(RADIATOR) Feature request

Toomas Kärner tomkar at estpak.ee
Wed Feb 8 04:14:03 CST 2006


Hi Hugh,

Some time ago I described a feature that would enable inserting
attributes from "profiles" etc. only if there is none yet in the
reply. The solution was the one below.
Now I have figured out a better way of doing it. It enables more than two
AuthBys in a chain, and every time you can choose which attribute
will be put into the final reply (the one that was there or the new one
from the database). It's pretty easy, but I figured it out just now and I
wanted to share.

Example:
The one in the reply is primary and should remain and NOT be replaced
with attribute from profile:
AuthSelect      select \
                if(strcmp('%{Reply:ERX-Ingress-Policy-Name}',''),null,in_policy), \
                if(strcmp('%{Reply:ERX-Egress-Policy-Name}',''),null,out_policy), \
                if(strcmp('%{Reply:ERX-QoS-Profile-Name}',''),null,qos_profile), \
                if(strcmp(static_ip_permit,'Yes'),null,'%{Framed-IP-Address}'), \
                if(strcmp('%{Reply:Session-Timeout}',''),null,timeout), \
                if(strcmp('%{Reply:Idle-Timeout}',''),null,idle_timeout) \
                from profiles \
                where PID = '%{ETC-Profile-Id}'
#ETC-Profile-Id is bogus attribute from user authentication that
#identifies desired service
        AuthColumnDef   0,      ERX-Ingress-Policy-Name, reply
        AuthColumnDef   1,      ERX-Egress-Policy-Name, reply
        AuthColumnDef   2,      ERX-QoS-Profile-Name, reply
        AuthColumnDef   3,      Framed-IP-Address, reply
        AuthColumnDef   4,      Session-Timeout, reply
        AuthColumnDef   5,      Idle-Timeout, reply


> Yes, of course. Now I remember that I actually use it sort of like this in
> one of my wifi radius implementations.
> Thanks anyway. Your example is exactly what I had in mind.

> ----- Original Message ----- 
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Toomas Kärner" <tomkar at estpak.ee>
> Cc: <radiator at open.com.au>
> Sent: Thursday, December 08, 2005 12:46 AM
> Subject: Re: (RADIATOR) Feature request



> Hello Toomas -

> My suggestion was in response to your initial question which I
> thought was based on AddToReply.

> An alternative approach for AuthColumnDef's could be this:


> <AuthBy SQL>
> ......
> AuthColumnDef 0, Session-Timeout, request
> </AuthBy>

> <AuthBy ...>
> .......
> AuthColumnDef 0, Session-Timeout, reply
> AddToReplyIfNotExist Session-Timeout = %{Session-Timeout}
> </AuthBy>


> hope that helps

> regards

> Hugh




> On 7 Dec 2005, at 19:03, Toomas Kärner wrote:

>> That's fine but that's not the case.
>> Consider that kind of configuration:
>>
>> <AuthBy sql>
>> ......
>> AuthColumnDef 0 Session-Timeout
>> </AuthBy>
>>
>> <AuthBy ...>
>> .......
>> AuthColumnDef 0 Session-Timeout
>> </AuthBy>
>> If I had stripfromreply then the first setting of session-timeout is
>> pointless.
>>
>> Rgds.
>> Toomas
>>
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Toomas Kärner" <tomkar at estpak.ee>
>> Cc: <radiator at open.com.au>
>> Sent: Wednesday, December 07, 2005 12:28 AM
>> Subject: Re: (RADIATOR) Feature request
>>
>>
>>>
>>> Hello Toomas -
>>>
>>> This is why StripFromReply happens before AddToReply.
>>>
>>>
>>> <AuthBy ...>
>>> ......
>>> AddToReply Session-Timeout = 900
>>> </AuthBy>
>>>
>>> <AuthBy ...>
>>> .....
>>> StripFromReply Session-Timeout
>>> AddToReply Session-Timeout = 1800
>>> </AuthBy>
>>>
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 7 Dec 2005, at 00:18, Toomas Kärner wrote:
>>>
>>>> Hi,
>>>>
>>>> I got an idea for a small feature. There could be a keyword defined in
>>>> AuthGeneric.pm that causes different AuthBy clauses to overwrite the same
>>>> parameter if it already exists in the reply instead of adding it.
>>>> Example:
>>>> AuthBy1
>>>>     Inserts Session-Timeout 900 into reply
>>>> AuthBy2
>>>>     Inserts Session-Timeout 1800 into reply.
>>>> Right now the reply will end up with the same parameter twice in it:
>>>> Session-Timeout 900
>>>> Session-Timeout 1800
>>>> and that makes no sense in some cases.
>>>> But if that new keyword (OverwriteAttributesThatExist for example) is set
>>>> then it would cause Radiator to "change_attr if exists" instead of just
>>>> "add_attr" and the end result would just be:
>>>> Session-Timeout 1800.
>>>>
>>>> What do you think? I could probably code it myself but then I wouldn't have
>>>> standard code anymore.
>>>> Rgds.
>>>> Toomas
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>





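
Added example (not part of the original thread and not Radiator code): a Python/SQLite model of the AuthSelect technique from the top message, where a profile column is returned only when the reply does not already carry that attribute. Assumptions: the table contents, the profile id 'gold', the function names, the CASE expression standing in for MySQL's if(strcmp(...)), and that a NULL column adds no attribute to the reply.

```python
import sqlite3

# Constructed sample data: one service profile, like the thread's "profiles" table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (PID TEXT PRIMARY KEY, qos_profile TEXT,"
               " timeout INTEGER, idle_timeout INTEGER)")
    db.execute("INSERT INTO profiles VALUES ('gold', 'qos-gold', 1800, 300)")
    return db

# (column index, reply attribute), mirroring the AuthColumnDef lines.
COLUMN_DEFS = [(0, "ERX-QoS-Profile-Name"), (1, "Session-Timeout"), (2, "Idle-Timeout")]

# SQLite has no IF()/STRCMP(); CASE WHEN ? <> '' performs the same test:
# a non-empty current reply value yields NULL, otherwise the profile column.
# Values are bound as parameters here rather than substituted into the SQL text.
QUERY = """SELECT
    CASE WHEN ? <> '' THEN NULL ELSE qos_profile END,
    CASE WHEN ? <> '' THEN NULL ELSE timeout END,
    CASE WHEN ? <> '' THEN NULL ELSE idle_timeout END
  FROM profiles WHERE PID = ?"""

def apply_profile(db, reply, profile_id):
    """Fill reply (list of (name, value)) from the profile without overriding."""
    current = dict(reply)
    # Stand-in for %{Reply:attr}: the current value, or '' when absent.
    params = [str(current.get(name, "")) for _, name in COLUMN_DEFS]
    row = db.execute(QUERY, params + [profile_id]).fetchone()
    merged = list(reply)
    if row is None:                   # unknown profile: leave the reply untouched
        return merged
    for index, name in COLUMN_DEFS:
        if row[index] is not None:    # assumed: a NULL column adds nothing
            merged.append((name, row[index]))
    return merged

def duplicates(reply):
    """Attribute names that occur more than once in a reply."""
    names = [name for name, _ in reply]
    return sorted({n for n in names if names.count(n) > 1})

if __name__ == "__main__":
    first_authby = [("Session-Timeout", 900)]   # set by an earlier AuthBy
    merged = apply_profile(make_db(), first_authby, "gold")
    print(merged, "duplicates:", duplicates(merged))
```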

