(RADIATOR) AuthBy GROUP and AuthBy Policy

Hugh Irvine hugh at open.com.au
Fri Jan 26 17:24:28 CST 2007 

Hello Toomas -

This is indeed "funny" - Mike and I both think that there is a typo  
or some other problem in the configuration file as our testing here  
shows that AuthByPolicy ContinueWhileIgnore does exactly that,  
however your debug appears to be operating with AuthByPolicy  
ContinueWhileAccpet.

BTW - the configuration file you show below will not work as you  
expect in any case, because AuthByPolicy ContinueWhileIgnore will  
only progress past the first AuthBy SQL clause if it returns Ignore,  
which should only happen if the database query times out.

I think more investigation is required and we will need to see the  
complete configuration file (as an attachment preferably).

regards

Hugh


On 26 Jan 2007, at 21:08, Toomas Kärner wrote:

> Hi,
>
> My radius has started acting "funny" in some point after some update
> of radiator. Now I have traced it so far that something has changed in
> a way which AuthByPolicy-s act in a <AuthBy Group>
> Part of configuration:
>
> <Realm DEFAULT>
>     AuthLog LoginFailureLog
>     RejectHasReason
>         AuthBy FindAuthBy
> PostAuthHook file:"/home/radius/etc/hooks/wn/PortalPostAuthHook.pl"
> </Realm DEFAULT>
>
> <AuthBy GROUP>
>     Identifier FindAuthBy
>     AuthByPolicy ContinueWhileIgnore
>     <AuthBy SQL>
>         Identifier GetInfoFromWnsession
>         DBSource        dbi:mysql:xx
>         DBUsername      xx
>         DBAuth          xx
>
>         AuthSelect      Select  \
>                 location_id, \
>                 mac_address \
>                 from  \
>                 plaah where s_id = '%{ETC-Session-Id}'
>         AuthColumnDef   0,      ETC-Location-Id,request
>         AuthColumnDef   1,      ETC-Mac,request
>         NoDefault
>
>     </AuthBy>
>     ######################
>     <AuthBy SQL>
>         Identifier GetAuthType
>         DBSource        dbi:mysql:xx
>         DBUsername      xx
>         DBAuth          xx
>
>         AuthSelect      Select \
>                 if(isnull(auth_by),'RealmDefaultRejectAuth',auth_by) \
>                 from plaah2 where realm = '%R' or realm = 'undef' \
>                 order by product_id desc limit 1
>         AuthColumnDef   0,      Auth-Type,check
>         AcceptIfMissing
>         NoDefault
>     </AuthBy>
> </AuthBy>
>
> Explanation: GetAuthType gets a Auth-Type = AuthRoamingRadius
>
> <AuthBy RADIUS>
>         Identifier AuthRoamingRadius
>         <Host localhost>
>             Secret
>             AuthPort 2001
>             AcctPort
>             Retries 0
>             RetryTimeout 2
> #           FailureBackoffTime 20
>         </Host>
>         AllowInReply    Reply-Message
>         AllowInRequest  User-Name,User-Password,ETC-Member-Of,ETC- 
> Session-Id,ETC-Location-Id
>         ##################################
>         ReplyHook    sub { \
>             &main::log($main::LOG_DEBUG, "ReplyHook executed!"); \
>             my $p      = ${$_[0]};\
>             my $rp     = ${$_[1]};\
>             my $code   = $p->code;\
>             if ($code eq 'Access-Reject') { \
>                 &main::log($main::LOG_DEBUG, "ReplyHook found Reply- 
> Message, giving it as a reason."); \
>                 my $message=${$_[2]}->get_attr('Reply-Message'); \
>                 ${$_[3]}=$message;\
>             } \
>         }
>         ##################################
>         NoReplyHook    sub { \
>             &main::log($main::LOG_DEBUG, "NoReplyHook executed!"); \
>             my $p      = ${$_[0]};\
>             my $sp     = ${$_[1]};\
>             my $rp     = ${$_[2]};\
>             my $code   = $p->code;\
>             if ($code eq 'Access-Request') { \
>                 $rp->set_code('Access-Reject'); \
>                 $rp->add_attr('Reply-Message', 'Access rejected  
> because roaming service is currently unavailable.')
>                 $p->{Client}->replyTo($p); \
>             } \
>         }
>         ##################################
> </AuthBy>
>
>
> In short:
> 1) all requests get some attributes added into from DB.
> 2) based on realm a search is run on DB and AuthBy module identifier
> is found.
