[RADIATOR] Multiple AuthBy RADIUS blocks
Hugh Irvine
hugh at open.com.au
Tue Mar 9 18:49:37 CST 2010
Hello Alex -
Thanks for the interesting question.
There is in fact an example ReplyHook in "goodies/hooks.txt", however it does not show how to deal with multiple proxies.
Here is an example, using two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.
The first Handler calls the first AuthBy RADIUS clause which contains a ReplyHook to continue processing.
This ReplyHook adds the required reply attribute(s) from the proxy reply to the original request so they can be retrieved later, then it calls an AuthBy HANDLER clause to redispatch the request to a second Handler.
The second Handler proxies to the second proxy target and calls a second ReplyHook.
The second ReplyHook sets the final RadiusResult to ACCEPT.
Hopefully you get the idea.
This is the configuration file:
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 5
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
        Secret mysecret
        DupInterval 0
</Client>

<AuthBy RADIUS>
        Identifier Proxy1
        Host localhost
        Secret mysecret
        AuthPort 11645
        AcctPort 11646
        ReplyHook file:"%D/proxy.pl"
</AuthBy>

<AuthBy RADIUS>
        Identifier Proxy2
        Host localhost
        Secret mysecret
        AuthPort 22645
        AcctPort 22646
        ReplyHook file:"%D/proxy2.pl"
        AddToReply cisco-avpair = %{cisco-avpair}
</AuthBy>

<AuthBy HANDLER>
        Identifier ForwardToProxy2
        HandlerId %{OSC-AVPAIR}
</AuthBy>

<Handler>
        Identifier Proxy1
        AuthBy Proxy1
</Handler>

<Handler>
        Identifier Proxy2
        AuthBy Proxy2
</Handler>
And here are the two ReplyHooks:
# proxy.pl
sub
{
    my $p  = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy (not used in this hook)

    # Find the AuthBy clause with the same Identifier
    my $identifier = 'ForwardToProxy2';
    my $authby = Radius::AuthGeneric::find($identifier);
    &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier")
        if defined $authby;

    # Get the reply code from the proxy reply.
    my $code = $p->code;
    if ($code eq 'Access-Accept')
    {
        # Redispatch the original request to the second Handler,
        # or if the AuthBy is undefined set the result to Access-Reject.
        if (defined $authby)
        {
            # Carry the attribute from the proxy reply in the original
            # request so it can be retrieved later by the second stage
            my $avpair = $p->get_attr('cisco-avpair');
            $op->add_attr('cisco-avpair', $avpair) if defined $avpair;
            # Selector used by the AuthBy HANDLER clause (HandlerId %{OSC-AVPAIR})
            $op->add_attr('OSC-AVPAIR', 'Proxy2');
            # Call handle_request for this AuthBy HANDLER
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            # The second Handler will produce the reply to the NAS
            $op->{RadiusResult} = $main::IGNORE;
        }
        else
        {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
            $op->{RadiusResult} = $main::REJECT;
        }
    }
    return;
}
# proxy2.pl
sub
{
    my $p  = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy (not used in this hook)

    # Get the reply code from the proxy reply.
    my $code = $p->code;
    if ($code eq 'Access-Accept')
    {
        # Both proxies accepted: set the final result for the original request
        $op->{RadiusResult} = $main::ACCEPT;
    }
    return;
}
regards
Hugh
On 9 Mar 2010, at 23:48, Alexander Hartmaier wrote:
> Hi!
>
> I have to proxy to two radius servers one after the other to gather
> different attributes.
> Because AuthBy RADIUS responds with an IGNORE the second AuthBy is never
> hit.
> I couldn't find an example in the goodies which shows how to deal with
> that.
> I assume a ReplyHook in the first AuthBy RADIUS clause is needed...
>
> --
> Best regards, Alex
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
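A hardened variant of the first-stage hook, added here as an example; it is not Hugh's or Radiator's own code. It keeps the same chain as the post (first proxy reply, copy the attribute into the original request, redispatch through the AuthBy HANDLER, leave the reply to the second Handler) and adds the checks a reviewer would want: a reply from Proxy1 that is not an Access-Accept is relayed untouched and logged rather than chained, an Access-Accept that carries no cisco-avpair is logged and rejected instead of silently forwarded, every value of the attribute is copied rather than only the first, and the return of handle_request is logged. It assumes that get_attr returns all values of a multi-valued attribute in list context (a behaviour this example relies on; check it against the Radiator version in use), and the variable names $required_attr and $next_handler and the log strings are choices of this example. Only the log levels, result constants and calls that appear in the post are used.

```perl
# proxy_checked.pl : first-stage ReplyHook for the Proxy1 clause (example code,
# not from the post). Assumption: get_attr returns every value of a
# multi-valued attribute when called in list context.
sub
{
    my $p  = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet

    my $identifier    = 'ForwardToProxy2'; # Identifier of the AuthBy HANDLER
    my $required_attr = 'cisco-avpair';    # attribute the second stage needs
    my $next_handler  = 'Proxy2';          # HandlerId selected via %{OSC-AVPAIR}

    my $code = $p->code;
    if ($code ne 'Access-Accept')
    {
        # Proxy1 did not accept: AuthBy RADIUS relays that reply unchanged,
        # so do not start the second stage at all.
        &main::log($main::LOG_DEBUG,
            "Proxy1 replied $code, not chaining to $next_handler");
        return;
    }

    my $authby = Radius::AuthGeneric::find($identifier);
    unless (defined $authby)
    {
        &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
        $op->{RadiusResult} = $main::REJECT;
        return;
    }

    # Copy every value of the attribute (assumed list-context get_attr),
    # dropping empty ones.
    my @values = grep { defined $_ && length $_ } $p->get_attr($required_attr);
    unless (@values)
    {
        # Fail closed: the second stage depends on this attribute being present.
        &main::log($main::LOG_ERR,
            "Proxy1 Access-Accept carried no $required_attr, rejecting request");
        $op->{RadiusResult} = $main::REJECT;
        return;
    }
    foreach my $v (@values)
    {
        $op->add_attr($required_attr, $v);
    }
    # Selector consumed by the AuthBy HANDLER clause (HandlerId %{OSC-AVPAIR})
    $op->add_attr('OSC-AVPAIR', $next_handler);

    # Redispatch the original request; the second Handler owns the reply
    my ($rc, $reason) = $authby->handle_request($op, $rp);
    my $why = defined $reason ? $reason : '';
    &main::log($main::LOG_DEBUG,
        "Redispatched to $next_handler, handle_request returned rc=$rc $why");
    $op->{RadiusResult} = $main::IGNORE;
    return;
}
```

The second-stage hook (proxy2.pl in the post) is unchanged by this example. The reason for failing closed on a missing attribute is that the second Handler's AddToReply line in the post expands %{cisco-avpair} from the request; with no value present, the NAS would otherwise receive an accept that lacks the attribute the chain was built to deliver.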