(RADIATOR) PostAuthHook & AuthLog SQL

jason at freemotion.bb
Thu Oct 13 07:36:27 CDT 2005


hugh you are the man, that did the trick for me, thanks a lot for that :D

last question for you, is there a way to get AuthBy SQL to work with the same
database tables, or something similar to ATDefaults in the Emerald Handler?

we have a lot of products configured, and i am moving away from the emerald
database layout, but i do not see anything wrong with how that table is laid
out...

and for anyone that is trying to do what i am doing, here is the hook code that
is working..

sub {
    &main::log($main::LOG_DEBUG, "Entering PostAuthHook");

    my $p = ${$_[0]};        # the request packet
    my $rp = ${$_[1]};       # the reply packet
    my $handled = $_[2];     # reference to the result code
    my $reason = $_[3];      # reference to the reject reason (%1 in AuthLog)

    my $code = $p->code;

    return unless $code eq 'Access-Request';

    my $porttype = $p->get_attr('NAS-Port-Type');
    my $uname = $p->get_attr('User-Name');

    &main::log($main::LOG_DEBUG, "PostAuthHook $porttype, $uname");

    my $dbh = DBI->connect( qq[DBI:ODBC:Emerald],'sa','ffbarb2' )
        or die &main::log($main::LOG_DEBUG,qq[PostAuthHook(): $DBI::errstr\n]);

    # Bind the login as a placeholder instead of interpolating User-Name
    # into the SQL text, so a name containing a quote cannot alter the query
    my $sql = qq[select login, PortTypeAllowed from SubAccounts where login = ?];

    my $sth = $dbh->prepare($sql);
    $sth->execute($uname);

    while (my @r = $sth->fetchrow_array) {
        my ($u, $r) = @r;
        &main::log($main::LOG_DEBUG,qq[Checking Port type allowance for $uname]);
        if ($porttype ne $r) {
            &main::log($main::LOG_DEBUG,qq[Warning: User $uname port type wrong.]);
            $$handled = $main::REJECT;
            $$reason = 'Sorry you are not allowed on that port';
        }
    }

    $dbh->disconnect;
    return;
}


Quoting Hugh Irvine <hugh at open.com.au>:

>
> Hello Jason -
>
> You should return the reason string in the fourth parameter.
>
> Here is an example from "goodies/hooks.txt".
>
>
> This is an example PostAuthHook showing how to cause a REJECT.
> Note the definition of $handled and $reason.
> Also note the use of $$handled and $$reason.
>
> sub
> {
>     my $p = ${$_[0]};
>     my $rp = ${$_[1]};
>     my $handled = $_[2];
>     my $reason = $_[3];
>
>     my $code = $p->code;
>
>     return unless $code eq 'Access-Request';
>
>     my $timeout = $rp->get_attr('Session-Timeout');
>
>     if($timeout <= 0)
>     {
>         $$handled = $main::REJECT;
>         $$reason = 'No time remaining';
>     }
> }
>
>
> regards
>
> Hugh
>
>
> On 13 Oct 2005, at 09:53, jason at freemotion.bb wrote:
>
>> Yes RejectHasReason has been defined,
>> and every other problem, ie bad password, Expiration passed etc
>>
>> can you think of anything else...
>>
>> Jason
>>
>> Quoting Hugh Irvine <hugh at open.com.au>:
>>
>>
>>>
>>> Hello Jason -
>>>
>>> Have you configured RejectHasReason in the Realm?
>>>
>>> See section 6.17.23 in the Radiator 3.13 reference manual.
>>>
>>> There are also a number of example hooks in "goodies/hooks.txt".
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 13 Oct 2005, at 04:20, jason at freemotion.bb wrote:
>>>
>>>
>>>> i have built a post auth hook to check to see if people are logging into where
>>>> they are supposed to be and it works a treat but i have one problem, when it
>>>> rejects someone and goes to log an error with AuthLog SQL it does not give a
>>>> reason: the %1 variable returns a Null.
>>>>
>>>> here is the hook and a trace
>>>>
>>>> i hope someone can tell me how to get this to log a reason..
>>>>
>>>> --------- hook code---------------------------------------------------------
>>>>
>>>> sub {
>>>>     &main::log($main::LOG_DEBUG, "Entering PostAuthHook");
>>>>
>>>>     my $p = ${$_[0]};
>>>>     my $rp = ${$_[1]};
>>>>     my $result = ${$_[2]};
>>>>
>>>>     my $porttype = $p->get_attr('NAS-Port-Type');
>>>>     my $uname = $p->get_attr('User-Name');
>>>>
>>>>     &main::log($main::LOG_DEBUG, "PostAuthHook $porttype, $uname");
>>>>
>>>>     my $dbh = DBI->connect( qq[DBI:ODBC:XXXXXXX],'XXXXX','XXXXXXX' )
>>>>         or die &main::log($main::LOG_DEBUG,qq[PreAuth cliCheck(): $DBI::errstr\n]);
>>>>
>>>>     my $sql = qq[select login, PortTypeAllowed from SubAccounts where login=\'$uname'];
>>>>
>>>>     my $sth = $dbh->prepare($sql); $sth->execute;
>>>>
>>>>     while (my @r = $sth->fetchrow_array) {
>>>>         if (@r) {
>>>>             my ($u, $r) = @r;
>>>>             &main::log($main::LOG_DEBUG,qq[Checking Port type allowance for $uname]);
>>>>             if (($result == $main::ACCEPT) && ($porttype ne $r))
>>>>             {
>>>>                 &main::log($main::LOG_DEBUG,qq[Warning: User $uname port type wrong.]);
>>>>                 ${$_[2]} = $main::REJECT;
>>>>                 ${$_[1]}->change_attr('Reply-Message', 'Sorry you are not allowed on that port.');
>>>>             }
>>>>         }
>>>>     }
>>>>
>>>>     $dbh->disconnect;
>>>>     return;
>>>> }
>>>>
>>>>
>>>> -------------- trace -------------------------------
>>>>
>>>> Wed Oct 12 14:04:46 2005: DEBUG: Radius::AuthSQL ACCEPT:
>>>> Wed Oct 12 14:04:46 2005: DEBUG: Entering PostAuthHook
>>>> Wed Oct 12 14:04:46 2005: DEBUG: PostAuthHook Ethernet, jason
>>>> Wed Oct 12 14:04:46 2005: DEBUG: Checking Port type allowance  for  jason
>>>> Wed Oct 12 14:04:46 2005: DEBUG: Warning: User jason port type  wrong.
>>>> Wed Oct 12 14:04:46 2005: INFO: Access rejected for jason:
>>>> Wed Oct 12 14:04:46 2005: DEBUG: do query is: 'INSERT into RadLogs (RadLogMsgID,LogDate,Username,Data,NASIdentifier,NASport,CallerID) values (NULL,GETDATE(),'jason','','xxx.xxx.xxx.50','179','00:0D:60:7A:0C:FE')':
>>>>
>>>> Wed Oct 12 14:04:46 2005: DEBUG: Packet dump:
>>>> *** Sending to 200.50.75.50 port 1032 ....
>>>> Code:       Access-Reject
>>>> Identifier: 71
>>>> Authentic:  ZgA):<194>N<210><220><149>H<171><217><241><127><138>
>>>> Attributes:
>>>>         MS-CHAP2-Success =   
>>>> "<1>S=B7207EDDAD07494EFB69F35F7FE7074498A0BDA8"
>>>>         Session-Timeout = 887640
>>>>         Service-Type = 2
>>>>         Framed-Protocol = 1
>>>>         Framed-Compression = 1
>>>>         Reply-Message = "Sorry you are not allowed on that port."
>>>>
>>>> ----------------------------------------------------------------
>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/ 
>>> archives/ radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>



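Added example, not code from this thread or from Radiator's "goodies/hooks.txt": a stand-alone Perl harness that exercises a hardened version of the working hook Jason posted at the top of this message, outside the server. The Radiator globals $main::REJECT, $main::ACCEPT, $main::LOG_DEBUG and main::log are stubbed here with assumed values, the request packet is a constructed mock exposing only the code and get_attr methods the hook uses, and the SubAccounts table is a constructed in-memory SQLite copy (assumes DBI and DBD::SQLite are installed). The one behavioural change from the posted hook is that the login is bound with a DBI placeholder instead of being interpolated into the SQL string, so a User-Name containing a quote is matched as data rather than changing the WHERE clause; the reject reason still travels through the fourth hook parameter, which is what AuthLog SQL's %1 picks up.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Stand-ins for what Radiator provides to a hook. The values are assumed
# placeholders for this harness; the real constants live in the server.
our $LOG_DEBUG = 4;
our $ACCEPT    = 0;
our $REJECT    = 1;
sub log { my ($level, $msg) = @_; print STDERR "DEBUG: $msg\n"; }

# Minimal constructed mock of a Radiator packet: only the methods the hook calls.
package MockPacket;
sub new      { my ($class, %args) = @_; return bless {%args}, $class; }
sub code     { return $_[0]{code}; }
sub get_attr { my ($self, $name) = @_; return $self->{attrs}{$name}; }
package main;

# Constructed in-memory copy of the SubAccounts table discussed in the thread.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE SubAccounts (login TEXT, PortTypeAllowed TEXT)');
$dbh->do(q{INSERT INTO SubAccounts VALUES ('jason',   'Ethernet')});
$dbh->do(q{INSERT INTO SubAccounts VALUES ('o''brien', 'Async')});

# The hook, in the shape Radiator calls it: ($p, $rp, \$handled, \$reason).
my $hook = sub {
    my $p       = ${$_[0]};   # request packet
    my $rp      = ${$_[1]};   # reply packet (unused here)
    my $handled = $_[2];      # reference to the result code
    my $reason  = $_[3];      # reference to the reject reason (%1 in AuthLog)

    return unless $p->code eq 'Access-Request';

    my $porttype = $p->get_attr('NAS-Port-Type') // '';
    my $uname    = $p->get_attr('User-Name')     // '';

    # Placeholder binding: the login is passed as a value, never as SQL text,
    # so a name like o'brien neither breaks the statement nor rewrites it.
    my $sth = $dbh->prepare(
        'SELECT login, PortTypeAllowed FROM SubAccounts WHERE login = ?');
    $sth->execute($uname);

    while (my ($u, $allowed) = $sth->fetchrow_array) {
        &main::log($main::LOG_DEBUG, "Checking port type allowance for $uname");
        if ($porttype ne $allowed) {
            &main::log($main::LOG_DEBUG, "Warning: User $uname port type wrong.");
            $$handled = $main::REJECT;
            $$reason  = 'Sorry you are not allowed on that port';
        }
    }
    $sth->finish;
    return;
};

# Drive the hook the way Radiator would and return what it decided.
sub run_case {
    my ($user, $port) = @_;
    my $p  = MockPacket->new(code  => 'Access-Request',
                             attrs => { 'User-Name' => $user, 'NAS-Port-Type' => $port });
    my $rp = MockPacket->new(code => 'Access-Accept', attrs => {});
    my ($handled, $reason) = ($main::ACCEPT, '');
    $hook->(\$p, \$rp, \$handled, \$reason);
    return ($handled, $reason);
}

for my $case (['jason', 'Ethernet'], ['jason', 'Async'],
              ["o'brien", 'Async'], ["o'brien", 'Ethernet']) {
    my ($handled, $reason) = run_case(@$case);
    printf "%-8s on %-9s -> %s%s\n", @$case,
        ($handled == $main::REJECT ? 'REJECT' : 'ACCEPT'),
        ($reason ne '' ? " ($reason)" : '');
}

$dbh->disconnect;
```

Run it with plain `perl` from a shell. Like the posted hook, it only overrides the result when a SubAccounts row exists and its PortTypeAllowed differs from the request's NAS-Port-Type; a login with no row falls through to whatever the AuthBy already decided, which is why the AuthBy SQL check still has to run before this hook.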

