[RADIATOR] preClientHook problem using ClientListSQL from version 3.15 to version 4.3.1
Dario Aguilar
daguilar at arnet.net.ar
Mon Jan 19 12:32:27 CST 2009
Hi Hugh, this solves our issue. thanks.
regards,
Dario.
Hugh Irvine wrote:
>
>
> Hello Dario -
>
> Thanks for your mail.
>
> There was a slight problem in the patch set that did not allow
> ClientHook to be defined as a global - this has now been fixed.
>
> I have tested your code with a global ClientHook and it works correctly.
>
> You will need today's latest patch set.
>
> BTW - you can also define a ClientHook on a per-Client basis if desired.
>
> regards
>
> Hugh
>
>
> On 15 Jan 2009, at 07:36, Dario Aguilar wrote:
>
>>
>> Hi Hugh,
>> Here it is a simple example case. As I already mentioned before
>> we are
>> using ClientListSQL and not Client clause, but maybe this will
>> clarify a
>> little bit our problem.
>> Please read the comments in the config. File and in the log file.
>>
>> Regards,
>>
>> Dario.
>>
>> [root at server ~]# cat /etc/radiator/radius.cfg
>> Foreground
>> # LogStdout
>> Trace 4
>> PidFile /var/log/radiator/radiusd.pid
>> AuthPort 1645
>> AcctPort 1646
>> LogDir /var/log/radiator
>> DbDir /etc/radiator
>> DictionaryFile /etc/radiator/dictionary
>> UsernameCharset a-z/A-Z0-9\._ at -
>>
>> #
>> # We declare PreClientHook and ClientHook globally...
>> #
>> PreClientHook file:"/etc/radiator/PreClientHook.cfg"
>> ClientHook file:"/etc/radiator/PreClientHook.cfg"
>>
>> <Client DEFAULT>
>> Secret mysecret
>> #
>> # We declare ClientHook inside a Client clause as an example but we
>> want to
>> put # this inside the ClientListSQL clause
>> #
>> ClientHook file:"/etc/radiator/PreClientHook.cfg"
>> </Client>
>>
>> <AuthBy INTERNAL>
>> Identifier LIBERADO
>> AuthResult ACCEPT
>> AcctStartResult ACCEPT
>> AcctStopResult ACCEPT
>> </AuthBy>
>>
>> <Handler Request-Type=Access-Request>
>> PreProcessingHook file:"/etc/radiator/PreClientHook.cfg"
>> AuthBy LIBERADO
>> PasswordLogFileName /var/log/radiator/password.log
>> AcctLogFileName /var/log/radiator/acct.log
>> </Handler>
>>
>>
>>
>>
>> [root at server ~]# cat /etc/radiator/PreClientHook.cfg
>>
>> sub
>> {
>> my $p = ${$_[0]};
>>
>> my $nasport = $p->get_attr('NAS-Port');
>> my $nasip = $p->get_attr('NAS-IP-Address');
>> my $ip=&Radius::Util::format_special('%c',$p);
>>
>> &main::log($main::LOG_DEBUG,"NASIP=$nasip NASPORT=$nasport IPORIGIN=
>> $ip");
>> }
>>
>>
>> [root at server ~]# /usr/bin/radpwtst -timeout 2 -dictionary
>> /etc/radiator/dictionary -secret mysecret -bind_address 10.0.0.100 -s
>> 10.0.0.100 -noacct -auth_port 1645 -acct_port 1646
>> Acct-Session-Id='2/1/0/1196.2436_07DDCC21' -user user at dom -password
>> xxxx
>> -nas_ip_address 10.0.0.200 -nas_port 675989892 -nas_port_type Ethernet
>>
>>
>> [root at server ~]# tail -f /var/log/radiator/logfile
>>
>> --------------------------------------------------------------------------------
>> ClientHook statement it´s not recognized globally as you said.
>>
>> --------------------------------------------------------------------------------
>>
>> Wed Jan 14 13:06:29 2009: ERR: Unknown keyword 'ClientHook' in
>> /etc/radiator/radius.cfg line 0
>> Wed Jan 14 13:06:29 2009: DEBUG: Finished reading configuration file
>> '/etc/radiator/radius.cfg'
>> Wed Jan 14 13:06:29 2009: DEBUG: Reading dictionary file
>> '/etc/radiator/dictionary'
>> Wed Jan 14 13:06:29 2009: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Wed Jan 14 13:06:29 2009: DEBUG: Creating accounting port 0.0.0.0:1646
>> Wed Jan 14 13:06:29 2009: NOTICE: Server started: Radiator 4.3.1 on
>> server
>> --------------------------------------------------------------------------------
>> Look at that NASIP and NASPORT variables actually Nas-IP-Address and
>> NAS-Port attributes are both encoded when it is called by global
>> PreClientHook statement with version 3.1 this was clear
>> --------------------------------------------------------------------------------
>> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=�1d NASPORT=(JɄ
>> IPORIGIN=10.0.0.100
>> Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
>> *** Received from 10.0.0.100 port 56017 ....
