[RADIATOR] Handler type Stop/Alive distinguished processing
Thomas Kurian
thomas at kccg.com
Thu Apr 4 13:12:57 CDT 2013
Thanks Michael,
It is working now. Thank you very much for your advice.
Best Regards,
Thomas Kurian
IT Security Engineer (B.Tech. -- Electrical)
Kuwaiti Canadian Consulting Group (www.kccg.com)
T: +965 22435566
F: +965 22415149
E: thomas at kccg.com
On 4/4/2013 8:03 PM, Michael wrote:
> it looks to me like your mixing things up making it hard for me
> personally to follow. 1 config with 1 log would be easier to follow.
> Why does the time go backwards in your log?
>
> but anyways, i think what you want to do is process Alive packets and
> Stop packets separately, and ignore Start packets but then you talk
> about "Start packets are not processed" so i'm not sure what you
> want. Also, if your device is sending start packets and you are
> ignoring them, the device (depending on what device it is) may mark
> your radius servers dead.
>
> So, it's really quite simple:
> <Handler Request-Type = "Accounting-Request", Acct-Status-Type = Alive>
> ...
> </Handler>
> <Handler Request-Type = "Accounting-Request", Acct-Status-Type = Stop>
> ...
> </Handler>
>
> Sounds like maybe you're just making it more complicated than it is.
>
>
>
> On 04/04/13 06:30 AM, Thomas Kurian wrote:
>> Hi Mike and friends,
>> As advised by you , i have attached the configuration file & debug
>> logs. I want to process both alive and stop packets but with separate
>> handlers. What i notice from the logs is that the handler which is
>> first positioned is the only handler which is processed the rest of
>> the handlers are ignored. Let me explain it.
>> If handler stop is positioned first, only stop packets are processed
>> , Alive and Start packets are not processed , even if it is received.
>> I tried it vice versa also,in this case all accounting packets were
>> processed but the handler stop was ignored.
>> I also tried replacing Handler-Request-Type=Accounting-Request with
>> Handler-Status-Type=Alive , but no luck.
>>
>> How to resolve this issue , i require both the handlers to process
>> the respective packets contents when each of the kind is received by
>> radiator from the NAS. Please help me out.
>>
>>
>>
>> _Error debug log (Handler Stop is postioned first in the config file)
>> _Note:(only stop packets received were processed , Alive packets were
>> ignored , since handler-request-type=accounting request could not be
>> found)_
>> _Thu Apr 4 12:46:57 2013: WARNING: Could not find a handler for
>> 99047799: request is ignored
>> Thu Apr 4 12:46:57 2013: DEBUG: Packet dump:
>> *** Received from 10.50.1.4 port 1646 ....
>> Code: Accounting-Request
>> Identifier: 222
>> Authentic:
>> <239><6><165>+<223><146><185><162><255>\<165><24>r<247><255><222>
>> Attributes:
>> Acct-Session-Id = "002FD66A"
>> cisco-Policy-Up = "10Mbps"
>> cisco-Policy-Down = "10Mbps"
>> Framed-Protocol = PPP
>> Framed-IP-Address = 94.187.154.249
>> User-Name = "66555525"
>> cisco-avpair = "connect-progress=LAN Ses Up"
>> cisco-avpair = "nas-tx-speed=1000000000"
>> cisco-avpair = "nas-rx-speed=1000000000"
>> Acct-Session-Time = 10820
>> Acct-Input-Octets = 155877791
>> Acct-Output-Octets = 1691878933
>> Acct-Input-Packets = 1089024
>> Acct-Output-Packets = 1669389
>> Acct-Authentic = RADIUS
>> Acct-Status-Type = Alive
>> NAS-Port-Type = Virtual
>> NAS-Port = 0
>> NAS-Port-Id = "0/0/0/666"
>> cisco-avpair = "client-mac-address=dc9f.db2e.e52f"
>> Class =
>> "<153>3<1><8>66555525<21><4><132><28>Y<0>3<4><3><0><0><0>3<4><7><0><0><0>3<4><6><0><0><0>1<16>59d88f5c08487260"
>> Service-Type = Framed-User
>> NAS-IP-Address = 10.50.1.4
>> Event-Timestamp = 1365068817
>> NAS-Identifier = "DC-ISG2-Flash.wimd.kw"
>> Acct-Delay-Time = 0
>>
>> Thu Apr 4 12:46:57 2013: WARNING: Could not find a handler for
>> 66555525: request is ignored
>> _Error debug log (Handler Stop is positioned second in the config
>> file after Handler-Request-Type=Accounting-Request)_
>> (Note: Stop packets were processed with
>> Handler-Request-Type=Accounting-Request and not Handler-Status-Type=Stop)
>> Thu Apr 4 12:37:31 2013: DEBUG: Packet dump:
>> *** Received from 10.50.1.4 port 1646 ....
