[RADIATOR] AuthRADIUS reject reason
David Zych
dmrz at illinois.edu
Mon Jan 14 18:36:07 CST 2013
I'm trying to rework my Radiator configuration to use multiple instances
as suggested e.g. in
http://www.open.com.au/pipermail/radiator/2012-November/018728.html.
In the event of an Access-Reject, I would like for the front-end
server's reason string (i.e. %1 in FailureFormat) to reflect the true
reason provided by the back-end instance in the Reply-Message attribute,
e.g.

    Mon Jan 14 17:46:51 2013: DEBUG: Packet dump:
    *** Received from 127.0.0.1 port 12345 ....
    Code: Access-Reject
    Identifier: 1
    Authentic: [SNIP]
    Attributes:
        Reply-Message = "AuthBy NTLM Password check failed"

Unfortunately this doesn't seem to be possible, because
AuthRADIUS::handleReply insists on passing 'Proxied' back to the Handler
as its reason string no matter what:

    # Send this new reply packet back to wherever the
    # original packet came from
    $op->{Handler}->handlerResult
        ($op, $op->{RadiusResult}, 'Proxied')
        unless ( ($self->{IgnoreReject}
                  && $p->code eq 'Access-Reject')
                 || ($self->{IgnoreAccountingResponse}
                     && $p->code eq 'Accounting-Response'));

Is there any possibility of changing AuthRADIUS (and presumably also
AuthRADSEC, though I haven't looked into it deeply yet) to use the
existing Reply-Message value from the back end when it's available?
Or at least to make it possible for me to set the reason value in a
hook? (ReplyHook doesn't give me any means to do this AFAICT, and
PostAuthHook doesn't apply to asynchronous proxy replies)
Thanks,
David
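
Added example, not part of the original post and not Radiator code: while the handler reason stays 'Proxied', the back end's reason can still be recovered from a debug log that contains packet dumps in the format quoted above. This Python parser assumes that dump layout; the function name, the sample log and the 'Proxied' fallback are constructed for illustration.

```python
import re

# Constructed sample in the dump format quoted in the post; the second and
# third packets are made up to cover the Accept and no-Reply-Message cases.
SAMPLE_LOG = """\
Mon Jan 14 17:46:51 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 12345 ....
Code:       Access-Reject
Identifier: 1
Attributes:
    Reply-Message = "AuthBy NTLM Password check failed"
Mon Jan 14 17:46:52 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 12345 ....
Code:       Access-Accept
Identifier: 2
Attributes:
Mon Jan 14 17:46:53 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 12345 ....
Code:       Access-Reject
Identifier: 3
Attributes:
"""

LOG_LINE = re.compile(r'^(\w{3} \w{3} +\d+ [\d:]+ \d{4}): (\w+): (.*)$')
RECEIVED = re.compile(r'^\*\*\* Received from (\S+) port (\d+)')
FIELD = re.compile(r'^(Code|Identifier):\s*(\S+)')
REPLY_MSG = re.compile(r'^\s*Reply-Message = "(.*)"\s*$')

def reject_reasons(log_text):
    """Return one record per received Access-Reject found in packet dumps."""
    records, cur = [], None
    def flush():
        if cur and 'peer' in cur and cur.get('Code') == 'Access-Reject':
            cur.setdefault('reason', 'Proxied')  # no Reply-Message in the reply
            records.append(cur)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:  # any new timestamped log line ends the dump being collected
            flush()
            cur = {'time': m[1]} if m[3].startswith('Packet dump') else None
        elif cur is not None:
            if (m := RECEIVED.match(line)):
                cur['peer'] = f'{m[1]}:{m[2]}'
            elif (m := FIELD.match(line)):
                cur[m[1]] = m[2]
            elif (m := REPLY_MSG.match(line)):
                cur['reason'] = m[1]
    flush()
    return records
```

Each record carries the dump's timestamp, the peer it was received from, the RADIUS Identifier and the reason, so a reject can be matched back to the front end's own log entry for the same request.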