(RADIATOR) AuthBy LDAP + SQL accounting

Andrew D. Clark andrew.clark at ucsb.edu
Thu Jul 15 12:35:51 CDT 2004


Thanks for the pointer.  Unfortunately, it doesn't seem to be working. 
The NAS should be returning the Class attribute in its subsequent 
accounting requests, but doesn't appear to be:

Code:       Access-Accept
Identifier: 2
Authentic:  <154><18>-G<181><20><14>'<229><193>)<212><241><211><189><251>
Attributes:
        Class = "ucsbCampusId = blahablah"

Thu Jul 15 10:31:47 2004: DEBUG: Packet dump:
*** Received from 128.111.218.250 port 45292 ....
Code:       Accounting-Request
Identifier: 3
Authentic:  T<213>+4""<238>X<157>7?<168>7<204><250>d
Attributes:
        User-Name = "andrew.clark"
        Acct-Status-Type = Start
        Acct-Session-Id = "9834"
        Acct-Authentic = RADIUS
        NAS-Identifier = "Bluesocket"
        NAS-IP-Address = 128.111.218.250
        Calling-Station-Id = "00:01:03:84:4c:c1"
        Framed-IP-Address = 128.111.166.123

Assuming I can get the NAS to respond properly, will this approach also 
work for storing arbitrary data in the session database (I'm using an 
external MySQL session DB)?

--
Andrew Clark
Campus Network Programmer
Office of Information Technology
University of California, Santa Barbara
andrew.clark at ucsb.edu (805) 893-5311


--On Thursday, July 15, 2004 05:56:54 PM +1000 Hugh Irvine 
<hugh at open.com.au> wrote:

>
> Hello Andrew -
>
> Keep in mind that the radius accounting happens _after_ the
> authentication, so you can use the Class attribute when you do the
> authentication to carry the LDAP attribute in the access accept that
> is returned to the NAS. The Class attribute will then be included in
> all subsequent accounting requests for the session and you can store
> it into the accounting table.
>
> What you describe is one way of setting up your configuration file -
> the other is to use Handlers:
>
> # deal with accounting
>
> <Handler Request-Type = Accounting-Request>
> 	<AuthBy SQL>
> 		.....
> 		AuthSelect
> 		.....
> 		AccountingTable ACCOUNTING
> 		AcctColumnDef ....
> 		.....
> 	</AuthBy>
> </Handler>
>
> # deal with authentication
>
> <Handler>
> 	<AuthBy LDAP2>
> 		.....
> 	</AuthBy>
> </Handler>
>
>
> regards
>
> Hugh
>
>
> On 15 Jul 2004, at 08:26, Andrew D. Clark wrote:
>
>> Hello all,
>>
>> I have a small problem.  I'm using a do-nothing AuthBy SQL stanza in
>> order to get SQL accounting (do-nothing by virtue of an empty
>> AuthSelect statement (is there a better way to do this?)).  Since
>> I'm  using AuthByPolicy ContinueWhileReject, the request falls
>> through to  my later auth methods.  What I'd like to do is get a
>> particular LDAP  attribute into the accounting table.  The problem
>> is that the AuthBy  LDAP happens after the SQL accounting, so I'm
>> not sure how to shove  that particular LDAP attribute into the
>> accounting statement before  it's inserted.  Clear as mud?  Any
>> suggestions?  I'm using the stock  ACCOUNTING table definition plus
>> one additional column for the LDAP  attribute I'd like to capture.
>>
>> --
>> Andrew Clark
>> Campus Network Programmer
>> Office of Information Technology
>> University of California, Santa Barbara
>> andrew.clark at ucsb.edu (805) 893-5311
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
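
One way to check a trace 4 log for the symptom discussed in this thread, as an added example that is not code from either poster or from Radiator: it lists accounting requests that arrived without a Class attribute, next to the Class values sent to the same NAS in Access-Accepts. The sample trace is constructed in the layout of the dumps quoted above, the `*** Sending to` header is assumed to mirror the `*** Received from` line shown, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the packet dumps quoted in this thread.
SAMPLE_TRACE = """\
Thu Jul 15 10:31:46 2004: DEBUG: Packet dump:
*** Sending to 128.111.218.250 port 45291 ....
Code:       Access-Accept
Attributes:
        Class = "ucsbCampusId = example"

Thu Jul 15 10:31:47 2004: DEBUG: Packet dump:
*** Received from 128.111.218.250 port 45292 ....
Code:       Accounting-Request
Attributes:
        User-Name = "andrew.clark"
        Acct-Status-Type = Start
        Acct-Session-Id = "9834"
        NAS-IP-Address = 128.111.218.250
"""

PEER = re.compile(r"^\*\*\* (Sending to|Received from) (\S+) port \d+")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def parse_dumps(trace):
    """Split a trace into packets: dicts with peer, code and attribute lists."""
    packets, cur = [], None
    for line in trace.splitlines():
        if m := PEER.match(line):
            cur = {"peer": m.group(2), "code": None, "attrs": defaultdict(list)}
            packets.append(cur)
        elif cur is None:
            continue  # text before the first packet header
        elif line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif m := ATTR.match(line):
            cur["attrs"][m.group(1)].append(m.group(2).strip('"'))
    return packets

def accounting_missing_class(trace):
    """Return (NAS, session id, Class values issued to that NAS) per gap."""
    issued, gaps = defaultdict(set), []
    for p in parse_dumps(trace):
        if p["code"] == "Access-Accept":
            issued[p["peer"]].update(p["attrs"]["Class"])
        elif p["code"] == "Accounting-Request" and not p["attrs"]["Class"]:
            sid = (p["attrs"]["Acct-Session-Id"] or ["?"])[0]
            gaps.append((p["peer"], sid, sorted(issued[p["peer"]])))
    return gaps
```

A non-empty result for a NAS that was sent a Class value points at the NAS not echoing the attribute, rather than at the accounting handler.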