>> Code: Accounting-Request
>> Identifier: 29
>> Authentic: #<144>`<139><161><219><154><190><0>><<161><252>C<220>T
>> Attributes:
>> Acct-Session-Id = "002FD585"
>> cisco-Policy-Up = "6Mbps"
>> cisco-Policy-Down = "6Mbps"
>> Framed-Protocol = PPP
>> Framed-IP-Address = 94.187.154.236
>> cisco-avpair = "ppp-disconnect-cause=Missed too many keepalives"
>> User-Name = "65002914"
>> Acct-Authentic = RADIUS
>> cisco-avpair = "connect-progress=LAN Ses Up"
>> cisco-avpair = "nas-tx-speed=1000000000"
>> cisco-avpair = "nas-rx-speed=1000000000"
>> Acct-Session-Time = 11448
>> Acct-Input-Octets = 28654436
>> Acct-Output-Octets = 160823960
>> Acct-Input-Packets = 88318
>> Acct-Output-Packets = 141945
>> Acct-Terminate-Cause = Port-Error
>> cisco-avpair = "disc-cause-ext=TCP Foreign Host Close"
>> Acct-Status-Type = Stop
>> NAS-Port-Type = Virtual
>> NAS-Port = 0
>> NAS-Port-Id = "0/0/0/666"
>> cisco-avpair = "client-mac-address=e046.9a3b.c135"
>> Class =
>> "<153>3<1><8>65002914<21><4><171><144><212><0>3<4><6><0><0><0>3<4><16><0><0><0>3<4><3><0><0><0>1<16>8f9c5c39dc74286f"
>> Service-Type = Framed-User
>> NAS-IP-Address = 10.50.1.4
>> Event-Timestamp = 1365068251
>> NAS-Identifier = "DC-ISG2-Flash.wimd.kw"
>> Acct-Delay-Time = 0
>>
>> Thu Apr 4 12:37:31 2013: DEBUG: Handling request with Handler
>> 'Request-Type = Accounting-Request', Identifier ''
>> Thu Apr 4 12:37:31 2013: DEBUG: tamesql Deleting session for
>> 65002914, 10.50.1.4, 0
>> Thu Apr 4 12:37:31 2013: DEBUG: do query to 'dbi:ODBC:IRONMAN':
>> 'delete from RADONLINE where NASIDENTIFIER='10.50.1.4' and NASPORT=00':
>> Thu Apr 4 12:37:31 2013: DEBUG: Handling with Radius::AuthSQL: thomas
>> Thu Apr 4 12:37:31 2013: DEBUG: Handling accounting with Radius::AuthSQL
>> Thu Apr 4 12:37:31 2013: DEBUG: do query to 'dbi:ODBC:IRONMAN':
>> 'update quotasubscribers set monthlycounter = 160823960, totalcounter
>> = 160823960, timestamp = 13650682
>> 51 where username='65002914' And Type = 'Q'':
>> Thu Apr 4 12:37:31 2013: DEBUG: AuthBy SQL result: ACCEPT,
>> Thu Apr 4 12:37:31 2013: DEBUG: Running PostAuthHook: Using Identifier
>>
>> Thu Apr 4 12:37:31 2013: DEBUG: Running PostAuthHook sql query check
>> for :
>> 65002914
>> Thu Apr 4 12:37:31 2013: DEBUG: Query to 'dbi:ODBC:IRONMAN': 'select
>> username from quotasubscribers where switched = 0 and type = 'Q' and
>> monthlycounter >= maxquota ':
>> Thu Apr 4 12:37:31 2013: DEBUG: The user 65002914 either has not yet
>> exceeded allocated quota or isnt a quota based user
>> Thu Apr 4 12:37:31 2013: DEBUG: Accounting accepted
>> Thu Apr 4 12:37:31 2013: DEBUG: Packet dump:
>> *** Sending to 10.50.1.4 port 1646 ....
