(RADIATOR) PostAuthHook Stopped Working
Separovic, Jason
jseparov at uecomm.com.au
Tue Sep 4 23:21:35 CDT 2001
> -----Original Message-----
> From: Separovic, Jason
> Sent: Wednesday, September 05, 2001 2:21 PM
> To: Separovic, Jason
> Subject: RE: (RADIATOR) PostAuthHook Stopped Working
>
> It's working now.
> I had the restartWrapper going and as I was making the changes to the
> config I sent a NOHUP to the radiusd process.
> This did not work properly, so I killed all processes and then started the
> wrapper and the config worked fine.
>
> -----Original Message-----
> From: Separovic, Jason [SMTP:jseparov at uecomm.com.au]
> Sent: Wednesday, September 05, 2001 11:18 AM
> To: radiator at open.com.au
> Subject: (RADIATOR) PostAuthHook Stopped Working
>
> Hi,
>
> I had radiator working with my PostAuthHook just how I wanted.
> Then I made some changes to the PostAuthHook. All I did (I think?) was
> create a new user in my database and then I updated the new
> username/password in the config files. Now my PostAuthHook does not work.
> And I'm at a loss to realise why??
>
> Here is an Accounting Request that should be inserted into my database
> through the PostAuthHook.
> But now the Hook is not even being called. I'm pretty confident in saying
> that because I added a 'write to file' at the beginning of the hook to test
> it. But to no success.
>
> I noticed some talk about a patch for the PostAuthHook but I'm not sure if I
> need it.
> Weird.
> It was working...
> Now it's not.
>
> Help!
>
> I'm using Radiator 2.17.1
>
> I have another problem too. My auth log is logging successes but not
> failures.
>
> ================================================================================
>
> Wed Sep 5 10:47:43 2001: DEBUG: Packet dump:
> *** Received from 192.168.0.9 port 1445 ....
> Code: Accounting-Request
> Identifier: 60
> Authentic: <180><189>mBY<157><156>X<152><14><7><180><150><1>@<174>
> Attributes:
> Acct-Status-Type = Accounting-On
> Acct-Session-Id = "0"
> Acct-Authentic = RADIUS
> Acct-Authentic = RADIUS
> User-Name = "ewong"
> Command-Code = "Command-Code (level: 10): system show ac"
> NAS-IP-Address = 192.168.0.9
>
> Wed Sep 5 10:47:43 2001: DEBUG: Check if Handler Realm=SSR should be used to handle this request
> Wed Sep 5 10:47:43 2001: DEBUG: Handling request with Handler 'Realm=SSR'
> Wed Sep 5 10:47:43 2001: DEBUG: Deleting all sessions for 192.168.0.9
> Wed Sep 5 10:47:43 2001: DEBUG: got On/Off from 192.168.0.9
> Wed Sep 5 10:47:43 2001: DEBUG: Handling with Radius::AuthSQL
> Wed Sep 5 10:47:43 2001: DEBUG: Handling accounting with Radius::AuthSQL
> Wed Sep 5 10:47:43 2001: DEBUG: Accounting accepted
> Wed Sep 5 10:47:43 2001: DEBUG: Packet dump:
> *** Sending to 192.168.0.9 port 1445 ....
> Code: Accounting-Response
> Identifier: 60
> Authentic: <180><189>mBY<157><156>X<152><14><7><180><150><1>@<174>
> Attributes:
>
> ================================================================================
>
> # radius configuration file
>
> Foreground yes
> LogStdout no
> Trace 4
> LogDir /opt/radiator/log
> DbDir /usr/local/mysql/var/radiusdb
> DictionaryFile /opt/radiator/dictionary
> AuthPort 1812
> AcctPort 1813
> BindAddress 192.168.0.10
>
> <ClientListSQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> GetClientQuery select ip,secret,NULL,NULL,realm from device,model where modelID=model.ID;
> </ClientListSQL>
>
> <Handler Realm=SSR>
> PreAuthHook file:"/opt/radiator/PreAuthHook"
> PostAuthHook file:"/opt/radiator/SSRAccounting"
> <AuthLog SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> Table authorisation
> LogSuccess 1
> LogFailure 1
> SuccessQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',1)
> FailureQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',0)
> </AuthLog>
> <AuthBy SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> RejectEmptyPassword
>
> AuthSelect select password from user where username='%U'
> AuthColumnDef 0, Password, check
> </AuthBy>
> </Handler>
>
> <Handler Realm=SS>
> PreAuthHook file:"/opt/radiator/PreAuthHook"
> <AuthLog SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> Table authorisation
> LogSuccess 1
> LogFailure 1
> SuccessQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',1)
> FailureQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',0)
> </AuthLog>
> <AuthBy SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> RejectEmptyPassword
>
> AuthSelect select password from user where username='%U'
> AuthColumnDef 0, Password, check
> </AuthBy>
> </Handler>
>
> <Handler>
> PostAuthHook file:"/opt/radiator/SSRAccounting"
> </Handler>
>
> ================================================================================
> PostAuthHook - not being called anymore
>
> use DBI;
> use DBD::mysql;
>
> sub {
>     # marker file: shows from outside radiusd whether the hook runs at all
>     open(FILE, ">/opt/radiator/testacc");
>     flock(FILE,2);
>     print FILE "Hook is being called";
>     flock(FILE,8);
>     close(FILE);
>
>     my $host = "localhost";
>     my $dbname = "radiusdb";
>     my $dbpasswd = "password";
>     my $dbuser = "radiator";
>     my $data_source = "DBI:mysql:database=$dbname;host=$host";
>     # fail with a clear message (radiusd runs hooks inside eval and logs the
>     # error) instead of dying later on an undefined handle
>     my $dbh = DBI->connect($data_source, $dbuser, $dbpasswd)
>         or die "SSRAccounting: cannot connect to $data_source: $DBI::errstr";
>
>     my $request = ${$_[0]};
>     my $request_code = $request->code;
>     my $request_id = $request->identifier;
>
>     my $reply = ${$_[1]};
>     my $reply_code = $reply->code;
>     my $reply_id = $reply->identifier;
>
>     my $subcodetype = $request->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);
>
>     my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
>     my $timestamp = sprintf("%04d-%02d-%02d %02d:%02d:%02d",
>                             $year+1900,$mon+1,$mday,$hour,$min,$sec);
>
>     # strip any realm from the user name
>     my $username = $request->getAttrByNum($Radius::Radius::USER_NAME);
>     my @tmp = split(/@/,$username);
>     $username = $tmp[0];
>
>     # get and format SSR Vendor-Specific Codes: a value looks like
>     # "Command-Code (level: 10): system show ac" and only the text after the
>     # second ':' is kept; an absent attribute becomes ''
>     my ($command, $system, $shell, $snmp) = map {
>         my @f = split(/:/, defined($_) ? $_ : '');
>         defined($f[2]) ? substr($f[2],1) : '';
>     } ($request->get_attr('Command-Code'),
>        $request->get_attr('System-Code'),
>        $request->get_attr('Shell-Code'),
>        $request->get_attr('Snmp-Code'));
>
>     # the first non-empty code is the command that gets recorded
>     ($command) = grep { $_ ne '' } ($command, $system, $shell, $snmp);
>     $command = '' unless defined($command);
>
>     my $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
>
>     # code() returns the packet type as a string, so 'eq' is needed here:
>     # '==' compared both sides as the number 0 and matched every packet
>     if ($request_code eq 'Accounting-Request'
>         && defined($subcodetype) && $subcodetype ne '') {
>         # user name and NAS address come off the wire, so they are passed as
>         # bind values rather than interpolated into the SQL text
>         my $userID = &select_one($dbh,"SELECT ID FROM user WHERE username=?", $username);
>
>         if(!($userID > 0)) {
>             $userID = &select_one($dbh,"SELECT ID FROM user WHERE username='unknown'");
>         }
>
>         my $deviceID = &select_one($dbh,"SELECT ID FROM device WHERE IP=?", $deviceIP);
>
>         &update($dbh,"INSERT INTO SSRaccounting (date,userID,deviceID,status,command) VALUES(?,?,?,?,?)",
>                 $timestamp,$userID,$deviceID,$subcodetype,$command);
>     }
>
>     return;
>
>     # run a statement that returns no rows; extra arguments are bind values
>     sub update {
>         my ($connection, $sql, @bind) = @_;
>         my $sth = $connection->prepare($sql);
>         $sth->execute(@bind);
>         $sth->finish;
>         return;
>     }
>
>     # return the first column of the first row (undef if there is none);
>     # named select_one so it does not collide with Perl's builtin select
>     sub select_one {
>         my ($connection, $sql, @bind) = @_;
>         my $sth = $connection->prepare($sql);
>         $sth->execute(@bind);
>         my ($row) = $sth->fetchrow_array;
>         $sth->finish;
>         return $row;
>     }
> }
>
> ================================================================================
> PreAuthHook - This is working fine
>
>
> use DBI;
> use DBD::mysql;
>
> sub {
>     my $host = "localhost";
>     my $dbname = "radiusdb";
>     my $dbpasswd = "password";
>     my $dbuser = "radiator";
>     my $data_source = "DBI:mysql:database=$dbname;host=$host";
>     my $dbh = DBI->connect($data_source, $dbuser, $dbpasswd)
>         or die "PreAuthHook: cannot connect to $data_source: $DBI::errstr";
>     my $request = ${$_[0]};
>     my $request_code = $request->code;
>     my $request_id = $request->identifier;
>
>     my $reply = ${$_[1]};
>     my $reply_code = $reply->code;
>     my $reply_id = $reply->identifier;
>
>     my $subcodetype = $request->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);
>
>     my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
>     # localtime months are 0-based, so add 1 (this hook used $mon as-is)
>     my $timestamp = sprintf("%04d-%02d-%02d %02d:%02d:%02d",
>                             $year+1900,$mon+1,$mday,$hour,$min,$sec);
>
>     # strip any realm from the user name
>     my $username = $request->getAttrByNum($Radius::Radius::USER_NAME);
>     my @tmp = split(/@/,$username);
>     $username = $tmp[0];
>
>     # if username=user replace with unknown
>     if($username eq "user") {
>         &invalidate($request);
>     }
>
>     my $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
>
>     print("Detecting Access-Request from $deviceIP\n");
>
>     # get Device from database (request values are passed as bind parameters)
>     my $userID = &select_one($dbh,"SELECT ID FROM user WHERE username=?", $username);
>     my $deviceID = &select_one($dbh,"SELECT ID FROM device WHERE IP=?", $deviceIP);
>     my $modelID = &select_one($dbh,"SELECT modelID FROM device WHERE ID=?", $deviceID);
>
>     if(!defined($userID)) {
>         $userID=0;
>     }
>
>     # these models only distinguish 'enable' access (level 3)
>     my %enable_only = (1 => 'SSR8600', 5 => 'SSR8000', 6 => 'RS3000');
>     if(defined($modelID) && $enable_only{$modelID}) {
>         print("Device Type is $enable_only{$modelID}\n");
>         if(&getPermission($dbh,$userID,$deviceID)==3) {
>             print("User has enable access\n");
>             return;
>         }
>     }
>     if(defined($modelID) && $modelID==2) { # SS2200
>         print("Device Type is SS2200\n");
>         my $level = &getPermission($dbh,$userID,$deviceID);
>         if($level==1) { # read-only
>             &setSS2200access($reply,"ro");
>             print("User has read access\n");
>             return;
>         }
>         elsif($level==2) { # read-write
>             &setSS2200access($reply,"rw");
>             print("User has read-write access\n");
>             return;
>         }
>         elsif($level==3) { # super-user
>             &setSS2200access($reply,"su");
>             print("User has super-user access\n");
>             return;
>         }
>     }
>
>     print("User has no access\n");
>     &invalidate($request);
>     return;
>
>     # overwrite the password so the AuthBy SQL check rejects the request
>     sub invalidate {
>         $_[0]->change_attr('User-Password','no access');
>     }
>
>     sub setSS2200access {
>         $_[0]->add_attr('FilterID',"Enterasys:version=1:mgmt=$_[1]");
>     }
>
>     # run a statement that returns no rows; extra arguments are bind values
>     sub update {
>         my ($connection, $sql, @bind) = @_;
>         my $sth = $connection->prepare($sql);
>         $sth->execute(@bind);
>         $sth->finish;
>         return;
>     }
>
>     # return the first column of the first row (undef if there is none);
>     # named select_one so it does not collide with Perl's builtin select
>     sub select_one {
>         my ($connection, $sql, @bind) = @_;
>         my $sth = $connection->prepare($sql);
>         $sth->execute(@bind);
>         my ($row) = $sth->fetchrow_array;
>         $sth->finish;
>         return $row;
>     }
>
>     # highest permission level granted to the user on this device, either
>     # directly (userPermission) or through a group (usergroupPermission)
>     sub getPermission {
>         my ($connection, $userID, $deviceID) = @_;
>         my $tmp = 0;
>         my $myref;
>         my $accesslevel = 0;
>
>         my $modelID = &select_one($connection,"SELECT modelID FROM device WHERE ID=?", $deviceID);
>         my $networkID = &select_one($connection,"SELECT networkID FROM device WHERE ID=?", $deviceID);
>         # the 'all devices of this model on this network' entry (ID < 11)
>         my $all = &select_one($connection,
>             "SELECT ID from device WHERE ID < 11 AND modelID=? and networkID=?",
>             $modelID, $networkID);
>
>         # the deviceID clause of this query was cut off in the archived
>         # message; it is restored here by analogy with the userPermission
>         # query below
>         my $sth = $connection->prepare("SELECT * from usertogroup,usergroupPermission,level
>             WHERE usertogroup.userID=?
>             AND usertogroup.usergroupID=usergroupPermission.usergroupID
>             AND (usergroupPermission.deviceID=? OR usergroupPermission.deviceID=?)
>             AND usergroupPermission.levelID=level.ID");
>         $sth->execute($userID, $deviceID, $all);
>
>         while ($myref = $sth->fetchrow_hashref()) {
>             if(($tmp = $myref->{'type'}) > $accesslevel) {
>                 $accesslevel = $tmp;
>             }
>         }
>
>         $sth->finish();
>
>         $sth = $connection->prepare("SELECT * from userPermission,level
>             WHERE (userPermission.deviceID=? OR userPermission.deviceID=?)
>             AND userPermission.userID=?
>             AND userPermission.levelID=level.ID");
>         $sth->execute($deviceID, $all, $userID);
>
>         while ($myref = $sth->fetchrow_hashref()) {
>             if(($tmp = $myref->{'type'}) > $accesslevel) {
>                 $accesslevel = $tmp;
>             }
>         }
>
>         $sth->finish();
>         return $accesslevel;
>     }
> }
>
> ================================================================================
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
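A parser for the SSR vendor attributes that the PostAuthHook turns into its 'command' column, added here as an example and not part of the original post. It assumes every value has the shape of the one in the packet dump above, "Command-Code (level: 10): system show ac", and it keeps colons that belong to the command itself, which the split(/:/) approach cuts off; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Splits a value such as "Command-Code (level: 10): system show ac" into its
# privilege level and command text. The layout is assumed from the single
# attribute in the packet dump; a value that does not match is returned whole.
sub parse_ssr_code {
    my ($value) = @_;
    return (undef, '') unless defined $value;
    if ($value =~ /^\S+-Code \(level:\s*(\d+)\):\s*(.*)$/s) {
        return ($1, $2);
    }
    return (undef, $value);
}

# Picks the first attribute carrying a command, in the priority order the hook
# uses (Command, System, Shell, Snmp). Returns (attribute name, level, text).
sub choose_command {
    my (%attrs) = @_;
    for my $name (qw(Command-Code System-Code Shell-Code Snmp-Code)) {
        my ($level, $text) = parse_ssr_code($attrs{$name});
        return ($name, $level, $text) if $text ne '';
    }
    return ('', undef, '');
}

# Constructed samples: the attribute from the packet dump, and a shell command
# containing a colon, which split(/:/) followed by substr($tmp[2],1) would
# have truncated to "system set time 10".
my %dump  = ('Command-Code' => 'Command-Code (level: 10): system show ac');
my %colon = ('Shell-Code'   => 'Shell-Code (level: 5): system set time 10:30');
my %none  = ();

my ($name, $level, $text) = choose_command(%dump);
die "unexpected: $text" unless $name eq 'Command-Code' && $level == 10
    && $text eq 'system show ac';

($name, $level, $text) = choose_command(%colon);
die "unexpected: $text" unless $level == 5 && $text eq 'system set time 10:30';

($name, $level, $text) = choose_command(%none);
die "unexpected: $text" unless $name eq '' && $text eq '';

print "all samples parsed as expected\n";
```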