(RADIATOR) PostAuthHook Stopped Working

Separovic, Jason jseparov at uecomm.com.au
Tue Sep 4 20:18:05 CDT 2001


Hi,

I had radiator working with my PostAuthHook just how I wanted.
Then I made some changes to the PostAuthHook. All I did (I think?) was
create a new user in my database and then I updated the new
username/password in the config files. Now my PostAuthHook does not work.
And I'm at a loss to realise why??

Here is an Accounting Request that should be inserted into my database
through the PostAuthHook.
But now the Hook is not even being called. I'm pretty confident in saying
that because I added a 'write to file' at the beginning of the hook to test
it. But to no success.

I noticed some talk about a patch for the PostAuthHook but I'm not sure if I
need it.
Weird.
It was working...
Now it's not.

Help!

I'm using Radiator 2.17.1

I have another problem too. My auth log is logging successes but not
failures.

============================================================================

Wed Sep  5 10:47:43 2001: DEBUG: Packet dump:
*** Received from 192.168.0.9 port 1445 ....
Code:       Accounting-Request
Identifier: 60
Authentic:  <180><189>mBY<157><156>X<152><14><7><180><150><1>@<174>
Attributes:
        Acct-Status-Type = Accounting-On
        Acct-Session-Id = "0"
        Acct-Authentic = RADIUS
        Acct-Authentic = RADIUS
        User-Name = "ewong"
        Command-Code = "Command-Code (level: 10): system show ac"
        NAS-IP-Address = 192.168.0.9

Wed Sep  5 10:47:43 2001: DEBUG: Check if Handler Realm=SSR should be used to handle this request
Wed Sep  5 10:47:43 2001: DEBUG: Handling request with Handler 'Realm=SSR'
Wed Sep  5 10:47:43 2001: DEBUG:  Deleting all sessions for 192.168.0.9
Wed Sep  5 10:47:43 2001: DEBUG:  got On/Off from 192.168.0.9
Wed Sep  5 10:47:43 2001: DEBUG: Handling with Radius::AuthSQL
Wed Sep  5 10:47:43 2001: DEBUG: Handling accounting with Radius::AuthSQL
Wed Sep  5 10:47:43 2001: DEBUG: Accounting accepted
Wed Sep  5 10:47:43 2001: DEBUG: Packet dump:
*** Sending to 192.168.0.9 port 1445 ....
Code:       Accounting-Response
Identifier: 60
Authentic:  <180><189>mBY<157><156>X<152><14><7><180><150><1>@<174>
Attributes:

============================================================================

# radius configuration file

Foreground      yes
LogStdout       no
Trace           4
LogDir          /opt/radiator/log
DbDir           /usr/local/mysql/var/radiusdb
DictionaryFile  /opt/radiator/dictionary
AuthPort        1812
AcctPort        1813
BindAddress     192.168.0.10

<ClientListSQL>
        DBSource        dbi:mysql:radiusdb
        DBUsername      radiator
        DBAuth          password

        GetClientQuery select ip,secret,NULL,NULL,realm from device,model where modelID=model.ID;
</ClientListSQL>

<Handler Realm=SSR>
    PreAuthHook file:"/opt/radiator/PreAuthHook"
    PostAuthHook file:"/opt/radiator/SSRAccounting"
    <AuthLog SQL>
        DBSource        dbi:mysql:radiusdb
        DBUsername      radiator
        DBAuth          password

        Table authorisation
        LogSuccess 1
        LogFailure 1
        SuccessQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',1)
        FailureQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',0)
    </AuthLog>
    <AuthBy SQL>
        DBSource        dbi:mysql:radiusdb
        DBUsername      radiator
        DBAuth          password

        RejectEmptyPassword

        AuthSelect select password from user where username='%U'
        AuthColumnDef 0, Password, check
    </AuthBy>
</Handler>

<Handler Realm=SS>
    PreAuthHook file:"/opt/radiator/PreAuthHook"
    <AuthLog SQL>
        DBSource        dbi:mysql:radiusdb
        DBUsername      radiator
        DBAuth          password

        Table authorisation
        LogSuccess 1
        LogFailure 1
        SuccessQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',1)
        FailureQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',0)
    </AuthLog>
    <AuthBy SQL>
        DBSource        dbi:mysql:radiusdb
        DBUsername      radiator
        DBAuth          password

        RejectEmptyPassword

        AuthSelect select password from user where username='%U'
        AuthColumnDef 0, Password, check
    </AuthBy>
</Handler>

<Handler>
        PostAuthHook file:"/opt/radiator/SSRAccounting"
</Handler>

============================================================================
PostAuthHook - not being called anymore

use DBI;
use DBD::mysql;

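sub {
   # Debug marker showing that the hook ran; a failed open is reported
   # instead of being silently ignored.
   if (open(FILE, ">/opt/radiator/testacc")) {
      flock(FILE,2);
      print FILE "Hook is being called";
      flock(FILE,8);
      close(FILE);
   }
   else {
      warn "PostAuthHook: cannot open /opt/radiator/testacc: $!\n";
   }

   my $host = "localhost";
   my $dbname = "radiusdb";
   my $dbpasswd = "password";
   my $dbuser = "radiator";
   my $data_source = "DBI:mysql:database=$dbname;host=$host";
   my $dbh  = DBI->connect($data_source, $dbuser, $dbpasswd);
   if (!$dbh) {
      # Without a handle the queries below cannot run
      warn "PostAuthHook: database connect failed: $DBI::errstr\n";
      return;
   }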
   my $request      = ${$_[0]};
   my $request_code = $request->code;
   my $request_id   = $request->identifier;

   my $reply        = ${$_[1]};
   my $reply_code   = $reply->code;
   my $reply_id     = $reply->identifier;

   my $subcodetype = $request->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);

   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $timestamp = sprintf("%04d-%02d-%02d %02d:%02d:%02d",$year+1900,$mon+1,$mday,$hour,$min,$sec);

   my $username = $request->getAttrByNum($Radius::Radius::USER_NAME);
   my @tmp = split(/@/,$username);
   $username = $tmp[0];

   # get and format SSR Vendor-Specific Codes
   my $command = $request->get_attr('Command-Code');
   my $system  = $request->get_attr('System-Code');
   my $shell   = $request->get_attr('Shell-Code');
   my $snmp   = $request->get_attr('Snmp-Code');
   @tmp = split(/:/,$command);
   $command = substr($tmp[2],1);
   @tmp = split(/:/,$system);
   $system = substr($tmp[2],1);
   @tmp = split(/:/,$shell);
   $shell = substr($tmp[2],1);
   @tmp = split(/:/,$snmp);
   $snmp = substr($tmp[2],1);

   if($command ne '') {
   }
   elsif($system ne '') {
      $command = $system;
   }
   elsif($shell ne '') {
      $command = $shell;
   }
   elsif($snmp ne '') {
      $command = $snmp;
   }

   my $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);

   # code() is compared as a string; values taken from the request are
   # bound with placeholders rather than interpolated into the SQL text.
   if ($request_code eq 'Accounting-Request' && $subcodetype ne("")) {
      my ($userID) = $dbh->selectrow_array(
         "SELECT ID FROM user WHERE username=?", undef, $username);

      if(!($userID > 0)) {
         ($userID) = $dbh->selectrow_array(
            "SELECT ID FROM user WHERE username='unknown'");
      }

      my ($deviceID) = $dbh->selectrow_array(
         "SELECT ID FROM device WHERE IP=?", undef, $deviceIP);

      $dbh->do("INSERT INTO SSRaccounting (date,userID,deviceID,status,command) VALUES(?,?,?,?,?)",
         undef, $timestamp, $userID, $deviceID, $subcodetype, $command);

      return;
   }

   return;

   sub update {
      my $connection  = $_[0];
      my $sth  = $connection->prepare($_[1]);
      $sth->execute;
      $sth->finish;
      return;
   }

   sub select {
      my $connection  = $_[0];
      my $sth  = $connection->prepare($_[1]);
      $sth->execute;
      my $row = $sth->fetchrow();
      $sth->finish;
      return $row;
   }
}

============================================================================
PreAuthHook - This is working fine


use DBI;
use DBD::mysql;

sub {
   my $host = "localhost";
   my $dbname = "radiusdb";
   my $dbpasswd = "password";
   my $dbuser = "radiator";
   my $data_source = "DBI:mysql:database=$dbname;host=$host";
   my $dbh  = DBI->connect($data_source, $dbuser, $dbpasswd);
   my $request      = ${$_[0]};
   my $request_code = $request->code;
   my $request_id   = $request->identifier;

   my $reply        = ${$_[1]};
   my $reply_code   = $reply->code;
   my $reply_id     = $reply->identifier;

   my $subcodetype = $request->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);

   # localtime() months are 0-based, hence $mon+1
   my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
   my $timestamp = sprintf("%04d-%02d-%02d %02d:%02d:%02d",$year+1900,$mon+1,$mday,$hour,$min,$sec);

   my $username = $request->getAttrByNum($Radius::Radius::USER_NAME);
   my @tmp = split(/@/,$username);
   $username = $tmp[0];

   # if username=user replace with unknown
   if($username eq("user")) {
      &invalidate($request);
   }

   my $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);

   print("Detecting Access-Request from $deviceIP\n");

   # get Device from database; request values are bound with placeholders
   my ($userID) = $dbh->selectrow_array(
      "SELECT ID FROM user WHERE username=?", undef, $username);
   my ($deviceID) = $dbh->selectrow_array(
      "SELECT ID FROM device WHERE IP=?", undef, $deviceIP);
   my ($modelID) = $dbh->selectrow_array(
      "SELECT modelID FROM device WHERE ID=?", undef, $deviceID);

   if(!defined($userID)) {
      $userID=0;
   }

   if($modelID==1) {     # SSR8600
      print("Device Type is SSR8600\n");
      if(&getPermission($dbh,$userID,$deviceID)==3) {
         print("User has enable access\n");
         return;
      }
   }
   if($modelID==5) {     # SSR8000
      print("Device Type is SSR8000\n");
      if(&getPermission($dbh,$userID,$deviceID)==3) {
         print("User has enable access\n");
         return;
      }
   }
   if($modelID==6) {     # RS3000
      print("Device Type is RS3000\n");
      if(&getPermission($dbh,$userID,$deviceID)==3) {
         print("User has enable access\n");
         return;
      }
   }
   if($modelID==2) {     # SS2200
      print("Device Type is SS2200\n");
      if(&getPermission($dbh,$userID,$deviceID)==1) {  # read-only
         &setSS2200access($reply,"ro");
         print("User has read access\n");
         return;
      }
      elsif(&getPermission($dbh,$userID,$deviceID)==2) {  # read-write
         &setSS2200access($reply,"rw");
         print("User has read-write access\n");
         return;
      }
      elsif(&getPermission($dbh,$userID,$deviceID)==3) {  # super-user
         &setSS2200access($reply,"su");
         print("User has super-user access\n");
         return;
      }
   }

   print("User has no access\n");
   &invalidate($request);
   return;

   sub invalidate {
      $_[0]->change_attr('User-Password','no access');
   }

   sub setSS2200access {
      $_[0]->add_attr('FilterID',"Enterasys:version=1:mgmt=$_[1]");
   }

   sub update {
      my $connection  = $_[0];
      my $sth  = $connection->prepare($_[1]);
      $sth->execute;
      $sth->finish;
      return;
   }

   sub select {
      my $connection  = $_[0];
      my $sth  = $connection->prepare($_[1]);
      $sth->execute;
      my $row = $sth->fetchrow();
      $sth->finish;
      return $row;
   }

   sub getPermission {
      my $userID = $_[1];
      my $deviceID = $_[2];
      my $tmp = 0;
      my $myref;
      my $accesslevel = 0;
      my $connection  = $_[0];

      my $modelID = &select($connection,"SELECT modelID FROM device WHERE ID='$deviceID'");
      my $networkID = &select($connection,"SELECT networkID FROM device WHERE ID='$deviceID'");
      my $all = &select($connection,"SELECT ID from device WHERE ID < 11 AND modelID=$modelID and networkID=$networkID");

      my $sth  = $connection->prepare("SELECT * from
usertogroup,usergroupPermission,level \
                                        WHERE usertogroup.userID=$userID \
                                          AND
usertogroup.usergroupID=usergroupPermission.usergroupID \ceID=$all) \
                                          AND
usergroupPermission.levelID=level.ID");
      $sth->execute;

      while ($myref = $sth->fetchrow_hashref()) {
         if(($tmp = $myref->{'type'}) > $accesslevel) {
            $accesslevel = $tmp;
         }
      }

      $sth->finish();

      $sth  = $connection->prepare("SELECT * from userPermission,level \
                                        WHERE (userPermission.deviceID=$deviceID OR userPermission.deviceID=$all) \
                                          AND userPermission.userID=$userID \
                                          AND userPermission.levelID=level.ID");
      $sth->execute;

      while ($myref = $sth->fetchrow_hashref()) {
         if(($tmp = $myref->{'type'}) > $accesslevel) {
            $accesslevel = $tmp;
         }
      }

      $sth->finish();
      return $accesslevel;
   }
}

===========================================================================
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
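
Added example (not part of the original post and not Radiator code): both hooks above build their lookups by pasting the RADIUS User-Name into the SQL text, so a name containing a quote breaks or changes the query. The script compares that with a DBI placeholder; it assumes DBD::SQLite is installed as an in-memory stand-in for the MySQL radiusdb, and the table rows, the sample names and the two function names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory stand-in for radiusdb (assumption: DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE user (ID INTEGER PRIMARY KEY, username TEXT)");
$dbh->do("INSERT INTO user (ID, username) VALUES (1, 'unknown')");
$dbh->do("INSERT INTO user (ID, username) VALUES (2, 'ewong')");

# Lookup as the hooks build it: the User-Name becomes part of the SQL text.
sub lookup_interpolated {
    my ($dbh, $username) = @_;
    my ($id) = eval {
        $dbh->selectrow_array(
            "SELECT ID FROM user WHERE username='$username'");
    };
    return "error" if $@;              # statement no longer parses
    return defined $id ? $id : "no row";
}

# Same lookup with a placeholder: the value is sent separately from the
# SQL text and is only ever compared as data.
sub lookup_bound {
    my ($dbh, $username) = @_;
    my ($id) = $dbh->selectrow_array(
        "SELECT ID FROM user WHERE username = ?", undef, $username);
    return defined $id ? $id : "no row";
}

# Constructed User-Name values, as they could arrive in a request:
# an existing user, a name with an apostrophe, and a name whose quote
# turns the WHERE clause into a match on a different account.
my @names = ("ewong", "o'brien", "x' OR username='ewong");

for my $name (@names) {
    printf "%-26s interpolated=%-7s bound=%s\n",
        "[$name]",
        lookup_interpolated($dbh, $name),
        lookup_bound($dbh, $name);
}

$dbh->disconnect;
```

With the interpolated form the second name fails to parse and the third resolves to ewong's ID; the bound form returns no row for both.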