>> Code: Accounting-Response
>> Identifier: 29
>> Authentic: (e<12>Z<183>bS<24>*-_<150><4>'<130><238>
>> Attributes:
>>
>> *_Radiator Config file_*
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>> # Use a low trace level in production systems. Increase
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>> Trace 4
>>
>> # You will probably want to add other Clients to suit your work site,
>>
>> <Client DEFAULT>
>> Secret XXXXXXXXXX
>> DupInterval 0
>> </Client>
>>
>>
>> <Client 10.50.1.4>
>> Secret XXXXXXXXXX
>> DupInterval 0
>> NasType Cisco
>> IgnoreAcctSignature
>> </Client>
>>
>> # Accept processing of other accounting requests of the genre Stop
>>
>> <Handler Acct-Status-Type = Stop>
>> <AuthBy SQL>
>> Identifier thomas
>> DBSource dbi:ODBC:IRONMAN
>> DBUsername XXXXXXXX
>> DBAuth WXXXXXXXXX
>>
>>
>> AccountingStopsOnly
>> AccountingTable ACCOUNTING
>> AcctColumnDef USERNAME, User-Name
>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>> AcctColumnDef TIME_STAMP,Event-Timestamp,integer-date
>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>> AcctColumnDef NASPORT,NAS-Port,integer
>> </Handler>
>>
>> <SessionDatabase SQL>
>> # This SessionDatabase clause can be used to insert value of extra
>> desired field for future development
>>
>> Identifier tamesql
>> DBSource dbi:ODBC:IRONMAN
>> DBUsername XXXXXXXXXXX
>> DBAuth XXXXX
>>
>> </SessionDatabase>
>>
>>
>> # Accept processing of other accounting requests of the genre Alive
>> interim updates
>> <Handler Request-Type = Accounting-Request>
>> <AuthBy SQL>
>> Identifier thomas
>> DBSource dbi:ODBC:IRONMAN
>> DBUsername XXXXXXXXXXX
>> DBAuth XXXXXXXXXX
>>
>>
>> AcctSQLStatement update quotasubscribers set
>> monthlycounter = %{Acct-Output-Octets}, totalcounter =
>> %{Acct-Output-Octets}, timestamp = %{Event-Timestamp} \
>> where username='%n' \
>> And Type = 'Q'
>>
>>
>>
>> </AuthBy>
>> PostAuthHook file:"/etc/radiator/rocky.pl"
>> #Log accounting to a detail file
>> AcctLogFileName %L/detail
>>
>>
>> </Handler>
>> Requesting your kind help & cooperation,
>>
>> Thomas Kurian
>> IT Security Engineer (B.Tech. -- Electrical)
>> Kuwaiti Canadian Consulting Group (www.kccg.com)
>> T: +965 22435566
>> F: +965 22415149
>> E:thomas at kccg.com
>> On 3/27/2013 11:40 PM, Michael wrote:
>>>
>>>
>>> AuthByPolicy is only for what to do when you have multiple
>>> authby's. you only have 1 per handler here so it's irrelevant.
>>>
>>> Best to show some debug log of this in action with a start packet to
>>> figure out what's going on. the config looks like it should at
>>> least handle the start packet.
