[RADIATOR] Another Class like attribute
Hugh Irvine
hugh at open.com.au
Mon Nov 27 22:37:56 UTC 2017
Hi Robert -
A pretty easy way to do this is with multiple pseudo-attributes in the Class attribute.
I’ve included an example below.
cheers
Hugh
configuration file:
# simple.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory and log accounting to a file in the current
# directory.
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what it's doing in great detail.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: simple.cfg,v 1.5 2015/06/02 19:37:27 hvn Exp $
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
    Secret mysecret
    AddToRequest %{Class}
</Client>

<Handler Request-Type = Accounting-Request>
    AcctLogFileName %L/accounting
    <AuthBy INTERNAL>
        DefaultResult Accept
    </AuthBy>
</Handler>

<Handler>
    <AuthBy FILE>
        Filename %D/users
        AddToReply Class = "Tag1=one, Tag2=two, Tag3=three"
    </AuthBy>
    # Log accounting to a detail file
    AcctLogFileName %L/detail
</Handler>
radpwtst:
Radiator-4.19 hugh$ perl radpwtst -trace 4
Tue Nov 28 09:28:32 2017: DEBUG: Reading dictionary file './dictionary'
sending Access-Request
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code: Access-Request
Identifier: 155
Authentic: <140>i<194>LVG+.<25><150>k<195>o<197>#,
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = <189>mS<168><247><30><166><128>=<22><142>\^B{!
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code: Access-Accept
Identifier: 155
Authentic: <144>v<164><146>iOc_<153><169>1t^<133><18><214>
Attributes:
Framed-Protocol = PPP
Service-Type = Framed-User
Class = "Tag1=one, Tag2=two, Tag3=three"
OK
sending Accounting-Request Start
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1646 ....
Code: Accounting-Request
Identifier: 156
Authentic: <182><30>zuB+g<204><239><140>'<20>5<236><26><197>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Class = "Tag1=one, Tag2=two, Tag3=three"
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1646 ....
Code: Accounting-Response
Identifier: 156
Authentic: <174>m<226><234><143><205><162>&<255><139>k<239>q.p<182>
Attributes:
OK
sending Accounting-Request Stop
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1646 ....
Code: Accounting-Request
Identifier: 157
Authentic: <26><189>_<221>G<232><230><204>V<252>*<3>}<18><198>I
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Class = "Tag1=one, Tag2=two, Tag3=three"
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1646 ....
Code: Accounting-Response
Identifier: 157
Authentic: 0'<148><171>i2<3>(/9<194>><203><161><142>n
Attributes:
OK
Server log:
Radiator-4.19 hugh$ perl radiusd -foreground -log_stdout -trace 4 -config simple.cfg
Tue Nov 28 09:28:24 2017: DEBUG: Finished reading configuration file 'simple.cfg'
Tue Nov 28 09:28:24 2017: DEBUG: Reading dictionary file './dictionary'
Tue Nov 28 09:28:24 2017: INFO: Using Net::SSLeay 1.72 with SSL/TLS library version 0x9081df (OpenSSL 0.9.8zh 14 Jan 2016)
Tue Nov 28 09:28:24 2017: INFO: SSL/TLS library version 0x9081df (OpenSSL 0.9.8zh 14 Jan 2016) does not support TLSv1.1 or TLSv1.2
Tue Nov 28 09:28:24 2017: DEBUG: This system is IPv6 capable. IPv6 capability provided by: core
Tue Nov 28 09:28:24 2017: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Nov 28 09:28:24 2017: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Nov 28 09:28:24 2017: NOTICE: Server started: Radiator 4.19 on TiTi.fritz.box
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 51871 ....
Code: Access-Request
Identifier: 155
Authentic: <140>i<194>LVG+.<25><150>k<195>o<197>#,
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = <189>mS<168><247><30><166><128>=<22><142>\^B{!
Tue Nov 28 09:28:32 2017: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 28 09:28:32 2017: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Tue Nov 28 09:28:32 2017: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 28 09:28:32 2017: DEBUG: Reading users file ./users
Tue Nov 28 09:28:32 2017: DEBUG: Radius::AuthFILE looks for match with mikem [mikem]
Tue Nov 28 09:28:32 2017: DEBUG: Radius::AuthFILE ACCEPT: : mikem [mikem]
Tue Nov 28 09:28:32 2017: DEBUG: AuthBy FILE result: ACCEPT,
Tue Nov 28 09:28:32 2017: DEBUG: Access accepted for mikem
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 51871 ....
Code: Access-Accept
Identifier: 155
Authentic: <144>v<164><146>iOc_<153><169>1t^<133><18><214>
Attributes:
Framed-Protocol = PPP
Service-Type = Framed-User
Class = "Tag1=one, Tag2=two, Tag3=three"
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 51871 ....
Code: Accounting-Request
Identifier: 156
Authentic: <182><30>zuB+g<204><239><140>'<20>5<236><26><197>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Class = "Tag1=one, Tag2=two, Tag3=three"
Tue Nov 28 09:28:32 2017: DEBUG: Handling request with Handler 'Request-Type = Accounting-Request', Identifier ''
Tue Nov 28 09:28:32 2017: DEBUG: Adding session for mikem, 203.63.154.1, 1234
Tue Nov 28 09:28:32 2017: DEBUG: Handling with AuthINTERNAL:
Tue Nov 28 09:28:32 2017: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult
Tue Nov 28 09:28:32 2017: DEBUG: Accounting accepted
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 51871 ....
Code: Accounting-Response
Identifier: 156
Authentic: <174>m<226><234><143><205><162>&<255><139>k<239>q.p<182>
Attributes:
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 51871 ....
Code: Accounting-Request
Identifier: 157
Authentic: <26><189>_<221>G<232><230><204>V<252>*<3>}<18><198>I
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Class = "Tag1=one, Tag2=two, Tag3=three"
Tue Nov 28 09:28:32 2017: DEBUG: Handling request with Handler 'Request-Type = Accounting-Request', Identifier ''
Tue Nov 28 09:28:32 2017: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Tue Nov 28 09:28:32 2017: DEBUG: Handling with AuthINTERNAL:
Tue Nov 28 09:28:32 2017: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult
Tue Nov 28 09:28:32 2017: DEBUG: Accounting accepted
Tue Nov 28 09:28:32 2017: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 51871 ....
Code: Accounting-Response
Identifier: 157
Authentic: 0'<148><171>i2<3>(/9<194>><203><161><142>n
Attributes:
Accounting log:
Tue Nov 28 09:28:32 2017
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Class = "Tag1=one, Tag2=two, Tag3=three"
Tag1 = one
Tag2 = two
Tag3 = three
Timestamp = 1511821712
Tue Nov 28 09:28:32 2017
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Class = "Tag1=one, Tag2=two, Tag3=three"
Tag1 = one
Tag2 = two
Tag3 = three
Timestamp = 1511821712
> On 28 Nov 2017, at 03:55, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
>
> We use Class pretty extensively to carry over a value from access requests into accounting requests, etc. Since “Class” is already used and appears you can only have one Class attribute; is there any other arbitrary RADIUS attribute that is supported in a session on the client? Looking to tag/mark sessions a certain way for logging purposes and would really rather not make a mess out of Class which is already being used.
>
> What we are trying to do is at access accept time tag/mark a session a certain way so that when accounting records come in, we can look for this attribute and log additional information based on that tag/mark.
>
> Ideas?
>
> --
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP: https://inoc.net/~rblayzor/
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
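
Added example, not part of the original post and not Radiator code: Python that reads a detail-file record like the ones in the accounting log above, extracts the pseudo-attributes carried in Class, and checks them against the expanded Tag lines. The allowlist ALLOWED_TAGS, the function names and the shortened sample record are assumptions made for the illustration.

```python
import re

# Assumption: the tag names this site puts into Class (taken from the example config).
ALLOWED_TAGS = {"Tag1", "Tag2", "Tag3"}
_PAIR = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*) = (.*)$")

def parse_class_tags(class_value, allowed=ALLOWED_TAGS):
    """Split 'Tag1=one, Tag2=two' into (tags, rejected)."""
    # Only allowlisted names are used; unknown names, duplicates and
    # malformed parts are reported in `rejected` and otherwise ignored.
    tags, rejected = {}, []
    for part in class_value.split(","):
        if not part.strip():
            continue
        m = _PAIR.match(part)
        if m and m.group(1) in allowed and m.group(1) not in tags:
            tags[m.group(1)] = m.group(2)
        else:
            rejected.append(part.strip())
    return tags, rejected

def parse_detail_record(text):
    """Parse the 'Name = value' lines of one detail-file record into a dict."""
    rec = {}
    for line in text.splitlines():
        m = _LINE.match(line)   # the leading date line has no ' = ' and is skipped
        if m:
            rec[m.group(1)] = m.group(2).strip().strip('"')
    return rec

def tags_for_record(rec):
    """Return (tags, rejected); raise if an expanded tag line disagrees with Class."""
    tags, rejected = parse_class_tags(rec.get("Class", ""))
    for name, value in tags.items():
        if name in rec and rec[name] != value:
            raise ValueError(f"{name} in record does not match Class")
    return tags, rejected

# Constructed sample, shortened from the Start record in the accounting log above.
SAMPLE = """Tue Nov 28 09:28:32 2017
    User-Name = "mikem"
    Acct-Status-Type = Start
    Class = "Tag1=one, Tag2=two, Tag3=three"
    Tag1 = one
    Tag2 = two
    Tag3 = three
"""
```

Calling tags_for_record(parse_detail_record(SAMPLE)) returns the three tags with an empty rejected list.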