(RADIATOR) Dynamic selection of authentication module question ?

Frank Danielson fdanielson at csky.com
Mon Feb 11 10:50:04 CST 2008


The PreHandlerHook only has access to the request packet but attributes
added to the request can be added to the reply later on in a
PreProcessingHook inside your Handler.

<Handler Identifier-Attribute=local>
      PreProcessingHook sub { ${$_[1]}->add_attr('tacacsauthgroup', \
            ${$_[0]}->get_attr('tacacsauthgroup')); }
      AuthByPolicy ContinueUntilReject
      AuthBy SQLAuthentication
      AuthLog LogAuthentication
      # Log accounting to the detail file in LogDir
      AcctLogFileName %L/detail
</Handler>

You may also be able to use AddToReply tacacsauthgroup=%{tacacsauthgroup}
inside of an AuthBy to insert the value of the tacacsauthgroup parameter
from the request into the response. 

Frank Danielson
Infrastructure Architect

ClearSky Mobile Media
56 E. Pine St.
Orlando, FL 32801
USA

fdanielson at csky.com

-----Original Message-----
From: Markus Moeller [mailto:huaraz at moeller.plus.com]
Sent: Saturday, February 09, 2008 1:32 PM
To: radiator at open.com.au
Subject: Re: (RADIATOR) Dynamic selection of authentication module
question ?


Thank you for the feedback. I see how that could work. In my case I think it
would mean all that I do in my LDAPSelect (which is a <AuthBy LDAP2>) needs
to be done in the PreHandler. Does the PreHandler have access to the reply
packet too? I am asking since my LDAP2 sets a reply attribute for use in
the TACACS authorisation with GroupMemberAttr T-GROUP and I wouldn't like
to connect twice to the LDAP server.

<AuthBy LDAP2>
..
        AuthAttrDef     tacacsauthgroup,T-GROUP,reply
..
</AuthBy>

Thank you
Markus

----- Original Message ----- 
From: "Frank Danielson" <fdanielson at csky.com>
To: <radiator at open.com.au>
Sent: Saturday, February 09, 2008 3:53 PM
Subject: RE: (RADIATOR) Dynamic selection of authentication module question ?


> This can be accomplished using a hook. There is an example of choosing and
> calling an AuthBy module in hooks.txt.  Or you can use a PreHandler hook in
> your client clause to add an attribute that is used later in choosing a
> Handler.
>
> Here's an oversimplified example. You'd have to write something to
> implement the logic that chooses the identifier.
>
> <Client>
> Client config
> # Fake a new attribute into the request
> PreHandlerHook sub { my $identifier=some chooser logic; \
> ${$_[0]}->add_attr('Identifier-Attribute', $identifier);}
> </Client>
>
> <Handler Identifier-Attribute=local>
>       AuthByPolicy ContinueUntilReject
>       AuthBy SQLAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Handler>
>
> <Handler Identifier-Attribute=central>
>       AuthByPolicy ContinueUntilReject
>       AuthBy PAMAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Handler>
>
> Frank Danielson
> Infrastructure Architect
>
> ClearSky Mobile Media
> 56 E. Pine St.
> Orlando, FL 32801
> USA
>
> fdanielson at csky.com
>
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz at moeller.plus.com]
> Sent: Saturday, February 09, 2008 9:53 AM
> To: radiator at open.com.au
> Subject: (RADIATOR) Dynamic selection of authentication module question ?
>
>
> Is it possible to select an authentication module more dynamically (e.g.
> depending on the result of a previous module) ?
>
> I was thinking of the following:
>
> <AuthBy PAM>
>        Identifier PAMAuthentication
>        service radiusd
> </AuthBy>
>
> <AuthBy SQL>
>        Identifier SQLAuthentication
>        .
>        .
> </AuthBy>
>
> <Realm>
>        AuthByPolicy ContinueUntilReject
>        AuthBy LDAPSelect
> # Now call either AuthBy or pass it again through the correct realm section
>        AuthBy %{AuthID}
>        AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>        AcctLogFileName %L/detail
> # or
>       Realm %{UserRealm}
> #
> </Realm>
>
> <Realm local.com>
>       AuthByPolicy ContinueUntilReject
>       AuthBy SQLAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Realm>
>
> <Realm central.com>
>       AuthByPolicy ContinueUntilReject
>       AuthBy PAMAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Realm>
>
> Usually you would use the realm of a user to decide what to do with <REALM
> userrealm>, but in my case an  application can not provide the realm
> details. I can get the realm from an ldap server and can either set a
> variable, add it to the request as an attribute or as a check item.
> The only problem I have is I can not dynamically select the Authentication
> module nor process it via another Handler or Realm statement.
>
> Or can I ?
>
> Thank you
> Markus
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 
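
The flow discussed in this thread (a PreHandlerHook stamps the request, the matching Handler is chosen on that attribute, and a PreProcessingHook copies tacacsauthgroup into the reply), as an added example that is not part of the original messages and is not Radiator code. The Pkt class is a stand-in that only mimics get_attr/add_attr as used above, delete_attr is assumed to have an equivalent on the real packet object, and the %directory table is constructed in place of the LDAP lookup.

```perl
# Added illustration: models the request/reply flow with a stand-in packet
# class. It does not load Radiator; delete_attr is an assumed equivalent.
use strict;
use warnings;

package Pkt;    # stand-in for a RADIUS packet: ordered list of [name, value]
sub new         { return bless { attrs => [] }, shift }
sub add_attr    { my ($s, $n, $v) = @_; push @{ $s->{attrs} }, [$n, $v]; return }
sub get_attr    { my ($s, $n) = @_; for (@{ $s->{attrs} }) { return $_->[1] if $_->[0] eq $n } return }
sub delete_attr { my ($s, $n) = @_; @{ $s->{attrs} } = grep { $_->[0] ne $n } @{ $s->{attrs} }; return }

package main;
# Constructed lookup table standing in for the LDAP query in the thread.
my %directory = (
    alice => { handler => 'local',   group => 'netadmin' },
    bob   => { handler => 'central', group => 'readonly' },
);

# PreHandlerHook: $_[0] is a reference to the request.
my $pre_handler = sub {
    my $req  = ${ $_[0] };
    my $user = $req->get_attr('User-Name') // '';
    # Drop any copies that arrived with the request so only this hook sets them.
    $req->delete_attr($_) for qw(Identifier-Attribute tacacsauthgroup);
    my $entry = $directory{$user} or return;    # unknown user: no handler matches
    $req->add_attr('Identifier-Attribute', $entry->{handler});
    $req->add_attr('tacacsauthgroup',      $entry->{group});
};

# PreProcessingHook: $_[0] is the request, $_[1] the reply being built.
my $pre_processing = sub {
    my $group = ${ $_[0] }->get_attr('tacacsauthgroup');
    ${ $_[1] }->add_attr('tacacsauthgroup', $group) if defined $group;
};

# Handler table keyed on the attribute value, as in <Handler Identifier-Attribute=...>.
my %handlers = (local => 'SQLAuthentication', central => 'PAMAuthentication');

for my $user (qw(alice bob mallory)) {
    my ($req, $reply) = (Pkt->new, Pkt->new);
    $req->add_attr('User-Name', $user);
    # Constructed case: the group value arrives with the request itself.
    $req->add_attr('tacacsauthgroup', 'netadmin') if $user eq 'mallory';
    $pre_handler->(\$req);
    my $authby = $handlers{ $req->get_attr('Identifier-Attribute') // '' };
    $pre_processing->(\$req, \$reply) if $authby;
    printf "%-8s authby=%-18s reply group=%s\n", $user,
        $authby // 'none (no handler)', $reply->get_attr('tacacsauthgroup') // '-';
}
```

Because the group is resolved once in the PreHandlerHook and carried on the request, the directory is consulted a single time per request, which is the concern raised in the question about connecting to the LDAP server twice.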

