Index: authserv.conf
===================================================================
RCS file: /cvsroot/NoCatAuth/authserv.conf,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- authserv.conf	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ authserv.conf	14 Jul 2003 16:13:43 -0000	1.1.1.1.2.1
@@ -230,6 +230,10 @@
 #
 # LocalGateway    192.168.1.7
 
+# RedirectTime -- Seconds to wait before redirecting after
+#	login.
+RedirectTime = 5
+
 # Auth service template names. See the individual templates
 #   for details on what each one does.
 #
Index: gateway.conf
===================================================================
RCS file: /cvsroot/NoCatAuth/gateway.conf,v
retrieving revision 1.1.1.1
retrieving revision 1.5
diff -u -r1.1.1.1 -r1.5
--- gateway.conf	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ gateway.conf	25 Jun 2003 03:59:06 -0000	1.5
@@ -268,13 +268,14 @@
 
 ###### Other Common Gateway Options. (stuff you probably won't have to change)
 #
-# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
+# ResetCmd, PermitCmd, DenyCmd, StatsCmd -- Shell commands to reset,
 #   open and close the firewall. You probably don't need to
 #   change these.
 #
 # ResetCmd	initialize.fw
 # PermitCmd	access.fw permit $MAC $IP $Class 
 # DenyCmd	access.fw deny $MAC $IP $Class 
+# StatsCmd	stats.fw $MAC $IP
 
 ##
 # GatewayPort - The TCP port to bind the gateway 
@@ -284,6 +285,11 @@
 # GatewayPort     5280
 
 ##
+# GatewayAddr - The IP address to bind the gateway
+#   service to.
+# GatewayAddr	127.0.0.1
+
+##
 # PGPKeyPath -- The directory in which PGP keys are stored.
 #   NoCat tries to find this in the pgp/ directory above
 #   the bin/ parent directory. Set this only if you put it
@@ -314,5 +320,67 @@
 # MaxMissedARP	2
 #
 # IdleTimeout   300
+
+
+##### Accounting method
+#
+# DataSource -- specifies what to authenticate against.
+#   Possible values are DBI, RADIUS, File, Log, None
+#
+
+AccountingMethod None
+
+##### Accounting update timeout
+# Default 5 minutes.  Set to 0 to disable.
+#
+
+AccountingUpdateInterval 300
+
+## File accounting support
+#
+# FileAccounting_Path /var/log/nocat_accounting.log
+
+## RADIUS support. Requires Authen::Radius to be installed from the CPAN.
+#
+# Right now, this support is totally experimental. Please send bug reports
+# and patches. The admin tools don't fully work with RADIUS support at the moment.
+#
+# The RADIUS_Host may by in a number of different formats and is required:
+#
+#   RADIUS_Host radius.nocat.net
+#   RADIUS_Host radius1.nocat.net,radius2.nocat.net,radius3.nocat.net
+#   RADIUS_Host radius1.nocat.net:1645,radius2.nocat.net:1812,radius3.nocat.net
+#
+# The previous three examples are 1 host and multiple hosts (can be any number of
+# hosts separated by a comma) and finally with ports provided after a colon.  (If
+# no port number is supplied, it uses the Authen::Radius default of the radius 
+# service in /etc/services or 1645.  Mixing entries with and without ports is 
+# fine.)  These examples require a RADIUS_Secret in the format:
+#
+# RADIUS_Secret	sHHHH
+#
+# The other format is to use the RADIUS_Host with a secret after
+# the hostname seperated by a * such as the examples below.  This 
+# allows for different secrets on different hosts.
+#
+# RADIUS_Host radius1.nocat.net*secret1,radius2.nocat.net*secret2,radius3.nocat.net*secret3
+#
+# Alternatively, ports can also be used on any number of entries.  
+# If the secret is not present, it uses the RADIUS_Secret.
+#
+# RADIUS_Host radius1.nocat.net:1645*secret1,radius2.nocat.net:1812,radius3.nocat.net*secret3
+#
+# RADIUS_TimeOut is optional and defaults to the Authen::Radius 
+# default timeout.
+#
+# RADIUS_TimeOut 5
+#
+# Finally, RADIUS_Order controls the order in which RADIUS
+# servers are used.  The acceptable values are "Ordered" 
+# (the default) and Random (which will share the load 
+# among the servers.
+#
+# RADIUS_Order Random
+#     **** End RADIUS Configuration ****
 
 ### Fin!
Index: bin/checkrad
===================================================================
RCS file: bin/checkrad
diff -N bin/checkrad
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ bin/checkrad	5 Oct 2003 18:38:43 -0000	1.1
@@ -0,0 +1,23 @@
+#!/usr/bin/perl
+
+require HTTP::Request;
+require LWP::UserAgent;
+
+my $debug = true;
+
+# 192.168.0.1 0 foo 01058159212184670
+my ($nas, $user, $session) = @ARGV;
+
+my $request = HTTP::Request->new(GET => "http://$nas:5280/status");
+my $ua = LWP::UserAgent->new;
+my $response = $ua->request($request);
+
+#my $pattern = qr/foo/g;
+foreach ($response->content)
+{
+	print "DEBUG: $_" if $debug;
+	#exit 0 if /$pattern/;
+	exit 0 if /$session/;
+}
+
+exit 1;
Index: bin/gateway
===================================================================
RCS file: /cvsroot/NoCatAuth/bin/gateway,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- bin/gateway	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ bin/gateway	23 Jun 2003 03:04:18 -0000	1.2
@@ -79,7 +79,8 @@
 
 END {
     unless (getppid) {
-        NoCat->log( 0, "Resetting firewall to initial settings." );
-        NoCat->firewall->reset;
+        #NoCat->log( 0, "Resetting firewall to initial settings." );
+        #NoCat->firewall->reset;
+        $server->stop;
     }
 }
Index: cgi-bin/login
===================================================================
RCS file: /cvsroot/NoCatAuth/cgi-bin/login,v
retrieving revision 1.1.1.1
retrieving revision 1.2.2.2
diff -u -r1.1.1.1 -r1.2.2.2
--- cgi-bin/login	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ cgi-bin/login	14 Jul 2003 16:13:43 -0000	1.2.2.2
@@ -67,11 +67,16 @@
     my $user = $authserv->user->fetch( $params->{user} );
 
     $authserv->display( LoginForm => "LoginBadUser" ) unless $user->id;
-    $authserv->display( LoginForm => "LoginBadPass" ) unless $user->authenticate( $params->{pass} );
+    $authserv->display( LoginForm => $user->reply_message ? $user->reply_message : "LoginBadPass" )
+    	unless $user->authenticate( $params->{pass} , $authserv->gateway_ip );
 
     # Set the service class based on the user's authorization (if any).
     my $member = join( " ", $user->groups );
     $params->{member} = $member if $member;	
+    
+    # Set the session timeout based on user's authorization (if any).
+    $params->{sessiontimeout} = $user->session_timeout;
+    $params->{idletimeout} = $user->idle_timeout;
 }
 
 # Finally, notify the gateway (and the user) as to the outcome.
Index: etc/checkrad.patch
===================================================================
RCS file: etc/checkrad.patch
diff -N etc/checkrad.patch
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ etc/checkrad.patch	5 Oct 2003 18:46:35 -0000	1.1
@@ -0,0 +1,32 @@
+--- checkrad.pl.in.old	Sun Oct  5 11:42:15 2003
++++ checkrad.pl.in	Sun Oct  5 11:42:22 2003
+@@ -1161,6 +1161,20 @@
+   ($login eq "$ARGV[3]\@$realm") ? 1 : 0;
+ }
+ 
++sub exec_extern
++{
++  my ($extern) = ($ARGV[0] =~ /^exec\|(.*)/);
++  my @args = @ARGV;
++  shift @args;
++
++  print LOG "  exec extern $extern " . join(' ', @args) . "\n" if ($debug);
++  $ret = system($extern, @args) >> 8;
++  print LOG "  exec extern returned $ret\n" if ($debug);
++  $ret = 2 if ($ret > 1);
++
++  return $ret;
++}
++
+ 
+ ###############################################################################
+ 
+@@ -1230,6 +1244,8 @@
+ 	$ret = &bay_finger;
+ } elsif ($ARGV[0] eq 'cisco_l2tp'){
+         $ret = &cisco_l2tp_snmp;
++} elsif ($ARGV[0] =~ /^exec\|/){
++        $ret = &exec_extern;
+ } elsif ($ARGV[0] eq 'other') {
+ 	$ret = 1;
+ } else {
Index: etc/clients.conf.sample
===================================================================
RCS file: etc/clients.conf.sample
diff -N etc/clients.conf.sample
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ etc/clients.conf.sample	5 Oct 2003 18:50:40 -0000	1.1
@@ -0,0 +1,11 @@
+#
+# SAPMLE: clients.conf - client configuration directives
+#
+#######################################################################
+
+client 192.168.0.1 {
+	secret		= nocat
+	shortname	= nocat
+	nastype		= exec|/usr/local/nocat/bin/checknocat.pl
+}
+
Index: etc/dictionary.nocat
===================================================================
RCS file: etc/dictionary.nocat
diff -N etc/dictionary.nocat
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ etc/dictionary.nocat	27 Jun 2003 02:51:52 -0000	1.1
@@ -0,0 +1,16 @@
+#
+#	The NoCat Vendor-Specific dictionary.
+#
+#	For a complete list of Private Enterprise Codes, see:
+#
+#	http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
+#
+
+VENDOR		NoCat	32767
+
+BEGIN-VENDOR NoCat
+
+ATTRIBUTE	NoCat-Groups		1	string	# Space delimited list of groups
+ATTRIBUTE	NoCat-Groups-Admin	2	string	# Space delimited list of groups user is admin of
+
+END-VENDOR NoCat
Index: htdocs/login_ok.html
===================================================================
RCS file: /cvsroot/NoCatAuth/htdocs/login_ok.html,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- htdocs/login_ok.html	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ htdocs/login_ok.html	14 Jul 2003 16:13:43 -0000	1.1.1.1.2.1
@@ -1,7 +1,7 @@
 <html>
 <head>
     <title>Welcome, $user!</title>
-    <meta http-equiv="Refresh" content="$redirect" />
+    <meta http-equiv="Refresh" content="$redirecttime; URL=$redirect" />
 </head>
 <script language="JavaScript">
     window.open( "$popup", "NoCat_Login_Renewal", "width=250,height=180,scrollbars=no" );	
@@ -12,7 +12,7 @@
 <p><font face="Arial, Helvetica, sans-serif" size="3"><b>Welcome to the NoCat 
   network, $user!</b></font> </p>
 <p><font face="Verdana, Arial, Helvetica, sans-serif" size="1">You've logged in. 
-  You will be redirected within five seconds. If not, click
+  You will be redirected within $redirecttime seconds. If not, click
   <a href="$redirect">here</a> to continue.</font> </p>
 </body>
 
