(RADIATOR) Radiator Proxy GNU Radius
Antonio Mórtigo
amortigo at andinet.com
Tue Jun 8 13:19:20 CDT 2004
Hello,
I'm running Radiator 3.5 with Solaris 9 and perl 5.8.0 on a sparc box.
Last week I tried to make GNU-radius (version 1.2) "talk" to my radiator
in a radius proxy configuration. What I need is to make GNU-radius
pass radius access and accounting requests from a specific realm to my
radiator. The radiator configuration has in the authorized clients
clause the IP address and secret for that remote GNU server, and
GNU-radius also has realms, clients, and secrets configured... all
configurations seem to be good. In fact I tried the GNU-radius
configuration with a different radiator running on another ISP and it
worked well, but when my Radiator sends back the authentication reply
packet to the GNU-radius, GNU-radius says:
Jun 07 22:30:21 [15250]: Unrecognized proxy reply from server
xxx.xxx.xxx.xxx, proxy ID XX
The trace of the request packet in my Radiator says "No Reply":
radpwtst -s xxx.xxx.xxx.xxx -user USER@DOMAIN -password XXX -trace
Reading dictionary file '/etc/radiator/dictionary'
sending Access-Request...
Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1645 ....
Code: Access-Request
Identifier: 229
Authentic: 1234567890123456
Attributes:
User-Name = "USER@DOMAIN"
Service-Type = Framed-User
NAS-IP-Address = 208.221.129.201
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "B:<132><198><132>Q<167><194><4><30><251>0<131><245><203>O"
No reply
I thought it might be a problem with my Radiator version (too old?) so,
as I said above, I ran a radius-proxy test "against" a Radiator 3.9
version with a simpler configuration (simpler than mine) and it worked.
Then I ran the test with another radiator in another ISP and the
radius-proxy also worked with an older version (3.3), so I
just saw the problem has nothing to do with the version.
Any ideas?... I attached my configuration file; maybe this is the problem.
Regards,
Antonio
DbDir /etc/radiator
LogDir /logs/radiator
LogFile /logs/radiator/Radiator.log
DictionaryFile /etc/radiator/dictionary
UsernameCharset a-zA-Z0-9\/\.\_\@\-\^\+
AuthPort 1645
AcctPort 1646
DefineFormattedGlobalVar CHKREJECT Auth-Type = Reject
DefineFormattedGlobalVar REPLYNTSVR Filter-Id = mail,\
Reply-Message = NAVEGACION RESTRINGIDA CDACCESS
DefineFormattedGlobalVar REPLYLCENT Ascend-Route-IP = Route-IP-Yes,\
Ascend-Data-Filter = ip in forward icmp,\
Ascend-Data-Filter = ip in forward dstip xxx.xxx.xxx.xxx/0 udp dstport = 53,\
Ascend-Data-Filter = ip in forward dstip xxx.xxx.xxx.xxx/32 tcp dstport = 80,\
Reply-Message = NAVEGACION RESTRINGIDA CDACCESS
DefineFormattedGlobalVar REPLYHIPER USR-IP-Input-Filter = 10 ACCEPT udp-dst-port=53,\
USR-IP-Input-Filter = 20 AND tcp-dst-port=80,\
USR-IP-Input-Filter = 32 ACCEPT dst-addr=xxx.xxx.xxx.xxx,\
USR-IP-Input-Filter = 100 DENY,\
Reply-Message = NAVEGACION RESTRINGIDA CDACCESS
<Client localhost>
Identifier Lucent
Secret XXXX
IgnoreAcctSignature
IdenticalClients xxx.xxx.xxx.xxx
IdenticalClients xxx.xxx.xxx.xxx
PreHandlerHook file:"test.pl"
</Client>
<Client xxx.xxx.xxx.xxx>
Identifier Lucent
Secret XXXX
DupInterval 2
IgnoreAcctSignature
# BOG, BOG, BOG, CAL, CAL
IdenticalClients xxx.xxx.xxx.xxx
# CAR, CAR, MED, BAR
IdenticalClients xxx.xxx.xxx.xxx
IdenticalClients xxx.xxx.xxx.xxx
# BAR, BAR, BUC, PER
IdenticalClients xxx.xxx.xxx.xxx
IdenticalClients xxx.xxx.xxx.xxx
# BUC, MAN
IdenticalClients xxx.xxx.xxx.xxx
PreHandlerHook file:"test.pl"
</Client>
<Client xxx.xxx.xxx.xxx>
Identifier Netserver
Secret XXXX
DupInterval 2
IgnoreAcctSignature
IdenticalClients xxx.xxx.xxx.xxx
PreHandlerHook file:"test.pl"
</Client>
<Client xxx.xxx.xxx.xxx>
Identifier HiperARC
Secret XXXX
DupInterval 2
IgnoreAcctSignature
IdenticalClients xxx.xxx.xxx.xxx
IdenticalClients xxx.xxx.xxx.xxx
PreHandlerHook file:"test.pl"
</Client>
<Client xxx.xxx.xxx.xxx>
Secret XXXX
IgnoreAcctSignature
DefaultRealm andinetdsl.com
IdenticalClients xxx.xxx.xxx.xxx
</Client>
<AuthBy SQL>
Identifier authsql
DBSource dbi:mysql:xxxxxx
DBUsername xxx
DBAuth xxx
AddToReply Class=%{ClassDB}
EncryptedPassword
NoDefault
AccountingStopsOnly
AuthenticateAccounting
AccountingTable %{ClassDB}.ACCT%v%Y
AcctColumnDef USERNAME,%U,formatted
AcctColumnDef TIMESTAMP,Timestamp,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASPORTTYPE,NAS-Port-Type
AcctColumnDef USRCONNECTSPEED,USR-Connect-Speed
AcctColumnDef CALLEDID,Called-Station-Id
AcctColumnDef CALLINGID,Calling-Station-Id
AuthSelect SELECT ENCRYPTEDPASSWORD, CHECKATTR, \
IF("%{Client-Type}"="Lucent",REPLYATTRLCENT,IF("%{Client-Type}"="Netserver",REPLYATTRNTSVR,REPLYATTRHIPER)) AS REPLYATTR \
FROM %{ClassDB}.USER WHERE USERNAME = '%U'
AddToReplyIfNotExist Service-Type=Framed-User,\
Framed-Protocol=PPP,\
Idle-Timeout=900,\
Session-Timeout=86400,\
Framed-Compression=Van-Jacobson-TCP-IP
AcctSQLStatement UPDATE %{ClassDB}.USER SET TIMELEFT=TIMELEFT-IF(HORAS>0,0%{Acct-Session-Time},0) \
WHERE USERNAME = '%U'
</AuthBy>
<AuthBy RADIUS>
Identifier authroamserver
Host xxx.xxx.xxx.xxx
AuthPort 11812
AcctPort 11813
Secret XXXX
AddToReply Class="externos"
</AuthBy>
<AuthBy RADIUS>
Identifier express
Host xxx.xxx.xxx.xxx
AuthPort 1645
AcctPort 1646
Secret XXXX
AddToReply Class="externos"
</AuthBy>
<AuthBy SQL>
Identifier authipass
DBSource dbi:mysql:xxxxxx
DBUsername xxx
DBAuth xxx
EncryptedPassword
NoDefault
AuthSelect Select ENCRYPTEDPASSWORD from %{ClassDB}.USER where USERNAME = '%U' AND IPASS = 1
</AuthBy>
<AuthBy SQL>
Identifier acctexternos
DBSource dbi:mysql:xxxxxx
DBUsername xxx
DBAuth xxx
AccountingStopsOnly
AuthSelect
AccountingTable ACCT%v%Y
AcctColumnDef USERNAME,%n,formatted
AcctColumnDef TIMESTAMP,Timestamp,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASPORTTYPE,NAS-Port-Type
AcctColumnDef USRCONNECTSPEED,USR-Connect-Speed
AcctColumnDef CALLEDID,Called-Station-Id
AcctColumnDef CALLINGID,Calling-Station-Id
</AuthBy>
<AuthBy SQL>
Identifier virtualnet
DBSource dbi:mysql:xxxxxx
DBUsername xxx
DBAuth xxx
DefaultSimultaneousUse 1
AccountingStopsOnly
#AuthSelect SELECT EXPIRATION,TIMELEFT from PIN WHERE PIN = '%U' AND TIMELEFT>0 AND LOCKED=0
AuthSelect SELECT EXPIRATION,TIMELEFT,IF(TIMELEFT>0,"","Auth-Type=Reject:Consumo Agotado") \
FROM PIN WHERE PIN = '%U' AND LOCKED=0
AuthColumnDef 0, Expiration, check
AuthColumnDef 1, Session-Timeout, reply
AuthColumnDef 2, GENERIC, check
#AcctSQLStatement UPDATE PIN SET TIMELEFT=TIMELEFT-IF('%U' LIKE 'rep-%',0,0%{Acct-Session-Time}) \
# WHERE PIN = '%n'
AcctSQLStatement UPDATE PIN SET TIMELEFT=TIMELEFT-0%{Acct-Session-Time} WHERE PIN = '%n'
AcctSQLStatement INSERT INTO ACCOUNTING VALUES ( '%U', '%{Timestamp}','%{Acct-Session-Id}', \
'%{Acct-Session-Time}','%{NAS-IP-Address}','%{Framed-IP-Address}','%{Calling-Station-Id}' )
</AuthBy>
<AuthBy SQL>
Identifier wirelnet
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
DefaultSimultaneousUse 1
AccountingStopsOnly
AuthSelect SELECT EXPIRATION,TIMELEFT,IF(TIMELEFT>0,"","Auth-Type=Reject:Consumo Agotado") \
FROM PIN WHERE PIN = '%U' AND LOCKED=0
AuthColumnDef 0, Expiration, check
AuthColumnDef 1, Session-Timeout, reply
AuthColumnDef 2, GENERIC, check
AcctSQLStatement UPDATE PIN SET TIMELEFT=TIMELEFT-0%{Acct-Session-Time} WHERE PIN = '%n'
AcctSQLStatement INSERT INTO ACCOUNTING VALUES ( '%U', '%{Timestamp}','%{Acct-Session-Id}', \
'%{Acct-Session-Time}','%{NAS-IP-Address}','%{Framed-IP-Address}','%{Calling-Station-Id}' )
</AuthBy>
<AuthLog FILE>
Identifier authlog
Filename %L/authlogs/%{ClassDB}.log
LogSuccess 1
LogFailure 1
FailureFormat %l: FAIL : Access rejected for %U: %1 :%P
</AuthLog>
<AuthLog SQL>
Identifier authlogsql
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
LogFailure
FailureQuery insert into %{ClassDB}.RADLOG%v%Y (USERNAME,TIMESTAMP,REASON,PASSWORD) values ('%U',%t,%1,'%P')
</AuthLog>
<Realm geo.net.co>
SessionDatabase externos
AuthByPolicy ContinueAlways
AuthBy acctexternos
<AuthBy RADIUS>
Host xxx.xxx.xxx.xxx
Secret xxx
AddToReply Class="externos"
</AuthBy>
AcctLogFileName %L/GEONET.ACCT
</Realm>
<Realm ixp.net>
SessionDatabase sqlsess
AuthByPolicy ContinueAlways
<AuthBy RADIUS>
Host xxx.xxx.xxx.xxx
Secret xxx
AuthPort 1645
AcctPort 1646
</AuthBy>
<AuthBy PORTLIMITCHECK>
CountQuery SELECT COUNT(*) FROM ixp.RADONLINE
LimitQuery SELECT MAXPORTS FROM gestion.VISP WHERE IDVISP='ixp'
</AuthBy>
AcctLogFileName %L/IXPNET.ACCT
AuthLog authlog
AuthLog authlogsql
</Realm>
<Realm coldecon.net.co>
SessionDatabase sqlsess
RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueAlways
<AuthBy RADIUS>
Host xxx.xxx.xxx.xxx
Secret xxx
AuthPort 1645
AcctPort 1646
</AuthBy>
<AuthBy PORTLIMITCHECK>
CountQuery SELECT COUNT(*) FROM coldecon.RADONLINE
LimitQuery SELECT MAXPORTS FROM gestion.VISP WHERE IDVISP='coldecon'
</AuthBy>
AcctLogFileName %L/COLDECON.ACCT
AuthLog authlog
AuthLog authlogsql
</Realm>
<Realm andinetdsl.com>
SessionDatabase externos
RewriteUsername s/^([^@]+).*/$1/
AddToReply Class="externos"
AuthByPolicy ContinueAlways
AuthBy acctexternos
<AuthBy FILE>
Filename /etc/radiator/users.emtelco
</AuthBy>
AcctLogFileName %L/EMTELCO.ACCT
</Realm>
<Realm cdaccess>
SessionDatabase cdsess
RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueAlways
AddToReply Class="cdaccess"
<AuthBy SQL>
Identifier cdaccess
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
DefaultSimultaneousUse 1
AccountingStopsOnly
AuthSelect SELECT IF( UNIX_TIMESTAMP()-ACTIVATION - DAYS*86400>0 AND ACTIVATION<>0 , "%{GlobalVar:CHKREJECT}" , "" ) AS CHECKATTR, \
IF( ACTIVATION<>0, "", \
IF("%{Client-Type}"="Lucent","%{GlobalVar:REPLYLCENT}",IF("%{Client-Type}"="Netserver","%{GlobalVar:REPLYNTSVR}","%{GlobalVar:REPLYHIPER}"))) AS REPLYATTR \
FROM CDKEY WHERE CDKEY = '%U'
AuthColumnDef 0, GENERIC, check
AuthColumnDef 1, GENERIC, reply
AccountingTable ACCT%v%Y
AcctColumnDef USERNAME,%n,formatted
AcctColumnDef TIMESTAMP,Timestamp,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASPORTTYPE,NAS-Port-Type
AcctColumnDef USRCONNECTSPEED,USR-Connect-Speed
AcctColumnDef CALLEDID,Called-Station-Id
AcctColumnDef CALLINGID,Calling-Station-Id
</AuthBy>
AuthLog authlog
AuthLog authlogsql
</Realm>
<Realm vispctl.com>
PacketTrace
<AuthBy SQL>
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
AuthSelect Select HASH FROM VISPCTL where CTLID = '%U'
</AuthBy>
</Realm>
<Handler User-Name = /duplicated|unauthentica/>
AuthByPolicy ContinueAlways
<AuthBy SQL>
AcctSQLStatement
AuthSelect
</AuthBy>
AcctLogFileName %L/descartados.log
</Handler>
<Handler Request-Type= /Ascend-Access-Event/ >
AuthByPolicy ContinueAlways
<AuthBy SQL>
AcctSQLStatement
AuthSelect
</AuthBy>
AcctLogFileName %L/descartados.log
</Handler>
<Handler NAS-Identifier="i-Pass VNAS">
RejectHasReason
SessionDatabase sessnull
AuthByPolicy ContinueAlways
AuthBy acctexternos
AuthBy authipass
</Handler>
<Handler ClassDB="externos">
SessionDatabase externos
AuthByPolicy ContinueAlways
AuthBy acctexternos
AuthBy authroamserver
</Handler>
<Handler Realm=virtualnet>
RewriteUsername s/^([^@]+).*/$1/
SessionDatabase sessvnet
RejectHasReason
AccountingHandled
PreAuthHook file:"test2.pl"
AuthBy virtualnet
AuthLog authlog
AuthLog authlogsql
</Handler>
<Handler Realm=wirelnet>
RewriteUsername s/^([^@]+).*/$1/
SessionDatabase sesswnet
RejectHasReason
AccountingHandled
PreAuthHook file:"test3.pl"
AuthBy wirelnet
</Handler>
<Handler>
SessionDatabase sqlsess
RejectHasReason
PostAuthHook file:"test4.pl"
AuthByPolicy ContinueUntilAccept
AuthBy authsql
AuthLog authlog
AuthLog authlogsql
</Handler>
<SessionDatabase SQL>
Identifier sessvnet
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
AddQuery INSERT INTO RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, CALLINGID, \
SERVICETYPE) values ('%U', '%N' , 0%{NAS-Port}, '%{Acct-Session-Id}',\
%{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Calling-Station-Id}', \
'%{Service-Type}')
</SessionDatabase>
<SessionDatabase SQL>
Identifier sesswnet
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
AddQuery INSERT INTO RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, CALLINGID, \
SERVICETYPE) values ('%U', '%N' , 0%{NAS-Port}, '%{Acct-Session-Id}',\
%{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Calling-Station-Id}', \
'%{Service-Type}')
</SessionDatabase>
<SessionDatabase SQL>
Identifier sqlsess
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
AddQuery INSERT INTO %{ClassDB}.RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,CALLINGID, \
SERVICETYPE) values ('%U', '%N' , 0%{NAS-Port}, '%{Acct-Session-Id}',\
%{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}','%{Calling-Station-Id}', \
'%{Service-Type}')
DeleteQuery DELETE FROM %{ClassDB}.RADONLINE where NASIDENTIFIER='%1' and NASPORT='%2'
CountQuery SELECT NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS \
from %{ClassDB}.RADONLINE where USERNAME='%U'
</SessionDatabase>
<SessionDatabase SQL>
Identifier cdsess
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
AddQuery INSERT INTO RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, CALLINGID, \
SERVICETYPE) values ('%U', '%N' , 0%{NAS-Port}, '%{Acct-Session-Id}',\
%{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Calling-Station-Id}', \
'%{Service-Type}')
</SessionDatabase>
<SessionDatabase SQL>
Identifier externos
DBSource dbi:mysql:xxxxx
DBUsername xxx
DBAuth xxx
AddQuery INSERT INTO RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,CALLINGID, \
SERVICETYPE) values ('%{User-Name}', '%N' , 0%{NAS-Port}, '%{Acct-Session-Id}',\
%{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}','%{Calling-Station-Id}', \
'%{Service-Type}')
DeleteQuery DELETE FROM RADONLINE where NASIDENTIFIER='%1' and NASPORT='%2'
CountQuery SELECT NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS \
FROM RADONLINE where USERNAME='%n'
</SessionDatabase>
<SessionDatabase NULL>
Identifier sessnull
</SessionDatabase>
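A RADIUS proxy matches each reply to the request it forwarded by the packet Identifier (the "proxy ID" named in the GNU-radius log line) and by the server the reply arrives from, and then checks the Response Authenticator, an MD5 over the reply plus the shared secret configured for that server; a reply that fails either step is dropped and the client sees "No reply". The Python below is an added illustration of those two checks, written for this page and not code from Radiator or GNU-radius. It builds an Access-Request shaped like the radpwtst dump above (Identifier 229, the fixed authenticator 1234567890123456, the same NAS attributes), answers it with an Access-Accept, and reports the verdict a proxy reaches when the reply is correct, signed with a different secret, carries an Identifier that is not pending, or is truncated. The secret, password and Reply-Message are constructed placeholders, and the User-Password hiding follows RFC 2865 section 5.2 so the request is a valid one.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, REPLY_MESSAGE = 1, 2, 4, 5, 6, 18


def encode_attrs(attrs):
    """Serialise a list of (type, value_bytes) into RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, request_auth, attrs):
    """Access-Request: header, the client's Request Authenticator, attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_reply(code, request, secret, attrs):
    """Server side: the reply reuses the request's Identifier and is signed with the secret."""
    ident, request_auth = request[1], request[4:20]
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def match_reply(reply, pending, secret):
    """Proxy side: find the pending request by Identifier, then verify the
    Response Authenticator. Returns 'malformed', 'unrecognized-id',
    'bad-authenticator' or 'ok'."""
    if len(reply) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return "malformed"
    request = pending.get(ident)
    if request is None:
        return "unrecognized-id"      # nothing outstanding under this proxy ID
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"    # secret mismatch or altered packet
    return "ok"


# Constructed sample mirroring the radpwtst dump: ID 229, fixed authenticator.
SECRET = b"example-secret"           # placeholder, not the poster's secret
REQUEST_AUTH = b"1234567890123456"
SAMPLE_REQUEST = build_request(229, REQUEST_AUTH, [
    (USER_NAME, b"USER@DOMAIN"),
    (USER_PASSWORD, hide_password(b"XXX", SECRET, REQUEST_AUTH)),
    (SERVICE_TYPE, struct.pack("!I", 2)),            # Framed-User
    (NAS_IP_ADDRESS, bytes([208, 221, 129, 201])),
    (NAS_PORT, struct.pack("!I", 1234)),
])
PENDING = {229: SAMPLE_REQUEST}      # what the proxy has outstanding
SAMPLE_ACCEPT = build_reply(ACCESS_ACCEPT, SAMPLE_REQUEST, SECRET, [(REPLY_MESSAGE, b"welcome")])


def demo():
    """Verdicts for a correct reply and three ways a reply gets dropped."""
    wrong_id = bytes([SAMPLE_ACCEPT[0], 230]) + SAMPLE_ACCEPT[2:]
    return {"correct": match_reply(SAMPLE_ACCEPT, PENDING, SECRET),
            "wrong_secret": match_reply(SAMPLE_ACCEPT, PENDING, b"other-secret"),
            "wrong_id": match_reply(wrong_id, PENDING, SECRET),
            "truncated": match_reply(SAMPLE_ACCEPT[:-1], PENDING, SECRET)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

Given the log line in the post, the two things this example points at are worth confirming first: that the Secret in Radiator's <Client> for the GNU-radius host is the same one GNU-radius uses for that proxy target, and that the reply reaches GNU-radius from the address and port it sent the request to, since a reply from an unexpected source is not looked up against the pending request at all.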