>> Code: Access-Request
>> Identifier: 158
>> Authentic: !i<219><159>'/<22>.i<225><213><242><210>+<234>O
>> Attributes:
>> User-Name = "user at dom"
>> Service-Type = Framed-User
>> NAS-IP-Address = 10.0.0.200
>> NAS-Port = 675989892
>> Called-Station-Id = "123456789"
>> Calling-Station-Id = "987654321"
>> NAS-Port-Type = Ethernet
>> User-Password = <175><216>Fe<185><154>L<230><127>Wkgf'<150><238>
>> Acct-Session-Id = "2/1/0/1196.2436_07DDCC21"
>>
>>
>>
>> As you can see now this attributes are decoded.
>>
>>
>> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892
>> IPORIGIN=10.0.0.100
>> Wed Jan 14 13:08:23 2009: DEBUG: Handling request with Handler
>> 'Request-Type=Access-Request'
>> Wed Jan 14 13:08:23 2009: DEBUG: NASIP=10.0.0.200 NASPORT=675989892
>> IPORIGIN=10.0.0.100
>> Wed Jan 14 13:08:23 2009: DEBUG: Deleting session for user at dom,
>> 10.0.0.200,
>> 675989892
>> Wed Jan 14 13:08:23 2009: DEBUG: Handling with AuthINTERNAL: LIBERADO
>> Wed Jan 14 13:08:23 2009: DEBUG: AuthBy INTERNAL result: ACCEPT,
>> Fixed by
>> AuthResult
>> Wed Jan 14 13:08:23 2009: DEBUG: Access accepted for user at dom
>> Wed Jan 14 13:08:23 2009: DEBUG: Packet dump:
>> *** Sending to 200.45.46.185 port 56017 ....
>> Code: Access-Accept
>> Identifier: 158
>> Authentic: <4>v<141>$<133> ]<159>4H-<226>?<29><223>2
>> Attributes:
>>
>>
>>
>> Hugh Irvine wrote:
>>>
>>>
>>> Hello Dario -
>>>
>>> The NAS-IP-Address and NAS-Port attributes are normally in clear and
>>> available to a PreClientHook and/or ClientHook.
>>>
>>> Both PreClientHook and ClientHook are global configuration options in
>>> the configuration file - they don't need to be defined in
>>> ClientListSQL.
>>>
>>> reagrds
>>>
>>> Hugh
>>>
>>>
>>> On 10 Jan 2009, at 00:27, Dario Aguilar wrote:
>>>
>>>>
>>>> Hi Hugh,
>>>> As you can see in the script, we need to use the
>>>> 'NAS-IP-Address' and 'NAS-Port' attributes in our preClientHook.cfg
>>>> and both
>>>> values will not be decrypted because this should be done now in a
>>>> context of
>>>> a particular Client. The problem is that we cannot declare the
>>>> parameter
>>>> ClientHook into the ClientListSQL clause because this dont even
>>>> exist so I
>>>> don´t know how can I call preClientHook script to execute for all
>>>> our SQL
>>>> clients and not to each one in particular. Maybe Mikey´s added
>>>> support for
>>>> ClientHook in ClientList SQLClientHook should help us to resolve
>>>> this but
>>>> how can we implement this to satisfy our needs correctly?
>>>>
>>>> best regards,
>>>>
>>>> Dario.
>>>>
>>>>
>>>> Hugh Irvine wrote:
>>>>>
>>>>>
>>>>> Hello Dario -
>>>>>
>>>>> Can you please tell me what problems you are having?
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 8 Jan 2009, at 04:49, Dario Aguilar wrote:
>>>>>
>>>>>>
>>>>>> Hi, first of all I want to clarify that I am a new user of
>>>>>> Radiator
>>>>>> and my
>>>>>> knowledge of Perl language is very poor. We are trying to move
>>>>>> from
>>>>>> version
>>>>>> 3.15 to 4.3.1 and some problems a problem appered to us with the
>>>>>> old
>>>>>> Global
>>>>>> "preClientHook" statement in the new version. How should I call
>>>>>> PreClientHook.cfg to work in using ClientListSQL ?. I´ve already
>>>>>> finish
>>>>>> reading the revision history of versions 4.3 and 4.3.1 and the
>>>>>> reference
>>>>>> manual but I still have very clear how to implement this in our
>>>>>> server.
