[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

SinTeZ Wh1te sintezwh1te at gmail.com
Mon Jan 18 07:33:29 CST 2016


Hello Hugh.

Second AuthBy clause not send reply to NAS.

radius.cfg
-------
<AuthBy RADIUS>
Identifier Primary
Host 10.0.6.151
Secret 123456
AuthPort 1812
AcctPort 1813
ReplyHook file:"/etc/radiator/AccessReject"
</AuthBy>

<AuthBy RADIUS>
Identifier Secondary
Host 10.0.6.152
Secret 123456
AuthPort 1812
AcctPort 1813
</AuthBy>

<Handler>
AuthBy Primary
</Handler>
-------

/etc/radiator/AccessReject
--------
sub
{
    my $p = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy
my $code = $p->code;
return unless $code eq 'Access-Reject';
if($code eq 'Access-Reject'){
my $authby = Radius::AuthGeneric::find('Secondary');
if (defined $authby)
{
my ($rc, $reason) = $authby->handle_request($op, $rp);
if ($rc == 2)
{
$op->{RadiusResult} = $main::IGNORE;
}
}
return;
}
}
---------


#tshark -i eth0 port 1812 -w /opt/radius.pcap

Screenshot Wireshark

http://i.imgur.com/StKAJ18.png

10.0.6.13 - NAS
10.0.6.150 - Radiator
10.0.6.151 - Primary RADIUS
10.0.6.152 - Secondary RADIUS

After 10.0.6.152 send Access-Accept - Radiator does nothing.


2016-01-18 13:29 GMT+03:00 Hugh Irvine <hugh at open.com.au>:

