[RADIATOR] Multiple AuthBy RADIUS blocks

Hugh Irvine hugh at open.com.au
Wed Mar 10 16:06:48 CST 2010


Hello Alex -

I'm pleased you've got it working the way you want it.

It isn't possible to "fix" the AuthBy RADIUS clause - it works the way it does because it doesn't wait for a response from a remote host that may never come.

The way to operate an AuthBy RADIUS the way you describe is to use the "Synchronous" flag - but this implies waiting for the response to come back from the remote host, which is a dangerous thing to do. I.e. Radiator will wait forever if a reply doesn't come back.

An alternative approach is to use a separate instance of Radiator to do this "special" processing instead of having it in your "mainline" and proxy to it first.

My example code was just that - I simply hacked it together to give you an idea of how to do it.

regards

Hugh



On 11 Mar 2010, at 03:51, Alexander Hartmaier wrote:

> I've managed to get it working.
> I didn't understand at first that the second ReplyHook is needed,
> without it the response from the second radius server is thrown away
> instead of replied to the radius client.
> 
> Can you add fixing AuthBy RADIUS to your todo list for the next version?
> 
> Being unable to chain AuthBy RADIUS is really a problem, especially for
> my coworkers who aren't experienced perl coders like me but should be
> able to support this configuration as well.
> 
> Thanks!
> 
> I've modified the hook a bit to make it easier to define which
> attributes should be proxied:
> 
> # this hook copies the @proxied_attrs from the answer of the radius
> server
> # to the request to the next radius server and dispatches another
> request
> sub {
>    my $p  = ${$_[0]};  # reply packet from remote radius server
>    my $rp = ${$_[1]};  # reply packet to NAS
>    my $op = ${$_[2]};  # original request packet
>    my $sp = ${$_[3]};  # packet sent to remote radius server
> 
>    # Find the AuthBy clause with the same Identifier        
>    my $identifier = 'tma-radius';
>    my $authby = Radius::AuthGeneric::find($identifier);
>    &main::log($main::LOG_DEBUG, "Found Handler with Identifier $identifier")
>        if defined $authby;
> 
>    # Get the request code from the proxy reply.
>    my $code = $p->code;
>    &main::log($main::LOG_DEBUG, "radius replied with $code");
> 
>    # Only proxy if the current request was accepted
>    if ($code eq 'Access-Accept') {
>        # Set the correct reply code in the reply packet
>        # or if the AuthBy is undefined set to Access-Reject.
> 
>        if (defined $authby) {
>            my @proxied_attrs = qw/
>                Framed-IP-Address
>            /;
>            for my $attr (@proxied_attrs) {
>                my $value = $p->get_attr($attr);
>                # skip attributes the first radius server did not return
>                next unless defined $value;
>                $op->add_attr($attr, $value);
>            }
> 
>            # Call handle_request for this AuthBy HANDLER
>            my ($rc, $reason) = $authby->handle_request($op, $rp);
> 
>            $op->{RadiusResult} = $main::IGNORE;
>        }
>        else {
>            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
>            $op->{RadiusResult} = $main::REJECT;
>        }
>    }
>    else {
>        &main::log($main::LOG_ERR, "radius server didn't accept the request");
>    }
>    return;
> }
> 
> -- 
> Best regards, Alex
> 
> 
> On Wednesday, 10.03.2010, 10:48 +0100, Hartmaier Alexander wrote:
>> Thanks Hugh, that's exactly what I need.
>> 
>> Is there a specific reason why the request gets proxied to a handler
>> which uses the AuthBy RADIUS instead of directly proxying to the AuthBy
>> or is this not possible?
>> 
>> The proxy.pl hook code has a little glitch.
>> Found AuthBy with Identifier $identifier is logged even if it isn't.
>> To fix it you can add 'if $authby;' to the end of the line.
>> 
>> -- 
>> Best regards, Alex
>> 
>> 
>> On Wednesday, 10.03.2010, 01:49 +0100, Hugh Irvine wrote:
>>> Hello Alex -
>>> 
>>> Thanks for the interesting question.
>>> 
>>> There is in fact an example ReplyHook in "goodies/hooks.txt", however it does not show how to deal with multiple proxies.
>>> 
>>> Here is an example, using two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.
>>> 
>>> The first Handler calls the first AuthBy RADIUS clause which contains a ReplyHook to continue processing.
>>> 
>>> This ReplyHook adds the required reply attribute(s) from the proxy reply to the original request so they can be retrieved later, then it calls an AuthBy HANDLER clause to redispatch the request to a second Handler.
>>> 
>>> The second Handler proxies to the second proxy target and calls a second ReplyHook.
>>> 
>>> The second ReplyHook sets the final RadiusResult to ACCEPT.
>>> 
>>> Hopefully you get the idea.
>>> 
>>> 
>>> This is the configuration file:
>>> 
>>> 
>>> Foreground
>>> LogStdout
>>> LogDir		.
>>> DbDir		.
>>> # Use a lower trace level in production systems:
>>> Trace 		5
>>> 
>>> AuthPort 1645
>>> AcctPort 1646
>>> 
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>> <Client DEFAULT>
>>> 	Secret	mysecret
>>> 	DupInterval 0
>>> </Client>
>>> 
>>> <AuthBy RADIUS>
>>> 	Identifier Proxy1
>>> 	Host localhost
>>> 	Secret mysecret
>>> 	AuthPort  11645
>>> 	AcctPort  11646
>>> 	ReplyHook file:"%D/proxy.pl"
>>> </AuthBy>
>>> 
>>> <AuthBy RADIUS>
>>> 	Identifier Proxy2
>>> 	Host localhost
>>> 	Secret mysecret
>>> 	AuthPort  22645
>>> 	AcctPort  22646
>>> 	ReplyHook file:"%D/proxy2.pl"
>>> 	AddToReply cisco-avpair = %{cisco-avpair}
>>> </AuthBy>
>>> 
>>> <AuthBy HANDLER>
>>> 	Identifier ForwardToProxy2
>>> 	HandlerId %{OSC-AVPAIR}
>>> </AuthBy>
>>> 
>>> <Handler>
>>> 	Identifier Proxy1
>>> 	AuthBy Proxy1
>>> </Handler>
>>> 
>>> <Handler>
>>> 	Identifier Proxy2
>>> 	AuthBy Proxy2
>>> </Handler>
>>> 
>>> 
>>> And here are the two ReplyHooks:
>>> 
>>> 
>>> # proxy.pl
>>> 
>>> sub 
>>> {
>>>    my $p = ${$_[0]};	# proxy reply packet
>>>    my $rp = ${$_[1]};	# reply packet to NAS
>>>    my $op = ${$_[2]};	# original request packet
>>>    my $sp = ${$_[3]};	# packet sent to proxy 
>>> 
>>>    # Find the AuthBy clause with the same Identifier        
>>>    my $identifier = 'ForwardToProxy2';
>>>    my $authby = Radius::AuthGeneric::find($identifier);
>>>    &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");
>>> 
>>>    # Get the request code from the proxy reply.
>>>    my $code = $p->code;
>>> 
>>>    if ($code eq 'Access-Accept')
>>>    {
>>>        # Set the correct reply code in the reply packet
>>>        # or if the AuthBy is undefined set to Access-Reject.
>>> 
>>>        if (defined $authby)
>>>        {
>>>            my $avpair = $p->get_attr('cisco-avpair');
>>>            $op->add_attr('cisco-avpair', $avpair);
>>>            $op->add_attr('OSC-AVPAIR', 'Proxy2');
>>> 
>>>            # Call handle_request for this AuthBy HANDLER
>>>            my ($rc, $reason) = $authby->handle_request($op, $rp);
>>> 
>>>            $op->{RadiusResult} = $main::IGNORE;
>>>        }
>>>        else
>>>        {
>>>            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");  
>>>            $op->{RadiusResult} = $main::REJECT;
>>>        }
>>>    }
>>>    return;
>>> }
>>> 
>>> 
>>> 
>>> # proxy2.pl
>>> 
>>> sub 
>>> {
>>>    my $p = ${$_[0]};	# proxy reply packet
>>>    my $rp = ${$_[1]};	# reply packet to NAS
>>>    my $op = ${$_[2]};	# original request packet
>>>    my $sp = ${$_[3]};	# packet sent to proxy 
>>> 
>>> 
>>>    # Get the request code from the proxy reply.
>>>    my $code = $p->code;
>>> 
>>>    if ($code eq 'Access-Accept')
>>>    {
>>>        # Set the correct reply code in the reply packet        
>>>        $op->{RadiusResult} = $main::ACCEPT;
>>>    }
>>>    return;
>>> }
>>> 
>>> 
>>> regards
>>> 
>>> Hugh
>>> 
>>> 
>>> On 9 Mar 2010, at 23:48, Alexander Hartmaier wrote:
>>> 
>>>> Hi!
>>>> 
>>>> I have to proxy to two radius servers one after the other to gather
>>>> different attributes.
>>>> Because AuthBy RADIUS responds with an IGNORE the second AuthBy is never
>>>> hit.
>>>> I couldn't find an example in the goodies which shows how to deal with
>>>> that.
>>>> I assume a ReplyHook in the first AuthBy RADIUS clause is needed...
>>>> 
>>>> --
>>>> Best regards, Alex
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
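A hardened version of the chaining hook, combining Hugh's proxy.pl and Alex's attribute-list variant, follows as an added example; it is not code from this thread or from the Radiator distribution. It relies on the hook calling convention and on Radius::AuthGeneric::find, handle_request and $op->{RadiusResult} exactly as used in the hooks above, and additionally on $op->change_attr, which is assumed to replace an existing attribute of the same name (so a Framed-IP-Address hint sent by the NAS is not left next to the one the first proxy returned). The attribute list, the validators, the required-attribute check and the identifiers Proxy2 and ForwardToProxy2 are assumptions for illustration. The point it adds to the thread's hooks: values taken from the first server's reply are injected into a request the second server will act on, so each value is checked before it is copied, and a missing or malformed value ends in a Reject instead of an undef being forwarded.

```perl
# proxy_chain.pl - ReplyHook for the first AuthBy RADIUS clause of a chain.
# Added example (not from the thread or the Radiator distribution).
# Assumed: hook argument order as in the thread, Radius::AuthGeneric::find,
# handle_request, $main::{ACCEPT,REJECT,IGNORE}, and $op->change_attr.
sub
{
    my $p  = ${$_[0]};   # reply packet from the first remote RADIUS server
    my $rp = ${$_[1]};   # reply packet to the NAS
    my $op = ${$_[2]};   # original request packet
    my $sp = ${$_[3]};   # packet sent to the first remote server (unused)

    # Attributes to carry from the first reply into the redispatched
    # request, each with a validator.  Names and checks are assumptions.
    my %proxied_attrs = (
        'Framed-IP-Address' => sub {
            $_[0] =~ /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/
        },
        'cisco-avpair' => sub {
            # within the RADIUS string-attribute size, no control characters
            length($_[0]) <= 253 && $_[0] !~ /[\x00-\x1f\x7f]/
        },
    );
    my @required_attrs = ('Framed-IP-Address');
    my $next_handler   = 'Proxy2';            # Handler Identifier (assumed)
    my $forwarder_id   = 'ForwardToProxy2';   # AuthBy HANDLER Identifier (assumed)

    my $code = $p->code;
    if ($code ne 'Access-Accept')
    {
        # Leave AuthBy RADIUS's normal handling of a Reject or Challenge alone.
        &main::log($main::LOG_INFO, "first proxy replied $code; not chaining");
        return;
    }

    my $authby = Radius::AuthGeneric::find($forwarder_id);
    unless (defined $authby)
    {
        &main::log($main::LOG_ERR, "No AuthBy with Identifier $forwarder_id");
        $op->{RadiusResult} = $main::REJECT;
        return;
    }

    my %copied;
    for my $attr (sort keys %proxied_attrs)
    {
        my $value = $p->get_attr($attr);
        next unless defined $value;           # first server did not return it
        unless ($proxied_attrs{$attr}->($value))
        {
            # Never forward a value the second server would act on unchecked.
            &main::log($main::LOG_ERR, "first proxy returned malformed $attr; rejecting");
            $op->{RadiusResult} = $main::REJECT;
            return;
        }
        # change_attr (assumed) replaces any NAS-supplied instance of the
        # attribute instead of adding a second copy next to it.
        $op->change_attr($attr, $value);
        $copied{$attr} = 1;
    }
    for my $attr (@required_attrs)
    {
        next if $copied{$attr};
        &main::log($main::LOG_ERR, "first proxy reply lacks required $attr; rejecting");
        $op->{RadiusResult} = $main::REJECT;
        return;
    }

    # Tell the AuthBy HANDLER which Handler to redispatch to, then hand over.
    $op->change_attr('OSC-AVPAIR', $next_handler);
    my ($rc, $reason) = $authby->handle_request($op, $rp);
    &main::log($main::LOG_DEBUG, "redispatched to Handler $next_handler");

    # The second AuthBy RADIUS answers the NAS through its own ReplyHook;
    # this clause must stay silent, exactly as in the thread's proxy.pl.
    $op->{RadiusResult} = $main::IGNORE;
    return;
}
```

It is installed in place of proxy.pl on the first clause (ReplyHook file:"%D/proxy_chain.pl"); the second clause keeps proxy2.pl, which still turns the second server's Access-Accept into the final ACCEPT. The Synchronous caveat above is unchanged by this: the hook only runs once a reply has arrived, so a first server that never answers still leaves the request unanswered rather than blocking Radiator.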




