(RADIATOR) Testing Radius traffic

Hugh Irvine hugh at open.com.au
Mon Sep 29 02:05:26 CDT 2003


Hello Claudio -

Please look at my example again:

sub
{
     my $p = ${$_[0]};   # original request packet
     my $rp = ${$_[1]};  # reply packet to NAS
     my $handled = $_[2]; # flag to indicate ACCEPT, REJECT or IGNORE

     # Only deal with authentication requests
     my $code = $p->code();
     return unless $code eq 'Access-Request';

     if (.....)
     {
         $$handled = $main::IGNORE;
         .....
     }
     return;
}

Note that $handled is passed as a reference to a variable, and to alter  
the contents of that variable you *must* use

	$$handled = $main::IGNORE;

regards

Hugh

PS - I know it is not obvious, so you should have a look at the code in  
"Radius/Handler.pm" to see what goes on.

PPS - the easiest way to see what is going on inside hooks is to add  
simple "print ...." statements, then run radiusd from the command line  
so you can see the output:

	perl radiusd -foreground -log_stdout -trace 4 -config_file .....



On Monday, Sep 29, 2003, at 12:45 Australia/Melbourne, Claudio Lapidus  
wrote:

> Hello Hugh
>
> For the first case, I finally decided to flag the packet with a special
> value (Timestamp=0) and trap it in a dedicated handler, it works a charm,
> but the replies...
>
>> For the second case, yes you can use a PostAuthHook and alter the reply
>> to IGNORE.
>
> Hmm, I must be missing something, I modified your example to work with
> accounting requests, but it should have worked the same, IMHO:
>
> $ cat discard_response.pl
> sub
> {
>      use constant THRESHOLD => 0.3;
>
>      my $p = ${$_[0]};   # original request packet
>      my $rp = ${$_[1]};  # reply packet to NAS
>      my $handled = $_[2]; # flag to indicate ACCEPT, REJECT or IGNORE
>
>      # Only deal with accounting requests
>      my $code = $p->code();
>      return unless $code eq 'Accounting-Request';
>
>      my $r = rand;
>      if ($r < THRESHOLD) {
>          $handled = $main::IGNORE;
>          &main::log($main::LOG_DEBUG, "Response IGNORED");
>      }
>      return;
> }
>
> and the config is
>
> Foreground
> LogStdout
> Trace           4
>
> # this one works OK
> PreClientHook   file:"/export/home/radiator/discard_request.pl"
>
> <Client 127.0.0.1>
>         Secret          secret
>         NasType         Cisco
>         PreHandlerHook  file:"/export/home/radiator/ciscoavpair.pl"
> </Client>
>
> <AuthBy INTERNAL>
>         Identifier      TheDropper
>         DefaultResult   IGNORE
> </AuthBy>
>
> <AuthBy SQL>
>         Identifier      Acct-Handler
>         DBSource        dbi:Pg:dbname=xxxxx
>         DBUsername      yyyyy
>         DBAuth          zzzzz
>         FailureBackoffTime      30
>
>         AccountingTable ACCOUNTING_CISCO
>         AcctColumnDef NAS_IP_Address,NAS-IP-Address
>         AcctColumnDef Cisco_NAS_Port,Cisco-NAS-Port
>         # lots of column defs here...
>
>         AcctFailedLogFileName   /var/log/radiator_%d-%m-%Y_failed.log
> </AuthBy SQL>
>
>
> # Temp handler for traffic test
> <Handler Timestamp=0>
>         AuthBy  TheDropper
> </Handler>
>
>
> # Main handler
> <Handler Request-Type=Accounting-Request>
>
>         # this is the one giving trouble...
>         PostAuthHook            file:"/export/home/radiator/discard_response.pl"
>         AuthBy                  Acct-Handler
> </Handler>
>
>
> To test, I use
>
> $ radpwtst -iterations 1 -s 127.0.0.1 -secret secret -noauth Timestamp=1234567890
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
> But the trace shows
> ...
> Sun Sep 28 23:34:03 2003: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
> Sun Sep 28 23:34:03 2003: DEBUG:  Adding session for mikem, 203.63.154.1, 1234
> Sun Sep 28 23:34:03 2003: DEBUG: Handling with Radius::AuthSQL
> Sun Sep 28 23:34:03 2003: DEBUG: Handling accounting with Radius::AuthSQL
> Sun Sep 28 23:34:03 2003: DEBUG: do query is: 'insert into ACCOUNTING_CISCO (time_stamp,NAS_Port_Type,NAS_IP_Address,Calling_Station_Id,Acct_Status_Type,User_Name,Acct_Session_Id,Called_Station_Id,Service_Type,Acct_Delay_Time) values ('1234567890','Async','203.63.154.1','987654321','Start','mikem','00001234','123456789','Framed-User','0')':
>
> Sun Sep 28 23:34:04 2003: DEBUG: Response IGNORED
> Sun Sep 28 23:34:04 2003: DEBUG: Accounting accepted
> Sun Sep 28 23:34:04 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 33804 ....
> Code:       Accounting-Response
> Identifier: 108
> Authentic:  <5>P<154><218><183><181><135><28>/.<140><142>77<251><250>
> Attributes:
>
> So the hook says it set the reply to IGNORE, but then the handler is
> accepting it anyway?
> cl.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
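
Added example, not part of the original message and not Radiator code: a stand-alone Perl script that runs the hook as posted in the question beside the hook as corrected in the reply, showing why only `$$handled` changes the caller's result. The `run_hook` caller, the hash-based packets and the numeric values of `$ACCEPT` and `$IGNORE` are constructed stand-ins for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in result codes; the numeric values are constructed for this demo.
our ($ACCEPT, $IGNORE) = (0, 2);
my %name = ($ACCEPT => 'ACCEPT', $IGNORE => 'IGNORE');

# Hook as posted in the question: assigns to the lexical copy of the reference.
my $broken_hook = sub {
    my $handled = $_[2];
    $handled = $main::IGNORE;      # overwrites the local scalar only
    return;
};

# Hook as corrected in the reply: dereferences and writes the caller's variable.
my $fixed_hook = sub {
    my $handled = $_[2];
    $$handled = $main::IGNORE;     # writes through the reference
    return;
};

# Hypothetical caller: passes references in the order the hook expects,
# then acts on whatever is left in its own $result.
sub run_hook {
    my ($hook) = @_;
    my ($request, $reply) = ({ code => 'Accounting-Request' }, {});
    my $result = $ACCEPT;          # result left by the AuthBy clause
    $hook->(\$request, \$reply, \$result);
    return $result;
}

for my $case (['broken', $broken_hook], ['fixed', $fixed_hook]) {
    my ($label, $hook) = @$case;
    my $result = run_hook($hook);
    my $action = $result == $IGNORE ? 'no reply sent' : 'reply sent';
    printf "%-6s hook -> %s (%s)\n", $label, $name{$result}, $action;
}
```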
