Hi Hugh,

I don't think it is necessary to add a new configuration option.
There is a bug in Handler.pm.
Regardless of PostAuthHook, it adds the Reply-Message attribute
twice when the RejectHasReason option is set.

I've made the patch.
It also correctly handles the case of setting Reply-Message in
PostAuthHook.
Hope it will be useful.


Here it is:
*** Handler.pm.orig     Mon Jan 15 11:17:21 2001
--- Handler.pm  Tue Jan 16 12:46:36 2001
***************
*** 579,591 ****
        elsif ($handled == $main::REJECT
               || $handled == $main::REJECT_IMMEDIATE)
        {
            &main::log($main::LOG_INFO, "Access rejected for $name: $reason");
            $self->authlog($main::REJECT, $reason, $p, $rp);
-           $rp->set_code('Access-Reject');
-           $rp->addAttrByNum($Radius::Radius::REPLY_MESSAGE,
-                             'Request Denied');
-           $rp->addAttrByNum($Radius::Radius::REPLY_MESSAGE, $reason)
-               if $self->{RejectHasReason};

            $p->{Client}->replyTo($rp, $p);
        }
--- 579,600 ----
        elsif ($handled == $main::REJECT
               || $handled == $main::REJECT_IMMEDIATE)
        {
+           # Get Reply-Message from reply packet
+           my $rpReason = $rp->getAttrByNum($Radius::Radius::REPLY_MESSAGE);
+
+           if(defined($rpReason)) {
+               &main::log($main::LOG_DEBUG, "Reply-Message=\"$rpReason\" is already 
+set in reply packet");
+               $reason = $rpReason;
+           }
+           else {
+               $rp->addAttrByNum($Radius::Radius::REPLY_MESSAGE,
+                             'Request Denied');
+               $rp->changeAttrByNum($Radius::Radius::REPLY_MESSAGE, $reason)
+                   if $self->{RejectHasReason};
+           }
+           $rp->set_code('Access-Reject');
            &main::log($main::LOG_INFO, "Access rejected for $name: $reason");
            $self->authlog($main::REJECT, $reason, $p, $rp);

            $p->{Client}->replyTo($rp, $p);
        }
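
Review bot: In the new `if(defined($rpReason))` branch, `$reason = $rpReason;` overwrites the handler's own reject reason before the `LOG_INFO` line and the `authlog` call, so whenever a Reply-Message is already in the reply packet the logs record the client-facing text instead of the cause that was passed in, and this happens whether or not `RejectHasReason` is set. Consider keeping `$reason` untouched for logging and only skipping the `addAttrByNum` call in that branch. The `defined` test also treats an empty Reply-Message as already set, so a blank attribute would be sent unchanged; a non-empty check would cover that case. The `LOG_DEBUG` string is wrapped across two lines as mailed, which puts a newline inside the log message if the patch is applied as is.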



        
HI> Hello Pavel -

HI> OK - I haven't looked at the code, but the "Request Denied" must be 
HI> coming from somewhere after the PostAuthHook (in Handler.pm would be 
HI> my guess). You could comment out that bit of code or possibly change 
HI> it to a "change_attr" as you have in your hook.

HI> Let me know what you end up doing, and we might consider adding a 
HI> configuration option to change the behaviour.

HI> regards

HI> Hugh


HI> At 16:22 +0300 01/1/13, pavel wrote:
>>Hi Hugh,
>>
>>I've turned RejectHasReason off - one Reply-Message vanished.
>>
>>*** Sending to x.x.x.x port 1025 ....
>>Code:       Access-Reject
>>Identifier: 88
>>Authentic:  <236><214><200><231><185><231><27><20><26><<29><9><222><156><211>z
>>Attributes:
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>>         Framed-IP-Netmask = 255.255.255.255
>>         Framed-Routing = None
>>         Framed-MTU = 1500
>>         Framed-Compression = Van-Jacobson-TCP-IP
>>         Framed-IP-Address = 172.16.1.2
>>         Reply-Message = "Demo limit exceeded"
>>         Reply-Message = "Request Denied"
>>
>>
>>HI> Hello Pavel -
>>
>>HI> Very nice work!
>>
>>HI> I suspect the reason you are getting the three Reply-Message lines is
>>HI> because you have "RejectHasReason" in your Handler. You might just
>>HI> try turning it off.
>>
>>HI> regards
>>
>>HI> Hugh
>>
>>
>>HI> At 14:51 +0300 01/1/13, pavel wrote:
>>>>Hi,
>>>>
>>>>I've written a PostAuthHook which controls the number of demo sessions
>>>>on our access servers and dynamically clears lines for registered
>>>>users (see it below).
>>>>Everything works fine but when I try to set a custom reject reason
>>>>Radiator 2.17.1 puts 3(!) Reply-Message attributes in the reply:
>>>>
>>>>*** Sending to x.x.x.x port 1025 ....
>>>>Code:       Access-Reject
>>>>Identifier: 26
>>>>Authentic:  <199><15>NJ?<165><241>r<146><246><177><20><231><139>A<12>
>>>>Attributes:
>>>>          Service-Type = Framed-User
>>>>          Framed-Protocol = PPP
>>>>          Framed-IP-Netmask = 255.255.255.255
>>>>          Framed-Routing = None
>>>>          Framed-MTU = 1500
>>>>          Framed-Compression = Van-Jacobson-TCP-IP
>>>>          Framed-IP-Address = 172.16.1.2
>>>>          Reply-Message = "Demo limit exceeded"
>>>>          Reply-Message = "Request Denied"
>>>>          Reply-Message = ""
>>>>
>>>>It's not critical but annoying.
>>>>Is it possible to set just one Reply-Message attribute?
>>>>
>>>>Here is the excerpt from radius.cfg:
>>>>...
>>>><SessionDatabase SQL>
>>>>          Identifier      SessDB
>>>>          DBSource        dbi:Oracle:host.somewhere-in.ru
>>>>          DBUsername      zzzz
>>>>          DBAuth          xxxx
>>>></SessionDatabase>
>>>>...
>>>><AuthBy PLSQL>
>>>>      Identifier  DialUp
>>>>      NoDefault
>>>>      DBSource    dbi:Oracle:host.somewhere-in.ru
>>>>      DBUsername  zzzz
>>>>      DBAuth      xxxx
>>>>
>>>>      # Authentication
>>>>      AuthBlock   BEGIN \
>>>>                  get_user_data('%n','%N',:passwd,:check_item,:reply_item); \
>>>>                  END;
>>>>
>>>>      AuthParamDef        :passwd,        User-Password,  check
>>>>      AuthParamDef        :check_item,    GENERIC,        check
>>>>      AuthParamDef        :reply_item,    GENERIC,        reply
>>>>
>>>>      # Accounting
>>>>      AccountingStopsOnly
>>>>      AcctSQLStatement DECLARE \
>>>>                          ret_val integer; \
>>>>                          BEGIN \
>>>>                   ret_val := stat.new_dialup_log_record_f('%{User-Name}', \
>>>>                                                '%j:%k:%p %f-%g-%i', \
>>>>                                                '%{Acct-Session-Time}', \
>>>>                                                '%{Acct-Input-Octets}', \
>>>>                                                '%{Acct-Output-Octets}', \
>>>>                                                '%{Acct-Session-Id}', \
>>>>                                                '%{Acct-Terminate-Cause}%{Ascend-Disconnect-Cause}', \
>>>>                                                '%N', \
>>>>                                                '%{NAS-Port}', \
>>>>                                                '%{Framed-IP-Address}'); \
>>>>                           END;
>>>></Auth>
>>>>...
>>>><Handler>
>>>>          AcctLogFileName         %L/account.log
>>>>          PasswordLogFileName     %L/password.log
>>>>
>>>>          AuthBy DialUp
>>>>          PostAuthHook file:"%D/checkDemo"
>>>>          AccountingHandled
>>>>          RejectHasReason
>>>>          SessionDatabase         SessDB
>>>></Handler>
>>>>
>>>>
>>>>checkDemo
>>>>#
>>>>sub {
>>>>      my $request = ${$_[0]};
>>>>      my $reply = ${$_[1]};
>>>>      my $result = ${$_[2]};
>>>>
>>>>      &main::log($main::LOG_DEBUG, "Entering checkDemo");
>>>>   
>>>>      my %client = (
>>>>          # client           type,limit
>>>>          'x.x.x.x'  => ['Cisco', 28],
>>>>         'y.y.y.y' => ['Ascend', 28]
>>>>      );
>>>>      my %kick = (
>>>>          'Cisco'         => \&kickOnCisco,
>>>>          'Ascend'        => \&kickOnAscend
>>>>      );
>>>>
>>>>      # Exit if it's not Access-Request
>>>>      return if ($request->code ne 'Access-Request');
>>>>
>>>>      my $community = "zzzzzzzzzz";
>>>>      my $sdb;
>>>>
>>>>      # Get IP of the pool and username
>>>>      my $nas_ip = $request->get_attr('NAS-IP-Address');
>>>>      my $user_name = $request->get_attr('User-Name');
>>>>
>>>>      if ($result == $main::ACCEPT) {
>>>>
>>>>          # Check how many lines are used on the pool
>>>>          $sdb = &Radius::SessGeneric::find('SessDB');
>>>>          my $lines_used = $sdb->sessionsOnNAS($nas_ip,$request);
>>>>       
>>>>          if ($lines_used >= $client{$nas_ip}[1]) {
>>>>
>>>>              if ($user_name eq 'demo') {
>>>>                  ${$_[2]} = $main::REJECT;
>>>>                  $reply->change_attr('Reply-Message','Demo limit exceeded');
>>>>                  &main::log($main::LOG_INFO, "Line limit for demo exceeded($lines_used $client{$nas_ip}[1]) on $nas_ip");
>>>>              }
>>>>              else {
>>>>                  # Kick one of the demos
>>>>                  &{$kick{$client{$nas_ip}[0]}}($sdb,$nas_ip,$lines_used - $client{$nas_ip}[1],$user_name);
>>>>              }
>>>>          }
>>>>      }
>>>>   
>>>>      &main::log($main::LOG_DEBUG, "Exiting checkDemo");
>>>>
>>>># Subroutines
>>>>      sub kickOnCisco {
>>>>          my $sessdb = $_[0];
>>>>          my $ip = $_[1];
>>>>          my $count = $_[2];
>>>>          my $name = $_[3];
>>>>
>>>>          my $CiscoOID = ".1.3.6.1.4.1.9.2.1.76.0";
>>>>          my @ifNumber = (13, 14, 15, 16, 17, 18, 19, 20,
>>>>                          5,  6,  7,  8,  9,  10, 11, 12);
>>>>
>>>>          # Select demos from DB
>>>>          my $q = "SELECT NASPORT
>>>>                      FROM RADONLINE
>>>>                      WHERE
>>>>                          (NASIDENTIFIER ='$ip') AND
>>>>                          (USERNAME ='demo')";
>>>>
>>>>          my $sth = $sessdb->prepareAndExecute($q);
>>>>          return unless $sth;
>>>>
>>>>          # Lets kick
>>>>          my $nasPort;
>>>>          while (($nasPort) = $sth->fetchrow())
>>>>          {
>>>>              &main::log($main::LOG_INFO,"Kicking demo from $ip:$nasPort for $name");
>>>>              # Kicking
>>>>              my $result = &Radius::SNMP::snmpset($ip,
>>>>                              $community,
>>>>                              $CiscoOID,
>>>>                              'i', $ifNumber[$nasPort-1]);
>>>>
>>>>              # Not more than count
>>>>              last if --$count ;
>>>>          }
>>>>
>>>>          return;
>>>>      }
>>>>   
>>>>      sub kickOnAscend {
>>>>          my $sessdb = $_[0];
>>>>          my $ip = $_[1];
>>>>          my $count = $_[2];
>>>>          my $name = $_[3];
>>>>
>>>>          # Select demos from DB
>>>>          my $q = "SELECT ACCTSESSIONID
>>>>                      FROM RADONLINE
>>>>                      WHERE
>>>>                          (NASIDENTIFIER ='$ip') AND
>>>>                          (USERNAME ='demo')";
>>>>
>>>>          my $sth = $sessdb->prepareAndExecute($q);
>>>>          return unless $sth;
>>>>
>>>>          # Lets kick
>>>>          my $sessId;
>>>>          while (($sessId) = $sth->fetchrow())
>>>>          {
>>>>              &main::log($main::LOG_INFO,"Kicking demo from $ip, session $sessId for $name");
>>>>              # Kicking
>>>>              my $result = &Radius::SNMP::snmpset($ip,
>>>>                              $community,
>>>>                              "$Radius::Nas::AscendMIB.12.3.1.3.$sessId",
>>>>                              'i', 1);
>>>>
>>>>              # Not more than count
>>>>              last if --$count ;
>>>>          }
>>>>
>>>>          return;
>>>>      }
>>>>}
>>>>
>>>>
>>>>With respect,
>>>>Pavel A Crasotin
>>>>____________________________________
>>>>OJSC SeverTransCom
>>>>40/13 Sobinova, Yaroslavl, 150000, Russia
>>>>Tel/Fax: +7 (0852) 47-71-70, 47-69-49
>>>>           +7 (0852) 72-17-28, 72-17-38
>>>>
>>>>
>>>>
>>>>===
>>>>Archive at http://www.starport.net/~radiator/
>>>>Announcements on [EMAIL PROTECTED]
>>>>To unsubscribe, email '[EMAIL PROTECTED]' with
>>>>'unsubscribe radiator' in the body of the message.
>>
>>
>>



With respect,
Pavel A Crasotin
____________________________________
OJSC SeverTransCom
40/13 Sobinova, Yaroslavl, 150000, Russia
Tel/Fax: +7 (0852) 47-71-70, 47-69-49
         +7 (0852) 72-17-28, 72-17-38


