[RADIATOR] Multiple AuthBy RADIUS blocks

Hugh Irvine hugh at open.com.au
Wed Mar 10 15:56:25 CST 2010


Hello Alex -

Actually - the debug line is there to show what is happening - whether found or not.

regards

Hugh


On 10 Mar 2010, at 20:48, Alexander Hartmaier wrote:

> Thanks Hugh, that's exactly what I need.
> 
> Is there a specific reason why the request gets proxied to a handler
> which uses the AuthBy RADIUS instead of directly proxying to the AuthBy
> or is this not possible?
> 
> The proxy.pl hook code has a little glitch.
> "Found AuthBy with Identifier $identifier" is logged even if it isn't.
> To fix it you can add 'if $authby;' to the end of the line.
> 
> -- 
> Best regards, Alex
> 
> 
> On Wednesday, 10.03.2010, 01:49 +0100, Hugh Irvine wrote:
>> Hello Alex -
>> 
>> Thanks for the interesting question.
>> 
>> There is in fact an example ReplyHook in "goodies/hooks.txt", however it does not show how to deal with multiple proxies.
>> 
>> Here is an example, using two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.
>> 
>> The first Handler calls the first AuthBy RADIUS clause which contains a ReplyHook to continue processing.
>> 
>> This ReplyHook adds the required reply attribute(s) from the proxy reply to the original request so they can be retrieved later, then it calls an AuthBy HANDLER clause to redispatch the request to a second Handler.
>> 
>> The second Handler proxies to the second proxy target and calls a second ReplyHook.
>> 
>> The second ReplyHook sets the final RadiusResult to ACCEPT.
>> 
>> Hopefully you get the idea.
>> 
>> 
>> This is the configuration file:
>> 
>> 
>> Foreground
>> LogStdout
>> LogDir		.
>> DbDir		.
>> # Use a lower trace level in production systems:
>> Trace 		5
>> 
>> AuthPort 1645
>> AcctPort 1646
>> 
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client DEFAULT>
>> 	Secret	mysecret
>> 	DupInterval 0
>> </Client>
>> 
>> <AuthBy RADIUS>
>> 	Identifier Proxy1
>> 	Host localhost
>> 	Secret mysecret
>> 	AuthPort  11645
>> 	AcctPort  11646
>> 	ReplyHook file:"%D/proxy.pl"
>> </AuthBy>
>> 
>> <AuthBy RADIUS>
>> 	Identifier Proxy2
>> 	Host localhost
>> 	Secret mysecret
>> 	AuthPort  22645
>> 	AcctPort  22646
>> 	ReplyHook file:"%D/proxy2.pl"
>> 	AddToReply cisco-avpair = %{cisco-avpair}
>> </AuthBy>
>> 
>> <AuthBy HANDLER>
>> 	Identifier ForwardToProxy2
>> 	HandlerId %{OSC-AVPAIR}
>> </AuthBy>
>> 
>> <Handler>
>> 	Identifier Proxy1
>> 	AuthBy Proxy1
>> </Handler>
>> 
>> <Handler>
>> 	Identifier Proxy2
>> 	AuthBy Proxy2
>> </Handler>
>> 
>> 
>> And here are the two ReplyHooks:
>> 
>> 
>> # proxy.pl
>> 
>> sub 
>> {
>>    my $p = ${$_[0]};	# proxy reply packet
>>    my $rp = ${$_[1]};	# reply packet to NAS
>>    my $op = ${$_[2]};	# original request packet
>>    my $sp = ${$_[3]};	# packet sent to proxy 
>> 
>>    # Find the AuthBy HANDLER clause by its Identifier
>>    my $identifier = 'ForwardToProxy2';
>>    my $authby = Radius::AuthGeneric::find($identifier);
>>    # Logged either way, but the message says whether the lookup succeeded
>>    &main::log($main::LOG_DEBUG, (defined $authby ? 'Found' : 'Did not find')
>>               . " AuthBy with Identifier $identifier");
>> 
>>    # Get the request code from the proxy reply.
>>    my $code = $p->code;
>> 
>>    if ($code eq 'Access-Accept')
>>    {
>>        # Set the correct reply code in the reply packet
>>        # or if the AuthBy is undefined set to Access-Reject.
>> 
>>        if (defined $authby)
>>        {
>>            my $avpair = $p->get_attr('cisco-avpair');
>>            $op->add_attr('cisco-avpair', $avpair);
>>            $op->add_attr('OSC-AVPAIR', 'Proxy2');
>> 
>>            # Call handle_request for this AuthBy HANDLER
>>            my ($rc, $reason) = $authby->handle_request($op, $rp);
>> 
>>            $op->{RadiusResult} = $main::IGNORE;
>>        }
>>        else
>>        {
>>            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");  
>>            $op->{RadiusResult} = $main::REJECT;
>>        }
>>    }
>>    return;
>> }
>> 
>> 
>> 
>> # proxy2.pl
>> 
>> sub 
>> {
>>    my $p = ${$_[0]};	# proxy reply packet
>>    my $rp = ${$_[1]};	# reply packet to NAS
>>    my $op = ${$_[2]};	# original request packet
>>    my $sp = ${$_[3]};	# packet sent to proxy 
>> 
>> 
>>    # Get the request code from the proxy reply.
>>    my $code = $p->code;
>> 
>>    if ($code eq 'Access-Accept')
>>    {
>>        # Set the correct reply code in the reply packet        
>>        $op->{RadiusResult} = $main::ACCEPT;
>>    }
>>    return;
>> }
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 9 Mar 2010, at 23:48, Alexander Hartmaier wrote:
>> 
>>> Hi!
>>> 
>>> I have to proxy to two radius servers one after the other to gather
>>> different attributes.
>>> Because AuthBy RADIUS responds with an IGNORE, the second AuthBy is never
>>> hit.
>>> I couldn't find an example in the goodies which shows how to deal with
>>> that.
>>> I assume a ReplyHook in the first AuthBy RADIUS clause is needed...
>>> 
>>> --
>>> Best regards, Alex
>>> 
>> 
>> 
>> 
>> NB: 
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), 
>> together with a trace 4 debug showing what is happening?
>> 
> 



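The flow Hugh describes (Proxy1 reply -> first ReplyHook copies the attribute into the original request and redispatches through the AuthBy HANDLER -> Proxy2 reply -> second ReplyHook sets ACCEPT) can be checked outside a running Radiator before the hooks go into production. The script below is an added example and not Radiator's own code: FakePacket, the Radius::AuthGeneric::find registry, FakeHandlerAuthBy and main::log are constructed stand-ins for the Radiator API, the result-code values are constructed, and the cisco-avpair value is a made-up placeholder. The two hook bodies mirror the ones in the thread, with the debug line reporting whether the AuthBy was found. The four cases cover the accept path, the missing-AuthBy path (which ends in REJECT), a proxy reject (which leaves RadiusResult untouched) and the second hook.

```perl
#!/usr/bin/perl
# Offline harness for the two ReplyHooks from the thread (added example,
# not Radiator code). Everything outside the two hook bodies is a
# constructed stand-in for the parts of the Radiator API the hooks touch.
use strict;
use warnings;

package main;
# Constructed result codes and log levels; only their identity matters here.
our ($ACCEPT, $REJECT, $IGNORE) = ('ACCEPT', 'REJECT', 'IGNORE');
our ($LOG_ERR, $LOG_DEBUG) = (0, 4);
sub log { my ($level, $msg) = @_; print "log[$level]: $msg\n"; return; }

package FakePacket;
# Stand-in for a Radius packet: a code plus an ordered attribute list.
sub new      { my ($class, $code) = @_; return bless { code => $code, attrs => [] }, $class; }
sub code     { return $_[0]{code}; }
sub add_attr { my ($self, $n, $v) = @_; push @{ $self->{attrs} }, [ $n, $v ]; return; }
sub get_attr {
    my ($self, $n) = @_;
    for my $a (@{ $self->{attrs} }) { return $a->[1] if $a->[0] eq $n; }
    return undef;
}

package Radius::AuthGeneric;
# Stand-in registry of AuthBy clauses by Identifier; empty unless the
# harness fills it, so the "no AuthBy" branch can be exercised.
our %REGISTRY;
sub find { return $REGISTRY{ $_[0] }; }

package FakeHandlerAuthBy;
# Stand-in for <AuthBy HANDLER>: only counts how often it was redispatched to.
sub new            { return bless { calls => 0 }, $_[0]; }
sub handle_request { $_[0]{calls}++; return ($main::IGNORE, 'redispatched'); }

package main;

# proxy.pl: first ReplyHook, as in the thread.
my $proxy_hook = sub {
    my $p  = ${ $_[0] };    # proxy reply packet
    my $rp = ${ $_[1] };    # reply packet to NAS
    my $op = ${ $_[2] };    # original request packet
    my $identifier = 'ForwardToProxy2';
    my $authby = Radius::AuthGeneric::find($identifier);
    &main::log($main::LOG_DEBUG, (defined $authby ? 'Found' : 'Did not find')
               . " AuthBy with Identifier $identifier");
    if ($p->code eq 'Access-Accept') {
        if (defined $authby) {
            # Carry the proxy's attribute into the original request and tag
            # it with the HandlerId the AuthBy HANDLER will dispatch on.
            $op->add_attr('cisco-avpair', $p->get_attr('cisco-avpair'));
            $op->add_attr('OSC-AVPAIR', 'Proxy2');
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            $op->{RadiusResult} = $main::IGNORE;
        } else {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
            $op->{RadiusResult} = $main::REJECT;
        }
    }
    return;
};

# proxy2.pl: second ReplyHook, as in the thread.
my $proxy2_hook = sub {
    my ($p, $rp, $op) = (${ $_[0] }, ${ $_[1] }, ${ $_[2] });
    $op->{RadiusResult} = $main::ACCEPT if $p->code eq 'Access-Accept';
    return;
};

# Drive one hook with a constructed proxy reply and report what it did to
# the original request.
sub run_hook {
    my ($hook, $reply_code, $handler_present) = @_;
    my $handler = FakeHandlerAuthBy->new;
    %Radius::AuthGeneric::REGISTRY = $handler_present ? (ForwardToProxy2 => $handler) : ();
    my $p = FakePacket->new($reply_code);
    $p->add_attr('cisco-avpair', 'constructed-avpair=1');    # placeholder value
    my ($rp, $op, $sp) = map { FakePacket->new($_) } 'Access-Accept', 'Access-Request', 'Access-Request';
    $hook->(\$p, \$rp, \$op, \$sp);    # Radiator passes references to the packet refs
    return {
        result       => $op->{RadiusResult} // 'unset',
        avpair       => $op->get_attr('cisco-avpair') // 'none',
        handler_id   => $op->get_attr('OSC-AVPAIR') // 'none',
        redispatched => $handler->{calls},
    };
}

for my $case (
    [ 'Proxy1 accept, AuthBy HANDLER present', $proxy_hook,  'Access-Accept', 1 ],
    [ 'Proxy1 accept, AuthBy HANDLER missing', $proxy_hook,  'Access-Accept', 0 ],
    [ 'Proxy1 reject',                         $proxy_hook,  'Access-Reject', 1 ],
    [ 'Proxy2 accept',                         $proxy2_hook, 'Access-Accept', 1 ],
) {
    my ($name, $hook, $code, $present) = @$case;
    my $r = run_hook($hook, $code, $present);
    printf "%-40s result=%s avpair=%s OSC-AVPAIR=%s redispatched=%d\n",
        $name, @{$r}{qw(result avpair handler_id redispatched)};
}
```

Run it with plain `perl`. The first case should show IGNORE with the attribute copied, OSC-AVPAIR set to Proxy2 and one redispatch; the second REJECT with nothing copied; the third leaves the result unset, since a proxy reject never reaches the redispatch; and the fourth shows the second hook producing ACCEPT. Swapping the stand-ins for real Radiator objects is the only change needed to turn this into a check against the live server's behaviour.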