Hello Mariano -

On Saturday 10 February 2001 07:49, Mariano Absatz wrote:
> Hello,
>
> I want to do the following:
>
> We have our own customers authenticating through LDAP (<AuthBy LDAP2>)
> and we keep accounting and the on line users in a MySQL database.
>

OK.

> Now we want to sell access through our NAS to other ISPs (we sell on
> line wireless access, through a shasta tunneling box).
>

Fine.

> The idea is as follows: we wholesale to the other ISP a bunch of
> simultaneous connections with different characteristics, for instance:
>
> 50 64kbps connections
> 30 128kbps connections
> 10 256kbps connections
> 10 512kbps connections
> 5 1mbps connections
>
> We don't care about the other ISP users and passwords or which kind of
> connection they give to each user as long as this ISP's users don't
> exceed the maximum simultaneous connections of each kind.
>
> The idea is that the kind of connection be not preconfigured on the
> user's name or realm, but that the other ISP radius server be able to
> send it to us in an attribute, so they are able to dynamically assign the
> connections.
>
> That is, if they bought the example above, but have 60 customers for the
> 64kb connections, they are able to evaluate when the 51st. user is trying
> to log in and if there is another kind of connection available, they
> assign that.
>
> When we receive the Access-Accept from their radius server we should
> check this attribute and recodify it into a suitable attribute to send to
> the shasta (Shasta-Service-Profile), according to a set of rules.
>
> The quantities of connections for each customer ISP (we expect to have
> more than one) should be changeable on line (I would rather use LDAP than
> SQL, since all our provisioning works with LDAP).
>

Understood.

> Now for the questions:
>
> 1) How should I combine <AuthBy Radius> with <AuthBy PORTLIMITCHECK> so I
> can do the port limit check AFTER I get the Radius Access-Accept.
>

You will need to write a ReplyHook to do this.

> 2) Can I check the limits against something found in an LDAP entry? How?
> Otherwise, is there another solution? (probably through SQL)
>

Yes, your hook code can do anything at all.

> 3) We would like to add the accounting packets to our accounting AND ALSO
> send them to the other ISP. Is it possible, how do we do it?
>

Yes, simply specify a Handler for accounting packets and put multiple 
AuthBy's in it:

<Handler Request-Type = Accounting-Request>
        AuthByPolicy ContinueAlways
        AuthBy mySQLAccounting
        AuthBy SendToRadiusProxy
        .....
</Handler>

If you have multiple target proxies, you could also use the Class attribute 
to differentiate between them:

<Handler Request-Type = Accounting-Request, Class = nnnnn>
        AuthByPolicy ContinueAlways
        AuthBy mySQLAccounting
        AuthBy SendToRadiusProxy
        .....
</Handler>


> 4) What would be the "correct" attribute to pass info from the other ISP
> to us saying "accept and use this specific kind of connection"? I've been
> browsing through the RFCs and Configuration-Token (78) (RFC2869, page
> 31) seems to be the right choice... am I right? (BTW, it could be added
> to the next release of the dictionary ;-)
>

I have just looked at the RFC, and I agree that Configuration-Token would be 
appropriate to use for this application. You can easily add the definition to 
the Radiator dictionary with any standard text editor.

You will also find an example ReplyHook in the Radiator 2.17.1 distribution 
in the file "goodies/hooks.txt". This ReplyHook does most of what you need 
and can be modified as required.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
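
The decision that questions 1, 2 and 4 in the message above ask for, modelled in Python as an added example; it is not Radiator hook code and not taken from goodies/hooks.txt. The ISP name, token values and profile names are constructed, and the limits are the figures quoted in the message.

```python
from dataclasses import dataclass, field

# Constructed token values a customer ISP might send in Configuration-Token,
# mapped to hypothetical Shasta-Service-Profile names.
PROFILE_FOR_TOKEN = {"64k": "wholesale-64k", "128k": "wholesale-128k",
                     "256k": "wholesale-256k", "512k": "wholesale-512k",
                     "1m": "wholesale-1m"}

# Purchased limits per customer ISP ("isp-a" is a constructed name); the
# figures are the ones in the message. In production these would be read
# from LDAP or SQL so they can be changed on line.
LIMITS = {"isp-a": {"64k": 50, "128k": 30, "256k": 10, "512k": 10, "1m": 5}}


@dataclass
class SessionTable:
    """Stand-in for the on-line users database, fed by accounting Start/Stop."""
    active: dict = field(default_factory=dict)  # (isp, token) -> sessions

    def count(self, isp, token):
        return self.active.get((isp, token), 0)

    def start(self, isp, token):
        self.active[(isp, token)] = self.count(isp, token) + 1

    def stop(self, isp, token):
        self.active[(isp, token)] = max(0, self.count(isp, token) - 1)


def handle_proxy_reply(isp, code, attrs, sessions):
    """Decide what goes to the NAS after the customer ISP's server replied."""
    if code != "Access-Accept":
        return code, {}
    token = attrs.get("Configuration-Token")
    limits = LIMITS.get(isp, {})
    # Allow list: a missing or unknown token, or an unknown ISP, is rejected.
    if token not in PROFILE_FOR_TOKEN or token not in limits:
        return "Access-Reject", {"Reply-Message": "unknown service class"}
    if sessions.count(isp, token) >= limits[token]:
        return "Access-Reject", {"Reply-Message": "service class limit reached"}
    # Drop the token and any profile the customer ISP tried to set itself,
    # then add the profile derived from the validated token.
    out = {k: v for k, v in attrs.items()
           if k not in ("Configuration-Token", "Shasta-Service-Profile")}
    out["Shasta-Service-Profile"] = PROFILE_FOR_TOKEN[token]
    return "Access-Accept", out
```

The count is only as current as the accounting feed, so logins that arrive before the matching Accounting-Start is recorded can briefly exceed a limit.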
