(RADIATOR) Configuring AuthBy RADIUS from database?

Claudio Lapidus clapidus at gmail.com
Fri Sep 9 16:55:33 CDT 2005


Hello all,

We have a situation where we need to use different authentication
methods based on responses received at run time from an external
database. Specifically, there are situations where it may be needed to
proxy the request to one of several remote RADIUS servers, while in
other cases the request can be resolved locally. In the former cases
the database will answer with the necessary data to prepare the proxy
operation, while in the latter the DB's answer will contain the
definitive attributes to include in the Access-Accept.

This is an example of the values the DB returns when a proxy operation
is needed:

sqlplus> SELECT radius.packradius.fretatt FROM dual;

radius.packradius.fretatt
---------------------------------------------------------------------------------
X-Modo=Proxy,X-Host0=10.0.0.95,X-AuthPort0=1812,X-AcctPort0=1813,X-Secret0=server1,X-Host1=10.0.0.95,X-AuthPort1=2812,X-AcctPort1=2813,X-Secret1=server2


And this is when a local accept is generated:

sqlplus> SELECT radius.packradius.fretatt FROM dual;

radius.packradius.fretatt
---------------------------------------------------------------------------------
X-Mode=Accept,Service-Type=Framed,Framed-Protocol=PPP,Framed-IP-Address=1.1.1.1


(the DB will tell whether it's appropriate or not to proxy based on
other criteria, not shown in the example)


So far, the following config reflects our idea:

<AuthBy SQL>
       Identifier      WithSQL
       DBSource        dbi:Oracle:host=streamer;sid=ORCL
       DBUsername      x
       DBAuth          x

       AuthSelect  SELECT radius.packradius.fretatt FROM dual
       AuthColumnDef 0, GENERIC,reply
</AuthBy>

<AuthBy RADIUS>
       Identifier      RemoteRadius
       Host            x.x.x.x
       etc...
</AuthBy>

<AuthBy INTERNAL>
       Identifier      IgnoreIfProxy
       RequestHook     file:"/etc/radiator/IgnoreIfNotProxy.cfg"
       DefaultResult   ACCEPT
</AuthBy>

<Handler>
       Identifier Default
       <AuthBy GROUP>
               AuthByPolicy ContinueWhileIgnore
               <AuthBy GROUP>
                       AuthByPolicy ContinueAlways
                       AuthBy WithSQL
                       AuthBy IgnoreIfProxy
               </AuthBy>
               AuthBy RemoteRadius
       </AuthBy>
</Handler>

This is the hook mentioned above:
-----------------------------------------------------------------------
#/etc/radiator/IgnoreIfNotProxy.cfg
sub {
       my ($p,$rp,$ch) = @_;

       # X-Mode is put into the reply packet by the WithSQL clause
       my $mode=$rp->get_attr('X-Mode');

       #&main::log($main::LOG_DEBUG, "MODE=$mode");
       # IGNORE makes the outer ContinueWhileIgnore group go on to RemoteRadius
       return ($main::IGNORE, "Ignored for continue with proxy!")
              if defined $mode && $mode=~/^Proxy$/i;
       return ($main::ACCEPT);
}
-----------------------------------------------------------------------

So, our intention is to have RemoteRadius somehow receive its
parameters (Host, etc.) at run time, instead of having it statically
defined. We are aware that we could use SQLRADIUS for this, but we are
trying to avoid a second DB access. Can anybody devise a way to
achieve this?

thanks in advance
cl.
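
Added example, not part of the original post and not Radiator code: a stand-alone Perl parser for the attribute string shown above, which separates the X-* proxy control data (hosts, ports, shared secrets) from the attributes meant for the Access-Accept and validates each target before it is used. It assumes the mode attribute is named X-Mode, as the hook reads it, that values contain no commas, and that hosts are IPv4 literals; `parse_db_reply` is a hypothetical name.

```perl
use strict;
use warnings;
# Split the DB string into mode, proxy targets and NAS-bound reply attributes.
# Assumes values contain no commas. Dies on anything malformed.
sub parse_db_reply {
    my ($raw) = @_;
    my ($mode, %target, %reply);
    for my $pair (split /,/, $raw) {
        my ($name, $value) = $pair =~ /^\s*([\w-]+)=(.*?)\s*$/
            or die "malformed pair: $pair\n";
        if    ($name eq 'X-Mode') { $mode = lc $value }
        elsif ($name =~ /^X-(Host|AuthPort|AcctPort|Secret)(\d+)$/) {
            $target{$2}{$1} = $value;          # grouped by numeric suffix
        }
        elsif ($name =~ /^X-/) { die "unknown control attribute $name\n" }
        else                   { $reply{$name} = $value }   # safe to return
    }
    die "missing or unknown X-Mode\n" unless defined $mode && $mode =~ /^(?:proxy|accept)$/;
    my @targets;
    for my $i (sort { $a <=> $b } keys %target) {
        my $t = $target{$i};
        for my $k (qw(Host AuthPort AcctPort Secret)) {
            die "target $i has no X-$k$i\n"
                unless defined $t->{$k} && length $t->{$k};
        }
        # Assumption: hosts are IPv4 literals, as in the post's sample row.
        die "target $i has a bad host\n" unless $t->{Host} =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
        for my $k (qw(AuthPort AcctPort)) {
            die "target $i has a bad $k\n"
                unless $t->{$k} =~ /^\d{1,5}$/ && $t->{$k} >= 1 && $t->{$k} <= 65535;
        }
        push @targets, $t;
    }
    die "proxy mode without targets\n" if $mode eq 'proxy' && !@targets;
    return { mode => $mode, targets => \@targets, reply => \%reply };
}

# Constructed samples modelled on the rows in the post; the last is invalid.
for my $raw (
    'X-Mode=Proxy,X-Host0=10.0.0.95,X-AuthPort0=1812,X-AcctPort0=1813,X-Secret0=server1',
    'X-Mode=Accept,Service-Type=Framed,Framed-Protocol=PPP,Framed-IP-Address=1.1.1.1',
    'X-Mode=Proxy,X-Host0=10.0.0.95,X-AuthPort0=99999,X-AcctPort0=1813,X-Secret0=server1',
) {
    my $r = eval { parse_db_reply($raw) };
    if (!$r) { chomp(my $err = $@); print "REJECT: $err\n"; next }
    printf "%s: %d target(s), reply attrs: %s\n", $r->{mode},
        scalar @{ $r->{targets} }, join(',', sort keys %{ $r->{reply} }) || '-';
}
```

Only the `reply` hash holds attributes intended for the NAS; the `targets` entries, which carry the shared secrets, stay out of it and are never printed.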