> 3) Request is handled in this "faulty" case by AuthBy RADIUS and sent
> to some other server.
> It should IGNORE then but it gives ACCEPT for some reason...
>
>
> Debug 4:
>
> Fri Jan 26 09:42:03 2007: DEBUG: Packet dump:
> *** Received from xxxx port 33686 ....
> Code:       Access-Request
> Identifier: 227
> Authentic:
> Attributes:
>         Service-Type = Login-User
>         User-Name = "plaah at elion.ee"
>         User-Password = "<195> <147><240> 
> (<197><179><133>d~<1<145><174><177><9>"
>         NAS-IP-Address = xx
>         NAS-Port = 0
>         ETC-Client-IP = yy
>         ETC-Session-Id = 524481
>
> Fri Jan 26 09:42:03 2007: DEBUG: Rewrote user name to plaah at elion.ee
> Fri Jan 26 09:42:03 2007: DEBUG: PortalPreHandlerHook Executed
>
> Fri Jan 26 09:42:03 2007: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Fri Jan 26 09:42:03 2007: DEBUG: SessDBWireless Deleting session for
> plaah at elion.ee, yyy, 0
> Fri Jan 26 09:42:04 2007: DEBUG: do query is: 'delete from  
> wnsession where username = 'plaah at elion.ee' and framed_ip is null':
> Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthGROUP:  
> FindAuthBy
> Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL
> Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL:  
> GetInfoFromWnsession
> Fri Jan 26 09:42:04 2007: DEBUG: Query is: 'Select       
> location_id, mac_address from  wnsession where s_id = '524481'':
> Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL looks for match  
> with plaah at elion.ee [plaah at elion.ee]
> Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL ACCEPT: :  
> plaah at elion.ee [plaah at elion.ee]
> Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL
> Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthSQL:  
> GetAuthType
> Fri Jan 26 09:42:04 2007: DEBUG: Query is: 'Select
> if(isnull(auth_by),'RealmDefaultRejectAuth',auth_by) from xxx where  
> realm = 'elion.ee' or realm = 'undef' order by product_id desc  
> limit 1':
> Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL looks for match  
> with plaah at elion.ee [plaah at elion.ee]
> Fri Jan 26 09:42:04 2007: DEBUG: Handling with Radius::AuthRADIUS
> Fri Jan 26 09:42:04 2007: DEBUG: AuthBy RADIUS creates new local  
> socket '0.0.0.0' for sending requests
> Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 2001 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  <8><160><198><16>x<192><251>?S<245><166>.<127><225><29>2
> Attributes:
>         User-Name = "plaah at elion.ee"
>         User-Password =  
> "<134><166>b<222>L<155><176><210>d<145><28>0<186><248><191>5"
>         ETC-Session-Id = 524481
>         ETC-Location-Id = 90
>
> Fri Jan 26 09:42:04 2007: DEBUG: Radius::AuthSQL IGNORE: :  
> plaah at elion.ee [plaah at elion.ee]
> Fri Jan 26 09:42:04 2007: DEBUG: AuthBy GROUP result: ACCEPT,
> Fri Jan 26 09:42:04 2007: DEBUG: PostAuthHook Executed
>
> Fri Jan 26 09:42:04 2007: DEBUG: Access accepted for plaah at elion.ee
> Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
> *** Sending to 172.16.250.218 port 33686 ....
> Code:       Access-Accept
> Identifier: 227
> Authentic:  <8><160><198><16>x<192><251>?S<245><166>.<127><225><29>2
> Attributes:
>
> Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 2001 ....
> Code:       Access-Reject
> Identifier: 1
> Authentic:  =@<19>><163>M;<131><247><246><191>%f<23>|t
> Attributes:
>         Reply-Message = "Request Denied"
>
> Fri Jan 26 09:42:04 2007: DEBUG: Received reply in AuthRADIUS for  
> req 1 from 127.0.0.1:2001
> Fri Jan 26 09:42:04 2007: DEBUG: ReplyHook executed!
> Fri Jan 26 09:42:04 2007: DEBUG: ReplyHook found Reply-Message,  
> giving it as a reason.
> Fri Jan 26 09:42:04 2007: INFO: Access rejected for plaah at elion.ee:  
> Proxied
> Fri Jan 26 09:42:04 2007: DEBUG: do query is: 'insert into ...' :
> Fri Jan 26 09:42:04 2007: DEBUG: Packet dump:
> *** Sending to yyy port 33686 ....
> Code:       Access-Reject
> Identifier: 227
> Authentic:  <8><160><198><16>x<192><251>?S<245><166>.<127><225><29>2
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> I can not get this "DEBUG: AuthBy GROUP result: ACCEPT," to be IGNORE.
>
> Version 3.16
>
> Rgds.
> Toomas
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list