>
> Hello -
>
> You don’t have to do anything - the second AuthBy RADIUS clause will send
> the reply to the NAS.
>
> If you want to do more than that you will also need a ReplyHook in the
> second AuthBy RADIUS clause.
>
> regards
>
> Hugh
>
>
> > On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> >
> > Hello Hugh!
> >
> > > Again note that your hook code will not see the result of the second
> AuthBy RADIUS clause.
> >
> > If hook code not see result how can I check that I received in reply
> from second RADIUS server?
> >
> > What is necessary my boss.
> > 1) NAS send Access-Request to Radiator
> > 2) Radiator re-send Access-Request to primary RADIUS server
> > 3) If primary server reply Access-Reject with attribute Reply-Message =
> 1, Radiator re-send Access-Request to secondary RADIUS server. If
> Reply-Message > 1 - send Access-Reject to NAS.
> > 4) After secondary server reply - Radiator send reply to NAS
> >
> > Reply hook does it?
> >
> > 2016-01-15 1:42 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
> >
> > Hello -
> >
> > The first thing to understand is that the AuthBy RADIUS clause(s)
> operate asynchronously.
> >
> > The hook code in your first AuthBy RADIUS clause will only execute when
> the response is received for that clause.
> >
> > When the hook code calls the second AuthBy RADIUS clause it will exit
> without waiting.
> >
> > As shown in the example, your hook code needs to alter the response.
> >
> > In this case you would change the response to IGNORE which will allow
> the second AuthBy RADIUS clause to execute and return its result.
> >
> >
> >                 …..
> >
> >                 $op->{RadiusResult} = $main::IGNORE;
> >
> >                 …..
> >
> > Again note that your hook code will not see the result of the second
> AuthBy RADIUS clause.
> >
> > hope that helps
> >
> > regards
> >
> > Hugh
> >
> >
> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
> > >
> > > Thank Hugh and Heikki!!!
> > >
> > > How can I get RADIUS reply packet from secondary server in hook
> script???
> > > Radiator send Access-Reject before secondary server reply.
> > >
> > >
> > > radius.cfg
> > > ...................
> > > <AuthBy RADIUS>
> > >       Identifier Primary
> > >       Host 10.0.6.151
> > >       Secret 123456
> > >       AuthPort 1812
> > >       AcctPort 1813
> > >       ReplyHook file:"/etc/radiator/AccessReject"
> > > </AuthBy>
> > >
> > > <AuthBy RADIUS>
> > >       Identifier Secondary
> > >       Host 10.0.6.152
> > >       Secret 123456
> > >       AuthPort 1812
> > >       AcctPort 1813
> > > </AuthBy>
> > >
> > > <Handler>
> > >       AuthBy Primary
> > > </Handler>
> > > ...................
> > >
> > >
> > > /etc/radiator/AccessReject
> > > ...................
> > > sub
> > > {
> > >     my $p = ${$_[0]}; # proxy reply packet
> > >     my $rp = ${$_[1]};        # reply packet to NAS
> > >     my $op = ${$_[2]};        # original request packet
> > >     my $sp = ${$_[3]};        # packet sent to proxy
> > >
> > >       my $code = $p->code;
> > >       &main::log($main::LOG_DEBUG, "Code = $code");
> > >       return unless $code eq 'Access-Reject';
> > >
> > >       if($code eq 'Access-Reject'){
> > >               my $authby = Radius::AuthGeneric::find('Secondary');
> > >               if (defined $authby)
> > >               {
> > >                       &main::log($main::LOG_DEBUG, "=========
> HANDLE_REQUEST===========");
> > >                       my ($rc, $reason) = $authby->handle_request($op,
> $rp);
> > >                       &main::log($main::LOG_DEBUG, "========= RC
> =========== $rc");
> > >                       &main::log($main::LOG_DEBUG, "========= REASON
> =========== $reason");
> > >                       if ($rc == 2)
> > >                       {
> > >                               &main::log($main::LOG_DEBUG, "=========
> ACCEPT ===========");
> > >                       }
> > >                       else
> > >                       {
> > >                               &main::log($main::LOG_DEBUG, "=========
> REJECT ===========");
> > >                       }
> > >               }
> > >               return;
> > >       }
> > > }
> > > ...................
> > >
> > > radiator log
> > > -------------------
> > > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > > *** Received from 10.0.6.13 port 57565 ....
> > > Code:       Access-Request
> > > Identifier: 0
> > > Authentic:        1452774130
> > > Attributes:
> > >       User-Name = "testcoa10"
> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > >       NAS-IP-Address = 10.0.6.13
> > >       NAS-Port = 1
> > >       NAS-Port-Id = "123"
> > >       Service-Type = Framed-User
> > >       Framed-Protocol = PPP
> > >       Acct-Session-Id = "1"
> > >       Calling-Station-Id = "0800.2727.0575"
> > >
> > > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '',
> Identifier ''
> > > Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10,
> 10.0.6.13, 1
> > > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
> > > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local
> socket '0.0.0.0:0' for sending requests
> > > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.151 port 1812 ....
> > > Code:       Access-Request
> > > Identifier: 1
> > > Authentic:        1452774130
> > > Attributes:
> > >       User-Name = "testcoa10"
> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > >       NAS-IP-Address = 10.0.6.13
> > >       NAS-Port = 1
> > >       NAS-Port-Id = "123"
> > >       Service-Type = Framed-User
> > >       Framed-Protocol = PPP
> > >       Acct-Session-Id = "1"
> > >       Calling-Station-Id = "0800.2727.0575"
> > >
> > > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
> > > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req
> 1 from 10.0.6.151:1812
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Received from 10.0.6.151 port 1812 ....
> > > Code:       Access-Reject
> > > Identifier: 1
> > > Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> > > Attributes:
> > >       Reply-Message = "1"
> > >
> > > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
> > > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.152 port 1812 ....
> > > Code:       Access-Request
> > > Identifier: 1
> > > Authentic:        1452774130
> > > Attributes:
> > >       User-Name = "testcoa10"
> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > >       NAS-IP-Address = 10.0.6.13
> > >       NAS-Port = 1
> > >       NAS-Port-Id = "123"
> > >       Service-Type = Framed-User
> > >       Framed-Protocol = PPP
> > >       Acct-Session-Id = "1"
> > >       Calling-Station-Id = "0800.2727.0575"
> > >
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
> > > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.13 port 57565 ....
> > > Code:       Access-Reject
> > > Identifier: 0
> > > Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> > > Attributes:
> > >       Reply-Message = "Request Denied"
> > >
> > > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req
> 1 from 10.0.6.152:1812
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Received from 10.0.6.152 port 1812 ....
> > > Code:       Access-Accept
> > > Identifier: 1
> > > Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> > > Attributes:
> > >       Acct-Interim-Interval = 300
> > >       Framed-IP-Address = 192.168.0.203
> > >
> > > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.13 port 57565 ....
> > > Code:       Access-Reject
> > > Identifier: 0
> > > Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> > > Attributes:
> > >       Reply-Message = "Request Denied"
> > >       Acct-Interim-Interval = 300
> > >       Framed-IP-Address = 192.168.0.203
> > > -------------------------------------
> > >
> > >
> > > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
> > >
> > > Hello -
> > >
> > > See the example in “goodies/hooks.txt” in the Radiator 4.15
> distribution.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > >
> > > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh1te at gmail.com>
> wrote:
> > > >
> > > > Hello!
> > > >
> > > > I want to do if it's possible to proxy auth request in a
> > > > redundant fashion.
> > > >
> > > > On each requests, I want to proxy it to a primary server, if it's
> > > > success then move on.
> > > > If the auth fails (Access-Reject), I need to proxy Access-Request to
> a secondary server
> > > >
> > > > Is it possible?
> > > >
> > > > Thanks!
> > > > _______________________________________________
> > > > radiator mailing list
> > > > radiator at open.com.au
> > > > http://www.open.com.au/mailman/listinfo/radiator
> > >
> > >
> > > --
> > >
> > > Hugh Irvine
> > > hugh at open.com.au
> > >
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > > DIAMETER, SIM, etc.
> > > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> > >
> > >
> > >
> > >
> > > --
> > > С уважением,
> > > Александр Якунин
> > > _______________________________________________
> > > radiator mailing list
> > > radiator at open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator
> >
> >
> > --
> >
> > Hugh Irvine
> > hugh at open.com.au
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER, SIM, etc.
> > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >
> >
> >
> >
> > --
> > С уважением,
> > Александр Якунин
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>


-- 
С уважением,
Александр Якунин
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20160118/00bc9f0d/attachment-0001.html 


More information about the radiator mailing list