[RADIATOR] multiple hosts
Alexander Hartmaier
alexander.hartmaier at t-systems.at
Fri Nov 25 03:02:31 CST 2011
I have one radiator that needs to ask two other radius servers one after
another.
In the Handler I've configured the first radius server with an AuthBy
RADIUS which includes a ReplyHook.
This is the hook script:
use strict;
use warnings;
use Data::Dumper;

# This hook copies the @proxied_attrs from the answer of the first radius
# server into the original request and dispatches that request to the
# second radius server (found by its Identifier).
sub {
    my $p  = ${$_[0]}; # reply packet from remote radius server
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to remote radius server (unused here)

    # Get the request code from the proxy reply.
    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "radius replied with $code");

    # default to reject
    $op->{RadiusResult} = $main::REJECT;

    # Only proxy if the current request was accepted
    if ($code eq 'Access-Accept') {
        # Find the AuthBy clause with the same Identifier
        my $identifier = 'identifier-of-second-authby-radius';
        my $authby = Radius::AuthGeneric::find($identifier);
        if (defined $authby) {
            &main::log($main::LOG_DEBUG, "Found AuthBy with Identifier $identifier");

            # filter the attributes sent to the second radius server
            my @proxied_attrs = qw/
                Framed-IP-Address
            /;
            for my $attr (@proxied_attrs) {
                my $value = $p->get_attr($attr);
                # skip attributes the first server did not send
                $op->add_attr($attr, $value) if defined $value;
            }
            &main::log($main::LOG_DEBUG, Dumper($rp->{Attributes}));

            # Hand the request to the second AuthBy. Its own ReplyHook
            # answers the NAS, so tell Radiator not to reply here.
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            $op->{RadiusResult} = $main::IGNORE;
        }
        else {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
            $op->{RadiusResult} = $main::REJECT;
        }
    }
    # we don't need to forward the accounting response to the first
    # radius server
    elsif ($code eq 'Accounting-Response') {
    }
    else {
        &main::log($main::LOG_ERR, "radius server didn't accept the request");
    }
    return;
}
You configure the second radius server in your global radiator config
with an AuthBy and give it the identifier used in the hook.
This AuthBy has a ReplyHook:
use strict;
use warnings;

# this is needed to respond to the original request from the radius client
sub {
    my $p  = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy (unused here)

    # Get the request code from the proxy reply.
    my $code = $p->code;

    # Set the correct reply code in the reply packet
    if ($code eq 'Access-Accept') {
        $op->{RadiusResult} = $main::ACCEPT;
    }
    else {
        $op->{RadiusResult} = $main::REJECT;
    }
    return;
}
...and a NoReplyHook:
use strict;
use warnings;

# Runs when the second radius server never answers. Note that this
# sends Access-Accept to the NAS while that server is silent.
sub {
    my $p  = ${$_[0]}; # original request packet from the NAS
    my $fp = ${$_[1]}; # packet forwarded to the second radius server (unused)
    my $rp = ${$_[2]}; # reply packet to NAS
    $rp->set_code('Access-Accept');
    # send the reply packet to the Client that sent the original request
    $p->{Client}->replyTo($rp, $p);
    return;
}
@list: please feel free to suggest improvements or simplification if
possible!
Best regards, Alex
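An added model, not Radiator code and not part of this thread, that tabulates what the two ReplyHooks and the NoReplyHook above decide for one request, and how long the NAS waits for that decision; hop names, timings and the Framed-IP-Address value are constructed, and the fail_open switch exposes the branch where the NoReplyHook answers Access-Accept to a silent second server:

```python
"""Constructed model of the two-hop RADIUS proxy chain described in the
thread. It is not Radiator code: it only reproduces the decision logic of
the two ReplyHooks and the NoReplyHook so the outcomes can be tabulated."""
from dataclasses import dataclass, field

ACCEPT, REJECT, NOREPLY = "Access-Accept", "Access-Reject", None
PROXIED_ATTRS = ("Framed-IP-Address",)   # the @proxied_attrs list of the first hook


@dataclass
class Hop:
    name: str
    code: object = ACCEPT          # ACCEPT, REJECT or NOREPLY (constructed behaviour)
    attrs: dict = field(default_factory=dict)
    timeout: float = 3.0           # seconds per attempt (assumed value)
    attempts: int = 3              # Alex's "timeout*retry" product uses these two
    latency: float = 0.1           # reply time when the hop does answer


def worst_case_wait(hop: Hop) -> float:
    """Time Radiator spends on a silent hop before its NoReplyHook fires."""
    return hop.timeout * hop.attempts


def chain_auth(first: Hop, second: Hop, fail_open: bool = True):
    """Return (code sent to the NAS, attrs forwarded to hop 2, seconds elapsed).

    fail_open=True mirrors the posted NoReplyHook, which answers Access-Accept
    when the second server never replies.
    """
    if first.code is NOREPLY:
        # Assumption: no NoReplyHook on the first AuthBy, so the NAS gets nothing.
        return NOREPLY, {}, worst_case_wait(first)
    if first.code != ACCEPT:
        return REJECT, {}, first.latency          # first hook's default: reject
    # First ReplyHook: copy the proxied attributes into the request for hop 2.
    forwarded = {a: first.attrs[a] for a in PROXIED_ATTRS if a in first.attrs}
    if second.code is NOREPLY:
        code = ACCEPT if fail_open else REJECT    # NoReplyHook branch
        return code, forwarded, first.latency + worst_case_wait(second)
    code = ACCEPT if second.code == ACCEPT else REJECT   # second ReplyHook
    return code, forwarded, first.latency + second.latency


def nas_gave_up(elapsed: float, nas_timeout: float, nas_attempts: int) -> bool:
    """True when the NAS stops waiting before Radiator answers (the Synchronous risk)."""
    return elapsed > nas_timeout * nas_attempts
```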
On 2011-11-25 00:37, Judy Angel wrote:
> Have you solved the multi hosts config in another way?
> Judy
>
> --On 24 November 2011 16:51 +0100 Alexander Hartmaier
> <alexander.hartmaier at t-systems.at> wrote:
>
>> Synchronous will block the Radiator process until a reply is received or
>> the configured timeout is exceeded. During this time Radiator won't
>> handle any other requests and will be marked as unreachable by the
>> radius
>> clients if their timeout*retry is lower than the combined timeout*retry
>> of the AuthBy RADIUS clauses.
>>
>> I strongly recommend to *NOT* use Synchronous, *EVER*.
>>
>> Best regards, Alexander Hartmaier
>>
>> On 2011-11-23 02:21, Martin Burton wrote:
>>
>>
>> Oops, forgot one important keyword in there. You need to put the
>> Synchronous flag in the AuthBy RADIUS clause for host1. If you don't
>> then Radiator will move onto the next AuthBy without waiting for a
>> reply.
>>
>> <AuthBy RADIUS>
>> <Host host1.herts.ac.uk>
>> Secret xxxx
>> </Host>
>> Synchronous
>> </AuthBy>
>>
>>
>> Check the info in the Radiator manual about the implications of using
>> Synchronous though.
>>
>> Cheers,
>>
>> Martin.
>>
>> On 23/11/2011 01:10, Martin Burton wrote:
>>
>>
>>
>> You could probably achieve what you need using an AuthByPolicy, like:
>>
>> <Handler Realm=domain.ac.uk>
>> RewriteUsername s/^([^@]+).*/$1/
>> AuthByPolicy ContinueWhileReject
>> <AuthBy RADIUS>
>> <Host host1.herts.ac.uk>
>> Secret xxxx
>> </Host>
>> </AuthBy>
>> <AuthBy RADIUS>
>> <Host host2.herts.ac.uk>
>> Secret xxxxx
>> </Host>
>> </AuthBy>
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Handler>
>>
>> HTH.
>>
>>
>> On 23/11/2011 00:01, Judy Angel wrote:
>>
>>
>>
>>
>> Radius V4.2.
>> I am looking to authenticate on two servers. If the userid is not
>> available in host1 try host2. The config below works fine on host1 but
>> if the return fails as the userid does not exist it does not check for
>> the userid in host2. Should this be possible?
>>
>>
>> <Handler Realm=domain.ac.uk>
>> RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy RADIUS>
>>
>> <Host host1.herts.ac.uk>
>> Secret xxxx
>> </Host>
>> <Host host2.herts.ac.uk>
>> Secret xxxxx
>> </Host>
>> </AuthBy>
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Handler>
>>
>> Thanks
>> Judy Angel
>> University of Hertfordshire
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator