[RADIATOR] COA log
Hugh Irvine
hugh at open.com.au
Wed Feb 4 17:30:49 CST 2015
Hi Michael -
Very nice.
BTW - there are a number of custom RADIUS attributes that are available for this sort of thing in the OSC vendor-specifics in the standard dictionary.
…..
#
# Open System Consultants VSA's for carrying user data
# from AuthBy PAM etc. OSC-AVPAIR is used to pass private data
# between instances of Radiator
#
VENDOR OSC 9048
VENDORATTR 9048 OSC-AVPAIR 0 string
VENDORATTR 9048 OSC-Uid 1 integer
VENDORATTR 9048 OSC-Gid 2 integer
VENDORATTR 9048 OSC-Home 3 string
VENDORATTR 9048 OSC-Shell 4 string
VENDORATTR 9048 OSC-Integrity-Message 5 binary
# Experimental presence indicators, used to indicate whether and
# where the user was last logged in. Used by AuthPRESENCESQL.pm
VENDORATTR 9048 OSC-User-Presence-Indicator 6 integer
VENDORATTR 9048 OSC-User-Presence-Location 7 string
VENDORATTR 9048 OSC-User-Presence-Timestamp 8 integer
VENDORATTR 9048 OSC-Client-Identifier 9 string
VENDORATTR 9048 OSC-Service-Identifier 10 string
VENDORATTR 9048 OSC-Customer-Identifier 11 string
VENDORATTR 9048 OSC-Provider-Identifier 12 string
VENDORATTR 9048 OSC-Environment-Identifier 13 string
VENDORATTR 9048 OSC-Version-Identifier 14 string
VENDORATTR 9048 OSC-Session-Identifier 15 string
VENDORATTR 9048 OSC-Device-Identifier 16 string
VENDORATTR 9048 OSC-User-Identifier 17 string
VENDORATTR 9048 OSC-Group-Identifier 18 string
VENDORATTR 9048 OSC-Acct-Input-Octets-64 19 integer64
VENDORATTR 9048 OSC-Acct-Output-Octets-64 20 integer64
VENDORATTR 9048 OSC-Authorize-Group 21 string
VALUE OSC-User-Presence-Indicator NotPresent 0
VALUE OSC-User-Presence-Indicator Present 1
VALUE OSC-User-Presence-Indicator Unsure 2
# Attributes to help exporting information from SIM/USIM authentication
VENDORATTR 9048 OSC-SIM-IMSI 80 string
VENDORATTR 9048 OSC-SIM-MSIDSN 81 string
VENDORATTR 9048 OSC-SIM-Identity 82 string
VENDORATTR 9048 OSC-SIM-TMSI 83 string
VENDORATTR 9048 OSC-SIM-FastReauthId 84 string
VENDORATTR 9048 OSC-SIM-Method 85 integer
VALUE OSC-SIM-Method EAP-SIM 18
VALUE OSC-SIM-Method EAP-AKA 23
VALUE OSC-SIM-Method EAP-AKA-PRIME 50
# The following are derived from Tacacs+ requests per draft-grant-tacacs-02
VENDORATTR 9048 OSC-TACACS-Action 100 integer
VENDORATTR 9048 OSC-TACACS-Privilege-Level 101 integer
VENDORATTR 9048 OSC-TACACS-Authen-Type 102 integer
VENDORATTR 9048 OSC-TACACS-Service 103 integer
VENDORATTR 9048 OSC-TACACS-Authen-Method 104 integer
VALUE OSC-TACACS-Action Login 1
VALUE OSC-TACACS-Action Chpass 2
VALUE OSC-TACACS-Action Sendpass 3
VALUE OSC-TACACS-Action Sendauth 4
VALUE OSC-TACACS-Privilege-Level Max 15
VALUE OSC-TACACS-Privilege-Level Root 15
VALUE OSC-TACACS-Privilege-Level User 1
VALUE OSC-TACACS-Privilege-Level Min 0
VALUE OSC-TACACS-Authen-Type ASCII 1
VALUE OSC-TACACS-Authen-Type PAP 2
VALUE OSC-TACACS-Authen-Type CHAP 3
VALUE OSC-TACACS-Authen-Type ARAP 4
VALUE OSC-TACACS-Authen-Type MSCHAP 5
VALUE OSC-TACACS-Service None 0
VALUE OSC-TACACS-Service Login 1
VALUE OSC-TACACS-Service Enable 2
VALUE OSC-TACACS-Service PPP 3
VALUE OSC-TACACS-Service ARAP 4
VALUE OSC-TACACS-Service PT 5
VALUE OSC-TACACS-Service RCMD 6
VALUE OSC-TACACS-Service X25 7
VALUE OSC-TACACS-Service NASIq 8
VALUE OSC-TACACS-Service FWPROXY 9
VALUE OSC-TACACS-Authen-Method Not_Set 0
VALUE OSC-TACACS-Authen-Method None 1
VALUE OSC-TACACS-Authen-Method KRB5 2
VALUE OSC-TACACS-Authen-Method Line 3
VALUE OSC-TACACS-Authen-Method Enable 4
VALUE OSC-TACACS-Authen-Method Local 5
VALUE OSC-TACACS-Authen-Method TACACSPLUS 6
VALUE OSC-TACACS-Authen-Method Guest 8
VALUE OSC-TACACS-Authen-Method RADIUS 16
VALUE OSC-TACACS-Authen-Method KRB4 17
VALUE OSC-TACACS-Authen-Method RCMD 32
…..
Of course you can use OSC-AVPAIR for anything at all, and you can use the others as you see fit.
regards
Hugh
> On 5 Feb 2015, at 10:20, Michael <ringo at vianet.ca> wrote:
>
> I personally log COA/POD requests using a very custom method. This may
> not be desirable for others. I do this by after processing the COA/POD
> normally, pass it to an AuthBy config that essentially changes it to an
> Accounting-Request packet, populates a few extra values, then passes it
> to my normal accounting log AuthBy. This also requires adding custom
> values to the dictionary file.
>
>
> <AuthBy GROUP>
> Identifier convert2accounting
>
> <AuthBy INTERNAL>
> OtherHook sub {\
> # some fancy code here.
> }
> </AuthBy>
>
> # now that this packet has been converted to an accounting packet,
> # it is ready to be logged. pass it to the accounting log AuthBy
> AuthBy accounting_log
> </AuthBy>
>
>
> an example result is something like this:
>
> +----------+---------------------+--------+-----------+--------------+
> | username | timestamp           | type   | sess_time | term_cause   |
> +----------+---------------------+--------+-----------+--------------+
> | username | 2015-01-05 15:04:09 | login  | NULL      | NULL         |
> | username | 2015-01-05 16:46:03 | info   | NULL      | rate-change  |
> | username | 2015-01-05 16:47:02 | info   | NULL      | kick-request |
> | username | 2015-01-05 16:47:02 | logout | 6173      | Admin-Reset  |
> +----------+---------------------+--------+-----------+--------------+
>
> On 04/02/15 05:57 PM, Hugh Irvine wrote:
>> Hello -
>>
>> As COA is not an authentication, it therefore follows that it will not be logged by an AuthLog clause.
>>
>> To see what happens with a COA you will need to look at the log file (not the authlog file).
>>
>> regards
>>
>> Hugh
>>
>>
>>> On 4 Feb 2015, at 20:49, ONRUBIA AVILES Carlos (SPC/CSP) <carlos.onrubia.aviles at proximus.com> wrote:
>>>
>>> Dear all,
>>>
>>> I have the following problem:
>>>
>>> I can log authentication with the configuration here below, it works correctly.
>>>
>>> But if I use event_log identifier to log a COA (and not a normal Access-Request with Accept or Reject), nothing happens.
>>>
>>> Can you indicate me how to log a COA with the answer (ACK or NACK)?
>>>
>>> Thanks in advance,
>>>
>>> <Handler User-Name = ABCD>
>>> AuthBy toto
>>> AuthLog event_log
>>> </Handler>
>>>
>>> <AuthLog FILE>
>>> Identifier event_log
>>> Filename %L/event_auth.log
>>> SuccessFormat %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,%a,,PASS,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,
>>> FailureFormat %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,none,,FAIL,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,%1
>>> LogSuccess 1
>>> LogFailure 1
>>> </AuthLog>
>>>
>>> ***** Disclaimer *****
>>> http://www.proximus.be/maildisclaimer
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER, SIM, etc.
>> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
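An added example, not part of the thread and not Radiator code: a Python sketch that reads VENDORATTR/VALUE lines in the dictionary format quoted above and decodes OSC vendor-specific attributes from raw RADIUS attribute bytes, as a log consumer for converted COA/POD records might. It assumes the standard RFC 2865 Vendor-Specific layout (type 26, 4-byte vendor id, 1-byte sub-type and length); the `event=rate-change` value used to exercise it is constructed.

```python
# Constructed excerpt of the dictionary lines quoted in the message above.
DICTIONARY = """\
VENDOR OSC 9048
VENDORATTR 9048 OSC-AVPAIR 0 string
VENDORATTR 9048 OSC-User-Presence-Indicator 6 integer
VALUE OSC-User-Presence-Indicator NotPresent 0
VALUE OSC-User-Presence-Indicator Present 1
VALUE OSC-User-Presence-Indicator Unsure 2
"""

def parse_dictionary(text):
    """Return ({(vendor, number): (name, type)}, {(name, number): label})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) == 5 and f[0] == "VENDORATTR":
            attrs[(int(f[1]), int(f[3]))] = (f[2], f[4])
        elif len(f) == 4 and f[0] == "VALUE":
            values[(f[1], int(f[3]))] = f[2]
    return attrs, values

def encode_vsa(vendor, num, data):  # one Vendor-Specific attribute (type 26)
    sub = bytes([num, len(data) + 2]) + data
    return bytes([26, len(sub) + 6]) + vendor.to_bytes(4, "big") + sub

def tlvs(buf):
    """Yield (type, value) pairs; rejects lengths that overrun the buffer."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("bad attribute length at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode_vsas(raw, attrs, values):
    """Return [(name, value)] for every vendor sub-attribute found in raw."""
    out = []
    for typ, body in tlvs(raw):
        if typ == 26 and len(body) >= 4:
            vendor = int.from_bytes(body[:4], "big")
            for num, data in tlvs(body[4:]):
                name, kind = attrs.get((vendor, num), ("Unknown-%d" % num, "binary"))
                if kind == "integer" and len(data) == 4:
                    n = int.from_bytes(data, "big")
                    val = values.get((name, n), n)  # symbolic label if defined
                else:
                    val = data.decode("utf-8", "replace") if kind == "string" else data.hex()
                out.append((name, val))
    return out
```

Sub-attributes missing from the dictionary are kept as hex under an `Unknown-N` name rather than dropped, so a log built from them does not silently lose data.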