(RADIATOR) Testing Radius traffic - SOLVED

Claudio Lapidus c_lapidus at hotmail.com
Mon Sep 29 05:39:29 CDT 2003


Oh, my! And I thought it was a typo. I deleted it on purpose! Later, when it
didn't function I didn't even remember about it. It's working fine now.
Thank you for your help, Hugh.

cheers
cl.

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Claudio Lapidus" <c_lapidus at hotmail.com>
Cc: <radiator at open.com.au>
Sent: Monday, September 29, 2003 4:05 AM
Subject: Re: (RADIATOR) Testing Radius traffic


>
> Hello Claudio -
>
> Please look at my example again:
>
> sub
> {
>      my $p = ${$_[0]};   # original request packet
>      my $rp = ${$_[1]};  # reply packet to NAS
>      my $handled = $_[2]; # flag to indicate ACCEPT, REJECT or IGNORE
>
>      # Only deal with authentication requests
>      my $code = $p->code();
>      return unless $code eq 'Access-Request';
>
>      if (.....)
>      {
>          $$handled = $main::IGNORE;
>          .....
>      }
>      return;
> }
>
> Note that $handled is passed as a reference to a variable, and to alter
> the contents of that variable you *must* use
>
> $$handled = $main::IGNORE;
>
> regards
>
> Hugh
>
> PS - I know it is not obvious, so you should have a look at the code in
> "Radius/Handler.pm" to see what goes on.
>
> PPS - the easiest way to see what is going on inside hooks is to add
> simple "print ...." statements, then run radiusd from the command line
> so you can see the output:
>
> perl radiusd -foreground -log_stdout -trace 4 -config_file .....
>
>
>
> On Monday, Sep 29, 2003, at 12:45 Australia/Melbourne, Claudio Lapidus
> wrote:
>
> > Hello Hugh
> >
> > For the first case, I finally decided to flag the packet with a special
> > value (Timestamp=0) and trap it in a dedicated handler, it works a
> > charm,
> > but the replies...
> >
> >> For the second case, yes you can use a PostAuthHook and alter the
> >> reply
> >> to IGNORE.
> >
> > Hmm, I must be missing something, I modified your example to work with
> > accounting requests, but it should have worked the same, IMHO:
> >
> > $ cat discard_response.pl
> > sub
> > {
> >      use constant THRESHOLD => 0.3;
> >
> >      my $p = ${$_[0]};   # original request packet
> >      my $rp = ${$_[1]};  # reply packet to NAS
> >      my $handled = $_[2]; # flag to indicate ACCEPT, REJECT or IGNORE
> >
> >      # Only deal with accounting requests
> >      my $code = $p->code();
> >      return unless $code eq 'Accounting-Request';
> >
> >      my $r = rand;
> >      if ($r < THRESHOLD) {
> >          $handled = $main::IGNORE;
> >          &main::log($main::LOG_DEBUG, "Response IGNORED");
> >      }
> >      return;
> > }
> >
> > and the config is
> >
> > Foreground
> > LogStdout
> > Trace           4
> >
> > # this one works OK
> > PreClientHook   file:"/export/home/radiator/discard_request.pl"
> >
> > <Client 127.0.0.1>
> >         Secret          secret
> >         NasType         Cisco
> >         PreHandlerHook  file:"/export/home/radiator/ciscoavpair.pl"
> > </Client>
> >
> > <AuthBy INTERNAL>
> >         Identifier      TheDropper
> >         DefaultResult   IGNORE
> > </AuthBy>
> >
> > <AuthBy SQL>
> >         Identifier      Acct-Handler
> >         DBSource        dbi:Pg:dbname=xxxxx
> >         DBUsername      yyyyy
> >         DBAuth          zzzzz
> >         FailureBackoffTime      30
> >
> >         AccountingTable ACCOUNTING_CISCO
> >         AcctColumnDef NAS_IP_Address,NAS-IP-Address
> >         AcctColumnDef Cisco_NAS_Port,Cisco-NAS-Port
> >         # lots of column defs here...
> >
> >         AcctFailedLogFileName   /var/log/radiator_%d-%m-%Y_failed.log
> > </AuthBy SQL>
> >
> >
> > # Temp handler for traffic test
> > <Handler Timestamp=0>
> >         AuthBy  TheDropper
> > </Handler>
> >
> >
> > # Main handler
> > <Handler Request-Type=Accounting-Request>
> >
> >         # this is the one giving trouble...
> >         PostAuthHook            file:"/export/home/radiator/discard_response.pl"
> >         AuthBy                  Acct-Handler
> > </Handler>
> >
> >
> > To test, I use
> >
> > $ radpwtst -iterations 1 -s 127.0.0.1 -secret secret -noauth Timestamp=1234567890
> > sending Accounting-Request Start...
> > OK
> > sending Accounting-Request Stop...
> > OK
> >
> > But the trace shows
> > ...
> > Sun Sep 28 23:34:03 2003: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
> > Sun Sep 28 23:34:03 2003: DEBUG:  Adding session for mikem, 203.63.154.1, 1234
> > Sun Sep 28 23:34:03 2003: DEBUG: Handling with Radius::AuthSQL
> > Sun Sep 28 23:34:03 2003: DEBUG: Handling accounting with Radius::AuthSQL
> > Sun Sep 28 23:34:03 2003: DEBUG: do query is: 'insert into ACCOUNTING_CISCO (time_stamp,NAS_Port_Type,NAS_IP_Address,Calling_Station_Id,Acct_Status_Type,User_Name,Acct_Session_Id,Called_Station_Id,Service_Type,Acct_Delay_Time) values ('1234567890','Async','203.63.154.1','987654321','Start','mikem','00001234','123456789','Framed-User','0')':
> >
> > Sun Sep 28 23:34:04 2003: DEBUG: Response IGNORED
> > Sun Sep 28 23:34:04 2003: DEBUG: Accounting accepted
> > Sun Sep 28 23:34:04 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 33804 ....
> > Code:       Accounting-Response
> > Identifier: 108
> > Authentic:  <5>P<154><218><183><181><135><28>/.<140><142>77<251><250>
> > Attributes:
> >
> > So the hook says it set the reply to IGNORE, but then the handler is
> > accepting it anyway?
> > cl.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
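
The difference between the two assignments discussed in this thread, as a stand-alone Perl sketch added here (it is not from the original messages and is not Radiator code). `run_hook`, the placeholder packets and the numeric result codes are hypothetical stand-ins for the server's caller and its ACCEPT/IGNORE results.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in result codes. The numeric values are made up for this demo
# and are not taken from Radiator.
use constant { ACCEPT => 0, IGNORE => 2 };
my %name = (ACCEPT, 'ACCEPT', IGNORE, 'IGNORE');

# Hook as first posted: assigns to the local copy of the reference.
my $broken_hook = sub {
    my $handled = $_[2];     # $handled holds a reference to the caller's flag
    $handled = IGNORE;       # overwrites the local scalar; caller's flag untouched
    return;
};

# Hook as corrected in the reply: writes through the reference.
my $fixed_hook = sub {
    my $handled = $_[2];
    # Defensive check (an addition for this demo): fail loudly if the
    # third argument is not a scalar reference.
    die "third hook argument is not a scalar reference\n"
        unless ref($handled) eq 'SCALAR';
    $$handled = IGNORE;      # dereference, then assign: caller sees the change
    return;
};

# Hypothetical caller: passes references to request, reply and result,
# which is the calling convention both hooks in the thread assume.
sub run_hook {
    my ($hook) = @_;
    my ($p, $rp) = ({}, {}); # constructed placeholder packets
    my $handled = ACCEPT;    # result before the hook runs
    $hook->(\$p, \$rp, \$handled);
    return $handled;         # what the caller would act on
}

for my $case (['broken', $broken_hook], ['fixed', $fixed_hook]) {
    my ($label, $hook) = @$case;
    my $result = run_hook($hook);
    printf "%-6s hook: caller sees %s, reply %s\n",
        $label, $name{$result},
        $result == IGNORE ? 'suppressed' : 'still sent';
}
```

With the first form the hook can log "Response IGNORED" while the caller's flag never changes, which matches the trace in the quoted message where the Accounting-Response is still sent.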

