(RADIATOR) AuthBy GROUP and AuthBy Policy
Toomas Kärner
tomkar at estpak.ee
Fri Jan 26 04:08:57 CST 2007
Hi,
My radius has started acting "funny" at some point after some update
of Radiator. I have now traced it far enough to see that something has changed in
the way AuthByPolicy-s act in an <AuthBy GROUP>.
Part of configuration:
<Realm DEFAULT>
AuthLog LoginFailureLog
RejectHasReason
AuthBy FindAuthBy
PostAuthHook file:"/home/radius/etc/hooks/wn/PortalPostAuthHook.pl"
</Realm DEFAULT>
<AuthBy GROUP>
Identifier FindAuthBy
AuthByPolicy ContinueWhileIgnore
<AuthBy SQL>
Identifier GetInfoFromWnsession
DBSource dbi:mysql:xx
DBUsername xx
DBAuth xx
AuthSelect Select \
location_id, \
mac_address \
from \
plaah where s_id = '%{ETC-Session-Id}'
AuthColumnDef 0, ETC-Location-Id,request
AuthColumnDef 1, ETC-Mac,request
NoDefault
</AuthBy>
######################
<AuthBy SQL>
Identifier GetAuthType
DBSource dbi:mysql:xx
DBUsername xx
DBAuth xx
AuthSelect Select \
if(isnull(auth_by),'RealmDefaultRejectAuth',auth_by) \
from plaah2 where realm = '%R' or realm = 'undef' \
order by product_id desc limit 1
AuthColumnDef 0, Auth-Type,check
AcceptIfMissing
NoDefault
</AuthBy>
</AuthBy>
Explanation: GetAuthType gets an Auth-Type = AuthRoamingRadius
<AuthBy RADIUS>
Identifier AuthRoamingRadius
<Host localhost>
Secret
AuthPort 2001
AcctPort
Retries 0
RetryTimeout 2
# FailureBackoffTime 20
</Host>
AllowInReply Reply-Message
AllowInRequest User-Name,User-Password,ETC-Member-Of,ETC-Session-Id,ETC-Location-Id
##################################
ReplyHook sub { \
&main::log($main::LOG_DEBUG, "ReplyHook executed!"); \
my $p = ${$_[0]};\
my $rp = ${$_[1]};\
my $code = $p->code;\
if ($code eq 'Access-Reject') { \
&main::log($main::LOG_DEBUG, "ReplyHook found Reply-Message, giving it as a reason."); \
my $message=${$_[2]}->get_attr('Reply-Message'); \
${$_[3]}=$message;\
} \
}
##################################
NoReplyHook sub { \
&main::log($main::LOG_DEBUG, "NoReplyHook executed!"); \
my $p = ${$_[0]};\
my $sp = ${$_[1]};\
my $rp = ${$_[2]};\
my $code = $p->code;\
if ($code eq 'Access-Request') { \
$rp->set_code('Access-Reject'); \
$rp->add_attr('Reply-Message', 'Access rejected because roaming service is currently unavailable.'); \
$p->{Client}->replyTo($p); \
} \
}
##################################
</AuthBy>
In short:
1) all requests get some attributes added from the DB.
2) based on realm a search is run on DB and AuthBy module identifier
is found.
3) Request is handled in this "faulty" case by AuthBy RADIUS and sent
to some other server.
It should IGNORE then but it gives ACCEPT for some reason...
Debug 4:
Fri Jan 26 09:42:03 2007: DEBUG: Packet dump:
*** Received from xxxx port 33686 ....
Code: Access-Request
Identifier: 227
Authentic:
Attributes:
Service-Type = Login-User
User-Name = "plaah at elion.ee"
User-Password = "<195> <147><240>(<197><179><133>d~<1<145><174><177><9>"
NAS-IP-Address = xx
NAS-Port = 0
ETC-Client-IP = yy
ETC-Session-Id = 524481
Fri Jan 26 09:42:03 2007: DEBUG: Rewrote user name to plaah at elion.ee
Fri Jan 26 09:42:03 2007: DEBUG: PortalPreHandlerHook Executed
Fri Jan 26 09:42:03 2007: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 26 09:42:03 2007: DEBUG: SessDBWireless Deleting session for plaah at elion.ee, yyy, 0
Fri Jan 26 09:42:04 2007: DEBUG: do query is: 'delete from wnsession where username = 'plaah at elion.ee' and framed_ip is null':
Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthGROUP: FindAuthBy
Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL
Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL: GetInfoFromWnsession
Fri Jan 26 09:42:04 2007: DEBUG: Query is: 'Select location_id, mac_address from wnsession where s_id = '524481'':
Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL looks for match with plaah at elion.ee [plaah at elion.ee]
Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL ACCEPT: : plaah at elion.ee [plaah at elion.ee]
Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL
Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL: GetAuthType
Fri Jan 26 09:42:04 2007: DEBUG: Query is: 'Select if(isnull(auth_by),'RealmDefaultRejectAuth',auth_by) from xxx where realm = 'elion.ee' or realm = 'undef' order by product_id desc limit 1':
Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL looks for match with plaah at elion.ee [plaah at elion.ee]
Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthRADIUS
Fri Jan 26 09:42:04 2007: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0' for sending requests
Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2001 ....
Code: Access-Request
Identifier: 1
Authentic: <8><160><198><16>x<192><251>?S<245><166>.<127><225><29>2
Attributes:
User-Name = "plaah at elion.ee"
User-Password = "<134><166>b<222>L<155><176><210>d<145><28>0<186><248><191>5"
ETC-Session-Id = 524481
ETC-Location-Id = 90
Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL IGNORE: : plaah at elion.ee [plaah at elion.ee]
Fri Jan 26 09:42:04 2007: DEBUG: AuthBy GROUP result: ACCEPT,
Fri Jan 26 09:42:04 2007: DEBUG: PostAuthHook Executed
Fri Jan 26 09:42:04 2007: DEBUG: Access accepted for plaah at elion.ee
Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
*** Sending to 172.16.250.218 port 33686 ....
Code: Access-Accept
Identifier: 227
Authentic: <8><160><198><16>x<192><251>?S<245><166>.<127><225><29>2
Attributes:
Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2001 ....
Code: Access-Reject
Identifier: 1
Authentic: =@<19>><163>M;<131><247><246><191>%f<23>|t
Attributes:
Reply-Message = "Request Denied"
Fri Jan 26 09:42:04 2007: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:2001
Fri Jan 26 09:42:04 2007: DEBUG: ReplyHook executed!
Fri Jan 26 09:42:04 2007: DEBUG: ReplyHook found Reply-Message, giving it as a reason.
Fri Jan 26 09:42:04 2007: INFO: Access rejected for plaah at elion.ee: Proxied
Fri Jan 26 09:42:04 2007: DEBUG: do query is: 'insert into ...' :
Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
*** Sending to yyy port 33686 ....
Code: Access-Reject
Identifier: 227
Authentic: <8><160><198><16>x<192><251>?S<245><166>.<127><225><29>2
Attributes:
Reply-Message = "Request Denied"
I can not get this "DEBUG: AuthBy GROUP result: ACCEPT," to be IGNORE.
Version 3.16
Rgds.
Toomas
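
The debug log above shows the NAS being sent an Access-Accept for Identifier 227 and, once the proxied reply arrives, an Access-Reject for the same Identifier. The Python below is an added example, not part of the original post or of Radiator: it scans a debug log in that packet-dump layout for requests answered with both codes. The sample log and the 192.0.2.10 NAS address are constructed.

```python
import re

# Constructed sample in the packet-dump layout of the log above (placeholder NAS address).
SAMPLE_LOG = """\
*** Received from 192.0.2.10 port 33686 ....
Code: Access-Request
Identifier: 227
*** Sending to 127.0.0.1 port 2001 ....
Code: Access-Request
Identifier: 1
Fri Jan 26 09:42:04 2007: DEBUG: AuthBy GROUP result: ACCEPT,
*** Sending to 192.0.2.10 port 33686 ....
Code: Access-Accept
Identifier: 227
*** Received from 127.0.0.1 port 2001 ....
Code: Access-Reject
Identifier: 1
*** Sending to 192.0.2.10 port 33686 ....
Code: Access-Reject
Identifier: 227
*** Received from 192.0.2.10 port 33686 ....
Code: Access-Request
Identifier: 228
*** Sending to 192.0.2.10 port 33686 ....
Code: Access-Reject
Identifier: 228
"""

# Assumes Code and Identifier directly follow the "***" header, as in the dumps above.
PACKET = re.compile(
    r"^\*\*\* (Sending|Received) \w+ (\S+) port (\d+).*\n"
    r"\s*Code:\s*(\S+)\n\s*Identifier:\s*(\d+)", re.M)

def conflicting_replies(log_text):
    """Return (peer, replies) for requests answered with both Accept and Reject."""
    exchanges, current = [], {}
    for direction, host, port, code, ident in PACKET.findall(log_text):
        key = (host, int(port), int(ident))
        if direction == "Received" and code == "Access-Request":
            current[key] = []  # new request; the 8-bit Identifier may be reused later
            exchanges.append((key, current[key]))
        elif direction == "Sending" and key in current and code != "Access-Request":
            current[key].append(code)  # replies sent back to the requesting peer
    return [(k, r) for k, r in exchanges
            if {"Access-Accept", "Access-Reject"} <= set(r)]
```

Replies are matched to requests by source address, port and Identifier, so a log with redacted or rewritten addresses has to be normalised before it is scanned.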