(RADIATOR) ReplyHook question

Hugh Irvine hugh at open.com.au
Wed Jun 21 20:46:22 CDT 2006


Hello Frank, Hello Alex -

The RADIUS proxy code in "Radius/AuthRADIUS.pm" deals with 4 separate  
instances of RADIUS request packets. There is the original request as  
received from the NAS ($op), there is the reply packet which is being  
prepared to be returned to the NAS ($rp), there is the packet which  
is being sent to the remote proxy ($sp), and there is the reply which  
has been received from the remote proxy ($p). The sequence of events  
is as follows: the original request is received from the NAS, a new  
reply packet is created which will ultimately be sent back to the  
NAS, another new packet is created to be forwarded to the remote  
proxy and the contents of the original packet are copied into it, and  
when the reply comes back from the remote proxy there is an instance  
created for it. This being the case you should find the same  
attributes in both $op and $sp, unless attributes have been added or  
removed by other means.

${$_[2]} is the original request $op

${$_[3]} is the forwarded request $sp

As Frank mentions, not all NAS equipment sends NAS-IP-Address, so you  
should check a trace 4 debug to verify what you are working with.

hope that helps

regards

Hugh


On 22 Jun 2006, at 02:29, Frank Danielson wrote:

> Hi Alex-
>
> The NAS-IP-Address should be in the original packet. I have seen NAS'es
> that do not send a NAS-IP-Address attribute. This may sound obvious but
> have you checked to make sure the attribute is actually in the incoming
> request?
>
> Also in looking at some of my own replyhook code I am using ${$_[3]} as
> the original packet instead of ${$_[2]} as suggested by the
> documentation. I don't remember what led up to that but it is working
> and I am getting the NAS-IP-Address attribute from it.
>
> Frank Danielson
> Infrastructure Architect
>
> ClearSky Mobile Media
> 56 E. Pine St.
> Orlando, FL 32801
> USA
>
> fdanielson at csky.com
>
> -----Original Message-----
> From: Alex Sharaz [mailto:A.Sharaz at hull.ac.uk]
> Sent: Wednesday, June 21, 2006 11:57 AM
> To: radiator at open.com.au
> Subject: (RADIATOR) ReplyHook question
>
>
> Chaps,
> I'm writing a ReplyHook that'll return a Tunnel-Private-Group-Id (and
> other attributes) based upon where the authentication request comes
> from. For this I need the NAS-IP-Address attribute so that I can decide
> what values to pass back.
>
> In radius.cfg I've got
>
> <Handler ConvertedFromEAPMSCHAPV2=1>
>         # Proxy to a non-EAP capable server
>         Identifier eap-mschapv2
>         <AuthBy RADIUS>
>                 Host a.b.c.d
>                 Secret <secret>
>                 AuthPort 1812
>                 AcctPort 1813
>                 LocalAddress %{GlobalVar:myIp}
>                 StripFromRequest ConvertedFromEAPMSCHAPV2
>                 ReplyHook file:"%D/gen_wired_vlans_replyhook.pl"
>         </AuthBy>
>     AuthLog eaplog
>     PostAuthHook file:"%D/calling_station_hook_requests.pl"
> </Handler>
>
> And in the ReplyHook file I've got
>
>     my $vlanid='740';
> #
>     my $p = ${$_[0]};   # proxy reply packet
>     my $rp = ${$_[1]};  # reply packet to NAS
>     my $op = ${$_[2]};  # original request packet
>     my $sp = ${$_[3]};  # packet sent to proxy
>
>     my $code = $p->code;
>
>
>     my $ASCIIvlan;
>     my $binaryvlan;
>     my $tag;
>
>     &main::log($main::LOG_DEBUG, "Calling get_wired_vlans_replyhook.pl\n");
>     if ($code eq 'Access-Accept')
>     {
>     #
>     # get some info about the caller
>     #
>        my $callingid=$op->get_attr('Calling-Station-Id');
>        my $nasip1=$op->get_attr('NAS-IP-Address');
>        my $id=$op->get_attr('User-Name');
>
>        if(defined($callingid))
>        {
>           &main::log($main::LOG_DEBUG, "Calling-Station=$callingid");
>        }
>        if(defined($nasip1))
>        {
>           &main::log($main::LOG_DEBUG, "Nas-Ip=$nasip1");
>        }
>        if(defined($id))
>        {
>           &main::log($main::LOG_DEBUG, "User-Name=$id");
>        }
>
>
> Looking in my log file, the calling station id is there and so is the
> userid but the nas-ip-address isn't. Am I correct in assuming that it's
> because at that point the nas-ip-address isn't in the packet that gets
> passed off to the radius proxy?
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
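
The following is an added example, not part of the original messages and not Radiator code: a ReplyHook-style sub that takes the four packet references in the order described above, reads NAS-IP-Address from $op and then $sp, and adds no VLAN attribute when the NAS did not send one. MockPacket, the %vlan_for_nas table, the addresses and the returned status strings are constructed for illustration; add_attr mirrors the Radiator method of that name, and tunnel tag handling is left out.

```perl
#!/usr/bin/perl
# Added example. MockPacket is a constructed stand-in for a Radiator packet
# object; it implements only code, get_attr and add_attr.
use strict;
use warnings;

package MockPacket;
sub new      { my ($class, $code, %attrs) = @_; return bless { code => $code, attrs => {%attrs} }, $class }
sub code     { return $_[0]{code} }
sub get_attr { return $_[0]{attrs}{ $_[1] } }
sub add_attr { $_[0]{attrs}{ $_[1] } = $_[2]; return }

package main;

# Constructed mapping: NAS-IP-Address => VLAN id (documentation addresses).
my %vlan_for_nas = ('192.0.2.10' => '740', '192.0.2.20' => '741');

# Same argument order as the hook in the thread: references to $p (proxy
# reply), $rp (reply to NAS), $op (original request), $sp (sent to proxy).
# The returned string exists only so the demo loop can print the outcome.
my $reply_hook = sub {
    my ($p, $rp, $op, $sp) = map { ${$_} } @_[0 .. 3];
    return 'not-accept' unless $p->code eq 'Access-Accept';

    # Read from the original request first, then from the forwarded copy.
    my $nasip = $op->get_attr('NAS-IP-Address');
    $nasip = $sp->get_attr('NAS-IP-Address') unless defined $nasip;

    # Absent or unknown NAS: add nothing rather than fall back to a default VLAN.
    return 'no-nas-ip'   unless defined $nasip;
    return 'unknown-nas' unless exists $vlan_for_nas{$nasip};

    $rp->add_attr('Tunnel-Private-Group-Id', $vlan_for_nas{$nasip});
    return 'vlan-set';
};

# Constructed requests: one NAS sends NAS-IP-Address, the other does not.
for my $op (
    MockPacket->new('Access-Request', 'User-Name' => 'alice', 'NAS-IP-Address' => '192.0.2.10'),
    MockPacket->new('Access-Request', 'User-Name' => 'bob'),
) {
    my ($p, $rp) = (MockPacket->new('Access-Accept'), MockPacket->new('Access-Accept'));
    my $sp = MockPacket->new('Access-Request', %{ $op->{attrs} });   # copy of $op
    my $result = $reply_hook->(\$p, \$rp, \$op, \$sp);
    printf "%s: %s, Tunnel-Private-Group-Id=%s\n", $op->get_attr('User-Name'),
        $result, $rp->get_attr('Tunnel-Private-Group-Id') // '(none)';
}
```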

