[RADIATOR] preClientHook problem using ClientListSQL from version 3.15 to version 4.3.1
Dario Aguilar
daguilar at arnet.net.ar
Wed Jan 14 14:36:45 CST 2009
Hi Hugh,
Here it is a simple example case. As I already mentioned before we are
using ClientListSQL and not Client clause, but maybe this will clarify a
little bit our problem.
Please read the comments in the config. File and in the log file.
Regards,
Dario.
[root at server ~]# cat /etc/radiator/radius.cfg
Foreground
# LogStdout
Trace 4
PidFile /var/log/radiator/radiusd.pid
AuthPort 1645
AcctPort 1646
LogDir /var/log/radiator
DbDir /etc/radiator
DictionaryFile /etc/radiator/dictionary
UsernameCharset a-z/A-Z0-9\._ at -
#
# We declare PreClientHook and ClientHook globally...
#
PreClientHook file:"/etc/radiator/PreClientHook.cfg"
ClientHook file:"/etc/radiator/PreClientHook.cfg"
<Client DEFAULT>
Secret mysecret
#
# We declare ClientHook inside a Client clause as an example but we want to
put # this inside the ClientListSQL clause
#
ClientHook file:"/etc/radiator/PreClientHook.cfg"
</Client>
<AuthBy INTERNAL>
Identifier LIBERADO
AuthResult ACCEPT
AcctStartResult ACCEPT
AcctStopResult ACCEPT
</AuthBy>
<Handler Request-Type=Access-Request>
PreProcessingHook file:"/etc/radiator/PreClientHook.cfg"
AuthBy LIBERADO
PasswordLogFileName /var/log/radiator/password.log
AcctLogFileName /var/log/radiator/acct.log
</Handler>
[root at server ~]# cat /etc/radiator/PreClientHook.cfg
sub
{
my $p = ${$_[0]};
my $nasport = $p->get_attr('NAS-Port');
my $nasip = $p->get_attr('NAS-IP-Address');
my $ip=&Radius::Util::format_special('%c',$p);
&main::log($main::LOG_DEBUG,"NASIP=$nasip NASPORT=$nasport IPORIGIN=$ip");
}
[root at server ~]# /usr/bin/radpwtst -timeout 2 -dictionary
/etc/radiator/dictionary -secret mysecret -bind_address 10.0.0.100 -s
10.0.0.100 -noacct -auth_port 1645 -acct_port 1646
Acct-Session-Id='2/1/0/1196.2436_07DDCC21' -user user at dom -password xxxx
-nas_ip_address 10.0.0.200 -nas_port 675989892 -nas_port_type Ethernet
[root at server ~]# tail -f /var/log/radiator/logfile
--------------------------------------------------------------------------------
ClientHook statement it´s not recognized globally as you said.
--------------------------------------------------------------------------------
Wed Jan 14 13:06:29 2009: ERR: Unknown keyword 'ClientHook' in
/etc/radiator/radius.cfg line 0
Wed Jan 14 13:06:29 2009: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Wed Jan 14 13:06:29 2009: DEBUG: Reading dictionary file
'/etc/radiator/dictionary'
Wed Jan 14 13:06:29 2009: DEBUG: Creating authentication port 0.0.0.0:1645
Wed Jan 14 13:06:29 2009: DEBUG: Creating accounting port 0.0.0.0:1646
Wed Jan 14 13:06:29 2009: NOTICE: Server started: Radiator 4.3.1 on server
--------------------------------------------------------------------------------
Look at that NASIP and NASPORT variables actually Nas-IP-Address and
NAS-Port attributes are both encoded when it is called by global
PreClientHook statement with version 3.1 this was clear
--------------------------------------------------------------------------------
Wed Jan 14 13:08:23 2009: DEBUG: NASIP=�1d NASPORT=(JɄ IPORIGIN=10.0.0.100
Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
*** Received from 10.0.0.100 port 56017 ....
Code: Access-Request
Identifier: 158
Authentic: !i<219><159>'/<22>.i<225><213><242><210>+<234>O
Attributes:
User-Name = "user at dom"
Service-Type = Framed-User
NAS-IP-Address = 10.0.0.200
NAS-Port = 675989892
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Ethernet
User-Password = <175><216>Fe<185><154>L<230><127>Wkgf'<150><238>
Acct-Session-Id = "2/1/0/1196.2436_07DDCC21"
As you can see now this attributes are decoded.
Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892
IPORIGIN=10.0.0.100
Wed Jan 14 13:08:23 2009: DEBUG: Handling request with Handler
'Request-Type=Access-Request'
Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892
IPORIGIN=10.0.0.100
Wed Jan 14 13:08:23 2009: DEBUG: Deleting session for user at dom, 10.0.0.200,
675989892
Wed Jan 14 13:08:23 2009: DEBUG: Handling with AuthINTERNAL: LIBERADO
Wed Jan 14 13:08:23 2009: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by
AuthResult
Wed Jan 14 13:08:23 2009: DEBUG: Access accepted for user at dom
Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
*** Sending to 200.45.46.185 port 56017 ....
Code: Access-Accept
Identifier: 158
Authentic: <4>v<141>$<133> ]<159>4H-<226>?<29><223>2
Attributes:
Hugh Irvine wrote:
>
>
> Hello Dario -
>
> The NAS-IP-Address and NAS-Port attributes are normally in clear and
> available to a PreClientHook and/or ClientHook.
