May 2 18:41:47 CDT 2003
Hello Tunde -
The simplest way to do what you describe is to put Identifiers in your
Client clauses that you can then use to select the corresponding IP
address pool.
# define Client clauses with Identifiers
<Client 1.1.1.1>
Identifier SomeTag
....
</Client>
....
Note that you can use the same Identifier in multiple Client clauses if
you want to group them.
regards
Hugh
On Friday, May 2, 2003, at 21:32 Australia/Melbourne, Ayotunde Itayemi
wrote:
> Hi Hugh, Hi All,
>
> Here is an explanation of what I was trying to do.
>
> A client has a set of patton RASes connected to a number of e1s to
> which the phone numbers are
> in a hunt group. The client wanted email-only clients to be able to
> call ONLY one particular phone
> number in the hunt group and to be denied access if they call the main
> hunt number say 18002
>
> In the process I came up with the AuthNASIPPOOLS.pm which actually
> solves a long standing
> problem I had - desciption.
>
> I have a set of patton RASES at different locations that normally hand
> out public-ips to clients.
> Later I wanted email-only clients to be able to dial any of those
> pattons and get private-ips.
> This wasn't possible with the standard method of adding a particular
> poolhint attribute to the
> email-only-user database record. I needed to be able to dynamically
> assign a poolhint attribute
> to a reply to an access-request-reply packet based on the NAS that the
> email-only client
> connects to.
>
> Pls find attached the AuthNASIPPOOLS.pm
>
> BTW, for the particular client I mentioned earlier I wrote a little
> AuthBY that sends back a REJECT
> if the client has the class attribute set to "emailonly". I then call
> this AuthBy from the Handler for
> calls to the hunt number.
>
> Regards,
> Tunde Itayemi.
>
>
> sample radius.cfg file (usage)
>
> <AddressAllocator SQL>
> Identifier mySQLallocator
> DBSource
> DBUsername
> DBAuth
> <AddressPool mypool1>
> Range 192.168.60.1 192.168.60.10
> </AddressPool>
> <AddressPool mypool2>
> Range 192.168.65.1 192.168.65.10
> </AddressPool>
> <AddressPool mypool3>
> Range 192.168.70.1 192.168.70.10
> </AddressPool>
> </AddressAllocator>
>
> <AuthBy DYNADDRESS>
> Identifier pattonIPADDRESSauth
> Allocator mySQLallocator
> MapAttribute yiaddr, Framed-IP-Address
> MapAttribute subnetmask, Framed-IP-Netmask
> StripFromReply PoolHint
> DefaultSimultaneousUse 1
> </AuthBy>
>
> <AuthBy NASIPPOOLS>
> Identifier ippools
> NASIPsAndPoolHints 212.192.142.8 mypool1 212.192.142.18
> mypool2 \
> 217.193.140.41 mypool3
> 17.194.145.20 mypool4
> </AuthBy>
>
> <Handler Called-Station-Id=/18002/>
> AuthByPolicy ContinueUntilReject
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> UsernameCharset a-zA-Z0-9\._ at -
> RejectHasReason
> AcctLogFileName %L/account.log
> PasswordLogFileName %L/password.log
> SessionDatabase SDB1
> AuthBy SQLClientauth
> AuthBy ippools
> AuthBy pattonIPADDRESSauth
> AuthBy ACCESSAccountingStart
> AuthBy ACCESSAccountingStop
> </Handler>
>
>
>
> ----- Original Message -----
> From: Hugh Irvine
> To: Ayotunde Itayemi
> Cc: radiator at open.com.au
> Sent: Wednesday, April 30, 2003 11:09 PM
> Subject: Re: (RADIATOR) using the class atribute for a special purpose
>
>
> Hello Tunde -
>
> You should have a look at a trace 4 debug to see what attributes are
> actually present in the request. I suspect there is no NAS-IP-Address
> in the packet which is why you are not finding anything.
>
> regards
>
> Hugh
>
>
> On Thursday, May 1, 2003, at 04:52 Australia/Melbourne, Ayotunde
> Itayemi wrote:
>
>
> Hi Hugh,
>
> Please I am actually in a hurry at the moment but I will explain
> everything and possibly offer a new
> AuthBY to the list - (AuthNASIPPOOLS.pm :-)
>
> My main problem now is that I can seem to be able to retrieve the NAS
> IP address from the authby.
> I based the authby on the generic XYZ file that comes with radiator.
>
> I have tried $p->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS)
> and $p->get_attr('NAS-IP-Address') but neither returned anything.
>
>
> Well, I also
> tried $self->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS) by the way!
>
> Please help - I need to retrieve the NAS-IP-Address. Hope to hear
> from you soon.
>
> Regards,
> Tunde Itayemi.
>
>
> Some relevant parts of the AuthBY module:
>
> #=================================================================
>
> %Radius::AuthGeneric::ConfigKeywords =
> ('NASIPsAndPoolHints' => 'string',
> );
> sub initialize
> {
> my ($self) = @_;
> $self->SUPER::initialize;
> $self->{NASIPsAndPoolHints} = '';
> }
>
> sub handle_request
> {
> my ($self, $p, $dummy, $extra_checks) = @_;
>
>
>
> ----- Original Message -----
> From: Hugh Irvine
> To: Ayotunde Itayemi
> Cc: radiator at open.com.au
> Sent: Tuesday, April 29, 2003 4:47 AM
> Subject: Re: (RADIATOR) using the class atribute for a special purpose
>
>
> Hello Tunde -
>
> I am afraid I don't quite understand what you are trying to do.
>
> It seems logically inconsistent to me that you are allowing calls for
> users you don't want to connect?
>
> Perhaps if you give me a more detailed description of your
> requirements I will be able to help.
