[RADIATOR] ReplyHook Setting code of reply packet

Tim Jones tim.jones at fon.com
Tue Apr 9 06:01:45 CDT 2013


Hugh,

Many, many thanks!!

Tim Jones
Technology & Quality
tim.jones at fon.com
Skype: Tim.Jones.Fon

C/ Quintanavides 15. Edificio 2, Planta 1ª
Parque Empresarial Vía Norte, de Metrovacesa
28050 Las Tablas. Madrid


On 9 April 2013 10:18, Hugh Irvine <hugh at open.com.au> wrote:

>
> Hi Tim -
>
> Interesting problem - I'm not surprised you're perplexed - so was I for a
> while.
>
> In any case, it turns out that there is special processing for
> Change-Filter-Request in Radius/Handler.pm.
>
> So the answer is this:
>
>
> sub
> {
>     use strict;
>
>     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
>
>     my $p = ${$_[0]};   # proxy reply packet
>     my $rp = ${$_[1]};  # reply packet to NAS
>     my $op = ${$_[2]};  # original request packet
>     my $sp = ${$_[3]};  # packet sent to proxy
>
>     if ($p->code eq 'Change-Filter-Request-ACKed')
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
>         # Put the original request back to Access-Request first: Handler.pm
>         # has special processing for Change-Filter-Request that otherwise
>         # overrides the reply code set on $rp below.
>         $op->set_code('Access-Request');
>         $rp->set_code('Access-Accept');
>         $op->{RadiusResult}=$main::ACCEPT;
>     }
>     else
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Rejected');
>         $rp->set_code('Access-Reject');
>         #$op->{RadiusResult}=$main::REJECT;
>     }
> }
>
>
> Here is the result, using two Radiator instances - radpwtst sends to the
> first on port 1645 which in turn proxies to the second on port 11645:
>
>
> …..
>
> Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4
>
> Tue Apr  9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
> sending Change-Filter-Request...
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1645 ....
> Code:       Change-Filter-Request
> Identifier: 65
> Authentic:  <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 64444 ....
> Code:       Change-Filter-Request
> Identifier: 65
> Authentic:  <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Apr  9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
> Tue Apr  9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 11645 ....
> Code:       Change-Filter-Request
> Identifier: 1
> Authentic:  <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 56174 ....
> Code:       Change-Filter-Request
> Identifier: 1
> Authentic:  <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Apr  9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL:
> Tue Apr  9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by
> DefaultResult
> Tue Apr  9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 56174 ....
> Code:       Change-Filter-Request-ACKed
> Identifier: 1
> Authentic:  <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1
> from 127.0.0.1:11645
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 11645 ....
> Code:       Change-Filter-Request-ACKed
> Identifier: 1
> Authentic:  <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: IN REPLYHOOK
> Tue Apr  9 18:09:35 2013: DEBUG: CoA Acknowledged
> Tue Apr  9 18:09:35 2013: DEBUG: Access accepted for
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 64444 ....
> Code:       Access-Accept
> Identifier: 65
> Authentic:  <16>i0<249>.A<219><187><227><155> q<181><223><218>\
> Attributes:
>
> Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1645 ....
> Code:       Access-Accept
> Identifier: 65
> Authentic:  <16>i0<249>.A<219><187><227><155> q<181><223><218>\
> Attributes:
>
> …..
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 9 Apr 2013, at 01:33, Tim Jones <tim.jones at fon.com> wrote:
>
> > Hi all,
> >
> > I have a Radiator instance acting as a proxy, receiving Access-Request
> > and converting it to a Change-Filter-Request before sending it on again.
> > When it receives the response, it should reply to the originator with
> > Access-Accept or Access-Reject, rather than the Change-Filter-ACKed or
> > Change-Filter-NAKed it receives.
> >
> > In the ReplyHook, I have a very simple if statement checking the code,
> > and changing it in the response. The response is then sent back to the NAS,
> > but without the code I specify.
> >
> > Best regards,
> >
> > Config & trace logs
> >
> > ---- radius.cfg ----
> >
> > <Handler Request-Type=Access-Request, Client-Identifier=proxy_client>
> >     Identifier access-request_proxy_handler
> >     PreAuthHook file:"%{GlobalVar:config_dir}/hooks/preauthhook.pl"
> >     <AuthBy RADIUS>
> >         # Partner-router
> >         Host x.x.x.x
> >         AuthPort 1812
> >         Secret partner-secret
> >         AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class, Session-Timeout, Idle-Timeout
> >         ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl"
> >     </AuthBy>
> > </Handler>
> >
> > ---- preauthhook.pl ----
> >
> > sub
> > {
> >     use strict;
> >
> >     &main::log($main::LOG_DEBUG, 'IN PREAUTHHOOK');
> >
> >     my $p = ${$_[0]};
> >     $p->set_code('Change-Filter-Request');
> > }
> >
> > ---- replyhook.pl ----
> >
> > sub
> > {
> >     use strict;
> >
> >     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
> >
> >     my $p = ${$_[0]};   # proxy reply packet
> >     my $rp = ${$_[1]};  # reply packet to NAS
> >     my $op = ${$_[2]};  # original request packet
> >     my $sp = ${$_[3]};  # packet sent to proxy
> >
> >     if ($p->code eq 'Change-Filter-Request-ACKed')
> >     {
> >         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
> >         $rp->set_code('Access-Accept');
> >         $op->{RadiusResult}=$main::ACCEPT;
> >     }
> >     else
> >     {
> >         &main::log($main::LOG_DEBUG, 'CoA Rejected');
> >         $rp->set_code('Access-Reject');
> >         #$op->{RadiusResult}=$main::REJECT;
> >     }
> > }
> >
> > ---- log ----
> >
> >
> > Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> > *** Received from x.x.x.x port 57791 ....
> > Code:       Access-Request
> > Identifier: 1
> > Authentic:  <206><173><20><176><255><230><129><180>W<149><208><130>1<152><10>I
> > Attributes:
> >     User-Name = "test"
> >     NAS-IP-Address = n.n.n.n
> >     NAS-Identifier = "n.n.n.n"
> >     Called-Station-Id = "123456789"
> >     Calling-Station-Id = "987654321"
> >     NAS-IP-Address = i.i.i.i
> >     Calling-Station-Id = "11:11:11:11:11:11"
> >     Class = "PartnerClassAttribute"
> >     Session-Timeout = 600
> >     User-Password = <129><235><165><144>d<216><152>DPx<168>+<226><221>&<
> >
> > Mon Apr  8 15:30:33 2013: DEBUG: Handling request with Handler 'Request-Type=Access-Request, Client-Identifier=proxy_client', Identifier 'access-request_proxy_handler'
> > Mon Apr  8 15:30:33 2013: DEBUG:  Deleting session for test, n.n.n.n,
> > Mon Apr  8 15:30:33 2013: DEBUG: IN PREAUTHHOOK
> > Mon Apr  8 15:30:33 2013: DEBUG: Handling with Radius::AuthRADIUS
> > Mon Apr  8 15:30:33 2013: DEBUG: AuthBy RADIUS creates new local socket 'x.x.x.x:0' for sending requests
> > Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> > *** Sending to x.x.x.x port 1812 ....
> > Code:       Change-Filter-Request
> > Identifier: 1
> > Authentic:  <238>]<170>x<219>8,<139>q<144>2|<182><192>n3
> > Attributes:
> >     User-Name = "test"
> >     NAS-IP-Address = n.n.n.n
> >     NAS-IP-Address = i.i.i.i
> >     Class = "PartnerClassAttribute"
> >     Session-Timeout = 600
> >     User-Password = <223><179><13><26><150><161><7>!<140>0M<190><130><135>7<8>
> >
> > Mon Apr  8 15:30:33 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> > Mon Apr  8 15:30:33 2013: DEBUG: Received reply in AuthRADIUS for req 1 from x.x.x.x:1812
> > Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> > *** Received from x.x.x.x port 1812 ....
> > Code:       Change-Filter-Request-ACKed
> > Identifier: 1
> > Authentic:  +<216><141>C<27><229>&6O<15><206><160>&<245>P^
> > Attributes:
> >
> > Mon Apr  8 15:30:33 2013: DEBUG: IN REPLYHOOK
> > Mon Apr  8 15:30:33 2013: DEBUG: CoA Acknowledged
> > Mon Apr  8 15:30:33 2013: DEBUG: Change-Filter-Request accepted
> > Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> > *** Sending to x.x.x.x port 57791 ....
> > Code:       Change-Filter-Request-ACKed
> > Identifier: 1
> > Authentic:  <174>~b<229><234><6>Y<10>3<30><230>VD<28><215>C
> > Attributes:
> >
> > Tim Jones
> > Technology & Quality
> >
> >
> > tim.jones at fon.com
> > Skype: Tim.Jones.Fon
> >
> > C/ Quintanavides 15. Edificio 2, Planta 1ª
> > Parque Empresarial Vía Norte, de Metrovacesa
> > 28050 Las Tablas. Madrid
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>
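An added example, not from Hugh's reply or from the Radiator distribution, that generalises the fix in the thread: instead of one if/else, the hook maps each CoA or Disconnect reply code the proxy target can return to the Access code the NAS should see, and fails closed (Access-Reject) on anything it does not recognise, so a misconfigured or unexpected upstream reply can never become an accept. It uses only the hook API visible in the thread (`code`, `set_code`, `RadiusResult`, `main::log`). The `Disconnect-Request-ACKed`/`NAKed` code names, `$main::LOG_INFO`, and resetting the original request code in the NAK path as well as the ACK path (Hugh's post only shows it for the ACK case) are assumptions.

```perl
# Added example ReplyHook for <AuthBy RADIUS>; not the thread's or Radiator's own code.
# Configure with:  ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl"
sub
{
    use strict;

    my $p  = ${$_[0]};   # reply received from the proxy target
    my $rp = ${$_[1]};   # reply that will be sent back to the NAS
    my $op = ${$_[2]};   # original request received from the NAS
    my $sp = ${$_[3]};   # request as forwarded to the proxy target (unused here)

    # Assumed mapping: upstream CoA/Disconnect outcome -> (code for NAS, Radiator result).
    # The Disconnect-Request-* names are an assumption; only the
    # Change-Filter-Request-ACKed name is confirmed by the thread's trace.
    my %to_access = (
        'Change-Filter-Request-ACKed' => ['Access-Accept', $main::ACCEPT],
        'Change-Filter-Request-NAKed' => ['Access-Reject', $main::REJECT],
        'Disconnect-Request-ACKed'    => ['Access-Accept', $main::ACCEPT],
        'Disconnect-Request-NAKed'    => ['Access-Reject', $main::REJECT],
    );

    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "IN REPLYHOOK: proxy target replied with $code");

    # Fail closed: anything not in the table (an unexpected or malformed reply
    # code) is reported to the NAS as Access-Reject, never as Access-Accept.
    my ($nas_code, $result) = exists $to_access{$code}
        ? @{ $to_access{$code} }
        : ('Access-Reject', $main::REJECT);

    # As in Hugh's fix: restore the original request code so Handler.pm's
    # special processing for Change-Filter-Request does not overwrite the
    # reply code chosen here. Doing this on the reject path too is an assumption.
    $op->set_code('Access-Request');
    $rp->set_code($nas_code);
    $op->{RadiusResult} = $result;

    # Log rejects at INFO ($main::LOG_INFO assumed) so a flood of NAKs or
    # unknown codes from the partner is visible without DEBUG tracing.
    &main::log($main::LOG_INFO, "CoA reply '$code' mapped to $nas_code for the NAS")
        if $nas_code eq 'Access-Reject';
}
```

Because the NAS only ever sees Access-Accept or Access-Reject, the mapping table is the one place that decides whether a partner-side outcome grants access; keep it explicit and keep the default branch a reject.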