[RADIATOR] Which hook and how to get destination host

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Wed Jul 3 22:36:54 UTC 2024


Hi Heikki,

I tried that but apparently Radiator is not happy.

00000000 Wed Jul  3 22:12:38 2024 146691: ERR: Unknown keyword 'VsaTranslationHook' in /etc/radiator/lin/radiator line 14171
00000000 Wed Jul  3 22:12:38 2024 146892: ERR: Unknown keyword 'VsaVendor' in /etc/radiator/lin/radiator line 14179
00000000 Wed Jul  3 22:12:38 2024 146970: ERR: Unknown keyword 'VsaTranslateOut' in /etc/radiator/lin/radiator line 14180

The offending bit:

<Handler OSC-Environment-Identifier=HOST_1>
    Identifier IDENT_PROXY
    <AuthBy RADSEC>
         Secret radsec
         NoreplyTimeout 5
         UseTLS
         TLS_Protocols TLSv1.2
         ProxyAlgorithm HashBalance
         UseStatusServerForFailureDetect
         KeepaliveTimeout 180
         NoKeepaliveTimeoutForChildInstances
         ConnectOnDemand
         FailureBackoffTime 5
         [TLS options redacted]

         <Host proxy.host>
             Port 2083
             UseTLS
             TLS_Protocols TLSv1.2
             FailureBackoffTime 5
             VsaTranslationHook file:"%D/hook/loop_check_vt.pl"
         </Host>
         VsaVendor Generic
         VsaTranslateOut
    </AuthBy>
</Handler>

So, I'm guessing that the AuthBy RADSEC doesn't cover all of that in the Host clause. We're running 4.28 as from your repo. I've tried something else and am waiting to see what happens. If the Host clause in AuthByRADSEC doesn't support the VsaTranslationHook, could I request it be added as a feature for the next version? :-)

With kind regards

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc

email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142

For eduroam support, please contact the eduroam team via help at jisc.ac.uk and mark it for eduroam’s attention.
On Wednesdays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.


From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen via radiator <radiator at lists.open.com.au>
Reply to: Heikki Vatiainen <hvn at open.com.au>
Date: Friday 28 June 2024 at 09:33
To: "radiator at lists.open.com.au" <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Which hook and how to get destination host


On 26.6.2024 14.09, Stefan Paetow via radiator wrote:
I am trying to fix a looping problem between two hosts that does not rely on attributes being added to packets.

I know I can retrieve the client address from the request as Radius::Util::inet_ntop($request->{RecvFromAddress}), but I'd like to do the same for the destination host that's been selected to proxy the request to. Which handler/hook would be the best to do this in? PreHandlerHook in the destination AuthBy? And… how do I get the IP address of the destination host (or the selected host if there are multiple)?


That's an interesting question. Many of the hooks run well before the next hop details (IP + port) are resolved, but I think I found a solution.


Or is this not possible?


It's possible. There's one hook that runs just before the request is forwarded. I came up with the following idea. Note that you'd need to have a <Host ...> clause because that's where the hook goes into. It should also work with the other proxy AuthBys, such as AuthBy HASHBALANCE.

Here's a config snippet and the hook:

<AuthBy RADIUS>
    VsaVendor Generic
    VsaTranslateOut
    AuthPort 1812
    AcctPort 1813

    <Host 127.0.0.1>
        Secret mysecret
        # Other host specific parameters

        # $p is the request, $is_out is set for outgoing messages
        # $fp is the request that's about to be forwarded
        VsaTranslationHook sub { my ($p, $is_out, $fp) = @_; \
          my $host = $fp->{ThisHost}; \
          my $addr = @{$host->{Address}}[$host->{roundRobinCounter} % @{$host->{Address}}]; \

          my $port = $fp->code eq 'Accounting-Request' \
              ? $host->{AcctPort} : $host->{AuthPort}; \
          my $ip = Radius::Util::inet_ntop($addr); \
          main::log($main::LOG_INFO, "Forwarding to IP $ip port $port\n"); }
    </Host>
</AuthBy>

The Vendor Specific Attribute (VSA) translation parameters are documented here, except of the hook that needs to be documented:
https://files.radiatorsoftware.com/radiator/ref/Clientxxxxxx.html#VsaTranslateIn_Client

The round robin counter is explained below. Briefly, it's for the cases where Host is defined with a name that resolves to multiple IP addresses:

https://files.radiatorsoftware.com/radiator/ref/AuthByRADIUS.html#Host


Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20240703/1ae2e773/attachment-0001.html>


More information about the radiator mailing list