Index: htdocs/login_ok_nopopup.html
===================================================================
RCS file: htdocs/login_ok_nopopup.html
diff -N htdocs/login_ok_nopopup.html
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ htdocs/login_ok_nopopup.html	14 Jul 2003 16:13:43 -0000	1.2.2.1
@@ -0,0 +1,16 @@
+<html>
+<head>
+    <title>Welcome, $user!</title>
+    <meta http-equiv="Refresh" content="$redirecttime; URL=$redirect" />
+</head>
+
+<body bgcolor="#FFFFFF">
+<p><a href="http://nocat.net"><img src="/images/auth_logo.gif" width="112" height="35" border="0"></a> </p>
+<p><font face="Arial, Helvetica, sans-serif" size="3"><b>Welcome to the NoCat 
+  network, $user!</b></font> </p>
+<p><font face="Verdana, Arial, Helvetica, sans-serif" size="1">You've logged in. 
+  You will be redirected within $redirecttime seconds. If not, click
+  <a href="$redirect">here</a> to continue.</font> </p>
+</body>
+
+</html>
Index: htdocs/renew.html
===================================================================
RCS file: /cvsroot/NoCatAuth/htdocs/renew.html,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- htdocs/renew.html	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ htdocs/renew.html	14 Oct 2003 15:27:37 -0000	1.1.1.1.2.1
@@ -1,7 +1,7 @@
 <html>
 <head>
     <title>NoCat login agent</title>
-    <meta http-equiv="Refresh" content="$redirect" />
+    <meta http-equiv="Refresh" content="$redirecttime; $redirect" />
 </head>
 <body bgcolor="#FFFFFF">
 <p><a href="http://nocat.net" target="_blank"><img src="/images/auth_logo.gif" width="112" height="35" border="0"></a> </p>
Index: htdocs/renew_pasv.html
===================================================================
RCS file: /cvsroot/NoCatAuth/htdocs/renew_pasv.html,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- htdocs/renew_pasv.html	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ htdocs/renew_pasv.html	14 Oct 2003 15:25:23 -0000	1.1.1.1.2.1
@@ -1,7 +1,7 @@
 <html>
 <head>
     <title>NoCat login agent</title>
-    <meta http-equiv="Refresh" content="$redirect" />
+    <meta http-equiv="Refresh" content="$redirecttime; $redirect" />
 </head>
 <script language="JavaScript">
     setTimeout( "document.RenewalForm.submit()", $timeout * 1000 );
Index: htdocs/images/auth_logo.gif
===================================================================
RCS file: htdocs/images/auth_logo.gif
diff -N htdocs/images/auth_logo.gif
Binary files /tmp/cvsPhN0Xj and /dev/null differ
Index: htdocs/images/continue.gif
===================================================================
RCS file: htdocs/images/continue.gif
diff -N htdocs/images/continue.gif
Binary files /tmp/cvsV3bSq9 and /dev/null differ
Index: htdocs/images/login.gif
===================================================================
RCS file: htdocs/images/login.gif
diff -N htdocs/images/login.gif
Binary files /tmp/cvsZ8DbfG and /dev/null differ
Index: htdocs/images/logout.gif
===================================================================
RCS file: htdocs/images/logout.gif
diff -N htdocs/images/logout.gif
Binary files /tmp/cvslZV32Y and /dev/null differ
Index: htdocs/images/register.gif
===================================================================
RCS file: htdocs/images/register.gif
diff -N htdocs/images/register.gif
Binary files /tmp/cvsYoCXBQ and /dev/null differ
Index: htdocs/images/reset.gif
===================================================================
RCS file: htdocs/images/reset.gif
diff -N htdocs/images/reset.gif
Binary files /tmp/cvsylDI6L and /dev/null differ
Index: htdocs/images/skip.gif
===================================================================
RCS file: htdocs/images/skip.gif
diff -N htdocs/images/skip.gif
Binary files /tmp/cvs9SeUNx and /dev/null differ
Index: htdocs/images/update.gif
===================================================================
RCS file: htdocs/images/update.gif
diff -N htdocs/images/update.gif
Binary files /tmp/cvsPtoNbt and /dev/null differ
Index: lib/NoCat.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.3.2.1
diff -u -r1.1.1.1 -r1.3.2.1
--- lib/NoCat.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat.pm	14 Jul 2003 16:13:43 -0000	1.3.2.1
@@ -34,6 +34,7 @@
     PermitCmd	    => 'access.fw permit $MAC $IP $Class',
     DenyCmd	    => 'access.fw deny $MAC $IP $Class',
     InitCmd	    => "reset.fw",
+    StatsCmd	    => 'stats.fw $MAC $IP',
 
     ### No. of seconds before logins/renewals expire.
     LoginTimeout    => 300,
@@ -45,6 +46,7 @@
     ### Authservice networking values.
     DataSource	    => "DBI",
     NotifyTimeout   => 30,
+    RedirectTime	=> 5,
 
     ### GPG Locations. Assumes it's in your path.
     GpgPath	    => "gpg",
@@ -376,6 +378,12 @@
     unshift @_, "Socket" if @_ == 1;
     require NoCat::Peer;
     return NoCat::Peer->new( Parent => $self, @_ );
+}
+
+sub accounting {
+    my $self = shift;
+    require NoCat::Accounting;
+    return NoCat::Accounting->new( Parent => $self, @_);
 }
 
