Hi everyone,

I am having trouble when using my Tigris NAS and the Radiator RADIUS server.

The problem is (I believe) with the Tigris, but I'm wondering if there are
any suggestions based on my RADIUS config to see if I could be doing
something wrong here.
(Anyone with experience using the Tigris and Radiator can jump in here)

My radius.cfg:

# radius.cfg
#

AuthPort 1812
AcctPort 1813

Foreground
LogStdout
LogDir          D:\radiator
DbDir           D:\radiator

#LogFile %L/%Y%m%d.log
#Trace 5

#DictionaryFile C:\radiator\dictionary.acc

<Log SQL>
        # Adjust DBSource, DBUsername, DBAuth to suit your DB
        DBSource        dbi:mysql:database=wap_stats;host=127.0.0.1
        DBUsername      wap_radius
        DBAuth          <password>
        Table           nrd_radius_log
        Trace           1
</Log>  

<Client x.y.z.15>
        Secret <secret>
        NasType Tigris
        SNMPCommunity public
        FramedGroupBaseAddress          x.y.z.100
        DupInterval 2
</Client>

<Realm DEFAULT>
    AuthByPolicy ContinueAlways

        <AuthBy SQL_MSISDN>
        # Authby Accounting version - needs special mods for use with WAP Gateway 'Fetch MSISDN' function
        # Adjust DBSource, DBUsername, DBAuth to suit your DB
        DBSource        dbi:mysql:database=wap_stats;host=127.0.0.1
        DBUsername      wap_radius
        DBAuth          <password>
        
        # empty authselect should mean no authentication done by this auth entry
        # and we get an ignore
        AuthSelect
        
        # This is the hostname and port of the MSISDN
        # database to where we send details of
        # accounting starts and stops
        MSISDNDatabase  localhost:7777

        # CountryCode will be prepended to Calling-Station-Id
        # to generate MSISDN
        CountryCode     61

        # If this is set, any leading 0 or 9 will be stripped
        # from the Calling-Station-Id before the CountryCode
        # is prepended to form the MSISDN
        StripLeading09

        FramedGroup 0;
        
        # Log all the different fields that the Tigris is sending in the Accounting packet
        AccountingTable nrd_radius_accounting
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   TIME_STAMP,Timestamp,integer
        AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ACCTINPUTPACKETS,Acct-Input-Packets,integer
        AcctColumnDef   ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
        AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef   ACCREASONCODE,Acc-Reason-Code
        AcctColumnDef   NASIDENTIFIER,NAS-Identifier
        AcctColumnDef   NASIPADDRESS,NAS-IP-Address
        AcctColumnDef   NASPORT,NAS-Port,integer
        AcctColumnDef   NASPORTTYPE,NAS-Port-Type
        AcctColumnDef   FRAMEDPROTOCOL,Framed-Protocol
        AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
        AcctColumnDef   CALLEDSTATIONID,Called-Station-Id
        AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
        AcctColumnDef   SERVICETYPE,Service-Type
        AcctColumnDef   CONNECTINFO,Connect-Info
        AcctColumnDef   ACCCONNECTRXSPEED,Acc-Connect-Rx-Speed
        AcctColumnDef   ACCCONNECTTXSPEED,Acc-Connect-Tx-Speed
        AcctColumnDef   ACCINPUTERRORS,Acc-Input-Errors,integer
        AcctColumnDef   ACCOUTPUTERRORS,Acc-Output-Errors,integer
        AcctColumnDef   ACCMODEMMODULATIONTYPE,Acc-Modem_Modulation_Type
        AcctColumnDef   ACCMODEMERRORPROTOCOL,Acc-Modem_Error_Protocol
        AcctColumnDef   ACCDIALPORTINDEX,Acc-Dial-Port-Index,integer
        AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
        AcctColumnDef   ACCSERVICEPROFILE,Acc-Service-Profile
        
    </AuthBy>
    
    <AuthBy SQL_MSISDN>
        # Authby for authentication
        # Adjust DBSource, DBUsername, DBAuth to suit your DB
        DBSource        dbi:mysql:database=users;host=127.0.0.1
        DBUsername      wap_radius
        DBAuth          <password>
                
        AuthSelect select user_id from users where msisdn=+%{MSISDN} and acct_status="ACTIVE"
        
        # This is the hostname and port of the MSISDN
        # database to where we send details of
        # accounting starts and stops
        MSISDNDatabase  localhost:7777

        # CountryCode will be prepended to Calling-Station-Id
        # to generate MSISDN
        CountryCode     61

        # If this is set, any leading 0 or 9 will be stripped
        # from the Calling-Station-Id before the CountryCode
        # is prepended to form the MSISDN
        StripLeading09

        FramedGroup 0;
        
        NoDefaultIfFound
        
        # no accounting options, so accounting will be "short-circuited"

    </AuthBy>
                
    <AuthBy FILE>
        Filename defuser
   </AuthBy>
        
MaxSessions 1
</Realm>

And the 'defuser' file contains the following:

DEFAULT 
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Service-Type = Framed-User

The issue is that what I am trying to achieve is RADIUS authentication, with
no username and password required.

In my situation, we have only GSM mobile incoming calls, and we are very
happy to use the existing user authentication performed by the mobile
network (ie, your number is unique to you, and if you lose it you are going
to have your SIM etc cancelled anyway)  

As such, we want to set up the PPP sessions etc. with as few requirements
as possible.  Essentially, if the person's number (Calling-Station-Id)
appears in the user database and is active, we want to let them set up a
session and give them an IP address without the user needing to go through
any additional authentication stages.

From my brief research, it seems that this is not an overly common way to do
things, and as such it is very difficult to find any information on other
people's attempts etc.

In order to do this, we are presently trying to use the Tigris VPSM
functionality, which generates an Access-Request similar to the following
when it detects an incoming call:

Attributes:
        User-Name = "<called number>"
        User-Password = "<calling number encrypted with secret>"
        NAS-Port = 71
        NAS-Port-Type = ISDN
        Acc-Request-Type = Ring-Indication
        Called-Station-Id = "xxxxxxxxx"
        Calling-Station-Id = "0414576342"
        NAS-IP-Address = 10.28.30.15

I have the RADIUS part where the calling station ID is used to query the
user database up and working fine.   

The 'problem' is that it appears that the Tigris needs some other attributes
sent to it, apart from the defaults I mentioned above.

This is probably not the best place to ask for help with this, but it's
worth a shot...

Anyway, just to be complete, here is my present Tigris config script:

SET SCRIPT VERSION 11.5.4 (ISDN Software Version 10.1)
SET PROMPT WAP_TEST
ADD ACCESS ENTRY x.y.z.0 255.255.255.0 69 TFTP
ADD ACCESS ENTRY x.y.z.0 255.255.255.0 23 TELNET
ADD ACCESS ENTRY x.y.z.0 255.255.255.0 80 HTTP
ADD ACCESS ENTRY x.y.z.0 255.255.255.0 0 PUBLIC
SET SYSTEM OPTIMIZER STATE ON
SET VIRTUAL PORT COUNT 50 0 0 0 0
ADD ACCESS PARTITION ENTRY "WAP" "WAP Trial"
SET ACCESS PARTITION IP GATEWAY "WAP" w.x.y.z
SET ACCESS PARTITION PROXY SERVER "WAP" "VPSM"
SET ARP MODE PROXY
SET STP MODE OFF
SET BRIDGE MODE OFF
SET BOOTP MODE OFF
ADD CALLED NUMBER ENTRY 1 ANY "xxxxxxxxx" "WAP-ANY"
SET CALLED NUMBER AUTHORIZATION MODE 1 ANY "xxxxxxxxx" VPSM
SET CALL MANAGER MESSAGE LEVEL 5
SET DS1 INTERFACE TYPE J7.3 ERICSSON
ADD IP NETWORK ENTRY x.y.z.15 255.255.255.0 J7.1
SET IP UNNUMBERED INTERFACE DEFAULT SOURCE ADDRESS x.y.z.15
SET IP INGRESS FILTERING DISABLED
ADD IP ROUTE ENTRY 0.0.0.0 0.0.0.0 w.x.y.z 1
SET ISDN MESSAGE LEVEL J7.3 3
SET ISDN CLI OPTION J7.3 ON
SET ISDN CALLED NUMBER GROUP J7.3 1
SET MODEM MANAGER MESSAGE LEVEL 5
SET RADIUS PORT COUNT 200
SET RADIUS AUTHENTICATION MESSAGE LEVEL 7
SET RADIUS ACCOUNTING MESSAGE LEVEL 7
SET RADIUS IDENTIFIER "WAP TIGRIS"
SET RADIUS DEBUG MASK 0xff
SET RADIUS IP ADDRESS x.y.z.15
ADD RADIUS AUTHENTICATION SERVER ENTRY 1 10.28.30.16 "secret"
SET RADIUS AUTHENTICATION SERVER ACCESS PARTITION 1 "VPSM"
ADD RADIUS ACCOUNTING SERVER ENTRY 1 10.28.30.16 "secret"
SET RADIUS ACCOUNTING SERVER ACCESS PARTITION 1 "VPSM"
ADD SERVICE PROFILE ENTRY "WAP-ANY" CDNR
SET SERVICE PROFILE ACCESS PARTITION "WAP-ANY" "WAP"
SET SERVICE PROFILE MODEM POOL "WAP-ANY" "DEFAULT"
RESET


Anyone that got this far has my appreciation...   even better if there are
some suggestions on what I can do...

Regards,

Tony Frank

WAP Support
Vodafone FSC
 
Ericsson Australia PTY LTD           
* Email         [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
* Mobile:       0414 576 342            




===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
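
Added example, not part of the original post and not Radiator or Tigris code: a server-side check that the User-Password in a Ring-Indication request decodes to the same number as Calling-Station-Id before that number is turned into the MSISDN used for the database lookup. It assumes the Tigris hides the password with the standard RFC 2865 section 5.2 scheme and that StripLeading09 removes a single leading digit; all function names and the sample values are hypothetical.

```python
import hashlib
import hmac

def _keystream_xor(data: bytes, secret: bytes, prev: bytes) -> bytes:
    # One 16-byte step: XOR the block with MD5(secret + previous block).
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 hiding, as a NAS applies it before sending."""
    size = max(1, -(-len(password) // 16)) * 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; rejects malformed attribute lengths."""
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def to_msisdn(calling_station_id: str, country_code: str = "61") -> str:
    """CountryCode + StripLeading09 as the config comments describe them."""
    digits = calling_station_id.strip()
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("Calling-Station-Id is not a plain digit string")
    if digits[0] in "09":          # assumption: one leading 0 or 9 is stripped
        digits = digits[1:]
    return country_code + digits

def msisdn_for_ring_indication(attrs: dict, secret: bytes, authenticator: bytes):
    """MSISDN if User-Password decodes to Calling-Station-Id, else None."""
    try:
        calling = attrs["Calling-Station-Id"]
        decoded = unhide_password(attrs["User-Password"], secret, authenticator)
        if not hmac.compare_digest(decoded, calling.encode()):
            return None
        return to_msisdn(calling)
    except (KeyError, ValueError):
        return None

# Constructed sample request (secret, authenticator and number are made up).
SECRET, AUTH = b"example-secret", bytes(range(16))
SAMPLE = {"Calling-Station-Id": "0400000001",
          "User-Password": hide_password(b"0400000001", SECRET, AUTH)}
```

A request whose two attributes disagree, or whose password was hidden with a different secret, yields None and never reaches the AuthSelect query.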
