[RADIATOR] multiple AuthBy GROUPs

Hugh Irvine hugh at open.com.au
Sun Oct 11 23:59:20 CDT 2009


Hello Matt -

Here is what I get with Radiator 4.4:


.....

<Handler>

         AuthByPolicy ContinueAlways

         <AuthBy GROUP>
                 Identifier Group1
                 AddToRequest OSC-Environment-Identifier = Group1
                 <AuthBy INTERNAL>
                         DefaultResult REJECT
                 </AuthBy>
         </AuthBy>

         <AuthBy GROUP>
                 Identifier Group2
                 AddToRequest OSC-Environment-Identifier = Group2
                 <AuthBy INTERNAL>
                         DefaultResult REJECT
                 </AuthBy>
         </AuthBy>

         <AuthBy GROUP>
                 Identifier Group3
                 AddToRequest OSC-Environment-Identifier = Group3
                 <AuthBy INTERNAL>
                         DefaultResult REJECT
                 </AuthBy>
         </AuthBy>

         <AuthBy RADIUS>
                 Host localhost
                 AuthPort 1812
                 AcctPort 1813
                 Secret mysecret
         </AuthBy>

</Handler>


.....

Mon Oct 12 15:45:18 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 59791 ....
Code:       Access-Request
Identifier: 48
Authentic:  <231><200>;N<<144>'@_<19><16><165><244><13>+<16>
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password =  
<213><241>~<229><168><25><208>V<183><249>#3<172><187><23><192>

Mon Oct 12 15:45:18 2009: DEBUG: Handling request with Handler ''
Mon Oct 12 15:45:18 2009: DEBUG:  Deleting session for mikem,  
203.63.154.1, 1234
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group1
Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by  
DefaultResult
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group2
Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by  
DefaultResult
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group3
Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by  
DefaultResult
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthRADIUS
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy RADIUS creates new local  
socket '0.0.0.0:0' for sending requests
Mon Oct 12 15:45:18 2009: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1812 ....
Code:       Access-Request
Identifier: 1
Authentic:  <231><200>;N<<144>'@_<19><16><165><244><13>+<16>
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password =  
<213><241>~<229><168><25><208>V<183><249>#3<172><187><23><192>
	OSC-Environment-Identifier = "Group1"
	OSC-Environment-Identifier = "Group2"
	OSC-Environment-Identifier = "Group3"



The AuthBy RADIUS doesn't change anything - it is just a simple way to  
see what is in the request in the debug log.

regards

Hugh



On 12 Oct 2009, at 12:07, Matt wrote:

