[RADIATOR] multiple AuthBy GROUPs
Matt
mnaismith at gmail.com
Mon Oct 12 01:05:44 CDT 2009
Hi,
Thanks for your help but I'm not getting anywhere. I suspect I've not been
very clear in the description of the problem. I'll re-think what i'm doing
another day..
Matt.
On Mon, Oct 12, 2009 at 2:59 PM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Matt -
>
> Here is what I get with Radiator 4.4:
>
>
> .....
>
> <Handler>
>
> AuthByPolicy ContinueAlways
>
> <AuthBy GROUP>
> Identifier Group1
> AddToRequest OSC-Environment-Identifier = Group1
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group2
> AddToRequest OSC-Environment-Identifier = Group2
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier Group3
> AddToRequest OSC-Environment-Identifier = Group3
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> </AuthBy>
>
> <AuthBy RADIUS>
> Host localhost
> AuthPort 1812
> AcctPort 1813
> Secret mysecret
> </AuthBy>
>
> </Handler>
>
>
> .....
>
> Mon Oct 12 15:45:18 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 59791 ....
> Code: Access-Request
> Identifier: 48
> Authentic: <231><200>;N<<144>'@_<19><16><165><244><13>+<16>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> <213><241>~<229><168><25><208>V<183><249>#3<172><187><23><192>
>
> Mon Oct 12 15:45:18 2009: DEBUG: Handling request with Handler ''
> Mon Oct 12 15:45:18 2009: DEBUG: Deleting session for mikem, 203.63.154.1,
> 1234
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group1
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by
> DefaultResult
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group2
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by
> DefaultResult
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthGROUP: Group3
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with AuthINTERNAL:
> Mon Oct 12 15:45:18 2009: DEBUG: AuthBy GROUP result: REJECT, Fixed by
> DefaultResult
> Mon Oct 12 15:45:18 2009: DEBUG: Handling with Radius::AuthRADIUS
> Mon Oct 12 15:45:18 2009: DEBUG: AuthBy RADIUS creates new local socket '
> 0.0.0.0:0' for sending requests
> Mon Oct 12 15:45:18 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
> Code: Access-Request
> Identifier: 1
> Authentic: <231><200>;N<<144>'@_<19><16><165><244><13>+<16>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> <213><241>~<229><168><25><208>V<183><249>#3<172><187><23><192>
> OSC-Environment-Identifier = "Group1"
> OSC-Environment-Identifier = "Group2"
> OSC-Environment-Identifier = "Group3"
>
>
>
> The AuthBy RADIUS doesn't change anything - it is just a simple way to see
> what is in the request in the debug log.
>
> regards
>
> Hugh
>
>
>
>
> On 12 Oct 2009, at 12:07, Matt wrote:
>
> Hi Hugh,
>>
>> Your test does demonstrate the functionality i'm after. I see the
>> additions in the request when I run the same test.
>>
>> Two things break the example. Firstly if I change the AuthByPolicy to
>> ContinueWhileReject - example below. AddToRequest doesnt seem to do
>> anything. Secondly removing AuthBy Radius breaks AddToRequest as well..
>> Am I right in saying AuthBy Radius is required in the handler when adding
>> attributes with AddToRequest?
>>
>> Thanks. It might be time for me to read the manual again ;)
>>
>> Matt.
>>
>>
>> <Handler>
>>
>> AuthByPolicy ContinueWhileReject
>>
>> <AuthBy GROUP>
>> Identifier Group1
>> AddToRequest OSC-Environment-Identifier = Group1
>> <AuthBy INTERNAL>
>> DefaultResult REJECT
>> </AuthBy>
>> </AuthBy>
>>
>> <AuthBy GROUP>
>> Identifier Group2
>> AddToRequest OSC-Environment-Identifier = Group2
>> <AuthBy INTERNAL>
>> DefaultResult ACCEPT
>> </AuthBy>
>> </AuthBy>
>>
>> </Handler>
>>
>> On Mon, Oct 12, 2009 at 8:54 AM, Hugh Irvine <hugh at open.com.au> wrote:
>>
>> Hello Matt -
>>
>> I'm not sure I understand your question.
