(RADIATOR) FramedGroup Proxy Handling With Framed-IP-Address=255.255.255.254

Hugh Irvine hugh at open.com.au
Fri Dec 16 18:31:23 CST 2005


Hello Jason -

Thanks for your mail.

I don't think this is a change we would like to make to the base  
code, as there may be people using this address in the way it is  
intended to be used (Framed-IP-Address = 255.255.255.254 is indeed  
one "standard" way of telling a NAS to do address allocation).

I would have thought however that a PreHandlerHook in those  
<Client ...> clauses that need this processing would be the way to go.

regards

Hugh


On 17 Dec 2005, at 07:55, Jason Haltom wrote:

> (Background)
>
> Pretty much what we do is every realm is assigned a FramedGroup,
> whether the <Client> has a FramedGroupBaseAddress or not.  If there
> is no FramedGroupBaseAddress we just get an error in our logs and
> the NAS or other proxy radius (which is between us and another
> company's NAS) handles the IP.  That way our client's users and our
> users can pass between all these different NAS boxes without a
> problem.
>
> (Problem)
>
> We are acting as a proxy between a client's equipment and their
> radius.  We like to have Radiator handle our IP assignments (via
> FramedGroup) but our client likes to have the NAS handle the IPs.
> This is a dialup/ISDN setup; some ISDN users do have a sticky IP
> assigned by our client's radius.  Our client's radius always hands
> out a Framed-IP-Address.  If the user does not have a sticky IP
> assigned to them the radius sends a
> Framed-IP-Address=255.255.255.254.  According to what they have told
> me, this is done to inform the NAS that it should handle IP
> assignment.  We have no problems with this client's NASs with this
> setup; however, due to the way everything else is set up, any users
> that belonged to this client that connected to one of our NAS boxes
> were unable to logon because they were assigned an IP of
> 255.255.255.254 and Radiator passed it on to the NAS, but the NAS did
> not know what to do with it (as it is not set up to hand out IPs) so
> it gave the user that address.
>
> I tried using several hooks to work around this and could never get
> any of them to work.
>
> (Fix)
>
> I updated the "handle_framedgroup" function in Configurable.pm to
> handle these 255.255.255.254 addresses.  If there is a
> Framed-IP-Address and it is NOT 255.255.255.254 then Radiator acts as
> it always has.  However, if the Framed-IP-Address is 255.255.255.254
> the function will act as if the address is not assigned at all and
> hand out an IP based on the FramedGroupBaseAddress assignment.
> (Note for the sanity of anyone who does not know this: this
> function is only run when there is a FramedGroupBaseAddress assigned.)
>
> I am not sure if this is anything useful to anyone else, but it may
> be handy to anyone with a goofy setup like we have.  This change
> should only affect people who are a proxy server using FramedGroup
> and process 255.255.255.254 addresses from another server.  (If I am
> wrong please let me know.)
>
> Included below is a snip from our radius config file and the
> changed function mentioned above.
>
> Thanks,
>
> Jason Haltom
>
> (Here is a snip from our radius.cfg file)
>
> [radius.cfg]
>
> ##-----------------AUTHBYs
> <AuthBy SQL>
>   Identifier FilterAndAccounting
>   {removed all the sql stuff as it is not needed for the example}
> </AuthBy>
>
> <AuthBy RADIUS>
>   Identifier PixiusRad
>   <Host 64.39.212.132>
>     Secret {removed}
>     AuthPort 1645
>     AcctPort 1646
>   </Host>
>   <Host 209.173.229.160>
>     Secret {removed}
>     AuthPort 1645
>     AcctPort 1646
>   </Host>
>   LocalAddress 12.19.114.3
>   StripFromRequest NAS-IP-Address
>   AddToRequest NAS-IP-Address=12.19.114.3
>   AddToReplyIfNotExist Idle-Timeout = 1800
>   AddToReplyIfNotExist Session-Timeout = 18000
> </AuthBy>
>
> ##-----------------CLIENTs
> <Client 12.19.117.3>
>   Description Portmaster
>   DefaultRealm pxs
>   FramedGroupBaseAddress 12.19.117.100
>   FramedGroupBaseAddress 12.19.117.150
>   FramedGroupBaseAddress 12.19.117.200
>   NasType Portmaster3
>   Secret {removed}
> </Client>
>
> <Client 24.249.116.4>
>   Description JC dialup POP run by pxs
>   Secret {removed}
>   DefaultRealm pxs
> </Client>
>
> ##-----------------REALMs
> <Realm pxs>
>   AuthByPolicy ContinueWhileAccept
>   RewriteUsername s/\@pxs//
>   AuthBy PixiusRad
>   SessionDatabase sessionDB
>   MaxSessions 2
>   FramedGroup 2
>   AuthLog globalauthlog
> </Realm>
>
> <Realm kansasi.net>
>   AuthByPolicy ContinueWhileAccept
>   AuthBy FilterAndAccounting
>   Description kansasi.net realm
>   FramedGroup 2
>   MaxSessions 2
>   PasswordLogFileName logs/kansasi-pass.log
>   RejectHasReason
>   SessionDatabase sessionDB
>   AuthLog globalauthlog
> </Realm>
>
> (Here is the changed function with comments on the change area)
>
> [Configurable.pm]
>
> #####################################################################
> # This is to handle FramedGroup Realm request or Framed-Group
> # user attribute
> # it takes return packet, group value and packet flag as parameters.
> sub handle_framedgroup
> {
>     my ($self, $p, $value) = @_;
>
>     ##----Mod by JMH to allow Radiator to act as the NAS if it is a
>     ##    proxy, to assign an IP address.
>     # What to do if there is already an IP address
>     if (defined $p->{rp}->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS))
>     {
>         # If there is a Framed-IP-Address and it is not the
>         # 255.255.255.254 "NAS should allocate" value, return as normal.
>         # If it is that value, allow FramedGroup to assign an address,
>         # as Radiator is acting as the NAS in the aspect of IP handling.
>         return if ($p->{rp}->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS)
>                    ne '255.255.255.254');
>
>         # Notify the debug logs that we ignored an address.
>         $self->log($main::LOG_DEBUG, "Ignored Framed-IP-Address", $p);
>     }
>     ##----END of Mod -- see below for old code.
>     # Dont do this if there is already an IP address
>     #    return if defined $p->{rp}->getAttrByNum
>     #                      ($Radius::Radius::FRAMED_IP_ADDRESS);
>     ##----End of old code.
>
>     $self->log($main::LOG_DEBUG,
>                "FramedGroup $value address is being assigned", $p);
>
>     # Figure out an address to allocate
>     my $base = $p->{Client}->{FramedGroupBaseAddress}[$value];
>     if (!defined $base)
>     {
>         $self->log($main::LOG_WARNING,
>                    "There is no FramedGroupBaseAddress defined for a Framed-Group of $value. No address will be allocated", $p);
>         return;
>     }
>     if ($p->{Client}->{FramedGroupMaxPortsPerClassC} == 0)
>     {
>         $self->log($main::LOG_WARNING,
>                    "FramedGroupMaxPortsPerClassC is 0. No address will be allocated", $p);
>         return;
>     }
>
>     my @base = split(/\./, $base);
>     my $port = $p->getAttrByNum($Radius::Radius::NAS_PORT);
>     # Adjust port number by subtracting an offset. Cisco ISDN port
>     # numbers start at a silly number
>     $port -= $p->{Client}->{FramedGroupPortOffset}
>         if $port > $p->{Client}->{FramedGroupPortOffset};
>
>     # Compute octet 4 of the IP address
>     my $o4 = $base[3] + ($port % $p->{Client}->{FramedGroupMaxPortsPerClassC});
>     # Compute octet 3 of the IP address
>     my $o3 = ($base[2] + int($port / $p->{Client}->{FramedGroupMaxPortsPerClassC})) % 256;
>
>     $p->{rp}->changeAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS,
>                               "$base[0].$base[1].$o3.$o4");
> }
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
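Hugh's reply points at a hook rather than a patch to Configurable.pm. As an added example (not Jason's patch and not Radiator's own code): because the 255.255.255.254 value arrives in the proxied reply rather than in the request, this hook sits on the proxying <AuthBy RADIUS> as a ReplyHook and removes Framed-IP-Address=255.255.255.254 only when the request came from a <Client> that has FramedGroupBaseAddress, so the unmodified handle_framedgroup allocates for those NASs while clients without a base address still receive the value and let their NAS allocate. It assumes the ReplyHook argument order given in the Radiator reference manual (received reply, reply being built for the NAS, original request, passed as references), that the remote reply's attributes have already been copied into that reply when the hook runs, the Radius::Radius delete_attr method, and the hypothetical file name replyhook.pl loaded with ReplyHook file:"%D/replyhook.pl"; check each against your version's doc/ref.html.

```perl
# replyhook.pl (hypothetical file name) -- added example, not Radiator's
# own code or Jason's patch. Loaded from the proxying clause with
#   ReplyHook file:"%D/replyhook.pl"
# Assumed (from the Radiator reference manual): the hook is passed
# references to the reply from the remote server, the reply being built
# for the NAS and the original request from the NAS, and runs after the
# remote reply's attributes have been copied into the reply being built.
sub {
    my $rp = ${$_[1]};   # reply being built for the NAS
    my $op = ${$_[2]};   # original request from the NAS ($op->{Client} set)

    my $ip = $rp->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS);

    # Upstream did not say "let the NAS allocate": leave the reply alone,
    # so sticky addresses from the client's radius pass through unchanged.
    return unless defined $ip && $ip eq '255.255.255.254';

    # Only intervene for NASs we allocate for. A <Client> without any
    # FramedGroupBaseAddress keeps the 255.255.255.254 value, because
    # that NAS is expected to do its own allocation.
    my $client = $op->{Client};
    return unless defined $client
        && defined $client->{FramedGroupBaseAddress}
        && @{$client->{FramedGroupBaseAddress}};

    # Drop the attribute. The stock handle_framedgroup() only allocates
    # when the reply has no Framed-IP-Address, so it now assigns from
    # FramedGroupBaseAddress for the Realm's FramedGroup.
    $rp->delete_attr('Framed-IP-Address');
    &main::log($main::LOG_DEBUG,
        'ReplyHook: removed Framed-IP-Address=255.255.255.254 from '
        . 'proxied reply so FramedGroup can allocate');
}
```

A trace 4 debug run should then show the hook's message followed by the stock "FramedGroup 2 address is being assigned" line for requests from 12.19.117.3, and no change for 24.249.116.4.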


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au