This chapter describes how to use Cisco Access Registrar scripting to customize your RADIUS server.
You can write scripts to affect the way Cisco Access Registrar handles and responds to requests, and to change the behavior of Cisco Access Registrar after a script is run.
All scripts reference three dictionaries (Request, Response, and Environment), which are data structures that contain key/value pairs.
The process for creating and implementing a script involves:
The goal of the script and its scripting point are tied together. For example, when you want to create a script that performs some special processing of a username before the Cisco Access Registrar server processes it, you would reference this script as an incoming script.
When, on the other hand, you want to affect the response, such as setting a specific timeout when there is not one, you would reference the script as an outgoing script.
To create a script, you need to understand the way Cisco Access Registrar processes client requests. Cisco Access Registrar processes requests and responses in a hierarchical fashion: incoming requests are processed from the most general to the most specific level, whereas outgoing responses are processed from the most specific to the most general level. Extension points are available at each level.
An incoming script can be referenced at each of the following extension points:
An authentication or authorization script can be referenced at each of the following extension points:
The outgoing script can be referenced at each of the following extension points:
You can write scripts in either Tcl or as shared libraries. In this section, the scripts are shown in Tcl.
To write a script, do the following:
Step 1 Using an editor, create the Tcl source file.
Step 2 Give it a name.
Step 3 Define one or more procedures, using the following syntax:
proc name {request response environment} {
    body
}
Step 4 Create the body of the script.
Step 5 Save the file and copy it to the /opt/AICar1/scripts/radius/tcl directory, or to the location you chose when you installed Cisco Access Registrar.
When you create a script you can use any one or all of the three dictionaries: Request, Response, or Environment.
The following examples show scripts using all three dictionaries.
This script is referenced from the server's IncomingScript scripting point. It checks whether the request contains a NAS-Identifier or a NAS-IP-Address. When it contains neither, it sets the NAS-IP-Address from the request's source IP address.
proc MapSourceIPAddress {request response environment} {
    # Only fill in NAS-IP-Address when the NAS identified itself in neither way.
    if { ! ( [ $request containsKey NAS-Identifier ] ||
             [ $request containsKey NAS-IP-Address ] ) } {
        # Source-IP-Address comes from the Environment dictionary, not the packet.
        $request put NAS-IP-Address [ $environment get Source-IP-Address ]
    }
}
In a Tcl script, $request is a command: invoking it with a method name (such as get, put, or containsKey) operates on the Request dictionary, which contains keys and values.
The containsKey method has the syntax: <$dict> containsKey <attribute>. In this example, <$dict> refers to the Request dictionary and the attributes are NAS-Identifier and NAS-IP-Address. The containsKey method returns 1 when the dictionary contains the attribute, and 0 when it does not. Testing with containsKey first prevents you from overwriting an existing value.
The put method has the syntax: <$dict> put <attribute> <value> [<index>]. In this example, <$dict> refers to the Request dictionary and the attribute is NAS-IP-Address. The put method sets the NAS's IP address attribute.
The get method has the syntax: <$dict> get <attribute>. In this example, <$dict> refers to the Environment dictionary and <attribute> is Source-IP-Address. The get method returns the value of the attribute from the dictionary.
For a list of the methods you can use with scripts, see "Cisco Access Registrar Dictionaries." They include get, put, and others.
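The outgoing case mentioned earlier (setting a timeout only when the response lacks one) can be written with the same three methods. The script below is an added example for this chapter, not one of Cisco's own sample scripts; it assumes that Response-Type is an Environment dictionary key holding the RADIUS response code (for example "Access-Accept") and that Session-Timeout is the attribute name used in the server's dictionary, and it would be referenced from an OutgoingScript scripting point:

```tcl
# Added example (not a Cisco sample script): an outgoing script that supplies a
# default Session-Timeout only when no authorization service or profile has
# already set one. Assumptions: the Environment key "Response-Type" carries the
# response code, and "Session-Timeout" is the configured attribute name.
proc EnsureSessionTimeout {request response environment} {
    # Only an Access-Accept carries authorization attributes; leave rejects
    # and accounting responses untouched. string compare returns 0 on match.
    if { [ string compare [ $environment get Response-Type ] "Access-Accept" ] != 0 } {
        return
    }
    # containsKey returns 1 when the attribute is present; never overwrite a
    # value chosen earlier at a more specific scripting point.
    if { ! [ $response containsKey Session-Timeout ] } {
        $response put Session-Timeout 3600
    }
}
```

Because outgoing scripts run from the most specific level to the most general, attaching this script at the server level means any timeout set by a user record, profile, or NAS-level script takes precedence and the 3600-second value is only a fallback.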
This script is referenced from either the user record for users whose sessions are always PPP, or from the script, AuthorizeService, which checks the request to determine which service is desired. The script merges the Profile named default-PPP-users into the Response dictionary.
proc AuthorizePPP {request response environment} {
    # Merge every attribute of the default-PPP-users Profile into the response.
    $response addProfile default-PPP-users
}
This script is referenced from the NAS Incoming Script scripting point. It looks for a realm name on the username attribute to determine which AAA services should be used for the request. When it finds @radius, it selects a set of AAA services that will proxy the request to a remote RADIUS server. When it finds @tacacs, it selects the Authentication Service that will proxy the request to a TACACS server for authentication. For all of the remaining usernames, it uses the default Service (as specified in the configuration by the administrator).
Note that regsub is a built-in Tcl command.
proc ParseProxyHints {request response environment} {
    set userName [ $request get User-Name ]
    # regsub returns the number of matches; on a match, newUserName holds the
    # username with the "@radius" hint removed.
    if { [ regsub "@radius" $userName "" newUserName ] } {
        $request put User-Name $newUserName
        # Service selection is recorded in the Environment dictionary.
        $environment put Authentication-Service "radius-proxy"
        $environment put Authorization-Service "radius-proxy"
        $environment put Accounting-Service "radius-proxy"
    } else {
        if { [ regsub "@tacacs" $userName "" newUserName ] } {
            $request put User-Name $newUserName
            $environment put Authentication-Service "tacacs-client"
        }
    }
}
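ParseProxyHints handles two fixed hints, and because regsub is unanchored it also matches "@radius" in the middle of a username. The script below is an added example, not a Cisco sample, that generalizes the same idea: it accepts only a trailing "@realm" suffix, looks the realm up in a table, and leaves unknown realms untouched so they fall through to the default Service. The realm table, the service names radius-proxy and tacacs-client (reused from the page's example), and the Environment keys are assumptions; substitute the services configured on your server.

```tcl
# Added example (not a Cisco sample script): table-driven realm parsing.
# Assumed: the Environment keys Authentication-Service, Authorization-Service
# and Accounting-Service select services as in ParseProxyHints above, and the
# service names in realmTable exist in your configuration.
proc ParseRealmHints {request response environment} {
    # realm -> {Authentication Authorization Accounting}; an empty element
    # means "keep the server default for that service".
    array set realmTable {
        radius { radius-proxy radius-proxy radius-proxy }
        tacacs { tacacs-client {} {} }
    }
    set userName [ $request get User-Name ]

    # Match only a suffix of the form "@realm" at the very end of the name:
    # "bob@radius" matches; "bob@radius.example" and "bo@radiusb" do not.
    if { ! [ regexp {^(.*)@([^@]+)$} $userName whole baseName realm ] } {
        return
    }
    set realm [ string tolower $realm ]

    # Unknown realms are left alone so the default Service applies.
    if { ! [ info exists realmTable($realm) ] } {
        return
    }

    # Walk the key list and the table row in step, setting only non-empty entries.
    foreach key { Authentication-Service Authorization-Service Accounting-Service } \
            service $realmTable($realm) {
        if { [ string length $service ] > 0 } {
            $environment put $key $service
        }
    }
    # Strip the realm so the selected service sees the bare username.
    $request put User-Name $baseName
}
```

Anchoring the match at the end of the username and checking the table before touching either dictionary means a malformed or unexpected realm changes nothing: the request proceeds with its original User-Name and the services the administrator configured as defaults.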
After you have written the script, you must add the script definition to the Cisco Access Registrar's script Configuration directory so it can be referenced. Adding the script definition involves:
The rule of thumb for deciding where to add the script is that the most general scripts belong at the outermost points, whereas the most specific scripts belong at the innermost points.
A Scripts directory exists in the server configuration, and you must add the script you created to it. To add the ParseProxyHints script to the Cisco Access Registrar server, type the following command and supply the following information: Name=ParseProxyHints, Description=ParseProxyHints, Language=tcl, Filename=ParseProxyHints, and Entrypoint=ParseProxyHints.
Because the example script, ParseProxyHints, applies to a specific NAS (NAS1), it should be attached at that NAS's scripting point. To specify the script at this scripting point, type:
To test the script, you can use the radclient command, which lets you create and send packets. For more information about the radclient command, see the "Using the aregcmd Commands" section.
Posted: Thu Aug 19 08:13:12 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.