>>>
>>>
>>>
>>> On 27/03/13 03:32 PM, Thomas Kurian wrote:
>>>> Hi Mike,
>>>> Thanks for your email. Can you please tell me where exactly i have
>>>> to add "AuthByPolicy ContinueWhileIgnore"? Should it go under each
>>>> handler clause inside Authby sql?
>>>>
>>>> _My old config (which didnt work ,Start packets were never getting
>>>> processed) (this was the config i had problem a long time ago..
>>>> which lead me to ask this question)_
>>>>
>>>> AcctPort 1813
>>>>
>>>> AuthPort 1812
>>>>
>>>>
>>>>
>>>>
>>>> BindAddress 0.0.0.0
>>>>
>>>>
>>>> LogDir /var/log/radius
>>>>
>>>> DbDir /etc/radiator
>>>>
>>>> # Use a low trace level in production systems. Increase
>>>>
>>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>>>
>>>> Trace 4
>>>>
>>>> # You will probably want to add other Clients to suit your work site,
>>>>
>>>> # one for each NAS you want to work with
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> <Client DEFAULT>
>>>>
>>>> Secret xxxx
>>>>
>>>> DupInterval 0
>>>>
>>>> </Client>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> <Client 10.50.1.4>
>>>>
>>>> Secret xxx
>>>>
>>>> DupInterval 0
>>>>
>>>> NasType Cisco
>>>>
>>>> IgnoreAcctSignature
>>>>
>>>> </Client>
>>>>
>>>>
>>>>
>>>>
>>>> #For strictly processing with Accounting Stop packets
>>>>
>>>>
>>>>
>>>>
>>>> <Handler Acct-Status-Type = Stop>
>>>>
>>>>
>>>>
>>>>
>>>> <AuthBy SQL>
>>>>
>>>> Identifier Block-Quota-SQL
>>>>
>>>>
>>>>
>>>>
>>>> DBSource dbi:mysql:radius
>>>>
>>>> DBUsername xxxx
>>>>
>>>> DBAuth xxxxx
>>>>
>>>>
>>>>
>>>>
>>>> AccountingStopsOnly
>>>>
>>>> AccountingTable quotacouunter
>>>>
>>>> AuthColumnDef username,User-Name,check
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> AuthSelect select monthlycounter from quotacounter \
>>>>
>>>> where username='%n' \
>>>>
>>>> And type = 'Q'
>>>>
>>>> #AuthColumnDef 0, Session-Timeout, reply
>>>>
>>>>
>>>>
>>>>
>>>> AcctSQLStatement update quotacounter set \
>>>>
>>>> monthlycounter=monthlycounter+%{Acct-Input-Octets} \
>>>>
>>>> where username='%n' \
>>>>
>>>> And Type = 'Q'
>>>>
>>>>
>>>>
>>>>
>>>> AuthSelect select totalcounter from quotacounter \
>>>>
>>>> where username='%n' \
>>>>
>>>> And Type = 'Q'
>>>>
>>>>
>>>>
>>>>
>>>> AcctSQLStatement update quotacounter set \
>>>>
>>>> totalcounter=totalcounter+%{Acct-Input-Octets} \
>>>>
>>>> where username='%n' \
>>>>
>>>> And Type = 'Q'
>>>>
>>>>
>>>>
>>>>
>>>> PostAuthHook file:"%D/thomas.pl";
>>>>
>>>>
>>>>
>>>>
>>>> </AuthBy>
>>>>
>>>>
>>>>
>>>>
>>>> </Handler>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> # Accept processing of other accounting requests of the genre start
>>>> and interim
>>>>
>>>>
>>>>
>>>>
>>>> <Handler Request-Type = Accounting-Request>
>>>>
>>>>
>>>>
>>>> <Realm DEFAULT>
>>>>
>>>> <AuthBy SQL>
>>>>
>>>>
>>>>
>>>>
>>>> DBSource dbi:mysql:radius
>>>>
>>>> DBUsername xxxx
>>>>
>>>> DBAuth xxxx
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> AccountingTable ACCOUNTING
>>>>
>>>> AcctColumnDef USERNAME, User-Name
>>>>
>>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>>>
>>>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>>>>
>>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets
>>>>
>>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets
>>>>
>>>> AcctColumnDef TIME_STAMP,Event-Timestamp
>>>>
>>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time
>>>>
>>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time
>>>>
>>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>>>
