[RADIATOR] preClientHook problem using ClientListSQL from version 3.15 to version 4.3.1
Hugh Irvine
hugh at open.com.au
Thu Jan 15 00:31:06 CST 2009
Hello Dario -
Thanks for your mail.
There was a slight problem in the patch set that did not allow
ClientHook to be defined as a global - this has now been fixed.
I have tested your code with a global ClientHook and it works correctly.
You will need today's latest patch set.
BTW - you can also define a ClientHook on a per-Client basis if desired.
regards
Hugh
On 15 Jan 2009, at 07:36, Dario Aguilar wrote:
>
> Hi Hugh,
> Here is a simple example case. As I already mentioned before, we are
> using ClientListSQL and not a Client clause, but maybe this will clarify
> our problem a little bit.
> Please read the comments in the config file and in the log file.
>
> Regards,
>
> Dario.
>
> [root@server ~]# cat /etc/radiator/radius.cfg
> Foreground
> # LogStdout
> Trace 4
> PidFile /var/log/radiator/radiusd.pid
> AuthPort 1645
> AcctPort 1646
> LogDir /var/log/radiator
> DbDir /etc/radiator
> DictionaryFile /etc/radiator/dictionary
> UsernameCharset a-z/A-Z0-9\._@-
>
> #
> # We declare PreClientHook and ClientHook globally...
> #
> PreClientHook file:"/etc/radiator/PreClientHook.cfg"
> ClientHook file:"/etc/radiator/PreClientHook.cfg"
>
> <Client DEFAULT>
> Secret mysecret
> #
> # We declare ClientHook inside a Client clause as an example but we want to
> # put this inside the ClientListSQL clause
> #
> ClientHook file:"/etc/radiator/PreClientHook.cfg"
> </Client>
>
> <AuthBy INTERNAL>
> Identifier LIBERADO
> AuthResult ACCEPT
> AcctStartResult ACCEPT
> AcctStopResult ACCEPT
> </AuthBy>
>
> <Handler Request-Type=Access-Request>
> PreProcessingHook file:"/etc/radiator/PreClientHook.cfg"
> AuthBy LIBERADO
> PasswordLogFileName /var/log/radiator/password.log
> AcctLogFileName /var/log/radiator/acct.log
> </Handler>
>
>
>
>
> [root@server ~]# cat /etc/radiator/PreClientHook.cfg
>
> sub
> {
> my $p = ${$_[0]};
>
> my $nasport = $p->get_attr('NAS-Port');
> my $nasip = $p->get_attr('NAS-IP-Address');
> my $ip=&Radius::Util::format_special('%c',$p);
>
> &main::log($main::LOG_DEBUG,"NASIP=$nasip NASPORT=$nasport IPORIGIN=$ip");
> }
>
>
> [root@server ~]# /usr/bin/radpwtst -timeout 2 -dictionary /etc/radiator/dictionary \
>     -secret mysecret -bind_address 10.0.0.100 -s 10.0.0.100 -noacct \
>     -auth_port 1645 -acct_port 1646 Acct-Session-Id='2/1/0/1196.2436_07DDCC21' \
>     -user user@dom -password xxxx \
>     -nas_ip_address 10.0.0.200 -nas_port 675989892 -nas_port_type Ethernet
>
>
> [root@server ~]# tail -f /var/log/radiator/logfile
>
> --------------------------------------------------------------------------------
> The ClientHook statement is not recognized globally as you said.
>
> --------------------------------------------------------------------------------
>
> Wed Jan 14 13:06:29 2009: ERR: Unknown keyword 'ClientHook' in /etc/radiator/radius.cfg line 0
> Wed Jan 14 13:06:29 2009: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Wed Jan 14 13:06:29 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Wed Jan 14 13:06:29 2009: DEBUG: Creating authentication port 0.0.0.0:1645
> Wed Jan 14 13:06:29 2009: DEBUG: Creating accounting port 0.0.0.0:1646
> Wed Jan 14 13:06:29 2009: NOTICE: Server started: Radiator 4.3.1 on server
> --------------------------------------------------------------------------------
> Look at the NASIP and NASPORT variables (actually the NAS-IP-Address and
> NAS-Port attributes): both are encoded when called by the global
> PreClientHook statement. With version 3.1 this was clear.
> --------------------------------------------------------------------------------
> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=�1d NASPORT=(JɄ
> IPORIGIN=10.0.0.100
> Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
> *** Received from 10.0.0.100 port 56017 ....
> Code: Access-Request
> Identifier: 158
> Authentic: !i<219><159>'/<22>.i<225><213><242><210>+<234>O
> Attributes:
> User-Name = "user@dom"
> Service-Type = Framed-User
> NAS-IP-Address = 10.0.0.200
> NAS-Port = 675989892
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Ethernet
> User-Password = <175><216>Fe<185><154>L<230><127>Wkgf'<150><238>
> Acct-Session-Id = "2/1/0/1196.2436_07DDCC21"
>
>
>
> As you can see, these attributes are now decoded.
>
>
> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892 IPORIGIN=10.0.0.100
> Wed Jan 14 13:08:23 2009: DEBUG: Handling request with Handler 'Request-Type=Access-Request'
> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892 IPORIGIN=10.0.0.100
> Wed Jan 14 13:08:23 2009: DEBUG: Deleting session for user@dom, 10.0.0.200, 675989892
> Wed Jan 14 13:08:23 2009: DEBUG: Handling with AuthINTERNAL: LIBERADO
> Wed Jan 14 13:08:23 2009: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by AuthResult
> Wed Jan 14 13:08:23 2009: DEBUG: Access accepted for user@dom
> Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
> *** Sending to 200.45.46.185 port 56017 ....
> Code: Access-Accept
> Identifier: 158
> Authentic: <4>v<141>$<133> ]<159>4H-<226>?<29><223>2
> Attributes:
>
>
>
> Hugh Irvine wrote:
>>
>>
>> Hello Dario -
>>
>> The NAS-IP-Address and NAS-Port attributes are normally in clear and
>> available to a PreClientHook and/or ClientHook.
>>
>> Both PreClientHook and ClientHook are global configuration options in
>> the configuration file - they don't need to be defined in
>> ClientListSQL.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 10 Jan 2009, at 00:27, Dario Aguilar wrote:
>>
>>>
>>> Hi Hugh,
>>> As you can see in the script, we need to use the 'NAS-IP-Address' and
>>> 'NAS-Port' attributes in our preClientHook.cfg and both values will not be
>>> decrypted because this should be done now in the context of a particular
>>> Client. The problem is that we cannot declare the parameter ClientHook in
>>> the ClientListSQL clause because this doesn't even exist, so I don't know
>>> how I can call the preClientHook script to execute for all our SQL clients
>>> and not for each one in particular. Maybe Mikey's added support for
>>> ClientHook in ClientList SQLClientHook should help us to resolve this, but
>>> how can we implement this to satisfy our needs correctly?
>>>
>>> best regards,
>>>
>>> Dario.
>>>
>>>
>>> Hugh Irvine wrote:
>>>>
>>>>
>>>> Hello Dario -
>>>>
>>>> Can you please tell me what problems you are having?
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 8 Jan 2009, at 04:49, Dario Aguilar wrote:
>>>>
>>>>>
>>>>> Hi, first of all I want to clarify that I am a new user of Radiator and
>>>>> my knowledge of the Perl language is very poor. We are trying to move
>>>>> from version 3.15 to 4.3.1 and a problem appeared to us with the old
>>>>> global "preClientHook" statement in the new version. How should I call
>>>>> PreClientHook.cfg to work using ClientListSQL? I've already finished
>>>>> reading the revision history of versions 4.3 and 4.3.1 and the reference
>>>>> manual but I still have very clear how to implement this in our server.
>>>>>
>>>>> Our radius.conf looks something like this:
>>>>> -------------------------------------------------------------
>>>>> <ClientListSQL>
>>>>> DBSource dbi:Oracle:%{GlobalVar:DBInstance}
>>>>> DBUsername %{GlobalVar:DBUsername}
>>>>> DBAuth %{GlobalVar:DBAuth}
>>>>> DBSource dbi:Oracle:%{GlobalVar:DBInstance}
>>>>> DBUsername %{GlobalVar:DBUsername}
>>>>> DBAuth %{GlobalVar:DBAuth}
>>>>> GetClientQuery SELECT nas_ip_address,secret from tbl_radclient WHERE nas_ip_address IS NOT NULL and secret IS NOT NULL
>>>>> BackupFilename %D/clientlist.%{GlobalVar:CodeType}.%{GlobalVar:IpAddress}.dat
>>>>> RefreshPeriod 3600
>>>>> Timeout 2
>>>>> FailureBackoffTime 0
>>>>> ConnectionHook file:"%D/ConnectionHook.cfg"
>>>>> </ClientListSQL>
>>>>>
>>>>> PreClientHook file:"%D/PreClientHook.cfg"
>>>>> -------------------------------------------------
>>>>>
>>>>> PreClientHook.cfg----->>>
>>>>>
>>>>> sub {
>>>>>     my $p = ${$_[0]};
>>>>>     my $nasip = $p->get_attr('NAS-IP-Address');
>>>>>     my $ip = &Radius::Util::format_special('%c', $p);
>>>>>     my $nasport = $p->get_attr('NAS-Port');
>>>>>     my $callid = $p->get_attr('Calling-Station-Id');
>>>>>
>>>>>     &main::log($main::LOG_DEBUG, 'Into PreClientHook');
>>>>>     &main::log($main::LOG_DEBUG, "NASIP=[$nasip] NASPORT=[$nasport] SOURCE_IP=[$ip] CallId=[$callid]");
>>>>>
>>>>>     # Except for two fixed sources, set NAS-IP-Address to the packet's source IP
>>>>>     if ($ip ne '192.168.0.1' and $ip ne '192.168.0.2') {
>>>>>         $p->change_attr('NAS-IP-Address', $ip) if $nasip ne $ip;
>>>>>     }
>>>>>
>>>>>     # Use Calling-Station-Id as NAS-Port when the request carries none
>>>>>     $p->add_attr('NAS-Port', $callid) unless defined $nasport;
>>>>>     $p->delete_attr('State');
>>>>>
>>>>>     # On accounting Stop, map Ascend-Disconnect-Cause to Acct-Terminate-Cause
>>>>>     if ($p->code eq 'Accounting-Request' &&
>>>>>         $p->get_attr('Acct-Status-Type') eq 'Stop') {
>>>>>         my %ascend2ietf = (
>>>>>             'remoteEndHungup' => 'User-Request',
>>>>>             'pppRcvTerminate' => 'User-Request',
>>>>>             'sessTimeOut' => 'Session-Timeout',
>>>>>             '240' => 'Host-Request',
>>>>>         );
>>>>>
>>>>>         my $ascend_disconnect_cause = $p->get_attr('Ascend-Disconnect-Cause');
>>>>>         if ($ascend_disconnect_cause) {
>>>>>             my $newval = $ascend2ietf{$ascend_disconnect_cause};
>>>>>             # Unmapped causes fall back to Lost-Carrier
>>>>>             $newval = 'Lost-Carrier' unless defined $newval;
>>>>>             $p->change_attr('Acct-Terminate-Cause', $newval);
>>>>>         }
>>>>>     }
>>>>> }
>>>>> -------------------------------------------
>>>>>
>>>>> thanks,
>>>>> Dario Aguilar
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21336689.html
>>>>> Sent from the Radiator - General mailing list archive at
>>>>> Nabble.com.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive
>>>> (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>> server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical,
>>>> extensible,
>>>> flexible with hardware, software, platform and database
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>> systems.
>>>>
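
The unreadable NASIP and NASPORT values in the trace quoted above are the attributes in their raw RADIUS wire encoding: the NAS-Port shown as "(JɄ" is the 4-octet network-order form of 675989892. The following is an added example, not part of the thread and written in Python rather than Radiator's Perl; it parses the attribute section and decodes both values. The type codes (4 and 5) and encodings are from RFC 2865, and the sample bytes are constructed from the values in the packet dump.

```python
import ipaddress
import struct

# RFC 2865 attribute type codes
NAS_IP_ADDRESS = 4
NAS_PORT = 5

# Constructed sample: the attribute section of an Access-Request carrying the
# two values shown in the thread's packet dump (10.0.0.200 and 675989892).
SAMPLE_ATTRS = (
    bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address("10.0.0.200").packed
    + bytes([NAS_PORT, 6]) + struct.pack("!I", 675989892)
)


def parse_attributes(data):
    """Split a RADIUS attribute section into {type: [raw value, ...]}."""
    attrs = {}
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        # Length covers the type and length octets, so it is never below 2.
        if alen < 2 or offset + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.setdefault(atype, []).append(data[offset + 2:offset + alen])
        offset += alen
    return attrs


def decode_nas_ip(raw):
    """NAS-IP-Address is a 4-octet IPv4 address."""
    if len(raw) != 4:
        raise ValueError("NAS-IP-Address must be 4 octets")
    return str(ipaddress.IPv4Address(raw))


def decode_nas_port(raw):
    """NAS-Port is a 4-octet unsigned integer in network byte order."""
    if len(raw) != 4:
        raise ValueError("NAS-Port must be 4 octets")
    return struct.unpack("!I", raw)[0]


def as_logged(raw):
    """What the raw octets look like when interpolated into a UTF-8 log line."""
    return raw.decode("utf-8", errors="replace")
```

A hook that compares or rewrites NAS-IP-Address on raw octets like these would be working on the wrong values, which is why the trace has to show the decoded form before the hook logic is trusted.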