[c-nsp] Re: Cisco Access Registrar proxy authentication
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Sun May 8 05:02:13 EDT 2005
Rob,
you can check the chapter "Using Extension Points" in the CAR
documentation for an overview. The scripts used by CAR are stored in
/opt/CSCOar/scripts/radius/, you can find examples (and the source code
for the REX/C-language scripts) in /opt/CSCOar/examples/.
I acknowledge that this requires a solid understanding of how CAR works
(as outlined in the "Cisco CNS Access Registrar Concepts and Reference
Guide").
I could give this a shot (if I have some spare time) if you sent me
(offline)
1) a trace of a typical access-request which you want to change (i.e. a
user which needs to be forwarded based on a realm/domain), you need to
increase the trace level to "5" and send the output in
"/opt/CSCOar/logs/name_radius_1_trace"
2) your CAR configuration (the output of "ls -R" in aregcmd)
If you are indeed using the ParseAAARealm extension point script to
select the service based on the realm, I'd probably replace this
REX/C-script by a TCL extension point script
(/opt/CSCOar/scripts/radius/tcl/tclscript.tcl) and delete the two lines
which strip the domain:

    proc ParseAAASRealm {request response environ} {
        [...]
        if { [ regexp {([^@]+)@([^@]+)} $userName dummy newUserName realm ] } {
            # don't strip the domain
            # regsub "@$realm" $userName "" newUserName
            # $environ put User-Name $newUserName
            $environ put Authentication-Service $realm
        [...]
    }

You want to use CAR on a test/staging machine to test extension point
scripts; you can use "radclient" to simulate requests.
oli
Rob Polland <> wrote on Sunday, May 08, 2005 9:40 AM:
> thanks a lot Oliver for your update,
>
> but the problem is that I don't know how to write TCL scripts in the
> access registrar so have you anything that can help me, even an
> example.
>
> thanks a lot again ,
>
>
> On 5/4/05, Rob Polland <rpolland at gmail.com> wrote:
>> Dear All,
>> does anybody know how to configure the following case:
>>
>> I want to proxy authentication/authorization/accounting records to a
>> radius client with the following scenario:
>>
>> first the user dial to our NAS with username:
>> comp/username.domain.com, the request is forwarded to our CAR radius,
>> our radius will proxy the request to their radius based on the prefix
>> /comp also the radius will strip /comp suffix, does anybody know how
>> can we configure such thing ??
>>
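
Added example, not part of the original thread and not code shipped with CAR: a realm-selection extension point that anchors the match, accepts both the user@realm form and the prefix/user form from the original question, and only routes to realms on an allow-list. The proc names, the allow-list entries and the use of "$request get User-Name" to read the attribute are assumptions; the "$environ put" call is the one shown in the thread.

```tcl
# Added example; SplitRealm and SelectServiceByRealm are hypothetical names.

# Split a User-Name into {user realm}. Returns an empty list unless the name
# carries exactly one separator with non-empty text on both sides. The
# unanchored pattern {([^@]+)@([^@]+)} would accept "a@b@c" and route on "b".
proc SplitRealm {userName} {
    # "user@realm": one "@", no "/" anywhere (mixed forms are ambiguous).
    if { [regexp {^([^@/]+)@([^@/]+)$} $userName dummy user realm] } {
        return [list $user $realm]
    }
    # "realm/user": the prefix form, e.g. comp/username.domain.com.
    if { [regexp {^([^@/]+)/([^@/]+)$} $userName dummy realm user] } {
        return [list $user $realm]
    }
    return {}
}

# Extension point: select the service from the realm, forward the User-Name
# unchanged. Realms not on the allow-list stay on the default service.
proc SelectServiceByRealm {request response environ} {
    # Constructed realm names; each must match a configured service name.
    set allowed {comp example.net}
    # Assumption: the request dictionary supports "get" like environ's "put".
    set parts [SplitRealm [$request get User-Name]]
    if { [llength $parts] != 2 } {
        return
    }
    set realm [lindex $parts 1]
    if { [lsearch -exact $allowed $realm] >= 0 } {
        $environ put Authentication-Service $realm
    }
}

# Stand-alone check under tclsh, with stub procs in place of CAR's dictionaries.
if { [info exists ::argv0] && [string equal [info script] $::argv0] } {
    proc env {op key value} { puts "  environ $op $key $value" }
    # Constructed sample names: two routable, one malformed, one unlisted.
    foreach name {comp/username.domain.com user@example.net
                  a@b@example.net user@other.org} {
        proc req {op key} [list return $name]
        puts "User-Name $name"
        SelectServiceByRealm req {} env
    }
}
```

Run with tclsh, the first two sample names select a service and the last two print nothing after the name, which is the case to confirm with radclient against the staging server as well.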