[RADIATOR] branching in AuthBy GROUP

Heikki Vatiainen hvn at open.com.au
Mon Dec 3 06:07:46 CST 2012


On 12/03/2012 10:39 AM, Søren Schrøder wrote:

> do local auth, and in some cases, forward to other radius servers for them to do auth. 

Hello Søren,

it currently fails because a Handler inside an AuthBy is not something
that Radiator supports. I tried your configuration snippet, and
unfortunately it does not log an error either to hint about this.

You could consider the example below: The outer GROUP steps through all
inner GROUPs as long as the groups return Reject. Within the inner
groups, AuthBy INTERNAL checks if the request should be handled by the
proxy that's part of the group.

Instead of using Handler's selectors, this uses AuthBy INTERNAL and
RequestHook to decide if the request belongs to this GROUP and its
proxy or if the outer GROUP should continue and try the next inner GROUP.

<Realm>
    AuthByPolicy ContinueWhileChallenge
    <AuthBy XXXX>
        #local auth in own module
    </AuthBy>

    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject
        <AuthBy GROUP>
            AuthByPolicy ContinueUntilIgnore
            <AuthBy INTERNAL>
                # RequestHook:
                # return $main::REJECT unless Vendor-Specific is rad1
            </AuthBy>
            <AuthBy RADIUS>
                # Proxy to rad1. AuthBy returns Ignore
            </AuthBy>
        </AuthBy>
        # Similar Group for rad2, rad3, etc.
    </AuthBy>
</Realm>

> <Realm>
>         <AuthBy GROUP>
>                 AuthByPolicy ContinueWhileChallenge
>                 <AuthBy XXXX>
>                         #local auth in own module
>                 </AuthBy>
>                 <Handler Vendor-Specific=rad1>
>                         <AuthBy FILE>
>                                 Filename users1
>                                 #here goes remote radius host, port, secret etc.
>                         </AuthBy>
>                 </Handler>
>                 <Handler Vendor-Specific=rad2>
>                         <AuthBy FILE>
>                                 Filename users2
>                         </AuthBy>
>                 </Handler>
>                 <Handler>
>                         <AuthBy FILE>
>                                 Filename users
>                         </AuthBy>
>                 </Handler>
>         </AuthBy>
> </Realm>
> 
> but it's not working the way I expected. When challenged, it DOES continue in GROUP, but it always hits the fallback handler, never the two specific rad1/rad2 handlers.
> 
> I guess this is because Vendor-Specific is added to the REPLY (using $p->{rp}->add_attr()), and HANDLER looks at the REQUEST ?
> 
> SO:
> 
> any great hints on how to do "if then" groups, based on lookups in an AuthBy XXXX module ???
> 
> If anything else fails, I'll build a radius client function into AuthbyXXXX, and do the branching and proxying inside the perl, but I like the clarity of AuthBy GROUP, and the fact that I can hand off the request to the remote server, and not worry about how bad (and it's a MS Radius, so it can be really bad) it responds.
> 
> Thanks in advance for hints and thoughts.
> 
> /Søren


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
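To show what the commented-out parts of Heikki's skeleton look like when filled in, here is one inner GROUP (for rad1) as an added example; it is not from the original thread and not Radiator's own goodies. It assumes, as Søren describes, that the local AuthBy XXXX marks the request by adding an attribute named Vendor-Specific to the reply with $p->{rp}->add_attr(), that AuthBy INTERNAL calls the hook with the AuthBy object and the request packet and uses a returned ($result, $reason) list as its result, and that the proxy host and secret are placeholders.

```perl
# Radiator configuration fragment (added example) with an inline Perl
# RequestHook. Copy the block once per target server, changing 'rad1'
# and the Host/Secret of the AuthBy RADIUS.
<AuthBy GROUP>
    # Stop at Ignore: once AuthBy RADIUS has taken the request (it
    # returns Ignore because the proxied reply is relayed later),
    # nothing else in this group or in the outer group runs.
    AuthByPolicy ContinueUntilIgnore

    <AuthBy INTERNAL>
        # The hook returns Reject for anything not marked for rad1, so
        # the outer ContinueWhileReject group moves on to the next
        # inner group. Accept lets ContinueUntilIgnore fall through to
        # the AuthBy RADIUS below. The marker is read from the reply
        # packet first ($p->{rp}, where the local module put it) and
        # from the request as a fallback. Attribute name is assumed;
        # use your dictionary's name for the VSA. Lines end in a
        # backslash because Radiator joins multi-line hook values.
        RequestHook sub { my ($self, $p) = @_; \
            my $target = $p->{rp} ? $p->{rp}->get_attr('Vendor-Specific') : undef; \
            $target = $p->get_attr('Vendor-Specific') unless defined $target; \
            return ($main::REJECT, 'request not routed to rad1') \
                unless defined $target && $target eq 'rad1'; \
            return ($main::ACCEPT, 'request routed to rad1'); }
    </AuthBy>

    <AuthBy RADIUS>
        # Forward to rad1. Placeholder values; replace with the real
        # server and a secret of your own.
        Host     rad1.example.com
        Secret   CHANGE_ME
        AuthPort 1812
        AcctPort 1813
    </AuthBy>
</AuthBy>
```

A request that no inner group claims leaves the outer GROUP with Reject, which is the safe default when the marker is missing or names an unknown server.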