> Hi Hugh,
>
> Your test does demonstrate the functionality i'm after.  I see the  
> additions in the  request when I run the same test.
>
> Two things break the example.   Firstly if I change the AuthByPolicy  
> to ContinueWhileReject -  example below. AddToRequest doesnt seem to  
> do anything.     Secondly removing  AuthBy Radius breaks  
> AddToRequest as well.. Am I right in saying AuthBy Radius is  
> required in the handler when adding attributes with AddToRequest?
>
> Thanks.  It might be time for me to read the manual again ;)
>
> Matt.
>
>
> <Handler>
>
>        AuthByPolicy ContinueWhileReject
>
>        <AuthBy GROUP>
>                Identifier Group1
>                AddToRequest OSC-Environment-Identifier = Group1
>                <AuthBy INTERNAL>
>                        DefaultResult REJECT
>                </AuthBy>
>        </AuthBy>
>
>        <AuthBy GROUP>
>                Identifier Group2
>                AddToRequest OSC-Environment-Identifier = Group2
>                <AuthBy INTERNAL>
>                 DefaultResult ACCEPT
>                </AuthBy>
>        </AuthBy>
>
> </Handler>
>
> On Mon, Oct 12, 2009 at 8:54 AM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Matt -
>
> I'm not sure I understand your question.
>
> Here is what I get in testing:
>
>
> <Handler>
>
>        AuthByPolicy ContinueAlways
>
>        <AuthBy GROUP>
>                Identifier Group1
>                AddToRequest OSC-Environment-Identifier = Group1
>                <AuthBy INTERNAL>
>                        DefaultResult ACCEPT
>                </AuthBy>
>        </AuthBy>
>
>        <AuthBy GROUP>
>                Identifier Group2
>                AddToRequest OSC-Environment-Identifier = Group2
>                <AuthBy INTERNAL>
>                        DefaultResult ACCEPT
>                </AuthBy>
>        </AuthBy>
>
>        <AuthBy GROUP>
>                Identifier Group3
>                AddToRequest OSC-Environment-Identifier = Group3
>                <AuthBy INTERNAL>
>                        DefaultResult ACCEPT
>                </AuthBy>
>        </AuthBy>
>
>        <AuthBy RADIUS>
>                Host localhost
>                AuthPort 1812
>                AcctPort 1813
>                Secret mysecret
>        </AuthBy>
>
> </Handler>
>
>
> gives this result:
>
>
> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 63821 ....
> Code:       Access-Request
> Identifier: 67
> Authentic:  <222><147><137>A<127><197><159><14>8<182>J<248>0} 
> <178><195>
> Attributes:
>        User-Name = "mikem"
>        Service-Type = Framed-User
>        NAS-IP-Address = 203.63.154.1
>        NAS-Identifier = "203.63.154.1"
>        NAS-Port = 1234
>        Called-Station-Id = "123456789"
>        Calling-Station-Id = "987654321"
>        NAS-Port-Type = Async
>        User-Password =  
> C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
>
> Mon Oct 12 09:48:37 2009: DEBUG: Handling request with Handler ''
> Mon Oct 12 09:48:37 2009: DEBUG:  Deleting session for mikem,  
> 203.63.154.1, 1234
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP:  
> Group1
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed  
> by DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP:  
> Group2
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed  
> by DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP:  
> Group3
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed  
> by DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthRADIUS
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy RADIUS creates new local  
> socket '0.0.0.0:0' for sending requests
> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  <222><147><137>A<127><197><159><14>8<182>J<248>0} 
> <178><195>
> Attributes:
>        User-Name = "mikem"
>        Service-Type = Framed-User
>        NAS-IP-Address = 203.63.154.1
>        NAS-Identifier = "203.63.154.1"
>        NAS-Port = 1234
>        Called-Station-Id = "123456789"
>        Calling-Station-Id = "987654321"
>        NAS-Port-Type = Async
>        User-Password =  
> C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
>        OSC-Environment-Identifier = "Group1"
>        OSC-Environment-Identifier = "Group2"
>        OSC-Environment-Identifier = "Group3"
>
>
> ....
>
> regards
>
> Hugh
>
>
>
>
> On 11 Oct 2009, at 23:25, Matt wrote:
>
> Hi,
>
> In a previous post, i've seen the below suggested to make use of  
> AddToRequest as "place holders".
> It would appear that although the request works its way through all  
> GROUPs, only the first AddToRequest gets applied. So in a   
> PostAuthHook for example, regardless of which GROUP authenticates  
> the user, I only ever see the value of AuthBy1 in the first GROUP.
> Am I missing something here ?
>
> Thanks in advance.. Matt.
>
>
> <Handler ....>
>        AuthByPolicy .....
>        <AuthBy GROUP>
>                <AuthBy LDAP2>
>                        .....
>                </AuthBy>
>                AddToRequest AuthBy1 = LDAP2
>
>        </AuthBy>
>        <AuthBy GROUP>
>                <AuthBy SQL>
>                        .....
>                </AuthBy>
>                AddToRequest AuthBy2 = SQL
>        </AuthBy>
>        .....
> </Handler>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator 
> )?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator 
)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.




More information about the radiator mailing list