[RADIATOR] Defining share secret per NASID instead of IP

Bengi Sağlam bengi at socialandbeyond.com
Tue Nov 4 04:49:50 CST 2014


Hi Heikki,

Thanks for the solution, PreClientHook has solved my issue. In the
beginning I wrote this hook:

PreClientHook sub { \
    my $nasId = ${$_[0]}->get_attr('NAS-Identifier'); \
    ${$_[0]}->add_attr('Called-Station-Id', $nasId); \
}

With this PreClientHook I was able to see the Accounting packet with the
status Accounting-On in the Radiator log when fetching the secret with the
MAC. However, I realised that this hook adds 'Called-Station-Id' to every
packet, and this caused the other packets to have multiple
'Called-Station-Id' attributes, as seen below in the log:

Code:       Accounting-Request
Identifier: 14
Authentic:  <169><21>r<241>2<232>@<227>Eu<5><|<140><186><159>
Attributes:
    Acct-Status-Type = Stop
    Acct-Terminate-Cause = Admin-Reset
    NAS-Port-Type = Wireless-IEEE-802-11
    Calling-Station-Id = "04:46:65:66:D6:0D"
    Called-Station-Id = "00-0C-42-FA-53-30"
    NAS-Port-Id = "bridgeLAN"
    User-Name = "04_46_65_66_D6_0D at Connect_Directly"
    NAS-Port = 2150629382
    Acct-Session-Id = "80300006"
    Framed-IP-Address = 10.5.0.18
    Mikrotik-Host-IP = 10.5.0.18
    Event-Timestamp = 1415033836
    Acct-Input-Octets = 10127
    Acct-Output-Octets = 12976
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    Acct-Input-Packets = 58
    Acct-Output-Packets = 46
    Acct-Session-Time = 293
    NAS-Identifier = "00-0C-42-FA-53-30"
    Acct-Delay-Time = 0
    NAS-IP-Address = 217.124.187.43
    Called-Station-Id = "00-0C-42-FA-53-30"

To solve the multiple-attribute problem, I added a small Perl if to the
PreClientHook that checks the 'Called-Station-Id' attribute, so the
attribute is not added when it already exists. The following PreClientHook
could be a solution for those who might have the same problem as me.


PreClientHook sub { \
    my $nasId = ${$_[0]}->get_attr('NAS-Identifier'); \
    my $stationId = ${$_[0]}->get_attr('Called-Station-Id'); \
    ${$_[0]}->add_attr('Called-Station-Id', $nasId) unless ($stationId); \
}

Thanks,
Bengi.



On Fri, Oct 31, 2014 at 6:44 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 31.10.2014 15.01, Bengi Sağlam wrote:
>
> > In the radiator log, I can see the Accounting packet request(first
> > request after reboot) with the status Accounting-On, and Radius responds
> > to client.
>
> >     //NAS-Identifier = "00-0C-42-FA-53-30"
>
> > Seems like Radius does not respond for the requests when I fetch Secret
> > with the MAC, if you could suggest any solution for this I would
> > appreciate.
>
> The MAC address match is done against the Called-Station-Id attribute.
> You could consider a PreClientHook to add Called-Station-Id if it is not
> present. Note that when it is present, it would need to be the MAC address.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <hvn at open.com.au>
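An added example, not part of the original thread and not Radiator code: the hook logic above as a stand-alone Perl script, extended so that NAS-Identifier is copied only when it has MAC form, since the reply notes that Called-Station-Id has to be the MAC address. MockRequest and the three test packets are constructed for illustration; only the get_attr and add_attr calls are taken from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the request object. It models only the two
# methods used by the hook in this thread (get_attr, add_attr).
package MockRequest;
sub new { my ($class, @pairs) = @_; return bless({ attrs => [@pairs] }, $class) }
sub get_attr {
    my ($self, $name) = @_;
    for my $pair (@{ $self->{attrs} }) { return $pair->[1] if $pair->[0] eq $name }
    return undef;
}
sub add_attr { my ($self, $name, $value) = @_; push @{ $self->{attrs} }, [$name, $value]; return }
sub count    { my ($self, $name) = @_; return scalar grep { $_->[0] eq $name } @{ $self->{attrs} } }

package main;

# Six hex octets separated by '-' or ':', the form seen in the log above.
my $MAC_RE = qr/\A[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}\z/;

# Same calling convention as the thread's hook: $_[0] is a reference to the request.
my $hook = sub {
    my $p = ${ $_[0] };
    return if defined $p->get_attr('Called-Station-Id');    # already present: add nothing
    my $nas_id = $p->get_attr('NAS-Identifier');
    return unless defined $nas_id && $nas_id =~ $MAC_RE;    # absent or not a MAC: leave packet alone
    $p->add_attr('Called-Station-Id', $nas_id);
    return;
};

# Constructed test packets covering the three cases.
my %cases = (
    'Accounting-On, no Called-Station-Id' => MockRequest->new(['NAS-Identifier', '00-0C-42-FA-53-30']),
    'Stop, Called-Station-Id present'     => MockRequest->new(
        ['Called-Station-Id', '00-0C-42-FA-53-30'], ['NAS-Identifier', '00-0C-42-FA-53-30']),
    'NAS-Identifier is not a MAC'         => MockRequest->new(['NAS-Identifier', 'ap-lobby']),
);
for my $name (sort keys %cases) {
    my $req = $cases{$name};
    $hook->(\$req);
    printf "%-38s Called-Station-Id count = %d\n", $name, $req->count('Called-Station-Id');
}
```

If the body of `$hook` is moved into a PreClientHook in the configuration file with backslash line continuations, the `#` comments have to be dropped first.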