[RADIATOR] Rejecting requests from within PostSearchHook

Hugh Irvine hugh at open.com.au
Wed Oct 29 00:57:51 CST 2008


Hello Jon -

I don't think you need a hook for this, just a search filter:


	<AuthBy LDAP2>
		.....
		SearchFilter (&(%0=%1)(Fixed-master=%{NAS-IP-Address}))
		.....
	</AuthBy>


See section 5.36.15 in the Radiator 4.3.1 reference manual ("doc/ref.pdf").

Otherwise you just need to add a user check item that you know will  
fail.

There are a number of example hooks in "goodies/hooks.txt".

hope that helps

regards

Hugh


On 29 Oct 2008, at 12:41, Jon Smaller wrote:

> Hi everyone,
>
> I run Radiator version 4.3.1 on a Red Hat server. My current setup
> is as follows:
>
> A modem comes online and sends a request as a broadcast to a proxy
> device. The proxy device then constructs a RADIUS request with the
> MAC address of the modem as the username and its own MAC address as
> the NAS-Identifier. After the RADIUS server accepts this request,
> the modem is associated/bound to that particular proxy device.
> Because of the way this access technology works, when a modem comes
> online, several proxy devices can receive the request from a single
> modem and they all send RADIUS requests to the same RADIUS server.
> I want to be able to configure RADIUS in such a way that it will
> reject requests from all proxy devices except the one that I
> specify (I have all modems in an LDAP database along with an
> attribute called 'Fixed-master' which contains the MAC address of
> the proxy device that I want the modem to be associated with.)
>
> I have written a PostSearchHook and have gotten so far as obtaining
> the NAS-Identifier from the request packet and obtaining the MAC
> address of the authorized proxy device from the LDAP and comparing
> the two. But I can't seem to figure out how to reject the request
> from within the PostSearchHook.
>
> I have tried the following:
>
> $_[3]->{RadiusResult} = $main::REJECT;
>
> and
>
> $_[5]->set_code('Access-Reject');
>
> but none of them seems to work. Could someone help me and let me
> know how I would go about rejecting the request from within
> PostSearchHook (if it is at all possible).
>
> Thank you,
> Jon



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
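
The effect of the combined search filter suggested in the reply, as an added example that is not part of the original thread and is not Radiator code: a small Python model of a directory search in which the modem entry is only found when the proxy value in the request equals its Fixed-master. The attribute name `uid`, the MAC values and the helper names are assumptions made for illustration, and request-supplied values are escaped per RFC 4515 so they are matched literally.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a request-supplied value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(user_attr, username, nas_value):
    """Model of (&(%0=%1)(Fixed-master=<NAS attribute from the request>))."""
    return "(&({}={})(Fixed-master={}))".format(
        user_attr, escape_filter_value(username), escape_filter_value(nas_value))

def _unescape(value):
    # Turn \XX hex escapes back into the characters they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def search(directory, ldap_filter):
    """Evaluate a flat AND-of-equalities filter against in-memory entries."""
    terms = re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter)
    wanted = [(attr, _unescape(val)) for attr, val in terms]
    return [entry for entry in directory
            if all(entry.get(attr) == val for attr, val in wanted)]

def is_authorized_proxy(directory, username, nas_value, user_attr="uid"):
    """True only if the search returns the modem entry for this proxy.

    An empty result means the modem is not found for that proxy, so the
    comparison happens in the search itself and no hook is involved.
    """
    hits = search(directory, build_filter(user_attr, username, nas_value))
    return len(hits) == 1

# Constructed sample data: each modem (uid) is bound to one proxy device.
DIRECTORY = [
    {"uid": "001122334455", "Fixed-master": "aabbccddeeff"},
    {"uid": "66778899aabb", "Fixed-master": "ffeeddccbbaa"},
]

if __name__ == "__main__":
    # Three proxies relay the same modem's request; only its Fixed-master matches.
    for proxy in ("aabbccddeeff", "ffeeddccbbaa", "0123456789ab"):
        print(proxy, is_authorized_proxy(DIRECTORY, "001122334455", proxy))
```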



