(RADIATOR) Client entry by FQDN issue
Mike McCauley
mikem at open.com.au
Fri Jun 1 21:26:41 CDT 2007
Hello Garry,
That looks OK, but we will do some more extensive tests on it next week.
Cheers.
On Friday 01 June 2007 23:36, peirce at maine.edu wrote:
> Hi - I've finally resolved a NAS client problem I've been having, but I'm
> wondering if it's the right way to do so. If there's not a better way,
> perhaps it could be incorporated into future builds.
>
> I'm running Radiator v3.15.
>
> My client entries are built from an included script and the entries are
> defined by FQDN, e.g.:
>
> <Client rtr-c.xyz.net>
>     NasType Cisco
>     Secret <pw>
>     DefaultRealm XYZ
> </Client>
>
> These hosts have multiple IP addresses configured on them and all have DNS
> entries.
>
> Authenticating into the device can be intermittent and I believe it's
> because Radiator is intermittently resolving the client entry name to an
> IP address that is different from the incoming request. Through a debug
> line I added, I see that when Radiator starts, the known address for a
> given client entry changes. An nslookup on the host from the radius server
> returns all addresses for the host. It seems Radiator is only choosing one
> - the first returned?
>
> If I add all addresses the host has as IdenticalClients, the issue goes
> away. Given the large number of clients I have, that would be very
> cumbersome to do, as would defining the clients by all IP addresses.
> The clients are configured to always source the request from a defined
> address.
>
> When the address is different, the request fails to find a matching
> client and is ultimately rejected.
>
> In my case the NAS_ID contains the FQDN of the device, so I made the
> change below in Client::find to try and identify it using the
> NAS_IDENTIFIER.
>
> This seems to solve my issue. I found it odd I could not find anything in
> the archives of someone having the same issue, so I'm wondering if I've
> gone about it in the right way.
>
> I also included a change I found helpful to display the NAS_ID &
> Calling_Station_ID in the log when an access-request is rejected.
>
> thanks for any insight,
>
> ##############
> Client.pm - change to check NAS_ID if check on Client_IP fails
>
> --- Client.pm.orig 2007-06-01 08:49:37.000000000 -0400
> +++ Client.pm 2007-06-01 08:21:35.000000000 -0400
>
> @@ -162,6 +162,11 @@
> $ret = $Radius::Client::clients{'MAC:' . $mac}
> if ($mac =~
> /^[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-
> F]{2}-?[0-9a-fA-F]{2}$/);
>
> + # Try to deduce a entry via NAS_IDENTIFIER
> + my $dns_name = $p->getAttrByNum($Radius::Radius::NAS_IDENTIFIER);
> + $dns_name =~ tr/[A-Z]/[a-z]/;
> + $ret = $Radius::Client::clients{$dns_name};
> +
> # Still nothing, fall back to the default
> $ret = $Radius::Client::clients{DEFAULT}
> unless defined $ret;
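Review bot: the NAS-Identifier lookup in the added lines assigns `$ret` unconditionally, so a client that the preceding source-address or MAC lookups already found is replaced by whatever the request carries in NAS-Identifier, and when the attribute is absent `$dns_name` is undef, `tr` warns, and the lookup becomes `$clients{''}`. Guard it the way the DEFAULT fallback just below does: check `defined $dns_name`, then `$ret = $Radius::Client::clients{$dns_name} unless defined $ret;`. Two smaller points: `tr/[A-Z]/[a-z]/` only works because the brackets map to themselves, and `lc` says what is meant; and only the attribute is lowercased, so a mixed-case `<Client Rtr-C.xyz.net>` name in the config will never match. Finally, NAS-Identifier is a sender-chosen, unauthenticated attribute, so this lookup lets any host that can reach the port pick a named Client entry (with its Secret, DefaultRealm and NasType) regardless of source address; the shared secret is then the only thing tying the request to that NAS, which the comment and the documentation should say if this is adopted.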
>
> ###########
> Handler.pm - change to include NAS and Calling_Station on failed attempt
>
> --- Handler.pm.orig 2007-06-01 08:47:36.000000000 -0400
> +++ Handler.pm 2007-06-01 08:46:12.000000000 -0400
>
> @@ -469,7 +469,9 @@
> elsif ( $result == $main::REJECT
>
> || $result == $main::REJECT_IMMEDIATE)
>
> {
> - $self->log($main::LOG_INFO, "Access rejected for user $name:
> $reason", $p); + my $nas_id = $p->getNasId();
> + my $calling_station =
> $p->getAttrByNum($Radius::Radius::CALLING_STATION_ID); +
> $self->log($main::LOG_INFO, "Access rejected at $nas_id for user $name from
> $calling_station: $reason", $p);
>
> $self->authlog($main::REJECT, $reason, $p);
> $p->{rp}->set_code('Access-Reject');
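Review bot: `$calling_station` is undef for any request without a Calling-Station-Id (common for console or VTY logins on the Cisco NASes described here), so with warnings enabled the new log call emits "Use of uninitialized value" and writes an empty field; set a default before logging, e.g. `$calling_station = 'unknown' unless defined $calling_station;` (the same applies to `$nas_id` if `getNasId()` can return undef). Also, NAS-Identifier and Calling-Station-Id are request-supplied strings copied into the log line unescaped, so the sender now controls part of the "Access rejected" line; if anything parses these logs, strip control characters and newlines from both values first.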
>
>
>
> Garry Peirce peirce at maine.edu 1-207-561-3539
> =============================================
> Network Analyst
> ITS, Communications and Network Services
> University of Maine System
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
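The alternative Garry mentions above (listing every address of a multi-homed NAS as IdenticalClients) keeps the client match bound to the source address and the shared secret rather than to a sender-chosen attribute; what makes it cumbersome is doing it by hand. The script below is an added example, not code from the thread or from the Radiator distribution: it does the expansion in the config generator, resolving each FQDN to all of its A records, naming the Client by the first address and listing the rest as IdenticalClients, so Radiator never resolves names at startup. It is written in Python rather than Perl simply so it can be run as-is; the hostnames, addresses and secrets are constructed for the example, and the IdenticalClients value being a space-separated list is an assumption to check against the Radiator reference manual for your version.

```python
"""
Generate Radiator <Client> blocks for multi-homed NASes.

Added example, not code from the original thread or from Radiator.  Instead of
naming the Client by FQDN (which Radiator resolves to a single address at
startup), every address the name resolves to is written out explicitly: the
first as the Client name, the rest as IdenticalClients.  The request's source
address then always matches a configured entry, and the match still relies on
source address plus shared secret rather than on the unauthenticated
NAS-Identifier attribute.
"""
import ipaddress
import socket
from typing import List, Mapping


def resolve_all(fqdn: str) -> List[str]:
    """Return every IPv4 address the name resolves to, de-duplicated and sorted.

    Uses the system resolver, so it needs network access.  Sorting makes the
    generated config stable across runs regardless of resolver ordering.
    """
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_DGRAM)
    addrs = {info[4][0] for info in infos}
    return sorted(addrs, key=ipaddress.IPv4Address)


def render_client(fqdn: str, addrs: List[str], secret: str,
                  nas_type: str = "Cisco", default_realm: str = "XYZ") -> str:
    """Render one <Client> block from an already-resolved address list."""
    if not addrs:
        # A name that stops resolving must fail the build, not produce an
        # entry that silently matches nothing.
        raise ValueError(f"{fqdn}: no addresses resolved, refusing to emit a Client")
    for a in addrs:
        ipaddress.IPv4Address(a)  # fail loudly on anything that is not an address
    lines = [
        f"# {fqdn}",
        f"<Client {addrs[0]}>",
        f"\tNasType {nas_type}",
        f"\tSecret {secret}",
        f"\tDefaultRealm {default_realm}",
    ]
    if len(addrs) > 1:
        # Assumption: IdenticalClients takes a space-separated address list
        # (check the Radiator reference manual for your version).
        lines.append("\tIdenticalClients " + " ".join(addrs[1:]))
    lines.append("</Client>")
    return "\n".join(lines) + "\n"


def render_config(inventory: Mapping[str, str],
                  resolved: Mapping[str, List[str]]) -> str:
    """Render all Clients.  `inventory` maps FQDN -> shared secret;
    `resolved` maps FQDN -> address list (from resolve_all() or a cache)."""
    return "\n".join(render_client(fqdn, resolved[fqdn], secret)
                     for fqdn, secret in sorted(inventory.items()))


# Constructed sample data standing in for DNS answers; names, addresses and
# secrets are made up for this example.
SAMPLE_INVENTORY = {"rtr-c.xyz.net": "s3cret-c", "rtr-d.xyz.net": "s3cret-d"}
SAMPLE_RESOLVED = {
    "rtr-c.xyz.net": ["192.0.2.1", "192.0.2.17", "198.51.100.1"],
    "rtr-d.xyz.net": ["192.0.2.2"],
}

if __name__ == "__main__":
    # Live use: resolved = {f: resolve_all(f) for f in SAMPLE_INVENTORY}
    print(render_config(SAMPLE_INVENTORY, SAMPLE_RESOLVED))
```

Run it at config build time (or on a schedule) so addresses added to a router are picked up at the next rebuild. Because Radiator then only ever sees literal addresses, a resolver that returns A records in varying order no longer matters, and the source-address binding that the NAS-Identifier lookup would have relaxed stays in place.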