 1;
Index: lib/Authen/Radius.pm
===================================================================
RCS file: lib/Authen/Radius.pm
diff -N lib/Authen/Radius.pm
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lib/Authen/Radius.pm	2 Aug 2003 21:07:10 -0000	1.1
@@ -0,0 +1,650 @@
+#############################################################################
+#                                                                           #
+# Radius Client module for Perl 5                                           #
+#                                                                           #
+# Written by Carl Declerck <carl@miskatonic.inbe.net>, (c)1997              #
+# All Rights Reserved. See the Perl Artistic License for copying & usage    #
+# policy.                                                                   #
+#                                                                           #
+# See the file 'Changes' in the distrution archive.                         #
+#                                                                           #
+#############################################################################
+
+package Authen::Radius;
+
+use FileHandle;
+use IO::Socket;
+use IO::Select;
+use Digest::MD5;
+
+use vars qw($VERSION @ISA @EXPORT);
+
+require Exporter;
+require AutoLoader;
+
+@ISA = qw(Exporter AutoLoader);
+@EXPORT = qw(ACCESS_REQUEST ACCESS_ACCEPT ACCESS_REJECT ACCOUNTING_REQUEST ACCOUNTING_RESPONSE);
+$VERSION = '0.081';
+
+my (%dict_id, %dict_name, %dict_val);
+my ($request_id) = $$ & 0xff;	# probably better than starting from 0
+my ($object_counter) = 1;       # to ensure unique sessionids
+my ($radius_error) = 'ENONE';
+
+#
+# we'll need to predefine these attr types so we can do simple password
+# verification without having to load a dictionary
+#
+
+$dict_id{1}{'type'} = 'string';	# set 'username' attr type to string
+$dict_id{2}{'type'} = 'string';	# set 'password' attr type to string
+$dict_id{4}{'type'} = 'ipaddr'; # set 'NAS-IP' attr type
+$dict_id{5}{'type'} = 'integer'; #set port number
+$dict_id{44}{'type'} = 'string'; #set port number
+
+sub ACCESS_REQUEST { 1; }
+sub ACCESS_ACCEPT  { 2; }
+sub ACCESS_REJECT  { 3; }
+sub ACCOUNTING_REQUEST { 4; }
+sub ACCOUNTING_RESPONSE { 5; };
+
+sub new {
+	my $class = shift;
+	my %h = @_;
+	my ($host, $port);
+	my $self = {};
+
+	bless $self, $class;
+
+	$self->set_error;
+
+	return $self->set_error('ENOHOST') unless $h{'Host'};
+	($host, $port) = split(/:/, $h{'Host'});
+	
+	if($h{'Accounting'}) {
+	    $self->{'Accounting'} = 1;
+	    $port = getservbyname('radacct', 'udp') unless $port;
+	    $port = 1646 unless $port;
+	} else {
+	    $port = getservbyname('radius', 'udp') unless $port;
+	    $port = 1645 unless $port;
+	}
+
+	$self->{'timeout'} = $h{'TimeOut'} ? $h{'TimeOut'} : 5;
+	$self->{'secret'} = $h{'Secret'};
+	$self->{'sock'} = new IO::Socket::INET(
+				PeerAddr => $host,
+				PeerPort => $port,
+				Type => SOCK_DGRAM,
+				Proto => 'udp',
+				TimeOut => $self->{'timeout'}
+	) or return $self->set_error('ESOCKETFAIL');
+
+	$self->{'objectcounter'} = $objectcounter++;
+	$self->{'sessioncounter'} = 0;
+	$self->{'nasip'} = $h{'NasIP'};
+	$self->{'nasip'} = $self->{'sock'}->sockhost unless $self->{'nasip'};
+
+	$self;
+}
+
+sub NewSessionId {
+    my $self = shift;
+    my $newvalue = shift;
+    if($newvalue) {
+	$self->{'currentsession'} = $newvalue;
+    } else {
+	$self->{'currentsession'} = $self->{'objectcounter'} . time . $$ . $self->{'sessioncounter'}++;
+    }
+    return $self->{'currentsession'};
+}
+
+sub CurrentSessionId {
+    my $self = shift;
+    return $self->{'currentsession'};
+}
+
+sub send_packet {
+	my ($self, $type) = @_;
+	my ($data);
+
+	$self->set_error;
+	$self->gen_authenticator unless defined $self->{'authenticator'};
+	$data = pack('C C n', $type, $request_id, 20 + length($self->{'attributes'}))
+				. $self->{'authenticator'} . $self->{'attributes'};
+ 
+       $self->{'Accounting'} && do {
+  		substr($data, 4, 16) = "\000" x 16;
+		my $ct = new Digest::MD5;
+		$ct->add ($data . $self->{'secret'});
+		substr($data, 4, 16) = $ct->digest ();
+		$self->{'authenticator'} = substr($data, 4, 16);
+	};
+	
+	$prev_request_id = $request_id;
+	$request_id = ($request_id + 1) & 0xff;
+
+	$self->{'sock'}->send ($data) || $self->set_error('ESENDFAIL');
+}
+
+sub recv_packet {
+	my ($self) = @_;
+	my ($data, $type, $id, $length, $auth, $sh);
+
+	$self->set_error;
+
+	$sh = new IO::Select($self->{'sock'}) or return $self->set_error('ESELECTFAIL');
+	$sh->can_read($self->{'timeout'}) or return $self->set_error('ETIMEOUT');
+
+	$self->{'sock'}->recv ($data, 65536) or return $self->set_error('ERECVFAIL');
+	($type, $id, $length, $auth, $self->{'attributes'}) = unpack('C C n a16 a*', $data);
+	return $self->set_error('EBADAUTH') if $auth ne $self->calc_authenticator($type, $id, $length);
+
+	$type;
+}  
+
+sub check_password {
+    my $self = shift;
+    my %args = @_;
+    if($args{'SessionId'} && $args{'SessionId'} eq 'NEW') {
+	$args{'SessionId'} = $self->NewSessionId();
+    }
+    my @Extra;
+    if($args{'Attributes'}) {
+	my $Extraref = $args{'Attributes'};
+	@Extra = @$Extraref;
+    }
+    return $self->check_pwd($args{'User'},$args{'Password'},$args{'NASPort'},$args{'SessionId'},@Extra);
+}
+
+sub check_pwd {
+	my ($self, $name, $pwd, $NASPort, $SessionId,@ExtraAttributes) = @_;
+	
+	$NASPort = '0' unless $NASPort;
+	$self->clear_attributes;
+	if($SessionId) {
+	    push(@ExtraAttributes,{ Name => 44, Value => $SessionId } );
+	}
+
+	$self->add_attributes (
+		{ Name => 1, Value => $name },
+		{ Name => 2, Value => $pwd },
+		{ Name => 4, Value => $self->{'nasip'}},
+	        { Name => 5, Value => $NASPort, Type => 'integer' },
+		@ExtraAttributes
+	);
+
+	my $sp_result = $self->send_packet (ACCESS_REQUEST);
+	if($sp_result) {
+	    my $rp_result = $self->recv_packet;
+	    if($rp_result && $rp_result == ACCESS_REJECT) {
+		$self->set_error('EBADPASS');
+	    }
+	    return ($rp_result && $rp_result == ACCESS_ACCEPT);
+	} else {
+	    return $sp_result;
+	}
+}
+
+sub start_acct {
+	my ($self, %args) = @_;
+	if(! $self->{'Accounting'}) {
+	    $self->set_error('NOACCT');
+	    return undef;
+	}
+	$self->clear_attributes;
+	my $ExtraAttributesRef = $args{'Attributes'};
+	$self->NewSessionId($args{'SessionId'});
+	
+	if(! $self->CurrentSessionId()) {
+	    $self->NewSessionId();
+	}
+
+
+
+	$self->add_attributes({ Name => 1, Value => $args{'User'}, Type => 'string' },  # User-Name
+			      { Name => 4, Value => $self->{'nasip'}, Type => 'ipaddr' }, # NAS-IP-Address
+			      { Name => 40, Value => '1', Type => 'integer' },
+			      { Name => 40, Value => '7', Type => 'integer' }, 
+			      { Name => 44, Value => $self->CurrentSessionId() },  #Acct-Session-Id
+			      @$ExtraAttributesRef
+);
+
+	$self->send_packet (ACCOUNTING_REQUEST) && return $self->{'currentsession'};
+      #	$self->send_packet (ACCOUNTING_REQUEST) && $self->recv_packet == ACCOUNTING_RESPONSE;
+}
+
+sub stop_acct {
+        my ($self, %args ) = @_;
+	if(! $self->{'Accounting'}) {
+	    $self->set_error('NOACCT');
+	    return undef;
+	}
+        $self->clear_attributes;
+	my $sessionid = $self->{'currentsession'};
+	$sessionid = $args{'SessionId'} if $args{'SessionId'};
+
+	my $ExtraAttributesRef = $args{'Attributes'};
+	$self->add_attributes ({ Name => 1, Value => $args{'User'}, Type => 'string' },
+			       { Name => 40, Value => '2', Type => 'integer' },
+			       { Name => 40, Value => '8', Type => 'integer' },
+			       { Name => 4, Value => $self->{'nasip'}, Type => 'ipaddr' }, # NAS-IP-Address
+			       { Name => 44, Value => $sessionid },  #Acct-Session-Id
+			       @$ExtraAttributesRef
+			       );
+
+	return $self->send_packet (ACCOUNTING_REQUEST);
+}
+
+sub update_acct {
+        my ($self, %args ) = @_;
+	if(! $self->{'Accounting'}) {
+	    $self->set_error('NOACCT');
+	    return undef;
+	}
+        $self->clear_attributes;
+	my $sessionid = $self->{'currentsession'};
+	$sessionid = $args{'SessionId'} if $args{'SessionId'};
+
+	my $ExtraAttributesRef = $args{'Attributes'};
+	$self->add_attributes ({ Name => 1, Value => $args{'User'}, Type => 'string' },
+			       { Name => 40, Value => '3', Type => 'integer' },
+			       { Name => 4, Value => $self->{'nasip'}, Type => 'ipaddr' }, # NAS-IP-Address
+			       { Name => 44, Value => $sessionid },  #Acct-Session-Id
+			       @$ExtraAttributesRef
+			       );
+
+	return $self->send_packet (ACCOUNTING_REQUEST) && return $self->{'currentsession'};
+}
+
+sub clear_attributes {
+	my ($self) = @_;
+
+	$self->set_error;
+
+	delete $self->{'attributes'};
+
+	1;
+}
+
+sub get_attributes {
+	my ($self) = @_;
+	my ($id, $length, $value, $type, $rawvalue, @a);
+	my ($vendor, $vendorid, $vendorlength, $vendorattrs, $vendorrawvalue, @v);
+	my ($attrs) = $self->{'attributes'};
+
+	$self->set_error;	
+
+	while (length($attrs)) {
+		($id, $length, $attrs) = unpack('C C a*', $attrs);
+		($rawvalue, $attrs) = unpack('a' . ($length - 2) . ' a*', $attrs);
+                if (26 == $id) {
+			# Vendor Specific Attributes
+			($vendor, $vendorattrs) = unpack('N a*', $rawvalue);
+			while(length($vendorattrs))
+			{
+				($vendorid, $vendorlength, $vendorattrs) = unpack('C C a*', $vendorattrs);
+				($vendorrawvalue, $vendorattrs) = unpack('a' . ($vendorlength) . ' a*', $vendorattrs);
+				push (@v, {	'Code' => $vendorid,
+						'RawValue' => $vendorrawvalue }
+				);
+			}
+			$value = \@v;
+			push (@a, {	'Name' => defined $dict_id{$id}{'name'} ? $dict_id{$id}{'name'} : $id,
+					'Code' => $id,
+					'RawValue' => $rawvalue,
+					'Vendor' => $vendor,
+					'VendorAttributes' => \@v }
+			);
+		} else {
+			# Standard Attributes
+			$type = $dict_id{$id}{'type'};
+			if ($type && $type eq "string") {
+				$value = $rawvalue;
+			} elsif ($type && $type eq "integer") {
+				$value = unpack('N', $rawvalue);
+				$value = $dict_val{$id}{$value} if defined $dict_val{$id}{$value};
+			} elsif ($type && $type eq "ipaddr") {
+				$value = inet_ntoa($rawvalue);
+			}
+			push (@a, {	'Name' => defined $dict_id{$id}{'name'} ? $dict_id{$id}{'name'} : $id,
+					'Code' => $id,
+					'Value' => $value,
+					'RawValue' => $rawvalue }
+			);
+		}
+	}
+
+	@a;
+}
+
+sub add_attributes {
+	my ($self, @a) = @_;
+	my ($a, $id, $type, $value);
+
+	$self->set_error;
+
+	for $a (@a) {
+		$id = defined $dict_name{$a->{'Name'}}{'id'} ? $dict_name{$a->{'Name'}}{'id'} : int($a->{'Name'});
+		$type = defined $a->{'Type'} ? $a->{'Type'} : $dict_id{$id}{'type'};
+		if ($type eq "string") {
+			$value = $a->{'Value'};
+			if ($id == 2) {
+				$self->gen_authenticator;
+				$value = $self->encrypt_pwd($value);
+			}
+		} elsif ($type eq "integer") {
+			$value = pack('N', int($a->{'Value'}));
+		} elsif ($type eq "ipaddr") {
+			$value = inet_aton($a->{'Value'});
+		} else {
+			next;
+		}
+		
+		if(defined($value)) {
+		    $self->{'attributes'} .= pack('C C', $id, length($value) + 2) . $value;
+		} else {
+		    warn "no value sent for attribute $id";
+		}
+	}
+
+	1;
+}
+
+sub calc_authenticator {
+	my ($self, $type, $id, $length) = @_;
+	my ($hdr, $ct);
+
+	$self->set_error;
+
+	$hdr = pack('C C n', $type, $id, $length);
+	$ct = new Digest::MD5;
+	$ct->reset ();
+	$ct->add ($hdr, $self->{'authenticator'}, $self->{'attributes'}, $self->{'secret'});
