Thanks for the response. Yes, I was concerned about that as well, but a
look at the source code for the hack, copied in part below, seems to
indicate that the hack should also handle this case. I've also been in
contact with another user who has followed the same steps I have on a
Solaris system, and his system is working perfectly (i.e. the
Cisco-AVPair attributes are being parsed properly).
From rlm_preprocess.c:

    /* ptr (pointing at the '=' inside vp->strvalue) and newattr are set
     * earlier in the same function, before this excerpt begins. */

        /*
         *      Cisco-AVPair's get packed as:
         *
         *      Cisco-AVPair = "h323-foo-bar = baz"
         *      Cisco-AVPair = "h323-foo-bar=baz"
         *
         *      which makes sense only if you're a lunatic.
         *      This code looks for the attribute named inside
         *      of the string, and if it exists, adds it as a
         *      new attribute.
         */
        if ((vp->attribute & 0xffff) == 1) {
                char *p;
                DICT_ATTR *dattr;

                p = vp->strvalue;
                gettoken(&p, newattr, sizeof(newattr));
                if (((dattr = dict_attrbyname(newattr)) != NULL) &&
                    (dattr->type == PW_TYPE_STRING)) {
                        VALUE_PAIR *newvp;

                        /*
                         *      Make a new attribute.
                         */
                        newvp = pairmake(newattr, ptr + 1, T_OP_EQ);
                        if (newvp) {
                                pairadd(&vp, newvp);
                        }
                }
        } else {        /* h323-foo-bar = "h323-foo-bar = baz" */
                /*
                 *      We strip out the duplicity from the
                 *      value field, we use only the value on
                 *      the right side of the '=' character.
                 */
                strNcpy(newattr, ptr + 1, sizeof(newattr));
                strNcpy((char *)vp->strvalue, newattr, sizeof(vp->strvalue));
                vp->length = strlen((char *)vp->strvalue);
        }
    }       /* closing braces of the enclosing blocks, which lie outside this excerpt */
}
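Added example, not part of this thread and not FreeRADIUS code: a stand-alone model of the two steps a Cisco-AVPair string goes through on its way into radacct as discussed here. Step 1 models the with_cisco_vsa_hack branch quoted above (attribute 1 is Cisco-AVPair): take the name before '=', look it up in the dictionary, and create a new pair only when it is a known string attribute. Step 2 models rlm_sql's safe-characters escaping, which rewrites every byte not in the list as '=' plus two hex digits and is what turns the '=' into the "=3D" seen in the debug output. The dictionary table, the sample AVPair strings and the function names are constructed for this example; the safe-characters string is the one from the debug output.

```c
/* Added example (not FreeRADIUS code): model of the cisco_vsa_hack lookup and
 * of rlm_sql's safe-characters escaping. Dictionary contents are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PW_TYPE_STRING 1

/* Constructed stand-in for dictionary.cisco with the four added entries. */
static const struct { const char *name; int type; } dict[] = {
    { "h323-foo-bar",        PW_TYPE_STRING },  /* the case the hack was written for */
    { "ip:source-ip",        PW_TYPE_STRING },
    { "ip:source-port",      PW_TYPE_STRING },
    { "ip:destination-ip",   PW_TYPE_STRING },
    { "ip:destination-port", PW_TYPE_STRING },
};

/* Model of dict_attrbyname(): index into dict[], or -1 if the name is unknown. */
static int dict_attrbyname(const char *name) {
    for (size_t i = 0; i < sizeof dict / sizeof dict[0]; i++)
        if (strcmp(dict[i].name, name) == 0) return (int)i;
    return -1;
}

/* Step 1. For one Cisco-AVPair value "name=value" or "name = value", write the
 * name into newattr and the value into newvalue. Returns 1 when the name is a
 * known string attribute (a pair would be added, as pairmake()/pairadd() do in
 * the excerpt) and 0 when the hack would leave the request untouched. */
int cisco_vsa_hack(const char *strvalue, char *newattr, size_t alen,
                   char *newvalue, size_t vlen) {
    const char *ptr = strchr(strvalue, '=');      /* ptr sits on the '=' */
    if (ptr == NULL) return 0;

    /* gettoken(): the bare word before '=', minus trailing blanks */
    size_t n = (size_t)(ptr - strvalue);
    while (n > 0 && isspace((unsigned char)strvalue[n - 1])) n--;
    if (n == 0 || n >= alen) return 0;
    memcpy(newattr, strvalue, n);
    newattr[n] = '\0';

    int d = dict_attrbyname(newattr);
    if (d < 0 || dict[d].type != PW_TYPE_STRING) return 0;

    /* pairmake(newattr, ptr + 1, ...): the text after '=', minus leading blanks */
    ptr++;
    while (isspace((unsigned char)*ptr)) ptr++;
    snprintf(newvalue, vlen, "%s", ptr);
    return 1;
}

/* Step 2. rlm_sql escaping: copy in to out, replacing each byte that is not in
 * safe with "=XX" (two uppercase hex digits). Returns the length of out, or -1
 * if the escaped string would not fit in outlen bytes. */
int sql_escape(const char *in, char *out, size_t outlen, const char *safe) {
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(safe, c) != NULL) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outlen) return -1;
            snprintf(out + o, 4, "=%02X", (unsigned)c);
            o += 3;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The safe-characters value shown in the radiusd -X output in this thread. */
static const char *safe_chars =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

int main(void) {
    /* Constructed inputs: two from the quoted Start packet, one "h323" style
     * value, and one whose name is deliberately absent from dict[]. */
    const char *avpairs[] = {
        "ip:source-ip=10.100.248.2", "ip:source-port=4385",
        "h323-foo-bar = baz", "ip:protocol=6",
    };
    char name[64], value[128], escaped[256];
    for (size_t i = 0; i < sizeof avpairs / sizeof avpairs[0]; i++) {
        int added = cisco_vsa_hack(avpairs[i], name, sizeof name, value, sizeof value);
        sql_escape(avpairs[i], escaped, sizeof escaped, safe_chars);
        printf("%s\n", avpairs[i]);
        if (added) printf("  hack adds:   %s = \"%s\"\n", name, value);
        else       printf("  hack adds:   nothing (name is not a string attribute in the dictionary)\n");
        printf("  sql escaped: %s\n", escaped);
    }
    return 0;
}
```

The escaping step is why referencing the raw Cisco-AVPair from sql.conf yields "ip:source-ip=3D10.100.248.2": '=' is not in safe-characters, so rlm_sql encodes it rather than passing it to MySQL unescaped. Once the hack has split the pair into a dictionary attribute and a plain value, the value alone contains only safe characters and is stored as-is.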
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Serkin
Sent: Friday, November 05, 2004 3:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco-AVPair Help (help!!) Part 1
Hi.
# Cisco sends it's VSA attributes with the attribute
# name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco NAS, you don't need
# this hack.
with_cisco_vsa_hack = yes
The key word is "*again*". In this case the attribute name is the same as the
one inside the quotes. In your case the attribute names are not the same on
the left and on the right side. So with_cisco_vsa_hack seems useless for PIX
accounting.
BTW - does MySQL permit ":" in column names?
Billington, David wrote:
> Hi! I am running FreeRADIUS 1.0.1 and MySQL 4.1.7 on Redhat 9. The
> FreeRADIUS software was installed from an RPM package, which I created
> using the *.spec file included with the source code. Both Authentication
> and Accounting are working properly, with the one exception. One NAS, a
> Cisco PIX 525, is sending accounting packets containing multiple
> Cisco-AVPair attributes, as shown below:
>
> Mon Nov 1 13:42:52 2004
> Acct-Status-Type = Start
> NAS-Port = 208
> NAS-IP-Address = 10.100.255.17
> Login-IP-Host = 10.100.7.29
> Login-TCP-Port = Telnet
> Acct-Session-Id = "0x0020b1f6"
> User-Name = "msahni"
> Cisco-AVPair = "ip:source-ip=10.100.255.98"
> Cisco-AVPair = "ip:source-port=2557"
> Cisco-AVPair = "ip:destination-ip=10.100.7.29"
> Cisco-AVPair = "ip:destination-port=23"
> Client-IP-Address = 10.100.255.17
> Acct-Unique-Session-Id = "f189a9c186f55e4b"
> Timestamp = 1099338172
>
> I wish to have the Cisco-AVPairs parsed into more 'normal' attributes,
> such as:
>
> ip:source-ip=10.100.255.98
> ip:source-port=2557
> ip:destination-ip=10.100.7.29
> ip:destination-port=23
>
> which I can then insert into my radacct table using sql.conf. To
> accomplish this, I've performed two specific actions: (1) I've set the
> "with_cisco_vsa_hack" option in the preprocess module to "yes" in the
> radiusd.conf file, and (2) I've added four attributes matching these
> names in the dictionary.cisco file, as shown below:
>
> ATTRIBUTE ip:source-ip 114 string Cisco
> ATTRIBUTE ip:source-port 115 string Cisco
> ATTRIBUTE ip:destination-ip 116 string Cisco
> ATTRIBUTE ip:destination-port 117 string Cisco
>
> This does not work, however. The detail log file does not show any
> additional attributes being created. In order to obtain any information
> from these attributes, I must reference them as "Cisco-AVPair" in my
> sql.conf file. This causes the information from the first attribute,
> ip:source-ip to be repeatedly entered into radacct as
> "ip:source-ip=3D10.100.255.98" (Note also the addition of the '3D'
> text!). I've tried referencing these attributes as "Cisco-AVPair[0]",
> "Cisco-AVPair[1]", etc... but this doesn't return anything.
>
> When running 'radiusd -X', the preprocess module returns "noop", which I
> think means that it doesn't think it needs to do anything? The entire
> debug info is shown below, and the radiusd.conf file is included in a
> second email (this one was too big).
>
> I've read the mailing list and everything else until I'm blue in the
> face, and I see where a lot of people seem to have the same or similar
> problem, but nowhere have I found a solution that works on my system.
>
> Please help... I'm desperate to get this working! Thanks!!
>
> radiusd -X debug:
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "radiusd"
> main: group = "radiusd"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = yes
> Module: Instantiated preprocess (preprocess)
> Module: Loaded SQL
> sql: driver = "rlm_sql_mysql"
> sql: server = "localhost"
> sql: port = ""
> sql: login = "radius"
> sql: password = "xxxxxxxx"
> sql: radius_db = "radius"
> sql: acct_table = "radacct"
> sql: acct_table2 = "radacct"
> sql: authcheck_table = "radcheck"
> sql: authreply_table = "radreply"
> sql: groupcheck_table = "radgroupcheck"
> sql: groupreply_table = "radgroupreply"
> sql: usergroup_table = "usergroup"
> sql: nas_table = "nas"
> sql: dict_table = "dictionary"
> sql: sqltrace = no
> sql: sqltracefile = "/var/log/radius/sqltrace.sql"
> sql: readclients = no
> sql: deletestalesessions = yes
> sql: num_sql_socks = 5
> sql: sql_user_name = "%{User-Name}"
> sql: default_user_profile = ""
> sql: query_on_not_found = no
> sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op
> FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op
> FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> sql: authorize_group_check_query = "SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE
> usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id"
> sql: authorize_group_reply_query = "SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE
> usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY radgroupreply.id"
> sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
> AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
> AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
> NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
> sql: accounting_update_query = "UPDATE radacct ? SET FramedIPAddress =
> '%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ?
> AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets =
> '%{Acct-Output-Octets}' ? WHERE AcctSessionId = '%{Acct-Session-Id}' ?
> AND UserName = '%{SQL-User-Name}' ? AND NASIPAddress=
> '%{NAS-IP-Address}'"
> sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId,
> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
> AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
> AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
> ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
> %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}',
> '%{Acct-Authentic}', '', '%{Acct-Input-Octets}',
> '%{Acct-Output-Octets}', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '0')"
> sql: accounting_start_query = "INSERT into radacct (AcctSessionId,
> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
> AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay,
> TunnelClientEndpoint, SourceIPAddress, DestinationIPAddress)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
> '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0',
> '%{Tunnel-Client-Endpoint}', '%{Cisco-AVPair}', '%{Cisco-AVPair}')"
> sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime =
> '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start =
> '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
> UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
> sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S',
> AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
> '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
> AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
> AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
> AND NASIPAddress = '%{NAS-IP-Address}'"
> sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId,
> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
> AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
> %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',
> '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
> '%{Acct-Output-Octets}', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
> '%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
> '%{Acct-Delay-Time}')"
> sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE
> UserName='%{SQL-User-Name}'"
> sql: connect_failure_retry_delay = 60
> sql: simul_count_query = ""
> sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
> NASIPAddress, NASPortId, FramedIPAddress, CallingStationId,
> FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND
> AcctStopTime = 0"
> sql: postauth_table = "radpostauth"
> sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply,
> date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
> '%{reply:Packet-Type}', NOW())"
> sql: safe-characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
> linked
> rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "/etc/shadow"
> unix: group = "(null)"
> unix: radwtmp = "/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Accounting-Request packet from host 10.100.255.17:1813,
> id=229, length=194
> Acct-Status-Type = Start
> NAS-Port = 0
> NAS-IP-Address = 10.100.255.17
> Login-IP-Host = 10.100.248.2
> Login-TCP-Port = 5962
> Acct-Session-Id = "0x002339ee"
> User-Name = ""
> Cisco-AVPair = "ip:source-ip=10.100.248.2"
> Cisco-AVPair = "ip:source-port=4385"
> Cisco-AVPair = "ip:destination-ip=10.100.255.2"
> Cisco-AVPair = "ip:destination-port=5962"
> Processing the preacct section of radiusd.conf
> modcall: entering group preacct for request 3
> modcall[preacct]: module "preprocess" returns noop for request 3
> rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address =
> 10.100.255.17,NAS-IP-Address = 10.100.255.17,Acct-Session-Id =
> "0x002339ee",User-Name = ""'
> rlm_acct_unique: Acct-Unique-Session-ID = "80142e378dd3cad0".
> modcall[preacct]: module "acct_unique" returns ok for request 3
> modcall: group preacct returns ok for request 3
> Processing the accounting section of radiusd.conf
> modcall: entering group accounting for request 3
> radius_xlat: '/var/log/radius/radacct/10.100.255.17/detail-20041104'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
> expands to /var/log/radius/radacct/10.100.255.17/detail-20041104
> modcall[accounting]: module "detail" returns ok for request 3
> modcall[accounting]: module "unix" returns ok for request 3
> radius_xlat: '/var/log/radius/radutmp'
> radius_xlat: ''
> modcall[accounting]: module "radutmp" returns ok for request 3
> radius_xlat: ''
> radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId,
> UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
> AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
> ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
> CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
> FramedIPAddress, AcctStartDelay, AcctStopDelay, TunnelClientEndpoint,
> SourceIPAddress, DestinationIPAddress) values('0x002339ee',
> '80142e378dd3cad0', '', '', '10.100.255.17', '0', '', '2004-11-04
> 13:01:16', '0', '0', '', '', '', '0', '0', '', '', '', '', '', '', '',
> '0', '', 'ip:source-ip=3D10.100.248.2', 'ip:source-ip=3D10.100.248.2')'
> rlm_sql (sql): Reserving sql socket id: 1
> rlm_sql (sql): Released sql socket id: 1
> modcall[accounting]: module "sql" returns ok for request 3
> modcall: group accounting returns ok for request 3
> Sending Accounting-Response of id 229 to 10.100.255.17:1813
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Cleaning up request 3 ID 229 with timestamp 418a7c7c
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 58 with timestamp 418a7c77
> Nothing to do. Sleeping until we see a request.
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow,
ph. +7(095)7952089
fa. +7(095)7952084