[RADIATOR] Change of Authorization

Hugh Irvine hugh at open.com.au
Wed Oct 17 17:26:22 CDT 2012


Hello Rohan -

What I described was one typical way it is done automatically, but obviously other methods are possible.

regards

Hugh


On 18 Oct 2012, at 02:49, <rohan.henry at cwjamaica.com> wrote:

> Thanks Hugh.
> 
> 
> Oh Yes! I recall there was discussion around tracking usage via interim accounting. But its an external system (linked to our billing system) that will monitor user sessions for usage thresholds and initiate the COA as well as modify the user profile in LDAP temporarily should a user reconnect.
> 
> I will need to get more feedback on how the external system will be initiating the COA (such as by bulk or single). Based on your description below it appears that COA is normally done in bulk.
> 
> Rohan.
> 
> 
> On Wed, 17 Oct 2012 08:42:00 +1100
> Hugh Irvine <hugh at open.com.au> wrote:
>> 
>> Hello Rohan -
>> 
>> See below.
>> 
>> On 17 Oct 2012, at 04:11, <rohan.henry at cwjamaica.com> wrote:
>> 
>>> Thanks Hugh, 
>>> 
>>> I will pass on your hello to Elon :). Seems like a bit of configuration.
>>> 
>>> Are you confirming that Interim-Update is required for COA? 
>> 
>> Typically you want to use COA on a session that has exceeded some limit, therefore you need to know when the session has exceeded whatever limit and take action when it happens.
>> 
>> The only way to know what is happening with an existing session using RADIUS is via interim accounting.
>> 
>>> And how is COA triggered from the Billing/Provisional system? 
>> 
>> You would have a periodic cron job or similar scan the database.
>> 
>>> Is COA described anywhere in the RADIATOR documentation? 
>> 
>> COA is supported (or not) by the NAS equipment in question, and varies from one device to another.
>> 
>> Here is the help for the "radpwtst" utility:
>> 
>> 
>> Radiator-4.10 hugh$ perl radpwtst -h
>> 
>> usage: radpwtst [-h] [-time] [-iterations n] 
>>         [-trace [level]] [-s server] [-secret secret] [-retries n]
>>         [-noauth] [-noacct][-nostart] [-nostop] [-alive] [-status] 
>>         [-chap] [-chap_nc] [-mschap] [-mschapv2] [-eapmd5] [-eapotp] [-eapgtc] [-sip] [-leap]
>>         [-motp_secret xxxxxxxxxxxxxxxx] [-eaphex xxxxxxxxxxxxx]
>>         [-accton] [-acctoff] [-framed_ip_address address]
>>         [-auth_port port] [-acct_port port] [-identifier n]
>>         [-user username] [-password password] 
>>         [-nas_ip_address address] [-nas_identifier string]
>>         [-nas_port port] [-nas_port_type type] [-service_type service] 
>>         [-calling_station_id string] [-called_station_id string] 
>>         [-session_id string] [-interactive]
>>         [-delay_time n] [-session_time n] [-input_octets n]
>>         [-output_octets n] [-timeout n] [-dictionary file,file]
>>         [-gui] [-class string] [-useoldascendpasswords]
>>         [-code requestcode] [-raw data] [-rawfile filename] 
>> 	  [-rawfileseq filename]
>>         [-outport port] [-bind_address dotted-ip-address]
>>         [-options optionfile]
>>         [attribute=value]... 
>> 
>> 
>> You would use it something like this (depending on what specific attribute-value pairs the NAS requires):
>> 
>> 
>> 	perl radpwtst -noauth -noacct -code Change-Filter-Request -s n.n.n.n -auth_port nnn -secret _the_shared_secret_ User-Name=someuser Acct-Session-Id=whatever …..
>> 
>> 
>> You will need to check your NAS documentation to verify exactly what is required, and you will need to do some experiments to discover exactly what works.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>>> 
>>> On Tue, 16 Oct 2012 13:22:48 +1100 
>>> Hugh Irvine wrote: 
>>>> 
>>>> Hello Rohan - 
>>>> 
>>>> Depending on your exact requirements, here are the various elements you'll need. 
>>>> 
>>>> 1. an SQL database for your customer records and accounting records 
>>>> 
>>>> 2. each customer record must have accounting totals updated in real time by RADIUS interim accounting requests as well as session accounting 
>>>> 
>>>> 3. when authenticating a customer (user) you need to check the current totals in the customer record and return the appropriate RADIUS reply items (ie. time remaining and/or quota limits and/or bandwidth limits) 
>>>> 
>>>> 4. a cron job to scan the customer records periodically and if a change is required to a current customer session, run a script that calls the "radpwtst" utility with whatever COA attribute-value pairs are necessary 
>>>> 
>>>> 5. an end-of-billing period cron job to reset the totals in the customer records when the new period begins 
>>>> 
>>>> Note that Radiator itself in this scenario is only required to process the RADIUS authentication requests and accounting requests, everything else is done directly on the database with scripts. 