>>>>>>
>>>>>> Our radius.conf looks something like this:
>>>>>> -------------------------------------------------------------
>>>>>> <ClientListSQL>
>>>>>> DBSource dbi:Oracle:%{GlobalVar:DBInstance}
>>>>>> DBUsername %{GlobalVar:DBUsername}
>>>>>> DBAuth %{GlobalVar:DBAuth}
>>>>>> DBSource dbi:Oracle:%{GlobalVar:DBInstance}
>>>>>> DBUsername %{GlobalVar:DBUsername}
>>>>>> DBAuth %{GlobalVar:DBAuth}
>>>>>> GetClientQuery SELECT nas_ip_address,secret from
>>>>>> tbl_radclient WHERE nas_ip_address IS NOT NULL and secret IS NOT
>>>>>> NULL
>>>>>> BackupFilename
>>>>>> %D/clientlist.%{GlobalVar:CodeType}.%{GlobalVar:IpAddress}.dat
>>>>>> RefreshPeriod 3600
>>>>>> Timeout 2
>>>>>> FailureBackoffTime 0
>>>>>> ConnectionHook file:"%D/ConnectionHook.cfg"
>>>>>> </ClientListSQL>
>>>>>>
>>>>>> PreClientHook file:"%D/PreClientHook.cfg"
>>>>>> -------------------------------------------------
>>>>>>
>>>>>> PreClientHook.cfg----->>>
>>>>>>
>>>>>> sub {
>>>>>> my $p=${$_[0]};
>>>>>> my $nasip=$p->get_attr('NAS-IP-Address');
>>>>>> my $ip=&Radius::Util::format_special('%c', $p);
>>>>>> my $nasport=$p->get_attr('NAS-Port');
>>>>>> my $callid=$p->get_attr('Calling-Station-Id');
>>>>>>
>>>>>> &main::log($main::LOG_DEBUG,'Into PreClientHook');
>>>>>> &main::log($main::LOG_DEBUG,"NASIP=[$nasip]
>>>>>> NASPORT=[$nasport]
>>>>>> SOURCE_IP=[$ip] CallId=[$callid]");
>>>>>> if($ip ne '192.168.0.1' and $ip ne '192.168.0.2') {
>>>>>> $p->change_attr('NAS-IP-Address',$ip) if $nasip ne
>>>>>> $ip;
>>>>>> }
>>>>>>
>>>>>> $p->add_attr('NAS-Port',$callid) unless defined $nasport;
>>>>>> $p->delete_attr('State');
>>>>>> if ($p->code eq 'Accounting-Request' &&
>>>>>> $p->get_attr('Acct-Status-Type') eq 'Stop') {
>>>>>> my %ascend2ietf = (
>>>>>> 'remoteEndHungup' => 'User-Request',
>>>>>> 'pppRcvTerminate' => 'User-Request',
>>>>>> 'sessTimeOut' => 'Session-Timeout',
>>>>>> '240' => 'Host-Request',
>>>>>> );
>>>>>>
>>>>>> my $ascend_disconnect_cause =
>>>>>> $p->get_attr('Ascend-Disconnect-Cause');
>>>>>> if($ascend_disconnect_cause) {
>>>>>> my $newval=
>>>>>> $ascend2ietf{$ascend_disconnect_cause};
>>>>>> $newval='Lost-Carrier'
>>>>>> unless defined $newval;
>>>>>> $p->change_attr('Acct-Terminate-Cause',
>>>>>> $newval);
>>>>>> }
>>>>>> }
>>>>>> }
>>>>>> -------------------------------------------
>>>>>>
>>>>>> thanks,
>>>>>> Dario Aguilar
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21336689.html
>>>>>> Sent from the Radiator - General mailing list archive at
>>>>>> Nabble.com.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator at open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>>>>
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive
>>>>> (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>> Have you checked the RadiusExpert wiki:
>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>
>>>>> --
>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>> server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>> and DIAMETER translation agent.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical,
>>>>> extensible,
>>>>> flexible with hardware, software, platform and database
>>>>> independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>> systems.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>>>>
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21372284.html
>>>> Sent from the Radiator - General mailing list archive at Nabble.com.
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21464623.html
>> Sent from the Radiator - General mailing list archive at Nabble.com.
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
View this message in context: http://www.nabble.com/preClientHook-problem-using-ClientListSQL-from-version-3.15-to-version-4.3.1-tp21336689p21548826.html
Sent from the Radiator - General mailing list archive at Nabble.com.
More information about the radiator
mailing list