[RADIATOR] Add attributes to request. How?
Hugh Irvine
hugh at open.com.au
Wed Feb 8 23:17:12 UTC 2023
Hello Pavel -
Yes I see your point.
Unfortunately, AuthBy FILE doesn’t have a way to do this, unlike AuthBy SQL for example.
However, here is a simple way to do it:
<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        Filename %D/users.test1
    </AuthBy>
    <AuthBy GROUP>
        AddToRequest OSC-Group-Identifier = %{Reply:OSC-Group-Identifier}
        <AuthBy FILE>
            Filename %D/users.test2
        </AuthBy>
    </AuthBy>
</Handler>
Here are the users files I tested with:
# users.test1
hugh Password=hugh
    OSC-Group-Identifier = something

# users.test2
DEFAULT OSC-Group-Identifier=something
    Reply-Message = GREAT
and here is the DEBUG output:
Radiator-4.27-1 % perl radpwtst -user hugh -password hugh -noacct
sending Access-Request
4ff03830 Thu Feb 9 10:08:52 2023 354961: DEBUG: Packet dump:
4ff03830 *** Received from 127.0.0.1 port 58195 ....
4ff03830 Code: Access-Request
4ff03830 Identifier: 174
4ff03830 Authentic: RE&]<18><244>}V<187><227><128><248><247>NP<130>
4ff03830 Attributes:
4ff03830 User-Name = "hugh"
4ff03830 Service-Type = Framed-User
4ff03830 NAS-IP-Address = 203.63.154.1
4ff03830 NAS-Identifier = "203.63.154.1"
4ff03830 NAS-Port = 1234
4ff03830 Called-Station-Id = "123456789"
4ff03830 Calling-Station-Id = "987654321"
4ff03830 NAS-Port-Type = Async
4ff03830 User-Password = <162><243>5<150> <226>QY}u<209>b<168><30><153>5
4ff03830
4ff03830 Thu Feb 9 10:08:52 2023 355278: DEBUG: Handling request with Handler '', Identifier ''
4ff03830 Thu Feb 9 10:08:52 2023 355501: DEBUG: SessINTERNAL: Deleting session for hugh, 203.63.154.1, 1234
4ff03830 Thu Feb 9 10:08:52 2023 355722: DEBUG: Handling with Radius::AuthFILE:
4ff03830 Thu Feb 9 10:08:52 2023 356113: DEBUG: Reading users file ./users.test1
4ff03830 Thu Feb 9 10:08:52 2023 356684: DEBUG: Radius::AuthFILE looks for match with 'hugh' [hugh]
4ff03830 Thu Feb 9 10:08:52 2023 356905: DEBUG: Radius::AuthFILE ACCEPT: : 'hugh' [hugh]
4ff03830 Thu Feb 9 10:08:52 2023 357083: DEBUG: AuthBy FILE result: ACCEPT,
4ff03830 Thu Feb 9 10:08:52 2023 357214: DEBUG: Handling with Radius::AuthGROUP:
4ff03830 Thu Feb 9 10:08:52 2023 357438: DEBUG: Handling with Radius::AuthFILE:
4ff03830 Thu Feb 9 10:08:52 2023 357599: DEBUG: Reading users file ./users.test2
4ff03830 Thu Feb 9 10:08:52 2023 357979: DEBUG: Radius::AuthFILE looks for match with 'hugh' [hugh]
4ff03830 Thu Feb 9 10:08:52 2023 358117: DEBUG: Radius::AuthFILE REJECT: No such user: 'hugh' [hugh]
4ff03830 Thu Feb 9 10:08:52 2023 358286: DEBUG: Radius::AuthFILE looks for match with 'DEFAULT' [hugh]
4ff03830 Thu Feb 9 10:08:52 2023 358427: DEBUG: Radius::AuthFILE ACCEPT: : 'DEFAULT' [hugh]
4ff03830 Thu Feb 9 10:08:52 2023 358556: DEBUG: Radius::AuthGROUP: result: ACCEPT,
4ff03830 Thu Feb 9 10:08:52 2023 358676: DEBUG: AuthBy GROUP result: ACCEPT,
4ff03830 Thu Feb 9 10:08:52 2023 358801: DEBUG: Access accepted for hugh
4ff03830 Thu Feb 9 10:08:52 2023 359059: DEBUG: Packet dump:
4ff03830 *** Sending to 127.0.0.1 port 58195 ....
4ff03830 Code: Access-Accept
4ff03830 Identifier: 174
4ff03830 Authentic: <1>c<136><175><209>M<4><239><251><29><210><157>z<222><216>I
4ff03830 Attributes:
4ff03830 OSC-Group-Identifier = "something"
4ff03830 Reply-Message = "GREAT"
4ff03830
Hopefully that helps.
regards
Hugh
> On 9 Feb 2023, at 02:15, Pavel Krasotin via radiator <radiator at lists.open.com.au> wrote:
>
> Hi All -
>
> what is the best way to add attributes to request?
> I would like to authenticate users from one file and add reply attributes from another selecting them by custom attribute, ex. My-User-Group.
>
> I've done this with PostAuthHook but I think it's ugly.
>
> Here is my config.
>
> radiator.cfg:
> ...
> <AuthBy FILE>
>     Identifier L2TP-USERS
>     Filename %D/conf.d/l2tp-users
>     PostAuthHook sub { \
>         my ($req, $rep, $handled, $reason) = @_; \
>         if (${$handled} == $main::ACCEPT && ${$req}->code() eq 'Access-Request') \
>         {\
>             my $my_group = ${$rep}->get_attr('My-User-Group'); \
>             &main::log($main::LOG_DEBUG, "Group: " . $my_group); \
>             if ($my_group) {\
>                 ${$req}-> add_attr('My-User-Group',$my_group); \
>             } \
>         } \
>     };
> </AuthBy>
>
> <AuthBy FILE>
> AuthenticateAttribute My-User-Group
> Identifier L2TP-PROFILE
> Filename %D/conf.d/l2tp-profile
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier LOGINUSER
> AuthByPolicy ContinueUntilReject
> AuthBy L2TP-USERS
> AuthBy L2TP-PROFILE
> </AuthBy>
>
> <Handler Service-Type = Framed-User>
> AuthBy LOGINUSER
> ...
> StripFromReply My-User-Group
> </Handler>
>
> conf.d/l2tp-users:
> user User-Password="password"
>     My-User-Group="l2tp"
>
> conf.d/l2tp-profile:
> l2tp
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP
>
> --
> Best wishes
> Pavel
>
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
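
Added example, not part of the original message and not Radiator code: a simplified Python model of the handler in this post, showing why the second users file only matches once the reply attribute has been copied into the request. The function names, the request key "Password" (standing in for the decoded User-Password) and the fallback order are assumptions of the model.

```python
# Simplified model of the handler in this post: constructed, not Radiator code.
# Assumption: request["Password"] stands in for the decoded User-Password.
USERS_TEST1 = "hugh Password=hugh\n    OSC-Group-Identifier = something\n"
USERS_TEST2 = "DEFAULT OSC-Group-Identifier=something\n    Reply-Message = GREAT\n"

def parse_items(text):
    """Turn 'A = b, C = d' into {'A': 'b', 'C': 'd'}."""
    items = {}
    for part in text.split(","):
        if "=" in part:
            name, value = part.split("=", 1)
            items[name.strip()] = value.strip().strip('"')
    return items

def parse_users(text):
    """Unindented line: entry name + check items. Indented lines: reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            users[current]["reply"].update(parse_items(line))
        elif not line[0].isspace():
            current, _, checks = line.partition(" ")
            users[current] = {"check": parse_items(checks), "reply": {}}
    return users

def auth_file(users, request, reply):
    """Try the entry named by User-Name, then DEFAULT, as in the DEBUG trace."""
    for key in (request["User-Name"], "DEFAULT"):
        entry = users.get(key)
        if entry and all(request.get(k) == v for k, v in entry["check"].items()):
            reply.update(entry["reply"])
            return "ACCEPT"
    return "REJECT"

def handle(request, add_to_request="OSC-Group-Identifier"):
    """ContinueWhileAccept: first FILE, then GROUP with AddToRequest from the reply."""
    request, reply = dict(request), {}
    if auth_file(parse_users(USERS_TEST1), request, reply) != "ACCEPT":
        return "REJECT", {}
    if add_to_request in reply:  # models AddToRequest X = %{Reply:X}
        request[add_to_request] = reply[add_to_request]
    if auth_file(parse_users(USERS_TEST2), request, reply) != "ACCEPT":
        return "REJECT", {}
    return "ACCEPT", reply
```

Calling handle() with add_to_request set to an empty string models the same handler without the AddToRequest line: the DEFAULT check item has nothing to match and the request is rejected.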