>>>> 
>>>> hope that helps 
>>>> 
>>>> regards 
>>>> 
>>>> Hugh 
>>>> 
>>>> ps - please give my best regards to Elon Richards and his colleagues at CW Barbados 
>>>> 
>>>> 
>>>> On 16 Oct 2012, at 06:03, rohan.henry at cwjamaica.com wrote: 
>>>> 
>>>>> Michael. 
>>>>> 
>>>>> Thanks much for the start. I am going to do some further reading to see what i can come up with. I must also confirm COA support on our Juniper E320 NAS devices. 
>>>>> 
>>>>> Rohan 
>>>>> 
>>>>> 
>>>>> On Mon, 15 Oct 2012 13:34:38 -0400 
>>>>> Michael wrote: 
>>>>>> 
>>>>>> This was the hardest thing to get working and automated for me personally. I don't know if there is an easy way of doing it. I didn't find one. I accomplished it with a complicated process. It could be as simple as a script to execute "./radpwtst -s IP -code Change-Filter-Request etc....." 
>>>>>> 
>>>>>> 
>>>>>> My complicated process goes something like the following, but I would suggest making sure the above simple method works for you as I do have a couple nas's where CoA just doesn't work with the IOS that it has. 
>>>>>> 
>>>>>> - a script process that injects Change-Filter-Request packets into the radiator service, using radpwtst: 
>>>>>> push( @change_args, ( 
>>>>>> '-s', 'local radiator ip', 
>>>>>> '-code', 'Change-Filter-Request', 
>>>>>> "Timestamp=$timestamp", 
>>>>>> "NAS-IP-Address=$nas_ip", 
>>>>>> "NAS-Port=$nas_port", 
>>>>>> "Acct-Session-Id=$sess_id", 
>>>>>> "Framed-IP-Address=$ip", 
>>>>>> "Class=$class", 
>>>>>> "cisco-Policy-Up=$rate_up", 
>>>>>> "cisco-Policy-Down=$rate_down" 
>>>>>> ) 
>>>>>> 
>>>>>> - a Handler with custom Hook configured to read the cisco-Policy rate values from the injected packet, and look up the proper policy command from a radiator global variable depending on the nas-ip-address since I have multiple nas's that require different commands. 
>>>>>> eg. global variable: 
>>>>>> DefineFormattedGlobalVar 1.2.3.4-RATE100M-up ip:sub-qos-policy-in=RATE100M 
>>>>>> DefineFormattedGlobalVar 1.2.3.4-RATE100M-down ip:sub-qos-policy-out=RATE100M 
>>>>>> 
>>>>>> - add 2 "cisco-avpair" attributes to the packet with the up rate and down rate commands. These are the actual commands the NAS needs to change the rate limit. The policy must already be setup on your nas. 
>>>>>> ie: 
>>>>>> cisco-avpair="ip:sub-qos-policy-in=RATE100M" 
>>>>>> cisco-avpair="ip:sub-qos-policy-out=RATE100M" 
>>>>>> 
>>>>>> - then a custom authby that required patching to determine what nas to forward the packet to, since i have multiple nas's. Also another authby that logs this request which is not required but i wanted to log it. 
>>>>>> 
>>>>>> 
>>>>>> There's much more to it, but I don't want to get too deep here. it all pretty much revolves around building the Change-Filter-Request packet with "./radpwtst -code Change-Filter-Request" and ether send that to the nas, or inject it into radiator so you can do other things with it. 
>>>>>> 
>>>>>> 
>>>>>> Michael 
>>>>>> 
>>>>>> 
>>>>>> On 15/10/12 12:47 PM, rohan.henry at cwjamaica.com wrote: 
>>>>>>> Hello all, 
>>>>>>> 
>>>>>>> I do not see any info on the captioned in the Radiator documentation. Where do I go to see details on implementing COA? 
>>>>>>> 
>>>>>>> Thanks. 
>>>>>>> 
>>>>>>> Rohan 
>>>>>>> _______________________________________________ 
>>>>>>> radiator mailing list 
>>>>>>> radiator at open.com.au 
>>>>>>> http://www.open.com.au/mailman/listinfo/radiator 
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> Rohan Henry 
>>>>> Server Administrator 
>>>>> LIME 
>>>>> Phone (876) 936-4819 
>>>>> Mobile (876) 997-0729 
>>>>> _______________________________________________ 
>>>>> radiator mailing list 
>>>>> radiator at open.com.au 
>>>>> http://www.open.com.au/mailman/listinfo/radiator 
>>>> 
>>>> 
>>>> -- 
>>>> 
>>>> Hugh Irvine 
>>>> hugh at open.com.au 
>>>> 
>>>> Radiator: the most portable, flexible and configurable RADIUS server 
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, 
>>>> DIAMETER etc. 
>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. 
>>>> 
>>> 
>>> Rohan Henry 
>>> Server Administrator 
>>> LIME 
>>> Phone (876) 936-4819 
>>> Mobile (876) 997-0729
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
>> --
>> 
>> Hugh Irvine
>> hugh at open.com.au
>> 
>> Radiator: the most portable, flexible and configurable RADIUS server 
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. 
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> 
> 
> Rohan Henry
> Server Administrator
> LIME
> Phone (876) 936-4819
> Mobile (876) 997-0729
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.



More information about the radiator mailing list