[RADIATOR] AcctInsertQuery for Authby RADIUS

Michael ringo at vianet.ca
Wed Feb 16 08:10:28 CST 2011


You mentioned you wanted to '... log the RADIUS accounting records locally ... for realms that need to be authenticated by another RADIUS server'.  I don't think you can actually Authenticate your accounting start/stops as the password is not included in the packet.  If accounting is coming into your radius server, the authentication has already happened by this point.  You need to ether accept it, or don't.

But, I assume you mean authenticate the Realm, and except ALL accounting that may shows up for that Realm.  Keep in mind, that if authentication happens elsewhere, and accounting shows up here, it will be logged regardless of your <AuthBy RADIUS>.

I like to configure all clauses separately, and call them with identifiers. I find it makes the config easier to look at, and later you can call the same AuthBy if you want. but that's personal preference.

So, modifying Remo's example a bit:
<AuthBy SQL>
	Identifier SQL-acct-logging
	DBSource        ...
	DBUsername      ...
	DBAuth          ...

	AcctInsertQuery ...
	AcctColumnDef ...
</AuthBy SQL>

<AuthBy RADIUS>
	Identifier RADIUS-auth-proxy
	<Host XYZ>
		...
	</HOST>
</AuthBy RADIUS>


Then call them in the Handler. again, i like to separate so you can see exactly what would happen when a packet is processed:
<Handler Realm=jeff.com, Request-Type=Access-Request>
	...

	AuthByPolicy 	ContinueUntilAccept
  	AuthBy RADIUS-auth-proxy

	# you may want some sort of AuthLog here to.
	AuthLog ...

  	...
</Handler>
<Handler Realm=jeff.com, Request-Type=Accounting-Request, Acct-Status-Type = Start|Stop|Alive>
	...

	# AuthByPolicy (blank) means process all AuthBy's
	AuthByPolicy
  	AuthBy SQL-acct-logging
	AuthBy you-could-have-another-log-aswell

  	...
</Handler>


Michael


On 11-02-16 02:53 AM, Ryter Remo wrote:
> Hi Jeff,
>
> What you can do is to combine both AuthBy clauses into an<AuthBy GROUP>  and simply put one after the other.
>
> It would be something like this:
>
> <AuthBy GROUP>
> 	Identifier My_Group
>
> 	# carefully with this, ensure that
> 	# your AuthBy SQL will return ACCEPT
> 	AuthByPolicy ContinueWhileAccept
>
> 	<AuthBy SQL>
> 		DBSource        ...
> 		DBUsername      ...
> 		DBAuth          ...
>
> 		# This select has to succeed in order
> 		# to return an ACCEPT (which is needed
> 		# to continue to the AuthBy RADIUS)
> 		# TIP: when there is no PASSWORD (NULL)
> 		# in the selected record, then it's accepted
> 		# no matter which password is provided
> 		# in the request
> 		AuthSelect select PASSWORD from ...
>
> 		# now simply define your stuff
> 		AcctColumnDef ...
> 	</AuthBy SQL>
>
> 	<AuthBy RADIUS>
> 		<Host XYZ>
> 			...
> 		</HOST>
> 	</AuthBy RADIUS>
> </AuthBy>
>
> Now you can use this AuthBy GROUP inside your handlers:
>
> <Handler Realm=jeff.com>
> 	...
> 	
> 	AuthBy My_Group
>
> 	...
> </Handler>
>
> Hope that helped!
>
> Cheers,
> --Remo
>
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Jeffrey Lee
> Sent: Mittwoch, 16. Februar 2011 08:33
> To: Michael
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] AcctInsertQuery for Authby RADIUS
>
> I tried adding<AuthBy SQL>  after<AuthBy RADIUS>  but as soon as
> <AuthBy RADIUS>  is executed,<AuthBy SQL>  will not be executed.
>
> Can you actually place<AuthBy SQL>  within a<AuthBy RADIUS>?
>
> What I'm trying to achieve is to log the RADIUS accounting records
> locally (start, stop&  alive) for realms that need to be authenticated
> by another RADIUS server. How can I achieve that?
>
>
> On Wed, Feb 16, 2011 at 11:26 AM, Michael<ringo at vianet.ca>  wrote:
>> AcctInsertQuery is for the<AuthBy SQL>  section.  it sounds like your trying
>> to use it inside or around an<AuthBy RADIUS>.  It doesn't work that way.
>> You need to setup an<AuthBy SQL>  section where the AcctInsertQuery will be
>> inside your<AuthBy RADIUS>  or i prefer configuring it outside and calling
>> it inside via AuthBy (Identifier).
>>
>> Without a config sample though, ...can only speculate.
>>
>> Michael
>>
>>
>> On 11-02-15 07:35 PM, Jeffrey Lee wrote:
>>>
>>> How do I log all accounting records locally (to a SQL DB) before
>>> proxy-forwarding to the respective RADIUS server?
>>> I know that I can log the accounting records locally but what I want
>>> is to insert the accounting record into a SQL database.
>>>
>>> I've tried adding AcctInsertQuery between<Authby RADIUS>    tags, but
>>> I'm getting this error when I started radiusd.
>>> "Wed Feb 16 10:24:07 2011: ERR: Unknown keyword 'AcctInsertQuery' in
>>> C:\Program Files\Radiator\radius.cfg line 268"
>>>
>>> Really need help with this! Thanks
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>


More information about the radiator mailing list