Hello Riza -

AddToReply will not work in the way you show below (it expects an attribute = value pair).

I would be inclined to simply add the attributes in the AuthBy LDAP2 clause:

<AuthBy LDAP2>
....
AuthAttrDef radiusciscoavpair, GENERIC, reply
....
</AuthBy>

regards

Hugh


On Tuesday, Nov 19, 2002, at 22:13 Australia/Melbourne, Riza Kamalie wrote:

guys,
 
Running Radiator 3.3.1, authenticating users via LDAP.
 
I'm having a problem with assigning cisco-avpairs via an LDAP attribute to the AddToReply function;
calling it via Radiator doesn't work correctly. It fails with "Bad attribute=value pair: %{RadiusCisco}".
Below is a part of the config and the trace 4 output of the log file.
 
<radius.cfg>
        <AuthBy LDAP2>
               
                UsernameAttr    uid

                AuthAttrDef radiusciscoavpair,RadiusCisco,request
                AuthAttrDef radiusmaxsessions,RadiusMaxSessions,request
 

        </AuthBy>

        <AuthBy FILE>
                Identifier LDAP_NETWORK_PROFILES
                Filename ./eldappy.profile
                StripFromReply RadiusEnabled,RadiusAuthenticationNumber,RadiusAuthentication

 
                AddToReply      %{RadiusCisco}  
 
        </AuthBy>
 
</Handler>
</radius.cfg>
 
<radiator.log>
*** Received from 127.0.0.1 port 47049 ....
Code:       Access-Request
Identifier: 208
Authentic:  1234567890123456
Attributes:
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Framed-User
        NAS-IP-Address = 196.25.1.1
        NAS-Port = 1
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233>n<159><156>h<4><246><188>8<9><160><216>}x<153>"

 
Mon Nov 18 17:18:14 2002: DEBUG: Handling request with Handler 'Request-Type = Access-Request'
Mon Nov 18 17:18:14 2002: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Tue Nov 19 12:09:35 2002: INFO: Connecting to xxxx, port xxx
Tue Nov 19 12:09:35 2002: INFO: Attempting to bind with uid=xx,ou=xx,o=xx,c=xx, unlink (server eldap.worldonline.co.za:389)
Tue Nov 19 12:09:35 2002: DEBUG: LDAP got result for uid=50000328,ou=xxx,ou=xxx,o=xxx,c=xx
Tue Nov 19 12:09:35 2002: DEBUG: LDAP got passwordcleartext: xxxx
Tue Nov 19 12:09:35 2002: DEBUG: LDAP got userpassword: xxxxxx

Tue Nov 19 12:09:35 2002: DEBUG: LDAP got radiusciscoavpair: cisco-avpair="ip:inacl#10=permit udp any any eq 53",cisco-avpair="ip:inacl#40=permit icmp any any",cisco-avpair="ip:inacl#60=permit tcp any 196.41.0.0 0.0.255.255",cisco-avpair="ip:inacl#70=deny ip any any"


Tue Nov 19 12:09:35 2002: DEBUG: LDAP got radiusmaxsessions: 2
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthLDAP2 looks for match with 50000328
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
Tue Nov 19 12:09:35 2002: DEBUG: AuthWOL handle_request: Received from 127.0.0.1 port 59299
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthWOL ACCEPT:
Tue Nov 19 12:09:35 2002: DEBUG: Handling with PORTLIMITCHECK: LDAP_PORTLIMITCHECK
Tue Nov 19 12:09:35 2002: DEBUG: Query is: select count(userid) from radonline where userid='50000328' and CLI not like 'IPASS%'

 
Tue Nov 19 12:09:35 2002: DEBUG: PORTLIMITCHECK got a current session count of 0
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE looks for match with 50000328
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE REJECT: Check item RadiusEnabled expression 'suspend' does not match 'active' in request
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Tue Nov 19 12:09:35 2002: DEBUG: Radius::AuthFILE ACCEPT:


Tue Nov 19 12:09:35 2002: ERR: Bad attribute=value pair: %{RadiusCisco}

Tue Nov 19 12:09:35 2002: DEBUG: Access accepted for 50000328
Tue Nov 19 12:09:35 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 59299 ....
Code:       Access-Accept
Identifier: 3
Authentic:  1234567890123456
Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP

 
</radiator.log>
 
 
 
 
 
Thanks
 
Riza Kamalie
Technical Systems Manager
Engineering

Worldonline 
A Division of Tiscali (Pty) Ltd
+27 (21) 940 9791
+27(0) 82 992 2027  

[EMAIL PROTECTED]
http://www.worldonline.co.za

 
 
Very funny Scotty... Now beam down my clothes!!

 


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
