Proxy accounting message

Bjørn Mork bjorn at mork.no
Fri Sep 30 13:38:13 CEST 2005


"Ashwin Gobind" <Ashwin.Gobind at vodacom.co.za> writes:

> But doesn't this mean there has to be a realm in the username, e.g.
> name at realm1?
>
> The problem is the user-name attribute does not contain a realm. Is it
> still possible to proxy the accounting start and stop messages
> originating from a certain NAS-IP-Address?

I believe that was exactly what Nicolas' tip was supposed to do.

The trick is to make the files module do exactly the same as the realm
module would have done if you had passed "name at realm1" to the "suffix"
instance.

Proxy-To-Realm is documented in doc/module_interface.


Bjørn

> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
> freeradius-users-request at lists.freeradius.org
> Sent: 29 September 2005 06:22 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 5, Issue 98
>
>
> Today's Topics:
>
>    1. Proxy of Accounting Requests (Ashwin Gobind)
>    2. Re: Proxy of Accounting Requests (Nicolas Baradakis)
>    3. RE: Proxy of Accounting Requests (Jonathan De Graeve)
>    4. Re: LDAP and groups (Dusty Doris)
>    5. Re: LDAP and groups (Kenneth Grady)
>    6. Re: SSL3_GET_CLIENT_KEY_EXCHANGE (Juan Daniel Moreno)
>    7. (no subject) (msah at otitelecom.bj)
>    8. Postgresql+freeradius configuration (msah at otitelecom.bj)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 29 Sep 2005 12:18:37 +0200
> From: "Ashwin Gobind" <Ashwin.Gobind at vodacom.co.za>
> Subject: Proxy of Accounting Requests
> To: <freeradius-users at lists.freeradius.org>
> Message-ID: <753BF83740BB6C48BF8A15B5C61C88470BB847D7 at zamdc02100.vodacom.corp>
> Content-Type: text/plain;	charset="us-ascii"
>
> Good day. I am using freeradius 1.05.
> I want to proxy accounting requests originating from certain hosts to
> another server; how can I do this? Also, I am using JRadius to handle
> accounting requests, but I don't want JRadius to handle these particular
> requests; I want freeradius just to proxy them. Here is an example of the
> request.
> Thanks
>
>
>
> Acct-Session-Id = C42EA2A31F96530
> Framed-Protocol = GPRS-PDP-Context
> Called-Station-Id = vlive
> Calling-Station-Id = 27829800529
> Framed-IP-Address = 10.19.128.6
> 3GPP-IMSI = 655019800002252
> 3GPP-Charging-ID = 33121584
> 3GPP-PDP-Type = 0
> 3GPP-GGSN-Address = 196.46.162.163
> 3GPP-IMSI-MCC-MNC = 65501
> 3GPP-GGSN-MCC-MNC = 65501
> 3GPP-NSAPI = 5
> 3GPP-Selection-Mode = 0
> 3GPP-Charging-Gateway-Address = 10.25.0.10
> 3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808
> 3GPP-SGSN-Address = 196.6.254.49
> User-Name = 27829800529
> Cisco-AVPair = connect-progress=Call Up
> Acct-Authentic = RADIUS
> Acct-Status-Type = Start
> NAS-Port-Type = Virtual
> Cisco-NAS-Port = GGSN
> NAS-Port = 60000
> Class = [Binary Data]
> Service-Type = Framed-User
> NAS-IP-Address = 10.31.1.122
> NAS-Identifier = GMC-GGSN0-12-2
> Acct-Delay-Time = 0
> Client-IP-Address = 10.113.60.6
> Acct-Unique-Session-Id = b30a3d4d494c8a87
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 29 Sep 2005 13:55:16 +0200
> From: Nicolas Baradakis <nbk at sitadelle.com>
> Subject: Re: Proxy of Accounting Requests
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <20050929115516.GA2365 at asuka.tech.sitadelle.com>
> Content-Type: text/plain; charset=us-ascii
>
> Ashwin Gobind wrote:
>
>> I want to proxy accounting requests originating from certain hosts to
>> another server; how can I do this?
>
> You could add something like this in file "acct_users":
>
> DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
>
> DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2
>
> -- 
> Nicolas Baradakis
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 29 Sep 2005 15:56:33 +0200
> From: "Jonathan De Graeve" <Jonathan.De.Graeve at imelda.be>
> Subject: RE: Proxy of Accounting Requests
> To: "FreeRadius users mailing list"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <FFA36DAA4D9D62438D6DD1947C631316073263 at exchangesrv.imz.be>
> Content-Type: text/plain;	charset="us-ascii"
>
> Can you also do this in SQL?
>
> J.
>
> -- 
> Jonathan De Graeve
> Network/System Administrator
> Imelda vzw
> Informatica Dienst
> 015/50.52.98
> jonathan.de.graeve at imelda.be
>
> ---------
> Always read the manual for the correct way to do things because the
> number of incorrect ways to do things is almost infinite
> ---------
>
> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Nicolas
> Baradakis
> Sent: Thursday 29 September 2005 13:55
> To: FreeRadius users mailing list
> Subject: Re: Proxy of Accounting Requests
>
> Ashwin Gobind wrote:
>
>> I want to proxy accounting requests originating from certain hosts to
>> another server; how can I do this?
>
> You could add something like this in file "acct_users":
>
> DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
>
> DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2
>
> -- 
> Nicolas Baradakis
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 29 Sep 2005 10:06:30 -0400 (EDT)
> From: Dusty Doris <freeradius at mail.doris.cc>
> Subject: Re: LDAP and groups
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <20050929100414.M98082 at mail.doris.name>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>> Hello there,
>>
>> I have a small problem. And I read the documentation. And I can't find
>> what's wrong.
>>
>> I have a corporate LDAP with users and groups.
>>
>> Each group is a "groupOfUniqueNames", with "uniquemember".
>> In the user definition, no group definition is set.
>>
>> I need to authenticate members of certain groups, and not of others
>> ...
>>
>> Every doc I read mentions that you have to create an attribute "per
>> user" ...
>>
>> Any other way?
>>
>
> I chose to do groups per user with the radiusgroupname attribute, which is
> in the ldap_howto.  However, you don't have to do it that way.  Try reading
> radiusd.conf in the ldap section under the default groupmembership_filter.
> Or read doc/rlm_ldap.
>
> If you are trying that and not having success, then post your debug
> output.
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 29 Sep 2005 08:11:27 -0600
> From: Kenneth Grady <klg at lanl.gov>
> Subject: Re: LDAP and groups
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <1128003087.27966.29.camel at grady.lanl.gov>
> Content-Type: text/plain
>
>    ldapsearch -x cn=my_group
> #
> # filter: cn=my_group
> # requesting: ALL
> #
>
> # my_group, group, lanl, gov
> dn: cn=my_group,ou=group,dc=lanl,dc=gov
> objectClass: groupOfNames
> cn: my_group
> member: employeeNumber=0067,ou=people,dc=lanl,dc=gov
> member: employeeNumber=0068,ou=people,dc=lanl,dc=gov
> ...
> ----------------------------------
> radiusd.conf (file)
> ...modules
> 	ldap My-group_Users {
>                 server = "ldap"
>                 net_timeout = 1
>                 timeout = 3
>                 timelimit = 4
>                 ldap_connections_number = 5
>                 basedn = "dc=lanl,dc=gov"
>                 #access_attr = "employeeNumber"
>                 filter = "(&(cn=my-group)(member=employeeNumber=%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))"
>                 start_tls = no
>                 groupname_attribute = cn
>                 groupmembership_filter = ""
>                 groupmembership_attribute = my_group
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 compare_check_items = yes
>                 access_attr_used_for_allow = yes
> 	}
> ... authorize
>         Autz-Type MY-GROUP {
>                 redundant {
>                         My-group_Users
>                         notfound = reject
>                 }
>         }
> ----------------------------------
> users (file)
> ...
> DEFAULT	NAS-IP-Address =~ "^123.123", Autz-Type := MY-GROUP
>
> There's probably a better way, but this worked for what I wanted.
>
>
>
>
> On Thu, 2005-09-29 at 03:10, Jean-Francois Gobin wrote:
>> 
>> Hello there,
>> 
>> I have a small problem. And I read the documentation. And I can't find
>> what's wrong.
>> 
>> I have a corporate LDAP with users and groups.
>> 
>> Each group is a "groupOfUniqueNames", with "uniquemember".
>> In the user definition, no group definition is set.
>> 
>> I need to authenticate members of certain groups, and not of others
>> ...
>> 
>> Every doc I read mentions that you have to create an attribute "per
>> user" ...
>> 
>> Any other way?
>> 
>> Regards,
>> Jean-Francois Gobin
>> 
>> ----------
>> Jean-Francois Gobin - Administrateur gobinjf.be
>> http://www.gobinjf.be   mailto:gobin at gobinjf.be
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 29 Sep 2005 16:22:12 +0200
> From: Juan Daniel Moreno <juanitomoreno at gmail.com>
> Subject: Re: SSL3_GET_CLIENT_KEY_EXCHANGE
> To: freeradius-users at lists.freeradius.org
> Message-ID: <2e33d53305092907226e2de3a4 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
>>
>>   The protocol specification describes this.  The implementation in
>> src/modules/rlm_eap/ contains diagrams of the packets it expects to
>> receive.
>>
>>   Alan DeKok.
>>
>>
>
> Thank you Alan, but now I have a new problem. I have been reading
> src/modules/rlm_eap/ to understand my problem but I don't find the
> issue. In TLS establishment, the public key in the server.cert is 128
> bytes long. I generate a random string of 46 bytes and the protocol
> version (TLS 1.0 (0x03, 0x01)) and I use the SSL function
> RSA_public_encrypt() with the server's public key to encrypt the
> PreMasterSecret. As a result I get a 128 byte string. As I send this
> data to the server, I get a "tls rsa encrypted length is wrong:
> s3_srvr.c: 1450:"
>
> Can anybody please tell me where my problem can be?  Here is my code
> for example.
>
>
> void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short *length,
>                           char *HandshakeMessages, unsigned short *length_Hndshk,
>                           char *buff)
> {
> 	int i;
> 	int rsasize = 0, Encrypted_len = -1;
> 	X509     *cert              = NULL;	// d2i_X509 allocates it when given NULL
> 	EVP_PKEY *evp               = NULL;
> 	RSA      *server_public_key = NULL;
> 	const unsigned char *p;
>
> 	char *PreMasterSecret          = (char*) _MEMORY_Allocate (58, true);
> 	char *EncryptedPreMasterSecret = (char*) _MEMORY_Allocate (128, true);
> 	char *temp                     = (char*) _MEMORY_Allocate (58, true);
> 	unsigned char *tmpCert         = _MEMORY_Allocate (ClientSSLData->certificate_len + 128, true);
>
> 	//----- PreMasterSecret = client_version (0x03 0x01) followed by 46 random bytes -----
> 	_RANDOM_MakeCharString (temp, 46);
> 	PreMasterSecret [0] = 0x03;
> 	PreMasterSecret [1] = 0x01;
> 	for (i = 0; i < 46; i++)
> 		PreMasterSecret[i+2] = temp[i];
>
> 	//----- Keep all 48 bytes for the master secret derivation (the loop above
> 	//----- used to copy only the first 46) -----
> 	for (i = 0; i < 48; i++)
> 		ClientSSLData->PreMasterSecret[i] = PreMasterSecret[i];
>
> 	for (i = 0; i < ClientSSLData->certificate_len; i++)
> 		tmpCert[i] = (unsigned char) ClientSSLData->certificate[i];
>
> 	//----- OpenSSL Functions -----
> 	//----- d2i_X509 advances the pointer it is given; work on a copy so tmpCert
> 	//----- itself can still be freed -----
> 	p = tmpCert;
> 	if (d2i_X509 (&cert, &p, ClientSSLData->certificate_len) == NULL)
> 		goto cleanup;					// malformed server certificate
>
> 	//----- We get the public key from the Server certificate -----
> 	evp = X509_get_pubkey (cert);				// reference-counted, freed below
> 	if (evp == NULL || (server_public_key = EVP_PKEY_get1_RSA (evp)) == NULL)
> 		goto cleanup;					// not an RSA key
>
> 	rsasize = RSA_size (server_public_key);			// 128 for a 1024-bit key
>
> 	//----- We get the PreMasterSecret encrypted -----
> 	Encrypted_len = RSA_public_encrypt (48, (unsigned char*) PreMasterSecret,
> 	                                    (unsigned char*) EncryptedPreMasterSecret,
> 	                                    server_public_key, RSA_PKCS1_PADDING);
> 	if (Encrypted_len != rsasize)
> 		goto cleanup;					// encryption failed
>
> 	//----- Record header -----
> 	ClientSSLData->bufferSSL[(*length)++] = 0x16;			// Handshake Message
> 	ClientSSLData->bufferSSL[(*length)++] = 0x03;			// Version
> 	ClientSSLData->bufferSSL[(*length)++] = 0x01;			// Version
> 	ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) / 256;	// Length: 4 (handshake header) + 2 (vector length) + ciphertext
> 	ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) % 256;
>
> 	//----- Handshake header -----
> 	ClientSSLData->bufferSSL[(*length)++] = 0x10;			// Client key exchange
> 	ClientSSLData->bufferSSL[(*length)++] = 0x00;			// Length: 2 (vector length) + ciphertext
> 	ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 2) / 256;
> 	ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 2) % 256;
>
> 	//----- In TLS 1.0 the encrypted PreMasterSecret is an opaque<0..2^16-1> vector, so
> 	//----- its own two-byte length precedes the ciphertext. The server checks that length
> 	//----- (OpenSSL: "tls rsa encrypted value length is wrong") and rejects the message
> 	//----- when it is missing -----
> 	ClientSSLData->bufferSSL[(*length)++] = Encrypted_len / 256;
> 	ClientSSLData->bufferSSL[(*length)++] = Encrypted_len % 256;
> 	HandshakeMessages[(*length_Hndshk)++] = Encrypted_len / 256;	// the Finished hash covers the vector length too
> 	HandshakeMessages[(*length_Hndshk)++] = Encrypted_len % 256;
>
> 	//----- Public key exchange -----
> 	for (i = 0; i < Encrypted_len; i++)
> 	{
> 		buff[i]                               = EncryptedPreMasterSecret[i];
> 		HandshakeMessages[(*length_Hndshk)++] = EncryptedPreMasterSecret[i];
> 	}
>
> cleanup:
> 	if (server_public_key) RSA_free (server_public_key);
> 	if (evp)  EVP_PKEY_free (evp);
> 	if (cert) X509_free (cert);
> 	free (PreMasterSecret);
> 	free (EncryptedPreMasterSecret);
> 	free (temp);
> 	free (tmpCert);
> }
>
> Thank you for your help. Juan Daniel MORENO
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 29 Sep 2005 16:59:00 +0100
> From: msah at otitelecom.bj
> Subject: (no subject)
> Cc: freeradius-users at lists.freeradius.org
> Message-ID: <20050929165900.j5qtkf92v5cso808 at webmail.otitelecom.bj>
> Content-Type: text/plain;	charset=ISO-8859-1
>
> Good morning!!!!!
> I have successfully configured a freeradius server using a postgresql
> database to store the users which I want to authenticate.
> When I put it in debug mode to test, it works well. But when I run it as a
> daemon the radius server doesn't see the postgresql server. In the radius
> log file I see this:
>  Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
> Info: rlm_sql (sql): Attempting to connect to radiusadmin at localhost:/radiusdb
> Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server radiusadmin at localhost:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to server:
> Permission denied ?Is the server running on host "localhost" and accepting
> ?TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.
> I use fedora core4 as Operating System and freeradius 1.0.4-1, postgresql
> 8.0.3-1.
> In the postgresql file pg_hba.conf I made this configuration:
> #TYPE  DATABASE    USER         CIDR-ADDRESS          METHOD
> #IPv4 local connections:
> host    radiusdb   radiusadmin  127.0.0.1/32          trust
> I don't know why this malfunction happens.
> Please help me and thanks for your assistance.
>
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 29 Sep 2005 17:00:47 +0100
> From: msah at otitelecom.bj
> Subject: Postgresql+freeradius configuration
> To: freeradius-users at lists.freeradius.org
> Message-ID: <20050929170047.yclw6uck1huss8g0 at webmail.otitelecom.bj>
> Content-Type: text/plain;	charset=ISO-8859-1
>
> Good morning!!!!!
> I have successfully configured a freeradius server using a postgresql
> database to store the users which I want to authenticate.
> When I put it in debug mode to test, it works well. But when I run it as a
> daemon the radius server doesn't see the postgresql server. In the radius
> log file I see this:
>  Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
> Info: rlm_sql (sql): Attempting to connect to radiusadmin at localhost:/radiusdb
> Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server radiusadmin at localhost:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to server:
> Permission denied ?Is the server running on host "localhost" and accepting
> ?TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.
> I use fedora core4 as Operating System and freeradius 1.0.4-1, postgresql
> 8.0.3-1.
> In the postgresql file pg_hba.conf I made this configuration:
> #TYPE  DATABASE    USER         CIDR-ADDRESS          METHOD
> #IPv4 local connections:
> host    radiusdb   radiusadmin  127.0.0.1/32          trust
> I don't know why this malfunction happens.
> Please help me and thanks for your assistance.
>
>
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 5, Issue 98
> ***********************************************
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
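The "tls rsa encrypted length is wrong" error in message 6 of the quoted digest is the check a TLS 1.0 server applies to the two-byte vector length that must precede the RSA-encrypted PreMasterSecret inside the ClientKeyExchange body. The following standalone C is an added illustration, not code from the thread, OpenSSL or FreeRADIUS: it frames a ciphertext the way the server expects, frames it the way the posted code did (no vector length), and applies the server-side length rule to both; the 128-byte ciphertext used in the checks is a constructed dummy pattern standing in for RSA_public_encrypt() output from a 1024-bit key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Frames an RSA-encrypted PreMasterSecret as a TLS 1.0 ClientKeyExchange record.
 * RFC 2246 7.4.7.1 (made explicit in RFC 4346) defines the ciphertext as an
 * opaque<0..2^16-1> vector, so its own two-byte length precedes it in the body.
 * Returns the record size written to out, or -1 if out is too small. */
int build_client_key_exchange(const uint8_t *enc, size_t enc_len,
                              uint8_t *out, size_t out_cap)
{
    size_t body = 2 + enc_len;               /* vector length + ciphertext        */
    size_t hs   = 4 + body;                  /* handshake header + body           */
    if (enc_len > 0xffff || 5 + hs > out_cap) return -1;
    out[0] = 0x16; out[1] = 0x03; out[2] = 0x01;          /* Handshake, TLS 1.0  */
    out[3] = (uint8_t)(hs >> 8);   out[4] = (uint8_t)hs;   /* record length       */
    out[5] = 0x10;                                         /* client_key_exchange */
    out[6] = 0; out[7] = (uint8_t)(body >> 8); out[8] = (uint8_t)body;
    out[9] = (uint8_t)(enc_len >> 8); out[10] = (uint8_t)enc_len; /* vector length */
    memcpy(out + 11, enc, enc_len);
    return (int)(5 + hs);
}

/* Server-side view of the record: checks the record and handshake headers, then
 * applies the rule OpenSSL's ssl3_get_client_key_exchange() uses for TLS >= 1.0,
 * namely vector length == handshake body length - 2.  Returns the ciphertext
 * length, or -1 bad record header, -2 handshake length mismatch, -3 vector
 * length wrong (the condition behind "encrypted value length is wrong"). */
int server_parse_client_key_exchange(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 11 || rec[0] != 0x16 || rec[1] != 0x03 || rec[2] != 0x01) return -1;
    size_t rec_body = ((size_t)rec[3] << 8) | rec[4];
    if (rec_body != rec_len - 5) return -1;
    size_t hs_body = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    if (rec[5] != 0x10 || hs_body != rec_body - 4) return -2;
    size_t claimed = ((size_t)rec[9] << 8) | rec[10];
    if (claimed != hs_body - 2) return -3;
    return (int)claimed;
}

/* The framing from the post, with consistent headers but no vector length: the
 * server reads the first two ciphertext bytes as the length and rejects it. */
int build_without_vector_length(const uint8_t *enc, size_t enc_len,
                                uint8_t *out, size_t out_cap)
{
    size_t hs = 4 + enc_len;
    if (enc_len > 0xffff || 5 + hs > out_cap) return -1;
    out[0] = 0x16; out[1] = 0x03; out[2] = 0x01;
    out[3] = (uint8_t)(hs >> 8); out[4] = (uint8_t)hs;
    out[5] = 0x10; out[6] = 0; out[7] = (uint8_t)(enc_len >> 8); out[8] = (uint8_t)enc_len;
    memcpy(out + 9, enc, enc_len);
    return (int)(5 + hs);
}
```

For a 128-byte ciphertext the correct record is 139 bytes: record length 0x0086, handshake length 0x000082, vector length 0x0080, followed by the ciphertext.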



