Hello Sek Chye -
As promised, I have some things ready for you.
On Fri, 03 Nov 2000, Goh Sek Chye wrote:
> Hi! I have a problem here and would appreciate any enlightenment and
> example configuration file.
>
> I am currently testing a GPRS RAS. It can be configured to assign IP
> address dynamically with an IP pool.
>
> However, if it is configured to assign the IP address dynamically, it will
> not send accounting start and stop packet to the Radius server :-(
>
> But if we let Radius server assign IP address dynamically using AuthBy
> DYNADDRESS and AddressAllocator SQL, then the GPRS RAS will be able to
> send accounting start and stop packets. Weird but that is what the
> vendors told me how it should work for their RAS.
>
> However, in our testing with the above setup, we found that the IP address
> never gets deallocated when the user disconnects. From the trace 4 debug,
> we found that the GPRS RAS does not send the Framed-IP-Address attribute
> in the accounting stop packet.
>
> Looking at the source code, we realise that Radiator needs the
> Framed-IP-Address attribute in the accounting stop packet in order to
> deallocate the used IP address.
>
> How can we configure radiator to work with the GPRS RAS in this case?
>
> In addition, we need to configure radiator to authenticate against an
> external SQL Oracle database. On top of that, the radius has to proxy the
> authentication request to at least two different Radius servers for the
> realms "abc.com.sg" and "xyz.com.sg"
>
> How can we configure Radiator to handle all of the different types of
> authentication methods as described above and at the same time allocate IP
> address dynamically for every authentication request?
>
Here are some hints and suggestions:

# configure AuthBy clauses

<AuthBy SQL>
    Identifier CheckSQL
    DBSource ....
    DBUsername ....
    DBAuth ....
    .....
</AuthBy>

<AuthBy RADIUS>
    Identifier Check.abc.com.sg
    Host radius.abc.com.sg
    Secret somesecret
    ReplyHook file:"%D/AllocateIPAddressOnReplyFromProxy"
</AuthBy>

<AuthBy RADIUS>
    Identifier Check.xyz.com.sg
    Host radius.xyz.com.sg
    Secret somesecret
    ReplyHook file:"%D/AllocateIPAddressOnReplyFromProxy"
</AuthBy>

<AddressAllocator SQL>
    Identifier AddressAllocatorSQL
    .....
</AddressAllocator>

<AuthBy DYNADDRESS>
    Identifier AllocateIPAddress
    Allocator AddressAllocatorSQL
    .....
</AuthBy>

# The Handler Identifier must match the AuthBy DYNADDRESS Identifier,
# because the ReplyHook looks the AuthBy up by that name.
<Handler Realm = abc.com.sg>
    Identifier AllocateIPAddress
    AuthBy Check.abc.com.sg
</Handler>

<Handler Realm = xyz.com.sg>
    Identifier AllocateIPAddress
    # proxy this realm to its own AuthBy RADIUS clause
    AuthBy Check.xyz.com.sg
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    AuthBy CheckSQL
    AuthBy AllocateIPAddress
</Handler>

Here is the code for the ReplyHook:

# -*- mode: Perl -*-
# AllocateIPAddressOnReplyFromProxy
#
# ReplyHook to (de)allocate an IP address
# when an AuthBy RADIUS reply is received.
# The Realm/Handler must use the same Identifier
# as the AuthBy DYNADDRESS Identifier.
#
# Also add Class = Framed-IP-Address to allocate
# and the reverse for deallocate.
#
# Author: Hugh Irvine ([EMAIL PROTECTED])
# Copyright (C) 2000 Open System Consultants
# $Id$

sub
{
    my $p = ${$_[0]};   # proxy reply packet
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to proxy
    my $address;

    # Get the Identifier for this Realm/Handler
    my $identifier = Radius::Util::format_special('%{Handler:Identifier}', $op, $rp);
    &main::log($main::LOG_DEBUG, "Using Identifier $identifier");

    # Find the AuthBy clause with the same Identifier
    my $authby = Radius::AuthGeneric::find($identifier);
    &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");

    # Get the request code from the proxy reply.
    my $code = $p->code;

    if ($code eq 'Access-Accept')
    {
        # Set the correct reply code in the reply packet
        # or if the AuthBy is undefined set to Access-Reject.
        if (defined $authby)
        {
            # Strip any Framed-IP-Address and Framed-IP-Netmask
            # just in case the upstream proxy has sent one by mistake
            $rp->delete_attr('Framed-IP-Address');
            $rp->delete_attr('Framed-IP-Netmask');

            # Call handle_request for this AuthBy DYNADDRESS
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            if ($rc == $main::ACCEPT)
            {
                # Get the IP address and add it in a Class attribute
                $address = $rp->get_attr('Framed-IP-Address');
                $rp->add_attr('Class', $address);
            }
            else
            {
                &main::log($main::LOG_ERR, "Allocate IP address failed: $reason");
                $rp->set_code('Access-Reject');
            }
        }
        else
        {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
            $rp->set_code('Access-Reject');
        }
    }
    elsif ($code eq 'Accounting-Response')
    {
        # Call handle_request for this AuthBy DYNADDRESS
        if (defined $authby)
        {
            # Get the IP address from the Class attribute. The NAS echoes
            # Class in the accounting request, so read it from the original
            # request packet, not from the reply to the NAS.
            $address = $op->get_attr('Class');
            $op->add_attr('Framed-IP-Address', $address);
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            if ($rc != $main::ACCEPT)
            {
                &main::log($main::LOG_ERR, "De-allocate IP address failed: $reason");
            }
        }
        else
        {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
        }
    }
    return;
}

If you have any questions, please don't hesitate to ask.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
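
Added example, not part of the message above and not Radiator code: a plain-Perl model of the Class round trip the hook relies on, showing the checks worth applying to the echoed Class value before it is used to release a lease. The pool, the user names and both function names are constructed for illustration, and the lease-owner check is an assumption about what a deployment would want.

```perl
#!/usr/bin/perl
# Added illustration: models the Class round trip with no Radiator modules.
use strict;
use warnings;

# Constructed pool (documentation range); the value is the user holding the lease.
my %pool = map { ("192.0.2.$_" => undef) } 10 .. 12;

# Access-Accept path: lease a free address and return the reply attributes.
sub on_access_accept {
    my ($user) = @_;
    my ($addr) = grep { !defined $pool{$_} } sort keys %pool;
    return unless defined $addr;    # pool exhausted: caller should reject
    $pool{$addr} = $user;
    # Class carries the address so the NAS echoes it in accounting requests.
    return { 'Framed-IP-Address' => $addr, 'Class' => $addr };
}

# Accounting Stop path: the NAS sends no Framed-IP-Address, so recover the
# address from the echoed Class and validate it before freeing anything.
sub on_accounting_stop {
    my ($request) = @_;
    my $class = $request->{'Class'};
    return 'no Class attribute' unless defined $class;
    return 'Class is not an IPv4 address'
        unless $class =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
            && !grep { $_ > 255 } $1, $2, $3, $4;
    return 'address not in pool' unless exists $pool{$class};
    return 'lease held by another user'
        unless defined $pool{$class} && $pool{$class} eq $request->{'User-Name'};
    $pool{$class} = undef;
    return 'released';
}

# Constructed requests: three that must not free the lease, then the real stop.
my $reply = on_access_accept('alice@abc.com.sg');
print "allocated $reply->{'Framed-IP-Address'}\n";
for my $stop (
    { 'User-Name' => 'alice@abc.com.sg' },
    { 'User-Name' => 'alice@abc.com.sg', 'Class' => 'garbage' },
    { 'User-Name' => 'bob@xyz.com.sg',   'Class' => $reply->{'Class'} },
    { 'User-Name' => 'alice@abc.com.sg', 'Class' => $reply->{'Class'} },
) {
    print on_accounting_stop($stop), "\n";
}
```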