[RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

SinTeZ Wh1te sintezwh1te at gmail.com
Tue Jan 19 05:10:14 CST 2016


Hello Hugh.

I found your script in the mailing list.
http://www.open.com.au/pipermail/radiator/2010-March/016160.html

It works for me.

Thanks for the help!


2016-01-18 16:33 GMT+03:00 SinTeZ Wh1te <sintezwh1te at gmail.com>:

> Hello Hugh.
>
> The second AuthBy clause does not send a reply to the NAS.
>
> radius.cfg
> -------
> <AuthBy RADIUS>
>       Identifier Primary
>       Host 10.0.6.151
>       Secret 123456
>       AuthPort 1812
>       AcctPort 1813
>       ReplyHook file:"/etc/radiator/AccessReject"
> </AuthBy>
>
> <AuthBy RADIUS>
>       Identifier Secondary
>       Host 10.0.6.152
>       Secret 123456
>       AuthPort 1812
>       AcctPort 1813
> </AuthBy>
>
> <Handler>
>       AuthBy Primary
> </Handler>
> -------
>
> /etc/radiator/AccessReject
> --------
> sub
> {
>       my $p  = ${$_[0]};  # proxy reply packet
>       my $rp = ${$_[1]};  # reply packet to NAS
>       my $op = ${$_[2]};  # original request packet
>       my $sp = ${$_[3]};  # packet sent to proxy
>
>       # Only act on an Access-Reject coming back from the Primary server
>       return unless $p->code eq 'Access-Reject';
>
>       my $authby = Radius::AuthGeneric::find('Secondary');
>       if (defined $authby)
>       {
>               # Hand the original request to the Secondary clause; the log
>               # shows handle_request returning 2 once the request was proxied
>               my ($rc, $reason) = $authby->handle_request($op, $rp);
>               if ($rc == 2)
>               {
>                       # Mark the Primary reply IGNORE so the Secondary clause's
>                       # own reply is the one that goes back to the NAS
>                       $op->{RadiusResult} = $main::IGNORE;
>               }
>       }
>       return;
> }
> ---------
>
>
> #tshark -i eth0 port 1812 -w /opt/radius.pcap
>
> Screenshot Wireshark
>
> http://i.imgur.com/StKAJ18.png
>
> 10.0.6.13 - NAS
> 10.0.6.150 - Radiator
> 10.0.6.151 - Primary RADIUS
> 10.0.6.152 - Secondary RADIUS
>
> After 10.0.6.152 sends an Access-Accept, Radiator does nothing.
>
>
> 2016-01-18 13:29 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
>
>>
>> Hello -
>>
>> You don’t have to do anything - the second AuthBy RADIUS clause will send
>> the reply to the NAS.
>>
>> If you want to do more than that you will also need a ReplyHook in the
>> second AuthBy RADIUS clause.
>>
>> regards
>>
>> Hugh
>>
>>
>> > On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
>> >
>> > Hello Hugh!
>> >
>> > > Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
>> >
>> > If the hook code does not see the result, how can I check what I received in the reply from the second RADIUS server?
>> >
>> > What my boss needs:
>> > 1) The NAS sends an Access-Request to Radiator.
>> > 2) Radiator re-sends the Access-Request to the primary RADIUS server.
>> > 3) If the primary server replies with an Access-Reject carrying the attribute Reply-Message = 1, Radiator re-sends the Access-Request to the secondary RADIUS server. If Reply-Message > 1, it sends the Access-Reject to the NAS.
>> > 4) After the secondary server replies, Radiator sends the reply to the NAS.
>> >
>> > Does a ReplyHook do this?
>> >
>> > 2016-01-15 1:42 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
>> >
>> > Hello -
>> >
>> > The first thing to understand is that the AuthBy RADIUS clause(s) operate asynchronously.
>> >
>> > The hook code in your first AuthBy RADIUS clause will only execute when the response is received for that clause.
>> >
>> > When the hook code calls the second AuthBy RADIUS clause it will exit without waiting.
>> >
>> > As shown in the example, your hook code needs to alter the response.
>> >
>> > In this case you would change the response to IGNORE which will allow the second AuthBy RADIUS clause to execute and return its result.
>> >
>> >
>> >                 …..
>> >
>> >                 $op->{RadiusResult} = $main::IGNORE;
>> >
>> >                 …..
>> >
>> > Again note that your hook code will not see the result of the second AuthBy RADIUS clause.
>> >
>> > hope that helps
>> >
>> > regards
>> >
>> > Hugh
>> >
>> >
>> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
>> > >
>> > > Thanks Hugh and Heikki!!!
>> > >
>> > > How can I get the RADIUS reply packet from the secondary server in the hook script???
>> > > Radiator sends the Access-Reject before the secondary server replies.
>> > >
>> > >
>> > > radius.cfg
>> > > ...................
>> > > <AuthBy RADIUS>
>> > >       Identifier Primary
>> > >       Host 10.0.6.151
>> > >       Secret 123456
>> > >       AuthPort 1812
>> > >       AcctPort 1813
>> > >       ReplyHook file:"/etc/radiator/AccessReject"
>> > > </AuthBy>
>> > >
>> > > <AuthBy RADIUS>
>> > >       Identifier Secondary
>> > >       Host 10.0.6.152
>> > >       Secret 123456
>> > >       AuthPort 1812
>> > >       AcctPort 1813
>> > > </AuthBy>
>> > >
>> > > <Handler>
>> > >       AuthBy Primary
>> > > </Handler>
>> > > ...................
>> > >
>> > >
>> > > /etc/radiator/AccessReject
>> > > ...................
>> > > sub
>> > > {
>> > >     my $p = ${$_[0]};         # proxy reply packet
>> > >     my $rp = ${$_[1]};        # reply packet to NAS
>> > >     my $op = ${$_[2]};        # original request packet
>> > >     my $sp = ${$_[3]};        # packet sent to proxy
>> > >
>> > >     my $code = $p->code;
>> > >     &main::log($main::LOG_DEBUG, "Code = $code");
>> > >     return unless $code eq 'Access-Reject';
>> > >
>> > >     if($code eq 'Access-Reject'){
>> > >         my $authby = Radius::AuthGeneric::find('Secondary');
>> > >         if (defined $authby)
>> > >         {
>> > >             &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");
>> > >             my ($rc, $reason) = $authby->handle_request($op, $rp);
>> > >             &main::log($main::LOG_DEBUG, "========= RC =========== $rc");
>> > >             &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");
>> > >             if ($rc == 2)
>> > >             {
>> > >                 &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");
>> > >             }
>> > >             else
>> > >             {
>> > >                 &main::log($main::LOG_DEBUG, "========= REJECT ===========");
>> > >             }
>> > >         }
>> > >         return;
>> > >     }
>> > > }
>> > > ...................
>> > >
>> > > radiator log
>> > > -------------------
>> > > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
>> > > *** Received from 10.0.6.13 port 57565 ....
>> > > Code:       Access-Request
>> > > Identifier: 0
>> > > Authentic:        1452774130
>> > > Attributes:
>> > >       User-Name = "testcoa10"
>> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>> > >       NAS-IP-Address = 10.0.6.13
>> > >       NAS-Port = 1
>> > >       NAS-Port-Id = "123"
>> > >       Service-Type = Framed-User
>> > >       Framed-Protocol = PPP
>> > >       Acct-Session-Id = "1"
>> > >       Calling-Station-Id = "0800.2727.0575"
>> > >
>> > > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''
>> > > Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10, 10.0.6.13, 1
>> > > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
>> > > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
>> > > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
>> > > *** Sending to 10.0.6.151 port 1812 ....
>> > > Code:       Access-Request
>> > > Identifier: 1
>> > > Authentic:        1452774130
>> > > Attributes:
>> > >       User-Name = "testcoa10"
>> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>> > >       NAS-IP-Address = 10.0.6.13
>> > >       NAS-Port = 1
>> > >       NAS-Port-Id = "123"
>> > >       Service-Type = Framed-User
>> > >       Framed-Protocol = PPP
>> > >       Acct-Session-Id = "1"
>> > >       Calling-Station-Id = "0800.2727.0575"
>> > >
>> > > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.151:1812
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
>> > > *** Received from 10.0.6.151 port 1812 ....
>> > > Code:       Access-Reject
>> > > Identifier: 1
>> > > Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
>> > > Attributes:
>> > >       Reply-Message = "1"
>> > >
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
>> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
>> > > *** Sending to 10.0.6.152 port 1812 ....
>> > > Code:       Access-Request
>> > > Identifier: 1
>> > > Authentic:        1452774130
>> > > Attributes:
>> > >       User-Name = "testcoa10"
>> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>> > >       NAS-IP-Address = 10.0.6.13
>> > >       NAS-Port = 1
>> > >       NAS-Port-Id = "123"
>> > >       Service-Type = Framed-User
>> > >       Framed-Protocol = PPP
>> > >       Acct-Session-Id = "1"
>> > >       Calling-Station-Id = "0800.2727.0575"
>> > >
>> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
>> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
>> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
>> > > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
>> > > *** Sending to 10.0.6.13 port 57565 ....
>> > > Code:       Access-Reject
>> > > Identifier: 0
>> > > Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
>> > > Attributes:
>> > >       Reply-Message = "Request Denied"
>> > >
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.152:1812
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
>> > > *** Received from 10.0.6.152 port 1812 ....
>> > > Code:       Access-Accept
>> > > Identifier: 1
>> > > Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
>> > > Attributes:
>> > >       Acct-Interim-Interval = 300
>> > >       Framed-IP-Address = 192.168.0.203
>> > >
>> > > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
>> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
>> > > *** Sending to 10.0.6.13 port 57565 ....
>> > > Code:       Access-Reject
>> > > Identifier: 0
>> > > Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
>> > > Attributes:
>> > >       Reply-Message = "Request Denied"
>> > >       Acct-Interim-Interval = 300
>> > >       Framed-IP-Address = 192.168.0.203
>> > > -------------------------------------
>> > >
>> > >
>> > > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <hugh at open.com.au>:
>> > >
>> > > Hello -
>> > >
>> > > See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
>> > >
>> > > regards
>> > >
>> > > Hugh
>> > >
>> > >
>> > > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh1te at gmail.com> wrote:
>> > > >
>> > > > Hello!
>> > > >
>> > > > I want to proxy auth requests in a redundant fashion, if it's possible.
>> > > >
>> > > > For each request, I want to proxy it to a primary server; if it succeeds, then move on.
>> > > > If the auth fails (Access-Reject), I need to proxy the Access-Request to a secondary server.
>> > > >
>> > > > Is it possible?
>> > > >
>> > > > Thanks!
>> > > > _______________________________________________
>> > > > radiator mailing list
>> > > > radiator at open.com.au
>> > > > http://www.open.com.au/mailman/listinfo/radiator
>> > >
>> > >
>> > > --
>> > >
>> > > Hugh Irvine
>> > > hugh at open.com.au
>> > >
>> > > Radiator: the most portable, flexible and configurable RADIUS server
>> > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> > > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> > > DIAMETER, SIM, etc.
>> > > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > With regards,
>> > > Alexander Yakunin
>> >
>> >
>> > --
>> >
>> > Hugh Irvine
>> > hugh at open.com.au
>> >
>> >
>> >
>> >
>> >
>> > --
>> > With regards,
>> > Alexander Yakunin
>>
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>>
>>
>
>
> --
> With regards,
> Alexander Yakunin
>



-- 
With regards,
Alexander Yakunin
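The rule the thread asks for (try the primary server first, retry on the secondary only when the primary's Access-Reject carries Reply-Message = 1, otherwise pass the Reject straight back to the NAS) and the checks a proxy should make on each upstream reply, as an added example. This is not Radiator code and not the script from the 2010 list post; it is a self-contained RFC 2865 model in Python. The shared secrets, user names, passwords and addresses are constructed for the example, the upstream servers are in-process functions rather than sockets, and the exchange is synchronous, unlike Radiator's asynchronous AuthBy RADIUS clauses that Hugh describes. Attribute numbers and the User-Password and Response Authenticator computations follow RFC 2865.

```python
"""Added example: a minimal RFC 2865 proxy applying the thread's failover rule (not Radiator code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18

def xor_password(data, secret, authenticator, hide):
    """RFC 2865 s5.2 User-Password hiding; hide=False reverses it (next key uses the cipher block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out if hide else out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = decode(request)
    unsigned = encode(code, ident, req_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_response(reply, request, secret):
    """Drop replies whose Identifier or Response Authenticator does not match the request we sent."""
    _, req_ident, req_auth, _ = decode(request)
    _, ident, resp_auth, _ = decode(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(resp_auth, expected)

def make_server(secret, users, blocked):
    """Constructed upstream server. users: name -> (password, Framed-IP-Address bytes).
    Unknown users get Reply-Message "1" (try the next server), blocked users get "2" (final)."""
    def serve(request):
        _, _, auth, attrs = decode(request)
        a = dict(attrs)
        name = a.get(USER_NAME, b"")
        if name in blocked:
            return build_response(ACCESS_REJECT, request, [(REPLY_MESSAGE, b"2")], secret)
        password = xor_password(a.get(USER_PASSWORD, b""), secret, auth, hide=False)
        if name in users and hmac.compare_digest(users[name][0], password):
            return build_response(ACCESS_ACCEPT, request, [(FRAMED_IP_ADDRESS, users[name][1])], secret)
        return build_response(ACCESS_REJECT, request, [(REPLY_MESSAGE, b"1")], secret)
    return serve

def proxy(nas_request, nas_secret, primary, secondary):
    """Try primary; only an Access-Reject carrying Reply-Message "1" is retried on secondary.
    Each hop is a (secret, send) pair; User-Password is re-hidden under that hop's secret."""
    code, ident, auth, attrs = decode(nas_request)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied here")
    for name, (secret, send) in (("primary", primary), ("secondary", secondary)):
        fwd_auth = os.urandom(16)
        fwd_attrs = [(t, xor_password(xor_password(v, nas_secret, auth, False), secret, fwd_auth, True))
                     if t == USER_PASSWORD else (t, v) for t, v in attrs]
        fwd = encode(ACCESS_REQUEST, ident, fwd_auth, fwd_attrs)
        reply = send(fwd)
        if not verify_response(reply, fwd, secret):
            raise ValueError("bad Response Authenticator from " + name)
        rcode, _, _, rattrs = decode(reply)
        if name == "primary" and rcode == ACCESS_REJECT and dict(rattrs).get(REPLY_MESSAGE) == b"1":
            continue  # the Reply-Message = 1 case from the thread: fall through to secondary
        return name, build_response(rcode, nas_request, rattrs, nas_secret)  # re-sign for the NAS

def demo():
    """Runs four constructed logins through the proxy; returns {user: (served_by, code, attrs)}."""
    nas_secret = b"nas-secret"
    primary = (b"p-secret", make_server(b"p-secret", {b"alice": (b"pw-a", bytes([192, 168, 0, 10]))}, {b"carol"}))
    secondary = (b"s-secret", make_server(b"s-secret", {b"bob": (b"pw-b", bytes([192, 168, 0, 203]))}, set()))
    results = {}
    for user, pw in ((b"alice", b"pw-a"), (b"bob", b"pw-b"), (b"carol", b"pw-c"), (b"dave", b"pw-d")):
        auth = os.urandom(16)
        request = encode(ACCESS_REQUEST, 42, auth,
                         [(USER_NAME, user), (USER_PASSWORD, xor_password(pw, nas_secret, auth, True))])
        served_by, reply = proxy(request, nas_secret, primary, secondary)
        assert verify_response(reply, request, nas_secret)
        rcode, _, _, rattrs = decode(reply)
        results[user] = (served_by, rcode, dict(rattrs))
    return results
```

`demo()` covers the four outcomes: a user known to the primary (Accept from primary), a user the primary rejects with Reply-Message "1" who the secondary accepts, a user the primary rejects with Reply-Message "2" (sent back to the NAS as a final Reject), and a user neither server knows. Two points worth noting against the 14 Jan log in the thread: the reply to the NAS is rebuilt from whichever upstream reply was actually chosen and re-signed with the NAS secret, so an Access-Reject never carries attributes from another server's Access-Accept (the log shows an Access-Reject going to the NAS with Framed-IP-Address = 192.168.0.203 taken from the secondary's Accept); and every upstream reply is checked for a matching Identifier and Response Authenticator before it influences the decision, which is the only integrity check classic RADIUS over UDP provides. A real deployment would also add Proxy-State and use per-hop identifiers rather than reusing the NAS's.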