>
> regards
>
> Hugh
>
>
> On Monday, Apr 28, 2003, at 21:21 Australia/Melbourne, Ayotunde
> Itayemi wrote:
>
> Hi Hugh, Hi All,
>
> Ok. It seems that approach won't work then. I was hoping
> radiator would do a check on the Class field before selecting
> an Handler and thus match it to the Handler Class="EmailOnly".
>
> My (new) idea is something like this:
>
> Given the following scenario:
> the 18002 access number is connected to a group of NASes. If the
> user trying to connect has the Class attribute set to "emailonly",
> REJECT (deny) the connection attempt with the <AuthBy
> EmailNoAccessauth>
> otherwise allow access i.e., return accept so that the other AuthBys
> may
> be considered. All other access requests (on other numbers) fall
> naturally to <Handler Client-Identifier=mypattonrases>.
>
> Please I need the code to implement the <AuthBy EmailNoAccessauth>
> given that Class = "emailonly" is set in the replyattr field of the
> "emailonly" user records - which would have been retrieved via
> <AuthBy SQLClientauth> - that is why I put <AuthBy SQLClientauth>
> before
> <AuthBy EmailNoAccessauth>
> Of course if anyone reads this mail before Hugh does and you can
> provide
> me with the code for the <AuthBy EmailNoAccessauth> please go right
> ahead :-)
>
> Thanks.
> Tunde Itayemi.
>
> ===============================================================
>
> <AuthBy EmailNoAccessauth>
> if Class = "emailonly" return REJECT
> </AuthBy>
>
> <Handler Called-Station-Id="18002">
> AuthByPolicy ContinueUntilReject
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> UsernameCharset a-zA-Z0-9\._ at -
> AcctLogFileName %L/account.log
> PasswordLogFileName %L/password.log
> SessionDatabase SDB1
> AuthBy SQLClientauth
> AuthBy EmailNoAccessauth
> AuthBy pattonIPADDRESSauth
> AuthBy ACCESSAccountingStart
> AuthBy ACCESSAccountingStop
> </Handler>
>
> <Handler Client-Identifier=mypattonrases>
> # AuthByPolicy ContinueUntilReject
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> UsernameCharset a-zA-Z0-9\._ at -
> AcctLogFileName %L/account.log
> PasswordLogFileName %L/password.log
> SessionDatabase SDB1
> AuthBy SQLClientauth
> AuthBy pattonIPADDRESSauth
> AuthBy ACCESSAccountingStart
> AuthBy ACCESSAccountingStop
> </Handler>
>
> ----- Original Message -----
> From: Hugh Irvine
> To: Ayotunde Itayemi
> Cc: radiator at open.com.au
> Sent: Friday, April 25, 2003 10:54 PM
> Subject: Re: (RADIATOR) using the class atribute for a special purpose
>
>
> Hello Tunde -
>
> The Class attribute is added to an access accept that is returned to
> the NAS and it will be included in all subsequent accounting requests
> from the NAS for the session.
>
> There will never be a Class attribute in an access request.
>
> The Called-Station-Id can be matched either on the exact string or on
> a regular expression. Regular expressions are delimited by "/.../".
> Check the Radiator reference manual and your Perl book for details.
>
> regards
>
> Hugh
>
>
> On Friday, Apr 25, 2003, at 23:07 Australia/Melbourne, Ayotunde
> Itayemi wrote:
>
> Hi Hugh,
>
> Still no luck. I noticed from the (attached) trace 4 debug log that
> the authentication request
> somehow skips the Class="EmailOnly" Handler and ends up being
> authenticated by the
> next handler (Client-Identifier=pattonrases) - please see attached
> radius.cfg
> The strange thing is that the accounting requests are then handled by
> the (correct) Handler !?
>
> I hope to hear from you soon.
> Please note that I have tried both
> Class="EmailOnly", Called-Station-Id=/15000/
> and
> Class="EmailOnly", Called-Station-Id="15000"
> Which is actually the correct way of specifying the the
> Called-Station-id by the way
>
> Regards,
> Tunde I.
>
>
> ----- Original Message -----
> From: Hugh Irvine
> To: Ayotunde Itayemi
> Cc: radiator at open.com.au
> Sent: Friday, April 25, 2003 12:42 AM
> Subject: Re: (RADIATOR) using the class atribute for a special purpose
>
>
> Hello Tunde -
>
> Yes this the correct approach and this is what the Class attribute is
> designed for.
>
> You will find quite a bit of discussion on the Class attribute on the
> mailing list archive.
>
> www.open.com.au/archives/radiator
>
> regards
>
> Hugh
>
>
> On Friday, Apr 25, 2003, at 05:52 Australia/Melbourne, Ayotunde
> Itayemi wrote:
>
> Hi All, Hi Hugh,
>
> I need a special variable that I can set in a particular group of
> users (email-only) records in my
> user database (an oracle table). Can I use the class atribute?
>
> I was thinking of something along the line of:
>
> Replyattr = ' Framed-Protocol = PPP,Session-Timeout="until Time",
> Class="Email-Only"'
>
>
> Then in the Handler section of my radiator config file:
>
> <Handler Class="Email-Only", Called-Station-Id=2001024>
> .... do something ...
> </Handler>
>
> .... other handlers ...
>
> The idea is to process this group of users specially before the
> general users who connect to
> the same set of NASes. Also I won't set the Class attribute for my
> other class(es) of users.
>
> Do you think this will work? Do I lose anything by using the class
> attribute this way? Thanks.
>
> Regards,
> Tunde Itayemi.
>
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
> <logfile.txt><radius.cfg>
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
> <AuthNASIPPOOLS.pm>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 15011 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20030503/0daa12f6/attachment.bin>
More information about the radiator
mailing list