[RADIATOR] IGNORE request after forwarding in PostAuthHook
Hugh Irvine
hugh at open.com.au
Mon May 18 00:54:34 CDT 2009
Hello Kiernan -
You should use an AuthBy INTERNAL in the Handler with an AuthHook:
<Handler>
Identifier default-handler
<AuthBy INTERNAL>
DefaultResult IGNORE
AuthHook file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
</AuthBy>
SessionDatabase null-session
</Handler>
See section 5.48 in the Radiator 4.4 reference manual ("doc/ref.pdf").
Hope that helps.
Regards,
Hugh
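The AuthHook that Hugh's `<AuthBy INTERNAL>` snippet points at, written out as an added example (not code from Hugh's reply or from the Radiator distribution). It assumes the hook is called with the request and reply packets as its two arguments and returns a (result, reason) list; the realm-based routing rule is a hypothetical stand-in for the poster's unshown `_proxyToServerB`. The point is that the Handler only sends a reply itself when the AuthBy result is ACCEPT or REJECT, so returning IGNORE after handing the request to the proxy AuthBy is what stops the immediate Access-Reject.

```perl
# hook/handler.hook (added example, assumes AuthHook is called as ($p, $rp)).
# Runs inside <AuthBy INTERNAL>, so its return value IS the AuthBy result.
sub {
    my ($p, $rp) = @_;
    my $user = $p->{OriginalUserName};

    &main::log($main::LOG_INFO, "[START:$user]");

    # Hypothetical routing rule standing in for _proxyToServerB:
    # users in the realm "b.example" go to auth-b, everyone else to auth-a.
    my $target = ($user =~ /\@b\.example$/i) ? 'auth-b' : 'auth-a';

    my $authby = Radius::AuthGeneric::find($target);
    unless ($authby) {
        # Misconfiguration: fail closed instead of dropping the request silently.
        &main::log($main::LOG_ERR, "AuthBy $target not found for $user");
        return ($main::REJECT, "Proxy target $target not configured");
    }

    &main::log($main::LOG_INFO, "Forwarding $user to $target");
    $authby->handle_request($p, $rp);

    # IGNORE: the Handler sends nothing now; the AuthBy RADIUS forwards the
    # Access-Accept/Reject from the remote server when it arrives.
    return ($main::IGNORE, "Proxied to $target");
}
```

With `DefaultResult IGNORE` in the AuthBy, a hook that falls through without returning still does not produce a reject; the explicit return above keeps the reason visible in a trace 4 log.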
On 18 May 2009, at 13:02, Kiernan Mccoll wrote:
> Hi,
>
> I am configuring a radius server to forward incoming auth requests
> to one of two servers, depending on some external factors (i.e.
> Server A will not be able to handle requests that need to go to
> Server B).
>
> To accomplish this I am trying to send all requests to a handler
> with a PostAuthHook deciding which server to forward the requests to.
>
> It’s forwarding the requests fine, but returning Access-Rejected
> immediately afterwards instead of ignoring them as I intended.
> The error suggests that I need an AuthBy for the Handler, but it’s
> already getting past the Auth stage as it’s clearly executing my
> PostAuthHook.
>
> Is there a way to get this config to work? Or will I need to
> approach this completely differently? (with a PreHandlerHook, which
> will determine a Handler to use, for example)
>
> Regards,
> Kiernan McColl
>
> Here are the relevant parts of my config, code, and the resulting
> debug log:
>
> CONFIG:
> ==================
> <Handler>
> Identifier default-handler
> PostAuthHook file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
> SessionDatabase null-session
> </Handler>
>
> <SessionDatabase NULL>
> Identifier null-session
> </SessionDatabase>
>
>
> <AuthBy RADIUS>
> Identifier auth-a
> Host 10.1.1.39
> AuthPort 1645
> IgnoreReplySignature
> </AuthBy>
>
> <AuthBy RADIUS>
> Identifier auth-b
> Host 10.1.1.40
> AuthPort 1645
> IgnoreReplySignature
> </AuthBy>
>
>
> hook/handler.hook:
> ==================
> sub {
> my $op = ${$_[0]}; # request
> my $rp = ${$_[1]}; # reply
> my $handled = ${$_[2]}; # handled flag (this is a local copy)
> my $reason = ${$_[3]}; # reason
>
> &main::log( $main::LOG_INFO, "[START:" . $op->{'OriginalUserName'} . "]" );
>
> # Request must go to either auth-a or auth-b depending
> # on some external conditions (_proxyToServerB not shown here)
> if ( &_proxyToServerB ) {
> &main::log( $main::LOG_INFO, "Forwarding to auth-b");
> my $authby = Radius::AuthGeneric::find('auth-b');
> $authby->handle_request($op);
> }
> else {
> &main::log( $main::LOG_INFO, "Forwarding to auth-a");
> my $authby = Radius::AuthGeneric::find('auth-a');
> $authby->handle_request($op);
> }
>
> &main::log( $main::LOG_INFO, "[END:" . $op->{'OriginalUserName'} . "]" );
>
> # Ignore the request, as we will get a reply from auth-a or auth-b to send back
> ${$_[2]} = $main::IGNORE; # write through the reference; assigning to $handled only changes the copy
> return $main::IGNORE;
> };
>
>
> LOG:
> ==================
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 47272 ....
>
> Code: Access-Request
> Identifier: 206
> Attributes:
> User-Name = "testuser1"
>
> Mon May 18 18:19:41 2009: DEBUG: Handling request with Handler ''
> Mon May 18 18:19:41 2009: INFO: [START:testuser1]
> Mon May 18 18:19:41 2009: INFO: Forwarding to auth-b
> Mon May 18 18:19:41 2009: DEBUG: Handling with Radius::AuthRADIUS
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Sending to 10.1.1.40 port 1645 ....
>
> Code: Access-Request
> Identifier: 6
> Attributes:
> User-Name = "testuser1"
>
> Mon May 18 18:19:41 2009: INFO: [END:testuser1]
> Mon May 18 18:19:41 2009: INFO: Access rejected for testuser1: No AuthBy found
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 47272 ....
>
> Code: Access-Reject
> Identifier: 206
> Attributes:
> Reply-Message = "Request Denied"
>
> Mon May 18 18:19:41 2009: DEBUG: Received reply in AuthRADIUS for req 6 from 10.1.1.40:1645
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Received from 10.1.1.40 port 1645 ....
>
> Code: Access-Accept
> Identifier: 6
> Attributes:
> Service-Type = Framed
> Framed-Protocol = PPP
> cisco-avpair = "ip:addr-pool=default"
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.