No subject

Pavel Uhliar pavel.uhliar at gmail.com
Fri Jun 26 14:02:31 CEST 2020


Hello, guys.

I am stuck with rewriting the contents of Accounting messages and need your
advice.

I need to manipulate Class attribute (I might use another one, but I guess
there is no difference in handling attributes internally) according to
actual state of local database running on RADIUS server. To be specific,
based on data received in Access-Request packet and actual contents of
RADIUS database my custom function in policy.conf decides which service
name should be supplied to customer and relays this info to NAS using Class
attribute.

The NAS itself is not the entity that needs to receive the information. NAS
copies the Class attribute into subsequent Accounting messages sent after
opening the session, and those Accounting messages are proxied to another
entity (let's call it "black-box", since it is beyond my control).
Black-box influences traffic transferred by the session according to
service template (which is my desired effect).

xxx.rewrite.class {
  if ((Called-Station-Id) && "%{Called-Station-Id}" =~
/^IW-REG([0-9]{3})-SVC(.*)$/i) {
    update reply {
      Class := "%{tolower:IW-R%{1}-S%{2}}-%{sql: SELECT SVC FROM radcheck
WHERE MAC='%{Calling-Station-Id}'}"
    }
    updated
  }
  else {
    noop
  }
}

I included my function into "authorize" and "preacct" sections of "default"
site config and everything works fine when the session is being started.


Now I need to change contents of the Class attribute DURING THE LIFETIME of
the session.


NAS keeps sending Accounting Interim updates. The information coming from
NAS is still the same as it was in Access-Request, but setting in local
database changed, so my script produces another contents for Class
attribute, and I need the change to be reflected in Accounting messsage
proxied to the black-box.

My idea was just to keep the same rewrite function in place, and I was
hoping that Class attribute will be sent back in response to Accounting
same as it was in response to Access-Request, then NAS will start to
include new version of my Class, that will be proxied to black-box, and
black-box does its job.

Unfortunately I can't get RADIUS to send the Class attribute in response to
Accounting message (neither Start nor Interim), Response contains just
Authenticator. So my intended solution does not work. Can you advise how to
force the Class attribute to be included?

09:31:01.466731 IP (tos 0x0, ttl 56, id 65225, offset 0, flags [DF], proto
UDP (17), length 217)
    xxxxx.59947 > yyyyy.radius-acct: RADIUS, length: 189
        Accounting Request (4), id: 0x1b, Authenticator:
c88c72cdfc48aa71744fbd90733a09a5
          Accounting Status Attribute (40), length: 6, Value: Start
          NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE
802.11
          Calling Station Attribute (31), length: 19, Value:
34:A8:EB:0B:4D:03
          Called Station Attribute (30), length: 21, Value: IW-REG001-SVCabc
          NAS Port ID Attribute (87), length: 11, Value: BR-airmax
          Username Attribute (1), length: 19, Value: 34:A8:EB:0B:4D:03
          NAS Port Attribute (5), length: 6, Value: -2141191544
          Accounting Session ID Attribute (44), length: 10, Value: 80600288
          Framed IP Address Attribute (8), length: 6, Value: 192.168.98.189
          Vendor Specific Attribute (26), length: 12, Value: Vendor:
Unknown (14988)
            Vendor Attribute: 10, Length: 4, Value: ..b.
          Class Attribute (25), length: 22, Value: iw-r001-sabc-bbbb
          Event Timestamp Attribute (55), length: 6, Value: Thu Jun 25
09:31:01 2020
          NAS ID Attribute (32), length: 13, Value: DHR Lucerna
          Accounting Delay Attribute (41), length: 6, Value: 00 secs
          NAS IP Address Attribute (4), length: 6, Value: xxxxx
09:31:01.474679 IP (tos 0x0, ttl 64, id 8369, offset 0, flags [none], proto
UDP (17), length 48)
    yyyyy.radius-acct > xxxxx.59947: RADIUS, length: 20
        Accounting Response (5), id: 0x1b, Authenticator:
3025c6d75fd16ac5992ac3278afa5630


As I mentioned before, I do not need the NAS to receive the info, it would
be sufficient for me to modify the proxied Accounting message. So, if
including the Class in Accounting Response is not possible (or does not do
what I need), I could solve it just between RADIUS and Accounting proxy.

I was trying to achieve this by including my function into "pre-proxy"
section of default site, but it does not influence the message, Class
contents is copied the same as it was ingested by the RADIUS. Can you
advise how to achieve this?

pre-proxy {
#attr_rewrite
#  Uncomment the following line if you want to change attributes
#  as defined in the preproxy_users file.
#files

xxx.rewrite.class

#  Uncomment the following line if you want to filter requests
#  sent to remote servers based on the rules defined in the
#  'attrs.pre-proxy' file.
#attr_filter.pre-proxy

#  If you want to have a log of packets proxied to a home
#  server, un-comment the following line, and the
#  'detail pre_proxy_log' section, above.
#pre_proxy_log
}

Thanks for all hints in advance,

    Pavel Uhliar


More information about the Freeradius-Users mailing list