(RADIATOR) PostAuthHook Stopped Working
Hugh Irvine
hugh at open.com.au
Wed Sep 5 01:32:46 CDT 2001
Hello Jason -
I note that the accounting request that you show below is an
Accounting-On, probably due to "ewong" running some command on the
NAS. I don't know whether your hook deals with this? Note that the
easiest way to test hook code is by putting print commands in the
code and running Radiator from the command line with -foreground
-log_stdout and -trace 4 so you can see immediately on the console
output what is going on. You should also make sure that the hook code
is being compiled properly at startup by looking at the startup
messages in the same manner.
hth
Hugh
At 11:18 +1000 01/9/5, Separovic, Jason wrote:
>Hi,
>
>I had radiator working with my PostAuthHook just how I wanted.
>Then I made some changes to the PostAuthHook. All I did (I think?) was
>create a new user in my database and then I updated the new
>username/password in the config files. Now My PostAuthHook does not work.
>And I'm at a loss to realise why??
>
>Here is an Accounting Request that should be inserted into my database
>through the PostAuthHook.
>But now the Hook is not even being called. I'm pretty confident in saying
>that because I added a 'write to file' at the beginning of the hook to test
>it. But to no success.
>
>I noticed some talk about a patch for the PostAuthHook but I'm not sure if I
>need it.
>Weird.
>It was working...
>Now it's not.
>
>Help!
>
>I'm using Radiator 2.17.1
>
>I have another problem to. My auth log is logging successes but not
>failures.
>
>============================================================================
>========
>
>Wed Sep 5 10:47:43 2001: DEBUG: Packet dump:
>*** Received from 192.168.0.9 port 1445 ....
>Code: Accounting-Request
>Identifier: 60
>Authentic: <180><189>mBY<157><156>X<152><14><7><180><150><1>@<174>
>Attributes:
> Acct-Status-Type = Accounting-On
> Acct-Session-Id = "0"
> Acct-Authentic = RADIUS
> Acct-Authentic = RADIUS
> User-Name = "ewong"
> Command-Code = "Command-Code (level: 10): system show ac"
> NAS-IP-Address = 192.168.0.9
>
>Wed Sep 5 10:47:43 2001: DEBUG: Check if Handler Realm=SSR should be used
>to handle this requestWed Sep 5 10:47:43 2001: DEBUG: Handling request with
>Handler 'Realm=SSR'
>Wed Sep 5 10:47:43 2001: DEBUG: Deleting all sessions for 192.168.0.9
>Wed Sep 5 10:47:43 2001: DEBUG: got On/Off from 192.168.0.9
>Wed Sep 5 10:47:43 2001: DEBUG: Handling with Radius::AuthSQL
>Wed Sep 5 10:47:43 2001: DEBUG: Handling accounting with Radius::AuthSQL
>Wed Sep 5 10:47:43 2001: DEBUG: Accounting accepted
>Wed Sep 5 10:47:43 2001: DEBUG: Packet dump:
>*** Sending to 192.168.0.9 port 1445 ....
>Code: Accounting-Response
>Identifier: 60
>Authentic: <180><189>mBY<157><156>X<152><14><7><180><150><1>@<174>
>Attributes:
>
>============================================================================
>========
>
># radius configuration file
>
>Foreground yes
>LogStdout no
>Trace 4
>LogDir /opt/radiator/log
>DbDir /usr/local/mysql/var/radiusdb
>DictionaryFile /opt/radiator/dictionary
>AuthPort 1812
>AcctPort 1813
>BindAddress 192.168.0.10
>
><ClientListSQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> GetClientQuery select ip,secret,NULL,NULL,realm from device,model
>where modelID=model.ID;
></ClientListSQL>
>
><Handler Realm=SSR>
> PreAuthHook file:"/opt/radiator/PreAuthHook"
> PostAuthHook file:"/opt/radiator/SSRAccounting"
> <AuthLog SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> Table authorisation
> LogSuccess 1
> LogFailure 1
> SuccessQuery insert into
>authorisation(date,username,deviceIP,status) values('%Y-%m-%d
>%H:%M:%S','%U','%N',1)
> FailureQuery insert into
>authorisation(date,username,deviceIP,status) values('%Y-%m-%d
>%H:%M:%S','%U','%N',0)
> </AuthLog>
> <AuthBy SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> RejectEmptyPassword
>
> AuthSelect select password from user where username='%U'
> AuthColumnDef 0, Password, check
> </AuthBy>
></Handler>
>
><Handler Realm=SS>
> PreAuthHook file:"/opt/radiator/PreAuthHook"
