I am using Cisco Access Registrar 3.0 with an oracle database with users type A. What i need to do is : if the users exists define services type A. If the user is not in the DB then it is type B so i have to define services for this type of user.
I am (and must)using the calling-station-id to authenticate users, so simply be reading it i cant determine the type of user sending the request.
I want to know if it is possible to define the services and profiles depending on the answer of the query. Every user outside the Database gets an Access-reject.
Thanks in advance
I'm not totally clear on what you're trying to do - you say that if the user is not in the DB, then they are type B. But if the user is outside the DB they should get rejected. So why do you need to define services for type B users?
Anyway, you may find a solution by using an Authentication Service to authenticate the users against the Oracle db. And then an outgoing script after the authentication service to set the authorization service according to whether the user is a type A or B.
If the user is not in the DB the radius request should be proxied to another server.
That is basically what i want to do.
Thanks once again
The service grouping feature should solve the problem:
THanks a lot!!! I just have one question. If i create a group services for accounting and set the Result Rule to OR. If the first Accounting Service doesn't send a response, then the Accounting request is proccesed by the second service?
Thanks a lot
Yes, that is correct.
Also note the parallel-and and parallel-or options added in AR 3.0R6:
Thank you very much, but i didn't make myself clear the last time,
The first service is type radius, so if it doesn't proccess the request they will timeout?. So in order to send the requests to the second service the CAR will wait for the retries and its timeouts. If that happens will the CAR shut down the service?
Thank you very much once again for all your help and your time!!!
Yes, AR will mark the first service's remoteserver as 'DOWN' and won't use it again until its reactivatetimerinterval has expired. The first service will use any other remoteservers available to it - if none are available, then it uses the service's outage policy.
Your initial question was about access requests. It would be useful to understand what you are trying to achieve with accounting.
Thanks a lot!!!
What i am trying to do is use one Accounting Service for prepaid and another for credit users. I know there is a prepaid type of service but it can't be used because the Prepaid Server Architecture doesn't allows us to.
But thanks a LOT!!your knowledge have been a big help!
Hi Sanjeev I am looking for some examples scripts CAR 3.5 Tcl/Tk and REX with configuration details not just scripts. The above link does not work any more. Can you please provide me sample scripts with config details.
You can find information on how to configure extension point scripts in AR at this location.
If you have AR installed, example scripts can be found at these locations.
Tcl - /cisco-ar/scripts/radius/tcl/tclscript.tcl
REX - /cisco-ar/examples/rexscript/rexscript.c
You might also want to have a look at the white paper on 'AR Customization Techniques'.
Thanks for your posting. Can you please help me with instruction on how to enable VSA (vendor specific attribute) in response dictionary.
 I have added new VSA (MyVendor) under the following configuration path
[ //localhost/Radius/Advanced/Attribute Dictionary/Vendor-Specific/Vendors/MyVendor/SubAttribute Dictionary ]
I have written a script where I populate the Mytest-attr1 with a string value and is added to the response dictionary.
The problem I have is the response dictionary is empty.
Tcl: request size -> 7
Tcl: response size -> 0
Tcl: environ size -> 19
Tcl: unknown attribute name: response put Mytest-attr1 teststring
I used the script to output the content of request environ and response dictionary.
How to use the Profile to add these additional attribute to the response dictionary ?
Can you please provide an example.
Please correct me if I have misinterpreted the logic