+
+	$ct->digest();
+}
+
+sub gen_authenticator {
+	my ($self) = @_;
+	my ($ct);
+
+	$self->set_error;
+
+	$ct = new Digest::MD5;
+	$ct->reset ();
+	# the following could be improved a lot
+	$ct->add (sprintf("%08x%04x", time, $$), $self->{'attributes'});
+
+	$self->{'authenticator'} = $ct->digest();
+}
+
+
+sub encrypt_pwd {
+	my ($self, $pwd) = @_;
+	my ($i, $ct, @pwdp, @xor);
+
+	$self->set_error;
+
+	# this only works for passwords <= 16 chars, anyone use longer passwords?
+	$pwd .= "\0" x (16 - length($pwd) % 16);
+	@pwdp = unpack('C16', pack('a16', $pwd));
+	$ct = new Digest::MD5;
+	$ct->reset ();
+	$ct->add ($self->{'secret'}, $self->{'authenticator'});
+	@xor = unpack('C16', $ct->digest());
+	for $i (0..15) {
+		$pwdp[$i] ^= $xor[$i];
+	}
+
+	pack('C' . length($pwd), @pwdp);
+}
+
+sub load_dictionary {
+	shift;
+	my ($file) = @_;
+	my ($fh, $cmd, $name, $id, $type);
+
+	$file = "/etc/raddb/dictionary" unless $file;
+	$fh = new FileHandle($file) or die "Can't open dictionary '$file' ($!)\n";
+
+	while (<$fh>) {
+		chomp;
+		($cmd, $name, $id, $type) = split(/\s+/);
+		next if (!$cmd || $cmd =~ /^#/);
+		if ($cmd =~ /^attribute$/i) {
+			$dict_id{$id}{'name'} = $name;
+			$dict_id{$id}{'type'} = $type;
+			$dict_name{$name}{'id'} = $id;
+			$dict_name{$name}{'type'} = $type;
+		} elsif ($cmd =~ /^value$/i) {
+			$dict_val{$dict_name{$name}{'id'}}{$type} = $id;
+		}
+	}
+	$fh->close;
+
+	1;
+}
+
+sub set_error {
+	my ($self, $error) = @_;
+
+	$radius_error = $self->{'error'} = defined $error ? $error : 'ENONE';
+
+	undef;
+}
+
+sub get_error {
+	my ($self) = @_;
+
+	$self->{'error'};
+}
+
+sub strerror {
+	my ($self, $error) = @_;
+
+	my %errors = (
+		'ENONE',		'none',
+		'ESELECTFAIL',	'select creation failed',
+		'ETIMEOUT',		'timed out waiting for packet',
+		'ESOCKETFAIL',	'socket creation failed',
+		'ENOHOST',		'no host specified',
+		'EBADAUTH',		'bad response authenticator',
+		'ESENDFAIL',	'send failed',
+		'ERECVFAIL',	'receive failed',
+		'NOACCT',      'trying to use accounting methods without calling new with the accounting flag',
+		'EBADPASS',     'Authentication was OK, but the wrong un/pw was used'
+	);
+
+	return $errors{$radius_error} unless ref($self);
+	$errors{defined $error ? $error : $self->{'error'}};
+}
+
+	
+
+1;
+__END__
+
+=head1 NAME
+
+RadiusPerl - provide simple Radius client facilities (aka Authen::Radius)
+
+=head1 SYNOPSIS
+
+  use Authen::Radius;
+  
+  $r = new Authen::Radius(Host => 'myserver', Secret => 'mysecret');
+  print "auth result=", $r->check_password(User => 'myname', 
+                                           Password => 'mypwd',
+                                           NASPort => 1,
+                                           SessionId => 'NEW'), "\n";
+
+  $r = new Authen::Radius(Host => 'myserver', Secret => 'mysecret');
+  Authen::Radius->load_dictionary;
+  $r->add_attributes (
+  		{ Name => 'User-Name', Value => 'myname' },
+  		{ Name => 'Password', Value => 'mypwd' }
+  );
+  $r->send_packet (1) and $type = $r->recv_packet;
+  print "server response type = $type\n";
+  for $a ($r->get_attributes) {
+  	print "attr: name=$a->{'Name'} value=$a->{'Value'}\n";
+  }
+
+
+  $acct = new Authen::Radius(Host => 'myserver', Secret => 'mysecret', Accounting => 1);
+  my $sessionid = $acct->start_acct(User => 'myname',
+                                    Attributes => [{Name => 8, Value => '1.2.3.4', Type => 'ipaddr'},
+                                                   {Name => 9, Value => '255.255.255.0', Type => 'ipaddr'}
+                                                  ],
+                                    SessionId => $acct->CurrentSessionId()
+                                    );
+  $acct->stop_acct(User => 'myname',
+                   SessionId  => $id,
+                   Attributes => [{Name => 8, Value => '1.2.3.4', Type => 'ipaddr'},
+                                  {Name => 9, Value => '255.255.255.0', Type => 'ipaddr'}
+                                 ]
+    );
+
+
+=head1 DESCRIPTION
+
+The C<Authen::Radius> module provides a simple class that allows you to 
+send/receive Radius requests/responses to/from a Radius server as well as
+send/receive Radius accounting packets.
+
+=head1 CONSTRUCTOR
+
+=over 4
+
+=item new ( Host => HOST, Secret => SECRET [, Accounting => 1][, TimeOut => TIMEOUT] [, NasIP => '1.2.3.4' )
+
+Creates & returns a blessed reference to a Radius object, or undef on
+failure.  The Accounting flag must be set if you wish to call
+start_acct or stop_acct.  Error status may be retrieved with
+C<Authen::Radius::get_error> (errorcode) or C<Authen::Radius::strerror> 
+(verbose error string).  The C<NasIP> is completely optional but allows
+one to specify a different IP address for the RADIUS server to see.
+
+=back
+
+=head1 METHODS
+
+=over 4
+
+=item load_dictionary ( [ DICTIONARY ] )
+
+Loads the definitions in the specified Radius dictionary file (standard 
+Livingston radiusd format). Tries to load 'C</etc/raddb/dictionary>' when no 
+argument is specified, or dies.
+
+=item check_password ( User => USERNAME, Password => PASSWORD, NASPort => NASPORT, SessionId => SESSIONID, Attributes => ATTRIBUTES )
+
+Provides a cleaner interface to checking passwords given a C<USERNAME>
+and C<PASSWORD>.  Optionally, a C<NASPORT> and C<SESSIONID> may be
+passed.  A special C<SESSIONID> of "NEW" will create and store a new
+session id by calling NewSessionId.  Any additional attributes can
+also be specified in the same fashion as accounting attributes (see
+examples above).  This function returns 1 if the C<PASSWORD> is
+correct or undef otherwise.
+
+=item check_pwd ( USERNAME, PASSWORD [, NAS-Port] [, Session-Id] )
+
+This is kept for historic compatibility.  Checks with the Radius
+server if the specified C<PASSWORD> is valid for user C<USERNAME>.
+Optionally, a C<NAS-Port> may be specified.  If a C<NAS-Port> is
+specified, you pay also specify a C<Session-Id>.  If the session id is
+not passed, it will not be passed to the authentication server.  The
+function returns 1 if the C<PASSWORD> is correct, or undef otherwise.
+
+=item start_acct ( User => USERNAME, Attributes => [{Name => 8, Value => '1.2.3.4', Type => 'ipaddr'}, {Name => 9, Value => '255.255.255.0', Type => 'ipaddr'} ], SessionId => SESSIONID)
+
+Sends the Radius server an accounting start message with the specified
+C<USERNAME> and the optional C<Attributes>, such as the ones suggested
+above (these may be integrated to do dictionary lookups in the
+future).  Note that the brackets are not optional.  A C<SESSIONID> is
+optionally passed as well.  If not passed, a new one will be
+generated.
+
+=item stop_acct ( User => USERNAME, SessionId => 1, Attributes => [{Name => 8, Value => '1.2.3.4', Type => 'ipaddr'}, {Name => 9, Value => '255.255.255.0', Type => 'ipaddr'} ])
+
+Sends the Radius server an accounting stop message with the specified 
+C<USERNAME> and the optional C<SessionId> retrieved from start_acct and 
+any other optionl C<Attributes> as suggested.
+
+=item NewSessionId
+
+Creates and returns a new session id and stores it for later retrieval.
+
+=item CurrentSessionId
+
+Returns the current Session-Id.
+
+=item add_attributes ( { Name => NAME, Value => VALUE [, Type => TYPE] }, ... )
+
+Adds any number of Radius attributes to the current Radius object. Attributes
+are specified as a list of anon hashes. They may be C<Name>d with their 
+dictionary name (provided a dictionary has been loaded first), or with 
+their raw Radius attribute-type values. The C<Type> pair should be specified 
+when adding attributes that are not in the dictionary (or when no dictionary 
+was loaded). Values for C<TYPE> can be 'C<string>', 'C<integer>' or 'C<ipaddr>'.
+
+=item get_attributes
+
+Returns a list of references to anon hashes with the following key/value
+pairs : { Name => NAME, Code => RAWTYPE, Value => VALUE, RawValue =>
+RAWVALUE }. Each hash represents an attribute in the current object. The 
+C<Name> and C<Value> pairs will contain values as translated by the 
+dictionary (if one was loaded). The C<Code> and C<RawValue> pairs always 
+contain the raw attribute type & value as received from the server.
+
+=item clear_attributes
+
+Clears all attributes for the current object.
+
+=item send_packet ( REQUEST_TYPE )
+
+Packs up a Radius packet based on the current secret & attributes and
+sends it to the server with a Request type of C<REQUEST_TYPE>. Exported
+C<REQUEST_TYPE> methods are 'C<ACCESS_REQUEST>', 'C<ACCESS_ACCEPT>' 
+and 'C<ACCESS_REJECT>'. Returns the number of bytes sent, or undef on failure.
+
+=item recv_packet
+
+Receives a Radius reply packet. Returns the Radius Reply type (see possible
+values for C<REQUEST_TYPE> in method C<send_packet>) or undef on failure. Note 
+that failure may be due to a failed recv() or a bad Radius response 
+authenticator. Use C<get_error> to find out.
+
+=item get_error
+
+Returns the last C<ERRORCODE> for the current object. Errorcodes are one-word
+strings always beginning with an 'C<E>'.
+
+=item strerror ( [ ERRORCODE ] )
+
+Returns a verbose error string for the last error for the current object, or
+for the specified C<ERRORCODE>.
+
+=back
+
+=head2 EXPORT
+
+ACCESS_REQUEST
+ACCESS_ACCEPT
+ACCESS_REJECT
+ACCOUNTING_REQUEST
+ACCOUNTING_RESPONSE
+
+are all values exported by default for historic reasons.
+
+=head1 AUTHOR
+
+Carl Declerck <carl@miskatonic.inbe.net>
+
+=head1 SEE ALSO
+
+none
+
+=cut
+
Index: lib/NoCat/Accounting.pm
===================================================================
RCS file: lib/NoCat/Accounting.pm
diff -N lib/NoCat/Accounting.pm
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lib/NoCat/Accounting.pm	23 Jun 2003 03:09:36 -0000	1.1
@@ -0,0 +1,66 @@
+package NoCat::Accounting;
+
+use NoCat qw( ANY );
+use strict;
+use vars qw( @ISA @REQUIRED );
+
+@ISA	    = 'NoCat';
+@REQUIRED   = qw( AccountingMethod );
+
+my @API_Methods = qw(
+    create_session_id;
+    start;
+    stop;
+    update;
+);
+
+sub _virtual {
+    my ($self, $func) = @_;
+
+    require Carp;
+    Carp::croak( ref($self), " does not implement a $func method" );
+}
+
+for my $method ( @API_Methods ) {
+    no strict 'refs';
+    *{__PACKAGE__ . "::$method"} = sub { _virtual($_[0], $method) };
+}
+
+# Dummy methods
+
+sub create_session_id {
+    # do nothing
+}
+
+sub start {
+    # do nothing
+}
+
+sub stop {
+    # do nothing
+}
+
+sub update
+{
+    # do nothing
+}
+
+# The one non-dummy function.
+#
+sub new {
+    my $self	= shift;
+    my $class	= ref( $self ) || $self;
+
+    if ( $class eq __PACKAGE__ ) {
+	# We've been called as NoCat::Accounting->new, which means we need to
+	# load nocat.conf and figure out which data source plugin we're 
+	# supposed to use.
+	return $self->instantiate( AccountingMethod => @_ );
+    } else {
+	# We've been called as NoCat::Accounting::Foo->new, so pass arguments
+	# to NoCat->new and return.
+	return $self->SUPER::new( @_ );
+    }
+}
+
+1;
Index: lib/NoCat/AuthService.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/AuthService.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- lib/NoCat/AuthService.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/AuthService.pm	14 Jul 2003 16:13:43 -0000	1.1.1.1.2.1
@@ -288,10 +288,10 @@
     
