(RADIATOR) problem with changing attributes during an PreAuthHook

Atto Lorenz alorenz at gmx.net
Fri Jan 11 07:39:42 CST 2002


The problem is that I can define only one calling-station-id in the check
attributes. But the user is allowed to call from up to five numbers.

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, January 11, 2002 2:38 AM
> To: Atto Lorenz; radiator at open.com.au
> Cc: Atto Lorenz; alorenz at cybernet-ag.net
> Subject: Re: (RADIATOR) problem with changing attributes during an
> PreAuthHook
>
>
>
> Hello Atto -
>
> Why don't you just use a check item in the user definition?
>
> 	someuser  Calling-Station-Id = 11223344
>
> Your AuthBy SQL clause would look something like this:
>
> 	<AuthBy SQL>
> 		.....
> 		AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
> 			from SUBSCRIBERS where USERNAME = '%n'
> 		AuthColumnDef 0, Password, check
> 		AuthColumnDef 1, GENERIC, check
> 		AuthColumnDef 2, GENERIC, reply
> 		.....
> 	</AuthBy>
>
> BTW - the latest version of Radiator is 2.19 and you should really consider
> upgrading.
>
> Have a look at section 6.28 in the Radiator 2.19 reference manual.
>
> regards
>
> Hugh
>
>
> On Thu, 10 Jan 2002 20:31, Atto Lorenz wrote:
> > Hi,
> >
> > today I tried to write a PreAuthHook, which checks the Calling-Station-ID.
> > I have stored the telephone numbers also in the database.
> >
> > The idea to check the calling_station_id was to compare the
> > calling_station_id from the user with the calling_station_ids from the
> > database. If the calling_station_id from the user doesn't match one number
> > from the database, the hook changes the password from the user and the
> > normal following authentication fails/rejects the user.
> >
> > At first I tested the hook with the radpwtst script. With the script the hook
> > rejects a user if the calling_station_id is wrong. So all was working fine.
> > The next step was to test it with a real NAS. But with this test the hook
> > didn't work. In the debug log and the accounting data I can see if I change
> > attributes but the NAS always gets an Access-Accept.
> >
> > Must I use another command to change attributes? I tried it with
> > ${$_[0]}->change_attr('....') and with ${$_[1]}->change_attr('...')
> >
> > Another idea was to use a PostAuthHook and use
> > ${$_[1]}->set_code('Access-Reject'). But this solution also didn't work.
> >
> > Are there any bugs in Radiator version 2.16 which damage the hooks?
> > I looked in the history of the next versions but I can't find any relevant
> > information.
> >
> > #
> > # PreAuthHook for Radiator
> > #
> > # Check if the caller_id is ok and deny or permit the user
> > #
> > sub
> > {
> >         my $request = ${$_[0]};
> >         my $reply = ${$_[1]};
> >
> >         # Get Username and split it in username and realmname
> >         my($realmusername)=$request->getUserName();
> >         my($username,$realmname)=$realmusername=~/^(.+?)@(.+?)$/;
> >         my($dialok)=1;
> >
> >         # Get Calling-Station-Id if not exist quit
> >         my($calling_station_id)=$request->get_attr('Calling-Station-Id');
> >         if(!$calling_station_id)
> >         {
> >                 return();
> >         }
> >
> >         # get the caller_id from database if caller_id not exist quit
> >         my($authby_handle)= Radius::AuthGeneric::find('callerid');
> >         my($query)= "select * from snapshot where loginname='$username' AND realmname='$realmname'";
> >         my($sth)= $authby_handle->prepareAndExecute($query);
> >         my($val)=$sth->fetchrow_hashref();
> >
> >         if(!$val->{caller_id})
> >         {
> >                 return();
> >         }
> >
> >         # check if caller_id is ok
> >         my(@callerid)=split(/,/,$val->{caller_id});
> >         $calling_station_id=~s/^0*//;
> >         foreach(@callerid)
> >         {
> >                 $dialok=0;
> >                 s/^0*//;
> >                 if($_ eq $calling_station_id)
> >                 {
> >                         $dialok=1;
> >                         last;
> >                 }
> >         }
> >
> >         # if wrong calling_station_id change the password
> >         if ( not $dialok ) {
> >                 ${$_[0]}->change_attr('User-Password',"xxx");
> >                 ${$_[1]}->change_attr('User-Password',"xxx");
> >                 #$reply->set_code ('Access-Reject');
> >         }
> > }
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
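
An added example, not part of the original posts and not Radiator code: plain Perl that isolates the comparison discussed in this thread, matching one Calling-Station-Id against a comma-separated list of permitted numbers as stored in the caller_id column. The function names and sample numbers are constructed for illustration, and rejecting a restricted user who presents no Calling-Station-Id is an assumption here (the posted hook returns without deciding in that case).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reduce a number to comparable form: digits only, leading zeros dropped
# (the posted hook strips leading zeros in the same way).
sub normalize_number {
    my ($n) = @_;
    return '' unless defined $n;
    $n =~ s/\D//g;
    $n =~ s/^0+//;
    return $n;
}

# Decide whether a caller may proceed.
#   $presented - Calling-Station-Id from the request (may be undef)
#   $allowed   - comma-separated list as stored in the caller_id column
# Returns 'unrestricted', 'allow' or 'reject'.
sub check_caller {
    my ($presented, $allowed) = @_;

    my @list = grep { length } map { normalize_number($_) }
               split /,/, (defined $allowed ? $allowed : '');
    return 'unrestricted' unless @list;      # no numbers stored for this user

    my $caller = normalize_number($presented);
    return 'reject' unless length $caller;   # restricted user, no caller id sent

    my $hits = grep { $_ eq $caller } @list; # count of matching entries
    return $hits ? 'allow' : 'reject';
}

# Constructed sample data: [ Calling-Station-Id, stored list, expected result ]
my @cases = (
    [ '0301234567', '301234567,0407654321',   'allow'        ],
    [ '407654321',  '0301234567, 0407654321', 'allow'        ],
    [ '0899999999', '0301234567,0407654321',  'reject'       ],
    [ undef,        '0301234567',             'reject'       ],
    [ '0301234567', undef,                    'unrestricted' ],
    [ '0301234567', ',',                      'unrestricted' ],
);

for my $c (@cases) {
    my ($cid, $list, $want) = @$c;
    my $got = check_caller($cid, $list);
    printf "%-12s %-24s -> %-12s %s\n",
        defined $cid ? $cid : '(none)', defined $list ? $list : '(null)',
        $got, $got eq $want ? 'ok' : "MISMATCH (expected $want)";
}
```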