>>
>> Here is what I get in testing:
>>
>>
>> <Handler>
>>
>> AuthByPolicy ContinueAlways
>>
>> <AuthBy GROUP>
>> Identifier Group1
>> AddToRequest OSC-Environment-Identifier = Group1
>> <AuthBy INTERNAL>
>> DefaultResult ACCEPT
>> </AuthBy>
>> </AuthBy>
>>
>> <AuthBy GROUP>
>> Identifier Group2
>> AddToRequest OSC-Environment-Identifier = Group2
>> <AuthBy INTERNAL>
>> DefaultResult ACCEPT
>> </AuthBy>
>> </AuthBy>
>>
>> <AuthBy GROUP>
>> Identifier Group3
>> AddToRequest OSC-Environment-Identifier = Group3
>> <AuthBy INTERNAL>
>> DefaultResult ACCEPT
>> </AuthBy>
>> </AuthBy>
>>
>> <AuthBy RADIUS>
>> Host localhost
>> AuthPort 1812
>> AcctPort 1813
>> Secret mysecret
>> </AuthBy>
>>
>> </Handler>
>>
>>
>> gives this result:
>>
>>
>> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 63821 ....
>> Code: Access-Request
>> Identifier: 67
>> Authentic: <222><147><137>A<127><197><159><14>8<182>J<248>0}<178><195>
>> Attributes:
>> User-Name = "mikem"
>> Service-Type = Framed-User
>> NAS-IP-Address = 203.63.154.1
>> NAS-Identifier = "203.63.154.1"
>> NAS-Port = 1234
>> Called-Station-Id = "123456789"
>> Calling-Station-Id = "987654321"
>> NAS-Port-Type = Async
>> User-Password = C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
>>
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling request with Handler ''
>> Mon Oct 12 09:48:37 2009: DEBUG: Deleting session for mikem,
>> 203.63.154.1, 1234
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP: Group1
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
>> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed by
>> DefaultResult
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP: Group2
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
>> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed by
>> DefaultResult
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthGROUP: Group3
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with AuthINTERNAL:
>> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy GROUP result: ACCEPT, Fixed by
>> DefaultResult
>> Mon Oct 12 09:48:37 2009: DEBUG: Handling with Radius::AuthRADIUS
>> Mon Oct 12 09:48:37 2009: DEBUG: AuthBy RADIUS creates new local socket '
>> 0.0.0.0:0' for sending requests
>> Mon Oct 12 09:48:37 2009: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 1812 ....
>> Code: Access-Request
>> Identifier: 1
>> Authentic: <222><147><137>A<127><197><159><14>8<182>J<248>0}<178><195>
>> Attributes:
>> User-Name = "mikem"
>> Service-Type = Framed-User
>> NAS-IP-Address = 203.63.154.1
>> NAS-Identifier = "203.63.154.1"
>> NAS-Port = 1234
>> Called-Station-Id = "123456789"
>> Calling-Station-Id = "987654321"
>> NAS-Port-Type = Async
>> User-Password = C<136>Kd<180><240>><11>f<175><254>k<168><217>Y<155>
>> OSC-Environment-Identifier = "Group1"
>> OSC-Environment-Identifier = "Group2"
>> OSC-Environment-Identifier = "Group3"
>>
>>
>> ....
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>> On 11 Oct 2009, at 23:25, Matt wrote:
>>
>> Hi,
>>
>> In a previous post, i've seen the below suggested to make use of
>> AddToRequest as "place holders".
>> It would appear that although the request works its way through all
>> GROUPs, only the first AddToRequest gets applied. So in a PostAuthHook for
>> example, regardless of which GROUP authenticates the user, I only ever see
>> the value of AuthBy1 in the first GROUP.
>> Am I missing something here ?
>>
>> Thanks in advance.. Matt.
>>
>>
>> <Handler ....>
>> AuthByPolicy .....
>> <AuthBy GROUP>
>> <AuthBy LDAP2>
>> .....
>> </AuthBy>
>> AddToRequest AuthBy1 = LDAP2
>>
>> </AuthBy>
>> <AuthBy GROUP>
>> <AuthBy SQL>
>> .....
>> </AuthBy>
>> AddToRequest AuthBy2 = SQL
>> </AuthBy>
>> .....
>> </Handler>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (
>> www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (
> www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20091012/2dfa8f4f/attachment-0001.html
More information about the radiator
mailing list