(RADIATOR) AuthBySQL and PostAuthHook behaviour
Hugh Irvine
hugh at open.com.au
Thu Jun 6 13:45:03 CDT 2002
Hello Bruno -
What you describe is the correct behaviour. There is nothing in the RFCs
that states an Access-Reject must be empty, and indeed there are lots of
people who *want* to include reply items in Access-Rejects for various
reasons.
You can either call a hook that executes before the AuthBy clause and do the
reject there, or you can strip any reply attributes you don't want in the
existing PostAuthHook.
regards
Hugh
On Fri, 7 Jun 2002 04:03, Bruno Tiago Rodrigues wrote:
> Hi guys
> Here's something I've been worrying about for a while. As we were
> brainstorming a while ago, some of us figured this could be a bug/feature
> instead of a programming issue. We managed to trim down the code to the
> following testing lines. Our doubt is whether this should be the correct
> behaviour for Radiator...
>
> AuthBySQL gets the user reply attributes and then a PostAuthHook is called
> which simply denies access to the user. Even though it denies the access,
> all the attributes which were stored by the AuthBySQL query are still sent
> back to the NAS...
>
> I used to work with a similar setup, using AuthByLDAP instead of AuthBySQL
> and I don't remember seeing this happen anywhere...
>
> Any help?
>
> >>> this is the authentication only radius configuration file
>
> LogDir /export/home/bter/logs
> DbDir /export/home/bter/cfg
> PidFile %L/authentication.pid
> LogFile %L/debug_auth.log
> Trace 4
> AuthPort 1645
> AcctPort
> DictionaryFile /usr/local/etc/dictionary
> RewriteUsername s/[^a-zA-Z0-9.\$\-\@\_]//gx
>
> <Client DEFAULT>
> Secret blashfoni
> DupInterval 0
> </Client>
>
> <AuthBy SQL>
> Identifier authdre
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth radrad
>
> # Let the user in if they have any time left, set
> # the Session-timeout to the time left
> AuthSelect select PASSWORD,LNSATTR from SUBSCRIBERS where USERNAME=%0
> AuthColumnDef 0,User-Password,check
> AuthColumnDef 1,GENERIC, reply
> </AuthBy>
> <Handler Service-Type="Outbound-User">
> AuthBy authdre
> PostAuthHook file:"%D/PostVPDN.hook"
> </Handler>
>
> <Handler User-Name=/\@/>
> AuthBy authdre
> PostAuthHook file:"%D/PostVPDN.hook"
> </Handler>
>
> >>> now this is PostVPDN.hook
>
> sub {
>     my $r      = ${$_[0]};  # this is the request object
>     my $rp     = ${$_[1]};  # this is the response object
>     my $result = ${$_[2]};  # this is the status of the authentication so far
>
>     my $stype = $r->get_attr('Service-Type');
>     my $code  = $r->code;
>
>     if ($code eq 'Access-Request') {
>         # Override whatever the AuthBy clause decided and reject
>         ${$_[2]} = $main::REJECT;
>         ${$_[1]}->change_attr('Reply-Message', 'no way, jose');
>         return;
>     }
> }
>
> >>> this is the "radpwtst -secret blashfoni -user bruno at testedre -password bruno -noacct -trace" output
>
> sending Access-Request...
> Packet dump:
> *** Sending to 127.0.0.1 port 1645 ....
> Code: Access-Request
> Identifier: 87
> Authentic: 1234567890123456
> Attributes:
> User-Name = "bruno at testedre"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "<224>8C<211><128><182><224>:=<198>I]"
>
> Packet dump:
> *** Received from 127.0.0.1 port 1645 ....
> Code: Access-Reject
> Identifier: 87
> Authentic: <187><136><241>'<1>,<194><215>4<<9><199>= <22>S
> Attributes:
> cisco-avpair = "ip:addr-pool=ltwo"
> cisco-avpair = "service=ppp"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Reply-Message = "no way, jose"
> Reply-Message = "Request Denied"
>
> Rejected: no way, jose
>
> >>> and this is the radius debug log:
>
> Thu Jun 6 18:36:39 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 45573 ....
> Code: Access-Request
> Identifier: 129
> Authentic: 1234567890123456
> Attributes:
> User-Name = "bruno at testedre"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "<224>8C<211><128><182><224>:=<198>I]"
>
> Thu Jun 6 18:36:39 2002: DEBUG: Rewrote user name to bruno at testedre
> Thu Jun 6 18:36:39 2002: DEBUG: Handling request with Handler 'User-Name=/\@/'
> Thu Jun 6 18:36:39 2002: DEBUG: Deleting session for bruno at testedre, 203.63.154.1, 1234
> Thu Jun 6 18:36:39 2002: DEBUG: Handling with Radius::AuthSQL
> Thu Jun 6 18:36:39 2002: DEBUG: Handling with Radius::AuthSQL: authdre
> Thu Jun 6 18:36:39 2002: DEBUG: Query is: select PASSWORD,LNSATTR from SUBSCRIBERS where USERNAME='bruno at testedre'
>
> Thu Jun 6 18:36:39 2002: DEBUG: Radius::AuthSQL looks for match with bruno at testedre
> Thu Jun 6 18:36:39 2002: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Jun 6 18:36:39 2002: INFO: Access rejected for bruno at testedre:
> Thu Jun 6 18:36:39 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 45573 ....
> Code: Access-Reject
> Identifier: 129
> Authentic: 1234567890123456
> Attributes:
> cisco-avpair = "ip:addr-pool=ltwo"
> cisco-avpair = "service=ppp"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Reply-Message = "nepias"
> Reply-Message = "Request Denied"
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
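The second option Hugh suggests, stripping the unwanted reply items inside the existing PostAuthHook, as an added example for this thread rather than code from either poster or from the Radiator distribution. The hook interface (references to request, reply and result in @_, $main::REJECT, change_attr/add_attr) is the one used in Bruno's hook above. Two things are assumptions: that the reply object keeps its attribute list in $rp->{Attributes} as [name, value] pairs, and that delete_attr($name) removes every instance of that name; check both against the Radius::Packet in your Radiator version before relying on this.

```perl
# PostVPDN.hook - reject and send back a clean Access-Reject
# (added example; not from the original post or from Radiator itself)
sub {
    my ($req_ref, $rep_ref, $result_ref) = @_;
    my $r  = $$req_ref;   # request packet
    my $rp = $$rep_ref;   # reply packet the AuthBy clause has already populated

    # Only touch authentication; accounting requests pass through unchanged.
    return unless $r->code eq 'Access-Request';

    # Policy decision. Unconditional here, as in the original test hook;
    # put the real VPDN check in this condition.
    $$result_ref = $main::REJECT;

    # Collect the distinct attribute names AuthBySQL attached (cisco-avpair,
    # Service-Type, Framed-Protocol, ... in the dump above), then delete them.
    # Assumption: $rp->{Attributes} is an array of [name, value] pairs and
    # delete_attr() removes all instances of a name, so duplicates such as
    # two cisco-avpair items go in one call.
    my %names = map { $_->[0] => 1 } @{ $rp->{Attributes} || [] };
    $rp->delete_attr($_) for keys %names;

    # Now the only reply item we control is the message for the user.
    $rp->add_attr('Reply-Message', 'no way, jose');
    return;
}
```

Note what the dumps above show about ordering: the hook's "no way, jose" is followed by a second Reply-Message "Request Denied". That attribute is not present when the hook runs (change_attr would otherwise have replaced it), so Radiator appends it after the hook returns; the hook cannot strip it, and a NAS that displays Reply-Message will show both.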