(RADIATOR) AuthBySQL and PostAuthHook behaviour
Bruno Tiago Rodrigues
bofh at netc.pt
Thu Jun 6 13:03:49 CDT 2002
Hi guys
Here's something I've been worrying about for a while. As we were
brainstorming a while ago, some of us figured this could be a bug/feature
instead of a programming issue. We managed to trim down the code to the
following testing lines. Our doubt is whether this should be the correct
behaviour for Radiator...
AuthBySQL gets the user reply attributes and then a PostAuthHook is called
which simply denies access to the user. Even though it denies access,
all the attributes which were stored by the AuthBySQL query are still sent
back to the NAS...
I used to work with a similar setup, using AuthByLDAP instead of AuthBySQL,
and I don't remember seeing this happen anywhere...
Any help?
>>> this is the authentication only radius configuration file
LogDir /export/home/bter/logs
DbDir /export/home/bter/cfg
PidFile %L/authentication.pid
LogFile %L/debug_auth.log
Trace 4
AuthPort 1645
AcctPort
DictionaryFile /usr/local/etc/dictionary
RewriteUsername s/[^a-zA-Z0-9.\$\-\@\_]//gx
<Client DEFAULT>
Secret blashfoni
DupInterval 0
</Client>
<AuthBy SQL>
Identifier authdre
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:radius
DBUsername radius
DBAuth radrad
# Let the user in if they have any time left, set
# the Session-timeout to the time left
AuthSelect select PASSWORD,LNSATTR from SUBSCRIBERS where USERNAME=%0
AuthColumnDef 0,User-Password,check
AuthColumnDef 1,GENERIC, reply
</AuthBy>
<Handler Service-Type="Outbound-User">
AuthBy authdre
PostAuthHook file:"%D/PostVPDN.hook"
</Handler>
<Handler User-Name=/\@/>
AuthBy authdre
PostAuthHook file:"%D/PostVPDN.hook"
</Handler>
>>> now this is PostVPDN.hook
sub {
    my $r = ${$_[0]};      # this is the request object
    my $rp = ${$_[1]};     # this is the response object
    my $result = ${$_[2]}; # this is the status of the authentication so far
    my $stype = $r->get_attr('Service-Type');
    my $code = $r->code;
    if ($code eq 'Access-Request') {
        # Deny the request and replace the Reply-Message in the reply
        ${$_[2]} = $main::REJECT;
        ${$_[1]}->change_attr('Reply-Message', 'no way, jose');
        return;
    }
}
>>> this is the "radpwtst -secret blashfoni -user bruno at testedre -password
bruno -noacct -trace" output
sending Access-Request...
Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code: Access-Request
Identifier: 87
Authentic: 1234567890123456
Attributes:
User-Name = "bruno at testedre"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<224>8C<211><128><182><224>:=<198>I]"
Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code: Access-Reject
Identifier: 87
Authentic: <187><136><241>'<1>,<194><215>4<<9><199>= <22>S
Attributes:
cisco-avpair = "ip:addr-pool=ltwo"
cisco-avpair = "service=ppp"
Service-Type = Framed-User
Framed-Protocol = PPP
Reply-Message = "no way, jose"
Reply-Message = "Request Denied"
Rejected: no way, jose
>>> and this is the radius debug log:
Thu Jun 6 18:36:39 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 45573 ....
Code: Access-Request
Identifier: 129
Authentic: 1234567890123456
Attributes:
User-Name = "bruno at testedre"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<224>8C<211><128><182><224>:=<198>I]"
Thu Jun 6 18:36:39 2002: DEBUG: Rewrote user name to bruno at testedre
Thu Jun 6 18:36:39 2002: DEBUG: Handling request with Handler
'User-Name=/\@/'
Thu Jun 6 18:36:39 2002: DEBUG: Deleting session for bruno at testedre,
203.63.154.1, 1234
Thu Jun 6 18:36:39 2002: DEBUG: Handling with Radius::AuthSQL
Thu Jun 6 18:36:39 2002: DEBUG: Handling with Radius::AuthSQL: authdre
Thu Jun 6 18:36:39 2002: DEBUG: Query is: select PASSWORD,LNSATTR from
SUBSCRIBERS where USERNAME='bruno at testedre'
Thu Jun 6 18:36:39 2002: DEBUG: Radius::AuthSQL looks for match with
bruno at testedre
Thu Jun 6 18:36:39 2002: DEBUG: Radius::AuthSQL ACCEPT:
Thu Jun 6 18:36:39 2002: INFO: Access rejected for bruno at testedre:
Thu Jun 6 18:36:39 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 45573 ....
Code: Access-Reject
Identifier: 129
Authentic: 1234567890123456
Attributes:
cisco-avpair = "ip:addr-pool=ltwo"
cisco-avpair = "service=ppp"
Service-Type = Framed-User
Framed-Protocol = PPP
Reply-Message = "nepias"
Reply-Message = "Request Denied"
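For comparison, here is a PostAuthHook that makes the same reject decision but also removes the reply attributes the AuthBy clause has already placed in the reply, so that pool names, service strings and Framed-Protocol are not disclosed to the NAS in an Access-Reject. This is an added example, not the hook from the post above and not Radiator's own code. It assumes the Radiator hook calling convention shown in the post (references to request, reply and result), the Radius::Radius methods code(), change_attr() and delete_attr() (the latter assumed to remove every attribute of the given name), the arrayref $rp->{Attributes} holding [name, value] pairs, and the &main::log logging call; the hook file name PostVPDN-strip.hook is a placeholder.

```perl
# Added example PostAuthHook (not from the original post, not Radiator code).
# Assumptions: Radius::Radius objects offer code(), change_attr() and
# delete_attr(); reply attributes live in the arrayref $rp->{Attributes}
# as [name, value] pairs; &main::log($main::LOG_DEBUG, ...) writes to the
# Radiator log.
sub {
    my ($rq_ref, $rp_ref, $result_ref) = @_;
    my $r  = $$rq_ref;   # request object
    my $rp = $$rp_ref;   # reply object being built

    # Only act on authentication traffic; accounting is untouched.
    return unless $r->code eq 'Access-Request';

    # Same policy decision as the hook in the post: deny the request.
    $$result_ref = $main::REJECT;
    $rp->change_attr('Reply-Message', 'no way, jose');

    # RFC 2865 permits only a small set of attributes in an Access-Reject.
    # Everything else was collected by AuthBy SQL for the accept case and
    # should not reach the NAS on a reject.
    my %keep = map { $_ => 1 } qw(Reply-Message Proxy-State
                                  Message-Authenticator EAP-Message);
    my @present = map { $_->[0] } @{ $rp->{Attributes} || [] };
    my %seen;
    for my $name (grep { !$seen{$_}++ } @present) {
        next if $keep{$name};
        &main::log($main::LOG_DEBUG,
                   "PostAuthHook: dropping $name from Access-Reject");
        $rp->delete_attr($name);   # assumed to remove every instance
    }
    return;
}
```

Install it with PostAuthHook file:"%D/PostVPDN-strip.hook" in place of the existing hook line. The stripping has to happen inside the hook because, as the debug log in the post shows, AuthBy SQL has already added its reply attributes by the time the hook runs; at Trace 4 the "dropping ..." lines give a per-request record of what was withheld, and the Access-Reject packet dump should then carry only Reply-Message.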
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au