(RADIATOR) How to do conditions based on AVpair?
Hugh Irvine
hugh at open.com.au
Thu Aug 5 17:38:42 CDT 2004
Hello Jan -
You will need to use a ReplyHook in the AuthBy RADIUS clause and either
hard-wire the reply attributes or call another AuthBy clause.
There is an example ReplyHook in the file "goodies/hooks.txt" in the
Radiator 3.9 distribution.
This topic has also been discussed on the mailing list:
www.open.com.au/archives/radiator
regards
Hugh
On 6 Aug 2004, at 01:09, Jan Tomasek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi David,
>
>> try adding "AddToReplyIfNotExist" if it will not contain one.
>> But if it will contain some unknown value, maybe it is better to delete this
>> attribute (StripFromRequest) and add a new one (AddToRequest) based on some
>> other ID parameter (@realm, IP, etc.) - that's my first idea...
>
> Problem is that I need to somehow safely recognize and handle testing
> accounts.
>
> At the local radius I'm using this code:
> <AuthBy LDAP2>
> Identifier CheckLDAP
> [...]
> AuthAttrDef radiusTunnelPrivateGroupID,\
> Tunnel-Private-Group-ID,\
> reply
> AuthAttrDef radiusTunnelAssignmentID,\
> Tunnel-Assignment-ID,\
> reply
>
> [...]
> AllowInReply
> Tunnel-Private-Group-ID,Tunnel-Assignment-ID
> AddToReplyIfNotExist Tunnel-Private-Group-ID=1:100
> AddToReply Tunnel-Type=1:VLAN,\
> Tunnel-Medium-Type=1:Ether_802
> </AuthBy>
>
> That works perfectly for LOCAL testing accounts (testing accounts for
> testing the radius infrastructure). But if the access-accept packet from
> our local radius is proxied somewhere, they will more likely drop our
> Tunnel-Private-Group-ID used for putting users into the right VLAN,
> because they will be using a different number. So we decided to use an
> additional AV pair for easy identification of testing accounts.
>
> So I need some code in this handler:
>
> <Handler>
> <AuthBy RADIUS>
> <Host radius1.eduroam.cz>
> AuthPort 1812
> AcctPort 1813
> Secret xxx
> </Host>
> <Host radius2.eduroam.cz>
> AuthPort 1812
> AcctPort 1813
> Secret xxx
> </Host>
> </AuthBy>
>
> AllowInReply
> AddToReply Tunnel-Type=1:VLAN,\
> Tunnel-Medium-Type=1:Ether_802,\
> Tunnel-Private-Group-ID=1:100
> </Handler>
>
> Which will recognize those testing accounts and put them in a different
> (non-working) VLAN than users which should be placed into 100.
>
> I hope it's clearer now. But I'm still clueless how to get it
> working :)
>
> Thanks for your time
> - --
> - --------------------------------------------------------------
> Jan Tomasek aka Semik work: CESNET, z.s.p.o.
> http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
> Czech Republic
> phone(work): +420 2 2435 5279 http://www.cesnet.cz/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBEk3F79++DGvj6tMRAhEJAJ9r1XKvFNkuCelYCruQyngD/FURUwCfQbhq
> jw6OxS0V5dtNWn1i7WKtcZA=
> =gbXZ
> -----END PGP SIGNATURE-----
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
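The following is an added example of the ReplyHook Hugh refers to; it is not from this thread, from goodies/hooks.txt, or from Radiator itself. It is written for the <AuthBy RADIUS> in Jan's Handler and follows the argument order documented for ReplyHook in the Radiator reference manual (check your version's manual, since that is assumed here): the reply received from the remote server, the reply being built for the NAS, the original request, the forwarded request, and the Radius::Host object. The marker that identifies a testing account is a constructed convention (Class = "testing"), the "non-working" VLAN number 999 is a placeholder, and the file name and the ReplyHook file:"..." wiring are assumptions to be checked against the manual.

```perl
# vlan-replyhook.pl (assumed file name). Wire it into the AuthBy RADIUS clause
# with something like (assumed syntax, see the Radiator reference manual):
#     ReplyHook file:"%D/vlan-replyhook.pl"
#
# Radiator calls the hook after a reply arrives from the remote (home) server
# and before it is relayed to the NAS. Argument order assumed from the manual:
#   $_[0]  ref to the reply received from the remote server
#   $_[1]  ref to the reply being constructed for the NAS
#   $_[2]  ref to the original request from the NAS
#   $_[3]  ref to the request that was forwarded (unused here)
#   $_[4]  the Radius::Host the reply came from (unused here)
sub {
    my ($remote_reply, $reply, $request) = map { $$_ } @_[0..2];

    # Only an Access-Accept carries a VLAN assignment; leave rejects and
    # challenges untouched.
    return unless $remote_reply->code eq 'Access-Accept';

    # CONSTRUCTED convention: the home server marks testing accounts with
    # Class = "testing". Substitute the AV pair your home server really sends.
    my $class   = $remote_reply->get_attr('Class');
    my $is_test = (defined $class && $class eq 'testing') ? 1 : 0;

    # Do not trust a VLAN assignment chosen by a foreign server: strip any
    # tunnel attributes it sent back, then set our own below.
    foreach my $attr (qw(Tunnel-Type Tunnel-Medium-Type
                         Tunnel-Private-Group-ID Tunnel-Assignment-ID)) {
        $reply->delete_attr($attr);
    }

    # Real users go to VLAN 100 as in Jan's config; testing accounts go to a
    # placeholder non-working VLAN (999 here, choose your own).
    my $vlan = $is_test ? '999' : '100';

    # Tagged attribute values use the same "tag:value" form as Jan's config.
    $reply->add_attr('Tunnel-Type',             '1:VLAN');
    $reply->add_attr('Tunnel-Medium-Type',      '1:Ether_802');
    $reply->add_attr('Tunnel-Private-Group-ID', "1:$vlan");

    # Leave a trace so a "trace 4" debug shows which path each user took.
    my $user = $request->get_attr('User-Name');
    $user = '(unknown)' unless defined $user;
    &main::log($main::LOG_DEBUG,
               "ReplyHook: $user placed in VLAN $vlan (test account: "
               . ($is_test ? 'yes' : 'no') . ')');
    return;
}
```

Because the hook sets Tunnel-Private-Group-ID itself, the Handler-level AddToReply line that adds Tunnel-Private-Group-ID=1:100 should be dropped, otherwise the reply can end up carrying two VLAN assignments; the Handler can keep adding Tunnel-Type and Tunnel-Medium-Type if you prefer to remove those two add_attr calls from the hook instead.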