(RADIATOR) PreAuthHook q'n.

Dean McDonald notdean at hotmail.com
Mon Mar 15 00:57:56 CST 2004


Hiya

Just a question regarding PreAuthHook. Sorry if this has gone through the list many times.

I'm just trying to put in a small DB query as a PreAuthHook, to check 
whether Calling-Station-Id exists in a table before doing the AuthSelect 
(and rejecting if it does exist).

What I'm finding is: after the PreAuthHook is executed, the auth still moves on to the next (?) Auth method regardless of what the PreAuthHook returns (i.e. even if an Access-Reject comes back, it still moves on to Auth SQL, and the user gets auth'd).

I notice in RadPing that an Access-Reject does come back, and all seems good, but when I actually dial it does get connected in the end (shown in the logs).

I'm sure I've just stuffed up the Handler / AuthBy order, but I can't seem to nail it :(

Note: I'm intending on having Handlers for each access type (dial, DSL, etc.)

# Global variables
Foreground
DbDir           /opt/Radiator/current
LogDir          /var/log/radius
LogFile         %L/%h-%Y-%m.log
PidFile         %L/radiusd.pid

DictionaryFile %D/dictionary

Trace           4

AuthPort        1645
AcctPort        1646

<Client DEFAULT>
        Secret  foo
        DupInterval 0
</Client>

#
# Auth Methods
#
<AuthBy FILE>
        Identifier reject
        Filename %D/etc/reject.cfg
</AuthBy>

# DIAL
<Handler NAS-Port-Type=Async>
        RewriteUsername s/^([^@]+).*/$1/
        PreAuthHook file:"%D/hooks/cliCheck.pl"
        <AuthBy SQL>
                include %D/etc/mysql_Dial.cfg
        </AuthBy>
</Handler>

<Handler NAS-Port-Type=Virtual>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy SQL>
                include %D/etc/mysql_DSL.cfg
        </AuthBy>
</Handler>


*** Received from x.x.x.x port 2101 ....
Code:       Access-Request
Identifier: 64
Authentic:        1079332822
Attributes:
        User-Name = "foo at foo.net"
        CHAP-Password = 
<211>=<15><168>H<194><221>pZ<7><3><213>f;<197><10><217>
        NAS-Port-Type = Async
        Calling-Station-Id = "123456789"

Mon Mar 15 17:40:10 2004: DEBUG: Handling request with Handler 
'NAS-Port-Type=Async'
Mon Mar 15 17:40:10 2004: DEBUG: Rewrote user name to foo
Mon Mar 15 17:40:10 2004: DEBUG:  Deleting session for foo at foo.net, x.x.x.x,
Mon Mar 15 17:40:10 2004: DEBUG: PreAuth cliCheck(): checking foo / 
123456789
Mon Mar 15 17:40:10 2004: DEBUG: PreAuth cliCheck(): block exists for 
123456789 or foo
Mar 15 17:40:10 2004: DEBUG: Packet dump:
*** Sending to x.x.x.x port 2101 ....
Code:       Access-Reject
Identifier: 64
Authentic:        1079332822
Attributes:
        Reply-Message = "rejected for some reason"

** Request should just stop here, not continue on to AuthSQL **  (?)

Mon Mar 15 17:40:10 2004: DEBUG: Handling with Radius::AuthSQL
Mon Mar 15 17:40:10 2004: DEBUG: Handling with Radius::AuthSQL: mysql_Dial
Mon Mar 15 17:40:10 2004: DEBUG: Query is: 'SELECT PASSWORD, CHECKATTR, 
REPLYATTR from SUBSCRIBERS where USERNAME = 'foo' and TIMELEFT > 0':

Mon Mar 15 17:40:10 2004: DEBUG: Radius::AuthSQL looks for match with foo
Mon Mar 15 17:40:10 2004: DEBUG: Radius::AuthSQL ACCEPT:
Mon Mar 15 17:40:10 2004: DEBUG: Access accepted for foo
Mon Mar 15 17:40:10 2004: DEBUG: Packet dump:
*** Sending to x.x.x.x port 2101 ....
Code:       Access-Accept
Identifier: 64
Authentic:        1079332822
Attributes:
        Reply-Message = "rejected for some reason"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255

Here is the cliCheck code (sorry, it's a bit ugly); the db query itself seems to work fine though.

# -*- mode: Perl -*-
#
# PreAuthHook: reject the request if the Calling-Station-Id or User-Name
# is listed in RADBLOCKS. Radiator passes references to the request and
# reply packets as the two arguments.
use DBI;

sub
{
        my $p = ${$_[0]};       # incoming request packet
        my $rp = ${$_[1]};      # reply packet Radiator will send

        my $cli = $p->get_attr('Calling-Station-Id');
        my $uname = $p->get_attr('User-Name');

        return if ($p->code ne 'Access-Request');

        &main::log($main::LOG_DEBUG, qq[PreAuth cliCheck(): checking $uname / $cli]);

        my $dbh = DBI->connect(qq[DBI:mysql:radius:localhost], 'dbluser', 'dbpass')
                or die &main::log($main::LOG_DEBUG, qq[PreAuth cliCheck(): $DBI::errstr\n]);

        # Bind the attribute values as placeholders rather than interpolating them
        # into the SQL string: Calling-Station-Id and User-Name arrive straight from
        # the NAS, and interpolating them lets a crafted value change the query.
        my $sql = qq[select USERNAME, CALLERID, COMMENTS from RADBLOCKS
                        where CALLERID = ? or USERNAME = ?];
        my $sth = $dbh->prepare($sql);
        $sth->execute($cli, $uname);

        # One matching block row is enough to reject; sending a reply per row
        # would emit several replies for the same request.
        if (my ($u, $r, $c) = $sth->fetchrow_array) {
                &main::log($main::LOG_DEBUG, qq[PreAuth cliCheck(): block exists for $cli or $uname]);
                # <--- unsure about below here
                $rp->set_code('Access-Reject');
                $rp->change_attr('Reply-Message', $c);
                $p->{Client}->replyTo($p);
        }
        $sth->finish;
        $dbh->disconnect;
        return;
}

Any help is appreciated,

Deano.
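The trace above shows the real symptom: two replies (Access-Reject, then Access-Accept) go out for the same Identifier and Authentic value, and the NAS acts on the Accept. The following is an added example, not code from the post or from Radiator, that scans a Trace 4 log for "*** Sending to" packet dumps and flags any request answered more than once; the log lines are constructed to mirror the post's trace.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the Trace 4 dump in the post.
SAMPLE_LOG = """\
*** Received from x.x.x.x port 2101 ....
Code:       Access-Request
Identifier: 64
Authentic:        1079332822
Attributes:
        User-Name = "foo"
*** Sending to x.x.x.x port 2101 ....
Code:       Access-Reject
Identifier: 64
Authentic:        1079332822
Attributes:
        Reply-Message = "rejected for some reason"
Mon Mar 15 17:40:10 2004: DEBUG: Handling with Radius::AuthSQL
*** Sending to x.x.x.x port 2101 ....
Code:       Access-Accept
Identifier: 64
Authentic:        1079332822
Attributes:
        Service-Type = Framed-User
"""

DUMP_START = re.compile(r'^\*\*\* (Received from|Sending to) (\S+) port (\d+)')
FIELD = re.compile(r'^(Code|Identifier|Authentic):\s+(\S+)')

def parse_dumps(text):
    """Yield (direction, peer, fields) for every packet dump in the log."""
    current = None
    for line in text.splitlines():
        m = DUMP_START.match(line)
        if m:
            if current:
                yield current
            current = (m.group(1), f"{m.group(2)}:{m.group(3)}", {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[2][m.group(1)] = m.group(2)
    if current:
        yield current

def find_double_replies(text):
    """Map (peer, Identifier, Authentic) -> reply codes for requests answered twice."""
    replies = defaultdict(list)
    for direction, peer, f in parse_dumps(text):
        if direction == 'Sending to' and 'Identifier' in f:
            replies[(peer, f['Identifier'], f.get('Authentic'))].append(f['Code'])
    return {k: v for k, v in replies.items() if len(v) > 1}
```

Running it over a live log after a test dial shows whether a hook's reject is being overridden by a later AuthBy, which is the condition to fix before relying on the hook as a block list.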

