[RADIATOR] branching in AuthBy GROUP
Søren Schrøder
sch at telenor.dk
Mon Dec 3 02:39:12 CST 2012
Greetings list.
I've been using Radiator for many odd tasks, and I'm always happy to find that somehow there's always a radiator solution in the myriad of options.
This time though, I haven't seen the light, and found a nice solution .
what I want to accomplish:
do local auth, and in some cases, forward to other radius servers for them to do auth.
what I have done so far:
first I do auth based on a lookup in various data. Since the bussinessrules are rather complex, I have written my own AuthbyXXXX module, and it works as intended
inside AuthbyXXXX, a database contains (among others):
USER, PASS, IP, MASK, NEXTRADIUS
user1, pass1, 10.0.0.1 255.255.255.255, 0
user2, pass2, 10.0.0.2 255.255.255.255, 0
user3, pass3, 10.0.0.3 255.255.255.255, 1
user4, pass4, 10.0.0.4 255.255.255.255, 2
user1 and user2 are validated final (NEXTRADIUS=0)
user3 must be validated at another radius-server1 (NEXTRADIUS=1)
user4 must be validated at another radius-server2 (NEXTRADIUS=2)
user1 and user2 is returned $main::ACCEPT or $main::REJECT
user3 and user4 is returned $main::CHALLENGE, and I add an attribute (for example "Vendor-Specific=radX")
user5 (non existing in local) always gets REJECT since it doesn't exist in primary
I have build this GROUP (using AuthBy FILE to simulate the AuthBy RADIUS I'll need in production):
and AuthBy Group is set to continue if Challenge (AuthByPolicy)
conf:
<Realm>
<AuthBy GROUP>
AuthByPolicy ContinueWhileChallenge
<AuthBy XXXX>
#local auth in own module
</AuthBy>
<Handler Vendor-Specific=rad1>
<AuthBy FILE>
Filename users1
#here goes remote radius host, port, secret etc.
</AuthBy>
</Handler>
<Handler Vendor-Specific=rad2>
<AuthBy FILE>
Filename users2
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename users
</AuthBy>
</Handler>
</AuthBy>
</Realm>
but its not working the way I expected. When challenged, it DOES continue in GROUP, but it always hits the fallback handler, never the two specific rad1/rad2 handlers.
I guess this is because Vendor-Specific is added to the REPLY (using $p->{rp}->add_attr()), and HANDLER looks at the REQUEST ?
SO:
any great hints on how to do "if then" groups, based on lookups in an AuthBy XXXX module ???
If anything else fails, I'll build radius client function into AuthbyXXXX, and do the brancing and proxying inside the perl, but I like the clairity of AuthBy GROUP, and the fact that I can hand of the request to the remote server, and not worry about how bad (and it's a MS Radius, so it can bed really bad) it responds.
Thanks in advance for hints and thoughts.
/Søren
--
Søren Schrøder, Senior Architect, OSS, Core Engineering, Telenor
mailto:sch at telenor.dk, tel: (+45)60503045
More information about the radiator
mailing list