(RADIATOR) PostAuthHook & AuthLog SQL
Hugh Irvine
hugh at open.com.au
Thu Oct 13 19:22:27 CDT 2005
Hello Jason -
You can configure the AuthBy SQL clause to do whatever you require.
See section 6.29 in the Radiator 3.13 reference manual ("doc/ref.html").
regards
Hugh
On 13 Oct 2005, at 22:36, jason at freemotion.bb wrote:
> Hugh you are the man, that did the trick for me, thanks a lot for
> that :D
>
> last question for you, is there a way to get AuthBy SQL to work
> with the same database tables or similar to ATDefaults in the
> Emerald Handler??
>
> we have a lot of products configured, but I am moving away from the
> emerald database layout, but I do not see anything wrong with how
> that table is laid out...
>
> and for anyone that is trying to do what I am doing here is the
> hook code that is working..
>
> sub {
>     &main::log($main::LOG_DEBUG, "Entering PostAuthHook");
>
>     my $p = ${$_[0]};
>     my $rp = ${$_[1]};
>     my $handled = $_[2];    # reference to the result code
>     my $reason = $_[3];     # reference to the reject reason string
>
>     my $code = $p->code;
>
>     return unless $code eq 'Access-Request';
>
>     my $porttype = $p->get_attr('NAS-Port-Type');
>     my $uname = $p->get_attr('User-Name');
>
>     &main::log($main::LOG_DEBUG, "PreClientHook $porttype, $uname");
>
>     my $dbh = DBI->connect( qq[DBI:ODBC:Emerald],'sa','ffbarb2' )
>         or die &main::log($main::LOG_DEBUG,qq[PostAuthHook(): $DBI::errstr\n]);
>
>     # User-Name comes from the request, so bind it rather than interpolating it
>     my $sql = qq[select login, PortTypeAllowed from SubAccounts where login=?];
>
>     my $sth = $dbh->prepare($sql); $sth->execute($uname);
>
>     while (my @r = $sth->fetchrow_array) {
>         if (@r) {
>             my ($u, $r) = @r;
>             &main::log($main::LOG_DEBUG,qq[Checking Port type allowance for $uname]);
>             if ($porttype ne $r)
>             {
>                 &main::log($main::LOG_DEBUG,qq[Warning: User $uname port type wrong.]);
>                 $$handled = $main::REJECT;
>                 $$reason = 'Sorry you are not allowed on that port';
>             }
>         }
>     }
>
>     $dbh->disconnect;
>     return;
> }
>
>
> Quoting Hugh Irvine <hugh at open.com.au>:
>
>
>>
>> Hello Jason -
>>
>> You should return the reason string in the fourth parameter.
>>
>> Here is an example from "goodies/hooks.txt".
>>
>>
>> This is an example PostAuthHook showing how to cause a REJECT.
>> Note the definition of $handled and $reason.
>> Also note the use of $$handled and $$reason.
>>
>> sub
>> {
>>     my $p = ${$_[0]};
>>     my $rp = ${$_[1]};
>>     my $handled = $_[2];
>>     my $reason = $_[3];
>>
>>     my $code = $p->code;
>>
>>     return unless $code eq 'Access-Request';
>>
>>     my $timeout = $rp->get_attr('Session-Timeout');
>>
>>     if($timeout <= 0)
>>     {
>>         $$handled = $main::REJECT;
>>         $$reason = 'No time remaining';
>>     }
>> }
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 13 Oct 2005, at 09:53, jason at freemotion.bb wrote:
>>
>>
>>> Yes RejectHasReason has been defined.
>>> and every other problem, ie bad password, Expiration passed etc
>>>
>>> can you think of anything else...
>>>
>>> Jason
>>>
>>> Quoting Hugh Irvine <hugh at open.com.au>:
>>>
>>>
>>>
>>>>
>>>> Hello Jason -
>>>>
>>>> Have you configured RejectHasReason in the Realm?
>>>>
>>>> See section 6.17.23 in the Radiator 3.13 reference manual.
>>>>
>>>> There are also a number of example hooks in "goodies/hooks.txt".
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 13 Oct 2005, at 04:20, jason at freemotion.bb wrote:
>>>>
>>>>
>>>>
>>>>> I have built a post auth hook to check to see if people are
>>>>> logging into where they are supposed to be and it works a treat
>>>>> but I have one problem, when it rejects someone and goes to log
>>>>> an error with AuthLog SQL it does not give a reason, the %1
>>>>> variable returns a Null.
>>>>>
>>>>> here is the hook and a trace
>>>>>
>>>>> I hope someone can tell me how to get this to log a reason..
>>>>>
>>>>> --------- hook code ---------------------------------------------------------
>>>>>
>>>>> sub {
>>>>>     &main::log($main::LOG_DEBUG, "Entering PostAuthHook");
>>>>>
>>>>>     my $p = ${$_[0]};
>>>>>     my $rp = ${$_[1]};
>>>>>     my $result = ${$_[2]};
>>>>>
>>>>>     my $porttype = $p->get_attr('NAS-Port-Type');
>>>>>     my $uname = $p->get_attr('User-Name');
>>>>>
>>>>>     &main::log($main::LOG_DEBUG, "PostAuthHook $porttype, $uname");
>>>>>
>>>>>     my $dbh = DBI->connect( qq[DBI:ODBC:XXXXXXX],'XXXXX','XXXXXXX' )
>>>>>         or die &main::log($main::LOG_DEBUG,qq[PreAuth cliCheck(): $DBI::errstr\n]);
>>>>>
>>>>>     # User-Name comes from the request, so bind it rather than interpolating it
>>>>>     my $sql = qq[select login, PortTypeAllowed from SubAccounts where login=?];
>>>>>
>>>>>     my $sth = $dbh->prepare($sql); $sth->execute($uname);
>>>>>
>>>>>     while (my @r = $sth->fetchrow_array) {
>>>>>         if (@r) {
>>>>>             my ($u, $r) = @r;
>>>>>             &main::log($main::LOG_DEBUG,qq[Checking Port type allowance for $uname]);
>>>>>             if (($result == $main::ACCEPT) && ($porttype ne $r))
>>>>>             {
>>>>>                 &main::log($main::LOG_DEBUG,qq[Warning: User $uname port type wrong.]);
>>>>>                 ${$_[2]} = $main::REJECT;
>>>>>                 ${$_[1]}->change_attr('Reply-Message' , 'Sorry you are not allowed on that port.');
>>>>>             }
>>>>>         }
>>>>>     }
>>>>>
>>>>>     $dbh->disconnect;
>>>>>     return;
>>>>> }
>>>>>
>>>>>
>>>>> -------------- trace -------------------------------
>>>>>
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: Radius::AuthSQL ACCEPT:
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: Entering PostAuthHook
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: PostAuthHook Ethernet, jason
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: Checking Port type allowance for jason
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: Warning: User jason port type wrong.
>>>>> Wed Oct 12 14:04:46 2005: INFO: Access rejected for jason:
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: do query is: 'INSERT into RadLogs (RadLogMsgID, LogDate,Username,Data,NASIdentifier,NASport,CallerID) values (NULL,GETDATE(),'jason','','xxx.xxx.xxx.50','179','00:0D:60:7A:0C:FE')':
>>>>>
>>>>> Wed Oct 12 14:04:46 2005: DEBUG: Packet dump:
>>>>> *** Sending to 200.50.75.50 port 1032 ....
>>>>> Code: Access-Reject
>>>>> Identifier: 71
>>>>> Authentic: ZgA):<194>N<210><220><149>H<171><217><241><127><138>
>>>>> Attributes:
>>>>> MS-CHAP2-Success = "<1>S=B7207EDDAD07494EFB69F35F7FE7074498A0BDA8"
>>>>> Session-Timeout = 887640
>>>>> Service-Type = 2
>>>>> Framed-Protocol = 1
>>>>> Framed-Compression = 1
>>>>> Reply-Message = "Sorry you are not allowed on that port."
>>>>>
>>>>> ----------------------------------------------------------------
>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>
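
The port-type hook from this thread, with the User-Name bound as a placeholder and the reject reason returned through the fourth argument, as an added example that is not part of the original messages. FakePacket, run_hook, the in-memory SQLite database (DBD::SQLite) and the sample rows are assumptions made so it runs without Radiator or the ODBC source; the 0/1 result codes are stand-ins for Radiator's own.

```perl
use strict;
use warnings;
use DBI;    # assumption: DBD::SQLite is installed (the thread itself uses DBI:ODBC)

# Stand-ins for Radiator's result codes so this runs without Radiator.
our ($ACCEPT, $REJECT) = (0, 1);

# Hypothetical minimal packet object: only code() and get_attr().
package FakePacket {
    sub new      { my ($class, %args) = @_; return bless {%args}, $class }
    sub code     { return $_[0]{code} }
    sub get_attr { return $_[0]{attr}{ $_[1] } }
}

# Constructed sample rows, shaped like the SubAccounts table in the thread.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE SubAccounts (login TEXT, PortTypeAllowed TEXT)');
$dbh->do('INSERT INTO SubAccounts VALUES (?, ?)', undef, @$_)
    for ['jason', 'Async'], ["o'neil", 'Ethernet'];

# Hook with the thread's argument layout; User-Name is bound, never interpolated.
my $hook = sub {
    my ($p, $handled, $reason) = (${ $_[0] }, $_[2], $_[3]);
    return unless $p->code eq 'Access-Request';
    return unless $$handled == $main::ACCEPT;    # keep reasons from earlier rejects
    my $porttype = $p->get_attr('NAS-Port-Type') // '';
    my ($allowed) = $dbh->selectrow_array(
        'SELECT PortTypeAllowed FROM SubAccounts WHERE login = ?',
        undef, $p->get_attr('User-Name'));
    return unless defined $allowed;              # no row: leave the result alone
    if ($porttype ne $allowed) {
        $$handled = $main::REJECT;
        $$reason  = 'Sorry you are not allowed on that port';
    }
    return;
};

# Call the hook with four references, matching how the thread's code reads @_.
sub run_hook {
    my ($user, $porttype) = @_;
    my $p = FakePacket->new(code => 'Access-Request',
        attr => { 'User-Name' => $user, 'NAS-Port-Type' => $porttype });
    my ($rp, $handled, $reason) = (undef, $main::ACCEPT, '');
    $hook->(\$p, \$rp, \$handled, \$reason);
    return ($handled, $reason);
}

for my $case (['jason', 'Ethernet'], ["o'neil", 'Ethernet']) {
    my ($handled, $reason) = run_hook(@$case);
    printf "%-8s %-8s result=%d reason='%s'\n", @$case, $handled, $reason;
}
```

The second case uses a login containing an apostrophe, which the bound placeholder passes through as data; the same name interpolated into the SQL string would end the quoted literal early.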