     my $redirect = $vars{redirect} || $self->{HomePage};
 
-    # Add a refresh time of five seconds... unless one is already set.
-    $vars{redirect} = $redirect = "5; URL=$redirect" unless $redirect =~ /^\d+;/o;
+    # Add a refresh time of 30 seconds...
+    $vars{redirecttime} = my $redirecttime = $self->{RedirectTime};
 
-    push @headers, -Refresh => $redirect;
+    push @headers, -Refresh => "$redirecttime; URL=$redirect";
     # push @headers, -Cookie => $self->{Cookie} if $self->{Cookie};
 
     # Hit the g/w with the ticket first if there is one, get a 304, 
Index: lib/NoCat/Firewall.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Firewall.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.5.2.1
diff -u -r1.1.1.1 -r1.5.2.1
--- lib/NoCat/Firewall.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/Firewall.pm	2 Aug 2003 20:31:24 -0000	1.5.2.1
@@ -7,7 +7,7 @@
 use constant BY_IP	=> 2;
 
 @ISA	    = 'NoCat';
-@REQUIRED   = qw( ResetCmd PermitCmd DenyCmd GatewayMode );
+@REQUIRED   = qw( ResetCmd PermitCmd DenyCmd StatsCmd GatewayMode );
 
 # These config parameters can (potentially) be determined dynamically.
 my @Dynamic_Required = qw( InternalDevice ExternalDevice LocalNetwork );
@@ -248,5 +248,76 @@
 
     return @ns;
 }
+
+#
+# Returns the current stats on a firewall rule or all rules.
+#
+# If mac and/or ip parameters are specified then only one line should be
+# returned from the external command. This line should be formatted as follows:
+# <InOctets> <OutOctets> [LastIn] [LastOut]
+# Where:
+#   InOctets is the number of bytes passed inbound to the client (download).
+#   OutOctets is the number of bytes passed outbound from the client (upload).
+#   LastIn is optional timestamp of last inbound packet.
+#   LastOut is optional timestamp of last outbound packet.
+#
+# If no mac or ip parameters are specified then the external command should
+# return one line for each client rule.  The lines should be formatted as follows:
+# <IP|MAC> <InOctets> <OutOctets> [LastIn] [LastOut]
+# Where:
+#   MAC is the MAC address of the client
+#   IP is the IP address of the client
+#   You must specify only MAC or IP address, not both.
+#
+
+sub stats {
+    my ( $self, $mac, $ip ) = @_;
+
+    my %stats;
+
+    my $cmd = $self->format( $self->{"\uStatsCmd"}, {
+    MAC   => $mac,
+    IP    => $ip
+    });
+
+    local %ENV = %ENV;
+    $ENV{$_}   = ( defined( $self->{$_} ) ? $self->{$_} : "" ) for @Perform_Export;
+    $ENV{PATH} = "$FindBin::Bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
+    $self->log(7, "Gathering stats from firewall with cmd='$cmd'.");
+
+    return unless open(STATS, "$cmd |");
+    if ($mac || $ip)
+    {
+        my $line;
+        if (defined ($line = <STATS>))
+        {
+            my @parts = split(' ', $line);
+            if ($#parts >= 1)
+            {
+                %stats = ( InOctets   => $parts[0] ||= 0,
+                           OutOctets  => $parts[1] ||= 0,
+                           PacketTime => $parts[2] ||= 0,
+                         );
+            }
+        }
+    }
+    else
+    {
+        while (<STATS>)
+        {
+            my @parts = split;
+            next if ($#parts < 2);
+
+            $stats{$parts[0]} = { InOctets   => $parts[1] ||= 0,
+                                  OutOctets  => $parts[2] ||= 0,
+                                  PacketTime => $parts[3] ||= 0,
+                                };
+        }
+    }
+    close(STATS);
+
+    return \%stats;
+}
+
 
 1;
Index: lib/NoCat/Gateway.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Gateway.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.4.2.1
diff -u -r1.1.1.1 -r1.4.2.1
--- lib/NoCat/Gateway.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/Gateway.pm	14 Jul 2003 16:13:43 -0000	1.4.2.1
@@ -108,6 +108,9 @@
     my $inactive = time + $self->{IdleTimeout}; # Only check every 5 minutes
     my $expired  = time + 10; # Check no more often than every 10s
 
+    # Setup for accounting updates
+    my $update = time + $self->{AccountingUpdateInterval};
+
     # Handle connections as they come in.
     #
     while ( 1 ) {
@@ -128,6 +131,12 @@
             $inactive += $self->{IdleTimeout}; 
         }
 
+        # See if it is time to do accounting updates;
+        if ( $self->{AccountingUpdateInterval} && time > $update) {
+            $self->update_accounting;
+            $update += $self->{AccountingUpdateInterval};
+        }
+
         # Have we caught a HUP?  If so, re-initialize log files.
         if ( $hup ) {
             $self->open_log;
@@ -383,6 +392,7 @@
     # Update its expiration timestamp.
     #
     $peer->timestamp(1);
+    $peer->session_time;
 
     # Get *our* notion of what the peer's service class should be.
     #
@@ -408,6 +418,8 @@
 	} else {
 	    $self->log( 5, "User ", $peer->user, " permitted in class $class" );
 	    $action = PERMIT;
+        my $acct = $self->accounting();
+        $acct->start($peer, $fw->stats($peer->mac, $peer->ip));
 	}
 
 	$peer->status( $class );
@@ -441,6 +453,8 @@
 	scalar localtime $peer->connect_time, "." ); 
 
     my $fw = $self->firewall( GatewayAddr => $peer->gateway_ip );
+    my $acct = $self->accounting();
+    $acct->stop($peer, $fw->stats($mac, $peer->ip));
     $fw->deny( $class, $mac, $peer->ip ); 
 
