[RADIATOR] Which hook and how to get destination host
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Mon Jul 1 21:02:04 UTC 2024
Hi Heikki,
Thank you for this! I'll have a look and implement something, and then let you know if it works 😊
With kind regards
Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc
email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142
For eduroam support, please contact the eduroam team via help at jisc.ac.uk and mark it for eduroam’s attention.
On Wednesdays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen via radiator <radiator at lists.open.com.au>
Reply to: Heikki Vatiainen <hvn at open.com.au>
Date: Friday 28 June 2024 at 09:33
To: "radiator at lists.open.com.au" <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Which hook and how to get destination host
On 26.6.2024 14.09, Stefan Paetow via radiator wrote:
I am trying to fix a looping problem between two hosts that does not rely on attributes being added to packets.
I know I can retrieve the client address from the request as Radius::Util::inet_ntop($request->{RecvFromAddress}), but I'd like to do the same for the destination host that's been selected to proxy the request to. Which handler/hook would be the best to do this in? PreHandlerHook in the destination AuthBy? And… how do I get the IP address of the destination host (or the selected host if there are multiple)?
That's an interesting question. Many of the hooks run well before the next hop details (IP + port) are resolved, but I think I found a solution.
Or is this not possible?
It's possible. There's one hook that runs just before the request is forwarded. I came up with the following idea. Note that you'd need to have a <Host ...> clause because that's where the hook goes into. It should also work with the other proxy AuthBys, such as AuthBy HASHBALANCE.
Here's a config snippet and the hook:
<AuthBy RADIUS>
VsaVendor Generic
VsaTranslateOut
AuthPort 1812
AcctPort 1813
<Host 127.0.0.1>
Secret mysecret
# Other host specific parameters
# $p is the request, $is_out is set for outgoing messages
# $fp is the request that's about to be forwarded
VsaTranslationHook sub { my ($p, $is_out, $fp) = @_; \
my $host = $fp->{ThisHost}; \
my $addr = @{$host->{Address}}[$host->{roundRobinCounter} % @{$host->{Address}}]; \
my $port = $fp->code eq 'Accounting-Request' \
? $host->{AcctPort} : $host->{AuthPort}; \
my $ip = Radius::Util::inet_ntop($addr); \
main::log($main::LOG_INFO, "Forwarding to IP $ip port $port\n"); }
</Host>
</AuthBy>
The Vendor Specific Attribute (VSA) translation parameters are documented here, except of the hook that needs to be documented:
https://files.radiatorsoftware.com/radiator/ref/Clientxxxxxx.html#VsaTranslateIn_Client
The round robin counter is explained below. Briefly, it's for the cases where Host is defined with a name that resolves to multiple IP addresses:
https://files.radiatorsoftware.com/radiator/ref/AuthByRADIUS.html#Host
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20240701/6f605a82/attachment-0001.html>
More information about the radiator
mailing list