(RADIATOR) No Access-Reject but a different profile

Hugh Irvine hugh at open.com.au
Wed Dec 7 16:36:21 CST 2005


Hello Toomas -

Yes, you will need to add your message to the request packet in the previous AuthBy.

Note that you can use any name you wish for this "pseudo-attribute".

regards

Hugh


On 7 Dec 2005, at 21:12, Toomas Kärner wrote:

> I'm getting somewhere but I'm a little stuck (I know a workaround already but I
> don't like it because it involves a hook).
> Config of a special AuthBy that will find a special profile for your user if it
> got denied:
> <AuthBy SQL>
>         Identifier      AuthAccept
>         DBSource        dbi:mysql:
>         DBUsername
>         DBAuth
>         AuthSelect      select in_policy,out_policy,qos_profile,timeout,idle_timeout \
>                         from denyprofiles \
>                         where MESSAGE = '%{Reply:Reply-Message}'
>         AuthColumnDef   0,      ERX-Ingress-Policy-Name, reply
>         AuthColumnDef   1,      ERX-Egress-Policy-Name, reply
>         AuthColumnDef   2,      ERX-QoS-Profile-Name, reply
>         AuthColumnDef   3,      Session-Timeout, reply
>         AuthColumnDef   4,      Idle-Timeout, reply
>         AcceptIfMissing
>         NoDefault
> </AuthBy>
> It "should" work but in the log I see:
> Wed Dec  7 09:57:58 2005: DEBUG: AuthBy SQL result: REJECT, Bad Password
> (result from earlier AuthBy's)
> Wed Dec  7 09:57:58 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Dec  7 09:57:58 2005: DEBUG: Handling with Radius::AuthSQL: AuthAccept
> Wed Dec  7 09:57:58 2005: DEBUG: Query is: 'select in_policy,out_policy,qos_profile,timeout,idle_timeout from denyprofiles where MESSAGE = ''':
>
> Message contains an empty string for some reason...
> It's probably because auth_result_message gets inserted into the reply (as a
> Reply-Message) in the very late stage of processing.
> Workaround could be by fetching it and putting it into the request before
> executing AuthSelect and then doing AuthSelect with the Reply-Message from
> the request.
>
> Let me know what you think.
>
> Rgds.
> Toomas
>
> ----- Original Message -----
> From: "Toomas Kärner" <tomkar at estpak.ee>
> To: "Hugh Irvine" <hugh at open.com.au>
> Cc: <radiator at open.com.au>
> Sent: Tuesday, December 06, 2005 2:37 PM
> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>
>
>> Hi Hugh,
>>
>> I had such a "magic" in the PostAuthHook but I'd like to get rid of it
>> there and do it more with config :). Sound weird? haa ... you haven't seen my
>> implementation ways of radiator :D I have some ideas already. I'll see how
>> they work out and let you know.
>>
>> Rgds.
>> Toomas
>>
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Toomas Kärner" <tomkar at estpak.ee>
>> Cc: <radiator at open.com.au>
>> Sent: Tuesday, December 06, 2005 12:28 AM
>> Subject: Re: (RADIATOR) No Access-Reject but a different profile
>>
>>
>>>
>>> Hello Toomas -
>>>
>>> This is very simple to do with a PostAuthHook.
>>>
>>> Here is an example I wrote for another customer which should give you
>>> the idea:
>>>
>>>
>>> # postauth.pl
>>> # Hugh Irvine, 20051129
>>>
>>> sub
>>> {
>>>      my $p = ${$_[0]};        # the incoming request
>>>      my $rp = ${$_[1]};       # the reply being built
>>>      my $handled = $_[2];     # reference to the result code so far
>>>      my $reason = $_[3];      # reference to the result reason text
>>>
>>>      # Only act when the previous AuthBy(s) rejected the request
>>>      return unless ${$handled} == $main::REJECT || ${$handled} == $main::REJECT_IMMEDIATE;
>>>
>>>      # ... and only for these two reject reasons
>>>      return unless ${$reason} =~ 'Simultaneous-Use' || ${$reason} =~ 'Check item';
>>>
>>>      # Set the Identifier
>>>      my $identifier = 'AllocateIPAddress';
>>>      &main::log($main::LOG_DEBUG, "Using Identifier $identifier");
>>>
>>>      # Find the AuthBy clause with the same Identifier
>>>      my $authby = Radius::AuthGeneric::find($identifier);
>>>
>>>      if (defined $authby)
>>>      {
>>>          &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");
>>>
>>>          # add the PoolHint to the reply
>>>          $rp->add_attr('Framed-Pool', 'RESTRICTED');
>>>
>>>          # Call handle_request for this AuthBy DYNADDRESS
>>>          my $rc = $authby->handle_request($p, $rp);
>>>
>>>          if ($rc == $main::ACCEPT)
>>>          {
>>>              &main::log($main::LOG_DEBUG, "Allocate IP address succeeded");
>>>              # Turn the REJECT into an ACCEPT with the restricted address
>>>              $$handled = $main::ACCEPT;
>>>              $$reason = 'Conditional ACCEPT';
>>>          }
>>>      }
>>>      else
>>>      {
>>>          &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier found for address allocation");
>>>      }
>>>      return;
>>> }
>>>
>>>
>>> This code checks the result of the previous AuthBy(s) and the reject
>>> reason and in certain circumstances allocates an IP address from the
>>> RESTRICTED pool and returns an Access-Accept. You can add additional
>>> reply attributes as required and of course you don't need to do the
>>> address allocation if your address pools are defined on your NAS
>>> equipment.
>>>
>>> Please let me know how you get on.
>>>
>>> hope that helps
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 5 Dec 2005, at 20:30, Toomas Kärner wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm gathering my thoughts on a solution that would rather give a
>>>> specific set of parameters to a user upon a "failed" login rather than
>>>> Access-Reject. These profiles should also be different depending on the
>>>> cause of "failure" and in some cases it still should give Access-Reject.
>>>> It's part of my plan to get HD call levels lower - if these profiles will
>>>> direct the subscriber to an "educational" web page for that specific
>>>> error that he/she encountered then there would be no reason to call.
>>>> Also it would reduce the load on radius servers since a logged-in router
>>>> causes no load but a once-in-a-second-trying router causes load. If it
>>>> would get in I would get rid of that extra load.
>>>> I have several (better and worse) ways of doing it but I'd like to get
>>>> some other opinions.
>>>> Let me know how YOU would do this. It would probably benefit us all.
>>>>
>>>> Rgds.
>>>> Toomas
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
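The hook form of the workaround discussed in this thread, written out as an added example; it is not code from the thread and not part of Radiator's distribution. It is a Handler-level PostAuthHook that copies the reject reason from the earlier AuthBy into the request as a pseudo-attribute (the name X-Deny-Reason is made up here; as Hugh says, any name works) and then dispatches the request to the AuthBy SQL clause with Identifier AuthAccept, whose AuthSelect can then match on %{Request:X-Deny-Reason} instead of the still-empty %{Reply:Reply-Message}. One caveat the posted config leaves open: with AcceptIfMissing in that clause, a reject reason that has no row in denyprofiles still comes back as ACCEPT with none of the policy attributes in the reply, which is full access for a bad password. The hook therefore only converts the REJECT when the lookup actually populated ERX-Ingress-Policy-Name, and otherwise leaves the Access-Reject in place, which is also what Toomas wanted for the cases that should still reject.

```perl
# postauth-denyprofile.pl (added example, not from the thread)
#
# Handler-level PostAuthHook. After every AuthBy in the Handler has run:
#   - do nothing unless the result so far is a REJECT
#   - put the reject reason into the request as pseudo-attribute
#     X-Deny-Reason (constructed name; nothing in the dictionary needs it)
#   - hand the request to the AuthBy SQL clause with Identifier AuthAccept,
#     whose AuthSelect is assumed to use:
#         where MESSAGE = '%{Request:X-Deny-Reason}'
#   - convert the REJECT to an ACCEPT only if that lookup put a restricting
#     policy attribute into the reply; otherwise the Access-Reject stands.
sub
{
    my $p       = ${$_[0]};   # the Access-Request
    my $rp      = ${$_[1]};   # the reply being built
    my $handled = $_[2];      # ref to the result code so far
    my $reason  = $_[3];      # ref to the result reason text

    # Only intervene on a REJECT from the earlier AuthBy(s)
    return unless ${$handled} == $main::REJECT
               || ${$handled} == $main::REJECT_IMMEDIATE;

    # The reason string is generated by Radiator itself (e.g. 'Bad Password'),
    # not taken from anything the subscriber sent. No reason: leave the
    # REJECT alone rather than look up an empty MESSAGE.
    my $deny_reason = defined ${$reason} ? ${$reason} : '';
    return unless length $deny_reason;

    # Make the reason visible to the next AuthBy via %{Request:X-Deny-Reason}
    $p->add_attr('X-Deny-Reason', $deny_reason);

    my $identifier = 'AuthAccept';
    my $authby = Radius::AuthGeneric::find($identifier);
    unless (defined $authby)
    {
        &main::log($main::LOG_ERR,
                   "No AuthBy with Identifier $identifier; keeping REJECT");
        return;
    }

    # Run the deny-profile lookup; on a match it adds the ERX-* and timeout
    # attributes to $rp through its AuthColumnDef ... reply entries
    my $rc = $authby->handle_request($p, $rp);

    # Fail closed: AcceptIfMissing in the AuthAccept clause means an unknown
    # reason also returns ACCEPT, but then with no restricting attributes.
    # Only downgrade the reject if the profile was really applied.
    if ($rc == $main::ACCEPT
        && defined $rp->get_attr('ERX-Ingress-Policy-Name'))
    {
        &main::log($main::LOG_DEBUG,
                   "Deny profile found for '$deny_reason'; returning restricted ACCEPT");
        ${$handled} = $main::ACCEPT;
        ${$reason}  = "Restricted profile for: $deny_reason";
    }
    else
    {
        &main::log($main::LOG_DEBUG,
                   "No deny profile for '$deny_reason'; keeping REJECT");
    }
    return;
}
```

Load it with PostAuthHook file:"%D/postauth-denyprofile.pl" in the Handler and change the AuthAccept clause's AuthSelect to select on '%{Request:X-Deny-Reason}'; with AuthSelect left on '%{Reply:Reply-Message}' the hook would just reproduce the empty-MESSAGE query seen in the log above. Rows in denyprofiles should exist only for the reasons that are meant to get a walled-garden profile; every other reason falls through to the original Access-Reject.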