(RADIATOR) No Access-Reject but a different profile

Toomas Kärner tomkar at estpak.ee
Wed Feb 15 00:26:21 CST 2006


Hi,

Got my new system live yesterday. Works like a charm, load dropped and
users get more information what they have done wrong.
Here are some graphs of the load and its drop. Unit is request per
sec.
Earned myself few pints on the weekend :).
Rgds.
Toomas


Friday, December 9, 2005, 1:45:12 AM, you wrote:

> Hello Toomas -

> Thanks for another interesting mail.

> Mike and I have discussed this also, and at the moment we are not  
> convinced that we want to extend the AuthColumnDef syntax.

> We will keep thinking about it however.

> regards

> Hugh


> On 8 Dec 2005, at 20:37, Toomas Kärner wrote:

>> And another idea.
>>
>> It would be extra super if AuthColumnDef's format could be extended  
>> so that
>> there would be extra fielt in the end of it like this:
>>         AuthColumnDef   0,      My-attribute, check, "You have no  
>> plaplapla"
>> And if that check fails then this would be given as Reply-Message (if
>> RejectHasReason and so on).
>> In case of reply or request type of field, it could be used as  
>> "default"
>> value if SQL returns NULL for this field.
>> For example:
>>         AuthColumnDef   0,      Rate-Limit-Rate, reply, 256kbps
>> Sound nice, doesn't it ?
>>
>> Rgds.
>> Toomas
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Toomas Kärner" <tomkar at estpak.ee>
>> Cc: <radiator at open.com.au>
>> Sent: Thursday, December 08, 2005 12:36 AM
>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>
>>
>>>
>>> Hello Toomas -
>>>
>>> Yes you will need to add your message to the request packet in the
>>> previous AuthBy.
>>>
>>> Note that you can use any name you wish for this "pseudo-attribute".
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 7 Dec 2005, at 21:12, Toomas Kärner wrote:
>>>
>>>> I'm getting somewhere but I'm little stuck (I know a workaround
>>>> already bu I
>>>> dont like it because it involves hook).
>>>> Config of a special AuthBy that will find special profile to your
>>>> user if it
>>>> got denied
>>>> <AuthBy SQL>
>>>>         Identifier      AuthAccept
>>>>         DBSource        dbi:mysql:
>>>>         DBUsername
>>>>         DBAuth
>>>>         AuthSelect      select
>>>> in_policy,out_policy,qos_profile,timeout,idle_timeout, \
>>>>                         from denyprofiles \
>>>>                         where MESSAGE = '%{Reply:Reply-Message}'
>>>>         AuthColumnDef   0,      ERX-Ingress-Policy-Name, reply
>>>>         AuthColumnDef   1,      ERX-Egress-Policy-Name, reply
>>>>         AuthColumnDef   2,      ERX-QoS-Profile-Name, reply
>>>>         AuthColumnDef   3,      Session-Timeout, reply
>>>>         AuthColumnDef   4,      Idle-Timeout, reply
>>>>         AcceptIfMissing
>>>>         NoDefault
>>>> </AuthBy>
>>>> It "should" work but in log I see:
>>>> Wed Dec  7 09:57:58 2005: DEBUG: AuthBy SQL result: REJECT, Bad
>>>> Password
>>>> (result from earlier AuthBy's)
>>>> Wed Dec  7 09:57:58 2005: DEBUG: Handling with Radius::AuthSQL
>>>> Wed Dec  7 09:57:58 2005: DEBUG: Handling with Radius::AuthSQL:
>>>> AuthAccept
>>>> Wed Dec  7 09:57:58 2005: DEBUG: Query is: 'select
>>>> in_policy,out_policy,qos_profile,timeout,idle_timeout from
>>>> denyprofiles
>>>> where MESSAGE = ''':
>>>>
>>>> Message contains emty string for some reason...
>>>> Its probably because auth_result_message gets inserted into reply
>>>> (as a
>>>> Reply-Message) in the very late stage of processing.
>>>> Workaround could be by fetching it and puting it into request before
>>>> executing AuthSelect and then doing AuthSelect with the Reply-
>>>> Message from
>>>> the request.
>>>>
>>>> Let me know what you think.
>>>>
>>>> Rgds.
>>>> Toomas
>>>>
>>>> ----- Original Message -----
>>>> From: "Toomas Kärner" <tomkar at estpak.ee>
>>>> To: "Hugh Irvine" <hugh at open.com.au>
>>>> Cc: <radiator at open.com.au>
>>>> Sent: Tuesday, December 06, 2005 2:37 PM
>>>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>>>
>>>>
>>>>> Hi Hugh,
>>>>>
>>>>> I had such a "magic" in the PostAuthHook but I'd like to rid of it
>>>>> there
>>>> and
>>>>> do it more with config :). Sound weird? haa ... you haven't seen my
>>>>> implementation ways of radiator :D I have some ideas already. I'll
>>>>> how
>>>> they
>>>>> work out and let you know.
>>>>>
>>>>> Rgds.
>>>>> Toomas
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Hugh Irvine" <hugh at open.com.au>
>>>>> To: "Toomas Kärner" <tomkar at estpak.ee>
>>>>> Cc: <radiator at open.com.au>
>>>>> Sent: Tuesday, December 06, 2005 12:28 AM
>>>>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>>>>
>>>>>
>>>>>>
>>>>>> Hello Toomas -
>>>>>>
>>>>>> This is very simple to do with a PostAuthHook.
