[RADIATOR] multiple AuthBy GROUPs
Hugh Irvine
hugh at open.com.au
Sun Oct 11 23:59:20 CDT 2009
Hello Matt -
Here is what I get with Radiator 4.4:
.....
<Handler>
AuthByPolicy ContinueAlways
<AuthBy GROUP>
Identifier Group1
AddToRequest OSC-Environment-Identifier = Group1
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
</AuthBy>
<AuthBy GROUP>
Identifier Group2
AddToRequest OSC-Environment-Identifier = Group2
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
</AuthBy>
<AuthBy GROUP>
Identifier Group3
AddToRequest OSC-Environment-Identifier = Group3
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
</AuthBy>
<AuthBy RADIUS>
Host localhost
AuthPort 1812
AcctPort 1813
Secret mysecret
</AuthBy>
</Handler>
.....
Mon Oct 12 15:45:18 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 59791 ....
Code: Access-Request
Identifier: 48
Authentic: <231><200>;N<<144>'@_<19><16><165><244><13>+<16>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
<213><241>~<229><168><25><208>V<183><249>#3<172><187><23><192>
Mon Oct 12 15:45:18 2009: DEBUG: Handling request with Handler ''
Mon Oct 12 15:45:18 2009: DEBUG: Deleting session for mikem,
203.63.154.1, 1234
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group1
Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by
DefaultResult
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group2
Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by
DefaultResult
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group3
Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by
DefaultResult
Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthRADIUS
Mon Oct 12 15:45:18 2009: DEBUG: AuthBy RADIUS creates new local
socket '0.0.0.0:0' for sending requests
Mon Oct 12 15:45:18 2009: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1812 ....
Code: Access-Request
Identifier: 1
Authentic: <231><200>;N<<144>'@_<19><16><165><244><13>+<16>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
<213><241>~<229><168><25><208>V<183><249>#3<172><187><23><192>
OSC-Environment-Identifier = "Group1"
OSC-Environment-Identifier = "Group2"
OSC-Environment-Identifier = "Group3"
The AuthBy RADIUS doesn't change anything - it is just a simple way to
see what is in the request in the debug log.
regards
Hugh
On 12 Oct 2009, at 12:07, Matt wrote:
> Hi Hugh,
>
> Your test does demonstrate the functionality i'm after. I see the
> additions in the request when I run the same test.
>
> Two things break the example. Firstly if I change the AuthByPolicy
> to ContinueWhileReject - example below. AddToRequest doesnt seem to
> do anything. Secondly removing AuthBy Radius breaks
> AddToRequest as well.. Am I right in saying AuthBy Radius is
> required in the handler when adding attributes with AddToRequest?
>
> Thanks. It might be time for me to read the manual again ;)
>
> Matt.
>
>
> <Handler>
>
> AuthByPolicy ContinueWhileReject
>
> <AuthBy GROUP>
> Identifier Group1
> AddToRequest OSC-Environment-Identifier = Group1
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group2
> AddToRequest OSC-Environment-Identifier = Group2
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> </Handler>
>
> On Mon, Oct 12, 2009 at 8:54 AM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Matt -
>
> I'm not sure I understand your question.
>
> Here is what I get in testing:
>
>
> <Handler>
>
> AuthByPolicy ContinueAlways
>
> <AuthBy GROUP>
> Identifier Group1
> AddToRequest OSC-Environment-Identifier = Group1
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group2
> AddToRequest OSC-Environment-Identifier = Group2
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group3
> AddToRequest OSC-Environment-Identifier = Group3
> <AuthBy INTERNAL>
> DefaultResult ACCEPT
> </AuthBy>
> </AuthBy>
>
> <AuthBy RADIUS>
> Host localhost
> AuthPort 1812
> AcctPort 1813
> Secret mysecret
> </AuthBy>
>
> </Handler>
>
>
> gives this result:
>
>
> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 63821 ....
> Code: Access-Request
> Identifier: 67
> Authentic: <222><147><137>A<127><197><159><14>8<182>J<248>0}
> <178><195>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
>
> Mon Oct 12 09:48:37 2009: DEBUG: Handling request with Handler ''
> Mon Oct 12 09:48:37 2009: DEBUG: Deleting session for mikem,
> 203.63.154.1, 1234
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP:
> Group1
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed
> by DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP:
> Group2
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed
> by DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP:
> Group3
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed
> by DefaultResult
> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthRADIUS
> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy RADIUS creates new local
> socket '0.0.0.0:0' for sending requests
> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
> Code: Access-Request
> Identifier: 1
> Authentic: <222><147><137>A<127><197><159><14>8<182>J<248>0}
> <178><195>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
> OSC-Environment-Identifier = "Group1"
> OSC-Environment-Identifier = "Group2"
> OSC-Environment-Identifier = "Group3"
>
>
> ....
>
> regards
>
> Hugh
>
>
>
>
> On 11 Oct 2009, at 23:25, Matt wrote:
>
> Hi,
>
> In a previous post, i've seen the below suggested to make use of
> AddToRequest as "place holders".
> It would appear that although the request works its way through all
> GROUPs, only the first AddToRequest gets applied. So in a
> PostAuthHook for example, regardless of which GROUP authenticates
> the user, I only ever see the value of AuthBy1 in the first GROUP.
> Am I missing something here ?
>
> Thanks in advance.. Matt.
>
>
> <Handler ....>
> AuthByPolicy .....
> <AuthBy GROUP>
> <AuthBy LDAP2>
> .....
> </AuthBy>
> AddToRequest AuthBy1 = LDAP2
>
> </AuthBy>
> <AuthBy GROUP>
> <AuthBy SQL>
> .....
> </AuthBy>
> AddToRequest AuthBy2 = SQL
> </AuthBy>
> .....
> </Handler>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator
> )?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator
)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list