>>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>>
>>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>>>
>>>> AcctColumnDef NASPORT,NAS-Port
>>>>
>>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>>>
>>>>
>>>>
>>>>
>>>> </AuthBy>
>>>>
>>>> # Log accounting to a detail file
>>>>
>>>> AcctLogFileName %L/detail
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> </Realm>
>>>>
>>>> </Handler>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Requesting your kind help, Thomas Kurian IT Security Engineer
>>>> (B.Tech. -- Electrical) Kuwaiti Canadian Consulting Group
>>>> (www.kccg.com) T: +965 22435566 F: +965 22415149 E: thomas at kccg.com
>>>> On 3/27/2013 8:00 PM, radiator-request at open.com.au wrote:
>>>>> Send radiator mailing list submissions to radiator at open.com.au To
>>>>> subscribe or unsubscribe via the World Wide Web, visit
>>>>> http://www.open.com.au/mailman/listinfo/radiator or, via email,
>>>>> send a message with subject or body 'help' to
>>>>> radiator-request at open.com.au You can reach the person managing the
>>>>> list at radiator-owner at open.com.au When replying, please edit your
>>>>> Subject line so it is more specific than "Re: Contents of radiator
>>>>> digest..." Today's Topics: 1. Re: Handler type Stop/Alive
>>>>> distinguished processing (Michael Newton)
>>>>> ----------------------------------------------------------------------
>>>>> Message: 1 Date: Wed, 27 Mar 2013 09:41:40 -0700 From: Michael
>>>>> Newton <mnewton at pofp.com> Subject: Re: [RADIATOR] Handler type
>>>>> Stop/Alive distinguished processing To: radiator at open.com.au
>>>>> Message-ID:
>>>>> <CADEoLhCoJHu0vQChsC5-czmG24k+kwsSnw=FzyDoVJi-bH-DCw at mail.gmail.com>
>>>>> Content-Type: text/plain; charset="utf-8" On 27 March 2013 09:29,
>>>>> <radiator-request at open.com.au> wrote:
>>>>>> My requirement is to process and handle ,Alive and Stop packet
>>>>>> separately and the configuration must be called/processed
>>>>>> separately ,each time the radiator receives it based on the Acct
>>>>>> Status type as described above. Please help me out , i could not
>>>>>> find an explanation for this anywhere and i am confused. Please
>>>>>> let me know, if you need any more specifics to help me out.
>>>>> There shouldn't be any problem with using <Handler
>>>>> Acct-Status-Type=Start>, <Handler Acct-Status-Type=Alive>, or
>>>>> <Handler Acct-Status-Type=Stop>, it is how we do accounting on our
>>>>> server. Maybe make sure you you are using "AuthByPolicy
>>>>> ContinueWhileIgnore" if you have problems with subsequent handlers
>>>>> not getting called? If that doesn't help, I'd suggest posting the
>>>>> config that doesn't work instead of the one that does; other
>>>>> people may be able to provide more suggestions. Mike
>>>>> -------------- next part -------------- An HTML attachment was
>>>>> scrubbed... URL:
>>>>> http://www.open.com.au/pipermail/radiator/attachments/20130327/ab98603b/attachment-0001.html
>>>>> ------------------------------
>>>>> _______________________________________________ radiator mailing
>>>>> list radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator End of radiator
>>>>> Digest, Vol 46, Issue 24 ****************************************
>>>>
>>>> _______________________________________________ radiator mailing
>>>> list radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20130404/3a465bcc/attachment-0001.html
More information about the radiator
mailing list