[RADIATOR] Alive\Update handlers with proxy
eliran shlomo
eliranshlomo at gmail.com
Wed Dec 18 01:44:10 CST 2013
Hi Heikki,
The attribute in the LDAP for RB-Context-Name has changed from safe to ngn,
but in the accounting that is sent to the proxy the attribute value didn't
change:
RB-Context-Name = "safe"
The hook is acting as expected; the problem is that some of the attribute values
stay the same and some of them changed.
BR,
Eliran
On Tue, Dec 17, 2013 at 4:08 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 12/17/2013 10:51 AM, eliran shlomo wrote:
>
> > This is the trace
> >
> > Correct attributes marked in blue, wrong in red.
>
> Hello Eliran,
>
> you had marked 'Class = "ngn"' in the Access-Request with blue. The same
> value also comes in with Accounting-Request and based on the debug your
> hook changes it to 'Class = "safe_ngn"'. This you have marked with red
> in the proxied Accounting-Request.
>
> This is a bit confusing; I'm not sure what your desired outcome is, but
> at least it looks like the hook you have does change the contents before
> the request is proxied out.
>
> Thanks,
> Heikki
>
> > please advise and many thanks!
> >
> >
> > Eliran
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Received from ********** port 1812 ....
> >
> >
> > Code: Access-Request
> > Identifier: 104
> > Authentic:
> > <191><244>\<241><27><135><242><251>A^<197><247><164><237><150><250>
> > Attributes:
> > User-Name = "bdynamic_test1"
> > User-Password =
> > ;<133><181>}<24><228>E<248><19>><198>G<202><253>U<199>
> > Service-Type = Authorize-Only
> > Framed-Protocol = PPP
> > NAS-Identifier = "SE600-LAB"
> > NAS-IP-Address = ********
> > NAS-Port = 2432705629
> > NAS-Port-Type = Virtual
> > NAS-Port-Id = "L2TP LNS 9309"
> > RB-Medium-Type = DSL
> > Connect-Info = "1000000000/1000000000"
> > RB-NAS-Port = "<0><0><0><3>"
> > RB-Platform-Type = "<0><0><0><6>"
> > RB-OS-Version = "11.1.2.5"
> > Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
> > Tunnel-Type = 0:L2TP
> > Tunnel-Medium-Type = 0:IP
> > Tunnel-Server-Endpoint = *****
> > Tunnel-Client-Endpoint = *****
> > Tunnel-Server-Auth-ID = SE600-LAB
> > Tunnel-Client-Auth-ID = big-se-2-600-ptk
> > RB-Tunnel-Max-Sessions = 0:65535
> > RB-Tunnel-Max-Tunnels = 0:32767
> > RB-Tunnel-Function = 0:LNS-Only
> > Tunnel-ID = big-se-2-600-ptk:31113:11486
> > RB-LAC-Port = 1744830812
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling request with Handler
> > 'NAS-Port-Type=ADSL', Identifier ''
> > Tue Dec 17 09:27:23 2013: DEBUG: RewriteFunction rewrote user name to
> > bdynamic_test1
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthLDAP2: LDAP_User
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got result for
> > uid=bdynamic_test1,ou=People,o=*****,c=****
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got chapPassword: ******
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authServiceProtocol: Framed-User
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authPortLimit: 2
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authhostporttype:
> > /^(ISDN|Async|Virtual|Sync|ADSL|CABLE|HOTSPOT)$/
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RateLimitRate: 100000
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got PoliceRate: 2360
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got PoliceBurst: 12000000
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RateLimitBurst: 30000
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RedbackContextname: ngn
> > Tue Dec 17 09:27:23 2013: DEBUG: request packet
> > TEST-SE
> > Tue Dec 17 09:27:23 2013: ERR: user: bdynamic_test1 Pool is empty:
> > adding default to pool , set class to ngn
> > Tue Dec 17 09:27:23 2013: DEBUG: Radius::AuthLDAP2 looks for match with
> > bdynamic_test1 [bdynamic_test1]
> > Tue Dec 17 09:27:23 2013: DEBUG: Query is: 'select NASIDENTIFIER,
> > NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='bdynamic_test1'
> > and ACTIVE = TRUE and NASIDENTIFIER != '*********' and NASPORT != '9309'':
> > Tue Dec 17 09:27:23 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> > bdynamic_test1 [bdynamic_test1]
> > Tue Dec 17 09:27:23 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
> > Tue Dec 17 09:27:23 2013: DEBUG: Access accepted for bdynamic_test1
> > Tue Dec 17 09:27:23 2013: DEBUG: do query is: 'insert into RADAUTHLOG
> > (HOSTNAME, NASID, TIME_STAMP, USERNAME, TYPE) values
> > ('test4','********', 1387265243, 'bdynamic_test1', 1)':
> > Tue Dec 17 09:27:23 2013: INFO: process
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Sending to ********** port 1812 ....
> >
> >
> > Code: Access-Accept
> > Identifier: 104
> > Authentic: LA<187><223>J<194><4><208><135><174>x<232><181><148><220><189>
> > Attributes:
> > Service-Type = Framed-User
> > Port-Limit = 2
> > Ascend-Maximum-Channels = 2
> > Class = "ngn"
> > RB-Police-Rate = 2360
> > RB-Context-Name = "ngn"
> > RB-QoS-Metering-Profile-Name = "100000"
> > RB-Ip-Address-Pool-Name = "default"
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Received from ************** port 1812 ....
> >
> >
> > Code: Accounting-Request
> > Identifier: 76
> > Authentic: p<167><15><12><168><212><144><12>7<223><218>%?<208><164><193>
> > Attributes:
> > User-Name = "bdynamic_test1"
> > Acct-Status-Type = Alive
> > Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > RB-Acct-Update-Reason = AAA-Load-Acct-Subscriber-Reauth
> > NAS-Identifier = "SE600-LAB"
> > NAS-IP-Address = **********
> > NAS-Port = 2432705629
> > NAS-Port-Type = Virtual
> > NAS-Port-Id = "L2TP LNS 9309"
> > RB-Medium-Type = DSL
> > Connect-Info = "1000000000/1000000000"
> > RB-Platform-Type = "<0><0><0><6>"
> > RB-OS-Version = "11.1.2.5"
> > Acct-Authentic = RADIUS
> > Port-Limit = 2
> > RB-Context-Name = "safe"
> > RB-Ip-Address-Pool-Name = "default"
> > RB-Client-DNS-Pri = ******
> > RB-Client-DNS-Sec = *****
> > Framed-IP-Address = *******
> > Framed-IP-Netmask = 255.255.255.255
> > Tunnel-Type = 0:L2TP
> > Tunnel-Medium-Type = 0:IP
> > Tunnel-Server-Endpoint = *******
> > Tunnel-Client-Endpoint = ********
> > Tunnel-Server-Auth-ID = SE600-LAB
> > Tunnel-Client-Auth-ID = big-se-2-600-ptk
> > RB-Tunnel-Max-Sessions = 0:65535
> > RB-Tunnel-Max-Tunnels = 0:32767
> > RB-Tunnel-Function = 0:LNS-Only
> > Tunnel-ID = big-se-2-600-ptk:31113:11486
> > RB-LAC-Port = 1744830812
> > Acct-Session-Time = 14
> > Acct-Input-Packets = 16
> > Acct-Output-Packets = 11
> > Acct-Input-Octets = 1727
> > Acct-Output-Octets = 1081
> > Acct-Input-Gigawords = 0
> > Acct-Output-Gigawords = 0
> > RB-Acct-Input-Packets-64 = 0x10
> > RB-Acct-Output-Packets-64 = 0xb
> > RB-Acct-Input-Octets-64 = 0x6bf
> > RB-Acct-Output-Octets-64 = 0x439
> > RB-Acct-Mcast-In-Packets = 0
> > RB-Acct-Mcast-Out-Packet = 0
> > RB-Acct-Mcast-In-Octets = 0
> > RB-Acct-Mcast-Out-Octets = 0
> > RB-Acct-Mcast-In-Packets-64 = 0x0
> > RB-Acct-Mcast-Out-Packets-64 = 0x0
> > RB-Acct-Mcast-In-Octets-64 = 0x0
> > RB-Acct-Mcast-Out-Octets-64 = 0x0
> > RB-QoS-Metering-Profile-Name = "100000"
> > Class = "ngn"
> > Event-Timestamp = 1387269490
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling request with Handler
> > 'NAS-IP-Address=*****, Request-Type=Accounting-Request, Acct-Status-Type
> > = /^Alive/', Identifier ''
> > Tue Dec 17 09:27:23 2013: DEBUG: RewriteFunction rewrote user name to
> > bdynamic_test1
> > Tue Dec 17 09:27:23 2013: ERR: DA: user: bdynamic_test1 Context safe:
> > setting class to safe . '_' . 'ngn'
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthRADIUS
> > Tue Dec 17 09:27:23 2013: ERR: There is no value named ADSL for
> > attribute NAS-Port-Type. Using 0.
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Sending to proxyserver port 1813 ....
> >
> >
> > Code: Accounting-Request
> > Identifier: 6
> > Authentic: 4<252><29><17>z<4>}<151><21>I'fvv<153><150>
> > Attributes:
> > User-Name = "bdynamic_test1"
> > Acct-Status-Type = Alive
> > Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > RB-Acct-Update-Reason = AAA-Load-Acct-Subscriber-Reauth
> > NAS-Identifier = "SE600-LAB"
> > NAS-IP-Address = ********
> > NAS-Port = 9309
> > NAS-Port-Id = "L2TP LNS 9309"
> > RB-Medium-Type = DSL
> > Connect-Info = "1000000000/1000000000"
> > RB-Platform-Type = "<0><0><0><6>"
> > RB-OS-Version = "11.1.2.5"
> > Acct-Authentic = RADIUS
> > Port-Limit = 2
> > RB-Context-Name = "safe"
> > RB-Ip-Address-Pool-Name = "default"
> > RB-Client-DNS-Pri = **********
> > RB-Client-DNS-Sec = *********
> > Framed-IP-Address = **********
> > Framed-IP-Netmask = 255.255.255.255
> > Tunnel-Type = 0:L2TP
> > Tunnel-Medium-Type = 0:IP
> > Tunnel-Server-Endpoint = ******
> > Tunnel-Client-Endpoint = ********
> > Tunnel-Server-Auth-ID = SE600-LAB
> > Tunnel-Client-Auth-ID = big-se-2-600-ptk
> > RB-Tunnel-Max-Sessions = 0:65535
> > RB-Tunnel-Max-Tunnels = 0:32767
> > RB-Tunnel-Function = 0:LNS-Only
> > Tunnel-ID = big-se-2-600-ptk:31113:11486
> > RB-LAC-Port = 1744830812
> > Acct-Session-Time = 14
> > Acct-Input-Packets = 16
> > Acct-Output-Packets = 11
> > Acct-Input-Octets = 1727
> > Acct-Output-Octets = 1081
> > Acct-Input-Gigawords = 0
> > Acct-Output-Gigawords = 0
> > RB-Acct-Input-Packets-64 = 0x10
> > RB-Acct-Output-Packets-64 = 0xb
> > RB-Acct-Input-Octets-64 = 0x6bf
> > RB-Acct-Output-Octets-64 = 0x439
> > RB-Acct-Mcast-In-Packets = 0
> > RB-Acct-Mcast-Out-Packet = 0
> > RB-Acct-Mcast-In-Octets = 0
> > RB-Acct-Mcast-Out-Octets = 0
> > RB-Acct-Mcast-In-Packets-64 = 0x0
> > RB-Acct-Mcast-Out-Packets-64 = 0x0
> > RB-Acct-Mcast-In-Octets-64 = 0x0
> > RB-Acct-Mcast-Out-Octets-64 = 0x0
> > RB-QoS-Metering-Profile-Name = "100000"
> > Class = "safe_ngn"
> > Event-Timestamp = 1387269490
> > NAS-Port-Type = ADSL
> > Timestamp = 1387265243
> > Acct-Delay-Time = 0
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> > Tue Dec 17 09:27:23 2013: DEBUG: Accounting accepted
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Sending to *********** port 1812 ....
> >
> >
> > Code: Accounting-Response
> > Identifier: 76
> > Authentic: <15>v<16><224>`<211><179>2<153>=<154><218><10><147>+<219>
> > Attributes:
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Received reply in AuthRADIUS for req 6
> > from ********:1813
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Received from ******** port 1813 ....
> >
> >
> > Code: Accounting-Response
> > Identifier: 6
> > Authentic: r<206><143>zr<5><170><5>L<12><30><227>B<214><210><13>
> > Attributes:
> >
> >
> > proxyhook.pl
> >
> >
> > sub {
> >     # PreAuthHook arguments: $_[0] is a reference to the current request,
> >     # which is the packet AuthBy RADIUS proxies; $_[1] is the reply.
> >     my $p = ${$_[0]};
> >     my $context = lc($p->get_attr('RB-Context-Name') || '');
> >     my $class   = lc($p->get_attr('Class') || '');
> >     my $pool    = lc($p->get_attr('RB-Ip-Address-Pool-Name') || '');
> >     my $usern   = $p->get_attr('User-Name');
> >
> >     # Rewrite Class on the outgoing request and log the value actually set.
> >     # Building the value outside the quoted string avoids logging the
> >     # literal "safe . '_' . 'ngn'" that shows up in the trace.
> >     my $set_class = sub {
> >         my ($new, $why) = @_;
> >         $p->change_attr('Class', $new);
> >         &main::log($main::LOG_ERR, "DA: user: $usern $why: setting class to $new");
> >     };
> >
> >     # Only Class is rewritten below; RB-Context-Name is forwarded as the NAS sent it.
> >     # Values are already lowercased, so the upper-case alternations are not needed.
> >     if ( $context =~ /^(gamer|safe|ngn|big)$/ ) {
> >         if ( $pool =~ /^(ngn|xngn)$/ ) {
> >             $set_class->("${context}_ngn", 'Context gamer') if $context eq 'gamer';
> >         } elsif ( $class =~ /^(ngn|xngn)$/ ) {
> >             if ( $context eq 'gamer' ) {
> >                 $set_class->("${context}_ngn", 'Context gamer');
> >             } elsif ( $context eq 'safe' ) {
> >                 $set_class->("${context}_ngn", 'Context safe');
> >             }
> >         } elsif ( $class =~ /^(default|safe)$/ ) {
> >             $set_class->($context, "Context $class pool default");
> >         } elsif ( $class eq 'ngn' ) {
> >             # Never reached: a Class of ngn already matched the branch above.
> >             $set_class->('ngn', "Context $class pool default");
> >         } elsif ( $context eq 'gamer' ) {
> >             $set_class->($context, 'Context&pool gamer');
> >         } elsif ( $context eq 'big' ) {
> >             $set_class->('gamer', 'Context big');
> >         }
> >     }
> > }
> >
> >
> > On Dec 16, 2013 5:08 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
> >
> > On 12/16/2013 03:44 PM, eliran shlomo wrote:
> >
> > > I have a proxy RADIUS that receives different attributes than the NAS.
> > >
> > > When I change an attribute in the LDAP and tell the NAS to get an
> > > update, the NAS receives all updated values,
> > > but the values that are sent to the proxy contain old data.
> >
> > Hello Eliran,
> >
> > are you changing $p (the current request) in the hook? $p is what the
> > outgoing request in AuthBy RADIUS is based on.
> >
> > It's a bit hard to say more without Trace 4 logs and the hook.
> >
> > Thanks,
> > Heikki
> >
> >
> > > please advise.
> > >
> > > Thanks,
> > >
> > > Eliran
> > >
> > > The AuthBy look like this
> > >
> > > <AuthBy RADIUS>
> > > Identifier ProxyAccounting
> > > Host x.x.x.x
> > > NoForwardAuthentication
> > > IgnoreAccountingResponse
> > > AcctPort 1813
> > > FailureBackoffTime 0
> > > Retries 1
> > > RetryTimeout 3
> > > Secret ******
> > > </AuthBy>
> > >
> > > And the handler looks like this
> > >
> > > <Handler NAS-IP-Address=x.x.x.x, Request-Type=Accounting-Request, Acct-Status-Type = /^Alive/>
> > >     include %{GlobalVar:CONFIGROOT}/include/RewriteUsername.inc
> > >     PreAuthHook file:"%{GlobalVar:CONFIGROOT}/include/proxyupdate.pl"
> > >     AuthBy ProxyAccounting
> > >     SessionDatabase NULL
> > >     AccountingHandled
> > >     AcctLogFileName %{GlobalVar:DETAILDIR}/%c/detail-%Y%m%d.csv
> > >     AcctLogFileFormat \
> > >         %{User-Name},%{Acct-Session-Id},%{Framed-IP-Address},\
> > >         %{Calling-Station-Id},%{Called-Station-Id},%{NAS-IP-Address},\
> > >         %{NAS-Port-Type},%{NAS-Port},%{Acct-Status-Type},\
> > >         %{Tunnel-Server-Endpoint},%{Tunnel-Client-Endpoint},\
> > >         %{Tunnel-Server-Auth-ID},%{Tunnel-Client-Auth-ID},\
> > >         %{RB-Context-Name},%{Acct-Input-Octets},%{Acct-Output-Octets},\
> > >         %{Acct-Input-Gigawords},%{Acct-Output-Gigawords},\
> > >         %{RB-QoS-Metering-Profile-Name},%{Acct-Terminate-Cause},\
> > >         %{Acct-Session-Time},%{Event-Timestamp},\
> > >         %{Acct-Authentic},%{Acct-Delay-Time},\
> > >         %{Acct-Input-Packets},%{Acct-Output-Packets},\
> > >         %{Framed-Protocol},%{Service-Type}
> > > </Handler>
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > radiator mailing list
> > > radiator at open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator
> > >
> >
> >
> > --
> > Heikki Vatiainen <hvn at open.com.au>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > NetWare etc.
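The thread turns on one question: which attributes does the hook actually change in the request object before AuthBy RADIUS forwards it, since whatever is in that object is what reaches the proxy. The script below is an added example, not part of this thread and not Radiator's own code. It parses the packet dumps a Radiator Trace 4 log prints and diffs each received Accounting-Request against the copy sent to the proxy, listing changed, added and removed attributes. The embedded trace is a constructed abridgement of the dump above (nas.example and proxyserver stand in for the masked addresses); the function names, the pairing of requests by Acct-Session-Id and Acct-Status-Type, and the assumption that a timestamped log line ends a dump are mine.

```python
import re
from dataclasses import dataclass, field

# Added example, not Radiator code: parse the packet dumps in a Radiator Trace 4
# log and diff each received Accounting-Request against the copy sent to the proxy.
PKT_HDR = re.compile(r'^\*\*\* (Received from|Sending to) (\S+) port (\d+)')
LOG_LINE = re.compile(r'^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}:')
ATTR_LINE = re.compile(r'^([A-Za-z0-9-]+) = (.*)$')

@dataclass
class Packet:
    direction: str          # 'rx' (Received from) or 'tx' (Sending to)
    peer: str
    port: int
    code: str = ''
    attrs: dict = field(default_factory=dict)   # first value of each attribute

def parse_trace(text):
    """Return the packets dumped in a trace, in log order."""
    packets, cur, in_attrs = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        hdr = PKT_HDR.match(line)
        if hdr:
            cur = Packet('rx' if hdr[1] == 'Received from' else 'tx', hdr[2], int(hdr[3]))
            packets.append(cur)
            in_attrs = False
        elif cur is None:
            continue
        elif LOG_LINE.match(line):      # next timestamped record ends the dump
            cur, in_attrs = None, False
        elif line.startswith('Code:'):
            cur.code = line.split(':', 1)[1].strip()
        elif line == 'Attributes:':     # Identifier:/Authentic: lines are skipped
            in_attrs = True
        elif in_attrs:
            m = ATTR_LINE.match(line)
            if m:
                cur.attrs.setdefault(m[1], m[2])
    return packets

def diff_attrs(before, after):
    """Attributes that differ between two packets' attribute dicts."""
    return {
        'changed': {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]},
        'added': {k: v for k, v in after.items() if k not in before},
        'removed': {k: v for k, v in before.items() if k not in after},
    }

def proxied_request_diffs(packets):
    """Pair each sent Accounting-Request with the last received one for the same
    Acct-Session-Id and Acct-Status-Type; return (received, sent, diff) triples."""
    results, pending = [], {}
    for p in packets:
        if p.code != 'Accounting-Request':
            continue
        key = (p.attrs.get('Acct-Session-Id'), p.attrs.get('Acct-Status-Type'))
        if p.direction == 'rx':
            pending[key] = p
        elif key in pending:
            results.append((pending[key], p, diff_attrs(pending[key].attrs, p.attrs)))
    return results

# Constructed sample: an abridged Alive record in the thread's dump format;
# nas.example and proxyserver stand in for the masked addresses.
SAMPLE_TRACE = """\
*** Received from nas.example port 1812 ....
Code: Accounting-Request
Authentic: p<167><15><12><168><212><144><12>7<223><218>%?<208><164><193>
Attributes:
User-Name = "bdynamic_test1"
Acct-Status-Type = Alive
Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
NAS-Port = 2432705629
NAS-Port-Type = Virtual
RB-Context-Name = "safe"
Class = "ngn"
Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthRADIUS
*** Sending to proxyserver port 1813 ....
Code: Accounting-Request
Attributes:
User-Name = "bdynamic_test1"
Acct-Status-Type = Alive
Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
NAS-Port = 9309
RB-Context-Name = "safe"
Class = "safe_ngn"
NAS-Port-Type = ADSL
Timestamp = 1387265243
"""

def report(trace=SAMPLE_TRACE):
    diffs = proxied_request_diffs(parse_trace(trace))
    for rx, tx, d in diffs:
        print(f"{rx.attrs.get('User-Name')}: {rx.peer} -> {tx.peer}:{tx.port}")
        for kind in ('changed', 'added', 'removed'):
            for k, v in d[kind].items():
                print(f"  {kind:8} {k} = {v}")
    return diffs
```

Run against the sample, `report()` shows Class rewritten to "safe_ngn", NAS-Port and NAS-Port-Type changed, Timestamp added, and RB-Context-Name untouched, which is exactly the split between "changed" and "stayed the same" attributes that the thread is trying to account for. Pointing it at a real Trace 4 file (`report(open(path).read())`) gives the same per-request summary without reading the dumps by hand.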