(RADIATOR) Net Accelerator Config?
Hugh Irvine
hugh at open.com.au
Thu Feb 19 16:12:55 CST 2004
Hello Kyle -
I suspect your best bet will be a PreClientHook that does the SQL query
and adds the Accelerator pseudo-attribute to the incoming request.
Then you can use Handlers instead of Realms for your processing.
<Handler Accelerator = Y>
.....
<AuthBy RADIUS>
......
StripFromRequest Accelerator
......
</AuthBy>
......
</Handler>
.....
<Handler>
.....
</Handler>
You will find some example hooks in the file "goodies/hooks.txt".
regards
Hugh
On 20 Feb 2004, at 04:04, Kyle Hultman wrote:
> Hi, I've got an interesting question, that I haven't really seen on the
> message board (maybe I haven't looked hard enough). We're starting to
> do a net accelerator with a third party company. I want it to be as
> seamless as possible to my customers, so what I would like to do is
> have a Y,N flag in the subscribers table in a field called
> Accelerator. If it's set to Y then radius calls an <authby radius>,
> strips Accelerator from the reply, and goes about its business. If
> Accelerator = N, then it just gets stripped from the reply and goes
> about its business as normal. I'm not quite sure how to incorporate
> this though. Below is my config file, secrets removed. Thanks.
>
>
>
> # radius.cfg
> #
> # This is the LCS radius configuration file.
>
> # Run the server in the Foreground
> Foreground
>
> # Set the information level
> # 0 ERR
> # 1 WARNING
> # 2 NOTICE
> # 3 INFO
> # 4 DEBUG
> # 5 DEBUG with raw packet dumps
> Trace 3
>
> # Bind to only a specific IP Address
> BindAddress 24.75.105.102,127.0.0.1
>
> # Listen for Authentication on port 1812 per RFC 2138
> # Also bind to the deprecated port 1645 for legacy
> AuthPort 1812,1645
>
> # Listen for Accounting on port 1813 per RFC 2139
> # Also bind to the deprecated port 1646 for legacy
> AcctPort 1813,1646
>
> # Load the dictionary
> DictionaryFile /usr/local/etc/radiator/dictionary
>
> # Log to Standard output as well
> LogStdout
>
> # Set the default log directory for file based logging
> LogDir /var/log/radius
>
> # Set the default dbDir for file based authentication
> DbDir /usr/local/etc/radiator
>
> # Set the Username Character set to reject based on line noise
> UsernameCharset a-zA-Z0-9\._@-
>
> # Set the Username of who we want radiator to run as
> User radiusd
>
> # Set the Group of who we want radiator to run as
> Group radiusd
>
> # Tell radiator where snmpget is
> SnmpgetProg /usr/local/bin/snmpget
>
> <ClientListSQL>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
> </ClientListSQL>
>
> <AuthLog SQL>
>
> Identifier AuthLog_1
>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> ## Set the default Table
> Table RADAUTHLOG
>
> FailureQuery INSERT INTO RADAUTHLOG VALUES('%n', %t , %0, %1)
> </AuthLog>
>
> <AddressAllocator SQL>
>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> Identifier myallocator
>
> <AddressPool pool1>
> Subnetmask 255.255.255.255
> DNSServer 24.75.105.103
> Range 24.75.107.2 24.75.107.96
> </AddressPool>
> <AddressPool pool2>
> Subnetmask 255.255.255.255
> DNSServer 12.155.97.27
> Range 10.246.0.1 10.246.0.254
> Range 10.246.1.0 10.246.1.254
> Range 10.246.2.0 10.246.2.254
> </AddressPool>
> </AddressAllocator>
>
> <Realm nesbeonline.com>
>
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy SQL>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> AuthSelect select PASSWORD, \
> ENCRYPTEDPASSWORD, \
> PROTOCOL, \
> CHECKATTR, \
> REPLYATTR, \
> PROFILE \
> from NESBEONLINE \
> where USERNAME='%n' and STATUS='A'
>
>
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, Encrypted-Password, check
> AuthColumnDef 2, Framed-Protocol, reply
> AuthColumnDef 3, GENERIC, check
> AuthColumnDef 4, GENERIC, reply
> AuthColumnDef 5, Profile, reply
>
> AddToReply Service-Type = Framed-User
> #cisco-avpair="ip:addr_pool=cm"
> #cisco-avpair="lcp:interface-config=ip policy route-map nesbe"
>
> </AuthBy>
>
> <AuthBy SQL>
>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> AuthSelect SELECT IDLETIMEOUT, SESSIONTIMEOUT \
> FROM PROFILES WHERE PROFILE='%{Reply:Profile}'
>
> AuthColumnDef 0, Idle-Timeout, reply
> AuthColumnDef 1, Session-Timeout, reply
>
> StripFromReply Profile
> </AuthBy>
> <AuthBy DYNADDRESS>
>
> # Point to the address allocator
>
> Allocator myallocator
> PoolHint pool2
> </AuthBy>
>
> </Realm>
>
>
> <Realm DEFAULT>
>
> AuthByPolicy ContinueWhileAccept
> RewriteUsername s/^([^@]+).*/$1/
>
> <AuthBy SQL>
>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> Timeout 30
> FailureBackoffTime 300
> RejectEmptyPassword
>
> # Set the default IP address group
> #FramedGroup = 0
>
> AuthSelect select PASSWORD, \
> ENCRYPTEDPASSWORD, \
> CRYPTPASSWD, \
> PROTOCOL, \
> IPADDRESS, \
> IPNETMASK, \
> MAXSESSIONS, \
> PORTLIMIT, \
> CHECKATTR, \
> REPLYATTR, \
> PROFILE \
> from LCSUBSCRIBERS \
> where USERNAME='%n' and STATUS='A'
>
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, Encrypted-Password, check
> AuthColumnDef 2, Encrypted-Password, check
> AuthColumnDef 3, Framed-Protocol, reply
> AuthColumnDef 4, Framed-IP-Address, reply
> AuthColumnDef 5, Framed-Netmask, reply
> AuthColumnDef 6, Simultaneous-Use, check
> AuthColumnDef 7, Port-Limit, reply
> AuthColumnDef 8, GENERIC, check
> AuthColumnDef 9, GENERIC, reply
> AuthColumnDef 10, Profile, reply
>
>
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>
> AcctFailedLogFileName %D/missedaccounting
> </AuthBy>
>
> <AuthBy SQL>
>
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> AuthSelect SELECT IDLETIMEOUT, SESSIONTIMEOUT \
> FROM PROFILES WHERE PROFILE='%{Reply:Profile}'
>
> AuthColumnDef 0, Idle-Timeout, reply
> AuthColumnDef 1, Session-Timeout, reply
>
> AddToReply Service-Type = Framed-User
>
> StripFromReply Profile
> </AuthBy>
>
> <AuthBy DYNADDRESS>
>
> # Point to the address allocator
>
> Allocator myallocator
> PoolHint pool1
> </AuthBy>
>
> SessionDatabase SDB1
> AuthLog AuthLog_1
>
> </Realm>
>
> <SessionDatabase SQL>
>
> ## Set the database Identifier
> Identifier SDB1
>
> ## Set the database source
> DBSource dbi:mysql:x
> DBUsername x
> DBAuth x
>
> AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
> SERVICETYPE) values ('%n','%N',%{NAS-Port},'%{Acct-Session-Id}', \
> %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}', \
> '%{Service-Type}')
>
> DeleteQuery delete from RADONLINE where USERNAME='%n' and \
> NASIDENTIFIER='%N' and NASPORT=%{NAS-Port}
>
> ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
>
> CountQuery select NASIDENTIFIER,NASPORT,ACCTSESSIONID from \
> RADONLINE where USERNAME='%n'
>
> </SessionDatabase>
>
> <StatsLog SQL>
> DBSource dbi:mysql:X
> DBUsername X
> DBAuth X
>
> # Enter a statistic every 5 minutes
> Interval 300
> </StatsLog>
> --
> Kyle Hultman Lynchburg Computer Systems
> Network Engineer 7605 Timberlake Road
> khultman at lcmail.net Lynchburg, VA 24502
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
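As an added illustration of the PreClientHook approach Hugh describes (this is example code, not Hugh's, Kyle's, or Radiator's own), the hook below looks the user up, adds the Accelerator pseudo-attribute only when the database says Y, and leaves the request untouched otherwise so it falls through to the plain <Handler>. Assumed: a SUBSCRIBERS table with USERNAME, STATUS and ACCELERATOR columns, a local dictionary entry for the Accelerator pseudo-attribute, the file name accelerator_hook.pl, and the placeholder DB credentials from Kyle's posted config.

```perl
# accelerator_hook.pl (assumed name); loaded from radius.cfg with
#   PreClientHook file:"%D/accelerator_hook.pl"
use strict;
use warnings;
use DBI;

my $dsn = 'dbi:mysql:x';   # placeholder DSN/credentials, as in the posted config
my $dbh;                   # cached handle, reconnected if it goes away

sub {
    my $p = ${$_[0]};      # the incoming request packet

    # The routing flag must come from the database only: drop any copy a
    # client put in the request so it cannot pick the accelerator Handler itself.
    $p->delete_attr('Accelerator');

    my $user = $p->get_attr('User-Name');
    return unless defined $user;
    $user =~ s/@.*$//;     # strip the realm, like the DEFAULT realm's RewriteUsername

    $dbh = DBI->connect($dsn, 'x', 'x', { RaiseError => 0, PrintError => 0 })
        unless $dbh && $dbh->ping;
    unless ($dbh) {
        &main::log($main::LOG_ERR, "Accelerator hook: DB connect failed: $DBI::errstr");
        return;            # no attribute added: request goes to the default Handler
    }

    # Bind the username as a parameter instead of interpolating it into the SQL.
    my ($flag) = $dbh->selectrow_array(
        'SELECT ACCELERATOR FROM SUBSCRIBERS WHERE USERNAME = ? AND STATUS = ?',
        undef, $user, 'A');

    if (defined $flag && $flag eq 'Y') {
        $p->add_attr('Accelerator', 'Y');   # matched by <Handler Accelerator=Y>
        &main::log($main::LOG_DEBUG, "Accelerator hook: $user routed to accelerator Handler");
    }
    return;
}
```

With this in place the <Handler Accelerator=Y> block from Hugh's sketch does the <AuthBy RADIUS> proxying and its StripFromRequest Accelerator keeps the pseudo-attribute from leaking to the upstream server; accounting packets carry no User-Name lookup hit unless the subscriber is flagged, so they follow the same routing as the Access-Request.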