[RADIATOR] multiple AuthBy GROUPs
Matt
mnaismith at gmail.com
Sun Oct 11 20:07:20 CDT 2009
Hi Hugh,
Your test does demonstrate the functionality i'm after. I see the additions
in the request when I run the same test.
Two things break the example. Firstly if I change the AuthByPolicy to
ContinueWhileReject - example below. AddToRequest doesnt seem to do
anything. Secondly removing AuthBy Radius breaks AddToRequest as well..
Am I right in saying AuthBy Radius is required in the handler when adding
attributes with AddToRequest?
Thanks. It might be time for me to read the manual again ;)
Matt.
<Handler>
AuthByPolicy ContinueWhileReject
<AuthBy GROUP>
Identifier Group1
AddToRequest OSC-Environment-Identifier = Group1
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
</AuthBy>
<AuthBy GROUP>
Identifier Group2
AddToRequest OSC-Environment-Identifier = Group2
<AuthBy INTERNAL>
DefaultResult ACCEPT
</AuthBy>
</AuthBy>
</Handler>
On Mon, Oct 12, 2009 at 8:54 AM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Matt -
>
> I'm not sure I understand your question.
>
> Here is what I get in testing:
>
>
> <Handler>
>
> AuthByPolicy ContinueAlways
>
> <AuthBy GROUP>
> Identifier Group1
> AddToRequest OSC-Environment-Identifier = Group1
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group2
> AddToRequest OSC-Environment-Identifier = Group2
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group3
> AddToRequest OSC-Environment-Identifier = Group3
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> <AuthBy RADIUS>
> Host localhost
> AuthPort 1812
> AcctPort 1813
> Secret mysecret
> </AuthBy>
>
> </Handler>
>
>
> gives this result:
>
>
> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 63821 ....
> Code: Access-Request
> Identifier: 67
> Authentic: <222><147><137>A<127><197><159><14>8<182>J<248>0}<178><195>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
>
> Mon Oct 12 09:48:37 2009: DEBUG: Handling request with Handler ''
> Mon Oct 12 09:48:37 2009: DEBUG: Deleting session for mikem, 203.63.154.1,
> 1234
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP: Group1
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed by
> DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP: Group2
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed by
> DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP: Group3
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed by
> DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthRADIUS
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy RADIUS creates new local socket '
> 0.0.0.0:0' for sending requests
> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
> Code: Access-Request
> Identifier: 1
> Authentic: <222><147><137>A<127><197><159><14>8<182>J<248>0}<178><195>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
> OSC-Environment-Identifier = "Group1"
> OSC-Environment-Identifier = "Group2"
> OSC-Environment-Identifier = "Group3"
>
>
> ....
>
> regards
>
> Hugh
>
>
>
>
> On 11 Oct 2009, at 23:25, Matt wrote:
>
> Hi,
>>
>> In a previous post, i've seen the below suggested to make use of
>> AddToRequest as "place holders".
>> It would appear that although the request works its way through all
>> GROUPs, only the first AddToRequest gets applied. So in a PostAuthHook for
>> example, regardless of which GROUP authenticates the user, I only ever see
>> the value of AuthBy1 in the first GROUP.
>> Am I missing something here ?
>>
>> Thanks in advance.. Matt.
>>
>>
>> <Handler ....>
>> AuthByPolicy .....
>> <AuthBy GROUP>
>> <AuthBy LDAP2>
>> .....
>> </AuthBy>
>> AddToRequest AuthBy1 = LDAP2
>>
>> </AuthBy>
>> <AuthBy GROUP>
>> <AuthBy SQL>
>> .....
>> </AuthBy>
>> AddToRequest AuthBy2 = SQL
>> </AuthBy>
>> .....
>> </Handler>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (
> www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20091012/4e79e8be/attachment-0001.html
More information about the radiator
mailing list