(RADIATOR) SQLRADIUS result
Hugh Irvine
hugh at open.com.au
Sat Feb 19 00:06:11 CST 2005
Hello Claudio -
The first and most fundamental problem is that the AuthBy SQLRADIUS
clause will _always_ return IGNORE as it is based on the AuthBy RADIUS
clause which forwards the request to the proxy target and immediately
returns IGNORE (the reply is processed asynchronously).
The correct way to do what you descibe is with a NoReplyHook and there
is an example showing how to do this in the file "goodies/hooks.txt".
regards
Hugh
On 19 Feb 2005, at 01:12, Claudio Lapidus wrote:
> Hello,
>
> I'm trying to handle a series of realms, a portion of which are to be
> used to select a remote Radius to forward the request to, and the
> remaining are to be resolved locally, with no intervening upstream
> server.
>
> The intended approach is to use an authby sqlradius in the first
> place, and if the query returns no rows (no matching realm), fallback
> to a subsequent authby sql, to resolve the realm as local.
>
> My draft configuration looks like
>
> ----------------------------------------------
> <AuthBy GROUP>
> Identifier Proxies-SQL
> AuthByPolicy ContinueWhileIgnore
> <AuthBy SQLRADIUS>
> DBSource dbi:mysql:radius
> HostSelect select \
> r.host, r.secret, r.authport,
> r.acctport, \
> r.retries, r.retrytimeout,
> r.failurepolicy \
> from \
> remote_radius r natural join
> remote_domains d \
> where \
> domain = '%R' \
> and \
> r.orden >= %0 \
> order by \
> r.orden, rand() \
> limit 1
>
> HostColumnDef 0, Host
> HostColumnDef 1, Secret
> HostColumnDef 2, AuthPort
> HostColumnDef 3, AcctPort
> HostColumnDef 4, Retries
> HostColumnDef 5, RetryTimeout
> HostColumnDef 6, failurePolicy
>
> NumHosts 1
> </AuthBy>
> <AuthBy SQL>
> DBSource dbi:mysql:radius
> AuthSelect select replyattr from local_domains \
> where domain = '%R'
>
> AuthColumnDef 0, GENERIC, reply
> </AuthBy>
> </AuthBy>
>
> <Handler>
> AuthBy Proxies-SQL
> </Handler>
> ----------------------------------------------
>
> The (weak) theory behind it being that the sqlradius would return with
> IGNORE only if the query returns no host, but I test with both valid
> and invalid realms and it always ends up with IGNORE. The end of the
> story is that *both* authby's get processed. Besides, there are a
> couple more of strange things (at least to me), please see the trace:
>
> Fri Feb 18 18:21:04 2005 562803: DEBUG: Packet dump:
> *** Received from 126.1.1.251 port 1088 ....
> Code: Access-Request
> Identifier: 141
> Authentic: 1234567890123456
> Attributes:
> User-Name = "claudio at valid-remote-domain"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Fri Feb 18 18:21:04 2005 564772: DEBUG: Handling request with Handler
> ''
> Fri Feb 18 18:21:04 2005 566267: DEBUG: Deleting session for
> claudio at valid-remote-domain, 203.63.154.1, 1234
> Fri Feb 18 18:21:04 2005 567125: DEBUG: Handling with Radius::AuthGROUP
> Fri Feb 18 18:21:04 2005 567812: DEBUG: Handling with
> Radius::AuthRADIUS
> Fri Feb 18 18:21:04 2005 569287: DEBUG: Query is: 'select r.host,
> r.secret, r.authport, r.acctport, r.retries, r.retrytimeout,
> r.failurepolicy from remote_radius r natural join remote_domains d
> where domain = 'valid-remote-domain' and r.orden >= 1 order by
> r.orden, rand() limit 1':
> Fri Feb 18 18:21:04 2005 642515: DEBUG: AuthBy RADIUS creates new
> local socket '0.0.0.0' for sending requests
> Fri Feb 18 18:21:04 2005 645099: DEBUG: Packet dump:
> *** Sending to 10.68.44.97 port 1645 ....
> Code: Access-Request
> Identifier: 1
> Authentic: 1234567890123456
> Attributes:
> User-Name = "claudio at valid-remote-domain"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "<18><30>G<226><189><6><27><152><140>
> <13>(<4>i<229><167>"
>
> Fri Feb 18 18:21:04 2005 646666: DEBUG: Handling with Radius::AuthSQL
> Fri Feb 18 18:21:04 2005 647494: DEBUG: Handling with Radius::AuthSQL:
> Fri Feb 18 18:21:04 2005 649513: DEBUG: Query is: 'select replyattr
> from local_domains where domain = 'valid-remote-domain'':
> Fri Feb 18 18:21:04 2005 652284: DEBUG: Radius::AuthSQL looks for
> match with claudio at valid-remote-domain
> Fri Feb 18 18:21:04 2005 653640: DEBUG: Query is: 'select replyattr
> from local_domains where domain = ''':
> Fri Feb 18 18:21:04 2005 655818: DEBUG: AuthBy GROUP result: REJECT,
> No such user
> Fri Feb 18 18:21:04 2005 656919: INFO: Access rejected for
> claudio at valid-remote-domain: No such user
> Fri Feb 18 18:21:04 2005 659520: DEBUG: Packet dump:
> *** Sending to 126.1.1.251 port 1088 ....
> Code: Access-Reject
> Identifier: 141
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
>
>
> Fri Feb 18 18:21:04 2005 693612: DEBUG: Packet dump:
> *** Received from 10.68.44.97 port 1645 ....
> Code: Access-Accept
> Identifier: 1
> Authentic: <231><255><232>)<181><133>>kl<5>34<4><128><241>?
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Fri Feb 18 18:21:04 2005 695296: DEBUG: Received reply in AuthRADIUS
> for req 1 from 10.68.44.97:1645
> Fri Feb 18 18:21:04 2005 697127: DEBUG: Access accepted for
> claudio at valid-remote-domain
> Fri Feb 18 18:21:04 2005 701740: DEBUG: Packet dump:
> *** Sending to 126.1.1.251 port 1088 ....
> Code: Access-Accept
> Identifier: 141
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
>
> So, how can I prevent the second authby to execute if the first
> succeeds in proxying the packet?
>
> Besides, why the query from authby sql is executed twice, the second
> time with a single quote in place of the realm?
>
> And why the final (and late) accept issued by the server includes the
> Reply-Message from the previous reject?
>
> thanks in advance
> cl.
>
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today - it's
> FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list