(RADIATOR) problem with changing attributes during a PreAuthHook

Hugh Irvine hugh at open.com.au
Thu Jan 10 19:37:48 CST 2002


Hello Atto -

Why don't you just use a check item in the user definition?

	someuser  Calling-Station-Id = 11223344

Your AuthBy SQL clause would look something like this:

	<AuthBy SQL>
		.....
		AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
			from SUBSCRIBERS where USERNAME = '%n'
		AuthColumnDef 0, Password, check
		AuthColumnDef 1, GENERIC, check
		AuthColumnDef 2, GENERIC, reply
		.....
	</AuthBy>

BTW - the latest version of Radiator is 2.19 and you should really consider 
upgrading.

Have a look at section 6.28 in the Radiator 2.19 reference manual.

regards

Hugh


On Thu, 10 Jan 2002 20:31, Atto Lorenz wrote:
> Hi,
>
> today I tried to write a PreAuthHook, which checks the Calling-Station-ID.
> I have stored the telephone numbers also in the database.
>
> The idea to check the calling_station_id was to compare the
> calling_station_id from the user with the calling_station_ids from the
> database. If the calling_station_id from the user doesn't match one number
> from the database, the hook changes the password from the user and the
> normal following authentication fails/rejects the user.
>
> At first I tested the hook with the radpwtst script. With the script the hook
> rejects a user if the calling_station_id is wrong. So all was working fine.
> The next step was to test it with a real NAS. But with this test the hook
> didn't work. In the debug log and the accounting data I can see if I change
> attributes but the NAS always gets an Access-Accept.
>
> Must I use another command to change attributes? I tried it with
> ${$_[0]}->change_attr('....') and with ${$_[1]}->change_attr('...')
>
> Another idea was to use a PostAuthHook and use the
> ${$_[1]}->set_code('Access-Reject'). But this solution also didn't work.
>
> Are there any bugs in the Radiator version 2.16, which damage the hooks?
> I looked in the history of the next versions but I can't find any relevant
> information.
>
> #
> # PreAuthHook for Radiator
> #
> # Check if the caller_id is ok and deny or permit the user
> #
> sub
> {
>         my $request = ${$_[0]};
>         my $reply = ${$_[1]};
>
>         # Get Username and split it in username and realmname
>         my($realmusername)=$request->getUserName();
>         my($username,$realmname)=$realmusername=~/^(.+?)@(.+?)$/;
>         my($dialok)=1;
>
>         # Get Calling-Station-Id if not exist quit
>         my($calling_station_id)=$request->get_attr('Calling-Station-Id');
>         if(!$calling_station_id)
>         {
>                 return();
>         }
>
>         # get the caller_id from database if caller_id not exist quit
>         my($authby_handle)= Radius::AuthGeneric::find('callerid');
>         my($query)= "select * from snapshot where loginname='$username' AND realmname='$realmname'";
>         my($sth)= $authby_handle->prepareAndExecute($query);
>         my($val)=$sth->fetchrow_hashref();
>
>         if(!$val->{caller_id})
>         {
>                 return();
>         }
>
>         # check if caller_id is ok
>         my(@callerid)=split(/,/,$val->{caller_id});
>         $calling_station_id=~s/^0*//;
>         foreach(@callerid)
>         {
>                 $dialok=0;
>                 s/^0*//;
>                 if($_ eq $calling_station_id)
>                 {
>                         $dialok=1;
>                         last;
>                 }
>         }
>
>         # if wrong calling_station_id change the password
>         if ( not $dialok ) {
>                 ${$_[0]}->change_attr('User-Password',"xxx");
>                 ${$_[1]}->change_attr('User-Password',"xxx");
>                 #$reply->set_code ('Access-Reject');
>         }
> }
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
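
Added example, not part of the original thread and not Radiator's own code: one way to turn the comma-separated caller_id column used by the quoted hook into a value for the CHECKATTR column from the reply above. It assumes Radiator's regular-expression form of check items (value wrapped in slashes); the function name and the sample rows are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: build a CHECKATTR value from a comma-separated
# caller_id column so the check item does the work of the hook.
use strict;
use warnings;

# Turn "011223344,55667788" into one anchored regex check item.
# Returns undef when the column holds no usable number, which mirrors
# the hook: no stored caller id means no caller-id restriction.
sub caller_ids_to_checkattr {
    my ($caller_ids) = @_;
    my (%seen, @alts);
    for my $id (split /,/, $caller_ids // '') {
        $id =~ s/^\s+|\s+$//g;       # trim whitespace around each entry
        $id =~ s/^0+//;              # same normalisation as the hook
        next unless $id =~ /^\d+$/;  # digits only, so nothing needs regex quoting
        next if $seen{$id}++;        # drop duplicates after normalisation
        push @alts, $id;
    }
    return unless @alts;
    # ^0* tolerates leading zeros sent by the NAS; the trailing $ stops
    # "11223344" from also matching "112233445".
    # Assumption: check items accept a /regex/ value.
    return 'Calling-Station-Id = /^0*(?:' . join('|', @alts) . ')$/';
}

# Constructed sample rows: loginname => caller_id column
my %rows = (
    someuser  => '011223344,55667788',
    otheruser => ' 0044123456 , 44123456',
    nocaller  => '',
);

for my $user (sort keys %rows) {
    my $check = caller_ids_to_checkattr($rows{$user});
    printf "%-10s %s\n", $user,
        defined $check ? $check : '(no check item: any caller accepted)';
}
```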