Re: (RADIATOR) Session Database issues.

[Utku Er]

Hi Griff,   The reason of that strange lines that you mention is the radiator's default session database implementation which is right. Its because only one user can be connected from the same nasidentifier and nas port at any time...      When a user access request comes, radiator first erases the line with the same nas and same nas port in the database just in case of a problem... this means it has to run DeleteQuery first...    Since your two radpwtst tests sends the same nasidentifier and nasport, regardless of the other things, you will always get OK for that... Try changing nas_ip_address or nas_port to see the real behaviour...    The other conceptual problem is changing the calling-number attribute does not affect anything since this attribute either not exists in the countquery or the deletequery.   Utku Er.   ----- Original Message ----- From: Griff Hamlin, III To: [EMAIL PROTECTED] Sent: Thursday, January 17, 2002 9:02 PM Subject: (RADIATOR) Session Database issues. I am using Radiator 2.18.3 on AIX. I find that even though in my config file I have DefaultSimultaneousUse 1 set, all users are still allowed on. I use an SQL session database, and when I try tests using radpwtst I find something peculiar. I first run the following command: /usr/local/Radiator-2.18/radpwtst -nostop -user=hamlin -password=XXXX -auth_port=1645 -acct_port=1646 -calling_station_id 9095551212 -nas_ip_address 127.0.0.1 This gives me an accesss accept and place the user information into my sql 'online' table. I purposely do not let radpwtst send a stop packet so that the information will remain in the online table. I then change the phone number (because I have a hook that checks for it) and run the following command from radpwtst. /usr/local/Radiator-2.18/radpwtst -noacct -user=hamlin -password=XXXX -auth_port=1645 -acct_port=1646 -calling_station_id 9495551213 -nas_ip_address 127.0.0.1 Notice that now, I have changed it to -noacct since all I want is the access reply. Strangely enough, it is accepted! Yet I can see the row in the online database. I get the following from the logfile on trace 4. This is the access request after the user is already in the online sql database. ---------logfile output ---------------------------- *** Received from 127.0.0.1 port 46269 .... Code:       Access-Request Identifier: 17 Authentic:  1234567890123456 Attributes:    User-Name = "hamlin"    Service-Type = Framed-User    NAS-IP-Address = 127.0.0.1    NAS-Port = 1234    Called-Station-Id = "123456789"    Calling-Station-Id = "9491234546"    NAS-Port-Type = Async    User-Password = "<207><184>f<154><223>5p<246><188>8<9><160><216>}x<153>" Fri Jan 18 05:39:47 2002: INFO: Checking :hamlin: call-id :9491234546: Fri Jan 18 05:39:47 2002: INFO: CallIDHook: returned row --->  'hamlin', '9095551212' Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler Service-Type = Call-Check should be used to handle this request Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler User-Name = admin should be used to handle this request Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler Request-Type=Accounting-Request should be used to handle this request Fri Jan 18 05:39:47 2002: DEBUG: Check if Handler  should be used to handle this request Fri Jan 18 05:39:47 2002: DEBUG: Handling request with Handler '' Fri Jan 18 05:39:47 2002: DEBUG: Rewrote user name to hamlin Fri Jan 18 05:39:47 2002: DEBUG:  Deleting session for hamlin, 127.0.0.1, 1234   <-----### This seems odd to me Fri Jan 18 05:39:47 2002: DEBUG: do query is: delete from online where (nasidentifier='127.0.0.1')&&(nasport='1234') Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthGROUP Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL Fri Jan 18 05:39:47 2002: DEBUG: Handling with Radius::AuthSQL: Fri Jan 18 05:39:47 2002: DEBUG: Query is: select check_items, reply_items, case when (prepay='false') then if(session_timeout,session_timeout,NULL) when ((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when ((prepay='true')&&(!(ISNULL(session_timeout)))) then if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout) end from users where (username='hamlin' && handler_group='defau') Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL looks for match with hamlin Fri Jan 18 05:39:47 2002: DEBUG: Query is: select username, acctsessionid from online where username='hamlin' Fri Jan 18 05:39:47 2002: DEBUG: Radius::AuthSQL ACCEPT: Fri Jan 18 05:39:47 2002: DEBUG: Access accepted for hamlin Fri Jan 18 05:39:47 2002::hamlin accepted from 127.0.0.1, called 123456789 from 9491234546 Fri Jan 18 05:39:47 2002: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 46269 .... Code:       Access-Accept Identifier: 17 Authentic:  1234567890123456 Attributes:    Framed-IP-Address = 255.255.255.254    Framed-Routing = None    Framed-Compression = Van-Jacobson-TCP-IP    Framed-IP-Netmask = 255.255.255.255    Idle-Timeout = 900    Framed-Protocol = PPP    Service-Type = Framed-User ----------end logfile output--------------------------------------------------- I have labelled the line above that seems strange to me. Why would it delete the session from the online sql database before doing anything else? I found the line in Handler.pm that does this and commented it out. When I then tried this test, it works like a champ (It's line 257 in Handler.pm). Perhaps I am doing something wrong. My radius.cfg file is as follows: ---------- radius.cfg -------------- # Values for testing only Trace 4 #Trace 3 #AuthPort 1812 #AcctPort 1813 # Directory where logfile and details file are LogDir /var/adm/radacct # Database directory. Should contain: # users           The user database # dictionary      The dictionary for your NAS DbDir /etc/raddb AuthPort 1645 AcctPort 1646 # client list include %D/client_list.cfg SnmpgetProg /usr/bin/snmp_aix.pl PreClientHook file:"/etc/raddb/CallIdCheck.hook" # Global parameters LivingstonOffs 29 LivingstonHole 2 LivingstonMIB 1.3.6.1.4.1.307 # Define Global Variables # DbHost should be localhost DefineGlobalVar DbHost ns2.quik.com.au DefineGlobalVar DbServer xxxxxx DefineGlobalVar DbUser  xxxxx DefineGlobalVar DbPass  xxxxxx # Online Session Database <SessionDatabase SQL>    DBSource %{GlobalVar:DbServer}    DBUsername %{GlobalVar:DbUser}    DBAuth %{GlobalVar:DbPass}    AddQuery insert into online (username, nasidentifier, nasport,\             acctsessionid, callingid, framedaddress) values ('%U','%c',\             '%{NAS-Port}','%{Acct-Session-Id}','%{Calling-Station-Id}',\             '%{Framed-IP-Address}')    DeleteQuery delete from online where (nasidentifier='%1')&&(nasport='%2')    CountQuery select username, acctsessionid from online where username='%n' </SessionDatabase> <AuthLog FILE>   Identifier log1   Filename %L/logfile   LogSuccess 1   LogFailure 1 @   SuccessFormat %l::%n accepted from %c, called %{Called-Station-Id} from %{Calling-Station-Id}   FailureFormat %l::%n rejected from %c, %1, Called %{Called-Station-Id} from %{Calling-Station-Id}, password=%P </AuthLog> # Process call-check requests. <Handler Service-Type = Call-Check>    AcctLogFileName %L/callcheck.log    <AuthBy SQL>       DBSource    %{GlobalVar:DbServer}       DBUsername  %{GlobalVar:DbUser}       DBAuth      %{GlobalVar:DbPass}       Timeout 8       FailureBackoffTime 10       AuthSelect select handler_group from check where \          (dialing_number='%{Calling-Station-Id}')&& \          (handler_group='%{Handler-Group}')       AuthColumnDef 0,Handler-Group,check    </AuthBy> </Handler> # Get rid of admin accounting requests <Handler User-Name = admin> </Handler> # Handle all accounting here. <Handler Request-Type=Accounting-Request>   RewriteUsername s/^([^@]+).*/$1/   # Need a little hook here to determine if this is an accounting packet   # whether we use the Livingston or Acct-Terminate-Cause attributes.   # This gets the attribute Livingston if it exists, if not, gets   # Acct-Terminate-Cause, if not gets Ascend-Disconnect-Cause   # Put the correct one in new attribute %{Term-Cause} to be used later   PreAuthHook file:"/etc/raddb/accounting.hook"   <AuthBy GROUP>     AuthByPolicy ContinueWhileAccept     <AuthBy SQL>       DBSource    dbi:mysql:cheetah:ns.quik.com.au       DBUsername  %{GlobalVar:DbUser}       DBAuth      %{GlobalVar:DbPass}       AccountingTable dialupusage       AccountingStopsOnly       Timeout 8       FailureBackoffTime 10       AcctColumnDef username, %U, formatted       AcctColumnDef session_id, %{Acct-Session-Id}%m-%d, formatted       AcctColumnDef router_ip, %c, formatted       AcctColumnDef date, %f-%g-%i %j:%k:%p, formatted       AcctColumnDef session_time, %{Acct-Session-Time}, formatted       AcctColumnDef ip_address, %{Framed-IP-Address}, formatted       AcctColumnDef phone, %{Calling-Station-Id}, formatted       AcctColumnDef terminate_cause, %{Term-Cause}, formatted     </AuthBy>     <AuthBy SQL>       DBSource    %{GlobalVar:DbServer}       DBUsername  %{GlobalVar:DbUser}       DBAuth      %{GlobalVar:DbPass}       AccountingStopsOnly       Timeout 8       FailureBackoffTime 10       AcctSQLStatement update users set prepaid_timeleft=prepaid_timeleft-0%{Acct-Session-Time} where (prepay='true')&&(username='%U')     </AuthBy> # SQL   </AuthBy> # Group </Handler> # Handle the bulk of the users using our radius:users SQL table <Handler>   # remove the realm   RewriteUsername s/^([^@]+).*/$1/   <AuthBy GROUP>     AuthByPolicy ContinueWhileIgnore     <AuthBy SQL>       IgnoreAccounting       Timeout 8       FailureBackoffTime 10       DBSource    %{GlobalVar:DbServer}       DBUsername  %{GlobalVar:DbUser}       DBAuth      %{GlobalVar:DbPass}       NoDefault       DefaultSimultaneousUse 1       # This AuthSelect gets a comma separated list of check items, a comma       # separated list of reply items from the radius:users table        AuthSelect select check_items, reply_items, case when (prepay='false') then if(session_timeout,session_timeout,NULL) when ((prepay='true')&&(ISNULL(session_timeout))) then prepaid_timeleft when ((prepay='true')&&(!(ISNULL(session_timeout)))) then if(prepaid_timeleft<session_timeout,prepaid_timeleft,session_timeout) end from users where (username='%U' && handler_group='%{Handler-Group}')       # As it turns out, an attributename of GENERIC means that it is a       # comma separated list of attribute=value pairs.       # AuthColumnDef statements define the returned value from the database       # AuthColumnDef <position number in select starting with 0>, attribute       # name (or GENERIC if list), and whether check, reply, or request (to be       # used in later sql statement).       AuthColumnDef 0,GENERIC, check       AuthColumnDef 1,GENERIC,reply       AuthColumnDef 2,Session-Timeout,reply     </AuthBy> #SQL #   <AuthBy FILE> #     # if db fails #     Filename %D/users #   </AuthBy>   </AuthBy> # Group   PostAuthHook file:"/etc/raddb/prepay_overuse.hook"   AuthLog log1 </Handler> ------- end radius.cfg Any help is greatly appreciated. Griff Hamlin, III === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.