Hello Pavel -

Very nice work!

I suspect the reason you are getting the three Reply-Message lines is 
because you have "RejectHasReason" in your Handler. You might just 
try turning it off.

regards

Hugh


At 14:51 +0300 01/1/13, pavel wrote:
>Hi,
>
>I've written a PostAuthHook which controls the number of demo sessions
>on our access servers and dynamically clears lines for registered
>users (see it below).
>Everything works fine, but when I try to set a custom reject reason,
>Radiator 2.17.1 puts 3(!) Reply-Message attributes in the reply:
>
>*** Sending to x.x.x.x port 1025 ....
>Code:       Access-Reject
>Identifier: 26
>Authentic:  <199><15>NJ?<165><241>r<146><246><177><20><231><139>A<12>
>Attributes:
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Framed-IP-Address = 172.16.1.2
>         Reply-Message = "Demo limit exceeded"
>         Reply-Message = "Request Denied"
>         Reply-Message = ""
>
>It's not critical but annoying.
>Is it possible to set just one Reply-Message attribute?
>
>Here is the excerpt from radius.cfg:
>...
><SessionDatabase SQL>
>         Identifier      SessDB
>         DBSource        dbi:Oracle:host.somewhere-in.ru
>         DBUsername      zzzz
>         DBAuth          xxxx
></SessionDatabase>
>...
><AuthBy PLSQL>
>     Identifier  DialUp
>     NoDefault
>     DBSource    dbi:Oracle:host.somewhere-in.ru
>     DBUsername  zzzz
>     DBAuth      xxxx
>
>     # Authentication
>     AuthBlock   BEGIN \
>                 get_user_data('%n','%N',:passwd,:check_item,:reply_item); \
>                 END;
>
>     AuthParamDef        :passwd,        User-Password,  check
>     AuthParamDef        :check_item,    GENERIC,        check
>     AuthParamDef        :reply_item,    GENERIC,        reply
>
>     # Accounting
>     AccountingStopsOnly
>     AcctSQLStatement DECLARE \
>                         ret_val integer; \
>                         BEGIN \
>                  ret_val := stat.new_dialup_log_record_f('%{User-Name}', \
>                                               '%j:%k:%p %f-%g-%i', \
>                                               '%{Acct-Session-Time}', \
>                                               '%{Acct-Input-Octets}', \
>                                               '%{Acct-Output-Octets}', \
>                                               '%{Acct-Session-Id}', \
>                                               '%{Acct-Terminate-Cause}%{Ascend-Disconnect-Cause}', \
>                                               '%N', \
>                                               '%{NAS-Port}', \
>                                               '%{Framed-IP-Address}'); \
>                          END;
></AuthBy>
>...
><Handler>
>         AcctLogFileName         %L/account.log
>         PasswordLogFileName     %L/password.log
>
>         AuthBy DialUp
>         PostAuthHook file:"%D/checkDemo"
>         AccountingHandled
>         RejectHasReason
>         SessionDatabase         SessDB
></Handler>
>
>
>checkDemo
>#
>sub {
>     my $request = ${$_[0]};
>     my $reply = ${$_[1]};
>     my $result = ${$_[2]};
>
>     &main::log($main::LOG_DEBUG, "Entering checkDemo");
>    
>     my %client = (
>         # client           type,limit
>         'x.x.x.x'  => ['Cisco', 28],
>         'y.y.y.y' => ['Ascend', 28]
>     );
>     my %kick = (
>         'Cisco'         => \&kickOnCisco,
>         'Ascend'        => \&kickOnAscend
>     );
>
>     # Exit if it's not Access-Request
>     return if ($request->code ne 'Access-Request');
>
>     my $community = "zzzzzzzzzz";
>     my $sdb;
>
>     # Get IP of the pool and username
>     my $nas_ip = $request->get_attr('NAS-IP-Address');
>     my $user_name = $request->get_attr('User-Name');
>
>     if ($result == $main::ACCEPT) {
>
>         # Check how many lines are used on the pool
>         $sdb = &Radius::SessGeneric::find('SessDB');
>         my $lines_used = $sdb->sessionsOnNAS($nas_ip,$request);
>        
>         if ($lines_used >= $client{$nas_ip}[1]) {
>
>             if ($user_name eq 'demo') {
>                 ${$_[2]} = $main::REJECT;
>                 $reply->change_attr('Reply-Message','Demo limit exceeded');
>                 &main::log($main::LOG_INFO, "Line limit for demo exceeded($lines_used $client{$nas_ip}[1]) on $nas_ip");
>             }
>             else {
>                 # Kick one of the demos
>                 &{$kick{$client{$nas_ip}[0]}}($sdb,$nas_ip,$lines_used - $client{$nas_ip}[1],$user_name);
>             }
>         }
>     }
>    
>     &main::log($main::LOG_DEBUG, "Exiting checkDemo");
>
># Subroutines
>     sub kickOnCisco {
>         my $sessdb = $_[0];
>         my $ip = $_[1];
>         my $count = $_[2];
>         my $name = $_[3];
>
>         my $CiscoOID = ".1.3.6.1.4.1.9.2.1.76.0";
>         my @ifNumber = (13, 14, 15, 16, 17, 18, 19, 20,
>                         5,  6,  7,  8,  9,  10, 11, 12);
>
>         # Select demos from DB
>         my $q = "SELECT NASPORT
>                     FROM RADONLINE
>                     WHERE
>                         (NASIDENTIFIER ='$ip') AND
>                         (USERNAME ='demo')";
>
>         my $sth = $sessdb->prepareAndExecute($q);
>         return unless $sth;
>
>         # Let's kick
>         my $nasPort;
>         while (($nasPort) = $sth->fetchrow())
>         {
>             &main::log($main::LOG_INFO,"Kicking demo from $ip:$nasPort for $name");
>             # Kicking
>             my $result = &Radius::SNMP::snmpset($ip,
>                             $community,
>                             $CiscoOID,
>                             'i', $ifNumber[$nasPort-1]);
>                                                                           
>             # Not more than count (always at least one)
>             last if --$count <= 0;
>         }
>
>         return;
>     }
>    
>     sub kickOnAscend {
>         my $sessdb = $_[0];
>         my $ip = $_[1];
>         my $count = $_[2];
>         my $name = $_[3];
>
>         # Select demos from DB
>         my $q = "SELECT ACCTSESSIONID
>                     FROM RADONLINE
>                     WHERE
>                         (NASIDENTIFIER ='$ip') AND
>                         (USERNAME ='demo')";
>
>         my $sth = $sessdb->prepareAndExecute($q);
>         return unless $sth;
>
>         # Let's kick
>         my $sessId;
>         while (($sessId) = $sth->fetchrow())
>         {
>             &main::log($main::LOG_INFO,"Kicking demo from $ip, session $sessId for $name");
>             # Kicking
>             my $result = &Radius::SNMP::snmpset($ip,
>                             $community,
>                             "$Radius::Nas::AscendMIB.12.3.1.3.$sessId",
>                             'i', 1);
>                                                                           
>             # Not more than count (always at least one)
>             last if --$count <= 0;
>         }
>
>         return;
>     }
>}
>
>
>With respect,
>Pavel A Crasotin
>____________________________________
>OJSC SeverTransCom
>40/13 Sobinova, Yaroslavl, 150000, Russia
>Tel/Fax: +7 (0852) 47-71-70, 47-69-49
>          +7 (0852) 72-17-28, 72-17-38
>
>
>
>===
>Archive at http://www.starport.net/~radiator/
>Announcements on [EMAIL PROTECTED]
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
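
To confirm the effect of a change such as removing RejectHasReason, the Access-Reject packets in a debug trace can be checked mechanically. The following is an added example, not part of the original thread or of Radiator: it parses the trace format quoted above and reports repeated or empty Reply-Message attributes, plus attributes that RFC 2865 does not allow in an Access-Reject (the quoted trace still carries the Framed-* reply items). The sample trace, its address and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the trace format quoted in this thread
# (placeholder address, Authentic line omitted).
SAMPLE_TRACE = '''\
*** Sending to 192.0.2.10 port 1025 ....
Code:       Access-Reject
Identifier: 26
Attributes:
        Framed-IP-Address = 172.16.1.2
        Reply-Message = "Demo limit exceeded"
        Reply-Message = "Request Denied"
        Reply-Message = ""
'''

# RFC 2865 permits only these two attributes in an Access-Reject.
ALLOWED_IN_REJECT = {"Reply-Message", "Proxy-State"}
ATTR_RE = re.compile(r'^[ \t]+([\w-]+) = (.*)$', re.M)

def parse_packets(trace):
    """Split a trace into dicts holding code, identifier and (name, value) pairs."""
    packets = []
    # Every packet dump starts with a '*** Sending to' / '*** Received from' line.
    for block in re.split(r'^\*\*\* .*$', trace, flags=re.M)[1:]:
        code = re.search(r'^Code:\s*(\S+)', block, re.M)
        ident = re.search(r'^Identifier:\s*(\d+)', block, re.M)
        attrs = [(n, v.strip('"')) for n, v in ATTR_RE.findall(block)]
        packets.append({"code": code and code.group(1),
                        "id": ident and int(ident.group(1)), "attrs": attrs})
    return packets

def audit_rejects(trace):
    """Map packet identifier -> findings for each problematic Access-Reject."""
    report = {}
    for p in (p for p in parse_packets(trace) if p["code"] == "Access-Reject"):
        counts = Counter(name for name, _ in p["attrs"])
        found = []
        if counts["Reply-Message"] > 1:
            found.append(f"{counts['Reply-Message']} Reply-Message attributes")
        if ("Reply-Message", "") in p["attrs"]:
            found.append("empty Reply-Message")
        extra = sorted(set(counts) - ALLOWED_IN_REJECT)
        if extra:
            found.append("not allowed in a reject: " + ", ".join(extra))
        if found:
            report[p["id"]] = found
    return report

if __name__ == "__main__":
    for ident, findings in audit_rejects(SAMPLE_TRACE).items():
        print(f"Access-Reject id {ident}: " + "; ".join(findings))
```
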
