Hi Heikki,

The attribute in the LDAP for RB-Context-Name has changed from safe to ngn,
but in the accounting that is sent to the proxy the attribute value didn't change:

RB-Context-Name = "safe"

The hook is acting as expected; the problem is that some of the attribute values stay the same and some of them changed.

BR,
Eliran

On Tue, Dec 17, 2013 at 4:08 PM, Heikki Vatiainen <[email protected]> wrote:

> On 12/17/2013 10:51 AM, eliran shlomo wrote:
>
> > This is the trace
> >
> > Correct attributes are marked in blue, wrong in red.
>
> Hello Eliran,
>
> you had marked 'Class = "ngn"' in the Access-Request with blue. The same
> value also comes in with Accounting-Request and based on the debug your
> hook changes it to 'Class = "safe_ngn"'. This you have marked with red
> in the proxied Accounting-Request.
>
> This is a bit confusing, I'm not sure what your desired outcome is but
> at least it looks like the hook you have does change the contents before
> the request is proxied out.
>
> Thanks,
> Heikki
>
> > please advise and many thanks!
> >
> > Eliran
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Received from ********** port 1812 ....
> > Code: Access-Request
> > Identifier: 104
> > Authentic: <191><244>\<241><27><135><242><251>A^<197><247><164><237><150><250>
> > Attributes:
> >     User-Name = "bdynamic_test1"
> >     User-Password = ;<133><181>}<24><228>E<248><19>><198>G<202><253>U<199>
> >     Service-Type = Authorize-Only
> >     Framed-Protocol = PPP
> >     NAS-Identifier = "SE600-LAB"
> >     NAS-IP-Address = ********
> >     NAS-Port = 2432705629
> >     NAS-Port-Type = Virtual
> >     NAS-Port-Id = "L2TP LNS 9309"
> >     RB-Medium-Type = DSL
> >     Connect-Info = "1000000000/1000000000"
> >     RB-NAS-Port = "<0><0><0><3>"
> >     RB-Platform-Type = "<0><0><0><6>"
> >     RB-OS-Version = "11.1.2.5"
> >     Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
> >     Tunnel-Type = 0:L2TP
> >     Tunnel-Medium-Type = 0:IP
> >     Tunnel-Server-Endpoint = *****
> >     Tunnel-Client-Endpoint = *****
> >     Tunnel-Server-Auth-ID = SE600-LAB
> >     Tunnel-Client-Auth-ID = big-se-2-600-ptk
> >     RB-Tunnel-Max-Sessions = 0:65535
> >     RB-Tunnel-Max-Tunnels = 0:32767
> >     RB-Tunnel-Function = 0:LNS-Only
> >     Tunnel-ID = big-se-2-600-ptk:31113:11486
> >     RB-LAC-Port = 1744830812
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling request with Handler 'NAS-Port-Type=ADSL', Identifier ''
> > Tue Dec 17 09:27:23 2013: DEBUG: RewriteFunction rewrote user name to bdynamic_test1
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthLDAP2: LDAP_User
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got result for uid=bdynamic_test1,ou=People,o=*****,c=****
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got chapPassword: ******
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authServiceProtocol: Framed-User
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authPortLimit: 2
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got authhostporttype: /^(ISDN|Async|Virtual|Sync|ADSL|CABLE|HOTSPOT)$/
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RateLimitRate: 100000
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got PoliceRate: 2360
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got PoliceBurst: 12000000
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RateLimitBurst: 30000
> > Tue Dec 17 09:27:23 2013: DEBUG: LDAP got RedbackContextname: ngn
> > Tue Dec 17 09:27:23 2013: DEBUG: request packet
> > TEST-SE
> > Tue Dec 17 09:27:23 2013: ERR: user: bdynamic_test1 Pool is empty: adding default to pool , set class to ngn
> > Tue Dec 17 09:27:23 2013: DEBUG: Radius::AuthLDAP2 looks for match with bdynamic_test1 [bdynamic_test1]
> > Tue Dec 17 09:27:23 2013: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='bdynamic_test1' and ACTIVE = TRUE and NASIDENTIFIER != '*********' and NASPORT != '9309'':
> > Tue Dec 17 09:27:23 2013: DEBUG: Radius::AuthLDAP2 ACCEPT: : bdynamic_test1 [bdynamic_test1]
> > Tue Dec 17 09:27:23 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
> > Tue Dec 17 09:27:23 2013: DEBUG: Access accepted for bdynamic_test1
> > Tue Dec 17 09:27:23 2013: DEBUG: do query is: 'insert into RADAUTHLOG (HOSTNAME, NASID, TIME_STAMP, USERNAME, TYPE) values ('test4','********', 1387265243, 'bdynamic_test1', 1)':
> > Tue Dec 17 09:27:23 2013: INFO: process
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Sending to ********** port 1812 ....
> >
> > Code: Access-Accept
> > Identifier: 104
> > Authentic: LA<187><223>J<194><4><208><135><174>x<232><181><148><220><189>
> > Attributes:
> >     Service-Type = Framed-User
> >     Port-Limit = 2
> >     Ascend-Maximum-Channels = 2
> >     Class = "ngn"
> >     RB-Police-Rate = 2360
> >     RB-Context-Name = "ngn"
> >     RB-QoS-Metering-Profile-Name = "100000"
> >     RB-Ip-Address-Pool-Name = "default"
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Received from ************** port 1812 ....
> >
> > Code: Accounting-Request
> > Identifier: 76
> > Authentic: p<167><15><12><168><212><144><12>7<223><218>%?<208><164><193>
> > Attributes:
> >     User-Name = "bdynamic_test1"
> >     Acct-Status-Type = Alive
> >     Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     RB-Acct-Update-Reason = AAA-Load-Acct-Subscriber-Reauth
> >     NAS-Identifier = "SE600-LAB"
> >     NAS-IP-Address = **********
> >     NAS-Port = 2432705629
> >     NAS-Port-Type = Virtual
> >     NAS-Port-Id = "L2TP LNS 9309"
> >     RB-Medium-Type = DSL
> >     Connect-Info = "1000000000/1000000000"
> >     RB-Platform-Type = "<0><0><0><6>"
> >     RB-OS-Version = "11.1.2.5"
> >     Acct-Authentic = RADIUS
> >     Port-Limit = 2
> >     RB-Context-Name = "safe"
> >     RB-Ip-Address-Pool-Name = "default"
> >     RB-Client-DNS-Pri = ******
> >     RB-Client-DNS-Sec = *****
> >     Framed-IP-Address = *******
> >     Framed-IP-Netmask = 255.255.255.255
> >     Tunnel-Type = 0:L2TP
> >     Tunnel-Medium-Type = 0:IP
> >     Tunnel-Server-Endpoint = *******
> >     Tunnel-Client-Endpoint = ********
> >     Tunnel-Server-Auth-ID = SE600-LAB
> >     Tunnel-Client-Auth-ID = big-se-2-600-ptk
> >     RB-Tunnel-Max-Sessions = 0:65535
> >     RB-Tunnel-Max-Tunnels = 0:32767
> >     RB-Tunnel-Function = 0:LNS-Only
> >     Tunnel-ID = big-se-2-600-ptk:31113:11486
> >     RB-LAC-Port = 1744830812
> >     Acct-Session-Time = 14
> >     Acct-Input-Packets = 16
> >     Acct-Output-Packets = 11
> >     Acct-Input-Octets = 1727
> >     Acct-Output-Octets = 1081
> >     Acct-Input-Gigawords = 0
> >     Acct-Output-Gigawords = 0
> >     RB-Acct-Input-Packets-64 = 0x10
> >     RB-Acct-Output-Packets-64 = 0xb
> >     RB-Acct-Input-Octets-64 = 0x6bf
> >     RB-Acct-Output-Octets-64 = 0x439
> >     RB-Acct-Mcast-In-Packets = 0
> >     RB-Acct-Mcast-Out-Packet = 0
> >     RB-Acct-Mcast-In-Octets = 0
> >     RB-Acct-Mcast-Out-Octets = 0
> >     RB-Acct-Mcast-In-Packets-64 = 0x0
> >     RB-Acct-Mcast-Out-Packets-64 = 0x0
> >     RB-Acct-Mcast-In-Octets-64 = 0x0
> >     RB-Acct-Mcast-Out-Octets-64 = 0x0
> >     RB-QoS-Metering-Profile-Name = "100000"
> >     Class = "ngn"
> >     Event-Timestamp = 1387269490
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling request with Handler 'NAS-IP-Address=*****, Request-Type=Accounting-Request, Acct-Status-Type = /^Alive/', Identifier ''
> > Tue Dec 17 09:27:23 2013: DEBUG: RewriteFunction rewrote user name to bdynamic_test1
> > Tue Dec 17 09:27:23 2013: ERR: DA: user: bdynamic_test1 Context safe: setting class to safe . '_' . 'ngn'
> > Tue Dec 17 09:27:23 2013: DEBUG: Handling with Radius::AuthRADIUS
> > Tue Dec 17 09:27:23 2013: ERR: There is no value named ADSL for attribute NAS-Port-Type. Using 0.
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Sending to proxyserver port 1813 ....
> >
> > Code: Accounting-Request
> > Identifier: 6
> > Authentic: 4<252><29><17>z<4>}<151><21>I'fvv<153><150>
> > Attributes:
> >     User-Name = "bdynamic_test1"
> >     Acct-Status-Type = Alive
> >     Acct-Session-Id = "FF10FFFF5800245D-52B00D63"
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     RB-Acct-Update-Reason = AAA-Load-Acct-Subscriber-Reauth
> >     NAS-Identifier = "SE600-LAB"
> >     NAS-IP-Address = ********
> >     NAS-Port = 9309
> >     NAS-Port-Id = "L2TP LNS 9309"
> >     RB-Medium-Type = DSL
> >     Connect-Info = "1000000000/1000000000"
> >     RB-Platform-Type = "<0><0><0><6>"
> >     RB-OS-Version = "11.1.2.5"
> >     Acct-Authentic = RADIUS
> >     Port-Limit = 2
> >     RB-Context-Name = "safe"
> >     RB-Ip-Address-Pool-Name = "default"
> >     RB-Client-DNS-Pri = **********
> >     RB-Client-DNS-Sec = *********
> >     Framed-IP-Address = **********
> >     Framed-IP-Netmask = 255.255.255.255
> >     Tunnel-Type = 0:L2TP
> >     Tunnel-Medium-Type = 0:IP
> >     Tunnel-Server-Endpoint = ******
> >     Tunnel-Client-Endpoint = ********
> >     Tunnel-Server-Auth-ID = SE600-LAB
> >     Tunnel-Client-Auth-ID = big-se-2-600-ptk
> >     RB-Tunnel-Max-Sessions = 0:65535
> >     RB-Tunnel-Max-Tunnels = 0:32767
> >     RB-Tunnel-Function = 0:LNS-Only
> >     Tunnel-ID = big-se-2-600-ptk:31113:11486
> >     RB-LAC-Port = 1744830812
> >     Acct-Session-Time = 14
> >     Acct-Input-Packets = 16
> >     Acct-Output-Packets = 11
> >     Acct-Input-Octets = 1727
> >     Acct-Output-Octets = 1081
> >     Acct-Input-Gigawords = 0
> >     Acct-Output-Gigawords = 0
> >     RB-Acct-Input-Packets-64 = 0x10
> >     RB-Acct-Output-Packets-64 = 0xb
> >     RB-Acct-Input-Octets-64 = 0x6bf
> >     RB-Acct-Output-Octets-64 = 0x439
> >     RB-Acct-Mcast-In-Packets = 0
> >     RB-Acct-Mcast-Out-Packet = 0
> >     RB-Acct-Mcast-In-Octets = 0
> >     RB-Acct-Mcast-Out-Octets = 0
> >     RB-Acct-Mcast-In-Packets-64 = 0x0
> >     RB-Acct-Mcast-Out-Packets-64 = 0x0
> >     RB-Acct-Mcast-In-Octets-64 = 0x0
> >     RB-Acct-Mcast-Out-Octets-64 = 0x0
> >     RB-QoS-Metering-Profile-Name = "100000"
> >     Class = "safe_ngn"
> >     Event-Timestamp = 1387269490
> >     NAS-Port-Type = ADSL
> >     Timestamp = 1387265243
> >     Acct-Delay-Time = 0
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> > Tue Dec 17 09:27:23 2013: DEBUG: Accounting accepted
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Sending to *********** port 1812 ....
> >
> > Code: Accounting-Response
> > Identifier: 76
> > Authentic: <15>v<16><224>`<211><179>2<153>=<154><218><10><147>+<219>
> > Attributes:
> >
> > Tue Dec 17 09:27:23 2013: DEBUG: Received reply in AuthRADIUS for req 6 from ********:1813
> > Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
> > *** Received from ******** port 1813 ....
> >
> > Code: Accounting-Response
> > Identifier: 6
> > Authentic: r<206><143>zr<5><170><5>L<12><30><227>B<214><210><13>
> > Attributes:
> >
> >
> > proxyhook.pl
> >
> > sub {
> >
> >     my $p = ${$_[0]}; # proxy reply packet
> >     my $context = lc($p->get_attr('RB-Context-Name'));
> >     my $class = lc($p->get_attr('Class'));
> >     my $pool = lc($p->get_attr('RB-Ip-Address-Pool-Name'));
> >     my $usern=$p->get_attr('User-Name');
> >
> >     if ( $context =~ /^(gamer|safe|ngn|big)$/ ) {
> >
> >         if ( $pool =~ /^(ngn|xngn|NGN|XNGN)$/ ) {
> >             if ( $context =~ /^(gamer)$/ ) {
> >                 $p->change_attr('Class', $context . '_' . 'ngn');
> >                 ## Logs ##
> >                 &main::log($main::LOG_ERR, "DA: user: $usern Context gamer: setting class to $context . '_' . 'ngn'");
> >             }
> >         } elsif ( $class =~ /^(ngn|xngn|NGN|XNGN)$/ ) {
> >             if ( $context =~ /^(gamer)$/ ) {
> >                 $p->change_attr('Class', $context . '_' . 'ngn');
> >                 ## Logs ##
> >                 &main::log($main::LOG_ERR, "DA: user: $usern Context gamer: setting class to $context . '_' . 'ngn'");
> >             } elsif ( $context =~ /^(safe)$/ ) {
> >                 $p->change_attr('Class', $context . '_' . 'ngn');
> >                 &main::log($main::LOG_ERR, "DA: user: $usern Context safe: setting class to $context . '_' . 'ngn'");
> >             }
> >
> >         } elsif ( $class =~ /^(default|safe)$/ ) {
> >             $p->change_attr('Class', $context);
> >             &main::log($main::LOG_ERR, "DA: user: $usern Context $class pool default: setting class to $context ");
> >         } elsif ( $class =~ /^(ngn)$/ ) {
> >             $p->change_attr('Class', 'ngn');
> >             &main::log($main::LOG_ERR, "DA: user: $usern Context $class pool default: setting class to $context ");
> >         } elsif ( $context =~ /^(gamer)$/ ) {
> >             $p->change_attr('Class', $context);
> >             ## Logs ##
> >             &main::log($main::LOG_ERR, "DA: user: $usern Context&pool gamer: setting class to $context ");
> >         } elsif ( $context =~ /^(big)$/ ) {
> >             $p->change_attr('Class', 'gamer');
> >             ## Logs ##
> >             &main::log($main::LOG_ERR, "DA: user: $usern Context big: setting class to gamer ");
> >         }
> >
> >     }
> >
> > }
> >
> >
> > On Dec 16, 2013 5:08 PM, "Heikki Vatiainen" <[email protected]> wrote:
> >
> > On 12/16/2013 03:44 PM, eliran shlomo wrote:
> >
> > > I have a proxy RADIUS that receives different attributes than the NAS.
> > >
> > > When I change an attribute in the LDAP and tell the NAS to get an update
> > > the NAS receives all updated values.
> > > But the values that are sent to the proxy contain old data.
> >
> > Hello Eliran,
> >
> > are you changing $p (the current request) in the hook? $p is what the
> > outgoing request in AuthBy RADIUS is based on.
> >
> > It's a bit hard to say more without Trace 4 logs and the hook.
> >
> > Thanks,
> > Heikki
> >
> > > please advise.
> > >
> > > Thanks,
> > >
> > > Eliran
> > >
> > > The AuthBy looks like this
> > >
> > > <AuthBy RADIUS>
> > >     Identifier ProxyAccounting
> > >     Host x.x.x.x
> > >     NoForwardAuthentication
> > >     IgnoreAccountingResponse
> > >     AcctPort 1813
> > >     FailureBackoffTime 0
> > >     Retries 1
> > >     RetryTimeout 3
> > >     Secret ******
> > > </AuthBy>
> > >
> > > And the handler looks like this
> > >
> > > <Handler NAS-IP-Address=x.x.x.x, Request-Type=Accounting-Request, Acct-Status-Type = /^Alive/>
> > >     include %{GlobalVar:CONFIGROOT}/include/RewriteUsername.inc
> > >     PreAuthHook file:"%{GlobalVar:CONFIGROOT}/include/proxyupdate.pl"
> > >     AuthBy ProxyAccounting
> > >     SessionDatabase NULL
> > >     AccountingHandled
> > >     AcctLogFileName %{GlobalVar:DETAILDIR}/%c/detail-%Y%m%d.csv
> > >     AcctLogFileFormat \
> > >         %{User-Name},%{Acct-Session-Id},%{Framed-IP-Address},\
> > >         %{Calling-Station-Id},%{Called-Station-Id},%{NAS-IP-Address},\
> > >         %{NAS-Port-Type},%{NAS-Port},%{Acct-Status-Type},\
> > >         %{Tunnel-Server-Endpoint},%{Tunnel-Client-Endpoint},\
> > >         %{Tunnel-Server-Auth-ID},%{Tunnel-Client-Auth-ID},\
> > >         %{RB-Context-Name},%{Acct-Input-Octets},%{Acct-Output-Octets},\
> > >         %{Acct-Input-Gigawords},%{Acct-Output-Gigawords},\
> > >         %{RB-QoS-Metering-Profile-Name},%{Acct-Terminate-Cause},\
> > >         %{Acct-Session-Time},%{Event-Timestamp},\
> > >         %{Acct-Authentic},%{Acct-Delay-Time},\
> > >         %{Acct-Input-Packets},%{Acct-Output-Packets},\
> > >         %{Framed-Protocol},%{Service-Type}
> > > </Handler>
> > >
> > > _______________________________________________
> > > radiator mailing list
> > > [email protected]
> > > http://www.open.com.au/mailman/listinfo/radiator
> >
> > --
> > Heikki Vatiainen <[email protected]>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > NetWare etc.
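
Added example, not part of the thread and not Radiator code: a Python script that parses Trace 4 "Packet dump" blocks and diffs the Accounting-Request received from the NAS against the copy sent to the proxy, separating what was rewritten before proxying (Class) from what passed through exactly as the NAS sent it (RB-Context-Name). The sample trace is constructed by abridging the one quoted above, with placeholder addresses; parse_dumps and diff_proxied are names chosen for this example.

```python
import re

# Constructed sample, abridged from the trace in the thread; addresses are placeholders.
TRACE = """\
Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1812 ....
Code:       Accounting-Request
Attributes:
    NAS-Port-Type = Virtual
    RB-Context-Name = "safe"
    Class = "ngn"

Tue Dec 17 09:27:23 2013: DEBUG: Packet dump:
*** Sending to 192.0.2.20 port 1813 ....
Code:       Accounting-Request
Attributes:
    RB-Context-Name = "safe"
    Class = "safe_ngn"
    NAS-Port-Type = ADSL
    Acct-Delay-Time = 0
"""

def parse_dumps(trace):
    """Return one dict per packet dump: direction, code, attributes."""
    packets, cur = [], None
    for line in trace.splitlines():
        start = re.match(r"\*\*\* (Received from|Sending to) ", line)
        attr = re.match(r"\s+(\S+) = (.*)$", line)
        if start:
            packets.append(cur := {"dir": start.group(1), "code": None, "attrs": {}})
        elif cur and line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif cur and attr:  # attributes may repeat, so keep a list per name
            cur["attrs"].setdefault(attr.group(1), []).append(attr.group(2).strip('"'))
    return packets

def diff_proxied(trace):
    """Compare the received Accounting-Request with the proxied copy."""
    acct = [p for p in parse_dumps(trace) if p["code"] == "Accounting-Request"]
    rx = next(p["attrs"] for p in acct if p["dir"] == "Received from")
    tx = next(p["attrs"] for p in acct if p["dir"] == "Sending to")
    return {
        "changed": {k: (rx[k], tx[k]) for k in rx if k in tx and rx[k] != tx[k]},
        "unchanged": sorted(k for k in rx if tx.get(k) == rx[k]),
        "added": sorted(set(tx) - set(rx)),
    }

if __name__ == "__main__":
    print(diff_proxied(TRACE))
```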
