[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

SinTeZ Wh1te sintezwh1te at gmail.com
Thu Jan 14 06:34:35 CST 2016


Thanks, Hugh and Heikki!

How can I get the RADIUS reply packet from the secondary server in the hook script?
Radiator sends the Access-Reject before the secondary server replies.


radius.cfg
...................
<AuthBy RADIUS>
Identifier Primary
Host 10.0.6.151
Secret 123456
AuthPort 1812
AcctPort 1813
ReplyHook file:"/etc/radiator/AccessReject"
</AuthBy>

<AuthBy RADIUS>
Identifier Secondary
Host 10.0.6.152
Secret 123456
AuthPort 1812
AcctPort 1813
</AuthBy>

<Handler>
AuthBy Primary
</Handler>
...................


/etc/radiator/AccessReject
...................
sub
{
    my $p = ${$_[0]};  # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy

    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "Code = $code");
    return unless $code eq 'Access-Reject';

    if ($code eq 'Access-Reject') {
        # Primary rejected: hand the original request to the Secondary AuthBy
        my $authby = Radius::AuthGeneric::find('Secondary');
        if (defined $authby)
        {
            &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");
            my ($rc, $reason) = $authby->handle_request($op, $rp);
            &main::log($main::LOG_DEBUG, "========= RC =========== $rc");
            &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");
            # Note: 2 is $main::IGNORE (the request was only forwarded and the
            # reply arrives later), not $main::ACCEPT (0)
            if ($rc == 2)
            {
                &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");
            }
            else
            {
                &main::log($main::LOG_DEBUG, "========= REJECT ===========");
            }
        }
        return;
    }
}
...................

radiator log
-------------------
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Received from 10.0.6.13 port 57565 ....
Code:       Access-Request
Identifier: 0
Authentic:        1452774130
Attributes:
User-Name = "testcoa10"
User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
NAS-IP-Address = 10.0.6.13
NAS-Port = 1
NAS-Port-Id = "123"
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "1"
Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '',
Identifier ''
Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10,
10.0.6.13, 1
Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '
0.0.0.0:0' for sending requests
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.151 port 1812 ....
Code:       Access-Request
Identifier: 1
Authentic:        1452774130
Attributes:
User-Name = "testcoa10"
User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
NAS-IP-Address = 10.0.6.13
NAS-Port = 1
NAS-Port-Id = "123"
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "1"
Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1
from 10.0.6.151:1812
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.151 port 1812 ....
Code:       Access-Reject
Identifier: 1
Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
Attributes:
Reply-Message = "1"

Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.152 port 1812 ....
Code:       Access-Request
Identifier: 1
Authentic:        1452774130
Attributes:
User-Name = "testcoa10"
User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
NAS-IP-Address = 10.0.6.13
NAS-Port = 1
NAS-Port-Id = "123"
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "1"
Calling-Station-Id = "0800.2727.0575"

Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
Attributes:
Reply-Message = "Request Denied"

Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1
from 10.0.6.152:1812
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.152 port 1812 ....
Code:       Access-Accept
Identifier: 1
Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
Attributes:
Acct-Interim-Interval = 300
Framed-IP-Address = 192.168.0.203

Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
Attributes:
Reply-Message = "Request Denied"
Acct-Interim-Interval = 300
Framed-IP-Address = 192.168.0.203
-------------------------------------


2016-01-13 1:18 GMT+03:00 Hugh Irvine <hugh at open.com.au>:

>
> Hello -
>
> See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
>
> regards
>
> Hugh
>
>
> > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> >
> > Hello!
> >
> > I want to know if it's possible to proxy auth requests in a
> > redundant fashion.
> >
> > On each request, I want to proxy it to a primary server; if it
> > succeeds, then move on.
> > If the auth fails (Access-Reject), I need to proxy the Access-Request to a
> > secondary server.
> >
> > Is it possible?
> >
> > Thanks!
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>


-- 
Best regards,
Александр Якунин
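
Added example, not part of the original message and not Radiator code: a small Python check over Radiator-style packet dumps that flags the two symptoms visible in the log above, a reply sent to the NAS while a proxied request is still unanswered, and a second reply to the same NAS request. The names `audit`, `PACKET` and `SAMPLE_LOG` are hypothetical, and the sample is constructed by condensing the packet dumps in the posted log.

```python
import re

# Constructed sample: the packet dumps from the posted log, headers only.
SAMPLE_LOG = """\
*** Received from 10.0.6.13 port 57565 ....
Code:       Access-Request
Identifier: 0
*** Sending to 10.0.6.151 port 1812 ....
Code:       Access-Request
Identifier: 1
*** Received from 10.0.6.151 port 1812 ....
Code:       Access-Reject
Identifier: 1
*** Sending to 10.0.6.152 port 1812 ....
Code:       Access-Request
Identifier: 1
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
*** Received from 10.0.6.152 port 1812 ....
Code:       Access-Accept
Identifier: 1
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
"""
PACKET = re.compile(
    r"\*\*\* (Sending to|Received from) (\S+) port (\d+) \.\.\.\.\s*\n"
    r"Code:\s+(\S+)\s*\nIdentifier:\s+(\d+)")

def audit(log):
    """Flag NAS replies sent early or more than once (hypothetical helper)."""
    pending = set()    # (host, port, id) of proxied requests awaiting a reply
    answered = set()   # (host, port, id) of NAS requests already answered
    findings = []
    for direction, host, port, code, ident in PACKET.findall(log):
        key = (host, port, ident)
        is_request = code == "Access-Request"
        if direction == "Sending to" and is_request:
            pending.add(key)                  # proxied to an upstream server
        elif direction == "Received from" and not is_request:
            pending.discard(key)              # upstream server answered
        elif direction == "Sending to":       # reply going back to the NAS
            if pending:
                findings.append(("early-reply", code, sorted(pending)))
            if key in answered:
                findings.append(("duplicate-reply", code, [key]))
            answered.add(key)
    return findings
```

On the sample it reports the Access-Reject sent while 10.0.6.152 had not yet answered, and the second Access-Reject for the same NAS identifier.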