[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

Hugh Irvine hugh at open.com.au
Mon Jan 18 04:29:01 CST 2016


Hello -

You don’t have to do anything - the second AuthBy RADIUS clause will send the reply to the NAS.

If you want to do more than that you will also need a ReplyHook in the second AuthBy RADIUS clause.

regards

Hugh


> On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> 
> Hello Hugh!
> 
> > Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
> 
> If the hook code does not see the result, how can I check what I received in the reply from the second RADIUS server?
> 
> What my boss needs:
> 1) The NAS sends an Access-Request to Radiator.
> 2) Radiator re-sends the Access-Request to the primary RADIUS server.
> 3) If the primary server replies Access-Reject with attribute Reply-Message = 1, Radiator re-sends the Access-Request to the secondary RADIUS server. If Reply-Message > 1, it sends Access-Reject to the NAS.
> 4) After the secondary server replies, Radiator sends the reply to the NAS.
> 
> Does the ReplyHook do this?
> 
> 2016-01-15 1:42 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
> 
> Hello -
> 
> The first thing to understand is that the AuthBy RADIUS clause(s) operate asynchronously.
> 
> The hook code in your first AuthBy RADIUS clause will only execute when the response is received for that clause.
> 
> When the hook code calls the second AuthBy RADIUS clause it will exit without waiting.
> 
> As shown in the example, your hook code needs to alter the response.
> 
> In this case you would change the response to IGNORE which will allow the second AuthBy RADIUS clause to execute and return its result.
> 
> 
>                 …..
> 
>                 $op->{RadiusResult} = $main::IGNORE;
> 
>                 …..
> 
> Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> >
> > Thanks Hugh and Heikki!!!
> >
> > How can I get the RADIUS reply packet from the secondary server in the hook script???
> > Radiator sends an Access-Reject before the secondary server replies.
> >
> >
> > radius.cfg
> > ...................
> > <AuthBy RADIUS>
> >       Identifier Primary
> >       Host 10.0.6.151
> >       Secret 123456
> >       AuthPort 1812
> >       AcctPort 1813
> >       ReplyHook file:"/etc/radiator/AccessReject"
> > </AuthBy>
> >
> > <AuthBy RADIUS>
> >       Identifier Secondary
> >       Host 10.0.6.152
> >       Secret 123456
> >       AuthPort 1812
> >       AcctPort 1813
> > </AuthBy>
> >
> > <Handler>
> >       AuthBy Primary
> > </Handler>
> > ...................
> >
> >
> > /etc/radiator/AccessReject
> > ...................
> > sub
> > {
> >     my $p  = ${$_[0]};    # proxy reply packet
> >     my $rp = ${$_[1]};    # reply packet to NAS
> >     my $op = ${$_[2]};    # original request packet
> >     my $sp = ${$_[3]};    # packet sent to proxy
> >
> >     my $code = $p->code;
> >     &main::log($main::LOG_DEBUG, "Code = $code");
> >     return unless $code eq 'Access-Reject';
> >
> >     if ($code eq 'Access-Reject')
> >     {
> >         my $authby = Radius::AuthGeneric::find('Secondary');
> >         if (defined $authby)
> >         {
> >             &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");
> >             my ($rc, $reason) = $authby->handle_request($op, $rp);
> >             &main::log($main::LOG_DEBUG, "========= RC =========== $rc");
> >             &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");
> >             if ($rc == 2)
> >             {
> >                 &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");
> >             }
> >             else
> >             {
> >                 &main::log($main::LOG_DEBUG, "========= REJECT ===========");
> >             }
> >         }
> >         return;
> >     }
> > }
> > ...................
> >
> > radiator log
> > -------------------
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565 ....
> > Code:       Access-Request
> > Identifier: 0
> > Authentic:        1452774130
> > Attributes:
> >       User-Name = "testcoa10"
> >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> >       NAS-IP-Address = 10.0.6.13
> >       NAS-Port = 1
> >       NAS-Port-Id = "123"
> >       Service-Type = Framed-User
> >       Framed-Protocol = PPP
> >       Acct-Session-Id = "1"
> >       Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''
> > Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10, 10.0.6.13, 1
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.151 port 1812 ....
> > Code:       Access-Request
> > Identifier: 1
> > Authentic:        1452774130
> > Attributes:
> >       User-Name = "testcoa10"
> >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> >       NAS-IP-Address = 10.0.6.13
> >       NAS-Port = 1
> >       NAS-Port-Id = "123"
> >       Service-Type = Framed-User
> >       Framed-Protocol = PPP
> >       Acct-Session-Id = "1"
> >       Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.151:1812
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.151 port 1812 ....
> > Code:       Access-Reject
> > Identifier: 1
> > Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> > Attributes:
> >       Reply-Message = "1"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
> > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.152 port 1812 ....
> > Code:       Access-Request
> > Identifier: 1
> > Authentic:        1452774130
> > Attributes:
> >       User-Name = "testcoa10"
> >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> >       NAS-IP-Address = 10.0.6.13
> >       NAS-Port = 1
> >       NAS-Port-Id = "123"
> >       Service-Type = Framed-User
> >       Framed-Protocol = PPP
> >       Acct-Session-Id = "1"
> >       Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.13 port 57565 ....
> > Code:       Access-Reject
> > Identifier: 0
> > Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> > Attributes:
> >       Reply-Message = "Request Denied"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.152:1812
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.152 port 1812 ....
> > Code:       Access-Accept
> > Identifier: 1
> > Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> > Attributes:
> >       Acct-Interim-Interval = 300
> >       Framed-IP-Address = 192.168.0.203
> >
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.13 port 57565 ....
> > Code:       Access-Reject
> > Identifier: 0
> > Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> > Attributes:
> >       Reply-Message = "Request Denied"
> >       Acct-Interim-Interval = 300
> >       Framed-IP-Address = 192.168.0.203
> > -------------------------------------
> >
> >
> > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
> >
> > Hello -
> >
> > See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> >
> > regards
> >
> > Hugh
> >
> >
> > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> > >
> > > Hello!
> > >
> > > I want to do, if it's possible, proxying of auth requests in a
> > > redundant fashion.
> > >
> > > For each request, I want to proxy it to a primary server; if it
> > > succeeds then move on.
> > > If the auth fails (Access-Reject), I need to proxy the Access-Request to a secondary server.
> > >
> > > Is it possible?
> > >
> > > Thanks!
> > > _______________________________________________
> > > radiator mailing list
> > > radiator at open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator
> >
> >
> >
> >
> >
> >
> > --
> > Best regards,
> > Александр Якунин
> 
> 
> 
> 
> 
> 


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
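The following ReplyHook is an added example for the Primary AuthBy RADIUS clause, not code from this thread or from the Radiator distribution. It implements the failover rule discussed above: when the primary's Access-Reject carries Reply-Message = 1, the original request is handed to the Secondary clause and the primary's reply is changed to IGNORE so the NAS is not answered twice; any other reject is passed to the NAS unchanged. It reuses the Radius::AuthGeneric::find, handle_request and RadiusResult calls shown in the thread, and assumes the Radiator packet accessor get_attr and the log level $main::LOG_ERR; the Identifier 'Secondary' comes from the radius.cfg in the thread.

```perl
# Added example: ReplyHook for the Primary AuthBy RADIUS clause
# (file referenced as ReplyHook file:"/etc/radiator/AccessReject").
# Not taken from the thread or from goodies/hooks.txt.
sub
{
    my $p  = ${$_[0]};   # reply packet received from the primary proxy
    my $rp = ${$_[1]};   # reply packet being built for the NAS
    my $op = ${$_[2]};   # original request from the NAS
    my $sp = ${$_[3]};   # request packet sent to the primary proxy

    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "Primary replied with $code");

    # Access-Accept (or anything else) goes back to the NAS unchanged.
    return unless $code eq 'Access-Reject';

    # Reply-Message from the primary decides whether to fail over.
    # get_attr is assumed to be the Radiator packet attribute accessor.
    my $msg = $p->get_attr('Reply-Message');
    $msg = '' unless defined $msg;

    if ($msg ne '1')
    {
        # Reply-Message > 1 (or absent): keep the primary's Access-Reject.
        &main::log($main::LOG_DEBUG,
                   "Primary reject with Reply-Message '$msg', not retrying");
        return;
    }

    my $secondary = Radius::AuthGeneric::find('Secondary');
    unless (defined $secondary)
    {
        # Misconfiguration: fall back to the primary's reject rather than
        # leaving the NAS without an answer. $main::LOG_ERR assumed.
        &main::log($main::LOG_ERR,
                   "AuthBy 'Secondary' not found, returning primary reject");
        return;
    }

    # Stop the Primary clause from answering the NAS now. Without this the
    # NAS receives the primary's Access-Reject before the secondary replies,
    # which is exactly what the log in the thread shows.
    $op->{RadiusResult} = $main::IGNORE;

    # Hand the original request to the Secondary clause. It proxies
    # asynchronously; this hook returns immediately and never sees the
    # secondary's answer. The Secondary clause sends its own reply to the NAS.
    &main::log($main::LOG_DEBUG,
               "Primary reject with Reply-Message 1, retrying via Secondary");
    $secondary->handle_request($op, $rp);

    return;
}
```

Because the secondary's reply is delivered by the Secondary clause itself, anything that must inspect or rewrite that reply (for example logging which server finally authorised the user) has to live in a separate ReplyHook on the Secondary AuthBy RADIUS clause, as the reply at the top of this thread notes.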


