[RADIATOR] preClientHook problem using ClientListSQL from version 3.15 to version 4.3.1

Dario Aguilar daguilar at arnet.net.ar
Mon Jan 19 12:32:27 CST 2009


Hi Hugh, this solves our issue. Thanks.

regards,

Dario.


Hugh Irvine wrote:
> 
> 
> Hello Dario -
> 
> Thanks for your mail.
> 
> There was a slight problem in the patch set that did not allow  
> ClientHook to be defined as a global - this has now been fixed.
> 
> I have tested your code with a global ClientHook and it works correctly.
> 
> You will need today's latest patch set.
> 
> BTW - you can also define a ClientHook on a per-Client basis if desired.
> 
> regards
> 
> Hugh
> 
> 
> On 15 Jan 2009, at 07:36, Dario Aguilar wrote:
> 
>>
>> Hi Hugh,
>>    Here is a simple example case. As I already mentioned before, we are
>> using ClientListSQL and not a Client clause, but maybe this will clarify
>> our problem a little bit.
>>    Please read the comments in the config file and in the log file.
>>
>> Regards,
>>
>> Dario.
>>
>> [root@server ~]# cat /etc/radiator/radius.cfg
>> Foreground
>> # LogStdout
>> Trace 4
>> PidFile	/var/log/radiator/radiusd.pid
>> AuthPort	1645	
>> AcctPort	1646
>> LogDir		/var/log/radiator
>> DbDir		/etc/radiator
>> DictionaryFile  /etc/radiator/dictionary
>> UsernameCharset a-z/A-Z0-9\._@-
>>
>> #
>> # We declare PreClientHook and ClientHook globally...
>> #
>> PreClientHook file:"/etc/radiator/PreClientHook.cfg"
>> ClientHook file:"/etc/radiator/PreClientHook.cfg"
>>
>> <Client DEFAULT>
>>    Secret mysecret
>> #
>> # We declare ClientHook inside a Client clause as an example but we want to
>> # put this inside the ClientListSQL clause
>> #
>>    ClientHook file:"/etc/radiator/PreClientHook.cfg"
>> </Client>
>>
>> <AuthBy INTERNAL>
>>    Identifier LIBERADO
>>    AuthResult ACCEPT
>>    AcctStartResult ACCEPT
>>    AcctStopResult ACCEPT
>> </AuthBy>
>>
>> <Handler Request-Type=Access-Request>
>>    PreProcessingHook file:"/etc/radiator/PreClientHook.cfg"
>>    AuthBy LIBERADO
>>    PasswordLogFileName /var/log/radiator/password.log
>>    AcctLogFileName /var/log/radiator/acct.log
>> </Handler>
>>
>>
>>
>>
>> [root@server ~]# cat /etc/radiator/PreClientHook.cfg
>>
>> sub
>> {
>> my $p = ${$_[0]};
>>
>> my $nasport = $p->get_attr('NAS-Port');
>> my $nasip = $p->get_attr('NAS-IP-Address');
>> my $ip=&Radius::Util::format_special('%c',$p);
>>
>> &main::log($main::LOG_DEBUG,"NASIP=$nasip NASPORT=$nasport IPORIGIN=$ip");
>> }
>>
>>
>> [root@server ~]# /usr/bin/radpwtst -timeout 2 -dictionary \
>>     /etc/radiator/dictionary -secret mysecret -bind_address 10.0.0.100 \
>>     -s 10.0.0.100 -noacct -auth_port 1645 -acct_port 1646 \
>>     Acct-Session-Id='2/1/0/1196.2436_07DDCC21' -user user@dom \
>>     -password xxxx -nas_ip_address 10.0.0.200 -nas_port 675989892 \
>>     -nas_port_type Ethernet
>>
>>
>> [root@server ~]# tail -f /var/log/radiator/logfile
>>
>> --------------------------------------------------------------------------------
>> The ClientHook statement is not recognized globally as you said.
>>
>> --------------------------------------------------------------------------------
>>
>> Wed Jan 14 13:06:29 2009: ERR: Unknown keyword 'ClientHook' in /etc/radiator/radius.cfg line 0
>> Wed Jan 14 13:06:29 2009: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>> Wed Jan 14 13:06:29 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>> Wed Jan 14 13:06:29 2009: DEBUG: Creating authentication port 0.0.0.0:1645
>> Wed Jan 14 13:06:29 2009: DEBUG: Creating accounting port 0.0.0.0:1646
>> Wed Jan 14 13:06:29 2009: NOTICE: Server started: Radiator 4.3.1 on server
>> --------------------------------------------------------------------------------
>> Look at the NASIP and NASPORT variables: the NAS-IP-Address and NAS-Port
>> attributes are both encoded when the hook is called by the global
>> PreClientHook statement. With version 3.1 this was clear.
>> --------------------------------------------------------------------------------
>> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=�1d  NASPORT=(JɄ  
>> IPORIGIN=10.0.0.100
>> Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
>> *** Received from 10.0.0.100 port 56017 ....
>> Code:       Access-Request
>> Identifier: 158
>> Authentic:  !i<219><159>'/<22>.i<225><213><242><210>+<234>O
>> Attributes:
>> 	User-Name = "user@dom"
>> 	Service-Type = Framed-User
>> 	NAS-IP-Address = 10.0.0.200
>> 	NAS-Port = 675989892
>> 	Called-Station-Id = "123456789"
>> 	Calling-Station-Id = "987654321"
>> 	NAS-Port-Type = Ethernet
>> 	User-Password = <175><216>Fe<185><154>L<230><127>Wkgf'<150><238>
>> 	Acct-Session-Id = "2/1/0/1196.2436_07DDCC21"
>>
>>
>>
>> As you can see, now these attributes are decoded.
>>
>>
>> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892 IPORIGIN=10.0.0.100
>> Wed Jan 14 13:08:23 2009: DEBUG: Handling request with Handler 'Request-Type=Access-Request'
>> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892 IPORIGIN=10.0.0.100
>> Wed Jan 14 13:08:23 2009: DEBUG:  Deleting session for user@dom, 10.0.0.200, 675989892
>> Wed Jan 14 13:08:23 2009: DEBUG: Handling with AuthINTERNAL: LIBERADO
>> Wed Jan 14 13:08:23 2009: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by AuthResult
>> Wed Jan 14 13:08:23 2009: DEBUG: Access accepted for user@dom
>> Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
>> *** Sending to 200.45.46.185 port 56017 ....
>> Code:       Access-Accept
>> Identifier: 158
>> Authentic:  <4>v<141>$<133> ]<159>4H-<226>?<29><223>2
>> Attributes:
>>
>>
>>
>> Hugh Irvine wrote:
>>>
>>>
>>> Hello Dario -
>>>
>>> The NAS-IP-Address and NAS-Port attributes are normally in clear and
>>> available to a PreClientHook and/or ClientHook.
>>>
>>> Both PreClientHook and ClientHook are global configuration options in
>>> the configuration file - they don't need to be defined in  
>>> ClientListSQL.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 10 Jan 2009, at 00:27, Dario Aguilar wrote:
>>>
>>>>
>>>> Hi Hugh,
>>>>           As you can see in the script, we need to use the
>>>> 'NAS-IP-Address' and 'NAS-Port' attributes in our preClientHook.cfg, and
>>>> both values will not be decrypted because this should be done now in the
>>>> context of a particular Client. The problem is that we cannot declare the
>>>> parameter ClientHook in the ClientListSQL clause because this doesn't
>>>> even exist, so I don't know how I can call the preClientHook script to
>>>> execute for all our SQL clients and not for each one in particular. Maybe
>>>> Mikey's added support for ClientHook in ClientList SQLClientHook should
>>>> help us to resolve this, but how can we implement this to satisfy our
>>>> needs correctly?
>>>>
>>>> best regards,
>>>>
>>>> Dario.
>>>>
>>>>
>>>> Hugh Irvine wrote:
>>>>>
>>>>>
>>>>> Hello Dario -
>>>>>
>>>>> Can you please tell me what problems you are having?
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 8 Jan 2009, at 04:49, Dario Aguilar wrote:
>>>>>
>>>>>>
>>>>>> Hi, first of all I want to clarify that I am a new user of Radiator and
>>>>>> my knowledge of the Perl language is very poor. We are trying to move
>>>>>> from version 3.15 to 4.3.1 and a problem appeared with the old global
>>>>>> "preClientHook" statement in the new version. How should I call
>>>>>> PreClientHook.cfg to work when using ClientListSQL? I've already
>>>>>> finished reading the revision history of versions 4.3 and 4.3.1 and the
>>>>>> reference manual, but I still have very clear how to implement this in
>>>>>> our server.
>>>>>>
>>>>>> Our radius.conf looks something like this:
>>>>>> -------------------------------------------------------------
>>>>>> <ClientListSQL>
>>>>>>      DBSource                dbi:Oracle:%{GlobalVar:DBInstance}
>>>>>>      DBUsername              %{GlobalVar:DBUsername}
>>>>>>      DBAuth                  %{GlobalVar:DBAuth}
>>>>>>      DBSource                dbi:Oracle:%{GlobalVar:DBInstance}
>>>>>>      DBUsername              %{GlobalVar:DBUsername}
>>>>>>      DBAuth                  %{GlobalVar:DBAuth}
>>>>>>      GetClientQuery          SELECT nas_ip_address,secret from tbl_radclient WHERE nas_ip_address IS NOT NULL and secret IS NOT NULL
>>>>>>      BackupFilename          %D/clientlist.%{GlobalVar:CodeType}.%{GlobalVar:IpAddress}.dat
>>>>>>      RefreshPeriod           3600
>>>>>>      Timeout                 2
>>>>>>      FailureBackoffTime      0
>>>>>>      ConnectionHook file:"%D/ConnectionHook.cfg"
>>>>>> </ClientListSQL>
>>>>>>
>>>>>> PreClientHook file:"%D/PreClientHook.cfg"
>>>>>> -------------------------------------------------
>>>>>>
>>>>>> PreClientHook.cfg----->>>
>>>>>>
>>>>>> sub {
>>>>>>      # The hook is passed a reference to the request packet
>>>>>>      my $p=${$_[0]};
>>>>>>      my $nasip=$p->get_attr('NAS-IP-Address');
>>>>>>      # %c: address the request was received from (logged as SOURCE_IP)
>>>>>>      my $ip=&Radius::Util::format_special('%c', $p);
>>>>>>      my $nasport=$p->get_attr('NAS-Port');
>>>>>>      my $callid=$p->get_attr('Calling-Station-Id');
>>>>>>
>>>>>>      &main::log($main::LOG_DEBUG,'Into PreClientHook');
>>>>>>      &main::log($main::LOG_DEBUG,"NASIP=[$nasip] NASPORT=[$nasport] SOURCE_IP=[$ip] CallId=[$callid]");
>>>>>>      # Except for two fixed sources, force NAS-IP-Address to the source address
>>>>>>      if($ip ne '192.168.0.1' and $ip ne '192.168.0.2') {
>>>>>>              $p->change_attr('NAS-IP-Address',$ip) if $nasip ne $ip;
>>>>>>      }
>>>>>>
>>>>>>      # Use Calling-Station-Id as NAS-Port when the request carries none
>>>>>>      $p->add_attr('NAS-Port',$callid) unless defined $nasport;
>>>>>>      $p->delete_attr('State');
>>>>>>      # On accounting Stop, map Ascend-Disconnect-Cause to Acct-Terminate-Cause
>>>>>>      if ($p->code eq 'Accounting-Request' && $p->get_attr('Acct-Status-Type') eq 'Stop') {
>>>>>>              my %ascend2ietf = (
>>>>>>                      'remoteEndHungup'       => 'User-Request',
>>>>>>                      'pppRcvTerminate'       => 'User-Request',
>>>>>>                      'sessTimeOut'           => 'Session-Timeout',
>>>>>>                      '240'                   => 'Host-Request',
>>>>>>              );
>>>>>>
>>>>>>              my $ascend_disconnect_cause = $p->get_attr('Ascend-Disconnect-Cause');
>>>>>>              if($ascend_disconnect_cause) {
>>>>>>                      my $newval= $ascend2ietf{$ascend_disconnect_cause};
>>>>>>                      # Any cause not in the table is reported as Lost-Carrier
>>>>>>                      $newval='Lost-Carrier'
>>>>>>                              unless defined $newval;
>>>>>>                      $p->change_attr('Acct-Terminate-Cause', $newval);
>>>>>>              }
>>>>>>      }
>>>>>> }
>>>>>> -------------------------------------------
>>>>>>
>>>>>> thanks,
>>>>>> Dario Aguilar
>>>>>> -- 
>>>>>> View this message in context:
>>>>>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21336689.html
>>>>>> Sent from the Radiator - General mailing list archive at Nabble.com.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator at open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>>>>
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive
>>>>> (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>> Have you checked the RadiusExpert wiki:
>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>
>>>>> -- 
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>> and DIAMETER translation agent.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>> flexible with hardware, software, platform and database independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21548826.html
Sent from the Radiator - General mailing list archive at Nabble.com.
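
Added example (not part of the original thread and not Radiator code): the `NASPORT=(JɄ` value in the Trace 4 output quoted above is what the four wire octets of NAS-Port 675989892 look like when printed as text. This Python sketch walks a constructed attribute block in the RFC 2865 type/length/value layout and returns the same attributes before and after dictionary decoding; the function names and the three-entry dictionary are assumptions made for the illustration.

```python
import socket
import struct

# Subset of the RFC 2865 dictionary: attribute type -> (name, wire encoding).
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
}

def encode_attr(attr_type, value):
    """Build one attribute: type octet, length octet (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def walk_attrs(buf):
    """Yield (type, raw value) pairs, rejecting truncated or bogus lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        attr_type, length = buf[pos], buf[pos + 1]
        yield attr_type, buf[pos + 2:pos + length]
        pos += length

def decode_value(kind, raw):
    """Turn wire octets into the value a hook author expects to see."""
    if kind in ("integer", "ipaddr") and len(raw) != 4:
        raise ValueError(f"{kind} attribute must be 4 octets, got {len(raw)}")
    if kind == "integer":
        return struct.unpack("!I", raw)[0]
    if kind == "ipaddr":
        return socket.inet_ntoa(raw)
    return raw.decode("utf-8", "replace")

def view(buf, decoded):
    """Map attribute names to decoded values, or to the raw octets read as text."""
    out = {}
    for attr_type, raw in walk_attrs(buf):
        name, kind = DICTIONARY.get(attr_type, (f"Attr-{attr_type}", "string"))
        out[name] = decode_value(kind, raw) if decoded else raw.decode("utf-8", "replace")
    return out

# Constructed sample carrying the values from the radpwtst run in the thread.
SAMPLE = (encode_attr(1, b"user@dom")
          + encode_attr(4, socket.inet_aton("10.0.0.200"))
          + encode_attr(5, struct.pack("!I", 675989892)))

if __name__ == "__main__":
    print(view(SAMPLE, decoded=False), view(SAMPLE, decoded=True), sep="\n")
```

A hook that logs or rewrites NAS-IP-Address or NAS-Port needs the decoded view; unprintable bytes in a debug line are a sign that it is reading the attributes before dictionary decoding.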



