[RADIATOR] Multiple AuthBy RADIUS blocks

Alexander Hartmaier alexander.hartmaier at t-systems.at
Wed Mar 10 10:51:46 CST 2010


I've managed to get it working.
I didn't understand at first that the second ReplyHook is needed;
without it the response from the second radius server is thrown away
instead of being replied to the radius client.

Can you add fixing AuthBy RADIUS to your todo list for the next version?

Being unable to chain AuthBy RADIUS is really a problem, especially for
my coworkers, who aren't experienced Perl coders like me but should be
able to support this configuration as well.

Thanks!

I've modified the hook a bit to make it easier to define which
attributes should be proxied:

# this hook copies the @proxied_attrs from the answer of the radius server
# to the request to the next radius server and dispatches another request
sub {
    my $p  = ${$_[0]};  # reply packet from remote radius server
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to remote radius server

    # Find the AuthBy clause with the same Identifier
    my $identifier = 'tma-radius';
    my $authby = Radius::AuthGeneric::find($identifier);
    &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier")
        if defined $authby;

    # Get the request code from the proxy reply.
    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "radius replied with $code");

    # Only proxy if the current request was accepted
    if ($code eq 'Access-Accept') {
        # Redispatch via the AuthBy HANDLER if it exists,
        # otherwise reject the request.
        if (defined $authby) {
            # Only the attributes listed here are copied from the first
            # server's reply into the request sent to the second server.
            my @proxied_attrs = qw/
                Framed-IP-Address
            /;
            for my $attr (@proxied_attrs) {
                my $value = $p->get_attr($attr);
                # Skip attributes the first server did not send instead of
                # adding them with an undefined value
                next unless defined $value;
                $op->add_attr($attr, $value);
            }

            # Call handle_request for this AuthBy HANDLER
            my ($rc, $reason) = $authby->handle_request($op, $rp);

            # The second ReplyHook sets the final result; ignore this reply
            $op->{RadiusResult} = $main::IGNORE;
        }
        else {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
            $op->{RadiusResult} = $main::REJECT;
        }
    }
    else {
        &main::log($main::LOG_ERR, "radius server didn't accept the request");
    }
    return;
}

-- 
Best regards, Alex


On Wednesday, 10.03.2010, 10:48 +0100, Hartmaier Alexander wrote:
> Thanks Hugh, that's exactly what I need.
> 
> Is there a specific reason why the request gets proxied to a handler
> which uses the AuthBy RADIUS instead of directly proxying to the AuthBy
> or is this not possible?
> 
> The proxy.pl hook code has a little glitch.
> Found AuthBy with Identifier $identifier is logged even if it isn't.
> To fix it you can add 'if $authby;' to the end of the line.
> 
> -- 
> Best regards, Alex
> 
> 
> On Wednesday, 10.03.2010, 01:49 +0100, Hugh Irvine wrote:
> > Hello Alex -
> > 
> > Thanks for the interesting question.
> > 
> > There is in fact an example ReplyHook in "goodies/hooks.txt", however it does not show how to deal with multiple proxies.
> > 
> > Here is an example, using two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.
> > 
> > The first Handler calls the first AuthBy RADIUS clause which contains a ReplyHook to continue processing.
> > 
> > This ReplyHook adds the required reply attribute(s) from the proxy reply to the original request so they can be retrieved later, then it calls an AuthBy HANDLER clause to redispatch the request to a second Handler.
> > 
> > The second Handler proxies to the second proxy target and calls a second ReplyHook.
> > 
> > The second ReplyHook sets the final RadiusResult to ACCEPT.
> > 
> > Hopefully you get the idea.
> > 
> > 
> > This is the configuration file:
> > 
> > 
> > Foreground
> > LogStdout
> > LogDir		.
> > DbDir		.
> > # Use a lower trace level in production systems:
> > Trace 		5
> > 
> > AuthPort 1645
> > AcctPort 1646
> > 
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client DEFAULT>
> > 	Secret	mysecret
> > 	DupInterval 0
> > </Client>
> > 
> > <AuthBy RADIUS>
> > 	Identifier Proxy1
> > 	Host localhost
> > 	Secret mysecret
> > 	AuthPort  11645
> > 	AcctPort  11646
> > 	ReplyHook file:"%D/proxy.pl"
> > </AuthBy>
> > 
> > <AuthBy RADIUS>
> > 	Identifier Proxy2
> > 	Host localhost
> > 	Secret mysecret
> > 	AuthPort  22645
> > 	AcctPort  22646
> > 	ReplyHook file:"%D/proxy2.pl"
> > 	AddToReply cisco-avpair = %{cisco-avpair}
> > </AuthBy>
> > 
> > <AuthBy HANDLER>
> > 	Identifier ForwardToProxy2
> > 	HandlerId %{OSC-AVPAIR}
> > </AuthBy>
> > 
> > <Handler>
> > 	Identifier Proxy1
> > 	AuthBy Proxy1
> > </Handler>
> > 
> > <Handler>
> > 	Identifier Proxy2
> > 	AuthBy Proxy2
> > </Handler>
> > 
> > 
> > And here are the two ReplyHooks:
> > 
> > 
> > # proxy.pl
> > 
> > sub 
> > {
> >     my $p = ${$_[0]};	# proxy reply packet
> >     my $rp = ${$_[1]};	# reply packet to NAS
> >     my $op = ${$_[2]};	# original request packet
> >     my $sp = ${$_[3]};	# packet sent to proxy 
> > 
> >     # Find the AuthBy clause with the same Identifier        
> >     my $identifier = 'ForwardToProxy2';
> >     my $authby = Radius::AuthGeneric::find($identifier);
> >     &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");
> > 
> >     # Get the request code from the proxy reply.
> >     my $code = $p->code;
> > 
> >     if ($code eq 'Access-Accept')
> >     {
> >         # Set the correct reply code in the reply packet
> >         # or if the AuthBy is undefined set to Access-Reject.
> >         
> >         if (defined $authby)
> >         {
> >             my $avpair = $p->get_attr('cisco-avpair');
> >             $op->add_attr('cisco-avpair', $avpair);
> >             $op->add_attr('OSC-AVPAIR', 'Proxy2');
> > 
> >             # Call handle_request for this AuthBy HANDLER
> >             my ($rc, $reason) = $authby->handle_request($op, $rp);
> > 
> >             $op->{RadiusResult} = $main::IGNORE;
> >         }
> >         else
> >         {
> >             &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");  
> >             $op->{RadiusResult} = $main::REJECT;
> >         }
> >     }
> >     return;
> > }
> > 
> > 
> > 
> > # proxy2.pl
> > 
> > sub 
> > {
> >     my $p = ${$_[0]};	# proxy reply packet
> >     my $rp = ${$_[1]};	# reply packet to NAS
> >     my $op = ${$_[2]};	# original request packet
> >     my $sp = ${$_[3]};	# packet sent to proxy 
> > 
> > 
> >     # Get the request code from the proxy reply.
> >     my $code = $p->code;
> > 
> >     if ($code eq 'Access-Accept')
> >     {
> >         # Set the correct reply code in the reply packet        
> >         $op->{RadiusResult} = $main::ACCEPT;
> >     }
> >     return;
> > }
> > 
> > 
> > regards
> > 
> > Hugh
> > 
> > 
> > On 9 Mar 2010, at 23:48, Alexander Hartmaier wrote:
> > 
> > > Hi!
> > > 
> > > I have to proxy to two radius servers one after the other to gather
> > > different attributes.
> > > Because AuthBy RADIUS responds with an IGNORE the second AuthBy is never
> > > hit.
> > > I couldn't find an example in the goodies which shows how to deal with
> > > that.
> > > I assume a ReplyHook in the first AuthBy RADIUS clause is needed...
> > > 
> > > --
> > > Best regards, Alex
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > NB: 
> > 
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets), 
> > together with a trace 4 debug showing what is happening?
> > 
> 
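The following is an added example, not code from this thread or from Radiator itself: a small stand-alone Perl harness for the attribute-copying logic of the chaining ReplyHook discussed above, so the allow-list behaviour can be checked offline without a running Radiator. `MockPacket` is a hypothetical stand-in for Radiator's packet objects and supports only the three methods the hook uses (`code`, `get_attr`, `add_attr`); the sample packets and attribute values are constructed for the example. It shows two cases the hook has to get right: only an Access-Accept from the first server leads to the chained request, and an attribute the first server did not send is skipped rather than copied as an undefined value. Attributes outside the explicit list (here `Reply-Message`) are never copied into the request for the second server.

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of Radiator. MockPacket is a
# hypothetical stand-in for Radiator's packet objects; it only implements
# the methods the chaining ReplyHook relies on.
use strict;
use warnings;

package MockPacket;

sub new {
    my ($class, %args) = @_;
    return bless {
        code  => $args{code}  // 'Access-Request',
        attrs => $args{attrs} // {},
    }, $class;
}
sub code     { $_[0]{code} }
sub get_attr { $_[0]{attrs}{ $_[1] } }
sub add_attr { $_[0]{attrs}{ $_[1] } = $_[2]; return }

package main;

# Attributes allowed to flow from the first server's reply into the request
# sent to the second server. Anything not named here is never copied.
my @proxied_attrs = qw/Framed-IP-Address/;

# Copy the listed attributes from the upstream reply $p into the request
# $op. Returns how many were actually copied; attributes the upstream
# server did not send are skipped instead of being added as undef.
sub copy_proxied_attrs {
    my ($p, $op, @attrs) = @_;
    my $copied = 0;
    for my $attr (@attrs) {
        my $value = $p->get_attr($attr);
        next unless defined $value;
        $op->add_attr($attr, $value);
        $copied++;
    }
    return $copied;
}

# What the hook should do with the upstream reply: only an Access-Accept
# is chained to the second server, anything else stops the chain.
sub chain_decision {
    my ($p) = @_;
    return $p->code eq 'Access-Accept' ? 'chain' : 'stop';
}

# Constructed sample data: an accepting reply carrying Framed-IP-Address
# plus an attribute that is not on the allow-list, and a rejecting reply.
my $accept = MockPacket->new(
    code  => 'Access-Accept',
    attrs => { 'Framed-IP-Address' => '10.0.0.5', 'Reply-Message' => 'ok' },
);
my $reject = MockPacket->new(code => 'Access-Reject');
my $op     = MockPacket->new(attrs => { 'User-Name' => 'alice' });

printf "decision for Access-Accept: %s\n", chain_decision($accept);
printf "decision for Access-Reject: %s\n", chain_decision($reject);

my $n = copy_proxied_attrs($accept, $op, @proxied_attrs);
printf "copied %d attribute(s) into the request\n", $n;
printf "Framed-IP-Address in request: %s\n", $op->get_attr('Framed-IP-Address');
printf "Reply-Message in request: %s\n",
    defined $op->get_attr('Reply-Message') ? 'copied' : 'not copied';

# Upstream accepted but omitted the attribute: nothing is added to the
# request, and no undefined value reaches the second server.
my $op2 = MockPacket->new;
my $n2  = copy_proxied_attrs(
    MockPacket->new(code => 'Access-Accept'), $op2, @proxied_attrs);
printf "copied %d attribute(s) when upstream omitted the attribute\n", $n2;
```

Run it with `perl chain_check.pl` (the file name is arbitrary). To adapt it to a real hook, replace the mock packets with the `$p` and `$op` references the ReplyHook receives and keep the explicit attribute list; the point of the list is that the first server's reply can only influence the request to the second server through attributes you have named.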
