(RADIATOR) AuthBy LDAP + SQL accounting
Andrew D. Clark
andrew.clark at ucsb.edu
Thu Jul 15 13:18:35 CDT 2004
OS upgrade on the BlueSocket fixed the problem (I was running v2, moved
to v3.1). Just responding for the next poor sod that might find this
in the archives. Thanks!
--
Andrew Clark
Campus Network Programmer
Office of Information Technology
University of California, Santa Barbara
andrew.clark at ucsb.edu (805) 893-5311
--On Thursday, July 15, 2004 10:35:51 AM -0700 "Andrew D. Clark"
<andrew.clark at ucsb.edu> wrote:
> Thanks for the pointer. Unfortunately, it doesn't seem to be
> working. The NAS should be returning the Class attribute in its
> subsequent accounting requests, but doesn't appear to be:
>
> Code: Access-Accept
> Identifier: 2
> Authentic:
> <154><18>-G<181><20><14>'<229><193>)<212><241><211><189><251>
> Attributes:
> Class = "ucsbCampusId = blahablah"
>
> Thu Jul 15 10:31:47 2004: DEBUG: Packet dump:
> *** Received from 128.111.218.250 port 45292 ....
> Code: Accounting-Request
> Identifier: 3
> Authentic: T<213>+4""<238>X<157>7?<168>7<204><250>d
> Attributes:
> User-Name = "andrew.clark"
> Acct-Status-Type = Start
> Acct-Session-Id = "9834"
> Acct-Authentic = RADIUS
> NAS-Identifier = "Bluesocket"
> NAS-IP-Address = 128.111.218.250
> Calling-Station-Id = "00:01:03:84:4c:c1"
> Framed-IP-Address = 128.111.166.123
>
> Assuming I can get the NAS to respond properly, will this approach
> also work for storing arbitrary data in the session database (I'm
> using an external MySQL session DB)?
>
> --
> Andrew Clark
> Campus Network Programmer
> Office of Information Technology
> University of California, Santa Barbara
> andrew.clark at ucsb.edu (805) 893-5311
>
>
> --On Thursday, July 15, 2004 05:56:54 PM +1000 Hugh Irvine
> <hugh at open.com.au> wrote:
>
>>
>> Hello Andrew -
>>
>> Keep in mind that the radius accounting happens _after_ the
>> authentication, so you can use the Class attribute when you do the
>> authentication to carry the LDAP attribute in the access accept that
>> is returned to the NAS. The Class attribute will then be included in
>> all subsequent accounting requests for the session and you can store
>> it into the accounting table.
>>
>> What you describe is one way of setting up your configuration file -
>> the other is to use Handlers:
>>
>> # deal with accounting
>>
>> <Handler Request-Type = Accounting-Request>
>>     <AuthBy SQL>
>>         .....
>>         AuthSelect
>>         .....
>>         AccountingTable ACCOUNTING
>>         AcctColumnDef ....
>>         .....
>>     </AuthBy>
>> </Handler>
>>
>> # deal with authentication
>>
>> <Handler>
>>     <AuthBy LDAP2>
>>         .....
>>     </AuthBy>
>> </Handler>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 15 Jul 2004, at 08:26, Andrew D. Clark wrote:
>>
>>> Hello all,
>>>
>>> I have a small problem. I'm using a do-nothing AuthBy SQL stanza in
>>> order to get SQL accounting (do-nothing by virtue of an empty
>>> AuthSelect statement (is there a better way to do this?)). Since
>>> I'm using AuthByPolicy ContinueWhileReject, the request falls
>>> through to my later auth methods. What I'd like to do is get a
>>> particular LDAP attribute into the accounting table. The problem
>>> is that the AuthBy LDAP happens after the SQL accounting, so I'm
>>> not sure how to shove that particular LDAP attribute into the
>>> accounting statement before it's inserted. Clear as mud? Any
>>> suggestions? I'm using the stock ACCOUNTING table definition plus
>>> one additional column for the LDAP attribute I'd like to capture.
>>>
>>> --
>>> Andrew Clark
>>> Campus Network Programmer
>>> Office of Information Technology
>>> University of California, Santa Barbara
>>> andrew.clark at ucsb.edu (805) 893-5311
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>
>
>
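Added example, not part of the original thread and not Radiator code: a small Python check for the failure seen in the trace above, where the NAS does not return the Class attribute from the Access-Accept in its Accounting-Request (RFC 2865 says the client SHOULD send it back unmodified). The packets are constructed samples with zeroed authenticators, and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4        # RADIUS packet codes
USER_NAME, CLASS, ACCT_SESSION_ID = 1, 25, 44   # RADIUS attribute types

def build(code, ident, attrs):
    """Encode a sample packet; the authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body

def parse(packet):
    """Return (code, identifier, [(type, value), ...]) with strict length checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def class_echo_status(accept_pkt, acct_pkt):
    """Compare Class values in the Access-Accept with the accounting request."""
    a_code, _, a_attrs = parse(accept_pkt)
    r_code, _, r_attrs = parse(acct_pkt)
    if a_code != ACCESS_ACCEPT or r_code != ACCOUNTING_REQUEST:
        raise ValueError("expected Access-Accept then Accounting-Request")
    sent = sorted(v for t, v in a_attrs if t == CLASS)
    got = sorted(v for t, v in r_attrs if t == CLASS)
    if not sent:
        return "no-class-sent"
    if not got:
        return "missing"          # what the trace in this thread shows
    return "echoed" if sent == got else "modified"

# Constructed packets modelled on the trace quoted in the thread.
SESSION = [(USER_NAME, b"andrew.clark"), (ACCT_SESSION_ID, b"9834")]
ACCEPT = build(ACCESS_ACCEPT, 2, [(CLASS, b"ucsbCampusId = blahablah")])
ACCT_NO_CLASS = build(ACCOUNTING_REQUEST, 3, SESSION)
ACCT_WITH_CLASS = build(ACCOUNTING_REQUEST, 4,
                        SESSION + [(CLASS, b"ucsbCampusId = blahablah")])

if __name__ == "__main__":
    print(class_echo_status(ACCEPT, ACCT_NO_CLASS))
    print(class_echo_status(ACCEPT, ACCT_WITH_CLASS))
```

A "missing" or "modified" result means the identity carried in Class never reaches the accounting table intact, so accounting rows for that NAS cannot be tied back to the LDAP attribute.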