[RADIATOR] Change-Filter-Request after an Access-Accept

Tim Jones tim.jones at fon.com
Wed Apr 3 03:39:26 CDT 2013


I am putting together a proof of concept in which a Change-Filter-Request
is submitted to a Cisco ASR when we successfully authenticate via another
RADIUS server.

The flow should be:

   1. Tunnel opens
   2. 'user' (radpwtst) submits an Access-Request to the server
   3. The server forwards the Access-Request to another Radiator server (auth-user)
   4. If the server receives an Access-Reject, return immediately to the user with
   an Access-Reject
   5. Otherwise, submit a Change-Filter-Request to the ASR
   6. If the server receives Change-Filter-ACKed, return the original
   Access-Accept to the user; else return an Access-Reject with a Reply-Message of the
   Change-Filter-NAKed response.

I have this working currently with an AuthBy EXTERNAL and having radpwtst
send the Change-Filter-Request, but I have been asked to find a
non-blocking method.
So far, I have it working up to the last step, but can't seem to 'find' the
reply packet coming back from the ASR and act on it.  The tracelog shows
that we send the Change-Filter-Request and receive the response, but
neither of the ReplyHooks is called to receive and process the reply.

Many thanks for any advice, tracelog below, with config files & hooks after.

---- server.log ----

Wed Apr  3 10:22:21 2013: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Wed Apr  3 10:22:21 2013: DEBUG: Reading dictionary file
'/usr/local/radius/dictionary'
Wed Apr  3 10:22:21 2013: DEBUG: Creating authentication port x.x.x.x:1812
Wed Apr  3 10:22:21 2013: DEBUG: Creating accounting port x.x.x.x:1813
Wed Apr  3 10:22:21 2013: NOTICE: Server started: Radiator 4.10 on debian
Wed Apr  3 10:22:32 2013: DEBUG: Packet dump:
*** Received from u.u.u.u port 41205 ....
Code:       Access-Request
Identifier: 91
Authentic:  <20><127><202><23><161><161>L l<244><217><206>6j<5>D
Attributes:
    User-Name = "test"
    Service-Type = Framed-User
    NAS-IP-Address = a.a.a.a
    NAS-Identifier = "a.a.a.a"
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = y<168><233>GX<232><231><170>7<219>h<210>F<135>@<207>
    Acct-Session-Id = "0000035E"

Wed Apr  3 10:22:32 2013: DEBUG: Handling request with Handler '',
Identifier 'server-default'
Wed Apr  3 10:22:32 2013: DEBUG:  Deleting session for test, a.a.a.a, 1234
Wed Apr  3 10:22:32 2013: DEBUG: Handling with Radius::AuthRADIUS
Wed Apr  3 10:22:32 2013: DEBUG: AuthBy RADIUS creates new local socket
'x.x.x.x:0' for sending requests
Wed Apr  3 10:22:32 2013: DEBUG: Packet dump:
*** Sending to y.y.y.y port 1645 ....
Code:       Access-Request
Identifier: 1
Authentic:  <20><127><202><23><161><161>L l<244><217><206>6j<5>D
Attributes:
    User-Name = "test"
    Service-Type = Framed-User
    NAS-IP-Address = a.a.a.a
    NAS-Identifier = "a.a.a.a"
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = <22><195>5<151><9G<208><130><231>}<239><137><11>Q(
    Acct-Session-Id = "0000035E"

Wed Apr  3 10:22:32 2013: DEBUG: AuthBy RADIUS result: IGNORE,
Wed Apr  3 10:22:32 2013: DEBUG: Received reply in AuthRADIUS for req 1
from y.y.y.y:1645
Wed Apr  3 10:22:32 2013: DEBUG: Packet dump:
*** Received from y.y.y.y port 1645 ....
Code:       Access-Accept
Identifier: 1
Authentic:
<247><4><168><241><231><176><247><195>M<206><199><3><244>J<15><188>
Attributes:

Wed Apr  3 10:22:32 2013: DEBUG: IN REPLYHOOK COA
Wed Apr  3 10:22:32 2013: DEBUG: Recieved: Access-Accept
Wed Apr  3 10:22:32 2013: DEBUG: Auth Sucess
Wed Apr  3 10:22:32 2013: DEBUG: Launching CoA
Wed Apr  3 10:22:32 2013: DEBUG: Handling with Radius::AuthRADIUS
Wed Apr  3 10:22:32 2013: DEBUG: Packet dump:
*** Sending to z.z.z.z port 1650 ....
Code:       Change-Filter-Request
Identifier: 1
Authentic:  <223><0><22>j<178><153><8><169><13><12><169><201><200><234><28>l
Attributes:
    Acct-Session-Id = "0000035E"
    cisco-avpair =
"qos-policy-out=add-class(sub,(class-default),police(30000))"

Wed Apr  3 10:22:32 2013: DEBUG: Received reply in AuthRADIUS for req 1
from z.z.z.z:1650
Wed Apr  3 10:22:32 2013: DEBUG: Packet dump:
*** Received from z.z.z.z port 1650 ....
Code:       Change-Filter-Request-ACKed
Identifier: 1
Authentic:  #'<232><204>h<149><222><15>-<5><140><152><207><29><196><28>
Attributes:
    Cisco-Account-Info = "St.t.t.t"
    Cisco-Account-Info = "$IVirtual-Access2.1"



---- radiator.cfg ----

LogDir          /var/log/radiator/
DictionaryFile  /usr/local/radius/dictionary
PidFile         /var/run/radius/server.pid
DbDir           /etc/radiator/

BindAddress x.x.x.x
AuthPort 1812
AcctPort 1813

<Log FILE>
        Filename %L/server.log
        Trace 4
</Log>

<Client DEFAULT>
        Secret coa
        DupInterval 0
</Client>

<AuthLog FILE>
    Identifier defaultlog
    Filename /var/log/radiator/server-auth.log
    LogSuccess 1
    LogFailure 1
    SuccessFormat %l %n -> OK
    FailureFormat %l %n -> FAIL
</AuthLog>

<AuthBy RADIUS>
    Identifier auth-user
    Host y.y.y.y
    Secret prx
    AuthPort 1645
    AcctPort 1646
    ReplyHook file:"/usr/local/radius/replyhook-authuser.pl"
</AuthBy>

<AuthBy RADIUS>
    Identifier lns-coa
    Host z.z.z.z
    Secret poc
    AuthPort 1650
    AcctPort 1650
    NoForwardAccounting
    ReplyHook file:"/usr/local/radius/replyhook-lns-coa.pl"
</AuthBy>



---- replyhook-authuser.pl ----

sub
{
    use strict;
    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK AUTH-USER');
    my $p  = ${$_[0]};  # proxy reply packet (from auth-user)
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to proxy

    # Just dump the code to see what it is...
    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "Received: $code");

    if ($code eq 'Access-Accept')
    {
        &main::log($main::LOG_DEBUG, 'Auth Success');
        my $authby_identifier = 'lns-coa';
        my $coa_authby;
        if ($coa_authby = Radius::AuthGeneric::find($authby_identifier))
        {
            &main::log($main::LOG_DEBUG, 'Launching CoA');

            # Build the Change-Filter-Request (CoA) for the session that was just
            # accepted. The authenticator is zeroed here; the tracelog shows a
            # computed one on the wire, so AuthBy RADIUS fills it in when sending.
            my $coa_p = new Radius::Radius $main::dictionary;
            $coa_p->set_code('Change-Filter-Request');
            $coa_p->set_authenticator("\000" x 16);
            $coa_p->add_attr('Acct-Session-Id', $op->get_attr('Acct-Session-Id'));
            $coa_p->add_attr('cisco-avpair',
                'qos-policy-out=add-class(sub,(class-default),police(30000))');

            # Hand the CoA to the lns-coa AuthBy and hold the reply to the NAS;
            # the lns-coa ReplyHook is expected to finish it when the ACK/NAK arrives.
            my ($rc, $reason) = $coa_authby->handle_request($coa_p);
            $p->{RadiusResult} = $main::IGNORE;
        }
        else
        {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $authby_identifier");
            $p->set_code('Access-Reject');
            $p->{RadiusResult} = $main::REJECT;
        }
    }
}



---- replyhook-lns-coa.pl ----

sub
{
    use strict;

    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK LNS-COA');
}


Tim Jones
Technology & Quality
tim.jones at fon.com
Skype: Tim.Jones.Fon

C/ Quintanavides 15. Edificio 2, Planta 1ª
Parque Empresarial Vía Norte, de Metrovacesa
28050 Las Tablas. Madrid
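The Change-Filter-Request exchange in steps 5 and 6 of the flow above, as an added example that is not part of the post and is not Radiator or Cisco code: a minimal RFC 5176 CoA client in Python together with `mock_asr`, a constructed stand-in for the ASR's CoA listener (an assumption, not ASR behaviour). It builds the packet with the Acct-Session-Id and cisco-avpair from the posted hook, computes the Request Authenticator over a zeroed authenticator field (the value the hook sets before Radiator fills in the real one), verifies the Response Authenticator of the ACK or NAK before trusting it, and maps the result to the Access-Accept or Access-Reject with Reply-Message that the flow describes. The shared secret `poc` is the one in the lns-coa AuthBy; the Error-Cause value in the NAK is constructed.

```python
import hashlib
import hmac
import struct

# RFC 5176 codes; Radiator's dictionary names them Change-Filter-Request/-ACKed/-NAKed
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types (RFC 2865 / RFC 5176) and the Cisco VSA used in the posted hook
VENDOR_SPECIFIC, ACCT_SESSION_ID, ERROR_CAUSE = 26, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
# Values taken from the posted config and hook
SECRET = b"poc"
POLICY = "qos-policy-out=add-class(sub,(class-default),police(30000))"


def attr(atype, value):
    """Encode one Type-Length-Value attribute (Length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific attribute (vendor 9, type 1)."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attrs(body):
    """Decode TLV attributes, rejecting lengths that would run past the packet."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def build_coa_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def verify_request(pkt, secret):
    """NAS side: recompute the Request Authenticator before acting on a CoA."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Client side: only an ACK/NAK bound to our request and our secret counts."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def mock_asr(request, secret, accept=True):
    """Constructed stand-in for the ASR's CoA listener (assumption, not Cisco code)."""
    if not verify_request(request, secret):
        return None  # RFC 5176: a request with a bad authenticator is silently discarded
    if accept:
        return build_response(COA_ACK, request, b"", secret)
    # Error-Cause 503 = Session Context Not Found (RFC 5176 section 3.5); constructed
    return build_response(COA_NAK, request, attr(ERROR_CAUSE, struct.pack("!I", 503)), secret)


def decide_access(session_id, policy, secret, send):
    """Steps 5 and 6 of the flow: send the CoA, return (reply code, Reply-Message)."""
    attrs = attr(ACCT_SESSION_ID, session_id.encode()) + cisco_avpair(policy)
    request = build_coa_request(1, attrs, secret)
    response = send(request)
    if response is None:
        return ("Access-Reject", "no reply to Change-Filter-Request")
    if not verify_response(response, request, secret):
        return ("Access-Reject", "Change-Filter reply failed authenticator check")
    if response[0] == COA_ACK:
        return ("Access-Accept", None)
    causes = dict(parse_attrs(response[20:]))
    cause = struct.unpack("!I", causes[ERROR_CAUSE])[0] if ERROR_CAUSE in causes else "unknown"
    return ("Access-Reject", f"Change-Filter-NAKed, Error-Cause {cause}")
```

`decide_access("0000035E", POLICY, SECRET, lambda r: mock_asr(r, SECRET))` walks the accept path; passing `accept=False` to the stand-in yields the Reject with the NAK's Error-Cause in the Reply-Message. The authenticator check on the reply is the part worth keeping in any real implementation: a CoA-ACK whose Response Authenticator does not verify against the request and the shared secret is treated as no answer, not as permission to return the Access-Accept.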