[RADIATOR] Executing an external script from Radiator
Martin Burton
mvb at sanger.ac.uk
Tue Jun 21 03:39:43 CDT 2011
Hi M P
I've had success using <AuthBy EXTERNAL> to allow Radiator to interface
with our homebrew network access control system.
If it helps at all, our config looks like:
<Handler>
    RejectHasReason
    <AuthBy EXTERNAL>
        Command /opt/config/authexternal
    </AuthBy>
    AuthLog naclog
</Handler>
and /opt/config/authexternal looks like (the NAC module is our homegrown
NAC database interface):
#!/usr/bin/perl -w
# Run by Radiator's <AuthBy EXTERNAL>: the request attributes arrive on
# stdin one per line as   Attr = "value"  ; anything printed to stdout is
# returned as reply attributes, and the exit status selects the result.
use lib '/var/www/nac-mgmt/cgi/lib';
use Modern::Perl;
use NAC;

# AuthBy EXTERNAL exit codes
my $ACCEPT  = 0;
my $REJECT  = 1;
my $NOREPLY = 2;

my ($csi, $ni, $np, $maddr, $vlan, $sw);
my $setvlanattr      = "Extreme-Netlogin-VLAN-Tag";
my $replymessageattr = "Reply-Message";
my $replymessage     = "UNAUTHORISED MACHINE!!!!!";

# Dotted-quad IPv4 address, each octet 0-255
my $octet = qr/(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/;
my $ipv4  = qr/\b($octet\.$octet\.$octet\.$octet)\b/;

# Grab the calling station id, NAS IP address and NAS port from the request.
# Read STDIN explicitly: with <> any arguments appended to Command would be
# opened as files instead of the request being read.
while (<STDIN>) {
    if (/Calling-Station-Id.+"(.+)"/) {
        $csi = uc($1);
        next;
    }
    if (/NAS-IP-Address.+$ipv4/) {
        $ni = $1;
        next;
    }
    if (/NAS-Port-Id.+"(.+)"/) {
        $np = $1;
        next;
    }
}

# Bomb out if we didn't get all of the params from the request!!!
if (!defined $csi || !defined $ni || !defined $np) {
    exit $NOREPLY;
}

# Check the system to see if this MAC has been seen previously.
# $maddr will be undefined if it's new, otherwise a NAC::Mac object.
$maddr = NAC::Mac->new(MAC => $csi);
if (!defined $maddr) {
    # No record of the MAC address, so we create one.
    # $maddr will be a NAC::Mac object upon success (undef otherwise).
    $maddr = NAC::Mac->new(MAC => $csi, create => 1);
}
# If we don't have a valid MAC object at this point we need to bomb out!
if (!defined $maddr) {
    exit $NOREPLY;
}

# Try to grab the switch object representing this switch
$sw = NAC::Switch->new(NASID => $ni);
# If there isn't a valid switch then we need to bomb out!
if (!defined $sw) {
    exit $NOREPLY;
}

# Record where we saw this MAC connect
my $res = $maddr->set_switch(switch => $sw, port => $np);
# If we failed to set the switch for some reason, then bomb out!
if (!defined $res) {
    exit $NOREPLY;
}

if ($maddr->is_auth) {
    # Get the VLAN for this MAC. Check the VLAN object before calling
    # ->get_tag on it, otherwise a MAC with no VLAN dies here and Radiator
    # sees a crashed command rather than a deliberate "no reply".
    my $vlanobj = $maddr->get_vlan();
    $vlan = $vlanobj->get_tag() if defined $vlanobj;
    if (!defined $vlan) {
        exit $NOREPLY;
    }
    say $setvlanattr . "=" . $vlan;
    exit $ACCEPT;
}
else {
    say $replymessageattr . "=\"" . $replymessage . " - " . $REJECT . "\"";
    exit $REJECT;
}
Hopefully that helps.
Regards,
Martin.
On 21/06/2011 07:34, M P wrote:
> Hello all,
>
> How am I going to execute an external script when Radiator receives an
> Access-Request? This script will actually do an HTTP API request to an
> external HTTP server to get the userid; then, once the script has it on
> the same server as where Radiator is running, Radiator will
> respond with an Access-Accept.
>
> Please advise. Thank you in advance.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Martin Burton
Senior Systems Administrator \\\|||///
Special Projects Team \\ ^ ^ //
Wellcome Trust Sanger Institute ( 6 6 )
-----------------------------------------oOOo-(_)-oOOo---
http://www.sanger.ac.uk
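An added example, not code from Martin's post or from Radiator itself, showing the same <AuthBy EXTERNAL> contract in Python with the request parsing separated from the decision so it can be exercised offline: the command reads `Attr = "value"` lines from stdin, prints reply attributes to stdout and exits with the codes the Perl script above uses (0 accept, 1 reject, 2 no reply). The `REGISTERED` table and `SAMPLE_REQUEST` are constructed stand-ins for the NAC database; `decide` takes the lookup as a callable precisely so that M P's HTTP API call could replace the dict lookup without touching the parsing or the reply formatting. The stdin/stdout format and exit codes are assumed from the post, not checked against the Radiator reference manual.

```python
#!/usr/bin/env python3
"""Example <AuthBy EXTERNAL> command: parse the Access-Request attributes
Radiator writes to stdin, decide, print reply attributes, exit with the
result code (0 accept, 1 reject, 2 ignore, as in the post's Perl script)."""
import re
import sys

ACCEPT, REJECT, IGNORE = 0, 1, 2

# One request attribute per line; the value is either double-quoted or bare.
ATTR_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(?:"(.*)"|(\S+))\s*$')

# Constructed stand-in for the NAC database / HTTP lookup: MAC -> VLAN tag.
REGISTERED = {"001122AABBCC": 120}

# Constructed request, in the format Radiator writes to the command's stdin.
SAMPLE_REQUEST = """\
User-Name = "00-11-22-aa-bb-cc"
Calling-Station-Id = "00-11-22-aa-bb-cc"
NAS-IP-Address = 192.0.2.10
NAS-Port-Id = "1:7"
NAS-Port-Type = Ethernet
"""


def parse_request(text):
    """Map attribute names to values; lines that are not attributes are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, quoted, bare = m.groups()
            attrs[name] = quoted if quoted is not None else bare
    return attrs


def canonical_mac(raw):
    """Reduce the NAS-dependent spellings of a MAC (00-11-.., 0011.2233..,
    00:11:..) to 12 upper-case hex digits, or None if it is not a MAC."""
    if raw is None:
        return None
    digits = re.sub(r"[:.\-]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def reply_line(name, value):
    """Format one reply attribute. Quotes and newlines are stripped so a value
    coming back from the lookup backend cannot smuggle in a second line."""
    clean = re.sub(r'["\r\n]', "", str(value))
    return '%s = "%s"' % (name, clean)


def decide(attrs, lookup):
    """Return (exit_code, reply_lines). `lookup(mac)` is any callable that
    returns the VLAN tag for an authorised MAC or None; a dict .get here, an
    HTTP API client in the questioner's case."""
    mac = canonical_mac(attrs.get("Calling-Station-Id"))
    nas = attrs.get("NAS-IP-Address")
    port = attrs.get("NAS-Port-Id")
    if mac is None or nas is None or port is None:
        # Incomplete or malformed request: no reply rather than an accident.
        return IGNORE, []
    vlan = lookup(mac)
    if vlan is None:
        return REJECT, [reply_line("Reply-Message", "UNAUTHORISED MACHINE")]
    return ACCEPT, ["Extreme-Netlogin-VLAN-Tag = %d" % int(vlan)]


def main():
    code, replies = decide(parse_request(sys.stdin.read()), REGISTERED.get)
    for line in replies:
        print(line)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Two things worth keeping in mind with either script: Calling-Station-Id is whatever the NAS reports as the client MAC, which the client chooses, so both scripts authorise a device by a trivially spoofable identifier and nothing more; and whatever the backend returns ends up verbatim in the Access-Accept, so reply values should be sanitised (as `reply_line` does) before they are printed.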