> <AuthLog SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> Table authorisation
> LogSuccess 1
> LogFailure 1
> SuccessQuery insert into
>authorisation(date,username,deviceIP,status) values('%Y-%m-%d
>%H:%M:%S','%U','%N',1)
> FailureQuery insert into
>authorisation(date,username,deviceIP,status) values('%Y-%m-%d
>%H:%M:%S','%U','%N',0)
> </AuthLog>
> <AuthBy SQL>
> DBSource dbi:mysql:radiusdb
> DBUsername radiator
> DBAuth password
>
> RejectEmptyPassword
>
> AuthSelect select password from user where username='%U'
> AuthColumnDef 0, Password, check
> </AuthBy>
></Handler>
>
><Handler>
> PostAuthHook file:"/opt/radiator/SSRAccounting"
></Handler>
>
>============================================================================
>========
>PostAuthHook - not being called anymore
>
>use DBI;
>use DBD::mysql;
>
>sub {
> open(FILE, ">/opt/radiator/testacc");
> flock(FILE,2);
> print FILE "Hook is being called";
> flock(FILE,8);
> close(FILE);
>
> my $host = "localhost";
> my $dbname = "radiusdb";
> my $dbpasswd = "password";
> my $dbuser = "radiator";
> my $data_source = "DBI:mysql:database=$dbname;host=$host";
> my $dbh = DBI->connect($data_source, $dbuser, $dbpasswd);
> my $request = ${$_[0]};
> my $request_code = $request->code;
> my $request_id = $request->identifier;
>
> my $reply = ${$_[1]};
> my $reply_code = $reply->code;
> my $reply_id = $reply->identifier;
>
> my $subcodetype =
>$request->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);
>
> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
>localtime(time);
> my $timestamp = sprintf("%04d-%02d-%02d
>%02d:%02d:%02d",$year+1900,$mon+1,$mday,$hour,$min,$sec);
>
> my $username = $request->getAttrByNum($Radius::Radius::USER_NAME);
> my @tmp = split(/@/,$username);
> $username = $tmp[0];
>
> # get and format SSR Vendor-Specific Codes
> my $command = $request->get_attr('Command-Code');
> my $system = $request->get_attr('System-Code');
> my $shell = $request->get_attr('Shell-Code');
> my $snmp = $request->get_attr('Snmp-Code');
> my @tmp = split(/:/,$command);
> $command = substr($tmp[2],1);
> @tmp = split(/:/,$system);
> $system = substr($tmp[2],1);
> @tmp = split(/:/,$shell);
> $shell = substr($tmp[2],1);
> @tmp = split(/:/,$snmp);
> $snmp = substr($tmp[2],1);
>
> if($command ne '') {
> }
> elsif($system ne '') {
> $command = $system;
> }
> elsif($shell ne '') {
> $command = $shell;
> }
> elsif($snmp ne '') {
> $command = $snmp;
> }
>
> my $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
>
> if ($request_code == 'Accounting-Request' && $subcodetype ne("")) {
> my $userID = &select($dbh,"SELECT ID FROM user WHERE
>username='$username'");
>
> if(!($userID > 0)) {
> $userID = &select($dbh,"SELECT ID FROM user WHERE
>username='unknown'");
> }
>
> my $deviceID = &select($dbh,"SELECT ID FROM device WHERE
>IP='$deviceIP'");
>
> &update($dbh,"INSERT INTO SSRaccounting
>(date,userID,deviceID,status,command) \
>
>VALUES('$timestamp','$userID','$deviceID','$subcodetype','$command')");
>
> return;
> }
>
> return;
>
> sub update {
> my $connection = $_[0];
> my $sth = $connection->prepare($_[1]);
> $sth->execute;
> $sth->finish;
> return;
> }
>
> sub select {
> my $connection = $_[0];
> my $sth = $connection->prepare($_[1]);
> $sth->execute;
> my $row = $sth->fetchrow();
> $sth->finish;
> return $row;
> }
>}
>
>============================================================================
>========
>PreAuthHook - This is working fine
>
>
>use DBI;
>use DBD::mysql;
>
>sub {
> my $host = "localhost";
> my $dbname = "radiusdb";
> my $dbpasswd = "password";
> my $dbuser = "radiator";
> my $data_source = "DBI:mysql:database=$dbname;host=$host";
> my $dbh = DBI->connect($data_source, $dbuser, $dbpasswd);
> my $request = ${$_[0]};
> my $request_code = $request->code;
> my $request_id = $request->identifier;
>
> my $reply = ${$_[1]};
> my $reply_code = $reply->code;
> my $reply_id = $reply->identifier;
>
> my $subcodetype =
>$request->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE);
>
> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
>localtime(time);
> my $timestamp = sprintf("%04d-%02d-%02d