     $peer->status( DENY );
@@ -535,9 +549,9 @@
 
 sub status {
     my ( $self, $peer, $url ) = @_;
-    my ( $FormatOn, $FormatOff, $ConnectedMin, $MinLeft, $Mac, $MacSearch );
+    my ( $FormatOn, $FormatOff, $ConnectedMin, $MinLeft, $Mac, $MacSearch, $SessionId );
     my $user_table = qq{<tr><th>User</th><th>Connected Since</th><th>Connected
-	Minutes</th><th>Minutes left</th><th>MAC Address</th></tr>\n};
+	Minutes</th><th>Minutes left</th><th>MAC Address</th><th>Session Id</th></tr>\n};
 
     for my $u (values %{$self->{Peer}}) {
         if ( $u->ip eq $peer->socket->peerhost ) {
@@ -549,17 +563,18 @@
         }
 	my $id = ($self->{GatewayMode} eq "Open" ? $u->ip : $u->user);
         $ConnectedMin = time() - $u->connect_time;
-        $MinLeft = int (( $self->{LoginTimeout} - $ConnectedMin ) / 60);
+        $MinLeft = $u->session_timeout ? int (( $u->session_timeout - $ConnectedMin ) / 60) : "unlimited";
         $ConnectedMin = int ( $ConnectedMin / 60 );
         substr($Mac,9,5) = "XX:XX" if $Mac = $u->mac;
 	    # Mask the MAC for the saftey of the guilty
         $MacSearch = substr($Mac,0,2) . substr($Mac,3,2) . substr($Mac,6,2);
+        $SessionId = $peer->session_id;
 	$user_table .= qq{<tr><td>$FormatOn$id$FormatOff</td>}
-            . qq{<td>$FormatOn} . localtime($u->connect_time) . qq{$FormatOff</td>}
-	    . qq{<td align="center">$FormatOn$ConnectedMin$FormatOff</td>}
-            . qq{<td align="center">$FormatOn$MinLeft$FormatOff</td>}
-	    . qq{<td align="center">$FormatOn<a 
-href="http://standards.ieee.org/cgi-bin/ouisearch?$MacSearch">$Mac</a>$FormatOff</td></tr>\n};
+		. qq{<td>$FormatOn} . localtime($u->connect_time) . qq{$FormatOff</td>}
+		. qq{<td align="center">$FormatOn$ConnectedMin$FormatOff</td>}
+		. qq{<td align="center">$FormatOn$MinLeft$FormatOff</td>}
+		. qq{<td align="center">$FormatOn<a href="http://standards.ieee.org/cgi-bin/ouisearch?$MacSearch">$Mac</a>$FormatOff</td>}
+	    . qq{<td align="center">$FormatOn$SessionId$FormatOff</td></tr>\n};
     }
 
     $self->log( 8, "Serving status page ", $peer->socket->peerhost );
@@ -587,6 +602,42 @@
     $peer->socket->print(
 	"HTTP/1.1 204 No Reponse\r\n\r\n" );
     $peer->socket->close;
+}
+
+# NOTE: We may what to offload this to a separate thread after it gets a set of peers.
+#       Not sure how long this could take against some accountings schemes and how
+#       that might impact the reset of NoCat.
+sub update_accounting {
+    my $self = shift;
+
+    my $fw = $self->firewall();
+    my $acct = $self->accounting();
+
+    my $stats = $fw->stats();
+    return unless defined $stats;
+
+    while ( my ($token, $peer) = each %{$self->{Peer}} ) {
+        my $s = ${$stats}{$peer->ip} ||= ${$stats}{$peer->mac};
+        next unless defined $s;
+
+        $acct->update($peer, $s);
+    }
+}
+
+# Added to safely stop each peer's accounting.  After the while loop the firewall should
+# be in the intial state, but forcing it to be safe.  We should probably assert that it
+# is so we can detect firewall/peer leaks and log them.
+sub stop {
+    my $self = shift;
+
+    $self->log(0, "Denying all peers.");
+
+    while ( my ($token, $peer) = each %{$self->{Peer}} ) {
+        $self->deny($peer);
+    }
+
+    $self->log(0, "Reseting firewall to initial state.");
+    $self->firewall->reset;
 }
 
 1;
Index: lib/NoCat/Peer.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Peer.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.3.2.1
diff -u -r1.1.1.1 -r1.3.2.1
--- lib/NoCat/Peer.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/Peer.pm	14 Jul 2003 16:13:43 -0000	1.3.2.1
@@ -14,6 +14,7 @@
     $self->socket( $self->{Socket} ) if defined $self->{Socket};
     $self->class( "", "" ) unless defined $self->{Class};
     $self->groups( $self->{Groups} || "" ) unless ref $self->{Groups};
+    $self->session_timeout;
     $self->timestamp;
     return $self;
 }
@@ -79,8 +80,12 @@
 
 sub timestamp {
     my ( $self, $reset ) = @_;
+
+    # $self->log( 9, "Peer::timestamp called: $self=[$self->{Timestamp}] (@_)" );
+    # $self->log( 10, "Peer::timestamp called by: " . join(' ', caller) );
+
     $self->connect_time; # Seed ConnectTime...
-    $self->{Timestamp} = time + $self->{LoginTimeout} 
+    $self->{Timestamp} = time + $self->{SessionTimeout} 
 	if defined $reset or not defined $self->{Timestamp};
     return $self->{Timestamp};
 }
@@ -88,9 +93,9 @@
 sub expired {
     my $self = shift;
     if ( $self->{MaxPingMisses} ) {
-        return ($self->heartbeat > $self->{MaxPingMisses}) 
-    } else {
-	return ($self->timestamp < time)
+		return ($self->heartbeat > $self->{MaxPingMisses}) 
+    } elsif ( $self->{SessionTimeout} ) {
+		return ($self->timestamp <= time)
     }
 }
 
@@ -152,6 +157,61 @@
 	if $groups;
 
     return @$list;
+}
+
+sub session_timeout {
+    my ( $self, $session_timeout ) = @_;
+
+    # $self->log( 9, "Peer::session_timeout called: $self=[$self->{SessionTimeout}] (@_)" );
+
+    if (defined $session_timeout) {
+    	$self->{SessionTimeout} = $session_timeout;
+    	$self->timestamp(1);
+    }
+    
+    if (!defined $self->{SessionTimeout}) {
+    	$self->{SessionTimeout} = $self->{LoginTimeout};
+    	$self->timestamp(1);
+    }    
+
+    return $self->{SessionTimeout};
+}
+
+sub session_id {
+    my ( $self, $session_id ) = @_;
+    
+    # $self->log( 9, "Peer::session_id called: $self=[$self->{Session_Id}] (@_)" );
+    
+    $self->{Session_Id} = $session_id if defined $session_id;
+    return $self->{Session_Id};
+}
+
+sub session_time {
+    my ($self, $reset) = @_;
+
+    # $self->log( 9, "Peer::session_time called: $self=[$self->{SessionTime}] (@_)" );
+    # $self->log( 10, "Peer::session_time called by: " . join(' ', caller) );
+    
+    $self->{SessionTime} = time 
+		if defined $reset or not defined $self->{SessionTime};
+		
+    return time - $self->{SessionTime};
+}
+
+sub idle_timeout {
+    my ( $self, $idle_timeout ) = @_;
+
+    #$self->log( 9, "Peer::idle_timeout called: $self=[$self->{IdleTimeout}] (@_)" );
+
+    if (defined $idle_timeout) {
+    	$self->{IdleTimeout} = $idle_timeout;
+    }
+    
+    if (!defined $self->{IdleTimeout}) {
+    	$self->{IdleTimeout} = 0; #$self->{IdleTimeout_Default};
+    }    
+
+    return $self->{IdleTimeout};
 }
 
 1;
Index: lib/NoCat/User.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/User.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.2.2.3
diff -u -r1.1.1.1 -r1.2.2.3
--- lib/NoCat/User.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/User.pm	14 Jul 2003 16:13:43 -0000	1.2.2.3
@@ -108,17 +108,57 @@
 #    password matches the existing hashed password.
 #
 sub authenticate {
-    my ( $self, $user_pw )  = @_;
-    return $self->source->authenticate_user( $user_pw,$self );
+    my ( $self, $user_pw, $gateway )  = @_;
+    return $self->source->authenticate_user( $user_pw, $self, $gateway );
 }
 
 sub groups {
-    my ( $self ) = @_;
+    my ( $self, $groups ) = @_;
 
-    $self->{Group} = $self->source->fetch_groups_by_user( $self ) || {}
-	unless $self->{Group};
+	if ( defined $groups ) {
+		$self->{Group} = $groups;
+	}
+	
+	$self->{Group} = $self->source->fetch_groups_by_user( $self ) || {}
+		unless $self->{Group};
 
     return( wantarray ? keys %{$self->{Group}} : $self->{Group} );
+}
+
+sub session_timeout {
+    my ( $self, $session_timeout ) = @_;
+    
+    if ( defined $session_timeout ) {
+    	$self->{SessionTimeout} = $session_timeout;
+    }
+    
+    $self->{SessionTimeout} = 0
+        unless $self->{SessionTimeout};
+        
+    return( $self->{SessionTimeout} );
+}
+
+sub idle_timeout {
+    my ( $self, $idle_timeout ) = @_;
+
+    if ( defined $idle_timeout ) {
+    	$self->{IdleTimeout} = $idle_timeout;
+    }
+    
+    $self->{IdleTimeout} = 0
+        unless $self->{IdleTimeout};
+        
+    return( $self->{IdleTimeout} );
+}
+
+sub reply_message {
+    my ( $self, $reply_message ) = @_;
+
+    if ( defined $reply_message ) {
+    	$self->{ReplyMessage} = $reply_message;
+    }
+            
+    return( $self->{ReplyMessage} );
 }
 