>
> Both PreClientHook and ClientHook are global configuration options in
> the configuration file - they don't need to be defined in ClientListSQL.
>
> reagrds
>
> Hugh
>
>
> On 10 Jan 2009, at 00:27, Dario Aguilar wrote:
>
>>
>> Hi Hugh,
>> As you can see in the script, we need to use the
>> 'NAS-IP-Address' and 'NAS-Port' attributes in our preClientHook.cfg
>> and both
>> values will not be decrypted because this should be done now in a
>> context of
>> a particular Client. The problem is that we cannot declare the
>> parameter
>> ClientHook into the ClientListSQL clause because this dont even
>> exist so I
>> don´t know how can I call preClientHook script to execute for all
>> our SQL
>> clients and not to each one in particular. Maybe Mikey´s added
>> support for
>> ClientHook in ClientList SQLClientHook should help us to resolve
>> this but
>> how can we implement this to satisfy our needs correctly?
>>
>> best regards,
>>
>> Dario.
>>
>>
>> Hugh Irvine wrote:
>>>
>>>
>>> Hello Dario -
>>>
>>> Can you please tell me what problems you are having?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 8 Jan 2009, at 04:49, Dario Aguilar wrote:
>>>
>>>>
>>>> Hi, first of all I want to clarify that I am a new user of Radiator
>>>> and my
>>>> knowledge of Perl language is very poor. We are trying to move from
>>>> version
>>>> 3.15 to 4.3.1 and some problems a problem appered to us with the old
>>>> Global
>>>> "preClientHook" statement in the new version. How should I call
>>>> PreClientHook.cfg to work in using ClientListSQL ?. I´ve already
>>>> finish
>>>> reading the revision history of versions 4.3 and 4.3.1 and the
>>>> reference
>>>> manual but I still have very clear how to implement this in our
>>>> server.
>>>>
>>>> Our radius.conf looks something like this:
>>>> -------------------------------------------------------------
>>>> <ClientListSQL>
>>>> DBSource dbi:Oracle:%{GlobalVar:DBInstance}
>>>> DBUsername %{GlobalVar:DBUsername}
>>>> DBAuth %{GlobalVar:DBAuth}
>>>> DBSource dbi:Oracle:%{GlobalVar:DBInstance}
>>>> DBUsername %{GlobalVar:DBUsername}
>>>> DBAuth %{GlobalVar:DBAuth}
>>>> GetClientQuery SELECT nas_ip_address,secret from
>>>> tbl_radclient WHERE nas_ip_address IS NOT NULL and secret IS NOT
>>>> NULL
>>>> BackupFilename
>>>> %D/clientlist.%{GlobalVar:CodeType}.%{GlobalVar:IpAddress}.dat
>>>> RefreshPeriod 3600
>>>> Timeout 2
>>>> FailureBackoffTime 0
>>>> ConnectionHook file:"%D/ConnectionHook.cfg"
>>>> </ClientListSQL>
>>>>
>>>> PreClientHook file:"%D/PreClientHook.cfg"
>>>> -------------------------------------------------
>>>>
>>>> PreClientHook.cfg----->>>
>>>>
>>>> sub {
>>>> my $p=${$_[0]};
>>>> my $nasip=$p->get_attr('NAS-IP-Address');
>>>> my $ip=&Radius::Util::format_special('%c', $p);
>>>> my $nasport=$p->get_attr('NAS-Port');
>>>> my $callid=$p->get_attr('Calling-Station-Id');
>>>>
>>>> &main::log($main::LOG_DEBUG,'Into PreClientHook');
>>>> &main::log($main::LOG_DEBUG,"NASIP=[$nasip] NASPORT=[$nasport]
>>>> SOURCE_IP=[$ip] CallId=[$callid]");
>>>> if($ip ne '192.168.0.1' and $ip ne '192.168.0.2') {
>>>> $p->change_attr('NAS-IP-Address',$ip) if $nasip ne
>>>> $ip;
>>>> }
>>>>
>>>> $p->add_attr('NAS-Port',$callid) unless defined $nasport;
>>>> $p->delete_attr('State');
>>>> if ($p->code eq 'Accounting-Request' &&
>>>> $p->get_attr('Acct-Status-Type') eq 'Stop') {
>>>> my %ascend2ietf = (
>>>> 'remoteEndHungup' => 'User-Request',
>>>> 'pppRcvTerminate' => 'User-Request',
>>>> 'sessTimeOut' => 'Session-Timeout',
>>>> '240' => 'Host-Request',
>>>> );
>>>>
>>>> my $ascend_disconnect_cause =
>>>> $p->get_attr('Ascend-Disconnect-Cause');
>>>> if($ascend_disconnect_cause) {
>>>> my $newval=
>>>> $ascend2ietf{$ascend_disconnect_cause};
>>>> $newval='Lost-Carrier'
>>>> unless defined $newval;
>>>> $p->change_attr('Acct-Terminate-Cause',
>>>> $newval);
>>>> }
>>>> }
>>>> }
>>>> -------------------------------------------
>>>>
>>>> thanks,
>>>> Dario Aguilar
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21336689.html
>>>> Sent from the Radiator - General mailing list archive at Nabble.com.
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21372284.html
>> Sent from the Radiator - General mailing list archive at Nabble.com.
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>
--
View this message in context: http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21464623.html
Sent from the Radiator - General mailing list archive at Nabble.com.
More information about the radiator
mailing list