(RADIATOR) Handler/AuthBy clause composition
Hugh Irvine
hugh at open.com.au
Thu Aug 18 01:37:30 CDT 2005
Hi Frank -
Thanks for your interesting question.
You can use any AuthByPolicy with an AuthBy RADIUS clause, as long as
there is only one AuthBy RADIUS clause and as long as it is the last
one in the sequence. You are correct that the AuthBy RADIUS clause
immediately returns IGNORE, which is why you can't use it in the
middle of an AuthBy sequence. However if it is the last AuthBy in the
sequence, then the result of the eventual reply from the proxy target
will be the condition that is tested at the completion of the packet
processing.
In this particular case, the AuthBy LDAP2 clause will be checked
first, and if it fails then the sequence will continue to the AuthBy
RADIUS clause with the ultimate result of the proxy reply being the
overall result of the sequence. The AuthBy RADIUS clause does indeed
return IGNORE and Radiator continues to process other radius
requests, but all of the pending packet state is preserved until the
proxy reply is processed. When the proxy reply comes back, Radiator
re-enters the "normal" packet processing cycle at the point where the
pending packet state was preserved and it is only at this point in
time that the overall reply is sent back to the NAS (or whatever
client sent the original request). Of course if no reply ever comes
back, the request is timed out and the pending packet state is
discarded.
The code in "Radius/AuthRADIUS.pm" is very enlightening.
best regards
Hugh
On 18 Aug 2005, at 13:26, Frank Danielson wrote:
> Hi Hugh-
>
> Wouldn't the AuthBy RADIUS cause a problem with this because it
> immediately
> returns an IGNORE to the group after forwarding the request? Or is the
> behaviour different inside of an AuthBy GROUP clause?
>
> I would have guessed that Chris would need either two different AuthBy
> RADIUS clauses with thier own AddToReply or a ReplyHook in the
> AuthBy RADIUS
> that added the correct reply attribute based on the Identifier.
>
> Either that or use the Synchronous directive in the AuthBy RADIUS
> which has
> its own set of baggage.
>
> -Frank
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, August 17, 2005 6:32 PM
> To: chills at ne-worcs.ac.uk
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Handler/AuthBy clause composition
>
>
>
> Hello Chris -
>
> Try something like this:
>
>
> <AuthBy LDAP2>
> Identifier CheckLDAP
> ...
> </AuthBy>
>
> <AuthBy RADIUS>
> Identifier CheckRADIUS
> ...
> </AuthBy>
>
> <Handler Identifier=Site1-Switch>
>
> AuthByPolicy ContinueUntilAccept
>
> <AuthBy GROUP>
> AuthBy CheckLDAP
> AddToReply Tunnel-Private-Group-ID=21
> </AuthBy>
>
> <AuthBy GROUP>
> AuthBy CheckRADIUS
> AddToReply Tunnel-Private-Group-ID=22
> </AuthBy>
>
> </Handler>
>
> <Handler Identifier=Site1-Wap>
>
> AuthByPolicy ContinueUntilAccept
>
> <AuthBy GROUP>
> AuthBy CheckLDAP
> AddToReply Tunnel-Private-Group-ID=23
> </AuthBy>
>
> <AuthBy GROUP>
> AuthBy CheckRADIUS
> AddToReply Tunnel-Private-Group-ID=24
> </AuthBy>
>
> </Handler>
>
>
> regards
>
> Hugh
>
>
> On 18 Aug 2005, at 01:28, Chris Hills wrote:
>
>
>> Hi
>>
>> I would like to use the same AuthBy clause, but specify some
>> different AddToReply attributes depending upon the Handler it is
>> used in.
>>
>> For example,
>>
>> <AuthBy LDAP2>
>> Identifier CheckLDAP
>> ...
>> </AuthBy>
>>
>> <AuthBy RADIUS>
>> Identifier CheckRADIUS
>> ...
>> </AuthBy>
>>
>> <Handler Identifier=Site1-Switch>
>> <AuthBy CheckLDAP>
>> ^ AddToReply Tunnel-Private-Group-ID=21
>>
>> <AuthBy CheckRADIUS>
>> ^ AddToReply Tunnel-Private-Group-ID=22
>> </Handler>
>>
>> <Handler Identifier=Site1-Wap>
>> <AuthBy CheckLDAP>
>> ^ AddToReply Tunnel-Private-Group-ID=23
>>
>> <AuthBy CheckRADIUS>
>> ^ AddToReply Tunnel-Private-Group-ID=24
>> </Handler>
>>
>> What is the best way to write this in the config file, without
>> having to resort to distinctive AuthBy clauses?
>>
>> Regards
>>
>> --
>> Chris Hills | Tel: +44 (0)1527 572754
>> IT Services | Fax: +44 (0)1527 572901
>> North East Worcestershire College | Web: http://www.ne-worcs.ac.uk/
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list