(RADIATOR) Chaining AuthBy RADIUS
Frank Danielson
fdanielson at csky.com
Fri Jul 9 11:20:09 CDT 2004
I'm going to be out of town the next couple of weeks but will definitely
check it out and report the results when I get back. Thanks for help.
-Frank
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, July 09, 2004 12:28 AM
To: Frank Danielson
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Chaining AuthBy RADIUS
Hi Frank -
Interesting problem - neat solution.
In thinking about this a bit more and with some subsequent discussion
with Mike, we have now added a bit of code in AuthRADIUS.pm that checks
the value of $op->{RadiusResult} after the ReplyHook is run. This means
that you can do this in your hook code:
$op->{RadiusResult} = $main::IGNORE;
and the overall result of the first AuthBy RADIUS will be IGNORE (or
whatever you set it to).
Perhaps you could download the latest Radiator 3.9 patches and test
this for us?
Thanks for the idea - please let us know how you get on.
regards
Hugh
On 9 Jul 2004, at 04:05, Frank Danielson wrote:
> I recently had a requirement given to me to check a remote radius
> server for
> initial authentication before proxying a request to the server we
> normally
> do. The idea is that if the first server denies the user, they are
> denied,
> but if it accepts it we go on to the next server and check there.
> There are
> a few examples available in the mailing list archives and the hooks.txt
> about calling another AuthBy in a NoReplyHook but not much I could find
> about using it in a ReplyHook.
> So I took the example hook and implented a ReplyHook to authenticate
> the
> call after the response from the first RADIUS server. The problem I
> ran into
> was that Radiator would send a response after the initial reply and
> then
> another after the second round of authentication. After some thought I
> realized that I need to get Radiator to ignore the response from the
> inital
> server so that the second one could respond. This is what I came up
> with,
> since I couldn't find my answer in the mailing list archives I hope
> someday
> someone will find this useful.
>
> <AuthBy RADIUS>
> Identifier first_radius
> Host YYY.YYY.YYY.YYY
> UseExtendedIds
> Secret abc123
> AuthPort 1645
> AcctPort 1646
> IgnoreAccountingResponse
> StripFromReply Class
> ReplyHook sub { my $code = ${$_[0]}->code;\
> if ($code eq 'Access-Accept' or $code eq
> 'Accounting-Response') {\
> my $authby =
> Radius::AuthGeneric::find("second_radius");\
> $authby->handle_request(${$_[2]}, ${$_[1]});\
> ${$_[0]}->set_code('Accounting-Response');\
> }\
> }
> </AuthBy>
>
> <AuthBy RADIUS>
> Identifier second_radius
> Host XXX.XXX.XXX.XXX
> UseExtendedIds
> Secret abc123
> AuthPort 1812
> AcctPort 1813
> </AuthBy>
>
> <Handler>
> AuthBy first_radius
> </Handler>
>
> The idea is that the Handler sends the request to the first RADIUS
> server
> and if the request is denied, an Access-Reject is sent to the NAS and
> all is
> done. If the first RADIUS server accepts the call it is passed on to
> the
> second RADIUS server. In order to do this I had to use
> IgnoreAccountingResponse and then change the reply code in the original
> packet to 'Accounting-Response' for responses I wanted to be handled
> by the
> second RADIUS sever.
>
> Frank Danielson
> Infrastructure Architect
>
> ClearSky Mobile Media
> 56 E. Pine St.
> Orlando, FL 32801
> USA
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list