[RADIATOR] Forwarding Radius Accounting Records to Multiple Authby statements.
Hugh Irvine
hugh at open.com.au
Wed Feb 24 04:05:23 CST 2010
Hello Simon -
As authentication and accounting are separate operations, you cannot do special things with accounting after the authentication has happened.
The way to get around this is to use the Class attribute to carry information from the authentication that will subsequently be included in the accounting.
And note that you appear to have a loop in your AuthBy naming.
So you should do something like this:
.....
<AuthBy SQL>
Identifier AuthDB
DBSource dbi:mysql:authdb:localhost:3306
DBUsername username
DBAuth passsword
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, Service-Type, reply
AuthColumnDef 2, Framed-Protocol, reply
AuthColumnDef 3, Framed-MTU, reply
AuthColumnDef 4, Framed-IP-Address, reply
AuthColumnDef 5, Framed-IP-Netmask,reply
AuthColumnDef 6, Framed-Route,reply
AuthColumnDef 7, Framed-Route,reply
AuthColumnDef 8, Filter-Id,reply
AuthColumnDef 9, Filter-Id,reply
AuthColumnDef 10, cisco-avpair, reply
AuthColumnDef 11, cisco-avpair, reply
AuthColumnDef 12, cisco-avpair, reply
AuthColumnDef 13, cisco-avpair, reply
AuthSelect select PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_MTU, IP_ADDRESS, NETMASK, FRAMED_ROUTE, FRAMED_ROUTE2, FILTERIN, FILTEROUT, AVPAIR1, AVPAIR2, AVPAIR3, AVPAIR4 from adslusers where '%n' LIKE CONCAT(USERNAME,'@%') and NEWACCT='0'
NoDefault
</AuthBy>
<AuthBy SQL>
Identifier SQLAcct
DBAuth password
DBSource dbi:mysql:SQLaccounting:localhost:3306
DBUsername username
AuthSelect
AccountingTable freeway_acct
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLERID,Calling-Station-Id
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef TUNNELSEREND,Tunnel-Server-Endpoint
AcctColumnDef TUNNELCLIEND,Tunnel-Client-Endpoint
AcctColumnDef TUNNELTYPE,Tunnel-Type
AcctColumnDef TUNNELSERAUTH,Tunnel-Server-Auth-ID
AcctColumnDef TUNNELID,Tunnel-ID
</AuthBy>
<AuthBy GROUP>
Identifier AuthDBorProxy
AuthByPolicy ContinueAlways
AuthBy SQLAcct
AuthBy AuthDB
</AuthBy>
<AuthBy RADIUS>
Identifier NEW_ACCT
Host 10.2.2.2
LocalAddress 10.1.1.1
Secret xxxx
AuthPort 1812
AcctPort 1813
AddToReply Class = NEW_ACCT
</AuthBy>
<Handler Realm=adsl.domain.tld, Class = NEW_ACCT>
AuthBy NEW_ACCT
PacketTrace
</Handler>
<Handler Realm=adsl.domain.tld>
AuthByPolicy ContinueWhileReject
AuthBy AuthDBorProxy
AuthBy NEW_ACCT
PacketTrace
</Handler>
hope that helps
regards
Hugh
On 24 Feb 2010, at 19:32, Simon Dixon wrote:
>
> Guys, I have an interesting issue that I am having issues resolving; I'm pretty sure I am missing something but not sure what.
>
> Some brief history to start with. We are an ISP migrating to a new accounting package. This accounting package has an in-built RADIUS server, and as we provide tails to other companies we are going to keep Radiator as our primary RADIUS server that our NASes talk directly to, so based on realm it can hand off the requests to other RADIUS servers or authenticate them itself. For our primary realms we are moving the authentication to this new accounting package, so Radiator will be proxying this traffic. Due to some other complications we are doing a staged migration, and have a SQL field in our existing AuthBy statement saying if it should auth the user or reject them, based on it being 0 or 1; if 1, then the request flows through to the new accounting package via a RADIUS proxy AuthBy.
>
> The issue I am having is the accounting records do not flow through, so the new accounting package does not see the start/alive/stop records which it requires.
>
> We are running Radiator 4.3.1; below are the relevant bits of the config. Can anybody point me in the right direction?
>
> thanks in advance.
>
> Simon.
>
> ------
>
> <AuthBy SQL>
> Identifier AuthDB
> DBSource dbi:mysql:authdb:localhost:3306
> DBUsername username
> DBAuth passsword
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, Service-Type, reply
> AuthColumnDef 2, Framed-Protocol, reply
> AuthColumnDef 3, Framed-MTU, reply
> AuthColumnDef 4, Framed-IP-Address, reply
> AuthColumnDef 5, Framed-IP-Netmask,reply
> AuthColumnDef 6, Framed-Route,reply
> AuthColumnDef 7, Framed-Route,reply
> AuthColumnDef 8, Filter-Id,reply
> AuthColumnDef 9, Filter-Id,reply
> AuthColumnDef 10, cisco-avpair, reply
> AuthColumnDef 11, cisco-avpair, reply
> AuthColumnDef 12, cisco-avpair, reply
> AuthColumnDef 13, cisco-avpair, reply
> AuthSelect select PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_MTU, IP_ADDRESS, NETMASK, FRAMED_ROUTE, FRAMED_ROUTE2, FILTERIN, FILTEROUT, AVPAIR1, AVPAIR2, AVPAIR3, AVPAIR4 from adslusers where '%n' LIKE CONCAT(USERNAME,'@%') and NEWACCT='0'
> NoDefault
> </AuthBy>
>
>
> <AuthBy SQL>
> Identifier SQLAcct
> DBAuth password
> DBSource dbi:mysql:SQLaccounting:localhost:3306
> DBUsername username
> AuthSelect
> AccountingTable freeway_acct
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef CALLERID,Calling-Station-Id
> AcctColumnDef CALLEDSTATIONID,Called-Station-Id
> AcctColumnDef TUNNELSEREND,Tunnel-Server-Endpoint
> AcctColumnDef TUNNELCLIEND,Tunnel-Client-Endpoint
> AcctColumnDef TUNNELTYPE,Tunnel-Type
> AcctColumnDef TUNNELSERAUTH,Tunnel-Server-Auth-ID
> AcctColumnDef TUNNELID,Tunnel-ID
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier AuthDB
> AuthByPolicy ContinueAlways
> AuthBy SQLAcct
> AuthBy AuthDB
> </AuthBy>
>
> <AuthBy RADIUS>
> Identifier NEW_ACCT
> Host 10.2.2.2
> LocalAddress 10.1.1.1
> Secret xxxx
> AuthPort 1812
> AcctPort 1813
> </AuthBy>
>
> <Handler Realm=adsl.domain.tld>
> AuthByPolicy ContinueWhileReject
> AuthBy AuthDB
> AuthBy NEW_ACCT
> PacketTrace
> </Handler>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
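
A simplified model of the flow discussed in this thread, added here as an illustration; it is not Radiator code and not part of the original messages. It compares the single-handler layout from the question with the two-handler layout from the reply, and shows why the accounting for a migrated user only reaches NEW_ACCT once the Class attribute links it back to the authentication. The user names, the MIGRATED table and the assumption that the local SQL accounting step always accepts are constructed for the example.

```python
# Simplified model of handler selection and AuthBy chaining; not Radiator code.
REALM = "adsl.domain.tld"

# Handlers in config-file order; the first whose check items all match wins.
HANDLERS_WITH_CLASS = [
    ({"Realm": REALM, "Class": "NEW_ACCT"}, ["NEW_ACCT"]),
    ({"Realm": REALM}, ["AuthDBorProxy", "NEW_ACCT"]),
]
# The single-handler layout from the question, for comparison.
HANDLERS_ORIGINAL = [({"Realm": REALM}, ["AuthDBorProxy", "NEW_ACCT"])]

MIGRATED = {"alice": True, "bob": False}  # constructed NEWACCT flags


def select_chain(handlers, request):
    """Return the AuthBy chain of the first handler matching the request."""
    for checks, chain in handlers:
        if all(request.get(k) == v for k, v in checks.items()):
            return chain
    return []


def run_chain(chain, request):
    """ContinueWhileReject: stop at the first AuthBy that does not reject."""
    is_acct = request["Code"] == "Accounting-Request"
    for auth_by in chain:
        if auth_by == "AuthDBorProxy":
            # Assumption: accounting is always accepted locally (written to
            # SQL); authentication is rejected only for migrated users.
            if is_acct or not MIGRATED[request["User"]]:
                return auth_by, {}
        else:
            # NEW_ACCT proxy; AddToReply tags the Access-Accept with Class.
            return auth_by, ({} if is_acct else {"Class": "NEW_ACCT"})
    return None, {}


def session(handlers, user):
    """Return (who authenticated the user, who received the accounting)."""
    access = {"Code": "Access-Request", "Realm": REALM, "User": user}
    auth_target, reply = run_chain(select_chain(handlers, access), access)
    # The NAS copies any Class from the Access-Accept into its accounting.
    acct = {"Code": "Accounting-Request", "Realm": REALM, "User": user, **reply}
    acct_target, _ = run_chain(select_chain(handlers, acct), acct)
    return auth_target, acct_target
```
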