(RADIATOR) FramedGroup Proxy Handling With Framed-IP-Address=255.255.255.254
Jason Haltom
jasonh at ideateksystems.com
Fri Dec 16 19:27:04 CST 2005
Thanks for responding so quickly, Hugh.
I tried several hooks with no luck (PreHandlerHook was not one of them,
though), but due to a time crunch I had to do the base code change
instead. The thing that got me about using FramedGroup is that Radiator
is handling the IP and not the NAS unit, so if you send 255.255.255.254
to a NAS that is expecting to receive all IPs from the radius server,
then the NAS hands out the 255.255.255.254 address to the user and the
user fails to get a connection due to having a "bad" IP address.
The way I understand it is that when using FramedGroup to hand out an IP
address, that takes the burden off of the NAS, and if the server is a
proxy, it in essence becomes the NAS with respect to IP handling.
I just wanted to put my story out there with the fix that worked for us
in case anyone else ever comes across an issue like this as well. After
looking everything over, the PreHandlerHook should have been the thing
to do; I think I tried about everything except that one before jumping
into the code. And I wasn't sure if the default handling of this
address for the FramedGroup function was accurate.
Have a good weekend,
Jason
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Friday, December 16, 2005 6:31 PM
To: Jason Haltom
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) FramedGroup Proxy Handling With Framed-IP-Address=255.255.255.254
Hello Jason -
Thanks for your mail.
I don't think this is a change we would like to make to the base
code, as there may be people using this address in the way it is
intended to be used (Framed-IP-Address = 255.255.255.254 is indeed
one "standard" way of telling a NAS to do address allocation).
I would have thought however that a PreHandlerHook in those
<Client ...> clauses that need this processing would be the way to go.
regards
Hugh
On 17 Dec 2005, at 07:55, Jason Haltom wrote:
> (Background)
>
> Pretty much what we do is every realm is assigned a FramedGroup,
> whether the <Client> has a FramedGroupBaseAddress or not. If there
> is no FramedGroupBaseAddress we just get an error in our logs and
> the NAS or other proxy radius (which is between us and another
> company's NAS) handles the IP. That way our client's users and our
> users can pass between all these different NAS boxes without a
> problem.
>
> (Problem)
>
> We are acting as a proxy between a client's equipment and their
> radius. We like to have Radiator handle our IP assignments (via
> FramedGroup) but our client likes to have the NAS handle the IPs.
> This is a dialup/ISDN setup; some ISDN users do have a sticky IP
> assigned by our client's radius. Our client's radius always hands
> out a Framed-IP-Address. If the user does not have a sticky IP
> assigned to them the radius sends a
> Framed-IP-Address=255.255.255.254. According to what they have told
> me, this is done to inform the NAS that it should handle IP
> assignment. We have no problems with this client's NASs with this
> setup; however, due to the way everything else is set up, any users
> that belonged to this client that connected to one of our NAS boxes
> were unable to log on because they were assigned an IP of
> 255.255.255.254 and Radiator passed it on to the NAS, but the NAS did
> not know what to do with it (as it is not set up to hand out IPs), so
> it gave the user that address.
>
> I tried using several hooks to work around this and could never get
> any of them to work.
>
> (Fix)
>
> I updated the "handle_framedgroup" function in Configurable.pm to
> handle these 255.255.255.254 addresses. If there is a
> Framed-IP-Address and it is NOT 255.255.255.254 then Radiator acts as
> it always has. However, if the Framed-IP-Address is 255.255.255.254
> the function will act as if the address is not assigned at all and
> hand out an IP based on the FramedGroupBaseAddress assignment.
> (Note for the sanity of anyone who does not know this: this
> function is only run when there is a FramedGroupBaseAddress assigned)
>
> I am not sure if this is anything useful to anyone else, but it may
> be handy to anyone with a goofy setup like we have. This change
> should only affect people who are a proxy server using FramedGroup
> and process 255.255.255.254 addresses from another server. (If I am
> wrong please let me know).
>
> Included below is a snip from our radius config file and the
> changed function mentioned above.
>
> Thanks,
>
> Jason Haltom
>
> (Here is a snip from our radius.cfg file)
>
> [radius.cfg]
>
> ##-----------------AUTHBYs
> <AuthBy SQL>
>         Identifier FilterAndAccounting
>         {removed all the sql stuff as it is not needed for the example}
> </AuthBy>
>
> <AuthBy RADIUS>
>         Identifier PixiusRad
>         <Host 64.39.212.132>
>                 Secret {removed}
>                 AuthPort 1645
>                 AcctPort 1646
>         </Host>
>         <Host 209.173.229.160>
>                 Secret {removed}
>                 AuthPort 1645
>                 AcctPort 1646
>         </Host>
>         LocalAddress 12.19.114.3
>         StripFromRequest NAS-IP-Address
>         AddToRequest NAS-IP-Address=12.19.114.3
>         AddToReplyIfNotExist Idle-Timeout = 1800
>         AddToReplyIfNotExist Session-Timeout = 18000
> </AuthBy>
>
> ##-----------------CLIENTs
> <Client 12.19.117.3>
>         Description Portmaster
>         DefaultRealm pxs
>         FramedGroupBaseAddress 12.19.117.100
>         FramedGroupBaseAddress 12.19.117.150
>         FramedGroupBaseAddress 12.19.117.200
>         NasType Portmaster3
>         Secret {removed}
> </Client>
>
> <Client 24.249.116.4>
>         Description JC dialup POP run by pxs
>         Secret {removed}
>         DefaultRealm pxs
> </Client>
>
> ##-----------------REALMs
> <Realm pxs>
>         AuthByPolicy ContinueWhileAccept
>         RewriteUsername s/\@pxs//
>         AuthBy PixiusRad
>         SessionDatabase sessionDB
>         MaxSessions 2
>         FramedGroup 2
>         AuthLog globalauthlog
> </Realm>
>
> <Realm kansasi.net>
>         AuthByPolicy ContinueWhileAccept
>         AuthBy FilterAndAccounting
>         Description kansasi.net realm
>         FramedGroup 2
>         MaxSessions 2
>         PasswordLogFileName logs/kansasi-pass.log
>         RejectHasReason
>         SessionDatabase sessionDB
>         AuthLog globalauthlog
> </Realm>
>
>
> (Here is the changed function with comments on the change area)
>
> [Configurable.pm]
>
> #####################################################################
> # This is to handle FramedGroup Realm request or Framed-Group
> # user attribute
> # it takes return packet, group value and packet flag as parameters.
> sub handle_framedgroup
> {
>     my ($self, $p, $value) = @_;
>
>     ##----Mod by JMH to allow Radiator to act as the NAS if it is a
>     ##    proxy to assign an IP address.
>     # What to do if there is already an IP address
>     if (defined $p->{rp}->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS))
>     {
>         # If there is a framed IP address and if it is not an RFC address
>         # then return as normal.
>         # If it is an RFC address then allow FramedGroup to assign an
>         # address, as this server is acting as the NAS in the aspect of
>         # IP handling.
>         return if ($p->{rp}->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS)
>                    ne "255.255.255.254");
>
>         # Notify the debug logs that we ignored an address.
>         $self->log($main::LOG_DEBUG, "Ignored Framed-IP-Address", $p);
>     }
>     ##----END of Mod -- see below for old code.
>     # Dont do this if there is already an IP address
>     # return if defined $p->{rp}->getAttrByNum
>     #     ($Radius::Radius::FRAMED_IP_ADDRESS);
>     ##----End of old code.
>
>     $self->log($main::LOG_DEBUG,
>                "FramedGroup $value address is being assigned", $p);
>
>     # Figure out an address to allocate
>     my $base = $p->{Client}->{FramedGroupBaseAddress}[$value];
>     if (!defined $base)
>     {
>         $self->log($main::LOG_WARNING,
>                    "There is no FramedGroupBaseAddress defined for a Framed-Group of $value. No address will be allocated", $p);
>         return;
>     }
>     if ($p->{Client}->{FramedGroupMaxPortsPerClassC} == 0)
>     {
>         $self->log($main::LOG_WARNING,
>                    "FramedGroupMaxPortsPerClassC is 0. No address will be allocated", $p);
>         return;
>     }
>
>     my @base = split(/\./, $base);
>     my $port = $p->getAttrByNum($Radius::Radius::NAS_PORT);
>     # Adjust port number by subtracting an offset. Cisco ISDN port numbers
>     # start at a silly number
>     $port -= $p->{Client}->{FramedGroupPortOffset}
>         if $port > $p->{Client}->{FramedGroupPortOffset};
>
>     # Compute octet 4 of the IP address
>     my $o4 = $base[3] + ($port % $p->{Client}->{FramedGroupMaxPortsPerClassC});
>     # Compute octet 3 of the IP address
>     my $o3 = ($base[2] + int($port / $p->{Client}->{FramedGroupMaxPortsPerClassC})) % 256;
>
>     $p->{rp}->changeAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS,
>                               "$base[0].$base[1].$o3.$o4");
> }
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
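To make the allocation arithmetic in the patched handle_framedgroup above concrete, here is an added, stand-alone Python model of it. This is an editorial example, not Radiator code and not Jason's patch: ClientConfig, allocate_framed_ip and apply_framed_group are invented names, the parameter names mirror the radius.cfg keys from the thread, the default of 255 for FramedGroupMaxPortsPerClassC is an assumption, and the client settings and reply attributes are constructed. It keeps the patched behaviour (255.255.255.254 from upstream is treated as "no address assigned") and additionally range-checks the computed octet, which the Perl does not do.

```python
"""Model of the Framed-Group address allocation in Radiator's
handle_framedgroup, with the 255.255.255.254 sentinel treated as "no
address assigned" the way the patched function in this thread does.

Constructed example, not Radiator code: ClientConfig, allocate_framed_ip
and apply_framed_group are invented here; field names mirror radius.cfg.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Framed-IP-Address value meaning "the NAS should allocate the address".
NAS_SHOULD_ALLOCATE = "255.255.255.254"


@dataclass
class ClientConfig:
    """The <Client> parameters handle_framedgroup reads (names from the thread)."""
    framed_group_base_address: List[str] = field(default_factory=list)
    framed_group_max_ports_per_class_c: int = 255   # assumed default, constructed
    framed_group_port_offset: int = 0


def allocate_framed_ip(client: ClientConfig, group: int, nas_port: int,
                       existing: Optional[str] = None) -> Optional[str]:
    """Return the Framed-IP-Address the reply should carry, or None if no
    address can be allocated. `existing` is whatever Framed-IP-Address the
    upstream reply already had."""
    # Unpatched Radiator returns as soon as any Framed-IP-Address exists.
    # The patch keeps that, except that the sentinel counts as "unassigned".
    if existing is not None and existing != NAS_SHOULD_ALLOCATE:
        return existing

    # FramedGroupBaseAddress is a list indexed by the Framed-Group value.
    bases = client.framed_group_base_address
    if group < 0 or group >= len(bases):
        return None  # Radiator warns "no FramedGroupBaseAddress defined" and returns
    max_ports = client.framed_group_max_ports_per_class_c
    if max_ports == 0:
        return None  # Radiator warns "FramedGroupMaxPortsPerClassC is 0" and returns

    # Same port adjustment as the Perl: subtract the offset only when the
    # port number is above it (Cisco ISDN ports start at a large number).
    port = nas_port
    if port > client.framed_group_port_offset:
        port -= client.framed_group_port_offset

    o1, o2, o3, o4 = (int(x) for x in bases[group].split("."))
    o4 = o4 + port % max_ports
    o3 = (o3 + port // max_ports) % 256

    # The Perl builds the string without range-checking octet 4: a base
    # ending in .200 with max_ports 255 and a port above 55 yields an
    # octet over 255. Here that is caught and reported as "no address".
    candidate = f"{o1}.{o2}.{o3}.{o4}"
    try:
        ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return None
    return candidate


def apply_framed_group(reply: Dict[str, str], client: ClientConfig,
                       group: int, nas_port: int) -> Dict[str, str]:
    """Update a reply's attribute dict the way the patched function changes
    the reply packet. When nothing can be allocated the reply is left alone,
    so a sentinel from upstream would still reach the NAS."""
    addr = allocate_framed_ip(client, group, nas_port,
                              reply.get("Framed-IP-Address"))
    if addr is not None:
        reply["Framed-IP-Address"] = addr
    return reply


if __name__ == "__main__":
    # Constructed client mirroring the Portmaster <Client> in the thread,
    # with a small max-ports value so the octet-3 carry is visible.
    portmaster = ClientConfig(
        framed_group_base_address=["12.19.117.100", "12.19.117.150",
                                   "12.19.117.200"],
        framed_group_max_ports_per_class_c=50,
    )
    upstream = {"Framed-IP-Address": NAS_SHOULD_ALLOCATE, "Idle-Timeout": "1800"}
    print(apply_framed_group(upstream, portmaster, group=2, nas_port=7))
```

The point worth checking in your own deployment is the last branch of apply_framed_group: when the Framed-Group value has no FramedGroupBaseAddress, or the computed octet overflows, the patched Perl returns without touching the reply, so the upstream 255.255.255.254 is still forwarded to a NAS that cannot act on it. Watching the "no FramedGroupBaseAddress defined" warning in the Radiator log is the quickest way to spot that case.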