[RADIATOR] "IgnoreIfMissing" required?

Christian Meutes christian at errxtx.net
Fri Jan 18 23:09:33 UTC 2019 

I tried the following "hack":

Created a DEFAULT user in Radmin/SQL. Tried to check on some attribute
and then tried to reply "Auth-Type=Ignore", for letting the a
non-existing user fall-through this DEFAULT user with an 'Ignore'
code.

Stumbled across the following issues:

- I used 'AddToRequest Realm=foobar' inside the handler to get some
unique identifier to use a check-item in the DEFAULT user entry in
Radmin.
  Unfortunately this didn't work out: 'AddToRequest' doesn't seem to
add the Realm attribute to the 'Access-Request' (the check does fail
and 'PacketTrace' nor 'trace 5' gives any insights about the reason).

- By leveraging a random attribute from the original packet the match
does work for the new 'DEFAULT' user finally. But then the above
reply-item ("Auth-Type=Ignore") seems to fail for unknown reason
again. The log says: "WARNING: Invalid reply item Auth-Type ignored".

Beside these issues I also wonder how to differentiate this DEFAULT
user in Radmin from any other possible DEFAULT user used for other
realms/handlers/use-cases in future. Pretty unsure if Radmin or the
SQL AuthBy module can deal with more than one in some way. OTOH it
seems to be necessary to do the DEFAULT lookup inside the Radmin/SQL
AuthBy and not inside a following 'AuthBy FILE', because in the latter
case the state about "user not found" "Accept" or "Reject" is lost and
making an distinction is not possible anymore.

On Fri, Jan 18, 2019 at 12:21 PM Christian Meutes <christian at errxtx.net> wrote:
> (1) First AuthBy/Backend (Radmin/SQL): If user found either 'Accept'
> or 'Reject' depending on check-item result. If user is not found, try
> out the second backend.
>
> (2) Second AuthBy/Backend (LDAP): If user found then 'Accept' or do
> 'Reject' if not found.
>
> Using 'AuthByPolicy ContinueWhileIgnore', while a third 'AuthBy
> INTERNAL' makes sure to 'Accept' in case the backends before failed,
> thus delivered 'Ignores' and did fall through.
>
> I wonder how to implement the first 'AuthBy', there is
> 'AcceptIfMissing', but there is no 'IgnoreIfMissing'.
>
> AuthGeneric.pm seems the place to patch this in, but I'm pretty sure
> that I just miss the right knobs or a proper policy(-design), or not?




-- 
Christian Meutes

e-mail/xmpp: christian at errxtx.net
mobile: +49 176 32370305
PGP Fingerprint: B458 E4D6 7173 A8C4 9C75315B 709C 295B FA53 2318
Toulouser Allee 21, 40211 Duesseldorf, Germany

More information about the radiator mailing list