>%02d:%02d:%02d",$year+1900,$mon,$mday,$hour,$min,$sec);
>
> my $username = $request->getAttrByNum($Radius::Radius::USER_NAME);
> my @tmp = split(/@/,$username);
> $username = $tmp[0];
>
> # if username=user replace with unknown
> if($username eq("user")) {
> &invalidate($request);
> }
>
> my $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
>
> $deviceIP = $request->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
>
> print("Detecting Access-Request from $deviceIP\n");
>
> # get Device from database
> my $userID = &select($dbh,"SELECT ID FROM user WHERE
>username='$username'");
> my $deviceID = &select($dbh,"SELECT ID FROM device WHERE
>IP='$deviceIP'");
> my $modelID = &select($dbh,"SELECT modelID FROM device WHERE
>ID='$deviceID'");
>
> if(!defined($userID)) {
> $userID=0;
> }
>
> if($modelID==1) { # SSR8600
> print("Device Type is SSR8600\n");
> if(&getPermission($dbh,$userID,$deviceID)==3) {
> print("User has enable access\n");
> return;
> }
> }
> if($modelID==5) { # SSR8000
> print("Device Type is SSR8000\n");
> if(&getPermission($dbh,$userID,$deviceID)==3) {
> print("User has enable access\n");
> return;
> }
> }
> if($modelID==6) { # RS3000
> print("Device Type is RS3000\n");
> if(&getPermission($dbh,$userID,$deviceID)==3) {
> print("User has enable access\n");
> return;
> }
> }
> if($modelID==2) { # SS2200
> print("Device Type is SS2200\n");
> if(&getPermission($dbh,$userID,$deviceID)==1) { # read-only
> &setSS2200access($reply,"ro");
> print("User has read access\n");
> return;
> }
> elsif(&getPermission($dbh,$userID,$deviceID)==2) { # read-write
> &setSS2200access($reply,"rw");
> print("User has read-write access\n");
> return;
> }
> elsif(&getPermission($dbh,$userID,$deviceID)==3) { # super-user
> &setSS2200access($reply,"su");
> print("User has super-user access\n");
> return;
> }
> }
>
> print("User has no access\n");
> &invalidate($request);
> return;
>
> sub invalidate {
> $_[0]->change_attr('User-Password','no access');
> }
>
> sub setSS2200access {
> $_[0]->add_attr('FilterID',"Enterasys:version=1:mgmt=$_[1]");
> }
>
> sub update {
> my $connection = $_[0];
> my $sth = $connection->prepare($_[1]);
> $sth->execute;
> $sth->finish;
> return;
> }
>
> sub select {
> my $connection = $_[0];
> my $sth = $connection->prepare($_[1]);
> $sth->execute;
> my $row = $sth->fetchrow();
> $sth->finish;
> return $row;
> }
>
> sub getPermission {
> my $userID = $_[1];
> my $deviceID = $_[2];
> my $tmp = 0;
> my $myref;
> my $accesslevel = 0;
> my $connection = $_[0];
>
> my $modelID = &select($connection,"SELECT modelID FROM device WHERE
>ID='$deviceID'");
> my $networkID = &select($connection,"SELECT networkID FROM device
>WHERE ID='$deviceID'");
> my $all = &select($connection,"SELECT ID from device WHERE ID < 11 AND
>modelID=$modelID and networkID=$networkID");
>
> my $sth = $connection->prepare("SELECT * from
>usertogroup,usergroupPermission,level \
> WHERE usertogroup.userID=$userID \
> AND
>usertogroup.usergroupID=usergroupPermission.usergroupID \ceID=$all) \
> AND
>usergroupPermission.levelID=level.ID");
> $sth->execute;
>
> while ($myref = $sth->fetchrow_hashref()) {
> if(($tmp = $myref->{'type'}) > $accesslevel) {
> $accesslevel = $tmp;
> }
> }
>
> $sth->finish();
>
> $sth = $connection->prepare("SELECT * from userPermission,level \
> WHERE
>(userPermission.deviceID=$deviceID OR userPermission.deviceID=$all) \
> AND userPermission.userID=$userID
>\
> AND
>userPermission.levelID=level.ID");
> $sth->execute;
>
> while ($myref = $sth->fetchrow_hashref()) {
> if(($tmp = $myref->{'type'}) > $accesslevel) {
> $accesslevel = $tmp;
> }
> }
>
> $sth->finish();
> return $accesslevel;
> }
>}
>
>========================================================================
>
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on radiator-announce at open.com.au
>To unsubscribe, email 'majordomo at open.com.au' with
>'unsubscribe radiator' in the body of the message.
--
NB: I am travelling this week, so there may be delays in our correspondence.
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list