[RADIATOR] Alive\Update handlers with proxy

Heikki Vatiainen hvn at open.com.au
Tue Dec 17 08:08:49 CST 2013


On 12/17/2013 10:51 AM, eliran shlomo wrote:

> This is the trace
> 
> Correct attributes are marked in blue, wrong ones in red.

Hello Eliran,

you had marked 'Class = "ngn"' in the Access-Request with blue. The same
value also comes in with Accounting-Request and based on the debug your
hook changes it to 'Class = "safe_ngn"'. This you have marked with red
in the proxied Accounting-Request.

This is a bit confusing; I'm not sure what your desired outcome is, but
at least it looks like the hook you have does change the contents before
the request is proxied out.

Thanks,
Heikki

> please advise and many thanks!
> 
> 
> Eliran
> 
> Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> *** Received from ********** port 1812 ....
> 
> 
> Code:       Access-Request
> Identifier: 104
> Authentic:  <191><244>\<241><27><135><242><251>A^<197><247><164><237><150><250>
> Attributes:
>         User-Name = "bdynamic_test1"
>         User-Password = ;<133><181>}<24><228>E<248><19>><198>G<202><253>U<199>
>         Service-Type = Authorize-Only
>         Framed-Protocol = PPP
>         NAS-Identifier = "SE600-LAB"
>         NAS-IP-Address = ********
>         NAS-Port = 2432705629
>         NAS-Port-Type = Virtual
>         NAS-Port-Id = "L2TP LNS 9309"
>         RB-Medium-Type = DSL
>         Connect-Info = "1000000000/1000000000"
>         RB-NAS-Port = "<0><0><0><3>"
>         RB-Platform-Type = "<0><0><0><6>"
>         RB-OS-Version = "11.1.2.5"
>         Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
>         Tunnel-Type = 0:L2TP
>         Tunnel-Medium-Type = 0:IP
>         Tunnel-Server-Endpoint = *****
>         Tunnel-Client-Endpoint = *****
>         Tunnel-Server-Auth-ID = SE600-LAB
>         Tunnel-Client-Auth-ID = big-se-2-600-ptk
>         RB-Tunnel-Max-Sessions = 0:65535
>         RB-Tunnel-Max-Tunnels = 0:32767
>         RB-Tunnel-Function = 0:LNS-Only
>         Tunnel-ID = big-se-2-600-ptk:31113:11486
>         RB-LAC-Port = 1744830812
> 
> Tue Dec 17 09:27:23 2013: DEBUG: Handling request with Handler
> 'NAS-Port-Type=ADSL', Identifier ''
> Tue Dec 17 09:27:23 2013: DEBUG: RewriteFunction rewrote user name to
> bdynamic_test1
> Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthLDAP2: LDAP_User
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got result for
> uid=bdynamic_test1,ou=People,o=*****,c=****
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got chapPassword: ******
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authServiceProtocol: Framed-User
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authPortLimit: 2
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authhostporttype:
> /^(ISDN|Async|Virtual|Sync|ADSL|CABLE|HOTSPOT)$/
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RateLimitRate: 100000
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got PoliceRate: 2360
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got PoliceBurst: 12000000
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RateLimitBurst: 30000
> Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RedbackContextname: ngn
> Tue Dec 17 09:27:23 2013: DEBUG: request packet
> TEST-SE
> Tue Dec 17 09:27:23 2013: ERR: user: bdynamic_test1 Pool is empty:
> adding default to pool , set class to ngn
> Tue Dec 17 09:27:23 2013: DEBUG: Radius::AuthLDAP2 looks for match with
> bdynamic_test1 [bdynamic_test1]
> Tue Dec 17 09:27:23 2013: DEBUG: Query is: 'select NASIDENTIFIER,
> NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='bdynamic_test1'
> and ACTIVE = TRUE and NASIDENTIFIER != '*********' and NASPORT != '9309'':
> Tue Dec 17 09:27:23 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> bdynamic_test1 [bdynamic_test1]
> Tue Dec 17 09:27:23 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Tue Dec 17 09:27:23 2013: DEBUG: Access accepted for bdynamic_test1
> Tue Dec 17 09:27:23 2013: DEBUG: do query is: 'insert into RADAUTHLOG
> (HOSTNAME, NASID, TIME_STAMP, USERNAME, TYPE) values
> ('test4','********', 1387265243, 'bdynamic_test1', 1)':
> Tue Dec 17 09:27:23 2013: INFO: process
> Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> *** Sending to ********** port 1812 ....
> 
> 
> Code:       Access-Accept
> Identifier: 104
> Authentic:  LA<187><223>J<194><4><208><135><174>x<232><181><148><220><189>
> Attributes:
>         Service-Type = Framed-User
>         Port-Limit = 2
>         Ascend-Maximum-Channels = 2
>         Class = "ngn"
>         RB-Police-Rate = 2360
>         RB-Context-Name = "ngn"
>         RB-QoS-Metering-Profile-Name = "100000"
>         RB-Ip-Address-Pool-Name = "default"
> 
> Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> *** Received from ************** port 1812 ....
> 
> 
> Code:       Accounting-Request
> Identifier: 76
> Authentic:  p<167><15><12><168><212><144><12>7<223><218>%?<208><164><193>
> Attributes:
>         User-Name = "bdynamic_test1"
>         Acct-Status-Type = Alive
>         Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         RB-Acct-Update-Reason = AAA-Load-Acct-Subscriber-Reauth
>         NAS-Identifier = "SE600-LAB"
>         NAS-IP-Address = **********
>         NAS-Port = 2432705629
>         NAS-Port-Type = Virtual
>         NAS-Port-Id = "L2TP LNS 9309"
>         RB-Medium-Type = DSL
>         Connect-Info = "1000000000/1000000000"
>         RB-Platform-Type = "<0><0><0><6>"
>         RB-OS-Version = "11.1.2.5"
>         Acct-Authentic = RADIUS
>         Port-Limit = 2
>         RB-Context-Name = "safe"
>         RB-Ip-Address-Pool-Name = "default"
>         RB-Client-DNS-Pri = ******
>         RB-Client-DNS-Sec = *****
>         Framed-IP-Address = *******
>         Framed-IP-Netmask = 255.255.255.255
>         Tunnel-Type = 0:L2TP
>         Tunnel-Medium-Type = 0:IP
>         Tunnel-Server-Endpoint = *******
>         Tunnel-Client-Endpoint = ********
>         Tunnel-Server-Auth-ID = SE600-LAB
>         Tunnel-Client-Auth-ID = big-se-2-600-ptk
>         RB-Tunnel-Max-Sessions = 0:65535
>         RB-Tunnel-Max-Tunnels = 0:32767
>         RB-Tunnel-Function = 0:LNS-Only
>         Tunnel-ID = big-se-2-600-ptk:31113:11486
>         RB-LAC-Port = 1744830812
>         Acct-Session-Time = 14
>         Acct-Input-Packets = 16
>         Acct-Output-Packets = 11
>         Acct-Input-Octets = 1727
>         Acct-Output-Octets = 1081
>         Acct-Input-Gigawords = 0
>         Acct-Output-Gigawords = 0
>         RB-Acct-Input-Packets-64 = 0x10
>         RB-Acct-Output-Packets-64 = 0xb
>         RB-Acct-Input-Octets-64 = 0x6bf
>         RB-Acct-Output-Octets-64 = 0x439
>         RB-Acct-Mcast-In-Packets = 0
>         RB-Acct-Mcast-Out-Packet = 0
>         RB-Acct-Mcast-In-Octets = 0
>         RB-Acct-Mcast-Out-Octets = 0
>         RB-Acct-Mcast-In-Packets-64 = 0x0
>         RB-Acct-Mcast-Out-Packets-64 = 0x0
>         RB-Acct-Mcast-In-Octets-64 = 0x0
>         RB-Acct-Mcast-Out-Octets-64 = 0x0
>         RB-QoS-Metering-Profile-Name = "100000"
>         Class = "ngn"
>         Event-Timestamp = 1387269490
> 
> Tue Dec 17 09:27:23 2013: DEBUG: Handling request with Handler
> 'NAS-IP-Address=*****, Request-Type=Accounting-Request, Acct-Status-Type
> = /^Alive/', Identifier ''
> Tue Dec 17 09:27:23 2013: DEBUG: RewriteFunction rewrote user name to
> bdynamic_test1
> Tue Dec 17 09:27:23 2013: ERR: DA: user: bdynamic_test1 Context safe:
> setting class to safe . '_' . 'ngn'
> Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthRADIUS
> Tue Dec 17 09:27:23 2013: ERR: There is no value named ADSL for
> attribute NAS-Port-Type. Using 0.
> Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> *** Sending to proxyserver port 1813 ....
> 
> 
> Code:       Accounting-Request
> Identifier: 6
> Authentic:  4<252><29><17>z<4>}<151><21>I'fvv<153><150>
> Attributes:
>         User-Name = "bdynamic_test1"
>         Acct-Status-Type = Alive
>         Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         RB-Acct-Update-Reason = AAA-Load-Acct-Subscriber-Reauth
>         NAS-Identifier = "SE600-LAB"
>         NAS-IP-Address = ********
>         NAS-Port = 9309
>         NAS-Port-Id = "L2TP LNS 9309"
>         RB-Medium-Type = DSL
>         Connect-Info = "1000000000/1000000000"
>         RB-Platform-Type = "<0><0><0><6>"
>         RB-OS-Version = "11.1.2.5"
>         Acct-Authentic = RADIUS
>         Port-Limit = 2
>         RB-Context-Name = "safe"
>         RB-Ip-Address-Pool-Name = "default"
>         RB-Client-DNS-Pri = **********
>         RB-Client-DNS-Sec = *********
>         Framed-IP-Address = **********
>         Framed-IP-Netmask = 255.255.255.255
>         Tunnel-Type = 0:L2TP
>         Tunnel-Medium-Type = 0:IP
>         Tunnel-Server-Endpoint = ******
>         Tunnel-Client-Endpoint = ********
>         Tunnel-Server-Auth-ID = SE600-LAB
>         Tunnel-Client-Auth-ID = big-se-2-600-ptk
>         RB-Tunnel-Max-Sessions = 0:65535
>         RB-Tunnel-Max-Tunnels = 0:32767
>         RB-Tunnel-Function = 0:LNS-Only
>         Tunnel-ID = big-se-2-600-ptk:31113:11486
>         RB-LAC-Port = 1744830812
>         Acct-Session-Time = 14
>         Acct-Input-Packets = 16
>         Acct-Output-Packets = 11
>         Acct-Input-Octets = 1727
>         Acct-Output-Octets = 1081
>         Acct-Input-Gigawords = 0
>         Acct-Output-Gigawords = 0
>         RB-Acct-Input-Packets-64 = 0x10
>         RB-Acct-Output-Packets-64 = 0xb
>         RB-Acct-Input-Octets-64 = 0x6bf
>         RB-Acct-Output-Octets-64 = 0x439
>         RB-Acct-Mcast-In-Packets = 0
>         RB-Acct-Mcast-Out-Packet = 0
>         RB-Acct-Mcast-In-Octets = 0
>         RB-Acct-Mcast-Out-Octets = 0
>         RB-Acct-Mcast-In-Packets-64 = 0x0
>         RB-Acct-Mcast-Out-Packets-64 = 0x0
>         RB-Acct-Mcast-In-Octets-64 = 0x0
>         RB-Acct-Mcast-Out-Octets-64 = 0x0
>         RB-QoS-Metering-Profile-Name = "100000"
>         Class = "safe_ngn"
>         Event-Timestamp = 1387269490
>         NAS-Port-Type = ADSL
>         Timestamp = 1387265243
>         Acct-Delay-Time = 0
> 
> Tue Dec 17 09:27:23 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> Tue Dec 17 09:27:23 2013: DEBUG: Accounting accepted
> Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> *** Sending to *********** port 1812 ....
> 
> 
> Code:       Accounting-Response
> Identifier: 76
> Authentic:  <15>v<16><224>`<211><179>2<153>=<154><218><10><147>+<219>
> Attributes:
> 
> Tue Dec 17 09:27:23 2013: DEBUG: Received reply in AuthRADIUS for req 6
> from ********:1813
> Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> *** Received from ******** port 1813 ....
> 
> 
> Code:       Accounting-Response
> Identifier: 6
> Authentic:  r<206><143>zr<5><170><5>L<12><30><227>B<214><210><13>
> Attributes:
> 
> 
> proxyhook.pl
> 
> 
> sub {
>     # PreAuthHook: $_[0] is a reference to the current request. AuthBy RADIUS
>     # builds the proxied request from this same object, so any change_attr()
>     # done here is what the proxy receives.
>     my $p = ${$_[0]};
> 
>     # Accounting packets may lack some of these attributes; default to ''
>     # so lc() does not warn on undef. Values are lower-cased once here, so
>     # the patterns below only need lower-case alternatives.
>     my $context = lc($p->get_attr('RB-Context-Name') // '');
>     my $class   = lc($p->get_attr('Class') // '');
>     my $pool    = lc($p->get_attr('RB-Ip-Address-Pool-Name') // '');
>     my $usern   = $p->get_attr('User-Name') // '';
> 
>     if ( $context =~ /^(gamer|safe|ngn|big)$/ ) {
> 
>         if ( $pool =~ /^(ngn|xngn)$/ ) {
>             if ( $context eq 'gamer' ) {
>                 my $newclass = $context . '_ngn';
>                 $p->change_attr('Class', $newclass);
>                 &main::log($main::LOG_ERR, "DA: user: $usern Context gamer: setting class to $newclass");
>             }
>         } elsif ( $class =~ /^(ngn|xngn)$/ ) {
>             if ( $context eq 'gamer' || $context eq 'safe' ) {
>                 # Build the value first: a '.' concatenation written inside a
>                 # double-quoted string is not evaluated, which is why the log
>                 # above read "safe . '_' . 'ngn'" instead of "safe_ngn".
>                 my $newclass = $context . '_ngn';
>                 $p->change_attr('Class', $newclass);
>                 &main::log($main::LOG_ERR, "DA: user: $usern Context $context: setting class to $newclass");
>             }
>         } elsif ( $class =~ /^(default|safe)$/ ) {
>             $p->change_attr('Class', $context);
>             &main::log($main::LOG_ERR, "DA: user: $usern Class $class pool default: setting class to $context");
>         } elsif ( $class eq 'ngn' ) {
>             # Never reached: 'ngn' already matched the /^(ngn|xngn)$/ branch above.
>             $p->change_attr('Class', 'ngn');
>             &main::log($main::LOG_ERR, "DA: user: $usern Class $class pool default: setting class to ngn");
>         } elsif ( $context eq 'gamer' ) {
>             $p->change_attr('Class', $context);
>             &main::log($main::LOG_ERR, "DA: user: $usern Context&pool gamer: setting class to $context");
>         } elsif ( $context eq 'big' ) {
>             $p->change_attr('Class', 'gamer');
>             &main::log($main::LOG_ERR, "DA: user: $usern Context big: setting class to gamer");
>         }
>     }
> }
> 
> 
> On Dec 16, 2013 5:08 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
> 
>     On 12/16/2013 03:44 PM, eliran shlomo wrote:
> 
>     > I have a proxy RADIUS that receives different attributes than the NAS.
>     >
>     > When I change an attribute in the LDAP and tell the NAS to get an
>     > update, the NAS receives all updated values, but the values that are
>     > sent to the proxy contain old data.
> 
>     Hello Eliran,
> 
>     are you changing $p (the current request) in the hook? $p is what the
>     outgoing request in AuthBy RADIUS is based on.
> 
>     It's a bit hard to say more without Trace 4 logs and the hook.
> 
>     Thanks,
>     Heikki
> 
> 
>     > please advise.
>     >
>     > Thanks,
>     >
>     > Eliran
>     >
>     > The AuthBy look like this
>     >
>     > <AuthBy RADIUS>
>     >         Identifier ProxyAccounting
>     >         Host x.x.x.x
>     >         NoForwardAuthentication
>     >         IgnoreAccountingResponse
>     >         AcctPort 1813
>     >         FailureBackoffTime 0
>     >         Retries 1
>     >         RetryTimeout 3
>     >         Secret ******
>     > </AuthBy>
>     >
>     > And the handler looks like this
>     >
>     > <Handler NAS-IP-Address=x.x.x.x, Request-Type=Accounting-Request,
>     > Acct-Status-Type = /^Alive/>
>     >         include %{GlobalVar:CONFIGROOT}/include/RewriteUsername.inc
>     >         PreAuthHook file:"%{GlobalVar:CONFIGROOT}/include/proxyupdate.pl"
>     >         AuthBy ProxyAccounting
>     >         SessionDatabase NULL
>     >         AccountingHandled
>     >         AcctLogFileName %{GlobalVar:DETAILDIR}/%c/detail-%Y%m%d.csv
>     >         AcctLogFileFormat  \
>     >                 %{User-Name},%{Acct-Session-Id},%{Framed-IP-Address},\
>     >                 %{Calling-Station-Id},%{Called-Station-Id},%{NAS-IP-Address},\
>     >                 %{NAS-Port-Type},%{NAS-Port},%{Acct-Status-Type},\
>     >                 %{Tunnel-Server-Endpoint},%{Tunnel-Client-Endpoint},\
>     >                 %{Tunnel-Server-Auth-ID},%{Tunnel-Client-Auth-ID},\
>     >                 %{RB-Context-Name},%{Acct-Input-Octets},%{Acct-Output-Octets},\
>     >                 %{Acct-Input-Gigawords},%{Acct-Output-Gigawords},\
>     >                 %{RB-QoS-Metering-Profile-Name},%{Acct-Terminate-Cause},\
>     >                 %{Acct-Session-Time},%{Event-Timestamp},\
>     >                 %{Acct-Authentic},%{Acct-Delay-Time},\
>     >                 %{Acct-Input-Packets},%{Acct-Output-Packets},\
>     >                 %{Framed-Protocol},%{Service-Type}
>     > </Handler>
>     >
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > radiator mailing list
>     > radiator at open.com.au
>     > http://www.open.com.au/mailman/listinfo/radiator
>     >
> 
> 
>     --
>     Heikki Vatiainen <hvn at open.com.au>
> 
>     Radiator: the most portable, flexible and configurable RADIUS server
>     anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>     Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>     TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>     DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>     NetWare etc.
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

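Eliran's blue/red marking was an attempt to see, by eye, what the hook changed between the Accounting-Request received from the NAS and the copy sent to the proxy. As an added debugging aid (not part of this thread and not Radiator code), here is a Python script that reads the "Packet dump:" blocks of a Trace 4 log, pairs each received request with the next outgoing packet of the same Code, and reports which attributes were added, removed or changed in between. The log embedded in it is a constructed, abbreviated excerpt in the same format as the trace above, with placeholder peer addresses; the attribute values were chosen to mirror what the real trace shows (Class rewritten by the hook, NAS-Port and NAS-Port-Type altered on the way out, Timestamp added). Run it against a real Trace 4 file by passing the file's contents to proxy_rewrites().

```python
"""Diff the attributes of a received request against the copy Radiator
proxies onward, read straight from a Trace 4 log's 'Packet dump:' blocks."""
import re
from typing import Dict, List

# Constructed sample (not the thread's real trace): two abbreviated packet
# dumps in Radiator's Trace 4 format, with placeholder peer addresses.
SAMPLE_LOG = """\
Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1812 ....

Code:       Accounting-Request
Identifier: 76
Attributes:
        User-Name = "bdynamic_test1"
        Acct-Status-Type = Alive
        NAS-Port = 2432705629
        NAS-Port-Type = Virtual
        RB-Context-Name = "safe"
        Class = "ngn"

Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthRADIUS
Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
*** Sending to proxyserver port 1813 ....

Code:       Accounting-Request
Identifier: 6
Attributes:
        User-Name = "bdynamic_test1"
        Acct-Status-Type = Alive
        NAS-Port = 9309
        RB-Context-Name = "safe"
        Class = "safe_ngn"
        NAS-Port-Type = ADSL
        Timestamp = 1387265243
"""

_HDR_RE = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
_ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")


def parse_packet_dumps(log_text: str) -> List[dict]:
    """One dict per 'Packet dump:' block. attrs maps name -> list of values,
    because RADIUS allows the same attribute to appear more than once."""
    packets: List[dict] = []
    cur, in_attrs = None, False
    for line in log_text.splitlines():
        hdr = _HDR_RE.match(line)
        if line.endswith("Packet dump:"):
            cur = {"direction": None, "peer": None, "code": None, "attrs": {}}
            packets.append(cur)
            in_attrs = False
        elif cur is None:
            continue
        elif hdr:
            cur["direction"] = "in" if hdr.group(1) == "Received from" else "out"
            cur["peer"] = hdr.group(2)
        elif line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs:
            m = _ATTR_RE.match(line)
            if m:  # drop the quotes Radiator prints around string values
                cur["attrs"].setdefault(m.group(1), []).append(m.group(2).strip('"'))
            else:  # a blank or unindented line ends the attribute list
                in_attrs, cur = False, None
    return packets


def diff_attrs(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> dict:
    """Attributes added, removed or changed between two packets."""
    out = {"added": {}, "removed": {}, "changed": {}}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            out["added"][name] = after[name]
        elif name not in after:
            out["removed"][name] = before[name]
        elif before[name] != after[name]:
            out["changed"][name] = (before[name], after[name])
    return out


def proxy_rewrites(log_text: str) -> List[dict]:
    """Pair each received request with the next outgoing packet of the same
    Code (the proxied copy) and report what changed in between."""
    pairs = []
    packets = parse_packet_dumps(log_text)
    for i, pkt in enumerate(packets):
        if pkt["direction"] != "in":
            continue
        for nxt in packets[i + 1:]:
            if nxt["direction"] == "out" and nxt["code"] == pkt["code"]:
                pairs.append({"code": pkt["code"], "from": pkt["peer"],
                              "to": nxt["peer"], **diff_attrs(pkt["attrs"], nxt["attrs"])})
                break
    return pairs


if __name__ == "__main__":
    for r in proxy_rewrites(SAMPLE_LOG):
        print(r["code"], r["from"], "->", r["to"], r["changed"], r["added"], r["removed"])
```

On the sample this reports Class changing from ngn to safe_ngn (the hook's doing), NAS-Port and NAS-Port-Type changing on the way out (which is also where the "no value named ADSL" error in the trace comes from), and Timestamp being added by Radiator. Replies are not paired with requests because their Code differs, so only the proxied copy is compared.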