 1;
Index: lib/NoCat/Accounting/File.pm
===================================================================
RCS file: lib/NoCat/Accounting/File.pm
diff -N lib/NoCat/Accounting/File.pm
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lib/NoCat/Accounting/File.pm	25 Jun 2003 03:57:44 -0000	1.4
@@ -0,0 +1,57 @@
+package NoCat::Accounting::File;
+
+use NoCat::Source;
+use Authen::Radius;
+use strict;
+use vars qw( @ISA @REQUIRED );
+
+@ISA        = qw( NoCat::Source );
+@REQUIRED   = qw(
+    AccountingFile_Path
+);
+
+
+sub create_session_id {
+
+    return int(rand(1000000000));
+}
+
+sub start {
+    my ($self, $peer, $stats) = @_;
+
+    $self->log(7, "Accounting starting for $stats.");
+
+    if (! $peer->session_id)
+    {
+        $peer->session_id($self->create_session_id());
+    }
+
+    return $self->do_accounting('Start', $peer, $stats);
+}
+
+sub stop {
+    my $self = shift;
+
+    return $self->do_accounting('Stop', @_);
+}
+
+sub update {
+    my $self = shift;
+
+    return $self->do_accounting('Update', @_);
+}
+
+sub do_accounting {
+    my ($self, $type, $peer, $stats) = @_;
+
+    open(FILE, ">>$self->{AccountingFile_Path}");
+    print FILE time().": $type: SessionID=".$peer->session_id.
+	" User=".$peer->user." Gateway=".$self->{GatewayAddr}." ID=".$peer->id.
+	" InOctets=".${$stats}{'InOctets'}." OutOctest=".${$stats}{'OutOctets'}.
+	" SessionTime=".$peer->session_time."\n";
+    close(FILE);
+
+    return 1;
+}
+
+1;
Index: lib/NoCat/Accounting/None.pm
===================================================================
RCS file: lib/NoCat/Accounting/None.pm
diff -N lib/NoCat/Accounting/None.pm
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lib/NoCat/Accounting/None.pm	23 Jun 2003 03:09:36 -0000	1.1
@@ -0,0 +1,26 @@
+package NoCat::Accounting::None;
+
+use NoCat::Source;
+use Authen::Radius;
+use strict;
+use vars qw( @ISA @REQUIRED );
+
+@ISA        = qw( NoCat::Accounting );
+
+sub create_session_id {
+    return undef;
+}
+
+sub start {
+    return 1;
+}
+
+sub stop {
+    return 1;
+}
+
+sub update {
+    return 1;
+}
+
+1;
Index: lib/NoCat/Accounting/RADIUS.pm
===================================================================
RCS file: lib/NoCat/Accounting/RADIUS.pm
diff -N lib/NoCat/Accounting/RADIUS.pm
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lib/NoCat/Accounting/RADIUS.pm	14 Jul 2003 16:13:43 -0000	1.2.2.1
@@ -0,0 +1,175 @@
+package NoCat::Accounting::RADIUS;
+
+use NoCat::Source;
+use Authen::Radius;
+use strict;
+use vars qw( @ISA @REQUIRED );
+
+@ISA        = qw( NoCat::Accounting );
+@REQUIRED   = qw(
+    RADIUS_Host RADIUS_Secret
+);
+
+sub radius {
+    my ($self) = @_;
+
+    unless ($self->{Radius}) {
+    my $r;
+    my $Hosts = $self->{RadiusHostsToUse};
+
+    if(! defined($Hosts)) {  #This is really the first time through and I need to generate my list of servers
+        $self->{RADIUS_Host} =~ s/,,/,/g;  #just to eliminate any blank entries
+        my(@Hosts) = split(/,/,$self->{RADIUS_Host});
+        if($self->{RADIUS_Order} && $self->{RADIUS_Order}) {  #mix em up.
+        my @TmpHosts;
+        my %UsedHosts;
+        for(my $i=0;$i <= $#Hosts; $i++) {
+            my $TmpHost;
+            while(! $TmpHost || ($TmpHost && $UsedHosts{$TmpHost})) {
+            $TmpHost = $Hosts[int(rand($#Hosts + 1))];
+            last if ! $UsedHosts{$TmpHost};
+            }
+            $UsedHosts{$TmpHost} = 1;
+            $TmpHosts[$i] = $TmpHost;
+        }
+        @Hosts = @TmpHosts;
+        }
+         $self->{RadiusHostsToUse} = \@Hosts;  #List generated.
+    }
+
+    if($self->{RadiusHostsToUse}) {   #go through servers one by one
+        foreach my $Host (@{$self->{RadiusHostsToUse}}) {
+        my $Secret = $self->{RADIUS_Secret} ? $self->{RADIUS_Secret} : "";
+        if($Host =~ s/\*(.*)$//) {
+            $Secret = $1;
+        }
+        $self->log( 0, "Connecting to RADIUS server $Host with Timeout " . $self->{RADIUS_TimeOut} );
+        $r  = Authen::Radius->new(
+                        Host    => $Host,
+                        Secret  => $Secret,
+                        Timeout => $self->{RADIUS_TimeOut},
+                        Accounting  => 1
+                        );
+        last if $r;   #If we have a good connection, we're done
+        $self->log( 0, "Failed to connect to RADIUS server $Host" );
+        }
+        if ($r) {  # This is almost always the case...
+        $self->{Radius} = $r;
+        } else {
+        $self->log( 0, "Can't connect to RADIUS server(s) $self->{RADIUS_Host}" );
+        }
+    } else {
+        return undef;  #no host for them!
+    }
+    }
+
+    return $self->{Radius};
+}
+
+sub usenextserver {  #If I fail, take the most recent host out and
+    my $self = shift;
+    return unless $self->{RadiusHostsToUse};   #unless I've been through the radius sub above, forget it
+    my @Hosts = @{$self->{RadiusHostsToUse}};
+    my $popped = shift(@Hosts);  #say goodbye to the first one
+    $self->log(0, "popped $popped in usenextserver");
+    undef($self->{Radius});  #so radius above will get a new one.
+    $self->{RadiusHostsToUse} = \@Hosts;
+}
+
+sub create_session_id {
+    my $self = shift;
+
+    return $self->radius->NewSessionID();
+}
+
+sub start {
+    my ($self, $peer, $stats) = @_;
+
+    if (! $peer->session_id)
+    {
+        $peer->session_id($self->radius->NewSessionId());
+    }
+
+    return $self->accounting({ Name => 1, Value => $peer->user, Type => 'string' },		# User-Name
+                 { Name => 4, Value => $self->{GatewayAddr}, Type => 'ipaddr' },		# NAS-IP-Address
+                 { Name => 31, Value => $peer->id, Type => 'string' },					# Calling-Station-Id
+                 { Name => 40, Value => '1', Type => 'integer' },						# Acct-Status-Type(Start)
+                 { Name => 40, Value => '7', Type => 'integer' },						# Acct-Status-Type(Accounting-On)
+                 { Name => 44, Value => $peer->session_id, Type => 'string'},			# Acct-Session-Id
+                 { Name => 42, Value => ${$stats}{'InOctets'}, Type => 'integer' },		# Acct-Input-Octets  - These are not really legal on
+                 { Name => 43, Value => ${$stats}{'OutOctets'}, Type => 'integer' },	# Acct-Output-Octets - start, but everyone does it.
+                 #{ Name => 46, Value => $peer->session_time, Type => 'integer' }		# Acct-Session-Time  - Illegal on start
+                 );
+}
+
+sub stop {
+    my ($self, $peer, $stats) = @_;
+
+    return $self->accounting({ Name => 1, Value => $peer->user, Type => 'string' },		# User-Name
+                 { Name => 4, Value => $self->{GatewayAddr}, Type => 'ipaddr' },		# NAS-IP-Address
+                 { Name => 31, Value => $peer->id, Type => 'string' },					# Calling-Station-Id
+                 { Name => 40, Value => '2', Type => 'integer' },						# Acct-Status-Type(Stop)
+                 { Name => 40, Value => '8', Type => 'integer' },						# Acct-Status-Type(Accounting-Off)
+                 { Name => 44, Value => $peer->session_id, Type => 'string'},			# Acct-Session-Id
+                 { Name => 42, Value => ${$stats}{'InOctets'}, Type => 'integer' },		# Acct-Input-Octets
+                 { Name => 43, Value => ${$stats}{'OutOctets'}, Type => 'integer' },	# Acct-Output-Octets
+                 { Name => 46, Value => $peer->session_time, Type => 'integer' }		# Acct-Session-Time
+                 );
+}
+
+sub update {
+    my ($self, $peer, $stats) = @_;
+
+    return $self->accounting({ Name => 1, Value => $peer->user, Type => 'string' },		# User-Name
+                 { Name => 4, Value => $self->{GatewayAddr}, Type => 'ipaddr' },		# NAS-IP-Address
+                 { Name => 31, Value => $peer->id, Type => 'string' },					# Calling-Station-Id
+                 { Name => 40, Value => '3', Type => 'integer' },						# Acct-Status-Type(Alive)
+                 { Name => 44, Value => $peer->session_id, Type => 'string'},			# Acct-Session-Id
+                 { Name => 42, Value => ${$stats}{'InOctets'}, Type => 'integer' },		# Acct-Input-Octets  - These are not really legal on
+                 { Name => 43, Value => ${$stats}{'OutOctets'}, Type => 'integer' },	# Acct-Output-Octets - update, but everyone does it.
+                 #{ Name => 46, Value => $peer->session_time, Type => 'integer' }		# Acct-Session-Time  - Illegal on update
+                 );
+}
+
+sub accounting {
+    my ($self, @attributes) = @_;
+
+    my $result;
+    my $loop = 0;
+    while(! $loop) {
+    my $radius = $self->radius();
+    # mimic the start_acct from Authen::Radius
+    $radius->clear_attributes;
+
+    $radius->add_attributes(@attributes);
+
+    my $radiuscheckok = 0;
+    if($radius->send_packet (Authen::Radius::ACCOUNTING_REQUEST())) {
+        my $radiusresult = $radius->recv_packet;
+        if(defined($radiusresult)) {
+        $radiuscheckok = 1;
+        }
+    }
+
+    if(! $radiuscheckok) {
+        my(@TmpHosts) = @{$self->{RadiusHostsToUse}};
+        if(! $#TmpHosts) {  #it failed because we've run out of servers
+        $loop = 1;
+        $result = 0;
+        $self->log(0,"Out of servers to try");
+        } else {
+        $self->log(0,"Going to the next server: check the secret/port/reachability of this one");
+        $self->usenextserver;
+        }
+    } else {
+        $loop = 1;
+    }
+    }
+    return $result;
+}
+
+1;
+
+# TODO: Add NAS-Port
+# TODO: Add NAS-Port-Type
+# TODO: Add Acct-Terminate-Cause on stop.
Index: lib/NoCat/Gateway/Captive.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Gateway/Captive.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- lib/NoCat/Gateway/Captive.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/Gateway/Captive.pm	14 Jul 2003 16:13:43 -0000	1.1.1.1.2.1
@@ -65,6 +65,13 @@
     $client->user( $auth{User} ); 
     $client->groups( $auth{Member} );
 
+	# Set session timeout if it exists.
+	$client->session_timeout( $auth{Sessiontimeout} )
+		if defined $auth{Sessiontimeout};
+	# Set idle timeout if it exists.
+	$client->idle_timeout( $auth{Idletimeout} )
+		if defined $auth{Idletimeout};
+
     # Store the new token away for when the peer renews its login.
     $client->token(1);
 
