(RADIATOR) AuthBy INTERNAL: AddToReply doesn't work with AuthHook

Roy Badami roy.badami at globalgraphics.com
Tue Aug 31 10:31:56 CDT 2004


When using an AuthHook in an AuthBy INTERNAL clause, AddToReply isn't
honoured.

It seems to be because hookResult in AuthINTERNAL.pm doesn't call
adjustReply.

I've worked around it by adding the relevant items in the AuthHook
instead, but is this a bug?

Relevant sections of the config and trace 4 below.

       -roy

------------------------------------------------------------------------
radius.cfg

Foreground
LogStdout
LogDir          .
DbDir           .
# Use a lower trace level in production systems:
Trace           4
 
 
# c2-hall
<Client 172.16.16.2>
        Secret mysecret
        Identifier cisco-ios-vpn
</Client>

# The IOS box does group authorization by means of a RADIUS Access-Request
# with User-Name set to the group name (in our case the group name is
# always the same as the user name) and User-Password of cisco
# and Service-Type of Outbound-User
 
<Handler Client-Identifier=cisco-ios-vpn, Service-Type=Outbound-User>
 
        PreAuthHook file:"/u/ldisk/roy/config/grouphook.pl"
 
        <AuthBy INTERNAL>
                AuthHook file:"/u/ldisk/roy/config/ikekeyhook.pl"
                AddToReply cisco-avpair="ipsec:key-exchange=ike",cisco-avpair="ipsec:dns-servers=172.16.16.8 172.16.16.9",cisco-avpair="ipsec:wins-servers=172.16.16.12",cisco-avpair="ipsec:addr-pool=ippool",cisco-avpair="ipsec:inacl=155"
        </AuthBy>
 
</Handler>

------------------------------------------------------------------------
grouphook.pl
# This hook reads a Unix-style group file and adds GGS-Group
# attributes to the request so they can be checked by subsequent hooks
sub
{
    # A PreAuthHook receives references to the request and reply packets
    my $p = ${$_[0]};
    my $user = $p->get_attr('User-Name');
    return unless defined $user;
    my $fh;
    # Log and give up if the group file cannot be read. No GGS-Group
    # attributes are added, so the AuthHook that follows rejects the user.
    unless (open($fh, '<', '/u/ldisk/roy/config/group')) {
        &main::log($main::LOG_ERR, "Could not open group file: $!");
        return;
    }
    while (<$fh>) {
        chomp;
        next if /^#/;
        # Unix group format: groupname:password:gid:member1,member2,...
        if (/^([^:]+):[^:]*:[^:]*:(.*)/) {
            $p->add_attr('GGS-Group', $1) if grep { $_ eq $user } split(',', $2);
        }
    }
    close $fh;
}


------------------------------------------------------------------------
ikekeyhook.pl

sub
{
    # An AuthHook receives the request packet and the reply packet
    my $p = $_[0];
    my $rp = $_[1];
    my $user = $p->get_attr('User-Name');
    my $pass = $p->decodedPassword;
    my $key;
    return $main::REJECT unless defined $user;
    # Sanity check: password in the request should always be cisco
    return $main::REJECT unless defined $pass && $pass eq 'cisco';
    # Reject unless user is a member of vpn group
    return $main::REJECT unless grep { $_ eq 'vpn' } $p->get_attr('GGS-Group');
    # Search for key in ike-key file; an unreadable file means no key, so reject
    my $fh;
    unless (open($fh, '<', '/u/ldisk/roy/config/ike-key')) {
        &main::log($main::LOG_ERR, "Could not open ike-key file: $!");
        return $main::REJECT;
    }
    while (<$fh>) {
        chomp;
        next if /^#/;
        # ike-key format: username:key
        if (/^([^:]+):(.*)/ && $1 eq $user) {
            $key = $2;
            last;
        }
    }
    close $fh;
    # If we found a key, copy it to the Tunnel-Password attribute and ACCEPT
    # If no key set, then reject
    if (defined $key && length $key) {
        $rp->add_attr('Tunnel-Password', $key);
        return $main::ACCEPT;
    } else {
        return $main::REJECT;
    }
}

------------------------------------------------------------------------

[@watson:config]# ../bin/radiusd -config_file radius.cfg
Tue Aug 31 15:45:52 2004: DEBUG: Reading users file /u/ldisk/roy/config/users
Tue Aug 31 15:45:52 2004: DEBUG: Reading users file /u/ldisk/roy/config/users-mac
Tue Aug 31 15:45:52 2004: DEBUG: Finished reading configuration file 'radius.cfg'
This Radiator license will expire on 2005-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact admin at open.com.au
 
Tue Aug 31 15:45:52 2004: DEBUG: Reading dictionary file './dictionary'
Tue Aug 31 15:45:52 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Aug 31 15:45:52 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Aug 31 15:45:52 2004: NOTICE: Server started: Radiator 3.9 on watson (LOCKED)
Tue Aug 31 15:46:04 2004: DEBUG: Packet dump:
*** Received from 172.16.16.2 port 1645 ....
Code:       Access-Request
Identifier: 1
Authentic:  <239><194>Qw'<28>gc<236><12><236>.<206><183><5><19>
Attributes:
        NAS-IP-Address = 172.16.16.2
        NAS-Port = 500
        NAS-Port-Type = Virtual
        User-Name = "roy"
        Calling-Station-Id = "62.188.17.68"
        User-Password = "<144><202><251>U<169><193><216><188>M<202>i<20>W<153><9>'"
        Service-Type = Outbound-User
 
Tue Aug 31 15:46:04 2004: DEBUG: Handling request with Handler 'Client-Identifier=cisco-ios-vpn, Service-Type=Outbound-User'
Tue Aug 31 15:46:04 2004: DEBUG:  Deleting session for roy, 172.16.16.2, 500
Tue Aug 31 15:46:04 2004: DEBUG: Handling with AuthINTERNAL:
roy:cisco
Searching for key
Key:9daddFqCxcdvhutYrxAfWS3kdEZz9U4
Tue Aug 31 15:46:04 2004: DEBUG: Access accepted for roy
Tue Aug 31 15:46:04 2004: DEBUG: Packet dump:
*** Sending to 172.16.16.2 port 1645 ....
Code:       Access-Accept
Identifier: 1
Authentic:  <239><194>Qw'<28>gc<236><12><236>.<206><183><5><19>
Attributes:
        Tunnel-Password = "mypassword"

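The workaround mentioned in the post (putting the attributes that AddToReply should have supplied into the AuthHook itself), written out as an added example. This is not code from the post or from Radiator: it assumes the Radius::Radius methods the hooks above already use (get_attr, add_attr, decodedPassword) and the $main::ACCEPT / $main::REJECT result codes, whose numeric values here are assumed only so the script can run outside radiusd. FakePacket is a constructed stand-in for the packet object, and the ike-key file is replaced by an in-memory hash with a constructed key, so the file runs directly with perl as a dry run of the hook's decision logic and reply contents.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for Radius::Radius with only the methods the hook needs.
package FakePacket;
sub new {
    my ($class, %args) = @_;
    return bless { attrs => [], pw => $args{password} }, $class;
}
sub add_attr { my ($self, $name, $value) = @_; push @{ $self->{attrs} }, [ $name, $value ]; }
sub get_attr {
    my ($self, $name) = @_;
    my @vals = map { $_->[1] } grep { $_->[0] eq $name } @{ $self->{attrs} };
    return wantarray ? @vals : $vals[0];   # all values in list context, first in scalar
}
sub decodedPassword { return $_[0]->{pw} }
sub attrs { return @{ $_[0]->{attrs} } }

package main;
# Radiator defines these; the values are assumed here for the stand-alone run.
our ($ACCEPT, $REJECT) = (0, 1);

# The reply items the post's AddToReply line would have added (same values as the config).
my @ike_reply = (
    'ipsec:key-exchange=ike',
    'ipsec:dns-servers=172.16.16.8 172.16.16.9',
    'ipsec:wins-servers=172.16.16.12',
    'ipsec:addr-pool=ippool',
    'ipsec:inacl=155',
);

# Constructed replacement for the ike-key file: username => key.
my %ike_key = ( roy => 'EXAMPLE-KEY-NOT-REAL' );

# The AuthHook body. Same checks as ikekeyhook.pl, plus the reply attributes
# added explicitly because AddToReply is not applied after an AuthHook.
my $auth_hook = sub {
    my ($p, $rp) = @_;
    my $user = $p->get_attr('User-Name');
    my $pass = $p->decodedPassword;
    return $main::REJECT unless defined $user && defined $pass && $pass eq 'cisco';
    return $main::REJECT unless grep { $_ eq 'vpn' } $p->get_attr('GGS-Group');
    return $main::REJECT unless exists $ike_key{$user};
    $rp->add_attr('Tunnel-Password', $ike_key{$user});
    # Workaround: only a successful authentication gets the IPsec settings.
    $rp->add_attr('cisco-avpair', $_) for @ike_reply;
    return $main::ACCEPT;
};

# Dry run helper: build a request like the one in the trace and show the reply.
sub dry_run {
    my ($user, @groups) = @_;
    my $req = FakePacket->new(password => 'cisco');
    $req->add_attr('User-Name', $user);
    $req->add_attr('GGS-Group', $_) for @groups;
    my $rep = FakePacket->new;
    my $result = $auth_hook->($req, $rep);
    printf "%s: %s\n", $user, $result == $main::ACCEPT ? 'Access-Accept' : 'Access-Reject';
    printf "        %s = \"%s\"\n", @$_ for $rep->attrs;
}

dry_run('roy', 'staff', 'vpn');   # member of vpn with a key: accept, six reply attributes
dry_run('roy', 'staff');          # not in vpn: reject, reply stays empty
dry_run('bob', 'vpn');            # in vpn but no key: reject, reply stays empty
```

The reject paths return before anything is added to the reply, so a failed lookup never leaks partial IPsec settings; a verifier reading the Access-Accept dump should now see the five cisco-avpair attributes alongside Tunnel-Password, which the trace above shows missing when AddToReply alone is relied on.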