(no subject)

classic Classic list List threaded Threaded
1 message Options
| Threaded
Open this post in threaded view

(no subject)

Pavel Uhliar
Hello, guys.

I am stuck with rewriting the contents of Accounting messages and need your

I need to manipulate Class attribute (I might use another one, but I guess
there is no difference in handling attributes internally) according to
actual state of local database running on RADIUS server. To be specific,
based on data received in Access-Request packet and actual contents of
RADIUS database my custom function in policy.conf decides which service
name should be supplied to customer and relays this info to NAS using Class

The NAS itself is not the entity that needs to receive the information. NAS
copies the Class attribute into subsequent Accounting messages sent after
opening the session, and those Accounting messages are proxied to another
entity (let's call it "black-box", since it is beyond my control).
Black-box influences traffic transferred by the session according to
service template (which is my desired effect).

xxx.rewrite.class {
  if ((Called-Station-Id) && "%{Called-Station-Id}" =~
/^IW-REG([0-9]{3})-SVC(.*)$/i) {
    update reply {
      Class := "%{tolower:IW-R%{1}-S%{2}}-%{sql: SELECT SVC FROM radcheck
WHERE MAC='%{Calling-Station-Id}'}"
  else {

I included my function into "authorize" and "preacct" sections of "default"
site config and everything works fine when the session is being started.

Now I need to change contents of the Class attribute DURING THE LIFETIME of
the session.

NAS keeps sending Accounting Interim updates. The information coming from
NAS is still the same as it was in Access-Request, but setting in local
database changed, so my script produces another contents for Class
attribute, and I need the change to be reflected in Accounting messsage
proxied to the black-box.

My idea was just to keep the same rewrite function in place, and I was
hoping that Class attribute will be sent back in response to Accounting
same as it was in response to Access-Request, then NAS will start to
include new version of my Class, that will be proxied to black-box, and
black-box does its job.

Unfortunately I can't get RADIUS to send the Class attribute in response to
Accounting message (neither Start nor Interim), Response contains just
Authenticator. So my intended solution does not work. Can you advise how to
force the Class attribute to be included?

09:31:01.466731 IP (tos 0x0, ttl 56, id 65225, offset 0, flags [DF], proto
UDP (17), length 217)
    xxxxx.59947 > yyyyy.radius-acct: RADIUS, length: 189
        Accounting Request (4), id: 0x1b, Authenticator:
          Accounting Status Attribute (40), length: 6, Value: Start
          NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE
          Calling Station Attribute (31), length: 19, Value:
          Called Station Attribute (30), length: 21, Value: IW-REG001-SVCabc
          NAS Port ID Attribute (87), length: 11, Value: BR-airmax
          Username Attribute (1), length: 19, Value: 34:A8:EB:0B:4D:03
          NAS Port Attribute (5), length: 6, Value: -2141191544
          Accounting Session ID Attribute (44), length: 10, Value: 80600288
          Framed IP Address Attribute (8), length: 6, Value:
          Vendor Specific Attribute (26), length: 12, Value: Vendor:
Unknown (14988)
            Vendor Attribute: 10, Length: 4, Value: ..b.
          Class Attribute (25), length: 22, Value: iw-r001-sabc-bbbb
          Event Timestamp Attribute (55), length: 6, Value: Thu Jun 25
09:31:01 2020
          NAS ID Attribute (32), length: 13, Value: DHR Lucerna
          Accounting Delay Attribute (41), length: 6, Value: 00 secs
          NAS IP Address Attribute (4), length: 6, Value: xxxxx
09:31:01.474679 IP (tos 0x0, ttl 64, id 8369, offset 0, flags [none], proto
UDP (17), length 48)
    yyyyy.radius-acct > xxxxx.59947: RADIUS, length: 20
        Accounting Response (5), id: 0x1b, Authenticator:

As I mentioned before, I do not need the NAS to receive the info, it would
be sufficient for me to modify the proxied Accounting message. So, if
including the Class in Accounting Response is not possible (or does not do
what I need), I could solve it just between RADIUS and Accounting proxy.

I was trying to achieve this by including my function into "pre-proxy"
section of default site, but it does not influence the message, Class
contents is copied the same as it was ingested by the RADIUS. Can you
advise how to achieve this?

pre-proxy {
#  Uncomment the following line if you want to change attributes
#  as defined in the preproxy_users file.


#  Uncomment the following line if you want to filter requests
#  sent to remote servers based on the rules defined in the
#  'attrs.pre-proxy' file.

#  If you want to have a log of packets proxied to a home
#  server, un-comment the following line, and the
#  'detail pre_proxy_log' section, above.

Thanks for all hints in advance,

    Pavel Uhliar
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html