(RADIATOR) SQLRADIUS result
Claudio Lapidus
c_lapidus at hotmail.com
Fri Feb 18 16:12:19 CST 2005
Hello,
I'm trying to handle a series of realms, a portion of which are to be used
to select a remote Radius to forward the request to, and the remaining are
to be resolved locally, with no intervening upstream server.
The intended approach is to use an authby sqlradius in the first place, and
if the query returns no rows (no matching realm), fall back to a subsequent
authby sql, to resolve the realm as local.
My draft configuration looks like
----------------------------------------------
<AuthBy GROUP>
        Identifier Proxies-SQL
        AuthByPolicy ContinueWhileIgnore
        # First: look up a remote RADIUS host for the realm (%R) and proxy to it
        <AuthBy SQLRADIUS>
                DBSource dbi:mysql:radius
                HostSelect select \
                        r.host, r.secret, r.authport, r.acctport, \
                        r.retries, r.retrytimeout, r.failurepolicy \
                        from \
                        remote_radius r natural join remote_domains d \
                        where \
                        domain = '%R' \
                        and \
                        r.orden >= %0 \
                        order by \
                        r.orden, rand() \
                        limit 1
                HostColumnDef 0, Host
                HostColumnDef 1, Secret
                HostColumnDef 2, AuthPort
                HostColumnDef 3, AcctPort
                HostColumnDef 4, Retries
                HostColumnDef 5, RetryTimeout
                HostColumnDef 6, failurePolicy
                NumHosts 1
        </AuthBy>
        # Fallback: resolve the realm as local
        <AuthBy SQL>
                DBSource dbi:mysql:radius
                AuthSelect select replyattr from local_domains \
                        where domain = '%R'
                AuthColumnDef 0, GENERIC, reply
        </AuthBy>
</AuthBy>
<Handler>
        AuthBy Proxies-SQL
</Handler>
----------------------------------------------
The (weak) theory behind it being that the sqlradius would return with
IGNORE only if the query returns no host, but I test with both valid and
invalid realms and it always ends up with IGNORE. The end of the story is
that *both* authby's get processed. Besides, there are a couple more
strange things (at least to me), please see the trace:
Fri Feb 18 18:21:04 2005 562803: DEBUG: Packet dump:
*** Received from 126.1.1.251 port 1088 ....
Code: Access-Request
Identifier: 141
Authentic: 1234567890123456
Attributes:
User-Name = "claudio at valid-remote-domain"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
Fri Feb 18 18:21:04 2005 564772: DEBUG: Handling request with Handler ''
Fri Feb 18 18:21:04 2005 566267: DEBUG: Deleting session for
claudio at valid-remote-domain, 203.63.154.1, 1234
Fri Feb 18 18:21:04 2005 567125: DEBUG: Handling with Radius::AuthGROUP
Fri Feb 18 18:21:04 2005 567812: DEBUG: Handling with Radius::AuthRADIUS
Fri Feb 18 18:21:04 2005 569287: DEBUG: Query is: 'select r.host, r.secret,
r.authport, r.acctport, r.retries, r.retrytimeout, r.failurepolicy from
remote_radius r natural join remote_domains d where domain =
'valid-remote-domain' and r.orden >= 1 order by r.orden, rand() limit 1':
Fri Feb 18 18:21:04 2005 642515: DEBUG: AuthBy RADIUS creates new local
socket '0.0.0.0' for sending requests
Fri Feb 18 18:21:04 2005 645099: DEBUG: Packet dump:
*** Sending to 10.68.44.97 port 1645 ....
Code: Access-Request
Identifier: 1
Authentic: 1234567890123456
Attributes:
User-Name = "claudio at valid-remote-domain"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<18><30>G<226><189><6><27><152><140>
<13>(<4>i<229><167>"
Fri Feb 18 18:21:04 2005 646666: DEBUG: Handling with Radius::AuthSQL
Fri Feb 18 18:21:04 2005 647494: DEBUG: Handling with Radius::AuthSQL:
Fri Feb 18 18:21:04 2005 649513: DEBUG: Query is: 'select replyattr from
local_domains where domain = 'valid-remote-domain'':
Fri Feb 18 18:21:04 2005 652284: DEBUG: Radius::AuthSQL looks for match with
claudio at valid-remote-domain
Fri Feb 18 18:21:04 2005 653640: DEBUG: Query is: 'select replyattr from
local_domains where domain = ''':
Fri Feb 18 18:21:04 2005 655818: DEBUG: AuthBy GROUP result: REJECT, No such
user
Fri Feb 18 18:21:04 2005 656919: INFO: Access rejected for
claudio at valid-remote-domain: No such user
Fri Feb 18 18:21:04 2005 659520: DEBUG: Packet dump:
*** Sending to 126.1.1.251 port 1088 ....
Code: Access-Reject
Identifier: 141
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Fri Feb 18 18:21:04 2005 693612: DEBUG: Packet dump:
*** Received from 10.68.44.97 port 1645 ....
Code: Access-Accept
Identifier: 1
Authentic: <231><255><232>)<181><133>>kl<5>34<4><128><241>?
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Fri Feb 18 18:21:04 2005 695296: DEBUG: Received reply in AuthRADIUS for req
1 from 10.68.44.97:1645
Fri Feb 18 18:21:04 2005 697127: DEBUG: Access accepted for
claudio at valid-remote-domain
Fri Feb 18 18:21:04 2005 701740: DEBUG: Packet dump:
*** Sending to 126.1.1.251 port 1088 ....
Code: Access-Accept
Identifier: 141
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Service-Type = Framed-User
Framed-Protocol = PPP
So, how can I prevent the second authby from executing if the first succeeds in
proxying the packet?
Besides, why is the query from authby sql executed twice, the second time
with a single quote in place of the realm?
And why does the final (and late) accept issued by the server include the
Reply-Message from the previous reject?
thanks in advance
cl.
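
A check over the trace above, added here as an example (not part of the original post and not Radiator code): it parses the packet dumps and reports any request that was answered more than once, along with attributes repeated from the first reply in the last. The function names are hypothetical, and the input is constructed by condensing the trace in the post.

```python
import re
from collections import defaultdict

# Constructed input: the packet dumps from the trace above, timestamps and most attributes trimmed.
TRACE = """\
*** Received from 126.1.1.251 port 1088 ....
Code: Access-Request
Identifier: 141
*** Sending to 10.68.44.97 port 1645 ....
Code: Access-Request
Identifier: 1
*** Sending to 126.1.1.251 port 1088 ....
Code: Access-Reject
Identifier: 141
Reply-Message = "Request Denied"
*** Received from 10.68.44.97 port 1645 ....
Code: Access-Accept
Identifier: 1
*** Sending to 126.1.1.251 port 1088 ....
Code: Access-Accept
Identifier: 141
Reply-Message = "Request Denied"
Service-Type = Framed-User
"""
HDR = re.compile(r"\*\*\* (Sending to|Received from) (\S+) port (\d+)")
FIELD = re.compile(r"(Code|Identifier): (\S+)")
ATTR = re.compile(r"[\w-]+ = ")  # attribute lines; timestamped log lines do not match

def parse_packets(trace):
    """One dict per packet dump: direction, peer, Code, Identifier, attrs."""
    packets = []
    for line in map(str.strip, trace.splitlines()):
        if m := HDR.match(line):
            packets.append({"dir": m[1], "peer": f"{m[2]}:{m[3]}", "attrs": []})
        elif packets and (m := FIELD.match(line)):
            packets[-1][m[1]] = m[2]
        elif packets and ATTR.match(line):
            packets[-1]["attrs"].append(line)
    return packets

def conflicting_replies(trace):
    """Requests answered more than once, with attributes repeated across replies."""
    sent = defaultdict(list)
    for p in parse_packets(trace):
        if p["dir"] == "Sending to" and p.get("Code") in ("Access-Accept", "Access-Reject"):
            sent[(p["peer"], p["Identifier"])].append(p)
    return {key: {"codes": [r["Code"] for r in rs],
                  "repeated": [a for a in rs[0]["attrs"] if a in rs[-1]["attrs"]]}
            for key, rs in sent.items() if len(rs) > 1}
```

On this input, `conflicting_replies(TRACE)` reports that Identifier 141 from 126.1.1.251:1088 received an Access-Reject followed by an Access-Accept, and that the Reply-Message attribute appears in both.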