[RADIATOR] Conditionally deleting Reply-Message attribute in Access-Reject
Adnan Smajlovic
adnan.smajlovic at thecloud.net
Tue Aug 11 10:40:05 CDT 2009
Hi,
We are currently trying to find a way to remove the Reply-Message from an
Access-Reject if that message is equivalent to a particular string. This is
using Radiator 4.4.
A client sends a request to a RADIUS proxy, which adds an attribute before
sending it off for authentication by our core RADIUS server. We're happy
for the Reply-Message to be sent back if it is something we consider useful,
but certain strings (e.g. 'Proxied') we do not want to display to our
clients.
The application presenting error messages to the client has a default string
(with associated language translations) which is only presented if a
Reply-Message is not found. Amending the application to be more flexible
with the replies it gets is currently not an option.
In the debug example below I've tried using a ReplyHook to delete the
relevant attribute from the reply if the value is equal to 'Proxied', but
the proxy adds it back in before sending the Access-Reject back to the
client. Attempting to change it to another string works as expected.
Sample (handler) code excerpt:
<Handler>
    PreAuthHook sub { \
        # attribute addition not shown
    }
    <AuthBy SQLRADIUS>
        # host select and column definitions not shown
        ReplyHook sub { \
            &main::log($main::LOG_DEBUG, "Running ReplyHook"); \
            my $rp = ${$_[1]}; \
            my $result = $rp->code; \
            my $reply = $rp->get_attr('Reply-Message'); \
            &main::log($main::LOG_DEBUG, "Result = $result, Reply = $reply"); \
            if (($result eq 'Access-Reject') && ($reply eq 'Proxied')) { \
                &main::log($main::LOG_DEBUG, "Deleting Reply-Message attribute"); \
                $rp->delete_attr('Reply-Message'); \
                $reply = $rp->get_attr('Reply-Message'); \
                &main::log($main::LOG_DEBUG, "Reply: $reply"); \
            } \
        }
    </AuthBy>
    RejectHasReason
    AccountingHandled
</Handler>
Tue Aug 11 13:23:15 2009: DEBUG: Running ReplyHook
Tue Aug 11 13:23:15 2009: DEBUG: Result = Access-Reject, Reply = Proxied
Tue Aug 11 13:23:15 2009: DEBUG: Deleting Reply-Message attribute
Tue Aug 11 13:23:15 2009: DEBUG: Reply:
Tue Aug 11 13:23:15 2009: INFO: Access rejected for 123 at test.co.uk: Proxied
Tue Aug 11 13:23:15 2009: DEBUG: Packet dump:
*** Sending to 10.46.0.1 port 1814 ....
Code: Access-Reject
Identifier: 9
Authentic: <250><235>`<226>m<29><171>y<195><10><129>O<26><224>/<0>
Attributes:
Reply-Message = "Proxied"
Proxy-State = 142
I assume this is the default behaviour. Any ideas on how to achieve such a
conditional Reply-Message attribute deletion using Radiator?
Regards,
--
Adnan Smajlovic
The Cloud Networks Ltd.
http://www.thecloud.net/more-information/contact-us
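Added example, not part of the original post and not Radiator code: a wire-level view, in Python, of what the conditional deletion asked about above means for the Access-Reject in the packet dump. It drops a suppressed Reply-Message, keeps Proxy-State, and recomputes the Response Authenticator (RFC 2865), which covers the attribute list and so changes with it. The function names, shared secret and Request Authenticator are assumptions constructed for the example; the filter is assumed to sit on the client-facing side and to hold the client's shared secret.

```python
import hashlib
import struct

ACCESS_REJECT, REPLY_MESSAGE, PROXY_STATE = 3, 18, 33
# Constructed sample values (not from the post): shared secret and the
# Request Authenticator of the client's original Access-Request.
SAMPLE_SECRET = b"constructed-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))

def parse_attrs(data):
    """Split the attribute region into (type, value) pairs, checking lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def build(code, ident, request_auth, attrs, secret):
    """Encode a reply; authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def filter_reject(packet, request_auth, secret, suppressed):
    """Remove suppressed Reply-Message values from an Access-Reject and re-sign."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    if code != ACCESS_REJECT:
        return packet[:length]          # other reply types pass through untouched
    attrs = parse_attrs(packet[20:length])
    kept = [(t, v) for t, v in attrs
            if not (t == REPLY_MESSAGE
                    and v.decode("utf-8", "replace") in suppressed)]
    return build(code, ident, request_auth, kept, secret)

def sample_reject(message=b"Proxied"):
    """Constructed packet mirroring the dump: Identifier 9, Proxy-State 142."""
    return build(ACCESS_REJECT, 9, SAMPLE_REQUEST_AUTH,
                 [(REPLY_MESSAGE, message), (PROXY_STATE, b"142")], SAMPLE_SECRET)
```

A reply whose Reply-Message is not in the suppressed set comes back byte-for-byte identical, so messages considered useful still reach the client.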