We're having some problems with the Class attribute being set improperly
when using the Group= check item. What we're trying to do is have a set
of trial userids log to a different detail file than the non-trial users.
We've put all of the trial users in a unix group (trial) and set the
Class attribute to "trial" for users who match the Group=trial check item.
We then log to detail%{Class}.

We're seeing apparently random cases of non-trial userids having the
Class attribute set to trial and therefore having their accounting info
go to the wrong detail file.

Our server is running Solaris 7 and Radiator 2.14.1, with the latest
patches and the shadows module. I've attached debug output for one
particular session; the userid in question is in group 1000, not group
2000 (the trial group). It looks like getpwnam is getting the correct
group (1000) for the user.

From /etc/group:
customer::1000:
trial::2000:

Here are the relevant parts of our config:
##
# Set global options.
##
AuthPort 1812
AcctPort 1813
DbDir /etc/raddb
LogDir /var/adm/radacct
Trace 4
SnmpgetProg /usr/local/bin/snmpget
##
## Client Definitions
#
<Client xxx.xxx.xxx.5>
    Secret removed
    NasType Livingston
    SNMPCommunity removed
    DupInterval 300
</Client>
##
<AuthBy SYSTEM>
    Identifier System
    UseGetspnam
</AuthBy>
<Handler>
    <AuthBy FILE>
        # The filename defaults to %D/users
        Filename %D/users.trial
    </AuthBy>
    ## Trial userids will have a Class of "trial" and
    ## all others will have no Class attribute set.
    AcctLogFileName %L/%N/detail%{Class}
</Handler>
#
Here's the relevant part of our users (users.trial) file:
# Default Trial Group Dial-Up PPP User System Profile
DEFAULT Auth-Type = System, Group = trial, NAS-Port-Type = Async
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Reply-Message="choice: ",
    Port-Limit = 1,
    Idle-Timeout = 1200,
    Session-Timeout = 28800,
    Class = trial
# Default PPPoE DSL User Profile
DEFAULT Auth-Type = System, NAS-IP-Address = xxx.xxx.xxx.8
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Idle-Timeout = 1200,
    Session-Timeout = 28800
# Default Dial-Up PPP User System Profile
DEFAULT Auth-Type = System, NAS-Port-Type = Async
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Reply-Message="choice: ",
    Port-Limit = 1,
    Idle-Timeout = 1200,
    Session-Timeout = 28800
Are we doing something obviously wrong? :-) Any suggestions would be
greatly appreciated!
Dawn Lovell
[EMAIL PROTECTED]
Thu Jan 27 14:39:01 2000: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.5 port 1028 ....
Code: Access-Request
Identifier: 252
Authentic: gB<219><29><242><250><226><202><22>G<239><127>~<141>%<153>
Attributes:
User-Name = "user1"
User-Password = ""
NAS-IP-Address = xxx.xxx.xxx.5
NAS-Port = 6
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = "24000 LAPM/V42BIS"
Thu Jan 27 14:39:01 2000: DEBUG: Check if Handler should be used to handle this request
Thu Jan 27 14:39:01 2000: DEBUG: Handling request with Handler ''
Thu Jan 27 14:39:01 2000: DEBUG: Deleting session for user1, xxx.xxx.xxx.5, 6
Thu Jan 27 14:39:01 2000: DEBUG: Handling with Radius::AuthFILE
Thu Jan 27 14:39:01 2000: DEBUG: Radius::AuthFILE looks for match with user1
Thu Jan 27 14:39:01 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Thu Jan 27 14:39:01 2000: DEBUG: Handling with Radius::AuthSYSTEM
Thu Jan 27 14:39:01 2000: DEBUG: getpwnam got user1, xxxxxxxxxxxxx, 56861, 1000, , Test User user1, Test User user1, /tmp, /bin/noshell
Thu Jan 27 14:39:01 2000: DEBUG: Radius::AuthSYSTEM looks for match with user1
Thu Jan 27 14:39:01 2000: DEBUG: Radius::AuthSYSTEM REJECT: User user1 is not in Group trial
Thu Jan 27 14:39:01 2000: DEBUG: Radius::AuthFILE REJECT: User user1 is not in Group trial
Thu Jan 27 14:39:01 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Thu Jan 27 14:39:01 2000: DEBUG: Handling with Radius::AuthSYSTEM
Thu Jan 27 14:39:02 2000: DEBUG: getpwnam got user1, xxxxxxxxxxxxx, 56861, 1000, , Test User user1, Test User user1, /tmp, /bin/noshell
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthSYSTEM looks for match with user1
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthSYSTEM REJECT: Check item NAS-IP-Address expression 'xxx.xxx.xxx.8' does not match 'xxx.xxx.xxx.5' in request
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthFILE REJECT: Check item NAS-IP-Address expression 'xxx.xxx.xxx.8' does not match 'xxx.xxx.xxx.5' in request
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
Thu Jan 27 14:39:02 2000: DEBUG: Handling with Radius::AuthSYSTEM
Thu Jan 27 14:39:02 2000: DEBUG: getpwnam got user1, xxxxxxxxxxxxx, 56861, 1000, , Test User user1, Test User user1, /tmp, /bin/noshell
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthSYSTEM looks for match with user1
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthSYSTEM ACCEPT:
Thu Jan 27 14:39:02 2000: DEBUG: Radius::AuthFILE ACCEPT:
Thu Jan 27 14:39:02 2000: DEBUG: Access accepted for user1
Thu Jan 27 14:39:02 2000: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.5 port 1028 ....
Code: Access-Accept
Identifier: 252
Authentic: gB<219><29><242><250><226><202><22>G<239><127>~<141>%<153>
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 255.255.255.254
Framed-Netmask = 255.255.255.255
Reply-Message = "choice: "
Port-Limit = 1
Idle-Timeout = 1200
Session-Timeout = 28800
...
Thu Jan 27 14:39:03 2000: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.5 port 1028 ....
Code: Access-Request
Identifier: 252
Authentic: gB<219><29><242><250><226><202><22>G<239><127>~<141>%<153>
Attributes:
User-Name = "user1"
User-Password = ""
NAS-IP-Address = xxx.xxx.xxx.5
NAS-Port = 6
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = "24000 LAPM/V42BIS"
Thu Jan 27 14:39:03 2000: INFO: Duplicate request id 252 received from xxx.xxx.xxx.5: ignored
...
Thu Jan 27 14:39:03 2000: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.5 port 1028 ....
Code: Accounting-Request
Identifier: 253
Authentic: <134><203>Y<3><251><4><208><135><173><0>~<172><238><128><198><142>
Attributes:
Acct-Session-Id = "8E000A40"
User-Name = "user1"
NAS-IP-Address = xxx.xxx.xxx.5
NAS-Port = 6
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Connect-Info = "24000 LAPM/V42BIS"
Class = "trial"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.xxx.48
Acct-Delay-Time = 0
Thu Jan 27 14:39:03 2000: DEBUG: Check if Handler should be used to handle this request
Thu Jan 27 14:39:03 2000: DEBUG: Handling request with Handler ''
Thu Jan 27 14:39:03 2000: DEBUG: Adding session for user1, xxx.xxx.xxx.5, 6
Thu Jan 27 14:39:03 2000: DEBUG: Handling with Radius::AuthFILE
Thu Jan 27 14:39:03 2000: DEBUG: Accounting accepted
Thu Jan 27 14:39:03 2000: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.5 port 1028 ....
Code: Accounting-Response
Identifier: 253
Authentic: <134><203>Y<3><251><4><208><135><173><0>~<172><238><128><198><142>
Attributes:
Thu Jan 27 14:39:03 2000: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.5 port 1028 ....
Code: Access-Request
Identifier: 252
Authentic: gB<219><29><242><250><226><202><22>G<239><127>~<141>%<153>
Attributes:
User-Name = "user1"
User-Password = ""
NAS-IP-Address = xxx.xxx.xxx.5
NAS-Port = 6
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = "24000 LAPM/V42BIS"
Thu Jan 27 14:39:03 2000: INFO: Duplicate request id 252 received from xxx.xxx.xxx.5: ignored
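
Added example, not part of the original post and not Radiator code: a Python check over Trace 4 packet dumps that flags accounting Start records whose Class differs from the Class sent in the Access-Accept for the same user, client address and NAS-Port, which is the mismatch visible in the debug output above (the Access-Accept carries no Class, the Accounting-Request carries Class = "trial"). The sample log is constructed, 192.0.2.5 is a placeholder address, the function names are this example's own, and the client address is assumed to identify the NAS.

```python
import re

HDR = re.compile(r"^\*\*\* (?:Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r'^\s*([\w-]+)(?::| =) "?(.*?)"?\s*$')

def packets(text):
    """Yield (peer, fields) per packet dump; a timestamped line ends the dump."""
    cur = None
    for line in text.splitlines():
        if (h := HDR.match(line)) or re.match(r"\w{3} \w{3} +\d", line):
            if cur:
                yield cur
            cur = (h.groups(), {}) if h else None
        elif cur and (f := FIELD.match(line)):
            cur[1].setdefault(*f.groups())
    if cur:
        yield cur

def class_mismatches(text):
    """Accounting Starts whose Class differs from that session's Access-Accept."""
    pending, granted, out = {}, {}, []
    for peer, f in packets(text):
        sess = (f.get("User-Name"), peer[0], f.get("NAS-Port"))  # client addr = NAS (assumed)
        rid = peer + (f.get("Identifier"),)
        if f.get("Code") == "Access-Request":
            pending[rid] = sess  # the Accept itself carries no User-Name
        elif f.get("Code") == "Access-Accept" and rid in pending:
            granted[pending.pop(rid)] = f.get("Class")
        elif f.get("Acct-Status-Type") == "Start" and sess in granted:
            if f.get("Class") != granted[sess]:
                out.append((sess[0], granted[sess], f.get("Class")))
    return out

# Constructed sample in the shape of the Trace 4 dumps above (not the poster's log).
SAMPLE = '''*** Received from 192.0.2.5 port 1028 ....
Code: Access-Request
Identifier: 252
User-Name = "user1"
NAS-Port = 6
*** Sending to 192.0.2.5 port 1028 ....
Code: Access-Accept
Identifier: 252
Thu Jan 27 14:39:03 2000: DEBUG: Packet dump:
*** Received from 192.0.2.5 port 1028 ....
Code: Accounting-Request
User-Name = "user1"
NAS-Port = 6
Acct-Status-Type = Start
Class = "trial"'''
print(class_mismatches(SAMPLE))
```

Each finding is a (user, Class granted, Class accounted) tuple; a session whose Access-Accept and accounting Start agree produces no finding.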