[RADIATOR] IGNORE request after forwarding in PostAuthHook

Kiernan Mccoll kiernan at staff.iinet.net.au
Mon May 18 01:16:17 CDT 2009


Yep, that's got it working.

Mon May 18 22:10:04 2009: DEBUG: AuthBy INTERNAL result: IGNORE,

Thanks Hugh!


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Monday, May 18, 2009 1:55 PM
To: Kiernan Mccoll
Cc: 'radiator at open.com.au'
Subject: Re: [RADIATOR] IGNORE request after forwarding in PostAuthHook


Hello Kiernan -

You should use an AuthBy INTERNAL in the Handler with an AuthHook:


<Handler>
     Identifier  default-handler
     <AuthBy INTERNAL>
         DefaultResult IGNORE
         AuthHook    file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
     </AuthBy>
     SessionDatabase null-session
</Handler>


See section 5.48 in the Radiator 4.4 reference manual ("doc/ref.pdf").

hope that helps

regards

Hugh


On 18 May 2009, at 13:02, Kiernan Mccoll wrote:

> Hi,
>
> I am configuring a radius server to forward incoming auth requests
> to one of two servers, depending on some external factors. (ie.
> Server A will not be able to handle requests that need to go to
> Server B).
>
> To accomplish this I am trying to send all requests to a handler
> with a PostAuthHook deciding which server to forward the requests to.
>
> It's forwarding the requests fine, but returning Access-Rejected
> immediately afterwards instead of ignoring them as I intended.
> The error suggests that I need an AuthBy for the Handler, but it's
> already getting past the Auth stage as it's clearly executing my
> PostAuthHook.
>
> Is there a way to get this config to work? Or will I need to
> approach this completely differently? (with a PreHandlerHook, which
> will determine a Handler to use, for example)
>
> Regards,
> Kiernan McColl
>
> Here are the relevant parts of my config, code, and the resulting
> debug log:
>
> CONFIG:
> ==================
> <Handler>
>     Identifier  default-handler
>     PostAuthHook    file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
>     SessionDatabase null-session
> </Handler>
>
> <SessionDatabase NULL>
>         Identifier null-session
> </SessionDatabase>
>
>
> <AuthBy RADIUS>
>         Identifier  auth-a
>         Host                            10.1.1.39
>         AuthPort                        1645
>         IgnoreReplySignature
> </AuthBy>
>
> <AuthBy RADIUS>
>         Identifier      auth-b
>         Host                            10.1.1.40
>         AuthPort                        1645
>         IgnoreReplySignature
> </AuthBy>
>
>
> hook/handler.hook:
> ==================
> sub {
>     my $op          = ${$_[0]}; # request
>     my $rp          = ${$_[1]}; # reply
>     my $handled     = ${$_[2]}; # handledflag
>     my $reason      = ${$_[3]}; # reason
>
>     &main::log( $main::LOG_INFO, "[START:" . $op->{'OriginalUserName'} . "]" );
>
>     # Request must go to either auth-a or auth-b depending
>     # on some external conditions
>     if ( &_proxyToServerB ) {
>         &main::log( $main::LOG_INFO, "Forwarding to auth-b");
>         my $authby = Radius::AuthGeneric::find('auth-b');
>         $authby->handle_request($op);
>     }
>     else {
>         &main::log( $main::LOG_INFO, "Forwarding to auth-a");
>         my $authby = Radius::AuthGeneric::find('auth-a');
>         $authby->handle_request($op);
>     }
>
>     &main::log( $main::LOG_INFO, "[END:" . $op->{'OriginalUserName'} . "]" );
>
>     # Ignore the request, as we will get a reply from auth-a or auth-b to send back
>     $handled = $main::IGNORE;
>     return $main::IGNORE;
> };
>
>
> LOG:
> ==================
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 47272 ....
>
> Code:       Access-Request
> Identifier: 206
> Attributes:
>         User-Name = "testuser1"
>
> Mon May 18 18:19:41 2009: DEBUG: Handling request with Handler ''
> Mon May 18 18:19:41 2009: INFO: [START:testuser1]
> Mon May 18 18:19:41 2009: INFO: Forwarding to auth-b
> Mon May 18 18:19:41 2009: DEBUG: Handling with Radius::AuthRADIUS
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Sending to 10.1.1.40 port 1645 ....
>
> Code:       Access-Request
> Identifier: 6
> Attributes:
>         User-Name = "testuser1"
>
> Mon May 18 18:19:41 2009: INFO: [END:testuser1]
> Mon May 18 18:19:41 2009: INFO: Access rejected for testuser1: No
> AuthBy found
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 47272 ....
>
> Code:       Access-Reject
> Identifier: 206
> Attributes:
>         Reply-Message = "Request Denied"
>
> Mon May 18 18:19:41 2009: DEBUG: Received reply in AuthRADIUS for
> req 6 from 10.1.1.40:1645
> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
> *** Received from 10.1.1.40 port 1645 ....
>
> Code:       Access-Accept
> Identifier: 6
> Attributes:
>         Service-Type = Framed
>         Framed-Protocol = PPP
>         cisco-avpair = "ip:addr-pool=default"



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
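For readers arriving at this thread later, here is what the hook from the original post looks like once it is moved under the AuthBy INTERNAL that Hugh suggests. This is an added example and not code from Kiernan, Hugh, or the Radiator distribution. It assumes the AuthHook calling convention described in the Radiator reference manual (called with references to the request and reply, returning a list of result and reason), and it replaces the undefined `_proxyToServerB` from the post with a constructed decision on the User-Name realm; the realm `example.net`, the `$p->get_attr` call and the log wording are assumptions for illustration.

```perl
# hook/handler.hook, used as the AuthHook of an AuthBy INTERNAL (added example)
#
# Assumed calling convention (from the Radiator reference manual, AuthBy
# INTERNAL AuthHook): the hook receives \$p (the request) and \$rp (the
# reply being built) and returns ($result, $reason), where $result is one of
# $main::ACCEPT, $main::REJECT, $main::IGNORE or $main::CHALLENGE.
sub {
    my $p  = ${$_[0]};   # incoming Access-Request
    my $rp = ${$_[1]};   # reply packet under construction (unused here)

    # Constructed routing rule: users in the example.net realm go to auth-b,
    # everyone else to auth-a. Replace with the real external condition.
    my $user   = $p->get_attr('User-Name') || '';
    my $target = ($user =~ /\@example\.net$/i) ? 'auth-b' : 'auth-a';

    # Look up the AuthBy RADIUS clause by its Identifier, exactly as the
    # original hook does. Fail closed if the clause is not configured.
    my $authby = Radius::AuthGeneric::find($target);
    unless ($authby) {
        &main::log($main::LOG_ERR,
                   "No AuthBy with Identifier $target; rejecting $user");
        return ($main::REJECT, "Proxy target $target not configured");
    }

    &main::log($main::LOG_INFO, "Forwarding $user to $target");
    $authby->handle_request($p);

    # The AuthBy RADIUS forwards asynchronously and relays the upstream
    # reply to the NAS when it arrives. Returning IGNORE here (which the
    # DefaultResult IGNORE in the clause also covers) stops Radiator from
    # sending an Access-Reject now, which is the race visible in the
    # original debug log: the reject went out before auth-b's Access-Accept
    # came back.
    return ($main::IGNORE, "Forwarded to $target");
};
```

The explicit IGNORE return mirrors the `AuthBy INTERNAL result: IGNORE` line Kiernan saw once the config was changed; the only behavioural addition over the posted hook is the fail-closed REJECT when the named AuthBy cannot be found, so a typo in an Identifier is logged rather than silently dropping requests.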