checkrad alternative
Hi list, I have a new Cisco ASR. There is no SNMP OID on it for checking simultaneous use with checkrad. Is there an alternative? Am i able to use COA instead of checkrad? If so, any help would be appreciated. Thanx
On 27/10/2023 09:53, Igor Smitran wrote:
I have a new Cisco ASR. There is no SNMP OID on it for checking simultaneous use with checkrad.
Is there an alternative? Am i able to use COA instead of checkrad? If so, any help would be appreciated.
Look at the source for checkrad - it just does different things to find out if a user is logged in. Some involve just telnetting into the device... So, find out a) if it is even possible to determine who is logged into the Cisco, and b) how. Then modify checkrad or write your own script to make those checks. I'd be quite surprised if it's not possible to find out logged in users over SNMP, that's normally pretty standard. -- Matthew
Hi
So, find out a) if it is even possible to determine who is logged into the Cisco, and b) how. Then modify checkrad or write your own script to make those checks.
I'd be quite surprised if it's not possible to find out logged in users over SNMP, that's normally pretty standard.
Yep check the cisco aaa session mib You can find the active user sessions there Brian
On 27. 10. 23. 17:49, Brian Turnbow via Freeradius-Users wrote:
Hi
So, find out a) if it is even possible to determine who is logged into the Cisco, and b) how. Then modify checkrad or write your own script to make those checks.
I'd be quite surprised if it's not possible to find out logged in users over SNMP, that's normally pretty standard. Yep check the cisco aaa session mib You can find the active user sessions there Did snmpwalk entire tree, no username in any oid
Brian - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 27/10/2023 18:10, Igor Smitran wrote:
Yep check the cisco aaa session mib You can find the active user sessions there Did snmpwalk entire tree, no username in any oid
Don't trust Cisco snmpwalk. In my experience it often misses things. Go directly for the MIBs you want to query. But otherwise you'll need to find some other way to find out who's on line, then write a script or devise a method that FreeRADIUS can query that. -- Matthew
On 27. 10. 23. 19:14, Matthew Newton via Freeradius-Users wrote:
Don't trust Cisco snmpwalk. In my experience it often misses things.
Go directly for the MIBs you want to query.
But otherwise you'll need to find some other way to find out who's on line, then write a script or devise a method that FreeRADIUS can query that.
Already tried it but no success. It seems that there is a possibility to use COA to check if session is live on NAS: echo "Acct-Session-Id=0044F775" | radclient -x *.*.*.*:1700 coa secret Sending CoA-Request of id 228 to *.*.*.* port 1700 Acct-Session-Id = "0044F775" rad_recv: CoA-NAK packet from host *.*.*.* port 1700, id=228, length=81 Cisco-Command-Code = "\020" Cisco-Account-Info = "Suser_framed_ip" Cisco-Account-Info = "$IVirtual-Access2.263" I will try to use update coa, unlang and sql xlat and avoid checkrad usage entirely. I hope i will succeed. In case that someone has something to add or share please do. I am expecting problems with parsing of reply messages from NAS and deciding what to do next, if i use only unlang for parsing. some rought example: if (there is session with null stop time) { update coa { send session id } } if (reply:packet-type COA) { if (Cisco-Command-Code) { reject } } Igor
On Oct 27, 2023, at 6:17 PM, Igor Smitran <sigor@blic.net> wrote:
It seems that there is a possibility to use COA to check if session is live on NAS:
That might work? If you send a CoA which doesn't change anything, you might get an ACK. If you send a CoA for a session which doesn't exist, you'll get a NAK. But it's not a common way to check user sessions, so it may or may not work, depending on the NAS.
I hope i will succeed. In case that someone has something to add or share please do.
I am expecting problems with parsing of reply messages from NAS and deciding what to do next, if i use only unlang for parsing.
some rought example:
if (there is session with null stop time) {
update coa {
send session id
}
}
if (reply:packet-type COA) {
if (Cisco-Command-Code) {
reject
}
See raddb/sites-available/originate-coa That's an example virtual server of how to handle CoA packets like this. *But*, you can't wait for the CoA reply, and then reject the original Access-Request. Version 3 just won't do this. The hack in v3 is to just run the exec module, and exec radclient. It's ugly, but it's likely to work. Alan DeKok.
