(RADIATOR) PreAuthHook q'n.

Hugh Irvine hugh at open.com.au
Mon Mar 15 02:01:21 CST 2004


Hi Dean -

The problem here is that you can't reject a request before it passes 
through the AuthBy clauses.

You should either use a stored procedure in your database (if stored 
procedures are supported), or you can use an SQL query in the AuthBy 
SQL clause to check the Calling-Station-Id at the same time as the 
Password (and anything else). Alternatively you can just use a second 
AuthBy SQL clause to check the Calling-Station-Id. Or finally you can 
use a PostAuthHook to do the check.

regards

Hugh


On 15 Mar 2004, at 17:57, Dean McDonald wrote:

> Hiya
>
> Just a question regarding PreAuthHook - Sorry if this has gone through 
> the list many times.
>
> I'm just trying to put in a small DB query as a PreAuthHook, to check 
> whether Calling-Station-Id exists in a table before doing the 
> AuthSelect (and rejecting if it does exist).
>
> What I'm finding is: after the PreAuthHook is executed, the auth still 
> moves on to the next (?) Auth method regardless of what the 
> PreAuthHook returns (i.e. even if an Access-Reject comes back, it still 
> moves on to Auth SQL, and the user gets auth'd).
>
> I notice in RadPing that an Access-Reject does come back, and all seems 
> good, but when I actually dial it does get connected in the end (shown 
> in the logs).
>
> I'm sure I've just stuffed up the Handler / AuthBy order.. but I can't 
> seem to nail it :(
>
> Note - I'm intending on having Handlers for each access type (dial, 
> DSL, etc)
>
> # Global variables
> Foreground
> DbDir           /opt/Radiator/current
> LogDir          /var/log/radius
> LogFile         %L/%h-%Y-%m.log
> PidFile         %L/radiusd.pid
>
> DictionaryFile %D/dictionary
>
> Trace           4
>
> AuthPort        1645
> AcctPort        1646
>
> <Client DEFAULT>
>        Secret  foo
>        DupInterval 0
> </Client>
>
> #
> # Auth Methods
> #
> <AuthBy FILE>
>        Identifier reject
>        Filename %D/etc/reject.cfg
> </AuthBy>
>
> # DIAL
> <Handler NAS-Port-Type=Async>
>        RewriteUsername s/^([^@]+).*/$1/
>        PreAuthHook file:"%D/hooks/cliCheck.pl"
>        <AuthBy SQL>
>                include %D/etc/mysql_Dial.cfg
>        </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Type=Virtual>
>        RewriteUsername s/^([^@]+).*/$1/
>        <AuthBy SQL>
>                include %D/etc/mysql_DSL.cfg
>        </AuthBy>
> </Handler>
>
>
> *** Received from x.x.x.x port 2101 ....
> Code:       Access-Request
> Identifier: 64
> Authentic:        1079332822
> Attributes:
>        User-Name = "foo at foo.net"
>        CHAP-Password = 
> <211>=<15><168>H<194><221>pZ<7><3><213>f;<197><10><217>
>        NAS-Port-Type = Async
>        Calling-Station-Id = "123456789"
>
> Mon Mar 15 17:40:10 2004: DEBUG: Handling request with Handler 
> 'NAS-Port-Type=Async'
> Mon Mar 15 17:40:10 2004: DEBUG: Rewrote user name to foo
> Mon Mar 15 17:40:10 2004: DEBUG:  Deleting session for foo at foo.net, 
> x.x.x.x,
> Mon Mar 15 17:40:10 2004: DEBUG: PreAuth cliCheck(): checking foo / 
> 123456789
> Mon Mar 15 17:40:10 2004: DEBUG: PreAuth cliCheck(): block exists for 
> 123456789 or foo
> Mar 15 17:40:10 2004: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 2101 ....
> Code:       Access-Reject
> Identifier: 64
> Authentic:        1079332822
> Attributes:
>        Reply-Message = "rejected for some reason"
>
> ** Request should just stop here, not continue on to AuthSQL **  (?)
>
> Mon Mar 15 17:40:10 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Mar 15 17:40:10 2004: DEBUG: Handling with Radius::AuthSQL: 
> mysql_Dial
> Mon Mar 15 17:40:10 2004: DEBUG: Query is: 'SELECT PASSWORD, 
> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME = 'foo' and 
> TIMELEFT > 0':
>
> Mon Mar 15 17:40:10 2004: DEBUG: Radius::AuthSQL looks for match with 
> foo
> Mon Mar 15 17:40:10 2004: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Mar 15 17:40:10 2004: DEBUG: Access accepted for foo
> Mon Mar 15 17:40:10 2004: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 2101 ....
> Code:       Access-Accept
> Identifier: 64
> Authentic:        1079332822
> Attributes:
>        Reply-Message = "rejected for some reason"
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Framed-IP-Netmask = 255.255.255.255
>
> Here is the cliCheck code (sorry, it's a bit ugly..) - the db query 
> itself seems to work fine though.
>
> # -*- mode: Perl -*-
> #
> # cliCheck.pl - PreAuthHook: look the caller up in RADBLOCKS before the
> # AuthBy clauses run
> use strict;
> use warnings;
> use DBI;
>
> sub
> {
>        my $p = ${$_[0]};      # the request
>        my $rp = ${$_[1]};     # the reply being built
>
>        my $cli = $p->get_attr('Calling-Station-Id');
>        my $uname = $p->get_attr('User-Name');
>
>        return if ($p->code ne 'Access-Request');
>
>        &main::log($main::LOG_DEBUG,
>                   qq[PreAuth cliCheck(): checking $uname / $cli]);
>
>        my $dbh = DBI->connect( qq[DBI:mysql:radius:localhost],
>                                'dbluser', 'dbpass', { PrintError => 0 } );
>        unless ($dbh) {
>                &main::log($main::LOG_ERR,
>                           qq[PreAuth cliCheck(): $DBI::errstr]);
>                return;
>        }
>
>        # Bind the attribute values rather than interpolating them into
>        # the SQL: Calling-Station-Id and User-Name arrive unchecked from
>        # the NAS, so interpolating them is an SQL injection hole.
>        my $sql = qq[select USERNAME, CALLERID, COMMENTS from
>                        RADBLOCKS where CALLERID = ? or USERNAME = ?];
>
>        my $sth = $dbh->prepare($sql);
>        $sth->execute($cli, $uname);
>
>        while (my @r = $sth->fetchrow_array) {
>                my ($u, $callerid, $c) = @r;
>                &main::log($main::LOG_DEBUG,
>                           qq[PreAuth cliCheck(): block exists for $cli or $uname]);
>                # <--- unsure about below here
>                # (this sends an Access-Reject straight away, but as the
>                # trace shows the Handler still carries on to AuthBy SQL)
>                $rp->set_code('Access-Reject');
>                $rp->change_attr('Reply-Message', $c);
>                $p->{Client}->replyTo($p);
>                last;   # one reply is enough
>        }
>        $sth->finish;
>        $dbh->disconnect;
>        return;
> }
>
> Any help is appreciated,
>
> Deano.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

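Hugh's last suggestion, a PostAuthHook, worked through as an added example (this is not Radiator's own code and not the hook from the original post). The difference from Dean's PreAuthHook is where the decision is made: a PreAuthHook runs before the AuthBy chain and can only send a packet of its own, after which the Handler still runs AuthBy SQL and sends the Access-Accept seen in the trace with the same Identifier 64. A PostAuthHook runs after the AuthBy chain and receives a reference to the result the Handler is about to act on, so setting that reference to $main::REJECT makes the Handler itself send the reject. The RADBLOCKS table, its columns and the DSN/credentials are carried over from cliCheck.pl as assumptions, and the hook argument list (request, reply, result and reason, all passed by reference) is as documented for PostAuthHook in the Radiator reference manual; check it against the version you run.

```perl
# -*- mode: Perl -*-
#
# cliBlock.pl - Radiator PostAuthHook that rejects blocked callers after the
# AuthBy chain has run.  Added example for this thread, not Radiator's code
# and not the original cliCheck.pl.
#
# Reference it from the Handler in place of the PreAuthHook:
#
#   <Handler NAS-Port-Type=Async>
#       RewriteUsername s/^([^@]+).*/$1/
#       PostAuthHook file:"%D/hooks/cliBlock.pl"
#       <AuthBy SQL>
#           include %D/etc/mysql_Dial.cfg
#       </AuthBy>
#   </Handler>
#
# Assumptions: RADBLOCKS (USERNAME, CALLERID, COMMENTS) and the DSN /
# credentials come from the original cliCheck.pl; the hook arguments are
# (request ref, reply ref, result ref, reason ref) as documented for
# PostAuthHook.
use strict;
use warnings;
use DBI;

my $dbh;   # DBI handle kept across calls: the hook is compiled once, then called per request

sub {
    my ($p_ref, $rp_ref, $result_ref, $reason_ref) = @_;
    my $p  = $$p_ref;    # the request
    my $rp = $$rp_ref;   # the reply the Handler is about to send

    # Only an accepted Access-Request needs a second look; leave rejects,
    # challenges and accounting alone.
    return unless $p->code eq 'Access-Request';
    return unless $$result_ref == $main::ACCEPT;

    my $cli   = $p->get_attr('Calling-Station-Id');
    my $uname = $p->get_attr('User-Name');
    $cli   = '' unless defined $cli;
    $uname = '' unless defined $uname;

    my ($blocked, $comment) = (0, '');
    eval {
        $dbh = DBI->connect('DBI:mysql:radius:localhost', 'dbluser', 'dbpass',
                            { RaiseError => 1, PrintError => 0, AutoCommit => 1 })
            unless $dbh && $dbh->ping;

        # Bind parameters: both values arrive unauthenticated from the NAS.
        my $sth = $dbh->prepare(
            'SELECT COMMENTS FROM RADBLOCKS WHERE CALLERID = ? OR USERNAME = ? LIMIT 1');
        $sth->execute($cli, $uname);
        if (my $row = $sth->fetchrow_arrayref) {
            $blocked = 1;
            $comment = defined $row->[0] ? $row->[0] : 'blocked';
        }
        $sth->finish;
    };
    if ($@) {
        # Fail closed: if the block list cannot be consulted, do not let the
        # request through on the strength of the password check alone.
        &main::log($main::LOG_ERR, qq[PostAuth cliBlock(): DB error for $uname / $cli: $@]);
        ($blocked, $comment) = (1, 'block list unavailable');
        undef $dbh;   # force a fresh connect on the next request
    }
    return unless $blocked;

    &main::log($main::LOG_INFO, qq[PostAuth cliBlock(): rejecting $uname / $cli: $comment]);

    # Change the result the Handler acts on instead of sending a packet
    # ourselves: the Handler builds and sends the final Access-Reject.
    $$result_ref = $main::REJECT;
    $$reason_ref = 'Calling-Station-Id or User-Name is blocked';

    # Drop the accept-only attributes AuthBy SQL added so they do not ride
    # along on the reject, and hand the NAS the reason from the block table.
    $rp->delete_attr($_) for qw(Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask);
    $rp->change_attr('Reply-Message', $comment);
    return;
}
```

Two points worth keeping even if you choose one of Hugh's other options. The original hook interpolated Calling-Station-Id and User-Name into the SQL string; both are supplied by the peer, so they are bound as placeholders here, and the same applies to any AuthSelect that references %{Calling-Station-Id} unquoted. The hook also fails closed on a database error rather than silently falling back to the password check, which is the behaviour you want from a block list. Folding the check into the AuthBy SQL AuthSelect, Hugh's first suggestion, saves the second query entirely; the hook is the route to take when the block table is not reachable from the same query.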