[RADIATOR] DefaultSimultaneousUse while using AuthRADIUS

Heikki Vatiainen hvn at open.com.au
Mon Dec 23 03:23:26 CST 2013


On 12/20/2013 10:59 PM, Michael wrote:
> This ReplyHook definitely did the trick, except for not showing a proper
> error message.  It just shows 'Proxied' as the error.  Is there a way to
> change the error message?  The source kinda looks like the error message
> is hard coded to be 'Proxied' so I thought maybe this could be passed to
> another AuthBy when rejected, configured to reject with a fixed message,
> and set the redirected flag in the hook?

You could do $p->add_attr('Reply-Message', ...) to push a Reply-Message
attribute into the reply received from the proxy. The Reply-Message should
be logged in AuthLog if it is present in the reply. I'd say this is the
easiest way to handle the error message with the hook.

Please let us know how the simultaneous use modifications work.

Thanks,
Heikki


> 
> 
> On 19/12/13 03:28 PM, Heikki Vatiainen wrote:
>> On 12/18/2013 11:43 PM, Michael wrote:
>>> I've gotten closer using an AuthBy GROUP around AuthBy RADIUS, but it
>>> seems to:
>>>
>>> 1. receive the auth request
>>> 2. proxy it to the host
>>> 3. check the session db before the reply comes back and reject if
>>> need be.
>>> 4. send the reject to the lns device.
>>> 5. send the accept from the proxy to the lns device.
>> This comes from AuthBy GROUP first evaluating all its AuthBys and then
>> doing DefaultSimultaneousUse check. When the check is done the request
>> has already been proxied to the next hop.
>>
>> You could consider a ReplyHook that does the check. I'd think something
>> like below should work.
>>
>> sub {
>>      my $p = ${$_[0]};   # proxy reply packet
>>      my $rp = ${$_[1]};  # reply packet to NAS
>>      my $op = ${$_[2]};  # original request packet
>>      my $sp = ${$_[3]};  # packet sent to proxy
>>
>>      return unless $p->code eq 'Access-Accept';
>>
>>      my $limit = $sp->{ThisAuth}->{DefaultSimultaneousUse};
>>      if (Radius::SessGeneric::find($op->{Handler}->{SessionDatabase})->exceeded(
>>          $limit, $op->{OriginalUserName}, $op))
>>      {
>>           $op->{RadiusResult} = $main::REJECT;
>>      }
>> }
>>
>> Please let us know how it works.
>>
>> Thanks,
>> Heikki
>>
>>
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
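
An added example, not part of the original messages and not Radiator code: an offline Perl harness that runs the ReplyHook quoted above, extended with the suggested Reply-Message, against three constructed cases. `MockPacket`, the stub `Radius::SessGeneric`, the `$REJECT` value, the session counts and the message text are stand-ins assumed for illustration.

```perl
#!/usr/bin/perl
# Offline harness for the ReplyHook discussed in this thread.
# All packages below are minimal constructed stand-ins, NOT Radiator's classes.
use strict;
use warnings;

package main;
our $REJECT = 1;    # stand-in for $main::REJECT; Radiator defines its own value

package MockPacket;    # stand-in for a Radiator packet object
sub new      { my ($class, %f) = @_; return bless { attrs => [], %f }, $class }
sub code     { return $_[0]{Code} }
sub add_attr { my ($self, $n, $v) = @_; push @{ $self->{attrs} }, [$n, $v] }

package Radius::SessGeneric;    # stub session database, constructed data
my %active = (alice => 1, bob => 0);    # sessions currently open per user
sub find     { return bless {}, __PACKAGE__ }
sub exceeded { my ($self, $limit, $user) = @_; return ($active{$user} // 0) >= $limit }

package main;

# The hook from the thread, plus the Reply-Message suggested in the reply.
my $hook = sub {
    my $p  = ${ $_[0] };    # proxy reply packet
    my $op = ${ $_[2] };    # original request packet
    my $sp = ${ $_[3] };    # packet sent to proxy

    # Only an accept from the proxy needs the simultaneous-use check.
    return unless $p->code eq 'Access-Accept';

    my $limit = $sp->{ThisAuth}->{DefaultSimultaneousUse};
    my $db    = Radius::SessGeneric::find($op->{Handler}->{SessionDatabase});
    if ($db->exceeded($limit, $op->{OriginalUserName}, $op)) {
        $op->{RadiusResult} = $main::REJECT;
        $p->add_attr('Reply-Message', 'Simultaneous session limit reached');
    }
};

# Constructed cases: over the limit, under the limit, proxy already rejected.
for my $case (['alice', 'Access-Accept'], ['bob', 'Access-Accept'], ['alice', 'Access-Reject']) {
    my ($user, $code) = @$case;
    my $p  = MockPacket->new(Code => $code);
    my $rp = MockPacket->new;
    my $op = MockPacket->new(OriginalUserName => $user, Handler => { SessionDatabase => undef });
    my $sp = MockPacket->new(ThisAuth => { DefaultSimultaneousUse => 1 });
    $hook->(\$p, \$rp, \$op, \$sp);
    my $msg = @{ $p->{attrs} } ? $p->{attrs}[0][1] : '-';
    printf "%-5s proxy=%-13s result=%-9s msg=%s\n", $user, $code,
        (defined $op->{RadiusResult} ? 'REJECT' : 'unchanged'), $msg;
}
```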

