[RADIATOR] Rejecting requests from within PostSearchHook

Jon Smaller jesterx at gmail.com
Wed Oct 29 16:18:52 CST 2008


Thanks for pointing me in the right direction Hugh! There is other stuff i
have to do in the postsearchhook but adding a user check item that would
definitely fail solved my problem.
Thanks!

On Wed, Oct 29, 2008 at 5:57 PM, Hugh Irvine <hugh at open.com.au> wrote:

>
> Hello Jon -
>
> I don't think you need a hook for this, just a search filter:
>
>
>        <AuthBy LDAP2>
>                .....
>                SearchFilter (&(%0=%1)(Fixed-master=%{NAS-IP-Address}))
>                .....
>        </AuthBy>
>
>
> See section 5.36.15 in the Radiator 4.3.1 reference manual ("doc/ref.pdf").
>
> Otherwise you just need to add a user check item that you know will fail.
>
> There are a number of example hooks in "goodies/hooks.txt".
>
> hope that helps
>
> regards
>
> Hugh
>
>
>
> On 29 Oct 2008, at 12:41, Jon Smaller wrote:
>
>  Hi everyone,
>>
>> I run radiator version 4.3.1 on a redhat server. My current setup is as
>> follows:
>>
>> A modem comes online and sends a request as a broadcast to a proxy device.
>> The proxy device then constructs a radius request with the mac address of
>> the modem as the username and its own mac address as the NAS-Identifier.
>> After the radius server accepts this request, the modem is associated/bound
>> to that particular proxy device. Because of the way this access technology
>> works, when a modem comes online, several proxy devices can receive the
>> request from a single modem and they all send radius requests to the same
>> radius server. I want to be able to configure radius in such a way that it
>> will reject requests from all proxy devices except the one that i specify (I
>> have all modems in an LDAP database along with an attribute called
>> 'Fixed-master' which contains the mac address of the proxy device that I
>> want the modem to be associated with.)
>>
>> I have written a PostSearchHook and have gotten so far as obtaining the
>> NAS-Identifier from the request packet and obtaining the mac address of the
>> authorized proxy device from the LDAP and comparing the two. But i can't
>> seem to figure out how to reject the request from within the PostSearchHook.
>>
>> I have tried the following:
>>
>> $_[3]->{RadiusResult} = $main::REJECT;
>>
>> and
>>
>> $_[5]->set_code('Access-Reject');
>>
>> but none of them seems to work. Could someone help me and let me know how
>> i would go about Rejecting the request from within PostSearchHook (if it is
>> at all possible).
>>
>> Thank you,
>> Jon
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20081030/3865f2c3/attachment.html>


More information about the radiator mailing list