Cisco Access Registrar Scripts
This chapter describes the scripts provided with Cisco Access Registrar.
Using Cisco AR Scripts
The scripts are stored in /localhost/Radius/Scripts.
UseCLIDAsSessionKey
UseCLIDAsSessionKey is used to specify that the Calling-Station-Id attribute should be used as the session key to correlate requests for the same session. This is a typical case for 3G mobile user session correlation.
ParseTranslationGroupsByRealm
ParseTranslationGroupsByRealm is referenced from the rule engine to determine the incoming and outgoing translation groups based on realm set in the rule engine so that the attributes can be added/filtered out by the configuration data set in MCD.
ParseTranslationGroupsByCLID
ParseTranslationGroupsByCLID is referenced from the rule engine to determine the incoming and outgoing translation groups based on CLID set in the rule engine so that the attributes can be added/filtered out by the configuration data set in MCD.
ExecRealmRule
ExecRealmRule is referenced from the rule engine to determine the authentication and authorization service and policy based on the realm set in the rule engine.
ExecDNISRule
ExecDNISRule is referenced from the rule engine to determine the authentication and authorization service and policy based on the DNIS set in the rule engine.
ParseProxyHints
ParseProxyHints is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which AAA services should be used for this request. If @radius is found, a set of AAA services is selected which will proxy the request to a remote RADIUS server. If @tacacs is found, the AuthenticationService is selected that will proxy the request to a TACACS server for authentication. For any services not selected, the default service (as specified in the configuration by the administrator) will be used.
ParseServiceAndProxyHints
ParseServiceAndProxyHints is referenced from the NAS IncomingScript scripting point. It calls both ParseServiceHints and ParseProxyHints.
ParseAAARealm
ParseAAARealm is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which AAA service should be used for this request. If @<realm> is found, the AAA service is selected which has the same name as the realm.
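The realm-hint selection described for ParseProxyHints and ParseAAARealm, modelled in Python as an added example; this is not the script shipped with Cisco AR. The service names, the dictionary keys, the realm lowercasing and the allow-list check on the realm are assumptions made for the illustration.

```python
# Added example: a Python model of the realm-hint logic, not Cisco AR's script.
# Service names and dictionary keys below are constructed for illustration.

DEFAULT_SERVICES = {
    "Authentication-Service": "local-users",
    "Authorization-Service": "local-users",
    "Accounting-Service": "local-file",
}
# Realms for which a same-named AAA service is configured (constructed).
REALM_SERVICES = {"example.com", "example.net"}


def split_realm(user_name):
    """Return (user, realm); realm is None when no usable @<realm> is present."""
    user, sep, realm = user_name.rpartition("@")  # last '@' marks the realm
    if not sep or not user or not realm:
        return user_name, None
    return user, realm.lower()  # case-insensitive match is an assumption


def parse_proxy_hints(user_name, defaults=DEFAULT_SERVICES):
    """@radius selects a proxy for all three services, @tacacs only for auth."""
    selected = dict(defaults)  # anything not selected keeps the default
    _, realm = split_realm(user_name)
    if realm == "radius":
        for key in selected:
            selected[key] = "radius-proxy"
    elif realm == "tacacs":
        selected["Authentication-Service"] = "tacacs-proxy"
    return selected


def parse_aaa_realm(user_name, realms=REALM_SERVICES, defaults=DEFAULT_SERVICES):
    """Select the AAA service that has the same name as the realm."""
    selected = dict(defaults)
    _, realm = split_realm(user_name)
    # The realm comes from the client, so it is only honoured when it names a
    # configured realm service; this check is an addition in this model.
    if realm is not None and realm in realms:
        for key in selected:
            selected[key] = realm
    return selected
```

Because the realm is taken from the User-Name the client sends, a hint that names an internal service (here `local-file`) falls back to the defaults instead of selecting it.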
ParseAASRealm
ParseAASRealm is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which Authentication+Authorization service and of which SessionManager should be used for this request. If @<realm> is found, the AA service and the SessionManager which have the same name as the realm are selected. The Accounting service will be the DefaultAccountingService (as specified in the configuration by the administrator).
ParseServiceAndAAARealmHints
ParseServiceAndAAARealmHints is referenced from the NAS IncomingScript scripting point. It calls both ParseServiceHints and ParseAAARealm.
ParseServiceAndAARealmHints
ParseServiceAndAARealmHints is referenced from the NAS IncomingScript scripting point. It calls both ParseServiceHints and ParseAARealm.
ParseServiceAndAAASRealmHints
ParseServiceAndAAASRealmHints is referenced from the NAS IncomingScript scripting point. It calls both ParseServiceHints and ParseAAASRealm.
ParseServiceAndAASRealmHints
ParseServiceAndAASRealmHints is referenced from the NAS IncomingScript scripting point. It calls both ParseServiceHints and ParseAASRealm.
AuthorizePPP
AuthorizePPP is referenced from either the user record for users whose sessions are always PPP or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-PPP-users" into the response dictionary.
AuthorizeSLIP
AuthorizeSLIP is referenced from either the user record for users whose sessions are always SLIP or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-SLIP-users" into the response dictionary.
AuthorizeTelnet
AuthorizeTelnet is referenced from either the user record for users whose sessions are always telnet or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-Telnet-users" into the response dictionary.
AuthorizeService
AuthorizeService is referenced from the user record for users whose sessions might be PPP, SLIP or Telnet depending on how they are connecting to the NAS. This script checks the request to determine which service is desired. If it is telnet, it calls the script AuthorizeTelnet. If it is PPP, it calls the script AuthorizePPP. If it is SLIP, it calls the script AuthorizeSLIP. If it is none of these, it rejects the request.
ACMEOutgoingScript
ACMEOutgoingScript is referenced from Vendor ACME for the outgoing script. If we are accepting this Access-Request and the response does not yet contain a Session-Timeout, set it to 3600 seconds.
DynamicLDAPSearchBase
DynamicLDAPSearchBase is referenced from the LDAP service incoming script. Based on the domain information in the user name, an LDAP DN-based search is performed. This allows the same user name to exist under the same tree but under different paths, as in the case of a directory tree merge.
This requires:
1. The filter attribute in the LDAP remote server configuration to be "%s" only.
2. The search base to be the highest common root. For the case below, the search base should be "o=company".
3. The uid attribute is assumed to identify the user record; otherwise change the code (see UID_NOTE).
InitEntryPoint
InitEntryPoint initializes the global variables that hold the byte codes for the attributes we are interested in. Doing it this way saves us the lookup time for each request. Note that this is not thread-safe.
ParseServiceHints
ParseServiceHints is referenced from the NAS IncomingScript scripting point. Check to see if we are given a hint of the service type or the realm. If so, set the appropriate attributes in the request or radius dictionary to record the hint and rewrite the user name to remove the hint.
ParseTranslationGroupsByRealm
ParseTranslationGroupsByRealm is referenced from the rule engine to determine the incoming and outgoing translation groups based on realm set in the rule engine so that the attributes can be added/filtered out by the configuration data set in MCD.
ParseTranslationGroupsByDNIS
ParseTranslationGroupsByDNIS is referenced from the rule engine to determine the incoming and outgoing translation groups based on realm set in the rule engine so that the attributes can be added/filtered out by the configuration data set in MCD.
ParseTranslationGroupsByCLID
ParseTranslationGroupsByCLID is referenced from the rule engine to determine the incoming and outgoing translation groups based on CLID set in the rule engine so that the attributes can be added/filtered out by the configuration data set in MCD.
ParseProxyHints
ParseProxyHints is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which AAA services should be used for this request. If @radius is found, a set of AAA services is selected which will proxy the request to a remote RADIUS server. If @tacacs is found, the AuthenticationService is selected that will proxy the request to a TACACS server for authentication. For any services not selected, the default service (as specified in the configuration by the administrator) will be used.
ParseServiceAndProxyHints
ParseServiceAndProxyHints is referenced from the NAS IncomingScript scripting point. It calls both ParseServiceHints and ParseProxyHints.
ParseAAARealm
ParseAAARealm is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which AAA service should be used for this request. If @<realm> is found, the AAA service is selected which has the same name as the realm.
ParseAARealm
ParseAARealm is referenced from the NAS IncomingScript scripting point. It looks for a realm name on the user name attribute as a hint of which Authentication+Authorization service should be used for this request. If @<realm> is found, the AA service is selected which has the same name as the realm. The Accounting service will be the DefaultAccountingService (as specified in the configuration by the administrator).
AuthorizePPP
AuthorizePPP is referenced from either the user record for users whose sessions are always PPP or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-PPP-users" into the response dictionary.
AuthorizeSLIP
AuthorizeSLIP is referenced from either the user record for users whose sessions are always SLIP or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-SLIP-users" into the response dictionary.
AuthorizeTelnet
AuthorizeTelnet is referenced from either the user record for users whose sessions are always telnet or from the script AuthorizeService, which checks the request to determine which service is desired. This script merges the Profile named "default-Telnet-users" into the response dictionary.
AuthorizeService
AuthorizeService is referenced from the user record for users whose sessions might be PPP, SLIP or Telnet depending on how they are connecting to the NAS. This script checks the request to determine which service is desired. If it is telnet, it calls the script AuthorizeTelnet. If it is PPP, it calls the script AuthorizePPP. If it is SLIP, it calls the script AuthorizeSLIP. If it is none of these, it rejects the request.
ACMEOutgoingScript
ACMEOutgoingScript is referenced from Vendor ACME for the outgoing script. If we are accepting this Access-Request and the response does not yet contain a Session-Timeout, set it to 3600 seconds.
ExecFilterRule
ExecFilterRule is referenced from the rule engine to determine whether a user packet should be rejected or not based on whether a special character like "*", "/", "\" or "?" shows up in the packet.
ExecDNISRule
ExecDNISRule is referenced from the rule engine to determine the authentication and authorization service and policy based on the DNIS set in the rule engine.
ExecCLIDRule
ExecCLIDRule is referenced from the rule engine to determine the authentication and authorization service and policy based on the CLID set in the rule engine.
ParseTranslationGroupsByCLID
ParseTranslationGroupsByCLID is referenced from the rule engine to determine the incoming and outgoing translation groups based on CLID set in the rule engine so that the attributes can be added/filtered out by the configuration data set in MCD.
ExecFilterRule
ExecFilterRule is referenced from the rule engine to determine whether a user packet should be rejected or not based on whether a special character like "*", "/", "\" or "?" shows up in the packet.