[RADIATOR] Multiple AuthBy RADIUS blocks

Hugh Irvine hugh at open.com.au
Tue Mar 9 18:49:37 CST 2010


Hello Alex -

Thanks for the interesting question.

There is in fact an example ReplyHook in "goodies/hooks.txt"; however, it does not show how to deal with multiple proxies.

Here is an example, using two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.

The first Handler calls the first AuthBy RADIUS clause which contains a ReplyHook to continue processing.

This ReplyHook adds the required reply attribute(s) from the proxy reply to the original request so they can be retrieved later, then it calls an AuthBy HANDLER clause to redispatch the request to a second Handler.

The second Handler proxies to the second proxy target and calls a second ReplyHook.

The second ReplyHook sets the final RadiusResult to ACCEPT.

Hopefully you get the idea.


This is the configuration file:


Foreground
LogStdout
LogDir		.
DbDir		.
# Use a lower trace level in production systems:
Trace 		5

AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	mysecret
	DupInterval 0
</Client>

<AuthBy RADIUS>
	Identifier Proxy1
	Host localhost
	Secret mysecret
	AuthPort  11645
	AcctPort  11646
	ReplyHook file:"%D/proxy.pl"
</AuthBy>

<AuthBy RADIUS>
	Identifier Proxy2
	Host localhost
	Secret mysecret
	AuthPort  22645
	AcctPort  22646
	ReplyHook file:"%D/proxy2.pl"
	AddToReply cisco-avpair = %{cisco-avpair}
</AuthBy>

<AuthBy HANDLER>
	Identifier ForwardToProxy2
	HandlerId %{OSC-AVPAIR}
</AuthBy>

<Handler>
	Identifier Proxy1
	AuthBy Proxy1
</Handler>

<Handler>
	Identifier Proxy2
	AuthBy Proxy2
</Handler>


And here are the two ReplyHooks:


# proxy.pl

sub
{
    my $p = ${$_[0]};	# proxy reply packet
    my $rp = ${$_[1]};	# reply packet to NAS
    my $op = ${$_[2]};	# original request packet
    my $sp = ${$_[3]};	# packet sent to proxy

    # Find the AuthBy HANDLER clause with this Identifier
    my $identifier = 'ForwardToProxy2';
    my $authby = Radius::AuthGeneric::find($identifier);

    # Get the reply code from the proxy reply.
    my $code = $p->code;

    if ($code eq 'Access-Accept')
    {
        # Hand the request on to the second Handler via the AuthBy HANDLER,
        # or if the AuthBy is undefined set the result to Access-Reject.

        if (defined $authby)
        {
            &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");

            # Carry the attribute from the first proxy reply on the
            # original request so it can be retrieved later (AddToReply).
            # Skip it if the proxy did not send one rather than adding
            # an undefined value.
            my $avpair = $p->get_attr('cisco-avpair');
            $op->add_attr('cisco-avpair', $avpair) if defined $avpair;

            # OSC-AVPAIR selects the HandlerId used by the AuthBy HANDLER
            $op->add_attr('OSC-AVPAIR', 'Proxy2');

            # Call handle_request for this AuthBy HANDLER; the final
            # result is set by the second ReplyHook, so IGNORE here.
            my ($rc, $reason) = $authby->handle_request($op, $rp);

            $op->{RadiusResult} = $main::IGNORE;
        }
        else
        {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
            $op->{RadiusResult} = $main::REJECT;
        }
    }
    return;
}



# proxy2.pl

sub
{
    my $p = ${$_[0]};	# proxy reply packet
    my $rp = ${$_[1]};	# reply packet to NAS
    my $op = ${$_[2]};	# original request packet
    my $sp = ${$_[3]};	# packet sent to proxy

    # Get the reply code from the proxy reply.
    my $code = $p->code;

    if ($code eq 'Access-Accept')
    {
        # Both proxies accepted: set the final result for the NAS
        $op->{RadiusResult} = $main::ACCEPT;
    }
    return;
}


regards

Hugh
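The two hooks above are one concrete instance of a general pattern: each stage copies the attributes it needs from the proxy reply onto the original request, then either redispatches to the next Handler (setting IGNORE) or, at the last stage, sets ACCEPT. The following is an added illustration, not code from the original post or from Radiator itself, of a single hook file that can be used as the ReplyHook of every AuthBy RADIUS stage. It assumes the ReplyHook receives a fifth argument referencing the AuthBy RADIUS object that proxied the request and that the object's Identifier is readable as `$me->{Identifier}`; the Identifiers Proxy1, Proxy2 and ForwardToProxy2, and the OSC-AVPAIR attribute, are the ones from the configuration above, and `change_attr` is used in place of `add_attr` so a re-run stage replaces rather than duplicates the attribute. It also makes the non-Accept case explicit (the original hooks leave it to the proxy reply), so a later target cannot turn an earlier Access-Reject into an Accept.

```perl
# chainproxy.pl -- one ReplyHook shared by every AuthBy RADIUS stage.
# Added illustration, not from the original post. ASSUMPTION: a fifth
# argument references the AuthBy RADIUS object that proxied the request.
sub
{
    my $p  = ${$_[0]};   # reply received from the proxy target
    my $rp = ${$_[1]};   # reply being built for the NAS
    my $op = ${$_[2]};   # original request from the NAS
    my $sp = ${$_[3]};   # request as sent to the proxy target
    my $me = ${$_[4]};   # the AuthBy RADIUS object (assumption, see above)

    # Chain table: which attributes each stage contributes and which Handler
    # (reached through AuthBy HANDLER ForwardToProxy2) runs next. An empty
    # 'next' marks the last stage. Identifiers are those from the config.
    my %chain = (
        Proxy1 => { attrs => ['cisco-avpair'], next => 'Proxy2' },
        Proxy2 => { attrs => ['cisco-avpair'], next => ''       },
    );

    my $stage = $me->{Identifier};
    my $cfg   = $chain{$stage};
    unless ($cfg)
    {
        &main::log($main::LOG_ERR, "ReplyHook: no chain entry for stage $stage");
        $op->{RadiusResult} = $main::REJECT;
        return;
    }

    # Any stage that does not accept ends the chain with a reject, so a
    # later target can never override an earlier authorisation failure.
    if ($p->code ne 'Access-Accept')
    {
        &main::log($main::LOG_INFO, "Stage $stage replied " . $p->code);
        $op->{RadiusResult} = $main::REJECT;
        return;
    }

    # Copy the wanted attributes from this stage's reply onto the original
    # request so later stages (and AddToReply) can read them. Attributes the
    # target did not send are skipped rather than added with no value.
    for my $name (@{ $cfg->{attrs} })
    {
        my $value = $p->get_attr($name);
        next unless defined $value;
        $op->change_attr($name, $value);   # replace, do not duplicate
    }

    if ($cfg->{next} eq '')
    {
        # Last stage: every target accepted, so accept to the NAS.
        $op->{RadiusResult} = $main::ACCEPT;
        return;
    }

    # Redispatch to the next Handler through the AuthBy HANDLER clause,
    # whose HandlerId is %{OSC-AVPAIR} as in the configuration above.
    my $authby = Radius::AuthGeneric::find('ForwardToProxy2');
    unless (defined $authby)
    {
        &main::log($main::LOG_ERR, "No AuthBy with Identifier ForwardToProxy2");
        $op->{RadiusResult} = $main::REJECT;
        return;
    }
    $op->change_attr('OSC-AVPAIR', $cfg->{next});
    $authby->handle_request($op, $rp);
    $op->{RadiusResult} = $main::IGNORE;   # the next stage produces the reply
    return;
}
```

With this file set as `ReplyHook file:"%D/chainproxy.pl"` in both AuthBy RADIUS clauses, adding a third proxy target is a matter of adding an AuthBy RADIUS clause, a Handler, and one line in `%chain`, and the attribute list per stage is visible in one place rather than spread over several hook files.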


On 9 Mar 2010, at 23:48, Alexander Hartmaier wrote:

> Hi!
> 
> I have to proxy to two radius servers one after the other to gather
> different attributes.
> Because AuthBy RADIUS responds with an IGNORE the second AuthBy is never
> hit.
> I couldn't find an example in the goodies which shows how to deal with
> that.
> I assume a ReplyHook in the first AuthBy RADIUS clause is needed...
> 
> --
> Best regards, Alex
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
