(RADIATOR) Private Attribute radius

Julio Cesar Pinto jc at ifxcorp.com
Mon Jan 3 09:40:55 CST 2005


Hi Hugh,

We're using MaxTNT with TAOS 11, and Radiator version 3.9.

The MaxTNT has the following kinds of compatibility attributes:
1. old-ascend
2. vendor-specific
3. 16-bit-vendor-specific

I used number 2.

Well, as you know, I used the code 4846 in the dictionary, but the output
in the NAS is the following:

RADIF: vendor 529 attr 287, len 19, 68 74 74 70 3a 2f 2f 32
RADIF: vendor 0 attr 135, len 4, c8 3e 03 03
RADIF: vendor 0 attr 136, len 4, c8 3e 03 03
RADIF: vendor 0 attr 242, len 24, 01 01 01 00 00 00 00 00
RADIF: vendor 0 attr 27, len 4, 00 00 0e 10
RADIF: vendor 529 attr 288, len 4, 00 00 00 50

As you see, the NAS received the attributes as 529.

I page you a debug log. I expect that this can help you.

*** Received from 216.241.0.70 port 7001 ....

Packet length = 128
01 15 00 80 c0 69 2e ab 27 82 0e 51 b6 65 ab 0e
9d 73 c1 cd 01 09 66 72 69 76 61 73 00 02 09 b6
43 87 4f 51 ce 33 04 06 d8 f1 00 46 20 12 54 4e
54 54 45 53 54 2e 69 66 78 6e 77 2e 63 6c 05 06
00 00 24 04 3d 06 00 00 00 00 06 06 00 00 00 02
07 06 00 00 00 01 18 02 1f 0a 32 33 37 34 32 35
38 33 1e 06 38 38 30 30 2c 0c 34 37 32 33 33 35
33 36 34 00 c5 06 00 00 79 e0 ff 06 00 00 ab e0
Code:       Access-Request
Identifier: 21
Authentic:  <192>i.<171>'<130><14>Q<182>e<171><14><157>s<193><205>
Attributes:
        User-Name = "frivas"
        User-Password = "<182>C<135>OQ<206>3"
        NAS-IP-Address = 216.241.0.70
        NAS-Identifier = "TNTTEST.ifxnw.cl"
        NAS-Port = 9220
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        State = ""
        Calling-Station-Id = "23742583"
        Called-Station-Id = "8800"
        Acct-Session-Id = "472335364"
        Ascend-Data-Rate = 31200
        Ascend-Xmit-Rate = 44000

Thu Dec 30 09:59:55 2004: DEBUG: Handling request with Handler
'NAS-IP-Address=216.241.0.70'
Thu Dec 30 09:59:55 2004: DEBUG: SDB1 Deleting session for frivas,
216.241.0.70, 9220
Thu Dec 30 09:59:55 2004: DEBUG: do query is: 'delete from RADONLINE
where NASIDENTIFIER='216.241.0.70' and NASPORT=09220':
Thu Dec 30 09:59:56 2004: DEBUG: Handling with AuthINTERNAL:
Thu Dec 30 09:59:56 2004: DEBUG: Access accepted for frivas
Thu Dec 30 09:59:56 2004: DEBUG: Packet dump:
*** Sending to 216.241.0.70 port 7001 ....

Packet length = 87
02 15 00 57 75 fd 2e 0a c8 34 2e 3d 40 23 85 39
2d 14 7a 8f 07 06 00 00 00 01 1a 1e 00 00 12 ee
01 1f 18 68 74 74 70 3a 2f 2f 61 74 6c 61 73 2e
69 66 78 6e 77 2e 63 6c 87 06 d8 f1 00 85 88 06
d8 f1 00 97 1b 06 00 00 0e 10 1a 0d 00 00 12 ee
01 20 07 00 00 00 50
Code:       Access-Accept
Identifier: 21
Authentic:  <192>i.<171>'<130><14>Q<182>e<171><14><157>s<193><205>
Attributes:
        Framed-Protocol = PPP
        Ascend-HTTP-Redirect-URL = "http://atlas.ifxnw.cl"
        Ascend-Client-Primary-DNS = 216.241.0.133
        Ascend-Client-Secondary-DNS = 216.241.0.151
        Session-Timeout = 3600
        Ascend-HTTP-Redirect-Port = 80

Regards,

JC.

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Friday, December 31, 2004 5:12 PM
To: Julio Cesar Pinto
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Private Attribute radius


Hello Julio -

Thanks very much for the information.

Could you please tell me exactly what NAS equipment you are using 
(hardware and software versions) and what version of vendor-specific 
attributes you are using? Better yet, could you please send me a trace 
5 debug showing the attribute dumps?

The reason I ask this is because the attribute definitions I sent you 
(see below) are in a special "Lucent" format (vendor 4846) rather than 
in the standard "Ascend" format (vendor 529).

thanks and regards

Hugh


On 1 Jan 2005, at 03:14, Julio Cesar Pinto wrote:

> Hi Hugh,
>
> At the moment we solved the problem; the solution was to modify in the
> NAS the compatibility with RADIUS in the external profile.
>
> By default the NAS has old-ascend; we changed it to vendor-specific and
> it works very well.
>
> Thanks a lot for your help,
>
> Greetings and Happy New Year,
>
> JC.
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Julio Cesar Pinto
> Sent: Wednesday, December 29, 2004 6:32 PM
> To: Hugh Irvine
> Cc: radiator at open.com.au
> Subject: RE: (RADIATOR) Private Attribute radius
>
> Hi Hugh,
>
> Very interesting, I see the correct attribute in the log trace 5.
>
> LOG.
>
> *** Sending to 216.241.0.70 port 7007 ....
>
> Packet length = 67
> 02 69 00 43 08 71 cf 80 7b 4d 4a da 00 7f c4 13
> 5f 49 9b d8 07 06 00 00 00 01 1a 1c 00 00 12 ee
> 01 1f 16 68 74 74 70 3a 2f 2f 32 31 36 2e 32 34
> 31 2e 31 2e 33 30 1a 0d 00 00 12 ee 01 20 07 00
> 00 00 50
> Code:       Access-Accept
> Identifier: 105
> Authentic:  <149><153><199><245>D<207>x<253><243>;N <30><132><211><22>
> Attributes:
>         Framed-Protocol = PPP
>         Ascend-HTTP-Redirect-URL = "http://216.241.1.30"
>         Ascend-HTTP-Redirect-Port = 80
>
> I'm going to discuss this with Lucent support; I will page you
> when we solve this problem.
>
> Thanks a lot,
>
> JC.
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, December 29, 2004 4:55 PM
> To: Julio Cesar Pinto
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Private Attribute radius
>
>
> Hello Julio -
>
> The attribute definitions as shown in the URL you sent me and in the
> definitions I sent to you _are_ vendor-specifics.
>
> If you look at a trace 4 debug from Radiator (or radpwtst) you should
> see the correct attribute name.
>
> You will need to check with your NAS vendor how to use the attributes
> with RADIUS.
>
> If you could send me a trace 5 debug from Radiator showing the
> attributes in the reply I will verify the encoding.
>
> regards
>
> Hugh
>
>
> On 30 Dec 2004, at 08:12, Julio Cesar Pinto wrote:
>
>> Hi Hugh,
>>
>> It doesn't work :(
>>
>> I did a radstock, and the packet shows me the following:
>>
>> Request (62) - 216.241.0.70:7007 -> 200.62.3.98:1812 (L124)
>>   User-Name             Len  6  "fgf*"
>>   User-Password         Len  8  "****|*"
>>   NAS-IP-Address        Len  6  216.241.0.70
>>   NAS-Identifier        Len 18  "TNTTEST.ifxnw.cl"
>>   NAS-Port              Len  6  9228
>>   NAS-Port-Type         Len  6  Async
>>   Service-Type          Len  6  Framed-User
>>   Framed-Protocol       Len  6  PPP
>>   State                 Len  2  ""
>>   Calling-Station-Id    Len 10  "25596126"
>>   Called-Station-Id     Len  6  "8800"
>>   Acct-Session-Id       Len 12  "472335283*"
>>   Calling-Station-Id    Len 10  "27582762"
>>   Called-Station-Id     Len  6  "8800"
>>   Ascend-Data-Svc       Len  6  Switched-Voice-Bearer
>> Acc-Ack (30) - 216.241.0.70:7006 <- 200.62.3.97:1813 (L67)
>>   Framed-Protocol       Len  6  PPP
>>   Vendor-Specific       Len 28  "*******http://216.241.1.30"
>>   Vendor-Specific       Len 13  "***** ****P"
>>
>> As you see, the fields are shown as Vendor-Specific. I'm using other
>> attributes like:
>>
>> ATTRIBUTE       Ascend-Client-Primary-DNS       135     ipaddr
>> ATTRIBUTE       Ascend-Client-Secondary-DNS     136     ipaddr
>> ATTRIBUTE       Ascend-Client-Assign-DNS        137     integer
>> ATTRIBUTE       Ascend-Data-Filter              242     abinary
>>
>> And these attributes are shown in the radstock with the same value as
>> the dictionary; keep in mind that the radstock uses the same dictionary
>> that I use in the Radiator process.
>>
>> I know that this feature is working OK, because we implemented a local
>> user in the NAS with the redirection parameter and it works very well.
>>
>> I appreciate your comments in the matter.
>>
>> Thanks a lot,
>>
>> JC.
>>
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Tuesday, December 28, 2004 5:40 PM
>> To: Julio Cesar Pinto
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) Private Attribute radius
>>
>>
>> Hello Julio -
>>
>> Thanks for the URL.
>>
>> You should be able to add the following to the standard Radiator 3.11
>> dictionary:
>>
>> VENDORATTR      4846     Ascend-Http-Redirect-URL        287     string
>> VENDORATTR      4846     Ascend-Http-Redirect-Port       288     integer
>>
>> Please let me know whether or not they work correctly.
>>
>> I will then consider what to do about adding them to the standard
>> dictionary.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 29 Dec 2004, at 01:01, Julio Cesar Pinto wrote:
>>
>>> Hi Hugh,
>>>
>>> I found the attributes in the following page
>>>
>>> http://www.lucentradius.com/dcforum/User_files/3dd2be19328291e9.txt
>>>
>>> You can see that this page manages the information about Navis
>>> Soft.
>>>
>>> So, according to this information, the official definitions are:
>>>
>>> ATTRIBUTE       Ascend-Http-Redirect-URL        287     string   Lucent
>>> ATTRIBUTE       Ascend-Http-Redirect-Port       288     integer  Lucent
>>>
>>> Let me know your comments,
>>>
>>> Thanks,
>>>
>>> JC.
>>>
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>> Sent: Monday, December 27, 2004 6:09 PM
>>> To: Julio Cesar Pinto
>>> Cc: radiator at open.com.au
>>> Subject: Re: (RADIATOR) Private Attribute radius
>>>
>>>
>>> Hello Julio -
>>>
>>> What are the "official" definitions for these attributes?
>>>
>>> Normally the definitions would look like this, but from the code I
>>> think there is the same restriction of less than 255 for these
>>> attributes too (see "Radius/Radius.pm->sub pack()") so I don't think
>>> they will work.
>>>
>>>
>>> VENDORATTR      529     Ascend-HTTP-Redirect-URL        287     string
>>> VENDORATTR      529     Ascend-HTTP-Redirect-Port       288     integer
>>>
>>>
>>> Please let me know what you discover for the "official" attributes.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 28 Dec 2004, at 08:40, Julio Cesar Pinto wrote:
>>>
>>>> Hugh,
>>>>
>>>> I appreciate your help in this doubt, thanks a lot.
>>>>
>>>> Working in a new project we need to use the following attributes:
>>>> Ascend-HTTP-Redirect-URL
>>>> Ascend-HTTP-Redirect-Port
>>>>
>>>> These attributes don't exist in the Radiator dictionary, so I added
>>>> them by hand in the following way:
>>>>
>>>> ATTRIBUTE       Ascend-HTTP-Redirect-URL        287     string
>>>> ATTRIBUTE       Ascend-HTTP-Redirect-Port       288     integer
>>>>
>>>> Anyway I received the following message in the logs:
>>>>
>>>> Mon Dec 27 16:33:46 2004: WARNING: Invalid reply item
>>>> Ascend-HTTP-Redirect-URL ignored
>>>> Mon Dec 27 16:33:46 2004: WARNING: Invalid reply item
>>>> Ascend-HTTP-Redirect-Port ignored
>>>>
>>>> What is the correct way to add these attributes into the 529 vendor?
>>>>
>>>> Let me know your comments,
>>>>
>>>> Thanks in advance,
>>>>
>>>> JC.
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>>> Sent: Wednesday, December 22, 2004 10:29 PM
>>>> To: Julio Cesar Pinto
>>>> Cc: radiator at open.com.au
>>>> Subject: Re: (RADIATOR) Private Attribute radius
>>>>
>>>>
>>>> Hello Julio -
>>>>
>>>> Radius attributes are encoded into an 8 bit field - hence are limited
>>>> to 255 and below.
>>>>
>>>> We provide the OSC-AVPAIR attribute that can be used in any way you
>>>> wish.
>>>>
>>>> 	AddToReply OSC-AVPAIR = "Test=123, Conn-Stat=active, Visp-Id=whatever, ....."
>>>>
>>>> If you want to define your own "official" attributes you should apply
>>>> for your own vendor number from IANA.
>>>>
>>>> 	http://www.iana.org/cgi-bin/enterprise.pl
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 23 Dec 2004, at 11:30, Julio Cesar Pinto wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I would like to know if it is possible to include in my dictionary a
>>>>> private attribute. Something like that:
>>>>>
>>>>> ATTRIBUTE       Test                689             integer
>>>>> ATTRIBUTE       Conn-Stat           690             integer
>>>>> ATTRIBUTE       Visp-Id             691             string
>>>>> ATTRIBUTE       Country-Id          692             string
>>>>>
>>>>> I know that I can :) the machine is my slave, but the idea is for
>>>>> these attributes to be recognized by Radiator, because at the moment I
>>>>> receive the following error:
>>>>>
>>>>> Wed Dec 22 18:28:33 2004: WARNING: Invalid reply item Visp-Id ignored
>>>>> Wed Dec 22 18:28:33 2004: WARNING: Invalid reply item Country-Id ignored
>>>>>
>>>>> When the packet passes through AuthBy RADIUS
>>>>>
>>>>> I appreciate any comments.
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> JC.
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive
>>>> (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>
>>>>
>>>
>>
>


More information about the radiator mailing list
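
Added example (not part of the original messages, and not Radiator code): a Python decoder for the Access-Accept hex dump in the newest message of this thread. It reads the two Vendor-Specific attributes with either a one-byte or a two-byte vendor type and checks every length; the function names are made up for this example, and the two-byte layout is read off the dump's own bytes.

```python
import struct

# Access-Accept bytes copied from the trace 5 dump at the top of this thread.
ACCEPT_HEX = """
02 15 00 57 75 fd 2e 0a c8 34 2e 3d 40 23 85 39
2d 14 7a 8f 07 06 00 00 00 01 1a 1e 00 00 12 ee
01 1f 18 68 74 74 70 3a 2f 2f 61 74 6c 61 73 2e
69 66 78 6e 77 2e 63 6c 87 06 d8 f1 00 85 88 06
d8 f1 00 97 1b 06 00 00 0e 10 1a 0d 00 00 12 ee
01 20 07 00 00 00 50
"""

def parse_attributes(packet):
    """Return [(type, value)], rejecting any length that does not fit."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("attribute overruns packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value, type_bytes):
    """Split a Vendor-Specific (26) value into (vendor_id, [(vtype, data)]).
    type_bytes=1 is a one-byte vendor type; type_bytes=2 is the two-byte
    vendor type visible in this dump. The length is one byte in both."""
    hdr = type_bytes + 1
    if len(value) < 4 + hdr:
        raise ValueError("vendor-specific value too short")
    vendor, subs, pos = struct.unpack("!I", value[:4])[0], [], 4
    while pos < len(value):
        if pos + hdr > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype = int.from_bytes(value[pos:pos + type_bytes], "big")
        vlen = value[pos + type_bytes]
        if vlen < hdr or pos + vlen > len(value):
            raise ValueError("vendor attribute length does not fit")
        subs.append((vtype, value[pos + hdr:pos + vlen]))
        pos += vlen
    return vendor, subs

def decode_accept(type_bytes):
    packet = bytes.fromhex("".join(ACCEPT_HEX.split()))
    return [parse_vsa(v, type_bytes) for t, v in parse_attributes(packet) if t == 26]
```

decode_accept(2) yields vendor 4846 with vendor types 287 and 288, matching the attribute names in the trace. decode_accept(1) raises ValueError, because the low byte of the type (0x1f, 0x20) is then taken as a length larger than the attribute that contains it.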