[RADIATOR] RejectReason Problem with AuthHANDLER

Hugh Irvine hugh at open.com.au
Mon Jun 28 22:47:27 CDT 2010


Hello Alex -

Thanks for letting us know about this.

Should be fixed in the latest Radiator 4.6 patches.

regards

Hugh


On 28 Jun 2010, at 18:35, Alexander Hartmaier wrote:

> Hi,
> 
> Radiator doesn't send the RejectReason when using AuthHANDLER but instead the hardcoded return string from AuthHANDLER.pm.
> 
> This is an excerpt of my config:
> 
> <Handler Client-Identifier="hostname" Request-Type="Access-Request">
>     AuthByPolicy    ContinueUntilIgnore
> 
>     # Show any rejection reason to the end user
>     RejectHasReason
> 
>     <AuthBy LDAP2>
>         AuthAttrDef memberof,GENERIC,request
> 
>         # this populates Request:X-Identifier
>         PostSearchHook file:"%D/ldap_authselect_by_group.pl"
>     </AuthBy>
> 
>     <AuthBy HANDLER>
>         HandlerId %{Request:X-Identifier}
>     </AuthBy>
> </Handler>
>     
> 
> <Handler>
>     Identifier reject
> 
>     # Show any rejection reason to the end user
>     RejectHasReason
> 
>     <AuthBy INTERNAL>
>         AuthResult REJECT
>         RejectReason User isn't member of an OTP ldap group, rejecting
>     </AuthBy>
> </Handler>
> 
> This is the level 4 log where the issue can be seen:
> 
> Mon Jun 28 08:20:06 2010: DEBUG: Handling with AuthINTERNAL: 
> Mon Jun 28 08:20:06 2010: DEBUG: AuthBy INTERNAL result: REJECT, User isn't member of an OTP ldap group, rejecting
> Mon Jun 28 08:20:06 2010: DEBUG: AuthBy HANDLER result: REJECT, redirected by AuthHANDLER
> Mon Jun 28 08:20:06 2010: INFO: Access rejected for test: redirected by AuthHANDLER
> Mon Jun 28 08:20:06 2010: DEBUG: Packet dump:
> *** Sending to 1.2.3.4 port 1025 ....
> Code:       Access-Reject
> Identifier: 1
> Authentic:  <24>?N<127><151><193><229>Q<148><174>B!<1>^<233>*
> Attributes:
> Reply-Message = "redirected by AuthHANDLER"
> 
> 
> -- 
> Best regards, Alex
> 
> 
> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
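
A way to check a trace 4 log for the symptom reported above, before and after applying the patches. This is an added example, not code from the thread or from Radiator; the line patterns are taken from the quoted log excerpt. The second request in the sample is constructed and assumes that a fixed server logs the inner reason on both lines.

```python
import re

# Line shapes taken from the trace 4 excerpt quoted in the report.
AUTHBY_RE = re.compile(r"DEBUG: AuthBy (\S+) result: REJECT, (.*)$")
FINAL_RE = re.compile(r"INFO: Access rejected for (.+?): (.*)$")

# First request: lines from the report. Second request: constructed sample
# (assumed shape of the log once the inner RejectReason is passed through).
SAMPLE_LOG = """\
Mon Jun 28 08:20:06 2010: DEBUG: AuthBy INTERNAL result: REJECT, User isn't member of an OTP ldap group, rejecting
Mon Jun 28 08:20:06 2010: DEBUG: AuthBy HANDLER result: REJECT, redirected by AuthHANDLER
Mon Jun 28 08:20:06 2010: INFO: Access rejected for test: redirected by AuthHANDLER
Mon Jun 28 08:21:10 2010: DEBUG: AuthBy INTERNAL result: REJECT, User isn't member of an OTP ldap group, rejecting
Mon Jun 28 08:21:10 2010: DEBUG: AuthBy HANDLER result: REJECT, User isn't member of an OTP ldap group, rejecting
Mon Jun 28 08:21:10 2010: INFO: Access rejected for test2: User isn't member of an OTP ldap group, rejecting
""".splitlines()


def find_masked_rejects(lines):
    """Return (user, inner_reason, sent_reason) for each reject where the
    reason logged by the first rejecting AuthBy is not the one sent out.

    Assumption: requests are logged one at a time, so the AuthBy result
    lines before an "Access rejected" line belong to that request.
    """
    findings = []
    inner_reason = None  # first REJECT reason seen for the current request
    for line in lines:
        m = AUTHBY_RE.search(line.rstrip("\n"))
        if m:
            # In the excerpt the redirected-to clause (AuthBy INTERNAL) logs
            # first; the outer AuthBy HANDLER logs its own result afterwards.
            if inner_reason is None:
                inner_reason = m.group(2)
            continue
        m = FINAL_RE.search(line.rstrip("\n"))
        if m:
            user, sent = m.group(1), m.group(2)
            if inner_reason is not None and inner_reason != sent:
                findings.append((user, inner_reason, sent))
            inner_reason = None  # next request starts clean
    return findings


if __name__ == "__main__":
    for user, inner, sent in find_masked_rejects(SAMPLE_LOG):
        print(f"{user}: configured reason {inner!r} replaced by {sent!r}")
```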