Index: lib/NoCat/Gateway/Passive.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Gateway/Passive.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- lib/NoCat/Gateway/Passive.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/Gateway/Passive.pm	23 Jun 2003 04:46:36 -0000	1.2
@@ -48,7 +48,8 @@
 	token    => $peer->token, 
 	redirect => $request, 
 	timeout	 => $self->{LoginTimeout},
-	gateway  => $peer->socket->sockhost . ":$self->{GatewayPort}"
+	#gateway  => $peer->socket->sockhost . ":$self->{GatewayPort}"
+	gateway  => $self->{GatewayAddr} . ":$self->{GatewayPort}"
     };
 }
 
Index: lib/NoCat/Source/RADIUS.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Source/RADIUS.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.2.2.3
diff -u -r1.1.1.1 -r1.2.2.3
--- lib/NoCat/Source/RADIUS.pm	23 Jun 2003 03:02:53 -0000	1.1.1.1
+++ lib/NoCat/Source/RADIUS.pm	14 Jul 2003 16:13:43 -0000	1.2.2.3
@@ -14,52 +14,52 @@
     my ($self) = @_;
 
     unless ($self->{Radius}) {
-	my $r;
-	my $Hosts = $self->{RadiusHostsToUse};
-
-	if(! defined($Hosts)) {  #This is really the first time through and I need to generate my list of servers
-	    $self->{RADIUS_Host} =~ s/,,/,/g;  #just to eliminate any blank entries
-	    my(@Hosts) = split(/,/,$self->{RADIUS_Host});
-	    if($self->{RADIUS_Order} && $self->{RADIUS_Order}) {  #mix em up.
-		my @TmpHosts;
-		my %UsedHosts;
-		for(my $i=0;$i <= $#Hosts; $i++) {
-		    my $TmpHost;
-		    while(! $TmpHost || ($TmpHost && $UsedHosts{$TmpHost})) {
-			$TmpHost = $Hosts[int(rand($#Hosts + 1))];
-			last if ! $UsedHosts{$TmpHost};
-		    }	
-		    $UsedHosts{$TmpHost} = 1;
-		    $TmpHosts[$i] = $TmpHost;
-		}
-		@Hosts = @TmpHosts;
-	    }
-	     $self->{RadiusHostsToUse} = \@Hosts;  #List generated.
-	} 
-
-	if($self->{RadiusHostsToUse}) {   #go through servers one by one
-	    foreach my $Host (@{$self->{RadiusHostsToUse}}) {
-		my $Secret = $self->{RADIUS_Secret} ? $self->{RADIUS_Secret} : "";
-		if($Host =~ s/\*(.*)$//) {
-		    $Secret = $1;
+		my $r;
+		my $Hosts = $self->{RadiusHostsToUse};
+	
+		if(! defined($Hosts)) {  #This is really the first time through and I need to generate my list of servers
+		    $self->{RADIUS_Host} =~ s/,,/,/g;  #just to eliminate any blank entries
+		    my(@Hosts) = split(/,/,$self->{RADIUS_Host});
+		    if($self->{RADIUS_Order} && $self->{RADIUS_Order}) {  #mix em up.
+			my @TmpHosts;
+			my %UsedHosts;
+			for(my $i=0;$i <= $#Hosts; $i++) {
+			    my $TmpHost;
+			    while(! $TmpHost || ($TmpHost && $UsedHosts{$TmpHost})) {
+				$TmpHost = $Hosts[int(rand($#Hosts + 1))];
+				last if ! $UsedHosts{$TmpHost};
+			    }	
+			    $UsedHosts{$TmpHost} = 1;
+			    $TmpHosts[$i] = $TmpHost;
+			}
+			@Hosts = @TmpHosts;
+		    }
+		     $self->{RadiusHostsToUse} = \@Hosts;  #List generated.
+		} 
+	
+		if($self->{RadiusHostsToUse}) {   #go through servers one by one
+		    foreach my $Host (@{$self->{RadiusHostsToUse}}) {
+				my $Secret = $self->{RADIUS_Secret} ? $self->{RADIUS_Secret} : "";
+				if($Host =~ s/\*(.*)$//) {
+				    $Secret = $1;
+				}
+				$self->log( 0, "Connecting to RADIUS server $Host with Timeout " . $self->{RADIUS_TimeOut} );
+				$r  = Authen::Radius->new(  
+							    Host	=> $Host,
+							    Secret	=> $Secret,
+							    Timeout => $self->{RADIUS_TimeOut}
+							    );
+				last if $r;   #If we have a good connection, we're done
+				$self->log( 0, "Failed to connect to RADIUS server $Host" );
+			}
+		    if ($r) {  # This is almost always the case...
+				$self->{Radius} = $r;
+		    } else {
+				$self->log( 0, "Can't connect to RADIUS server(s) $self->{RADIUS_Host}" );
+	    	}
+		} else {
+		    return undef;  #no host for them!
 		}
-		$self->log( 0, "Connecting to RADIUS server $Host with Timeout " . $self->{RADIUS_TimeOut} );
-		$r  = Authen::Radius->new(  
-					    Host	=> $Host,
-					    Secret	=> $Secret,
-					    Timeout => $self->{RADIUS_TimeOut}
-					    );
-		last if $r;   #If we have a good connection, we're done
-		$self->log( 0, "Failed to connect to RADIUS server $Host" );
-	    }
-	    if ($r) {  # This is almost always the case...
-		$self->{Radius} = $r;
-	    } else {
-		$self->log( 0, "Can't connect to RADIUS server(s) $self->{RADIUS_Host}" );
-	    }
-	} else {
-	    return undef;  #no host for them!
-	}
     }
 
     return $self->{Radius};
@@ -76,7 +76,7 @@
 }
 
 sub authenticate_user {
-    my ($self, $user_pw, $user) = @_;
+    my ($self, $user_pw, $user, $gateway) = @_;
 
     my $result;
     my $loop = 0;
@@ -86,7 +86,9 @@
 	$radius->clear_attributes;
 	$radius->add_attributes (
 				 { Name => 1, Value => $user->id },
-				 { Name => 2, Value => $user_pw }
+				 { Name => 2, Value => $user_pw },
+				 { Name => 4, Value => $gateway, Type => 'ipaddr' },
+				 { Name => 5, Value => 0, Type => 'integer' }
 	);
 
 	my $radiuscheckok = 0;
@@ -96,10 +98,12 @@
 		$radiuscheckok = 1;
 		$result = 1 if $radiusresult == Authen::Radius::ACCESS_ACCEPT();
 		if($radiusresult == 2) {
+		    $self->process_attributes($user, $radius->get_attributes());		    
 		    $result = 1;
 		} else {
 		    if($radiusresult == Authen::Radius::ACCESS_REJECT()) {
-			$self->log(0,"User rejected!");
+		    	$self->process_attributes($user, $radius->get_attributes());		    
+			$self->log(0,"User rejected, " . $user->reply_message . "!");
 		    } else {
 			$self->log(0,"Radius failure: unknown cause");
 		    }
@@ -121,9 +125,45 @@
 	    $loop = 1;
 	}
     }
+    
+    
     return $result;
 }
 
+sub process_attributes {
+	my ($self, $user, @attributes) = @_;
 
+	my %groups;
 
+	for my $a (@attributes) {
+		if ((26 == $a->{'Code'}) && (32767 == $a->{'Vendor'})) {
+			# Vendor: NoCat
+			for my $v (@{$a->{'VendorAttributes'}}) {
+				if (1 == $v->{'Code'}) {
+					# Attribute: NoCat-Groups
+					foreach (split(' ', $a->{'RawValue'})) {
+						$groups{$_} = 0;
+					}
+				} elsif (2 == $v->{'Code'}) {
+					# Attribute: NoCat-Groups-Admin
+					foreach (split(' ', $a->{'RawValue'})) {
+						$groups{$_} = 1;
+					}
+				}
+			}
+		# Standard Attributes
+		} elsif (27 == $a->{'Code'}) {
+			# Attribute: Session-Timeout
+			$user->session_timeout(unpack('N', $a->{'RawValue'}));
+		} elsif (28 == $a->{'Code'}) {
+			# Attribute: Idle-Timeout
+			$user->idle_timeout(unpack('N', $a->{'RawValue'}));
+		} elsif (18 == $a->{'Code'}) {
+			# Attribute: Reply-Message
+			$user->reply_message($a->{'RawValue'});
+		}
+	}
+	
+	$user->groups(\%groups);
+}
 1;
Index: libexec/iptables/stats.fw
===================================================================
RCS file: libexec/iptables/stats.fw
diff -N libexec/iptables/stats.fw
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ libexec/iptables/stats.fw	2 Aug 2003 21:28:07 -0000	1.2.2.1
@@ -0,0 +1,51 @@
+#!/bin/sh 
+# Specific
+# Must output in the following form:
+# <in octets> <out octets> ???<last packet time>
+#
+
+if [ "$1" != "" ]; then
+{
+
+{ iptables -L NoCat_Inbound -t filter -vnx --line-numbers;iptables -L NoCat -t mangle -vnx --line-numbers;} | awk -v IP=$2 -- ' 
+{ 
+		if( /ACCEPT/)
+		{
+			if( $10 == IP )
+			{
+					inOctets = $3;
+			}
+		}
+		if( /MARK/)
+		{
+			if( $9 == IP )
+			{
+					outOctets = $3;
+					printf("%d %d\n", inOctets, outOctets);
+			}
+		}
+
+}
+'
+}
+else
+{
+{ iptables -L NoCat_Inbound -t filter -vnx --line-numbers;iptables -L NoCat -t mangle -vnx --line-numbers;} | awk -- '
+{
+                if( /ACCEPT/)
+                {
+			ins[$10] = $3;
+                }
+                if( /MARK/)
+                {
+			if( $9 in ins )
+			{
+                                        outOctets = $3;
+                                        printf("%s %d %d\n", $9, ins[$9], $3 );
+			}
+                }
+
+}
+'
+}
+fi