(RADIATOR) Problems with additional test after an AuthRADIUS

Hugh Irvine hugh at open.com.au
Wed Dec 19 21:58:14 CST 2001


Hello Stefan -

The problem you have is due to the way the AuthBy RADIUS clause executes, 
which is asynchronously: it always returns to the mainline code immediately.

If you want to have an additional AuthBy clause called after the proxied 
request is replied to, you will need to use a ReplyHook. There is an example 
that you can use (with modifications of course) in the file 
"goodies/hooks.txt" in the Radiator distribution.

regards

Hugh


On Thu, 20 Dec 2001 10:58, Stefan.Gruendel at mlp-ag.com wrote:
> Hello,
>
> we are using a one time password generator which has a radius
> interface. This one is hosted at an outsourcing provider, so I
> want to maintain local profiles for the different user types.
>
> I proxy the authentication request to the OTP radius server and
> add an additional stage for the profiles as outlined in the
> examples. (see the attached config-, user- and profile-files)
>
> The problem is that after the successful radius proxy authentication
> the request returns with an Access-Accept but no further
> processing of the profiles is done.
> (please have a look at the trace at the end)
>
> Without the radius proxying everything works fine with the
> profiles, so what's my mistake?
>
> Do you have any ideas?
>
>
> Thanks in advance
> Stefan Gründel
>
>
> ---------------------------------------------------------------
> Stefan Gründel                       stefan.gruendel at mlp-ag.com
> IT Security
> MLP Login GmbH                   Tel.: +49 / (0)6221 / 308-2378
> Forum 7                          Fax.: +49 / (0)6221 / 308-1621
> 69126 Heidelberg
>
>
> Radiator Configuration:
> -----------------------
> Foreground
> LogStdout
>
> Trace 4
>
> # Set this to the directory where your logfile and details file are to go
> LogDir /var/log/radius
>
> # PID File in /var/run
> PidFile /var/run/radiusd.pid
>
> # Set this to the database directory. It should contain these files:
> # users           The user database
> # dictionary      The dictionary for your NAS
> DbDir /usr/local/etc/raddb
>
> AuthPort 1645
> AcctPort 1646
>
> <Client localhost>
>     Secret mysecret
>     DupInterval 0
>     Identifier RAS
> </Client>
>
> #----------------------
> # RADIUS_PROXY
> #----------------------
> <AuthBy RADIUS>
>     Identifier RADIUS_PROXY
>     <Host y.y.y.y>
>         Secret xxxxxxxx
>     </Host>
> </AuthBy>
>
> #----------------------
> # LOCAL_PROFILE
> #----------------------
> <AuthBy GROUP>
>     Identifier LOCAL_PROFILE
>     AuthByPolicy ContinueWhileAccept
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy FILE>
>         Filename /usr/local/etc/raddb/dynamic_users
>     </AuthBy>
>     <AuthBy FILE>
>         Filename /usr/local/etc/raddb/profiles
>         # Remove the pseudo-attribute Profile from the reply
>         StripFromReply Profile
>     </AuthBy>
> </AuthBy>
>
> #----------------------
> # Handler
> #----------------------
> <Handler Request-Type = Accounting-Request>
>     # local accounting into a file
>     AcctLogFileName /var/log/radius/detail
> </Handler>
>
> <Handler>
>     AuthByPolicy ContinueWhileAccept
>     RewriteUsername s/^(.*)/$1\@MLP/
>     AuthBy RADIUS_PROXY
>     AuthBy LOCAL_PROFILE
> </Handler>
>
> -------------------------------------------------------------
> File profiles:
> --------------
> DEFAULT Reply:Profile = RAS-Login
>         Service-Type       = Framed-User,
>         Framed-Protocol    = PPP,
>         Filter-Id          = RAS-Login
>
>
> Userfile:
> ---------
> sgruende  Client-Identifier = RAS
>           Profile         = RAS-Login
>
> -------------------------------------------------------------
>
> linux:/usr/local/etc/raddb # radpwtst -s localhost -secret mysecret
> -nostart -nostop -trace -user sgruende -password 59894217
>
> gives:
>
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 32843 ....
> Code:       Access-Request
> Identifier: 178
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "sgruende"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "<204><178>g<148><155>n5<193><188>8<9><160><216>}x<153>"
>
> Thu Dec 20 00:52:14 2001: DEBUG: Check if Handler Request-Type =
> Accounting-Request should be used to handle this request
> Thu Dec 20 00:52:14 2001: DEBUG: Check if Handler  should be used to handle
> this request
> Thu Dec 20 00:52:14 2001: DEBUG: Handling request with Handler ''
> Thu Dec 20 00:52:14 2001: DEBUG: Rewrote user name to sgruende at MLP
> Thu Dec 20 00:52:14 2001: DEBUG:  Deleting session for sgruende,
> 203.63.154.1, 1234
> Thu Dec 20 00:52:14 2001: DEBUG: Handling with Radius::AuthRADIUS
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Sending to 10.96.177.6 port 1645 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "sgruende at MLP"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "<167><173><207>C<242><179>@<153><182>(S<164><215>U<214>-"
>
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Received from 10.96.177.6 port 1645 ....
> Code:       Access-Accept
> Identifier: 1
> Authentic:  <176>;<164><227>8/<203><174><149><176><13><146>C<195><146><152>
> Attributes:
>         Framed-Protocol = PPP
>         Filter-Id = "std.in"
>         Framed-MTU = 1500
>         Reply-Message = "geschafft"
>         Session-Timeout = 900
>         Framed-IP-Address = 255.255.255.254
>         Service-Type = Framed-User
>
> Thu Dec 20 00:52:14 2001: DEBUG: Received reply in AuthRADIUS for req 1
> from 10.96.177.6:1645
> Thu Dec 20 00:52:14 2001: DEBUG: Access accepted for sgruende at MLP
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32843 ....
> Code:       Access-Accept
> Identifier: 178
> Authentic:  1234567890123456
> Attributes:
>         Framed-Protocol = PPP
>         Filter-Id = "std.in"
>         Framed-MTU = 1500
>         Reply-Message = "geschafft"
>         Session-Timeout = 900
>         Framed-IP-Address = 255.255.255.254
>         Service-Type = Framed-User
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
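A ReplyHook along the lines Hugh describes, added here as an example; it is not from this thread, from goodies/hooks.txt or from the Radiator distribution. It assumes the hook argument order given in the Radiator reference manual (references to the reply received from the remote server, the reply being built for the NAS, and the original request), that Radius::AuthGeneric::find and handle_request behave as documented there, and that "AuthBy LOCAL_PROFILE" has been removed from the <Handler> so the profile lookup runs only from the hook.

```perl
# Example ReplyHook for the <AuthBy RADIUS> clause RADIUS_PROXY.
# Assumed API (check against the installed Radiator version):
#   ${$_[0]} reply received from the OTP server
#   ${$_[1]} reply about to be relayed to the NAS
#   ${$_[2]} original Access-Request from the NAS
# Referenced from the config (assumed syntax) as:
#   ReplyHook file:"/usr/local/etc/raddb/profile_reply_hook.pl"
sub {
    my $p  = ${$_[0]};
    my $rp = ${$_[1]};
    my $op = ${$_[2]};

    # Only an Access-Accept from the OTP server may unlock a local
    # profile; rejects and other replies are relayed unchanged.
    return unless $p->code eq 'Access-Accept';

    my $auth = Radius::AuthGeneric::find('LOCAL_PROFILE');
    unless ($auth) {
        &main::log($main::LOG_ERR,
                   'ReplyHook: no AuthBy with Identifier LOCAL_PROFILE');
        $rp->set_code('Access-Reject');   # fail closed, not open
        return;
    }

    # Authorization comes from the local profiles file, not from the
    # outsourced server: drop its Filter-Id so it cannot sit beside
    # (or override) the locally assigned one.
    $rp->delete_attr('Filter-Id');

    # Run LOCAL_PROFILE against the original request; its own
    # RewriteUsername strips the @MLP realm added by the Handler and
    # its reply items are added to $rp.
    my ($result, $reason) = $auth->handle_request($op, $rp);
    if ($result != $main::ACCEPT) {
        # OTP said yes but no local profile matched: reject rather
        # than relay the remote attributes on their own.
        &main::log($main::LOG_INFO,
                   "ReplyHook: LOCAL_PROFILE did not accept: $reason");
        $rp->set_code('Access-Reject');
        $rp->add_attr('Reply-Message', 'No local profile');
    }
}
```

The trace in Stefan's message shows why the hook is needed: the Access-Accept from 10.96.177.6 is relayed to the NAS straight after "Received reply in AuthRADIUS", without LOCAL_PROFILE ever being entered.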