(RADIATOR) PostAuthHook nightmares.

Hugh Irvine hugh at open.com.au
Mon Nov 25 22:10:19 CST 2002


Hello Steve -

I am not sure I understand your question regarding two instances of the 
hook.

The usual case is to separate the processing for the two cases using 
either Realms or (more generally) Handlers.

And with an AuthBy FILE as you describe, you don't usually need a hook 
at all - you just need to define your address pools to use whatever 
comes back from the database lookup, and use an AuthByPolicy 
ContinueWhileAccept to control the two AuthBy clauses.

In the case of the AuthBy RADIUS clause, you need a ReplyHook because 
the reply comes back asynchronously from the proxy.

And yes you can add your own Reply-Message - just call 
"delete_attr(....)" first before adding your new one.

You are correct in pointing out that reply attributes in an 
Access-Reject don't usually cause problems. However you might want to 
look at using "AllowInReply" in your AuthBy RADIUS clause to limit the 
reply attributes that you will accept from a proxy. Then if you want to 
delete even those, you can use the reference to "AllowInReply" when you 
call "delete_attr".

regards

Hugh


On Tuesday, Nov 26, 2002, at 14:32 Australia/Melbourne, Steve Phillips 
wrote:

> At 16:02 26/11/2002, Hugh Irvine wrote:
>
>> Hello Steve -
>>
>> There are some example hooks including a ReplyHook that does pretty 
>> much what you require in the file "goodies/hooks.txt".
>>
>> If you have any further questions, please let me know.
>
> Found that after I posted the message :-) I am now busy LARTing 
> myself and rewriting my script - It appears however that I will still 
> need two separate instances of the script, one to handle Local Authing 
> by AuthBy FILE and one to handle AuthBy RADIUS, would that be right ?
>
> Also, is there a way, when changing the reply code to an 
> Access-Reject, to insert your own Reply-Message to something other 
> than "Request Denied" ? it appears that $rp->change_attr and 
> $rp->delete_attr('Reply-Message'); simply add another Reply-Message 
> Attribute and don't actually delete the "Request Denied" reply.
>
> Also :-)
>
> When changing the message code to an Access-Reject, is there a way to 
> delete all the current attributes in the reply packet as these are 
> still sending back information such as "Framed-MTU" etc etc (this is 
> mostly cosmetic I guess as it does not appear to actually break 
> anything)
>
> Thanks,
>
> -- 
> Steve.
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
