[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers
Martin Mersberger
martin at mersberger.de
Mon Jan 18 03:06:55 CST 2016
On 18.01.16 at 08:15, SinTeZ Wh1te wrote:
Hi,
Have you checked if AuthBy GROUP might satisfy your need?
I.e.
<AuthBy GROUP>
    AuthByPolicy ContinueWhileReject
    # Alternatively, ContinueUntilAccept could fit better, depending on
    # your needs
    <AuthBy RADIUS>
        # Primary, which may reject
    </AuthBy>
    <AuthBy RADIUS>
        # Secondary, which may reject, too
    </AuthBy>
    ...
</AuthBy>
HINT: Radiator ref.pdf, Chapters 5.27 and 5.27.1 (which also include an
example for SQL and FILE backup)
cheers
Martin
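The AuthBy GROUP skeleton above, completed as an added example (not Martin's text, and not from the Radiator reference manual) with the two proxy targets from SinTeZ's radius.cfg quoted further down. Hosts and ports are the posted ones; the secrets are placeholders (the posted value 123456 is a test secret and should not be reused), and the Identifier name, the Handler and the Synchronous lines are my additions. Synchronous is assumed to make AuthBy RADIUS wait for the remote reply; check ref.pdf for your Radiator version before relying on it.

```text
# Added example, not configuration from the thread or the Radiator manual.
<AuthBy GROUP>
    Identifier ProxyWithFallback
    # Keep going while each AuthBy rejects; the first result that is not a
    # REJECT ends the group and is what goes back to the NAS.
    AuthByPolicy ContinueWhileReject

    <AuthBy RADIUS>
        Identifier Primary
        Host 10.0.6.151
        Secret CHANGE-ME-primary
        AuthPort 1812
        AcctPort 1813
        # AuthBy RADIUS normally returns IGNORE as soon as the request has
        # been forwarded (the thread's log below shows "AuthBy RADIUS
        # result: IGNORE"), which would end the group before any reject is
        # seen. Synchronous (assumed here) makes the clause wait for the
        # reply, at the cost of Radiator not serving other requests meanwhile.
        Synchronous
    </AuthBy>

    <AuthBy RADIUS>
        Identifier Secondary
        Host 10.0.6.152
        Secret CHANGE-ME-secondary
        AuthPort 1812
        AcctPort 1813
        Synchronous
    </AuthBy>
</AuthBy>

<Handler>
    # Replaces "AuthBy Primary" from the posted config
    AuthBy ProxyWithFallback
</Handler>
```

Note what this policy does with a bad password: the same User-Password is tried against both backends, so a failed login counts against lockout thresholds and shows up in the authentication logs on both servers. Keep that in mind when reading failed-login alerts from the secondary.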
> Radiator sends reply to NAS
>
> Reply hook does it?
>
> 2016-01-15 1:42 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
>
>
> Hello -
>
> The first thing to understand is that the AuthBy RADIUS clause(s)
> operate asynchronously.
>
> The hook code in your first AuthBy RADIUS clause will only execute
> when the response is received for that clause.
>
> When the hook code calls the second AuthBy RADIUS clause it will
> exit without waiting.
>
> As shown in the example, your hook code needs to alter the response.
>
> In this case you would change the response to IGNORE which will
> allow the second AuthBy RADIUS clause to execute and return its result.
>
>
> …..
>
> $op->{RadiusResult} = $main::IGNORE;
>
> …..
>
> Again note that your hook code will not see the result of the second
> AuthBy RADIUS clause.
>
> hope that helps
>
> regards
>
> Hugh
>
>
> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> >
> > Thanks Hugh and Heikki!
> >
> > How can I get the RADIUS reply packet from the secondary server in the hook script?
> > Radiator sends Access-Reject before the secondary server replies.
> >
> >
> > radius.cfg
> > ...................
> > <AuthBy RADIUS>
> >     Identifier Primary
> >     Host 10.0.6.151
> >     Secret 123456
> >     AuthPort 1812
> >     AcctPort 1813
> >     ReplyHook file:"/etc/radiator/AccessReject"
> > </AuthBy>
> >
> > <AuthBy RADIUS>
> >     Identifier Secondary
> >     Host 10.0.6.152
> >     Secret 123456
> >     AuthPort 1812
> >     AcctPort 1813
> > </AuthBy>
> >
> > <Handler>
> >     AuthBy Primary
> > </Handler>
> > ...................
> >
> >
> > /etc/radiator/AccessReject
> > ...................
> > sub
> > {
> >     my $p  = ${$_[0]}; # proxy reply packet
> >     my $rp = ${$_[1]}; # reply packet to NAS
> >     my $op = ${$_[2]}; # original request packet
> >     my $sp = ${$_[3]}; # packet sent to proxy
> >
> >     my $code = $p->code;
> >     &main::log($main::LOG_DEBUG, "Code = $code");
> >     return unless $code eq 'Access-Reject';
> >
> >     my $authby = Radius::AuthGeneric::find('Secondary');
> >     if (defined $authby)
> >     {
> >         &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");
> >         # AuthBy RADIUS forwards asynchronously: this returns before the
> >         # secondary has answered, and rc 2 is $main::IGNORE (see the
> >         # "AuthBy RADIUS result: IGNORE" line in the log below), not an
> >         # accept, although the branch below logs it as one
> >         my ($rc, $reason) = $authby->handle_request($op, $rp);
> >         &main::log($main::LOG_DEBUG, "========= RC =========== $rc");
> >         &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");
> >         if ($rc == 2)
> >         {
> >             &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");
> >         }
> >         else
> >         {
> >             &main::log($main::LOG_DEBUG, "========= REJECT ===========");
> >         }
> >     }
> >     return;
> > }
> > ...................
> >
> > radiator log
> > -------------------
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565 ....
> > Code: Access-Request
> > Identifier: 0
> > Authentic: 1452774130
> > Attributes:
> > User-Name = "testcoa10"
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > NAS-IP-Address = 10.0.6.13
> > NAS-Port = 1
> > NAS-Port-Id = "123"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Acct-Session-Id = "1"
> > Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''
> > Thu Jan 14 15:22:08 2016: DEBUG: Deleting session for testcoa10, 10.0.6.13, 1
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.151 port 1812 ....
> > Code: Access-Request
> > Identifier: 1
> > Authentic: 1452774130
> > Attributes:
> > User-Name = "testcoa10"
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > NAS-IP-Address = 10.0.6.13
> > NAS-Port = 1
> > NAS-Port-Id = "123"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Acct-Session-Id = "1"
> > Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.151:1812
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.151 port 1812 ....
> > Code: Access-Reject
> > Identifier: 1
> > Authentic: <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> > Attributes:
> > Reply-Message = "1"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
> > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.152 port 1812 ....
> > Code: Access-Request
> > Identifier: 1
> > Authentic: 1452774130
> > Attributes:
> > User-Name = "testcoa10"
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > NAS-IP-Address = 10.0.6.13
> > NAS-Port = 1
> > NAS-Port-Id = "123"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Acct-Session-Id = "1"
> > Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.13 port 57565 ....
> > Code: Access-Reject
> > Identifier: 0
> > Authentic: <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.152:1812
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.152 port 1812 ....
> > Code: Access-Accept
> > Identifier: 1
> > Authentic: T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> > Attributes:
> > Acct-Interim-Interval = 300
> > Framed-IP-Address = 192.168.0.203
> >
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.13 port 57565 ....
> > Code: Access-Reject
> > Identifier: 0
> > Authentic: <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> > Attributes:
> > Reply-Message = "Request Denied"
> > Acct-Interim-Interval = 300
> > Framed-IP-Address = 192.168.0.203
> > -------------------------------------
> >
> >
> > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
> >
> > Hello -
> >
> > See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> >
> > regards
> >
> > Hugh
> >
> >
> > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> > >
> > > Hello!
> > >
> > > I want to know if it's possible to proxy auth requests in a
> > > redundant fashion.
> > >
> > > For each request, I want to proxy it to a primary server; if it
> > > succeeds then move on.
> > > If the auth fails (Access-Reject), I need to proxy the Access-Request to a secondary server.
> > >
> > > Is it possible?
> > >
> > > Thanks!
> > > _______________________________________________
> > > radiator mailing list
> > > radiator at open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator
> >
> >
> > --
> >
> > Hugh Irvine
> > hugh at open.com.au
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER, SIM, etc.
> > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >
> >
> >
> >
> > --
> > Best regards,
> > Александр Якунин
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>
>
>
> --
> Best regards,
> Александр Якунин
>
>
>
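Hugh's advice applied to the ReplyHook that SinTeZ posted, as an added example: this is not the hook from the thread and not the one in goodies/hooks.txt. It assumes the hook interface exactly as used in the posted hook ($_[0..3] are references to the proxy reply, the reply being built for the NAS, the original request and the proxied request; Radius::AuthGeneric::find() and handle_request() behave as the thread's log shows) and that setting $op->{RadiusResult} to $main::IGNORE, as Hugh describes, suppresses the reply the primary's reply path would otherwise send to the NAS. The $main::LOG_ERR level is Radiator's standard error level.

```perl
# /etc/radiator/AccessReject, loaded with
#   ReplyHook file:"/etc/radiator/AccessReject"
# in the Primary AuthBy RADIUS clause. Added example, not the thread's hook.
sub
{
    my $p  = ${$_[0]};   # reply from the primary proxy target
    my $rp = ${$_[1]};   # reply being built for the NAS
    my $op = ${$_[2]};   # original Access-Request from the NAS
    my $sp = ${$_[3]};   # request as it was sent to the primary

    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "Primary replied with $code");

    # Anything other than a reject is passed through unchanged.
    return unless $code eq 'Access-Reject';

    my $secondary = Radius::AuthGeneric::find('Secondary');
    unless (defined $secondary)
    {
        # Fail closed: no secondary configured, so the primary's reject stands.
        &main::log($main::LOG_ERR,
                   "AuthBy 'Secondary' not found; keeping primary's reject");
        return;
    }

    # AuthBy RADIUS is asynchronous: handle_request() forwards $op to the
    # secondary and returns IGNORE at once. The secondary's own reply handling
    # answers the NAS (accept or reject) when its reply arrives, and this hook
    # never sees that result.
    my ($rc, $reason) = $secondary->handle_request($op, $rp);
    &main::log($main::LOG_DEBUG, "Forwarded to Secondary, immediate rc=$rc");

    # Tell the primary's reply path to send nothing to the NAS now. Without
    # this the NAS gets an Access-Reject immediately and a second reply later,
    # which is exactly what the posted log shows.
    $op->{RadiusResult} = $main::IGNORE;
    return;
}
```

After applying this, compare the final "Sending to 10.0.6.13" packet dump with the posted log: there the late reply carried the primary's Reply-Message = "Request Denied" together with the secondary's Framed-IP-Address and Acct-Interim-Interval, so check that only one reply now leaves for the NAS and that its attributes come from the server that actually answered.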