[RADIATOR] ReplyHook Setting code of reply packet

Hugh Irvine hugh at open.com.au
Tue Apr 9 03:18:15 CDT 2013


Hi Tim -

Interesting problem - I'm not surprised you're perplexed - so was I for a while.

In any case, it turns out that there is special processing for Change-Filter-Request in Radius/Handler.pm.

So the answer is this:


sub
{
    use strict;
    
    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
    
    my $p = ${$_[0]};   # proxy reply packet
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to proxy
    
    if ($p->code eq 'Change-Filter-Request-ACKed')
    {
        &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
        # Handler.pm special-cases Change-Filter-Request, so restore the
        # original code before the reply to the NAS is built
        $op->set_code('Access-Request');
        $rp->set_code('Access-Accept');
        $op->{RadiusResult}=$main::ACCEPT;
    }
    else
    {
        &main::log($main::LOG_DEBUG, 'CoA Rejected');
        $rp->set_code('Access-Reject');
        #$op->{RadiusResult}=$main::REJECT;
    }
}


Here is the result, using two Radiator instances - radpwtst sends to the first on port 1645 which in turn proxies to the second on port 11645:


…..

Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4

Tue Apr  9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
sending Change-Filter-Request...
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Change-Filter-Request
Identifier: 65
Authentic:  <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 64444 ....
Code:       Change-Filter-Request
Identifier: 65
Authentic:  <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr  9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
Tue Apr  9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 11645 ....
Code:       Change-Filter-Request
Identifier: 1
Authentic:  <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE, 
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 56174 ....
Code:       Change-Filter-Request
Identifier: 1
Authentic:  <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr  9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL: 
Tue Apr  9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult
Tue Apr  9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 56174 ....
Code:       Change-Filter-Request-ACKed
Identifier: 1
Authentic:  <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:11645
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 11645 ....
Code:       Change-Filter-Request-ACKed
Identifier: 1
Authentic:  <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: IN REPLYHOOK
Tue Apr  9 18:09:35 2013: DEBUG: CoA Acknowledged
Tue Apr  9 18:09:35 2013: DEBUG: Access accepted for 
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 64444 ....
Code:       Access-Accept
Identifier: 65
Authentic:  <16>i0<249>.A<219><187><227><155> q<181><223><218>\
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code:       Access-Accept
Identifier: 65
Authentic:  <16>i0<249>.A<219><187><227><155> q<181><223><218>\
Attributes:

…..


hope that helps

regards

Hugh


On 9 Apr 2013, at 01:33, Tim Jones <tim.jones at fon.com> wrote:

> Hi all,
> 
> I have a Radiator instance acting as a proxy, receiving Access-Request and converting it to a Change-Filter-Request before sending it on again. When it receives the response, it should reply to the originator with Access-Accept or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed it receives.
> 
> In the ReplyHook, I have a very simple if statement checking the code, and changing it in the response. The response is then sent back to the NAS, but without the code I specify.
> 
> Best regards,
> 
> Config & trace logs
> 
> ---- radius.cfg ----
> 
> <Handler Request-Type=Access-Request, Client-Identifier=proxy_client>
>     Identifier access-request_proxy_handler
>     PreAuthHook file:"%{GlobalVar:config_dir}/hooks/preauthhook.pl"
>     <AuthBy RADIUS>
>         # Partner-router
>         Host x.x.x.x
>         AuthPort 1812
>         Secret partner-secret
>         AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class, Session-Timeout, Idle-Timeout
>         ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl"
>     </AuthBy>
> </Handler>
> 
> ---- preauthhook.pl ----
> 
> sub
> {
>     use strict;
>     
>     &main::log($main::LOG_DEBUG, 'IN PREAUTHHOOK');
>     
>     my $p = ${$_[0]};
>     $p->set_code('Change-Filter-Request');
> }
> 
> ---- replyhook.pl ----
> 
> sub
> {
>     use strict;
>     
>     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
>     
>     my $p = ${$_[0]};   # proxy reply packet
>     my $rp = ${$_[1]};  # reply packet to NAS
>     my $op = ${$_[2]};  # original request packet
>     my $sp = ${$_[3]};  # packet sent to proxy
>     
>     if ($p->code eq 'Change-Filter-Request-ACKed')
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
>         $rp->set_code('Access-Accept');
>         $op->{RadiusResult}=$main::ACCEPT;
>     }
>     else
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Rejected');
>         $rp->set_code('Access-Reject');
>         #$op->{RadiusResult}=$main::REJECT;
>     }
> }
> 
> ---- log ----
> 
> 
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Received from x.x.x.x port 57791 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  <206><173><20><176><255><230><129><180>W<149><208><130>1<152><10>I
> Attributes:
>     User-Name = "test"
>     NAS-IP-Address = n.n.n.n
>     NAS-Identifier = "n.n.n.n"
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-IP-Address = i.i.i.i
>     Calling-Station-Id = "11:11:11:11:11:11"
>     Class = "PartnerClassAttribute"
>     Session-Timeout = 600
>     User-Password = <129><235><165><144>d<216><152>DPx<168>+<226><221>&<
> 
> Mon Apr  8 15:30:33 2013: DEBUG: Handling request with Handler 'Request-Type=Access-Request, Client-Identifier=proxy_client', Identifier 'access-request_proxy_handler'
> Mon Apr  8 15:30:33 2013: DEBUG:  Deleting session for test, n.n.n.n, 
> Mon Apr  8 15:30:33 2013: DEBUG: IN PREAUTHHOOK
> Mon Apr  8 15:30:33 2013: DEBUG: Handling with Radius::AuthRADIUS
> Mon Apr  8 15:30:33 2013: DEBUG: AuthBy RADIUS creates new local socket 'x.x.x.x:0' for sending requests
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 1812 ....
> Code:       Change-Filter-Request
> Identifier: 1
> Authentic:  <238>]<170>x<219>8,<139>q<144>2|<182><192>n3
> Attributes:
>     User-Name = "test"
>     NAS-IP-Address = n.n.n.n
>     NAS-IP-Address = i.i.i.i
>     Class = "PartnerClassAttribute"
>     Session-Timeout = 600
>     User-Password = <223><179><13><26><150><161><7>!<140>0M<190><130><135>7<8>
> 
> Mon Apr  8 15:30:33 2013: DEBUG: AuthBy RADIUS result: IGNORE, 
> Mon Apr  8 15:30:33 2013: DEBUG: Received reply in AuthRADIUS for req 1 from x.x.x.x:1812
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Received from x.x.x.x port 1812 ....
> Code:       Change-Filter-Request-ACKed
> Identifier: 1
> Authentic:  +<216><141>C<27><229>&6O<15><206><160>&<245>P^
> Attributes:
> 
> Mon Apr  8 15:30:33 2013: DEBUG: IN REPLYHOOK
> Mon Apr  8 15:30:33 2013: DEBUG: CoA Acknowledged
> Mon Apr  8 15:30:33 2013: DEBUG: Change-Filter-Request accepted
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 57791 ....
> Code:       Change-Filter-Request-ACKed
> Identifier: 1
> Authentic:  <174>~b<229><234><6>Y<10>3<30><230>VD<28><215>C
> Attributes:
> 
> Tim Jones
> Technology & Quality
> 
>  
> tim.jones at fon.com
> Skype: Tim.Jones.Fon
>  
> C/ Quintanavides 15. Edificio 2, Planta 1ª
> Parque Empresarial Vía Norte, de Metrovacesa
> 28050 Las Tablas. Madrid
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
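The thread above is about mapping an upstream Change-Filter-Request-ACKed/NAKed (CoA-ACK/CoA-NAK, codes 44/45 in RFC 5176) onto an Access-Accept/Access-Reject for the NAS. The following is an added example, not Radiator code and not part of either message: a small stand-alone Python model of the two hops seen in the trace. It shows what the reply hook has to achieve on the wire: the upstream reply is checked against the Request Authenticator of the CoA-Request the proxy sent (with the proxy secret), and the reply to the NAS is a fresh packet carrying the NAS's original Identifier, authenticated with the NAS secret over the NAS's original Request Authenticator. The secrets, the fixed NAS authenticator and the User-Name attribute are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865 and RFC 5176. Radiator's dictionary calls
# codes 43/44/45 Change-Filter-Request / -ACKed / -NAKed; the wire values are
# those of CoA-Request / CoA-ACK / CoA-NAK.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Constructed for the example only (a real NAS sends 16 random octets).
NAS_SECRET = b"nas-secret"
PROXY_SECRET = b"partner-secret"
NAS_REQUEST_AUTH = bytes(range(16))


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length field")
    return code, ident, raw[4:20], raw[20:length]


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def coa_request_authenticator(ident, attrs, secret):
    """RFC 5176 s.2.3: same hash with 16 zero octets in the authenticator field."""
    return response_authenticator(COA_REQUEST, ident, b"\x00" * 16, attrs, secret)


def translate_reply(proxy_reply, sent_request, proxy_secret, nas_request, nas_secret):
    """Verify the upstream CoA reply against the CoA-Request we sent, then
    answer the NAS's original request with Access-Accept or Access-Reject."""
    p_code, p_id, p_auth, p_attrs = parse_packet(proxy_reply)
    _, s_id, s_auth, _ = parse_packet(sent_request)
    if p_id != s_id:
        raise ValueError("reply identifier does not match the request we sent")
    expected = response_authenticator(p_code, p_id, s_auth, p_attrs, proxy_secret)
    if not hmac.compare_digest(expected, p_auth):
        raise ValueError("upstream reply fails the Response Authenticator check")
    reply_code = ACCESS_ACCEPT if p_code == COA_ACK else ACCESS_REJECT
    _, o_id, o_auth, _ = parse_packet(nas_request)
    reply_attrs = b""
    auth = response_authenticator(reply_code, o_id, o_auth, reply_attrs, nas_secret)
    return build_packet(reply_code, o_id, auth, reply_attrs)


def _nas_and_sent():
    attrs = encode_attrs([(1, b"test")])  # User-Name = "test"
    nas_request = build_packet(ACCESS_REQUEST, 65, NAS_REQUEST_AUTH, attrs)
    coa_auth = coa_request_authenticator(1, attrs, PROXY_SECRET)
    sent = build_packet(COA_REQUEST, 1, coa_auth, attrs)
    return nas_request, sent, coa_auth


def run_exchange(upstream_code):
    """Simulate the trace: NAS (id 65) -> proxy -> upstream (id 1) -> back.
    Returns (code sent to NAS, identifier, whether the NAS can verify it)."""
    nas_request, sent, coa_auth = _nas_and_sent()
    up_auth = response_authenticator(upstream_code, 1, coa_auth, b"", PROXY_SECRET)
    upstream_reply = build_packet(upstream_code, 1, up_auth, b"")
    reply = translate_reply(upstream_reply, sent, PROXY_SECRET, nas_request, NAS_SECRET)
    code, ident, auth, _ = parse_packet(reply)
    nas_ok = hmac.compare_digest(
        auth, response_authenticator(code, ident, NAS_REQUEST_AUTH, b"", NAS_SECRET))
    return code, ident, nas_ok


def rejects_forged_reply():
    """A CoA-ACK authenticated with the wrong secret must not become an Access-Accept."""
    nas_request, sent, coa_auth = _nas_and_sent()
    bad_auth = response_authenticator(COA_ACK, 1, coa_auth, b"", b"wrong-secret")
    forged = build_packet(COA_ACK, 1, bad_auth, b"")
    try:
        translate_reply(forged, sent, PROXY_SECRET, nas_request, NAS_SECRET)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange(COA_ACK), run_exchange(COA_NAK), rejects_forged_reply())
```

The point of the check on the upstream side is that a reply code alone is not proof of anything: if the hook only looked at `$p->code`, an unauthenticated CoA-ACK from anyone who can reach the proxy's source port would turn into an Access-Accept for the NAS. Radiator does its own authenticator handling around the hook; the model just makes explicit what a correct translation has to preserve: the NAS's Identifier and Request Authenticator, and the NAS's secret, on the packet that finally goes back.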


