[RADIATOR] IGNORE request after forwarding in PostAuthHook

Hugh Irvine hugh at open.com.au
Mon May 18 02:07:51 CDT 2009


Thanks for letting me know.

Hugh


On 18 May 2009, at 16:16, Kiernan Mccoll wrote:

> Yep, that's got it working.
>
> Mon May 18 22:10:04 2009: DEBUG: AuthBy INTERNAL result: IGNORE,
>
> Thanks Hugh!
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, May 18, 2009 1:55 PM
> To: Kiernan Mccoll
> Cc: 'radiator at open.com.au'
> Subject: Re: [RADIATOR] IGNORE request after forwarding in PostAuthHook
>
>
> Hello Kiernan -
>
> You should use an AuthBy INTERNAL in the Handler with an AuthHook:
>
>
> <Handler>
>     Identifier  default-handler
>     <AuthBy INTERNAL>
>         DefaultResult IGNORE
>         AuthHook    file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
>     </AuthBy>
>     SessionDatabase null-session
> </Handler>
>
>
> See section 5.48 in the Radiator 4.4 reference manual ("doc/ref.pdf").
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 18 May 2009, at 13:02, Kiernan Mccoll wrote:
>
>> Hi,
>>
>> I am configuring a radius server to forward incoming auth requests
>> to one of two servers, depending on some external factors. (ie.
>> Server A will not be able to handle requests that need to go to
>> Server B).
>>
>> To accomplish this I am trying to send all requests to a handler
>> with a PostAuthHook deciding which server to forward the requests to.
>>
>> It's forwarding the requests fine, but returning Access-Rejected
>> immediately afterwards instead of ignoring them as I intended.
>> The error suggests that I need an AuthBy for the Handler, but it's
>> already getting past the Auth stage as it's clearly executing my
>> PostAuthHook.
>>
>> Is there a way to get this config to work? Or will I need to
>> approach this completely differently? (with a PreHandlerHook, which
>> will determine a Handler to use, for example)
>>
>> Regards,
>> Kiernan McColl
>>
>> Here are the relevant parts of my config, code, and the resulting
>> debug log:
>>
>> CONFIG:
>> ==================
>> <Handler>
>>    Identifier  default-handler
>>    PostAuthHook    file:"%{GlobalVar:HOMEDIR}/hook/handler.hook"
>>    SessionDatabase null-session
>> </Handler>
>>
>> <SessionDatabase NULL>
>>        Identifier null-session
>> </SessionDatabase>
>>
>>
>> <AuthBy RADIUS>
>>        Identifier  auth-a
>>        Host                            10.1.1.39
>>        AuthPort                        1645
>>        IgnoreReplySignature
>> </AuthBy>
>>
>> <AuthBy RADIUS>
>>        Identifier      auth-b
>>        Host                            10.1.1.40
>>        AuthPort                        1645
>>        IgnoreReplySignature
>> </AuthBy>
>>
>>
>> hook/handler.hook:
>> ==================
>> sub {
>>    my $op          = ${$_[0]}; # request
>>    my $rp          = ${$_[1]}; # reply
>>    my $handled     = ${$_[2]}; # handledflag
>>    my $reason      = ${$_[3]}; # reason
>>
>>    &main::log( $main::LOG_INFO, "[START:" . $op->{'OriginalUserName'} . "]" );
>>
>>    # Request must go to either auth-a or auth-b depending
>>    # on some external conditions
>>    if ( &_proxyToServerB ) {
>>        &main::log( $main::LOG_INFO, "Forwarding to auth-b");
>>        my $authby = Radius::AuthGeneric::find('auth-b');
>>        $authby->handle_request($op);
>>    }
>>    else {
>>        &main::log( $main::LOG_INFO, "Forwarding to auth-a");
>>        my $authby = Radius::AuthGeneric::find('auth-a');
>>        $authby->handle_request($op);
>>    }
>>
>>    &main::log( $main::LOG_INFO, "[END:" . $op->{'OriginalUserName'} . "]" );
>>
>>    # Ignore the request, as we will get a reply from auth-a or auth-b to send back
>>    $handled = $main::IGNORE;
>>    return $main::IGNORE;
>> };
>>
>>
>> LOG:
>> ==================
>> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 47272 ....
>>
>> Code:       Access-Request
>> Identifier: 206
>> Attributes:
>>        User-Name = "testuser1"
>>
>> Mon May 18 18:19:41 2009: DEBUG: Handling request with Handler ''
>> Mon May 18 18:19:41 2009: INFO: [START:testuser1]
>> Mon May 18 18:19:41 2009: INFO: Forwarding to auth-b
>> Mon May 18 18:19:41 2009: DEBUG: Handling with Radius::AuthRADIUS
>> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
>> *** Sending to 10.1.1.40 port 1645 ....
>>
>> Code:       Access-Request
>> Identifier: 6
>> Attributes:
>>        User-Name = "testuser1"
>>
>> Mon May 18 18:19:41 2009: INFO: [END:testuser1]
>> Mon May 18 18:19:41 2009: INFO: Access rejected for testuser1: No
>> AuthBy found
>> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 47272 ....
>>
>> Code:       Access-Reject
>> Identifier: 206
>> Attributes:
>>        Reply-Message = "Request Denied"
>>
>> Mon May 18 18:19:41 2009: DEBUG: Received reply in AuthRADIUS for
>> req 6 from 10.1.1.40:1645
>> Mon May 18 18:19:41 2009: DEBUG: Packet dump:
>> *** Received from 10.1.1.40 port 1645 ....
>>
>> Code:       Access-Accept
>> Identifier: 6
>> Attributes:
>>        Service-Type = Framed
>>        Framed-Protocol = PPP
>>        cisco-avpair = "ip:addr-pool=default"
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>







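For readers following the thread, here is what the AuthHook for Hugh's AuthBy INTERNAL Handler could look like: it picks auth-a or auth-b, hands the request to that AuthBy RADIUS, and returns the IGNORE result it gets back so the Handler does not send its own Access-Reject. This is an added example, not code from the thread or from Radiator; it assumes the Identifiers auth-a and auth-b from Kiernan's config, that the hook receives references to the request and reply and returns a (result, reason) list (the general Radiator hook convention, to be checked against section 5.48 of the manual Hugh cites), and a constructed realm-based routing rule in place of the site-specific decision.

```perl
# Added example, not from the thread or from Radiator itself: an AuthHook
# for the AuthBy INTERNAL in Hugh's Handler. Assumptions: AuthBy RADIUS
# clauses named auth-a and auth-b; hook arguments are references to the
# request and reply; the hook returns a (result, reason) list.

# Routing policy (constructed example): users in realm "b.example" go to
# auth-b, everyone else to auth-a. Replace with the real decision.
my $proxy_to_b = sub {
    my ($p) = @_;
    my (undef, $realm) = split(/@/, $p->getUserName(), 2);
    return defined $realm && lc($realm) eq 'b.example';
};

# The file must evaluate to this code reference, so it is the last statement.
sub {
    my $p    = ${$_[0]};   # current Access-Request
    my $rp   = ${$_[1]};   # reply packet under construction
    my $user = $p->getUserName();

    my $target = $proxy_to_b->($p) ? 'auth-b' : 'auth-a';
    my $authby = Radius::AuthGeneric::find($target);

    unless ($authby) {
        # A missing Identifier is a configuration error: log it and reject
        # explicitly rather than silently falling back to DefaultResult.
        &main::log($main::LOG_ERR, "AuthBy $target not found for $user");
        return ($main::REJECT, "Proxy target $target is not configured");
    }

    &main::log($main::LOG_DEBUG, "Forwarding $user to $target");

    # AuthBy RADIUS transmits the proxied request and returns IGNORE; the
    # real Access-Accept/Reject goes to the NAS when the remote server
    # answers. Returning that result is what stops the Handler from
    # replying immediately (the premature Access-Reject in the original log).
    my ($result, $reason) = $authby->handle_request($p);
    return ($result, $reason);
};
```

Keep DefaultResult IGNORE in the AuthBy INTERNAL as Hugh shows, so request types the hook does not handle are also left for the proxy path rather than rejected.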