(RADIATOR) Feature request

Hugh Irvine hugh at open.com.au
Wed Feb 8 14:20:48 CST 2006


Hello Toomas -

Many thanks for sharing this.

regards

Hugh


On 8 Feb 2006, at 21:14, Toomas Kärner wrote:

> Hi Hugh,
>
> Some time ago I described a feature that would enable to insert
> attributes from "profiles" etc. only if there is none yet in the
> reply. Solution was the one below.
> Now I have figured out a better way of doing it. It enables more than two
> authbys in chain and every time you can choose which attribute
> will be put into the final reply (the one that was there or new one
> from database). It's pretty easy but I figured it out just now and I
> wanted to share.
>
> Example:
> The one in the reply is primary and should remain and NOT be replaced
> with attribute from profile:
> AuthSelect      select \
>                 if(strcmp('%{Reply:ERX-Ingress-Policy-Name}',''),null,in_policy), \
>                 if(strcmp('%{Reply:ERX-Egress-Policy-Name}',''),null,out_policy), \
>                 if(strcmp('%{Reply:ERX-QoS-Profile-Name}',''),null,qos_profile), \
>                 if(strcmp(static_ip_permit,'Yes'),null,'%{Framed-IP-Address}'), \
>                 if(strcmp('%{Reply:Session-Timeout}',''),null,timeout), \
>                 if(strcmp('%{Reply:Idle-Timeout}',''),null,idle_timeout) \
>                 from profiles \
>                 where PID = '%{ETC-Profile-Id}'
> #ETC-Profile-Id is bogus attribute from user authentication that
> #identifies desired service
>         AuthColumnDef   0,      ERX-Ingress-Policy-Name, reply
>         AuthColumnDef   1,      ERX-Egress-Policy-Name, reply
>         AuthColumnDef   2,      ERX-QoS-Profile-Name, reply
>         AuthColumnDef   3,      Framed-IP-Address, reply
>         AuthColumnDef   4,      Session-Timeout, reply
>         AuthColumnDef   5,      Idle-Timeout, reply
>
>
>> Yes, of course. Now I remember that I actually use it sort of like this in
>> one of my wifi radius implementations.
>> Thanks anyway. Your example is exactly what I had in mind.
>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Toomas Kärner" <tomkar at estpak.ee>
>> Cc: <radiator at open.com.au>
>> Sent: Thursday, December 08, 2005 12:46 AM
>> Subject: Re: (RADIATOR) Feature request
>
>
>
>> Hello Toomas -
>
>> My suggestion was in response to your initial question which I
>> thought was based on AddToReply.
>
>> An alternative approach for AuthColumnDef's could be this:
>
>
>> <AuthBy SQL>
>> ......
>> AuthColumnDef 0, Session-Timeout, request
>> </AuthBy>
>
>> <AuthBy ...>
>> .......
>> AuthColumnDef 0, Session-Timeout, reply
>> AddToReplyIfNotExist Session-Timeout = %{Session-Timeout}
>> </AuthBy>
>
>
>> hope that helps
>
>> regards
>
>> Hugh
>
>
>
>
>> On 7 Dec 2005, at 19:03, Toomas Kärner wrote:
>
>>> That's fine but that's not the case.
>>> Consider that kind of configuration:
>>>
>>> <AuthBy sql>
>>> ......
>>> AuthColumnDef 0 Session-Timeout
>>> </AuthBy>
>>>
>>> <AuthBy ...>
>>> .......
>>> AuthColumnDef 0 Session-Timeout
>>> </AuthBy>
>>> If I had stripfromreply then the first setting of session-timeout is
>>> pointless.
>>>
>>> Rgds.
>>> Toomas
>>>
>>>
>>> ----- Original Message -----
>>> From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Toomas Kärner" <tomkar at estpak.ee>
>>> Cc: <radiator at open.com.au>
>>> Sent: Wednesday, December 07, 2005 12:28 AM
>>> Subject: Re: (RADIATOR) Feature request
>>>
>>>
>>>>
>>>> Hello Toomas -
>>>>
>>>> This is why StripFromReply happens before AddToReply.
>>>>
>>>>
>>>> <AuthBy ...>
>>>> ......
>>>> AddToReply Session-Timeout = 900
>>>> </AuthBy>
>>>>
>>>> <AuthBy ...>
>>>> .....
>>>> StripFromReply Session-Timeout
>>>> AddToReply Session-Timeout = 1800
>>>> </AuthBy>
>>>>
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 7 Dec 2005, at 00:18, Toomas Kärner wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I got an idea for a small feature. There could be a keyword defined in
>>>>> AuthGeneric.pm that causes different AuthBy clauses to overwrite the same
>>>>> parameter if it already exists in the reply instead of adding it.
>>>>> Example:
>>>>> AuthBy1
>>>>>     Inserts Session-Timeout 900 into reply
>>>>> AuthBy2
>>>>>     Inserts Session-Timeout 1800 into reply.
>>>>> Right now the reply will end up with the same parameter twice in it:
>>>>> Session-Timeout 900
>>>>> Session-Timeout 1800
>>>>> and that makes no sense in some cases.
>>>>> But if that new keyword (OverwriteAttributesThatExist for example) is set
>>>>> then it would cause radiator to "change_attr if exists" instead of just
>>>>> "add_attr" and the end result would just be:
>>>>> Session-Timeout 1800.
>>>>>
>>>>> What do you think? I could probably code it myself but then I wouldn't have
>>>>> standard code anymore.
>>>>> Rgds.
>>>>> Toomas
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>




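Added example (not part of the original thread and not Radiator's own code): a small Python model of the reply-merge behaviours the posts above describe, run over the thread's Session-Timeout 900/1800 case, with a check for attributes that end up duplicated in the final reply. The function names are hypothetical, and the treatment of NULL columns (they add nothing to the reply) is an assumption taken from how the AuthSelect approach is described.

```python
# Added illustration: a toy model of the merge policies in this thread.
# It is not Radiator code; it only mirrors the behaviour the posts describe.
from collections import Counter

def add_to_reply(reply, attr, value):
    # AddToReply: always appends, so a second AuthBy yields a duplicate.
    reply.append((attr, value))

def strip_from_reply(reply, attr):
    # StripFromReply: removes every existing instance of attr.
    reply[:] = [(a, v) for a, v in reply if a != attr]

def add_to_reply_if_not_exist(reply, attr, value):
    # AddToReplyIfNotExist: keeps whatever an earlier AuthBy already set.
    if all(a != attr for a, _ in reply):
        reply.append((attr, value))

def sql_profile_merge(reply, profile):
    # Models if(strcmp('%{Reply:X}',''),null,col): the column is NULL when
    # the reply already has a non-empty X. Assumption: NULL adds nothing.
    present = {a for a, v in reply if str(v) != ""}
    for attr, value in profile.items():
        column = None if attr in present else value
        if column is not None:
            reply.append((attr, column))

def run_chain(policy, values, attr="Session-Timeout"):
    # Each value stands for one AuthBy in the chain setting attr in turn.
    reply = []
    for value in values:
        if policy == "append":
            add_to_reply(reply, attr, value)
        elif policy == "last_wins":
            strip_from_reply(reply, attr)
            add_to_reply(reply, attr, value)
        elif policy == "first_wins":
            add_to_reply_if_not_exist(reply, attr, value)
        else:
            raise ValueError(policy)
    return reply

def duplicated(reply):
    # Attributes that occur more than once in the final reply.
    counts = Counter(a for a, _ in reply)
    return sorted(a for a, n in counts.items() if n > 1)

if __name__ == "__main__":
    for policy in ("append", "last_wins", "first_wins"):
        final = run_chain(policy, [900, 1800])
        print(policy, final, "duplicates:", duplicated(final))
```
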