(RADIATOR) ascend data filter problems

Hugh Irvine hugh at open.com.au
Wed Sep 8 21:21:43 CDT 2004


Hello Troy -

Yes you can use an AddToReply to send Ascend-Data-Filter attributes.

It is not clear to me where the problem is occurring.

You should have a look at an Ethereal trace to see what is actually on 
the wire and a trace 5 debug from Radiator to see what is in the 
packets received by Radiator. I am guessing that you have a problem 
with your dictionary file. Note that there are two different sets of 
Ascend dictionary attributes, so there may be some confusion. Note that 
in the trace shown below you do not show the access accept coming back 
from the target proxy.

What version of Radiator are you running?

regards

Hugh


On 9 Sep 2004, at 03:32, troy chaney wrote:

> We have a pass thru radius customer that is having a lot of problems 
> sending us their ascend data filters. I have not been able to find a 
> definitive answer in the archives. They are attempting to send their 
> filters as an AddToReply. We use a user database to perform this 
> function and I am unsure as to if the filters can be passed this way 
> and if so what the proper syntax would be to do so.
>
>  AddToReply Service-Type = Framed-User,Framed-Protocol = PPP,Framed-IP-Address = 255.255.255.254,Framed-IP-Netmask = 255.255.255.255,Session-Timeout = 14400,Idle-Timeout = 900,Ascend-Data-Filter = ip in forward tcp est,Ascend-Data-Filter = ip in forward dstip 66.210.32.128/27,Ascend-Data-Filter = ip in forward dstip 207.27.152.9/24,Ascend-Data-Filter = ip in drop tcp dstport = 25,Ascend-Data-Filter = ip in forward
>
> Whenever I run radtest I get the following
>
> rad_recv: Access-Accept packet from host 66.210.32.156:1645, id=151, length=216
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = 255.255.255.254
>         Framed-IP-Netmask = 255.255.255.255
>         Session-Timeout = 14400
>         Idle-Timeout = 900
>         Ascend-Data-Filter = "ip input forward tcp est"
>         Ascend-Data-Filter = "ip input forward 0 dstip 66.210.32.128/27"
>         Ascend-Data-Filter = "ip input forward 0 dstip 207.27.152.9/24"
>         Ascend-Data-Filter = "ip input drop tcp dstport = 25"
>         Ascend-Data-Filter = "ip input forward 0"
>
> When looked at from Radar
>
> *** Sending to 66.210.32.156 port 1645 ....
> Code:       Access-Request
> Identifier: 58
> Authentic:  1234567890123456
> Attributes:
>             User-Name = "sensley at afo.net"
>             Service-Type = Framed-User
>             NAS-IP-Address = 192.168.12.10
>             NAS-Port = 1
>             Called-Station-Id = "123456789"
>             Calling-Station-Id = "987654321"
>             NAS-Port-Type = Async
>             User-Password = "<221><15>J<156><181><247><232><255><135>n{<168><29>><142><156>"
>
> Wed Sep  8 10:25:58 2004: DEBUG: Access accepted for sensley at afo.net
> Wed Sep  8 10:25:58 2004: DEBUG: Packet dump:
> *** Sending to 65.167.179.3 port 3177 ....
> Code:       Access-Accept
> Identifier: 94
> Authentic:  1234567890123456
> Attributes:
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Framed-IP-Address = 255.255.255.254
>             Framed-IP-Netmask = 255.255.255.255
>             Session-Timeout = 14400
>             Idle-Timeout = 900
>
> My question is if the ascend-data-filters can be passed successfully 
> as AddToReply and if so what the correct syntax would be and if not 
> what is the best way to get them to successfully pass their ascend 
> data filters?
>
> Troy
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
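
Added example (not part of the original thread and not Radiator code): one way to check what is actually on the wire, as the reply above suggests, is to parse the raw Access-Accept and report whether each Ascend-Data-Filter arrives as a native attribute or inside a Vendor-Specific attribute, or is missing. The numbers 242 and 529 are assumptions taken from commonly distributed Ascend dictionaries and should be checked against your own dictionary file; the packets are constructed samples.

```python
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
ASCEND_VENDOR_ID = 529    # assumption: Ascend vendor number in VSA-style dictionaries
ASCEND_DATA_FILTER = 242  # assumption: same attribute number in both dictionary styles

def iter_attributes(packet):
    """Yield (type, value) for each attribute in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def ascend_filter_encodings(packet):
    """Return (encoding, value_length) for each Ascend-Data-Filter found."""
    found = []
    for atype, value in iter_attributes(packet):
        if atype == ASCEND_DATA_FILTER:
            found.append(("native", len(value)))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (ASCEND_VENDOR_ID, ASCEND_DATA_FILTER) \
                    and 2 <= vlen <= len(value) - 4:
                found.append(("vsa", vlen - 2))
    return found

def build(code, attrs):
    """Build a constructed sample packet (zero authenticator, not a valid reply)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

FILTER = bytes(32)  # constructed placeholder standing in for one binary filter
COMMON = [(6, struct.pack("!I", 2)), (27, struct.pack("!I", 14400))]
VSA_VALUE = struct.pack("!IBB", ASCEND_VENDOR_ID, ASCEND_DATA_FILTER, 34) + FILTER
native = build(ACCESS_ACCEPT, COMMON + [(ASCEND_DATA_FILTER, FILTER)])
vsa = build(ACCESS_ACCEPT, COMMON + [(VENDOR_SPECIFIC, VSA_VALUE)])
stripped = build(ACCESS_ACCEPT, COMMON)  # filters lost, as in the second dump above

for name, pkt in (("native", native), ("vsa", vsa), ("stripped", stripped)):
    print(name, ascend_filter_encodings(pkt))
```

Running this over the reply captured on each side of the proxy shows at which hop the filters disappear or change encoding.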

