(RADIATOR) Chaining AuthBy RADIUS

Frank Danielson fdanielson at csky.com
Thu Jul 8 13:05:13 CDT 2004


I recently had a requirement given to me to check a remote radius server for
initial authentication before proxying a request to the server we normally
do. The idea is that if the first server denies the user, they are denied,
but if it accepts it we go on to the next server and check there. There are
a few examples available in the mailing list archives and the hooks.txt
about calling another AuthBy in a NoReplyHook but not much I could find
about using it in a ReplyHook.
So I took the example hook and implemented a ReplyHook to authenticate the
call after the response from the first RADIUS server. The problem I ran into
was that Radiator would send a response after the initial reply and then
another after the second round of authentication. After some thought I
realized that I need to get Radiator to ignore the response from the initial
server so that the second one could respond. This is what I came up with,
since I couldn't find my answer in the mailing list archives I hope someday
someone will find this useful.

<AuthBy RADIUS>
        Identifier first_radius
        Host YYY.YYY.YYY.YYY
        UseExtendedIds
        Secret abc123
        AuthPort 1645
        AcctPort 1646
        IgnoreAccountingResponse
        StripFromReply Class
        ReplyHook sub { my $code = ${$_[0]}->code;\
                        if ($code eq 'Access-Accept' or $code eq 'Accounting-Response') {\
                            my $authby = Radius::AuthGeneric::find("second_radius");\
                            $authby->handle_request(${$_[2]}, ${$_[1]});\
                            ${$_[0]}->set_code('Accounting-Response');\
                        }\
                }
</AuthBy>

<AuthBy RADIUS>
        Identifier second_radius
        Host XXX.XXX.XXX.XXX
        UseExtendedIds
        Secret abc123
        AuthPort 1812
        AcctPort 1813
</AuthBy>

<Handler>
        AuthBy first_radius
</Handler>

The idea is that the Handler sends the request to the first RADIUS server
and if the request is denied, an Access-Reject is sent to the NAS and all is
done. If the first RADIUS server accepts the call it is passed on to the
second RADIUS server. In order to do this I had to use
IgnoreAccountingResponse and then change the reply code in the original
packet to 'Accounting-Response' for responses I wanted to be handled by the
second RADIUS server.

Frank Danielson
Infrastructure Architect

ClearSky Mobile Media
56 E. Pine St.
Orlando, FL 32801
USA
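A constructed Python model of the two-server chain described in this post, added here as an illustration; it is not Radiator code and not the author's configuration. The fake servers, the allow-lists and the User-Name values are assumptions; what it shows is why the first server's Access-Accept has to be rewritten to a code that IgnoreAccountingResponse discards, so that the NAS receives exactly one reply per request.

```python
# Constructed model of the chain in the post: first_radius answers, and only
# on Access-Accept is the request handed to second_radius. The NAS is modelled
# as a list collecting every reply that reaches it. Not Radiator code.

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"
IGNORED = "Accounting-Response"   # code the ReplyHook rewrites the first reply to


def make_server(allowed_users):
    """Fake RADIUS server (assumed): accepts only users on its allow-list."""
    def handle(request):
        return ACCEPT if request["User-Name"] in allowed_users else REJECT
    return handle


def chain(first, second, request, suppress_first_reply=True):
    """Run one request through first, then (on accept) second.

    Returns the reply codes that reach the NAS, in order. With
    suppress_first_reply=False the model reproduces the double-reply problem
    the post describes: the first server's accept is sent, then the second
    server's verdict follows as a second reply to the same request.
    """
    nas = []
    code = first(request)             # reply from first_radius
    if code == REJECT:
        nas.append(code)              # denied: reject the NAS, second never asked
        return nas
    # ReplyHook branch for Access-Accept: forward the same request to
    # second_radius, then rewrite the first reply's code so that
    # IgnoreAccountingResponse drops it instead of sending it to the NAS.
    second_code = second(request)
    if suppress_first_reply:
        code = IGNORED                # set_code('Accounting-Response')
    if code != IGNORED:
        nas.append(code)              # bug path: extra reply goes out first
    nas.append(second_code)           # only the second server's verdict should
    return nas


if __name__ == "__main__":
    first = make_server({"alice", "bob"})      # constructed allow-lists
    second = make_server({"alice", "carol"})
    for user in ("alice", "bob", "carol"):
        print(user, chain(first, second, {"User-Name": user}))
```

Both servers must accept for the NAS to see Access-Accept; a reject from either yields a single Access-Reject.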
