Is: Split Horizon Was: (RADIATOR) PreProxyHook
Rok Papez
rok.papez at arnes.si
Wed Dec 8 06:05:16 CST 2004
Hello Hugh and others :).
On Saturday 20 November 2004 00:44 you wrote:
> Normally the proxy target is defined by a Realm or Handler clause and
> hence a PreProcessingHook or PreAuthHook makes sense in that context.
Actually you need access to the AuthRADIUS object so you can
check the Hosts variables.
>
> Your previous mail does not mention how you are selecting the proxy
> target?
Like this:
# ----------------------
# some.org.tld
# ----------------------
<Client 10.1.1.1>
Identifier some.org.tld
Secret secret
</Client>
<Handler Realm=/^some\.org\.tld$|^.*\.some\.org\.tld$/>
<AuthBy RADIUS>
Host 10.1.1.1
Secret secret
AuthPort 1812
AcctPort 1813
OutPort 1814
StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, NAS-IP-Address
SplitHorizon
</AuthBy>
</Handler>
======================================================
I've implemented split horizon, so if a proxied request is sent to the
same host group it came from, the request is rejected. The
code below unfortunately won't work for a host with multiple
RADIUS servers.
This patch is the most elegant way I managed to implement it.
Feel free to review/use it.
--- AuthRADIUS.pm.orig Mon Dec 6 14:49:09 2004
+++ AuthRADIUS.pm.tmp Tue Dec 7 15:33:56 2004
@@ -43,6 +43,7 @@
'UseExtendedIds' => 'flag',
'ClearTextTunnelPassword' => 'flag',
'AllowInRequest' => 'string',
+ 'SplitHorizon' => 'flag',
);
# This is a hash of requests for which we are awaiting replies
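Review bot: the new 'SplitHorizon' => 'flag' entry is added to the keyword table without any documentation of what the flag does; a short comment here, or an entry in the AuthBy RADIUS documentation, stating that it rejects requests whose source address matches one of the configured Hosts would let operators understand the "Radius loop detected" rejection when it appears in the log.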
@@ -147,6 +148,25 @@
my ($self, $p, $dummy, $extra_checks) = @_;
$self->log($main::LOG_DEBUG, "Handling with Radius::AuthRADIUS", $p);
+
+ # Split Horizon check
+ # Check if we received from one of the servers we are sending to. Unfortunately
+ # becouse OutPort is not set, we can't include it in a check.
+ if($self->{SplitHorizon}) {
+ my $hostTo;
+ my $hostToAddx;
+
+ foreach $hostTo (@{$self->{Hosts}}) {
+ foreach $hostToAddx (@{$hostTo->{Address}}) {
+ if ($hostToAddx == $p->{RecvFromAddress}) {
+ $self->log($main::LOG_WARNING, "SplitHorizon - Radius loop detected. Req from: " .
+ Radius::Util::inet_ntop($p->{RecvFromAddress}) .
+ " loops back.");
+ return ($main::REJECT, "SplitHorizon - Radius loop detected");
+ }
+ }
+ }
+ }
# Now we might fork before processing the request
# Should only do this for "slow" authentication methods
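Review bot: the comparison `$hostToAddx == $p->{RecvFromAddress}` uses numeric ==, but the same hunk treats RecvFromAddress as a packed binary address (it is passed to Radius::Util::inet_ntop for the log message); numeric comparison of two such byte strings does not compare the addresses, so this should be `eq` (string comparison), which is also the right operator if the Hosts addresses are stored as text. As the comment itself notes, the check compares addresses only and cannot take OutPort into account, which is worth stating next to the SplitHorizon flag. The typo "becouse" in the comment should also be fixed before merging.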
--
Best regards,
Rok Papež.
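As an added example (not part of Rok's patch or of Radiator's own code), the following Python model reproduces the split-horizon rule described above and shows what it prevents: two proxies that forward the same realm to each other bounce a request between themselves until a hop limit is hit, while with the check enabled the second proxy rejects the request on its first arrival. Host, Server, split_horizon_check, proxy and demo are hypothetical names; addresses are held as packed inet_pton bytes, mirroring the RecvFromAddress the patch compares against, and the NAS and server addresses are constructed.

```python
import socket
from dataclasses import dataclass, field

REJECT, ACCEPT = "REJECT", "ACCEPT"


def pack(addr: str) -> bytes:
    """Pack a textual IPv4/IPv6 address into its binary (inet_pton) form."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    return socket.inet_pton(family, addr)


def unpack(packed: bytes) -> str:
    """Inverse of pack(), used only for the log message."""
    family = socket.AF_INET6 if len(packed) == 16 else socket.AF_INET
    return socket.inet_ntop(family, packed)


@dataclass
class Host:
    """Stand-in for one Host line of an AuthBy RADIUS clause (hypothetical)."""
    name: str
    addresses: list  # packed addresses the host name resolves to


@dataclass
class Server:
    """Stand-in for one Radiator instance: its own address and its proxy targets."""
    name: str
    address: bytes
    targets: list = field(default_factory=list)  # Host objects
    split_horizon: bool = False


def split_horizon_check(targets, recv_from: bytes, enabled: bool = True):
    """The patch's rule: refuse to proxy a request that arrived from an
    address we would forward it to. Returns (verdict, reason)."""
    if not enabled:
        return ACCEPT, None
    for host in targets:
        for packed in host.addresses:
            # Compare the packed byte strings exactly (in Perl: eq, not ==).
            if packed == recv_from:
                reason = ("SplitHorizon - Radius loop detected. Req from: "
                          f"{unpack(recv_from)} loops back (host {host.name})")
                return REJECT, reason
    return ACCEPT, None


def proxy(network, server, recv_from: bytes, hop: int = 0, max_hop: int = 8):
    """Simulate a request arriving at `server` from `recv_from` and being
    proxied along the first target. Returns (outcome, hops): REJECT when
    split horizon fires, "LOOP" when the hop limit is hit, "DELIVERED" when
    the request leaves the simulated network."""
    if hop >= max_hop:
        return "LOOP", hop
    verdict, _reason = split_horizon_check(server.targets, recv_from, server.split_horizon)
    if verdict == REJECT:
        return REJECT, hop
    next_addr = server.targets[0].addresses[0]
    next_server = network.get(next_addr)
    if next_server is None:
        return "DELIVERED", hop + 1
    # The next server sees the request as coming from this server's address.
    return proxy(network, next_server, server.address, hop + 1, max_hop)


def demo(split_horizon: bool):
    """Constructed scenario: server A proxies realm some.org.tld to B, and B is
    misconfigured to proxy the same realm back to A. A NAS sends A the request."""
    a = Server("A", pack("10.1.1.1"), split_horizon=split_horizon)
    b = Server("B", pack("10.2.2.2"), split_horizon=split_horizon)
    a.targets = [Host("b.some.org.tld", [b.address])]
    b.targets = [Host("a.example.net", [a.address])]
    network = {a.address: a, b.address: b}
    nas = pack("192.0.2.50")  # constructed NAS address
    return proxy(network, a, nas)


if __name__ == "__main__":
    print("without SplitHorizon:", demo(False))  # ('LOOP', 8)
    print("with SplitHorizon:   ", demo(True))   # ('REJECT', 1)
```

As in the patch, the check compares addresses only, so a request from 10.1.1.1 handled by an AuthBy RADIUS whose Host is 10.1.1.1 (the configuration shown above) is rejected before it is forwarded; ports are not part of the comparison.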
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.