(RADIATOR) No Access-Reject but a different profile
Hugh Irvine
hugh at open.com.au
Wed Feb 15 00:32:56 CST 2006
Hello Toomas -
Many thanks for the feedback.
regards
Hugh
On 15 Feb 2006, at 17:26, Toomas Kärner wrote:
> Hi,
>
> Got my new system live yesterday. Works like a charm, load dropped and
> users get more information about what they have done wrong.
> Here are some graphs of the load and its drop. Unit is requests per
> sec.
> Earned myself a few pints on the weekend :).
> Rgds.
> Toomas
>
>
> Friday, December 9, 2005, 1:45:12 AM, you wrote:
>
>> Hello Toomas -
>
>> Thanks for another interesting mail.
>
>> Mike and I have discussed this also, and at the moment we are not
>> convinced that we want to extend the AuthColumnDef syntax.
>
>> We will keep thinking about it however.
>
>> regards
>
>> Hugh
>
>
>> On 8 Dec 2005, at 20:37, Toomas Kärner wrote:
>
>>> And another idea.
>>>
>>> It would be extra super if AuthColumnDef's format could be extended
>>> so that there would be an extra field at the end of it, like this:
>>> AuthColumnDef 0, My-attribute, check, "You have no plaplapla"
>>> And if that check fails then this would be given as the Reply-Message
>>> (if RejectHasReason and so on).
>>> In the case of a reply or request type of field, it could be used as
>>> the "default" value if SQL returns NULL for this field.
>>> For example:
>>> AuthColumnDef 0, Rate-Limit-Rate, reply, 256kbps
>>> Sounds nice, doesn't it?
>>>
>>> Rgds.
>>> Toomas
>>>
>>> ----- Original Message -----
>>> From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Toomas Kärner" <tomkar at estpak.ee>
>>> Cc: <radiator at open.com.au>
>>> Sent: Thursday, December 08, 2005 12:36 AM
>>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>>
>>>
>>>>
>>>> Hello Toomas -
>>>>
>>>> Yes you will need to add your message to the request packet in the
>>>> previous AuthBy.
>>>>
>>>> Note that you can use any name you wish for this "pseudo-attribute".
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 7 Dec 2005, at 21:12, Toomas Kärner wrote:
>>>>
>>>>> I'm getting somewhere but I'm a little stuck (I know a workaround
>>>>> already but I don't like it because it involves a hook).
>>>>> Config of a special AuthBy that will find a special profile for your
>>>>> user if it got denied:
>>>>> <AuthBy SQL>
>>>>>     Identifier AuthAccept
>>>>>     DBSource dbi:mysql:
>>>>>     DBUsername
>>>>>     DBAuth
>>>>>     AuthSelect select in_policy,out_policy,qos_profile,timeout,idle_timeout \
>>>>>         from denyprofiles \
>>>>>         where MESSAGE = '%{Reply:Reply-Message}'
>>>>>     AuthColumnDef 0, ERX-Ingress-Policy-Name, reply
>>>>>     AuthColumnDef 1, ERX-Egress-Policy-Name, reply
>>>>>     AuthColumnDef 2, ERX-QoS-Profile-Name, reply
>>>>>     AuthColumnDef 3, Session-Timeout, reply
>>>>>     AuthColumnDef 4, Idle-Timeout, reply
>>>>>     AcceptIfMissing
>>>>>     NoDefault
>>>>> </AuthBy>
>>>>> It "should" work but in the log I see:
>>>>> Wed Dec 7 09:57:58 2005: DEBUG: AuthBy SQL result: REJECT, Bad Password
>>>>> (result from earlier AuthBy's)
>>>>> Wed Dec 7 09:57:58 2005: DEBUG: Handling with Radius::AuthSQL
>>>>> Wed Dec 7 09:57:58 2005: DEBUG: Handling with Radius::AuthSQL: AuthAccept
>>>>> Wed Dec 7 09:57:58 2005: DEBUG: Query is: 'select in_policy,out_policy,qos_profile,timeout,idle_timeout from denyprofiles where MESSAGE = ''':
>>>>>
>>>>> The message contains an empty string for some reason...
>>>>> It's probably because auth_result_message gets inserted into the reply
>>>>> (as a Reply-Message) at a very late stage of processing.
>>>>> A workaround could be to fetch it and put it into the request before
>>>>> executing AuthSelect, and then do the AuthSelect with the Reply-Message
>>>>> from the request.
>>>>>
>>>>> Let me know what you think.
>>>>>
>>>>> Rgds.
>>>>> Toomas
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Toomas Kärner" <tomkar at estpak.ee>
>>>>> To: "Hugh Irvine" <hugh at open.com.au>
>>>>> Cc: <radiator at open.com.au>
>>>>> Sent: Tuesday, December 06, 2005 2:37 PM
>>>>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>>>>
>>>>>
>>>>>> Hi Hugh,
>>>>>>
>>>>>> I had such "magic" in the PostAuthHook but I'd like to get rid of it
>>>>>> there and do it more with config :). Sounds weird? haa ... you haven't
>>>>>> seen my implementation ways of radiator :D I have some ideas already.
>>>>>> I'll see how they work out and let you know.
>>>>>>
>>>>>> Rgds.
>>>>>> Toomas
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Hugh Irvine" <hugh at open.com.au>
>>>>>> To: "Toomas Kärner" <tomkar at estpak.ee>
>>>>>> Cc: <radiator at open.com.au>
>>>>>> Sent: Tuesday, December 06, 2005 12:28 AM
>>>>>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Hello Toomas -
>>>>>>>
>>>>>>> This is very simple to do with a PostAuthHook.
>>>>>>>
>>>>>>> Here is an example I wrote for another customer which should give
>>>>>>> you the idea:
>>>>>>>
>>>>>>>
>>>>>>> # postauth.pl
>>>>>>> # Hugh Irvine, 20051129
>>>>>>>
>>>>>>> sub
>>>>>>> {
>>>>>>>     my $p = ${$_[0]};        # the request packet
>>>>>>>     my $rp = ${$_[1]};       # the reply packet
>>>>>>>     my $handled = $_[2];     # reference to the result code
>>>>>>>     my $reason = $_[3];      # reference to the reason string
>>>>>>>
>>>>>>>     return unless ${$handled} == $main::REJECT
>>>>>>>         || ${$handled} == $main::REJECT_IMMEDIATE;
>>>>>>>
>>>>>>>     return unless ${$reason} =~ 'Simultaneous-Use'
>>>>>>>         || ${$reason} =~ 'Check item';
>>>>>>>
>>>>>>>     # Set the Identifier
>>>>>>>     my $identifier = 'AllocateIPAddress';
>>>>>>>     &main::log($main::LOG_DEBUG, "Using Identifier $identifier");
>>>>>>>
>>>>>>>     # Find the AuthBy clause with the same Identifier
>>>>>>>     my $authby = Radius::AuthGeneric::find($identifier);
>>>>>>>
>>>>>>>     if (defined $authby)
>>>>>>>     {
>>>>>>>         &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");
>>>>>>>
>>>>>>>         # add the PoolHint to the reply
>>>>>>>         $rp->add_attr('Framed-Pool', 'RESTRICTED');
>>>>>>>
>>>>>>>         # Call handle_request for this AuthBy DYNADDRESS
>>>>>>>         my $rc = $authby->handle_request($p, $rp);
>>>>>>>
>>>>>>>         if ($rc == $main::ACCEPT)
>>>>>>>         {
>>>>>>>             &main::log($main::LOG_DEBUG, "Allocate IP address succeeded");
>>>>>>>             $$handled = $main::ACCEPT;
>>>>>>>             $$reason = 'Conditional ACCEPT';
>>>>>>>         }
>>>>>>>     }
>>>>>>>     else
>>>>>>>     {
>>>>>>>         &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier found for address allocation");
>>>>>>>     }
>>>>>>>     return;
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> This code checks the result of the previous AuthBy(s) and the reject
>>>>>>> reason and in certain circumstances allocates an IP address from the
>>>>>>> RESTRICTED pool and returns an Access-Accept. You can add additional
>>>>>>> reply attributes as required, and of course you don't need to do the
>>>>>>> address allocation if your address pools are defined on your NAS
>>>>>>> equipment.
>>>>>>>
>>>>>>> Please let me know how you get on.
>>>>>>>
>>>>>>> hope that helps
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>>
>>>>>>> On 5 Dec 2005, at 20:30, Toomas Kärner wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm gathering my thoughts on a solution that would give a specific
>>>>>>>> set of parameters to a user upon a "failed" login rather than an
>>>>>>>> Access-Reject.
>>>>>>>> These profiles should also be different depending on the cause of
>>>>>>>> "failure", and in some cases it still should give Access-Reject.
>>>>>>>> It's part of my plan to get HD call levels lower - if these
>>>>>>>> profiles direct the subscriber to an "educational" web page for the
>>>>>>>> specific error that he/she encountered, then there would be no
>>>>>>>> reason to call. Also it would reduce the load on the radius servers,
>>>>>>>> since a logged-in router causes no load but a
>>>>>>>> once-in-a-second-trying router causes load. If it would get in I
>>>>>>>> would get rid of that extra load.
>>>>>>>> I have several (better and worse) ways of doing it but I'd like to
>>>>>>>> get some other opinions.
>>>>>>>> Let me know how YOU would do this. It would probably benefit us all.
>>>>>>>>
>>>>>>>> Rgds.
>>>>>>>> Toomas
>>>>>>>>
>>>>>>>> --
>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>
>>>>>>>
>>>>>>> NB:
>>>>>>>
>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>
>>>>>>> --
>>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>>> -
>>>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>>>> flexible with hardware, software, platform and database independence.
>>>>>>> -
>>>>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>>>>
>>>>>>>
>
> <mini-graph_week.png>
> <mini-graph_24h.png>
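The thread above asks for "a different profile instead of an Access-Reject, depending on the cause, with some causes still rejected", and Toomas's AuthBy SQL attempt ran into the Reply-Message not being in the reply yet when AuthSelect runs. The following PostAuthHook is an added example for this archive page; it is not code from the thread, from Hugh, or from the Radiator goodies. It works from the reject reason string the hook is handed (the `$reason` reference, as in Hugh's postauth.pl), so it does not depend on Reply-Message at all. Assumptions: the ERX-* attributes are in the dictionary, as they are in Toomas's config; `change_attr` and `get_attr` are the standard Radiator packet methods; the reason patterns, policy names and timeout values are constructed placeholders to be replaced with your own.

```perl
# postauth_denyprofiles.pl (added example, not from the thread)
# Radiator PostAuthHook: turn selected REJECTs into an ACCEPT that
# carries a restricted "educational" profile, and leave every other
# reject reason as a real Access-Reject.
use strict;
use warnings;

sub
{
    my $p       = ${$_[0]};   # the Access-Request
    my $rp      = ${$_[1]};   # the reply being built
    my $handled = $_[2];      # reference to the result code
    my $reason  = $_[3];      # reference to the reason string

    # Only look at rejects coming from the earlier AuthBy(s).
    return unless $$handled == $main::REJECT
               || $$handled == $main::REJECT_IMMEDIATE;

    # Ordered table: regex on the reject reason => reply attributes.
    # A reason that matches nothing here stays rejected, which covers the
    # "in some cases it still should give Access-Reject" requirement.
    # Policy names and timeouts below are placeholders (constructed).
    my @deny_profiles = (
        [ qr/Bad Password/i, {
            'ERX-Ingress-Policy-Name' => 'deny-badpw-in',
            'ERX-Egress-Policy-Name'  => 'deny-badpw-out',
            'ERX-QoS-Profile-Name'    => 'deny-qos',
            'Session-Timeout'         => 600,
            'Idle-Timeout'            => 120,
        } ],
        [ qr/Simultaneous-Use/i, {
            'ERX-Ingress-Policy-Name' => 'deny-simuse-in',
            'ERX-Egress-Policy-Name'  => 'deny-simuse-out',
            'Session-Timeout'         => 300,
        } ],
    );

    my $user = $p->get_attr('User-Name') || '';

    foreach my $entry (@deny_profiles)
    {
        my ($pattern, $attrs) = @$entry;
        next unless $$reason =~ $pattern;

        &main::log($main::LOG_DEBUG,
                   "Deny profile for user '$user', reason '$$reason'");

        # change_attr replaces an attribute an earlier AuthBy may already
        # have put in the reply, and adds it when it is absent.
        foreach my $name (sort keys %$attrs)
        {
            $rp->change_attr($name, $attrs->{$name});
        }

        # Flip the result: Radiator now sends an Access-Accept carrying
        # the restricted profile instead of an Access-Reject.
        $$handled = $main::ACCEPT;
        $$reason  = "Conditional ACCEPT ($$reason)";
        return;
    }

    &main::log($main::LOG_DEBUG,
               "No deny profile for user '$user', reason '$$reason'; "
               . "REJECT stands");
    return;
}
```

Load it from the Handler with `PostAuthHook file:"%D/postauth_denyprofiles.pl"`. Because the decision is keyed on `$$reason` rather than on the Reply-Message attribute, the empty `MESSAGE = ''` query seen in Toomas's trace cannot happen here; the price is that the reason-to-profile table lives in the hook rather than in SQL, which is exactly the trade-off the thread is debating.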