>>>>>>
>>>>>> Here is an example I wrote for another customer which should give
>>>>>> you
>>>>>> the idea:
>>>>>>
>>>>>>
>>>>>> # postauth.pl
>>>>>> # Hugh Irvine, 20051129
>>>>>>
>>>>>> sub
>>>>>> {
>>>>>>      my $p = ${$_[0]};
>>>>>>      my $rp = ${$_[1]};
>>>>>>      my $handled = $_[2];
>>>>>>      my $reason = $_[3];
>>>>>>
>>>>>>      return unless ${$handled} == $main::REJECT || ${$handled} ==
>>>>>> $main::REJECT_IMMEDIATE;
>>>>>>
>>>>>>      return unless ${$reason} =~ 'Simultaneous-Use' || $ 
>>>>>> {$reason} =~
>>>>>> 'Check item';
>>>>>>
>>>>>>      # Set the Identifier
>>>>>>      my $identifier = 'AllocateIPAddress';
>>>>>>      &main::log($main::LOG_DEBUG, "Using Identifier $identifier");
>>>>>>
>>>>>>      # Find the AuthBy clause with the same Identifier
>>>>>>      my $authby = Radius::AuthGeneric::find($identifier);
>>>>>>
>>>>>>      if (defined $authby)
>>>>>>      {
>>>>>>          &main::log($main::LOG_DEBUG, "Found AuthBy with  
>>>>>> Identifier
>>>>>> $identifier");
>>>>>>
>>>>>>          # add the PoolHint to the reply
>>>>>>          $rp->add_attr('Framed-Pool', 'RESTRICTED');
>>>>>>
>>>>>>          # Call handle_request for this AuthBy DYNADDRESS
>>>>>>          my $rc = $authby->handle_request($p, $rp);
>>>>>>
>>>>>>          if ($rc == $main::ACCEPT)
>>>>>>          {
>>>>>>              &main::log($main::LOG_DEBUG, "Allocate IP address
>>>>>> succeeded");
>>>>>>              $$handled = $main::ACCEPT;
>>>>>>              $$reason = 'Conditional ACCEPT';
>>>>>>          }
>>>>>>      }
>>>>>>      else
>>>>>>      {
>>>>>>          &main::log($main::LOG_ERR, "No AuthBy with Identifier
>>>>>> $identifier found for address allocation");
>>>>>>      }
>>>>>>      return;
>>>>>> }
>>>>>>
>>>>>>
>>>>>> This code checks the result of the previous AuthBy(s) and the  
>>>>>> reject
>>>>>> reason and in certain circumstances allocates an IP address  
>>>>>> from the
>>>>>> RESTRICTED pool and returns an Access-Accept. You can add  
>>>>>> additional
>>>>>> reply attributes as required and of course you don't need to do  
>>>>>> the
>>>>>> address allocation if your address pools are defined on your NAS
>>>>>> equipment.
>>>>>>
>>>>>> Please let me know how you get on.
>>>>>>
>>>>>> hope that helps
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 5 Dec 2005, at 20:30, Toomas Kärner wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm gathering my thoughts on solution that would rather give a
>>>>>>> scpecific set
>>>>>>> of parameters to a user upon a "failed" login rather than Access-
>>>>>>> Reject.
>>>>>>> These profiles should also be different depending on the cause of
>>>>>>> "failure"
>>>>>>> and in some cases it still should give Access-Reject.
>>>>>>> It's part of my plan to get HD call levels lower - if thses
>>>>>>> profiles will
>>>>>>> direct subscriber to a "educational" web page for that specific
>>>>>>> error that
>>>>>>> he/she encountered then there would be no reason to call. Also it
>>>>>>> would
>>>>>>> reduce the load on radius servers since logged in router  
>>>>>>> causes no
>>>>>>> load but
>>>>>>> once-in-a-second-trying router causes load. If it would get in I
>>>>>>> would get
>>>>>>> rid of that extra load.
>>>>>>> I have several (better and worse) ways of doing it but I'd  
>>>>>>> like to
>>>>>>> get some
>>>>>>> other opinions.
>>>>>>> Let me know how YOU would do this. It would probably benefit us
>>>>>>> all.
>>>>>>>
>>>>>>> Rgds.
>>>>>>> Toomas
>>>>>>>
>>>>>>> --
>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>
>>>>>>
>>>>>> NB:
>>>>>>
>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>> Have you searched the mailing list archive (www.open.com.au/
>>>>>> archives/
>>>>>> radiator)?
>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>
>>>>>> -- 
>>>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>>>> server
>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>> -
>>>>>> Nets: internetwork inventory and management - graphical,  
>>>>>> extensible,
>>>>>> flexible with hardware, software, platform and database
>>>>>> independence.
>>>>>> -
>>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>>> systems.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/
>>> radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.


> NB:

> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/ 
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mini-graph_week.png
Type: image/png
Size: 7862 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060215/c922e2c5/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mini-graph_24h.png
Type: image/png
Size: 8576 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060215/c922e2c5/attachment-0001.png>


More information about the radiator mailing list