(RADIATOR) RewriteUsername statements

Mike Gomez mgomez at iland.net
Thu Jun 8 23:56:06 CDT 2006


Hugh,

It all worked beautifully!  Thanks for making such an awesome product! :)

Mike

----- Original Message -----
From: Hugh Irvine <hugh at open.com.au>
To: Mike Gomez <mgomez at iland.net>
Sent: Thursday, June 08, 2006 10:50 PM
Subject: Re: (RADIATOR) RewriteUsername statements


Hello Mike -

The DefaultRealm will add the suffix to the username, therefore the username

	mgomez

will be changed to

	mgomez@domain1.net

if it passes through a Client clause with

	DefaultRealm domain1.net

which will then be matched by this Realm

<Realm domain1.net>
	.....
</Realm>

You should do some testing in a test environment running Radiator at  
trace 4 debug so you can see what is happening.

regards

Hugh




On 8 Jun 2006, at 08:01, Mike Gomez wrote:

> So....I'd need to have something like this?
>
>
> <Client "IP of first modem pool from first domain">
> IdenticalClients "IP of second modem pool from first domain"
> IdenticalClients "IP of third modem pool from first domain"
> IgnoreAcctSignature
>         Secret  xxxxxxxx
>         DupInterval 0
> DefaultRealm domain1.net
> </Client>
>
> <Client "IP of first modem pool from second domain">
> IgnoreAcctSignature
>         Secret  xxxxxxxx
> IdenticalClients "IP of second modem pool from second domain"
> IdenticalClients "IP of third modem pool from second domain"
> DefaultRealm domain2.net
> </Client>
>
> <SessionDatabase SQL>
> Identifier InSQL
> DBSource dbi:mysql:radius:xxxxxxxx
>        DBUsername xxxxxx
>        DBAuth xxxxxx
>       </SessionDatabase>
>
> <Realm domain1.net>
> RewriteUsername s/^([^@]+)$/$1@domain1.net/
> <AuthBy SQL>
>         DBSource dbi:mysql:radius:xxxxxxx
>           DBUsername xxxxxx
>              DBAuth xxxxxx
> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR 
>         from SUBSCRIBERS 
>                 where USERNAME = '%n'
>
> #AddToReply Service-Type = Framed-User, 
> #Framed-Protocol = PPP
> AccountingTable ACCT%Y%m
>                 AcctColumnDef    USERNAME,User-Name
>                 AcctColumnDef    TIME_STAMP,Timestamp,integer-date
>                 AcctColumnDef    ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef    ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef    ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef    ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef    ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef    ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef    ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef    ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
>                 AcctColumnDef    NASPORT_TYPE,NAS-Port-Type
>                 AcctColumnDef    NASADDRESS,NAS-IP-Address
>                 AcctColumnDef    FRAMEDADDRESS,Framed-IP-Address
>                 AcctColumnDef    NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef    NASPORT,NAS-Port,integer
>                 AcctColumnDef    USRCONSPEED,Connect-Speed
>                 AcctColumnDef    USRCONSPEED,Connect-Info
>                 AcctColumnDef    MODULATION,Modulation-Type
>                 AcctColumnDef    CSI,Calling-Station-Id
>
>
>         </AuthBy>
>         # Log accounting to a detail file
>         AcctLogFileName ./detail
> </Realm>
>
> <Realm domain2.net>
> RewriteUsername s/^([^@]+)$/$1@domain2.net/
> <AuthBy SQL>
>         DBSource dbi:mysql:radius:xxxxxxx
>           DBUsername xxxxxx
>              DBAuth xxxxxx
> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR 
>         from SUBSCRIBERS 
>                 where USERNAME = '%n'
>
> #AddToReply Service-Type = Framed-User, 
> #Framed-Protocol = PPP
> AccountingTable ACCT%Y%m
>                 AcctColumnDef    USERNAME,User-Name
>                 AcctColumnDef    TIME_STAMP,Timestamp,integer-date
>                 AcctColumnDef    ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef    ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef    ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef    ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef    ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef    ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef    ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef    ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
>                 AcctColumnDef    NASPORT_TYPE,NAS-Port-Type
>                 AcctColumnDef    NASADDRESS,NAS-IP-Address
>                 AcctColumnDef    FRAMEDADDRESS,Framed-IP-Address
>                 AcctColumnDef    NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef    NASPORT,NAS-Port,integer
>                 AcctColumnDef    USRCONSPEED,Connect-Speed
>                 AcctColumnDef    USRCONSPEED,Connect-Info
>                 AcctColumnDef    MODULATION,Modulation-Type
>                 AcctColumnDef    CSI,Calling-Station-Id
>
>
>         </AuthBy>
>         # Log accounting to a detail file
>         AcctLogFileName ./detail
> </Realm>
>
> Thereby essentially throwing anyone from the first group of modems into
> the domain1.net Realm (and using its RewriteUsername statement), and
> throwing anyone from the second group into the domain2.net Realm (and using
> its *different* RewriteUsername statement)?
>
> Mike
>
> On Thursday 08 June 2006 09:39, Hugh Irvine wrote:
>> Hello Mike -
>>
>> You would normally use a DefaultRealm in your Client clauses to add
>> the correct Realm to usernames without them, then use different Realm
>> clauses like this:
>>
>>
>> # define Client clauses with DefaultRealm
>>
>> <Client 1.1.1.1>
>>  ......
>>  DefaultRealm domain1.net
>> </Client>
>>
>> .....
>>
>> <Client n.n.n.n>
>>  ......
>>  DefaultRealm domain1.net
>> </Client>
>>
>> <Client 3.3.3.3>
>>  ......
>>  DefaultRealm domain2.net
>> </Client>
>>
>> .....
>>
>> <Client m.m.m.m>
>>  ......
>>  DefaultRealm domain2.net
>> </Client>
>>
>> .....
>>
>> <Realm domain1.net>
>>  ......
>> </Realm>
>>
>> <Realm domain2.net>
>>  .....
>> </Realm>
>>
>> .......
>>
>>
>> Of course you should always test thoroughly on a test server before
>> changing a production server.
>>
>> hope that helps
>>
>> regards
>>
>> Hugh
>>
>> On 8 Jun 2006, at 07:09, Mike Gomez wrote:
>>> Hi there,
>>>
>>> I've been looking through the radiator reference manual on doing some
>>> rewriteusername commands, and just wanted to get the list's opinion on if
>>> I'm going to be implementing this correctly.  Here's my current config file:
>>>
>>> <Client DEFAULT>
>>> IgnoreAcctSignature
>>>         Secret  xxxxxxxx
>>>         DupInterval 0
>>> </Client>
>>> <SessionDatabase SQL>
>>> Identifier InSQL
>>> DBSource dbi:mysql:radius:xxxxxxxx
>>>        DBUsername xxxxxx
>>>        DBAuth xxxxxx
>>>       </SessionDatabase>
>>> <Realm DEFAULT>
>>> RewriteUsername s/^([^@]+)$/$1@domain1.net/
>>> <AuthBy SQL>
>>>         DBSource dbi:mysql:radius:xxxxxxx
>>>           DBUsername xxxxxx
>>>              DBAuth xxxxxx
>>> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR 
>>>         from SUBSCRIBERS 
>>>                 where USERNAME = '%n'
>>>
>>> #AddToReply Service-Type = Framed-User, 
>>> #Framed-Protocol = PPP
>>> AccountingTable ACCT%Y%m
>>>                 AcctColumnDef    USERNAME,User-Name
>>>                 AcctColumnDef    TIME_STAMP,Timestamp,integer-date
>>>                 AcctColumnDef    ACCTSTATUSTYPE,Acct-Status-Type
>>>                 AcctColumnDef    ACCTDELAYTIME,Acct-Delay-Time,integer
>>>                 AcctColumnDef    ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>                 AcctColumnDef    ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>                 AcctColumnDef    ACCTSESSIONID,Acct-Session-Id
>>>                 AcctColumnDef    ACCTSESSIONTIME,Acct-Session-Time,integer
>>>                 AcctColumnDef    ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>                 AcctColumnDef    ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
>>>                 AcctColumnDef    NASPORT_TYPE,NAS-Port-Type
>>>                 AcctColumnDef    NASADDRESS,NAS-IP-Address
>>>                 AcctColumnDef    FRAMEDADDRESS,Framed-IP-Address
>>>                 AcctColumnDef    NASIDENTIFIER,NAS-Identifier
>>>                 AcctColumnDef    NASPORT,NAS-Port,integer
>>>                 AcctColumnDef    USRCONSPEED,Connect-Speed
>>>                 AcctColumnDef    USRCONSPEED,Connect-Info
>>>                 AcctColumnDef    MODULATION,Modulation-Type
>>>                 AcctColumnDef    CSI,Calling-Station-Id
>>>
>>>
>>>         </AuthBy>
>>>         # Log accounting to a detail file
>>>         AcctLogFileName ./detail
>>> </Realm>
>>>
>>> As you can see, I've got the RewriteUsername s/^([^@]+)$/$1@domain1.net/
>>> under <Realm DEFAULT>.  What's happening is I've got a second set of modem
>>> pools (from a different domain) that I'm going to be switching to our radius
>>> server here soon.  So, I need a different rewrite username statement
>>> (RewriteUsername s/^([^@]+)$/$1@domain2.net/) to apply to requests only from
>>> that second group of modem pools.  Can I use something like:
>>>
>>> <Client "IP of first modem pool">
>>> IgnoreAcctSignature
>>>         Secret  xxxxxxxx
>>> IdenticalClients "IP of second modem pool"
>>> IdenticalClients "IP of third modem pool"
>>> RewriteUsername s/^([^@]+)$/$1@domain2.net/
>>> </Client>
>>>
>>> or would the rewriteusername statement under <Realm DEFAULT> override that?  I
>>> just wanted to get opinions on it before I start messing with a production
>>> system. ;)
>>>
>>> Thanks!
>>> --
>>> Mike Gomez
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>> NB: I am travelling this week, so there may be delays in our
>> correspondence.
>
> -- 
> Mike Gomez
> Network Operations Center
> I-Land Internet Services
> 660.829.4638 Ext. 130


NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
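To make the processing order Hugh describes concrete (Client DefaultRealm first, then Realm selection by suffix, then that Realm's RewriteUsername), here is an added Python model of the configuration Mike posted. It is not Radiator code and simplifies Radiator's own request handling; the client IP addresses and the route/apply_rewrite helpers are constructed for the example.

```python
import re

# Constructed stand-ins for the modem-pool addresses in the thread (not real IPs).
# Each Client (and its IdenticalClients) carries the DefaultRealm Hugh describes.
CLIENTS = {
    "10.0.1.1": "domain1.net",  # first modem pool of the first domain
    "10.0.1.2": "domain1.net",  # IdenticalClients entry for the same pool
    "10.0.2.1": "domain2.net",  # first modem pool of the second domain
}

# The two Realm clauses from Mike's config and their RewriteUsername rules.
REALMS = {
    "domain1.net": "s/^([^@]+)$/$1@domain1.net/",
    "domain2.net": "s/^([^@]+)$/$1@domain2.net/",
}


def apply_rewrite(rule, username):
    """Apply a Perl-style s/pattern/replacement/ rule with Python's re module.
    Assumes neither part contains a literal '/', true for the rules above."""
    _, pattern, replacement, _ = rule.split("/")
    replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)  # Perl $1 -> Python \1
    return re.sub(pattern, replacement, username)


def route(client_ip, username):
    """Return (realm, final_username) for a request, or None when no Client or
    no Realm clause matches (the posted config has no DEFAULT clauses to catch
    such requests, so they would not be handled)."""
    if client_ip not in CLIENTS:
        return None
    if "@" not in username:  # DefaultRealm only touches names without a realm
        username = f"{username}@{CLIENTS[client_ip]}"
    realm = username.rsplit("@", 1)[1]
    if realm not in REALMS:
        return None
    # Once DefaultRealm has added the suffix, ^([^@]+)$ no longer matches,
    # so the Realm-level RewriteUsername is a no-op for these requests.
    return realm, apply_rewrite(REALMS[realm], username)


if __name__ == "__main__":
    for ip, name in [("10.0.1.1", "mgomez"), ("10.0.2.1", "mgomez"),
                     ("10.0.1.1", "alice@domain2.net"), ("10.0.1.1", "bob@other.org")]:
        print(ip, name, "->", route(ip, name))
```

Note that a username arriving with its own realm (alice@domain2.net from a domain1.net pool) is routed by that suffix, not by the Client's DefaultRealm, which is exactly the trace 4 output worth checking in a test environment.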


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
