[RADIATOR] IGNORE request after forwarding in PostAuthHook
Kiernan Mccoll
kiernan at staff.iinet.net.au
Sun May 17 22:02:42 CDT 2009
Hi,
I am configuring a RADIUS server to forward incoming auth requests to one of two servers, depending on some external factors (i.e. Server A will not be able to handle requests that need to go to Server B).
To accomplish this I am trying to send all requests to a handler with a PostAuthHook deciding which server to forward the requests to.
It's forwarding the requests fine, but returning Access-Rejected immediately afterwards instead of ignoring them as I intended.
The error suggests that I need an AuthBy for the Handler, but it's already getting past the Auth stage as it's clearly executing my PostAuthHook.
Is there a way to get this config to work? Or will I need to approach this completely differently? (with a PreHandlerHook, which will determine a Handler to use, for example)
Regards,
Kiernan McColl
Here are the relevant parts of my config, code, and the resulting debug log:
CONFIG:
==================
<Handler>
    Identifier default-handler
    PostAuthHook file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
    SessionDatabase null-session
</Handler>

<SessionDatabase NULL>
    Identifier null-session
</SessionDatabase>

<AuthBy RADIUS>
    Identifier auth-a
    Host 10.1.1.39
    AuthPort 1645
    IgnoreReplySignature
</AuthBy>

<AuthBy RADIUS>
    Identifier auth-b
    Host 10.1.1.40
    AuthPort 1645
    IgnoreReplySignature
</AuthBy>
hook/handler.hook:
==================
sub {
    my $op      = ${$_[0]};  # request
    my $rp      = ${$_[1]};  # reply
    my $handled = ${$_[2]};  # handledflag
    my $reason  = ${$_[3]};  # reason

    &main::log( $main::LOG_INFO, "[START:" . $op->{'OriginalUserName'} . "]" );

    # Request must go to either auth-a or auth-b depending
    # on some external conditions
    if ( &_proxyToServerB ) {
        &main::log( $main::LOG_INFO, "Forwarding to auth-b");
        my $authby = Radius::AuthGeneric::find('auth-b');
        $authby->handle_request($op);
    }
    else {
        &main::log( $main::LOG_INFO, "Forwarding to auth-a");
        my $authby = Radius::AuthGeneric::find('auth-a');
        $authby->handle_request($op);
    }

    &main::log( $main::LOG_INFO, "[END:" . $op->{'OriginalUserName'} . "]" );

    # Ignore the request, as we will get a reply from auth-a or auth-b to send back
    $handled = $main::IGNORE;
    return $main::IGNORE;
};
LOG:
==================
Mon May 18 18:19:41 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 47272 ....
Code: Access-Request
Identifier: 206
Attributes:
User-Name = "testuser1"
Mon May 18 18:19:41 2009: DEBUG: Handling request with Handler ''
Mon May 18 18:19:41 2009: INFO: [START:testuser1]
Mon May 18 18:19:41 2009: INFO: Forwarding to auth-b
Mon May 18 18:19:41 2009: DEBUG: Handling with Radius::AuthRADIUS
Mon May 18 18:19:41 2009: DEBUG: Packet dump:
*** Sending to 10.1.1.40 port 1645 ....
Code: Access-Request
Identifier: 6
Attributes:
User-Name = "testuser1"
Mon May 18 18:19:41 2009: INFO: [END:testuser1]
Mon May 18 18:19:41 2009: INFO: Access rejected for testuser1: No AuthBy found
Mon May 18 18:19:41 2009: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 47272 ....
Code: Access-Reject
Identifier: 206
Attributes:
Reply-Message = "Request Denied"
Mon May 18 18:19:41 2009: DEBUG: Received reply in AuthRADIUS for req 6 from 10.1.1.40:1645
Mon May 18 18:19:41 2009: DEBUG: Packet dump:
*** Received from 10.1.1.40 port 1645 ....
Code: Access-Accept
Identifier: 6
Attributes:
Service-Type = Framed
Framed-Protocol = PPP
cisco-avpair = "ip:addr-pool=default"
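
The hook above copies `${$_[2]}` into a lexical (`$handled`) and then assigns `$main::IGNORE` to that copy. The following stand-alone Perl example is an addition here, not part of the original post and not Radiator code, and shows the difference between that and writing through the reference. The constants, `run_hook`, and the assumption that the caller takes its result from the variable referenced by `$_[2]` rather than from the hook's return value are all hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator code. The constants and run_hook() below
# are hypothetical stand-ins for the server side of a hook call.
use strict;
use warnings;

my ($ACCEPT, $REJECT, $IGNORE) = (0, 1, 2);    # constructed values
my %NAME = ($ACCEPT => 'ACCEPT', $REJECT => 'REJECT', $IGNORE => 'IGNORE');

# Same pattern as the posted hook: ${$_[2]} is copied into a lexical, so the
# assignment changes the copy and the caller's variable is left untouched.
my $hook_copy = sub {
    my $handled = ${ $_[2] };
    $handled = $IGNORE;
    return $IGNORE;
};

# Writes through the references instead, so the caller sees the new values.
my $hook_deref = sub {
    ${ $_[2] } = $IGNORE;
    ${ $_[3] } = 'forwarded, reply will arrive later';
    return;
};

# Hypothetical caller: passes references to its own variables, discards the
# hook's return value, then acts on whatever $result holds afterwards.
sub run_hook {
    my ($hook) = @_;
    my ($request, $reply) = ({ 'User-Name' => 'testuser1' }, {});
    my ($result, $reason) = ($REJECT, 'No AuthBy found');
    $hook->(\$request, \$reply, \$result, \$reason);
    return ($result, $reason);
}

for my $case ([ 'copy into lexical', $hook_copy ],
              [ 'write through ref', $hook_deref ]) {
    my ($label, $hook) = @$case;
    my ($result, $reason) = run_hook($hook);
    printf "%-18s -> result=%s reason=%s\n", $label, $NAME{$result}, $reason;
}
```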