[RADIATOR] Accounting attribute 25
Hugh Irvine
hugh at open.com.au
Fri May 24 03:38:53 UTC 2019
Hello Helmuth -
It is quite straightforward to implement what you require; however, your configuration file as shown below is a bit confusing.
Normally, the Class attribute is returned to the NAS in the initial Access-Accept, and it is the NAS that subsequently sends it in all Accounting-Requests.
It is the NAS that sends an authentication request that Radiator replies to with an Access-Accept if successful.
Once the NAS has established the session, it then sends an Accounting-Start, followed by Accounting-Alives, followed by an Accounting-Stop when the session ends.
From what I can see in the configuration below, there is some duplication in the AuthBy SQL clauses for authentication and accounting, and I suspect there is a custom entry in the dictionary.
I would suggest that the AuthBy SQL for accounting only does accounting, and that the AuthBy SQL for authentication only does authentication.
Depending on where the data to be included in the Class attribute come from, multiple strings can be included.
If you want to proxy the accounting requests to multiple target hosts, you would use multiple AuthBy RADIUS clauses.
See my possible alterations below.
regards
Hugh
…..
<Handler NAS-Identifier = "WIMAX",Request-Type=Accounting-Request>
PreProcessingHook file:"/etc/radiator/gigawords-hook2.pl"
PostAuthHook file:"/etc/radiator/WimaxSessionHook.pl"
MaxSessions 1
PasswordLogFileName %L/logins
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
# proxy accounting to multiple target hosts if required
AuthByPolicy ContinueAlways
<AuthBy RADIUS>
…..
IgnoreAccountingResponse
</AuthBy>
<AuthBy RADIUS>
…..
IgnoreAccountingResponse
</AuthBy>
<AuthBy SQL>
NoDefault
DBSource dbi:mysql:<REMOVED>:localhost:3306
DBUsername radiator
DBAuth <REMOVED>
Timeout 0
# we are only processing accounting requests here
# so disable authentication with empty AuthSelect
AuthSelect
AccountingTable WIMAX_ACCOUNTING
AcctInsertQuery insert into %0 (%1) values (%2)
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets
AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets
AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
AcctColumnDef USERSERVICETYPE,User-Service-Type
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef NASPORTTYPE,Nas-Port-Type
AcctColumnDef CLIENTID,Client-Id
AcctColumnDef CONNECTINFO,Ascend-Data-Rate
AcctColumnDef CLASS,Class
AcctColumnDef REALM,%W,formatted
AcctColumnDef SESSIONSTARTTIMESTAMP,%b-0%{Acct-Session-Time},literal
DefaultSimultaneousUse 1
AddToReplyIfNotExist cisco-avpair = "multilink:max-links=1"
</AuthBy>
RejectHasReason
</Handler>
###
<Handler NAS-Identifier = "WIMAX">
PreProcessingHook file:"/etc/radiator/gigawords-hook2.pl"
PostAuthHook file:"/etc/radiator/WimaxPostAuthHook.pl"
MaxSessions 1
PasswordLogFileName %L/logins
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
# we are only processing authentication requests here
# so no accounting required
<AuthBy SQL>
AddToReplyIfNotExist Service-Type = Framed-User
NoDefault
Identifier <REMOVED>
DBSource dbi:mysql: <REMOVED>:localhost:3306
DBUsername radiator
DBAuth <REMOVED>
Timeout 0
AuthSelect select password,checkattr, replyattr,service, capstatus \
from WIMAX_SUBSCRIBERS where USERNAME='%n' \
AND status ='enabled'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, check
AuthColumnDef 2, GENERIC, reply
AuthColumnDef 3, Service, request
AuthColumnDef 4, CapStatus, request
# note that Service and CapStatus are being added to the request for use in the Class string below
AddToReply Class = "ServicePlan = %{Service}, AccountStatus = %{CapStatus}"
DefaultSimultaneousUse 1
AddToReplyIfNotExist cisco-avpair = "multilink:max-links=1"
</AuthBy>
RejectHasReason
AuthLog authfailures
</Handler>
> On 24 May 2019, at 01:01, Helmuth Kisting <hkisting at africaonline.na> wrote:
>
> Hi List,
> We are implementing a new Service Gateway on our Broadband Wireless infrastructure. It depends on RADIUS-Accounting to populate the product types configured on it with individual subs and as a result, we are feeding it the Accounting data directly from the NAS (Cisco 3750).
> I have recently been tasked to assist in implementing the product into our network and have the Billing Software provider integrate with the Service Gateway, however I am not familiar with RADIUS or Radiator since I inherited this server and project. It’s a very old Radiator version (3.14) running on recent hardware (PowerEdge R210).
>
> Our Service Gateway vendor requires attribute 25 (“class”) to contain the Service Plan of the subscriber (i.e. “something-something-business-20”), however looking at the Accounting data received by the vendor’s device, attribute 25 is being used to specify one of either two account states - “capped” or “uncapped”. This obviously means the NAS receives this information at successful authentication and by implication, the Billing Software reads and writes to the value attribute on the RADIUS backend.
>
> I’d like to know:
> - How does RADIUS feed the initial accounting data for each successful auth to the NAS and where I can change this.
> - I need to “switch” attributes somewhere and have the NAS send both the Service Plan and Account Status in its Accounting updates, with the “class” attribute (25) containing the Service Plan and some other attribute containing the Account Status. How would I achieve this?
> - If I were to implement Radiator as the RADIUS proxy, sending Accounting data to both the Billing Software and the Service Gateway, what configuration would I use to achieve this? Would someone be able to provide me with an example?
>
>
> Below is an excerpt from the accounting logs received on the Service Gateway and following that, an excerpt from the RADIUS config file (with the client sections and secrets removed):
>
> --------------------------->
> Apr 10 08:25:43.238: RADIUS/ENCODE(00001799):Orig. component type = PPPoE
> Apr 10 08:25:43.238: RADIUS(00001799): Config NAS IP: x.x.x.238
> Apr 10 08:25:43.238: RADIUS(00001799): Config NAS IP: x.x.x.238
> Apr 10 08:25:43.238: RADIUS(00001799): sending
> Apr 10 08:25:43.238: RADIUS/ENCODE(00001799):Orig. component type = PPPoE
> Apr 10 08:25:43.238: RADIUS(00001799): Config NAS IP: x.x.x.238
> Apr 10 08:25:43.238: RADIUS(00001799): Config NAS IP: x.x.x.238
> Apr 10 08:25:43.238: RADIUS(00001799): sending
> Apr 10 08:25:43.238: RADIUS(00001799): Send Accounting-Request to x.x.x.178:1813 id 1646/212, len 172
> Apr 10 08:25:43.238: RADIUS: authenticator EE EA C7 E5 DC FE B2 99 - FF 4C 39 85 59 3E 77 A1
> Apr 10 08:25:43.238: RADIUS: Acct-Session-Id [44] 10 "000020A2"
> Apr 10 08:25:43.238: RADIUS: Framed-Protocol [7] 6 PPP [1]
> Apr 10 08:25:43.238: RADIUS: Framed-IP-Address [8] 6 41.x.x.x
> Apr 10 08:25:43.238: RADIUS: User-Name [1] 8 "atnjet"
> Apr 10 08:25:43.238: RADIUS: Acct-Session-Time [46] 6 223843
> Apr 10 08:25:43.238: RADIUS: Acct-Input-Giga-Word[52] 6 0
> Apr 10 08:25:43.238: RADIUS: Acct-Output-Giga-Wor[53] 6 1
> Apr 10 08:25:43.238: RADIUS: Acct-Input-Octets [42] 6 1112929927
> Apr 10 08:25:43.238: RADIUS: Acct-Output-Octets [43] 6 3609300709
> Apr 10 08:25:43.238: RADIUS: Acct-Input-Packets [47] 6 4179640
> Apr 10 08:25:43.238: RADIUS: Acct-Output-Packets [48] 6 6086299
> Apr 10 08:25:43.238: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
> Apr 10 08:25:43.238: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
> Apr 10 08:25:43.238: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
> Apr 10 08:25:43.238: RADIUS: NAS-Port [5] 6 0
> Apr 10 08:25:43.238: RADIUS: NAS-Port-Id [87] 11 "0/0/2/524"
> Apr 10 08:25:43.238: RADIUS: Class [25] 10
> Apr 10 08:25:43.238: RADIUS: 75 6E 63 61 70 70 65 64 [uncapped]
> Apr 10 08:25:43.238: RADIUS: Service-Type [6] 6 Framed [2]
> Apr 10 08:25:43.238: RADIUS: NAS-IP-Address [4] 6 x.x.x.238
> Apr 10 08:25:43.238: RADIUS: Unsupported [151] 10
> Apr 10 08:25:43.238: RADIUS: 43 33 33 38 31 35 44 33 [C33815D3]
> Apr 10 08:25:43.238: RADIUS: Nas-Identifier [32] 7 "WIMAX"
> Apr 10 08:25:43.238: RADIUS: Acct-Delay-Time [41] 6 0
>
> <-----------------------------------------------------------------------
>
>
>
> RADIUS config file:
> ----------------------------------------------------------------------->
> …
> <AuthLog FILE>
> Identifier authfailures
> Filename %L/failures.%d-%m-%Y.log
> LogFailure 1
> FailureFormat %U,%u,%l,%N,%{NAS-Port},%{NAS-Port-Type}, \
> %{RadiusAuthenticationNumber},%0,%1,%{Called-Station-Id},%{Calling-Station-Id}
> </AuthLog>
>
>
> <AuthLog SQL>
> Identifier authfailures
>
> DBSource dbi:mysql:<REMOVED>:localhost:3306
> DBUsername radiator
> DBAuth <REMOVED>
> Timeout 0
>
> FailureQuery insert into WIMAX_AUTHFAILURES \
> (USERNAME,REALM,TIME_STAMP,NASIDENTIFIER,NASPORT,NASPORTTYPE,\
> SEVERITY,ERRORMESSAGE) values \
> ('%{User-Name}','%W','%t','%{NAS-IP-Address}','%{NAS-Port}','%{NAS -Port-Type}',\
> '%0',%1)
>
> </AuthLog>
>
>
> <SessionDatabase SQL>
>
> DBSource dbi:mysql: <REMOVED>:localhost:3306
> DBUsername radiator
> DBAuth <REMOVED>
>
> CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS \
> from WIMAX_RADONLINE where USERNAME='%U' and NASIDENTIFIER='%{NAS-IP-Address}'
>
> AddQuery insert into WIMAX_RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
> REALM) values ('%U','%{NAS-IP-Address}', \
> '%{NAS-Port}','%{Acct-Session-Id}','%{Timestamp}', \
> '%{Framed-IP-Address}', '%{GlobalVar:saixadsl}','%W')
>
> #DeleteQuery delete from WIMAX_RADONLINE where USERNAME='%U'
> # #and NASIDENTIFIER='%{NAS-IP-Address}'
> DeleteQuery delete from WIMAX_RADONLINE where USERNAME='%U'
> #and ACCTSESSIONID=%3
> #and NASIDENTIFIER='%{NAS-IP-Address}'
>
> Timeout 0
> </SessionDatabase>
>
> <Handler NAS-Identifier = "WIMAX",Acct-Status-Type=Alive|Start>
> PreProcessingHook file:"/etc/radiator/gigawords-hook2.pl"
> PostAuthHook file:"/etc/radiator/WimaxSessionHook.pl"
> MaxSessions 1
>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
>
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
>
> RejectHasReason
> </Handler>
>
>
> <Handler NAS-Identifier = "WIMAX",Request-Type=Accounting-Request>
> PreProcessingHook file:"/etc/radiator/gigawords-hook2.pl"
> PostAuthHook file:"/etc/radiator/WimaxSessionHook.pl"
> MaxSessions 1
>
> PasswordLogFileName %L/logins
>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
>
> <AuthBy SQL>
> NoDefault
> DBSource dbi:mysql:<REMOVED>:localhost:3306
> DBUsername radiator
> DBAuth <REMOVED>
>
> Timeout 0
>
> AuthSelect select password,checkattr, replyattr,service, capstatus \
> from WIMAX_SUBSCRIBERS where USERNAME='%n' \
> AND status ='enabled'
>
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, reply
> AuthColumnDef 3, Service, reply
> AuthColumnDef 4, CapStatus, reply
> AuthColumnDef 5, Static, reply
>
> AccountingTable WIMAX_ACCOUNTING
> AcctInsertQuery insert into %0 (%1) values (%2)
>
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets
> AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets
> AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
> AcctColumnDef USERSERVICETYPE,User-Service-Type
> AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
> AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
> AcctColumnDef NASPORTTYPE,Nas-Port-Type
> AcctColumnDef CLIENTID,Client-Id
> AcctColumnDef CONNECTINFO,Ascend-Data-Rate
> AcctColumnDef CLASS,Class
> AcctColumnDef REALM,%W,formatted
> AcctColumnDef SESSIONSTARTTIMESTAMP,%b-0%{Acct-Session-Time},literal
>
> DefaultSimultaneousUse 1
> AddToReplyIfNotExist cisco-avpair = "multilink:max-links=1"
> </AuthBy>
>
> RejectHasReason
>
> </Handler>
>
> ###
>
> <Handler NAS-Identifier = "WIMAX">
> PreProcessingHook file:"/etc/radiator/gigawords-hook2.pl"
> PostAuthHook file:"/etc/radiator/WimaxPostAuthHook.pl"
> MaxSessions 1
>
> PasswordLogFileName %L/logins
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
>
> <AuthBy SQL>
> AddToReplyIfNotExist Service-Type = Framed-User
> NoDefault
> Identifier <REMOVED>
> DBSource dbi:mysql: <REMOVED>:localhost:3306
> DBUsername radiator
> DBAuth <REMOVED>
> Timeout 0
>
> AuthSelect select password,checkattr, replyattr,service, capstatus \
> from WIMAX_SUBSCRIBERS where USERNAME='%n' \
> AND status ='enabled'
>
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, reply
> AuthColumnDef 3, Service, reply
> AuthColumnDef 4, CapStatus, reply
>
> AccountingTable WIMAX_ACCOUNTING
> AcctInsertQuery insert into %0 (%1) values (%2)
>
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets
> AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets
> AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
> AcctColumnDef USERSERVICETYPE,User-Service-Type
> AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
> AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
> AcctColumnDef NASPORTTYPE,Nas-Port-Type
> AcctColumnDef CLIENTID,Client-Id
> AcctColumnDef CONNECTINFO,Ascend-Data-Rate
> AcctColumnDef CLASS,Class
> AcctColumnDef REALM,%W,formatted
> AcctColumnDef SESSIONSTARTTIMESTAMP,%b-0%{Acct-Session-Time},literal
>
> DefaultSimultaneousUse 1
> AddToReplyIfNotExist cisco-avpair = "multilink:max-links=1"
> </AuthBy>
> RejectHasReason
> AuthLog authfailures
> </Handler>
>
> <----------------------------------------------------------------------------------------------
>
>
>
> Thank you very much!
>
> Helmuth Kisting
> System Administrator
>
>
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
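As an added illustration of the flow Hugh describes (Radiator sets Class in the Access-Accept, the NAS echoes it unchanged in every Accounting-Request), here is a small Python example that is not part of this thread or of Radiator itself. It builds an Accounting-Request carrying a Class string in the format of Hugh's AddToReply line, checks the RFC 2866 Request Authenticator against the shared secret before trusting the contents (the check a proxy or Service Gateway should make before acting on attribute 25), and splits the Class value back into ServicePlan and AccountStatus. The secret, packet identifier and attribute values are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed values: the secret and user are placeholders, not from the thread.
SECRET = b"example-shared-secret"
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_CLASS, ATTR_ACCT_STATUS_TYPE = 1, 25, 40

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_acct_request(ident, attrs, secret=SECRET):
    """RFC 2866 Accounting-Request: the Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + auth + body

def verify_acct_request(pkt, secret=SECRET):
    """Recompute the authenticator; a mismatch means a wrong secret or a
    packet altered in transit, so its attributes must not be trusted."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    head, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def decode_attrs(body):
    """Walk the TLVs, rejecting lengths that would run past the packet."""
    attrs = []
    while body:
        t, length = struct.unpack("!BB", body[:2])
        if length < 2 or length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[2:length]))
        body = body[length:]
    return attrs

def parse_class(value):
    """Split 'ServicePlan = X, AccountStatus = Y' into a dict."""
    pairs = (p.split("=", 1) for p in value.decode("ascii").split(","))
    return {k.strip(): v.strip() for k, v in pairs}

def extract_class(pkt, secret=SECRET):
    """Return the parsed Class only from an authenticated Accounting-Request."""
    if not verify_acct_request(pkt, secret):
        return None
    for t, v in decode_attrs(pkt[20:]):
        if t == ATTR_CLASS:
            return parse_class(v)
    return None
```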