On 28. 10. 23. 18:27, Alan DeKok wrote:
See raddb/sites-available/originate-coa That's an example virtual server of how to handle CoA packets like this.
*But*, you can't wait for the CoA reply, and then reject the original Access-Request. Version 3 just won't do this.
The hack in v3 is to just run the exec module, and exec radclient. It's ugly, but it's likely to work.
Yes, i can see that, unfortunately. Best way would be to wait for COA reply from NAS and then decide to reject access request or allow it. But, this makes it undoable: "The "coa" or "disconnect" packet is sent when the current Access-Request or Accounting-Request has been finished, and a reply sent to the NAS." I need to get back to drawing board :( It looks like the only possible way would be to rewrite checkrad and send COA from there. Thank you Igor
On 28/10/2023 20:54, Igor Smitran wrote:
On 28. 10. 23. 18:27, Alan DeKok wrote:
See raddb/sites-available/originate-coa The hack in v3 is to just run the exec module, and exec radclient. It's ugly, but it's likely to work.
It looks like the only possible way would be to rewrite checkrad and send COA from there.
Or as Alan said just write a script to do it and exec that instead of checkrad. I still find it surprising it's not available over SNMP. E.g. Cisco ASR 1k supports the CISCO-SUBSCRIBER-SESSION-MIB which seems to contain what you want: https://www.cisco.com/c/en/us/td/docs/routers/asr1000/mib/guide/asr1kmib/asr... Also make sure you have the correct access to read the SNMP table. -- Matthew
On 29. 10. 23. 16:09, Matthew Newton via Freeradius-Users wrote:
Or as Alan said just write a script to do it and exec that instead of checkrad.
Yes, i agree, but it's even less expensive (time regarding) to trigger perl module than to exec script, isn't it? Or am i wrong and missing something?
I still find it surprising it's not available over SNMP. E.g. Cisco ASR 1k supports the CISCO-SUBSCRIBER-SESSION-MIB which seems to contain what you want:
https://www.cisco.com/c/en/us/td/docs/routers/asr1000/mib/guide/asr1kmib/asr...
yes, i have two ASRs 1k and it works on them, but this new ASR 9901 doesn't have that table at all, did snmpwalk on entire tree and didn't find anything that looks even close to ASR 1k results.
On Oct 29, 2023, at 8:04 PM, Igor Smitran <sigor@blic.net> wrote:
Yes, i agree, but it's even less expensive (time regarding) to trigger perl module than to exec script, isn't it? Or am i wrong and missing something?
Perl is pretty slow. It's not a huge difference. But checkrad isn't a Perl module. It's a perl program which is exec'd by the server. So it's slower than *either* just using rlm_perl, or "exec + radclient". The only way to make it faster is to use rlm_perl, and then have the Perl module open a socket, create the RADIUS packet, send the RADIUS packet, and look for the response. This may help: https://metacpan.org/pod/Authen::Radius
I still find it surprising it's not available over SNMP. E.g. Cisco ASR 1k supports the CISCO-SUBSCRIBER-SESSION-MIB which seems to contain what you want:
https://www.cisco.com/c/en/us/td/docs/routers/asr1000/mib/guide/asr1kmib/asr... yes, i have two ASRs 1k and it works on them, but this new ASR 9901 doesn't have that table at all, did snmpwalk on entire tree and didn't find anything that looks even close to ASR 1k results.
I suspect that vendors are removing MIBs. checkrad / MIBs were in wide-spread use in the early 2000s. In the last 10 years? Not so much. Alan DeKok.
On 30. 10. 23. 01:09, Alan DeKok wrote:
Perl is pretty slow. It's not a huge difference. But checkrad isn't a Perl module. It's a perl program which is exec'd by the server. So it's slower than *either* just using rlm_perl, or "exec + radclient".
The only way to make it faster is to use rlm_perl, and then have the Perl module open a socket, create the RADIUS packet, send the RADIUS packet, and look for the response. This may help:
Already found and tested it, wanted to add it to checkrad. I am not sure how to setup sql module to call rlm_perl instead of chekrad. Or maybe to try to check Simultaneous-Use in authorize section and call rlm_perl there: 1. Disable simultaneous check queries in sql 2. add Simultaneous-Use check in authorize 3. call rlm_pelr based on 2 Regards, Igor
participants (4)
-
Alan DeKok -
Brian Turnbow -
Igor Smitran -
Matthew Newton