Hello Pavel -
OK - I haven't looked at the code, but the "Request Denied" must be
coming from somewhere after the PostAuthHook (in Handler.pm would be
my guess). You could comment out that bit of code or possibly change
it to a "change_attr" as you have in your hook.
Let me know what you end up doing, and we might consider adding a
configuration option to change the behaviour.
regards
Hugh
At 16:22 +0300 01/1/13, pavel wrote:
>Hi Hugh,
>
>I've turned RejectHasReason off - one Reply-Message vanished.
>
>*** Sending to x.x.x.x port 1025 ....
>Code: Access-Reject
>Identifier: 88
>Authentic: <236><214><200><231><185><231><27><20><26><<29><9><222><156><211>z
>Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-IP-Address = 172.16.1.2
> Reply-Message = "Demo limit exceeded"
> Reply-Message = "Request Denied"
>
>
>HI> Hello Pavel -
>
>HI> Very nice work!
>
>HI> I suspect the reason you are getting the three Reply-Message lines is
>HI> because you have "RejectHasReason" in your Handler. You might just
>HI> try turning it off.
>
>HI> regards
>
>HI> Hugh
>
>
>HI> At 14:51 +0300 01/1/13, pavel wrote:
>>>Hi,
>>>
>>>I've written PostAuthHook which controls the number of demo sessions
>>>on our access servers and dynamically clears lines for registered
>>>users (see it below).
>>>Everything works fine but when I try to set custom reject reason
>>>Radiator 2.17.1 puts 3(!) Reply-Message attribute in reply:
>>>
>>>*** Sending to x.x.x.x port 1025 ....
>>>Code: Access-Reject
>>>Identifier: 26
>>>Authentic: <199><15>NJ?<165><241>r<146><246><177><20><231><139>A<12>
>>>Attributes:
>>> Service-Type = Framed-User
>>> Framed-Protocol = PPP
>>> Framed-IP-Netmask = 255.255.255.255
>>> Framed-Routing = None
>>> Framed-MTU = 1500
>>> Framed-Compression = Van-Jacobson-TCP-IP
>>> Framed-IP-Address = 172.16.1.2
>>> Reply-Message = "Demo limit exceeded"
>>> Reply-Message = "Request Denied"
>>> Reply-Message = ""
>>>
>>>It's not critical but annoying.
>>>Is it possible to set just one Reply-Message attribute?
>>>
>>>Here is the excerpt from radius.cfg:
>>>...
>>><SessionDatabase SQL>
>>> Identifier SessDB
>>> DBSource dbi:Oracle:host.somewhere-in.ru
>>> DBUsername zzzz
>>> DBAuth xxxx
>>></SessionDatabase>
>>>...
>>><AuthBy PLSQL>
>>> Identifier DialUp
>>> NoDefault
>>> DBSource dbi:Oracle:host.somewhere-in.ru
>>> DBUsername zzzz
>>> DBAuth xxxx
>>>
>>> # Authentication
>>> AuthBlock BEGIN \
>>> get_user_data('%n','%N',:passwd,:check_item,:reply_item); \
>>> END;
>>>
>>> AuthParamDef :passwd, User-Password, check
>>> AuthParamDef :check_item, GENERIC, check
>>> AuthParamDef :reply_item, GENERIC, reply
>>>
>>> # Accounting
>>> AccountingStopsOnly
>>> AcctSQLStatement DECLARE \
>>> ret_val integer; \
>>> BEGIN \
>>> ret_val := stat.new_dialup_log_record_f('%{User-Name}', \
>>> '%j:%k:%p %f-%g-%i', \
>>> '%{Acct-Session-Time}', \
>>> '%{Acct-Input-Octets}', \
>>> '%{Acct-Output-Octets}', \
>>> '%{Acct-Session-Id}', \
>>> '%{Acct-Terminate-Cause}%{Ascend-Disconnect-Cause}', \
>>> '%N', \
>>> '%{NAS-Port}', \
>>> '%{Framed-IP-Address}'); \
>>> END;
>>></AuthBy>
>>>...
>>><Handler>
>>> AcctLogFileName %L/account.log
>>> PasswordLogFileName %L/password.log
>>>
>>> AuthBy DialUp
>>> PostAuthHook file:"%D/checkDemo"
>>> AccountingHandled
>>> RejectHasReason
>>> SessionDatabase SessDB
>>></Handler>
>>>
>>>
>>>checkDemo
>>>#
>>>sub {
>>> my $request = ${$_[0]};
>>> my $reply = ${$_[1]};
>>> my $result = ${$_[2]};
>>>
>>> &main::log($main::LOG_DEBUG, "Entering checkDemo");
>>>
>>> my %client = (
>>> # client type,limit
>>> 'x.x.x.x' => ['Cisco', 28],
>>> 'y.y.y.y' => ['Ascend', 28]
>>> );
>>> my %kick = (
>>> 'Cisco' => \&kickOnCisco,
>>> 'Ascend' => \&kickOnAscend
>>> );
>>>
>>> # Exit if it's not Access-Request
>>> return if ($request->code ne 'Access-Request');
>>>
>>> my $community = "zzzzzzzzzz";
>>> my $sdb;
>>>
>>> # Get IP of the pool and username
>>> my $nas_ip = $request->get_attr('NAS-IP-Address');
>>> my $user_name = $request->get_attr('User-Name');
>>>
>>> if ($result == $main::ACCEPT) {
>>>
>>> # Check how many lines are used on the pool
>>> $sdb = &Radius::SessGeneric::find('SessDB');
>>> my $lines_used = $sdb->sessionsOnNAS($nas_ip,$request);
>>>
>>> if ($lines_used >= $client{$nas_ip}[1]) {
>>>
>>> if ($user_name eq 'demo') {
>>> ${$_[2]} = $main::REJECT;
>>> $reply->change_attr('Reply-Message','Demo limit exceeded');
>>> &main::log($main::LOG_INFO, "Line limit for demo exceeded($lines_used $client{$nas_ip}[1]) on $nas_ip");
>>> }
>>> else {
>>> # Kick one of the demo
>>> &{$kick{$client{$nas_ip}[0]}}($sdb,$nas_ip,$lines_used - $client{$nas_ip}[1],$user_name);
>>> }
>>> }
>>> }
>>>
>>> &main::log($main::LOG_DEBUG, "Exiting checkDemo");
>>>
>>># Subroutines
>>> sub kickOnCisco {
>>> my $sessdb = $_[0];
>>> my $ip = $_[1];
>>> my $count = $_[2];
>>> my $name = $_[3];
>>>
>>> my $CiscoOID = ".1.3.6.1.4.1.9.2.1.76.0";
>>> my @ifNumber = (13, 14, 15, 16, 17, 18, 19, 20,
>>> 5, 6, 7, 8, 9, 10, 11, 12);
>>>
>>> # Select demos from DB
>>> my $q = "SELECT NASPORT
>>> FROM RADONLINE
>>> WHERE
>>> (NASIDENTIFIER ='$ip') AND
>>> (USERNAME ='demo')";
>>>
>>> my $sth = $sessdb->prepareAndExecute($q);
>>> return unless $sth;
>>>
>>> # Let's kick
>>> my $nasPort;
>>> while (($nasPort) = $sth->fetchrow())
>>> {
>>> &main::log($main::LOG_INFO,"Kicking demo from $ip:$nasPort for $name");
>>> # Kicking
>>> my $result = &Radius::SNMP::snmpset($ip,
>>> $community,
>>> $CiscoOID,
>>> 'i', $ifNumber[$nasPort-1]);
>>>
>>> # Not more than count: stop once $count sessions have been cleared
>>> last if --$count <= 0;
>>> }
>>>
>>> return;
>>> }
>>>
>>> sub kickOnAscend {
>>> my $sessdb = $_[0];
>>> my $ip = $_[1];
>>> my $count = $_[2];
>>> my $name = $_[3];
>>>
>>> # Select demos from DB
>>> my $q = "SELECT ACCTSESSIONID
>>> FROM RADONLINE
>>> WHERE
>>> (NASIDENTIFIER ='$ip') AND
>>> (USERNAME ='demo')";
>>>
>>> my $sth = $sessdb->prepareAndExecute($q);
>>> return unless $sth;
>>>
>>> # Let's kick
>>> my $sessId;
>>> while (($sessId) = $sth->fetchrow())
>>> {
>>> &main::log($main::LOG_INFO,"Kicking demo from $ip, session $sessId for $name");
>>> # Kicking
>>> my $result = &Radius::SNMP::snmpset($ip,
>>> $community,
>>> "$Radius::Nas::AscendMIB.12.3.1.3.$sessId",
>>> 'i', 1);
>>>
>>> # Not more than count: stop once $count sessions have been cleared
>>> last if --$count <= 0;
>>> }
>>>
>>> return;
>>> }
>>>}
>>>
>>>
>>>With respect,
>>>Pavel A Crasotin
>>>____________________________________
>>>OJSC SeverTransCom
>>>40/13 Sobinova, Yaroslavl, 150000, Russia
>>>Tel/Fax: +7 (0852) 47-71-70, 47-69-49
>>> +7 (0852) 72-17-28, 72-17-38
>>>
>>>
>>>
>>>===
>>>Archive at http://www.starport.net/~radiator/
>>>Announcements on [EMAIL PROTECTED]
>>>To unsubscribe, email '[EMAIL PROTECTED]' with
>>>'unsubscribe radiator' in the body of the message.
>
>
>
>With respect,
>Pavel A Crasotin
>____________________________________
>OJSC SeverTransCom
>40/13 Sobinova, Yaroslavl, 150000, Russia
>Tel/Fax: +7 (0852) 47-71-70, 47-69-49
> +7 (0852) 72-17-28, 72-17-38
>
>
>
--
NB: I am travelling this week, so there may be delays in our correspondence.
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
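
An added example, not part of either poster's code: the quoted checkDemo hook reads NAS-IP-Address from the request, indexes %client with it and interpolates it into the RADONLINE queries, so a NAS that is missing from %client leaves the limit undefined and the kick dispatch without a target. The Perl below checks the value against the table first and builds the lookup with placeholders. The names nas_entry, decide and demo_query and the addresses are constructed for illustration, and passing the bind values through plain DBI prepare/execute is an assumption, since the thread does not show how Radiator 2.17.1 would take them.

```perl
use strict;
use warnings;

# NAS table in the same shape as the hook's %client (addresses are constructed).
my %client = (
    '192.0.2.10' => ['Cisco',  28],
    '192.0.2.11' => ['Ascend', 28],
);

# Return (type, limit) for a configured NAS, or an empty list for anything else.
sub nas_entry {
    my ($nas_ip) = @_;
    return unless defined $nas_ip;
    return unless $nas_ip =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;   # dotted quad only
    my $entry = $client{$nas_ip} or return;                    # must be in the table
    return @$entry;
}

# The hook's accept-path decision, with an unknown NAS handled explicitly.
sub decide {
    my ($nas_ip, $user_name, $lines_used) = @_;
    my ($type, $limit) = nas_entry($nas_ip) or return 'unknown-nas';
    return 'pass' if $lines_used < $limit;
    return $user_name eq 'demo' ? 'reject' : "kick-$type";
}

# Demo-session lookup with placeholders instead of '$ip' inside the SQL text.
sub demo_query {
    my ($column, $nas_ip) = @_;
    my %allowed = (NASPORT => 1, ACCTSESSIONID => 1);   # columns the hook selects
    die "unexpected column\n" unless $allowed{$column};
    my $sql = "SELECT $column FROM RADONLINE"
            . " WHERE NASIDENTIFIER = ? AND USERNAME = ?";
    return ($sql, $nas_ip, 'demo');   # plain DBI: prepare($sql), execute(@bind)
}

# Constructed requests: full pool, unknown NAS, malformed attribute value.
for my $case (['192.0.2.10', 'demo', 28], ['192.0.2.10', 'alice', 28],
              ['198.51.100.7', 'alice', 3], ["192.0.2.10'", 'demo', 28]) {
    printf "%-14s %-6s => %s\n", @{$case}[0, 1], decide(@$case);
}
my ($sql, @bind) = demo_query('NASPORT', '192.0.2.10');
print "$sql\n  bind: @bind\n";
```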