(RADIATOR) How to do conditions based on AVpair?

Hugh Irvine hugh at open.com.au
Thu Aug 5 17:38:42 CDT 2004


Hello Jan -

You will need to use a ReplyHook in the AuthBy RADIUS clause and either 
hard-wire the reply attributes or call another AuthBy clause.

There is an example ReplyHook in the file "goodies/hooks.txt" in the 
Radiator 3.9 distribution.

This topic has also been discussed on the mailing list:

	www.open.com.au/archives/radiator

regards

Hugh


On 6 Aug 2004, at 01:09, Jan Tomasek wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi David,
>
>> Try to add "AddToReplyIfNotExist" if it will not contain it.
>> But if it will contain some unknown value, maybe it is better to delete this
>> attribute (StripFromRequest) and add a new one (AddToRequest) based on some
>> other ID parameter (@realm, IP, etc.) - that's my first idea...
>
> The problem is that I need to somehow safely recognize and handle testing
> accounts.
>
> At the local radius I'm using this code:
> <AuthBy LDAP2>
>         Identifier      CheckLDAP
>         [...]
>         AuthAttrDef     radiusTunnelPrivateGroupID,\
>                         Tunnel-Private-Group-ID,\
>                         reply
>         AuthAttrDef     radiusTunnelAssignmentID,\
>                         Tunnel-Assignment-ID,\
>                         reply
>
>         [...]
>         AllowInReply            Tunnel-Private-Group-ID,Tunnel-Assignment-ID
>         AddToReplyIfNotExist    Tunnel-Private-Group-ID=1:100
>         AddToReply              Tunnel-Type=1:VLAN,\
>                                 Tunnel-Medium-Type=1:Ether_802
> </AuthBy>
>
> That works perfectly for LOCAL testing accounts (testing accounts for
> testing the radius infrastructure). But if the access-accept packet from
> our local radius is proxied somewhere, they will more likely drop our
> Tunnel-Private-Group-ID used for putting users into the right VLAN,
> because they will be using a different number. So we decided to use an
> additional AV pair for easy identification of testing accounts.
>
> So I need some code in this handler:
>
> <Handler>
>         <AuthBy RADIUS>
>                 <Host radius1.eduroam.cz>
>                         AuthPort        1812
>                         AcctPort        1813
>                         Secret          xxx
>                 </Host>
>                 <Host radius2.eduroam.cz>
>                         AuthPort        1812
>                         AcctPort        1813
>                         Secret          xxx
>                 </Host>
>         </AuthBy>
>
> 	AllowInReply
> 	AddToReply	Tunnel-Type=1:VLAN,\
> 			Tunnel-Medium-Type=1:Ether_802,\
> 			Tunnel-Private-Group-ID=1:100
> </Handler>
>
> which will recognize those testing accounts and put them in a different
> (non-working) VLAN than the users which should be placed into 100.
>
> I hope it's clearer now. But I'm still clueless about how to get it
> working :)
>
> Thanks for your time
> - --
> - --------------------------------------------------------------
> Jan Tomasek aka Semik           work: CESNET, z.s.p.o.
> http://www.tomasek.cz/                Zikova 4, 160 00 Praha 6
>                                       Czech Republic
> phone(work): +420 2 2435 5279         http://www.cesnet.cz/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBEk3F79++DGvj6tMRAhEJAJ9r1XKvFNkuCelYCruQyngD/FURUwCfQbhq
> jw6OxS0V5dtNWn1i7WKtcZA=
> =gbXZ
> -----END PGP SIGNATURE-----
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
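Hugh's suggestion in working form, as an added example for this archive page: it is not code from the post, from goodies/hooks.txt or from CESNET. It is a ReplyHook for the AuthBy RADIUS clause that hard-wires the reply attributes, the first of Hugh's two options. The marker attribute (Class = eduroam-test), the non-working VLAN number 999, the file name and the file: form of loading the hook are assumptions; the hook calling convention (remote reply, reply for the NAS, original request, AuthBy object) is the one documented in goodies/hooks.txt.

```perl
# test-vlan-hook.pl  (added example; assumptions marked below)
#
# Load it from the proxying AuthBy RADIUS clause, e.g.
#
#   <AuthBy RADIUS>
#       <Host radius1.eduroam.cz> ... </Host>
#       <Host radius2.eduroam.cz> ... </Host>
#       ReplyHook file:"%D/test-vlan-hook.pl"     # path is an assumption
#   </AuthBy>
#
# Radiator calls the hook with:
#   ${$_[0]}  the reply packet received from the remote server
#   ${$_[1]}  the reply packet being built for the NAS
#   ${$_[2]}  the original request from the NAS
#   $_[3]     the AuthBy RADIUS object
sub {
    my ($remote_ref, $reply_ref, $request_ref, $authby) = @_;
    my $remote_reply = $$remote_ref;
    my $reply        = $$reply_ref;
    my $request      = $$request_ref;

    # Only an Access-Accept gets VLAN attributes; leave rejects and
    # challenges untouched.
    return unless $reply->code eq 'Access-Accept';

    # Assumption: the home server marks its testing accounts with
    # Class = eduroam-test. Any attribute that survives proxying would do;
    # the name and value here are ours, not from the post. The marker is
    # only as trustworthy as the proxy path that delivered the reply.
    my $class   = $remote_reply->get_attr('Class');
    my $is_test = (defined $class && $class eq 'eduroam-test') ? 1 : 0;

    # Never keep a VLAN assignment chosen by the remote server: whatever
    # Tunnel-* attributes it sent refer to its own VLAN numbering.
    foreach my $name (qw(Tunnel-Type Tunnel-Medium-Type Tunnel-Private-Group-ID)) {
        $reply->delete_attr($name);
    }

    # Testing accounts go to an assumed non-working VLAN (999), everybody
    # else to the production VLAN 100 from the quoted configuration.
    my $vlan = $is_test ? 999 : 100;
    $reply->add_attr('Tunnel-Type',             '1:VLAN');
    $reply->add_attr('Tunnel-Medium-Type',      '1:Ether_802');
    $reply->add_attr('Tunnel-Private-Group-ID', "1:$vlan");

    &main::log($main::LOG_DEBUG,
        'ReplyHook: ' . $request->getUserName()
        . ($is_test ? ' is a testing account' : ' is a normal user')
        . ", assigned VLAN $vlan");
}
```

With the hook setting the Tunnel-* attributes, the Handler-level AllowInReply and AddToReply lines from the quoted configuration should go, otherwise the Handler's own processing of the reply can undo or duplicate what the hook set. A trace 4 debug run, as Hugh asks for, shows both the attributes in the reply from radius1/radius2.eduroam.cz and the rewritten reply sent to the NAS, which is the quickest way to confirm the marker is actually arriving.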
