<div dir="ltr">Hello Hugh.<div><br></div><div>I found your script in the mailing list.<br></div><div><a href="http://www.open.com.au/pipermail/radiator/2010-March/016160.html">http://www.open.com.au/pipermail/radiator/2010-March/016160.html</a><br></div><div><br></div><div>It works for me.</div><div><br></div><div>Thanks for the help!<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-18 16:33 GMT+03:00 SinTeZ Wh1te <span dir="ltr"><<a href="mailto:sintezwh1te@gmail.com" target="_blank">sintezwh1te@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Hugh.<div><br></div><div>The second AuthBy clause does not send a reply to the NAS.</div><div><br></div><div>radius.cfg</div><div>-------</div><span class=""><div><div><AuthBy RADIUS></div><div><span style="white-space:pre-wrap">        </span>Identifier Primary</div><div><span style="white-space:pre-wrap">        </span>Host 10.0.6.151</div><div><span style="white-space:pre-wrap">        </span>Secret 123456</div><div><span style="white-space:pre-wrap">        </span>AuthPort 1812</div><div><span style="white-space:pre-wrap">        </span>AcctPort 1813</div><div><span style="white-space:pre-wrap">        </span>ReplyHook file:"/etc/radiator/AccessReject"</div><div></AuthBy></div><div><br></div><div><AuthBy RADIUS></div><div><span style="white-space:pre-wrap">        </span>Identifier Secondary</div><div><span style="white-space:pre-wrap">        </span>Host 10.0.6.152</div><div><span style="white-space:pre-wrap">        </span>Secret 123456</div><div><span style="white-space:pre-wrap">        </span>AuthPort 1812</div><div><span style="white-space:pre-wrap">        </span>AcctPort 1813</div><div></AuthBy></div><div><br></div><div><Handler></div><div><span style="white-space:pre-wrap">        </span>AuthBy 
Primary</div><div></Handler></div></div></span><div>-------</div><div><br></div><div>/etc/radiator/AccessReject</div><div>--------</div><div><span class=""><div>sub </div><div>{</div><div> my $p = ${$_[0]};<span style="white-space:pre-wrap">        </span># proxy reply packet</div><div> my $rp = ${$_[1]};<span style="white-space:pre-wrap">        </span># reply packet to NAS</div><div> my $op = ${$_[2]};<span style="white-space:pre-wrap">        </span># original request packet</div><div> my $sp = ${$_[3]};<span style="white-space:pre-wrap">        </span># packet sent to proxy </div><div><span style="white-space:pre-wrap">        </span></div><div><span style="white-space:pre-wrap">        </span>my $code = $p->code;</div></span><span class=""><div><span style="white-space:pre-wrap">        </span>return unless $code eq 'Access-Reject';</div><div><span style="white-space:pre-wrap">        </span></div><div><span style="white-space:pre-wrap">        </span>if($code eq 'Access-Reject'){</div><div><span style="white-space:pre-wrap">                </span>my $authby = Radius::AuthGeneric::find('Secondary');</div><div><span style="white-space:pre-wrap">                </span>if (defined $authby)</div><div><span style="white-space:pre-wrap">                </span>{</div></span><span class=""><div><span style="white-space:pre-wrap">                        </span>my ($rc, $reason) = $authby->handle_request($op, $rp);</div></span><div><span style="white-space:pre-wrap">                        </span>if ($rc == 2)</div><div><span style="white-space:pre-wrap">                        </span>{</div><span class=""><div><span style="white-space:pre-wrap">                                </span>$op->{RadiusResult} = $main::IGNORE;</div><div><span style="white-space:pre-wrap">                        </span>}</div><div><span style="white-space:pre-wrap">                </span>}</div></span><div><span style="white-space:pre-wrap">                </span>return;</div><div><span 
style="white-space:pre-wrap">        </span>}</div><div>}</div></div><div>---------</div><div><br></div><div><br></div><div>#tshark -i eth0 port 1812 -w /opt/radius.pcap</div><div><br></div><div>Wireshark screenshot<br></div><div><br></div><div><a href="http://i.imgur.com/StKAJ18.png" target="_blank">http://i.imgur.com/StKAJ18.png</a><br></div><div><br></div><div>10.0.6.13 - NAS</div><div>10.0.6.150 - Radiator</div><div>10.0.6.151 - Primary RADIUS</div><div>10.0.6.152 - Secondary RADIUS</div><div><br></div><div>After 10.0.6.152 sends Access-Accept, Radiator does nothing.</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2016-01-18 13:29 GMT+03:00 Hugh Irvine <span dir="ltr"><<a href="mailto:hugh@open.com.au" target="_blank">hugh@open.com.au</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hello -<br>
<br>
You don’t have to do anything - the second AuthBy RADIUS clause will send the reply to the NAS.<br>
<br>
If you want to do more than that you will also need a ReplyHook in the second AuthBy RADIUS clause.<br>
<br>
regards<br>
<span><font color="#888888"><br>
Hugh<br>
</font></span><div><div><br>
<br>
> On 18 Jan 2016, at 18:15, SinTeZ Wh1te <<a href="mailto:sintezwh1te@gmail.com" target="_blank">sintezwh1te@gmail.com</a>> wrote:<br>
><br>
> Hello Hugh!<br>
><br>
> > Again note that your hook code will not see the result of the second AuthBy RADIUS clause.<br>
><br>
> If the hook code does not see the result, how can I check what I received in the reply from the second RADIUS server?<br>
><br>
> What my boss needs:<br>
> 1) The NAS sends an Access-Request to Radiator<br>
> 2) Radiator re-sends the Access-Request to the primary RADIUS server<br>
> 3) If the primary server replies Access-Reject with attribute Reply-Message = 1, Radiator re-sends the Access-Request to the secondary RADIUS server. If Reply-Message > 1, it sends Access-Reject to the NAS.<br>
> 4) After the secondary server replies, Radiator sends the reply to the NAS<br>
><br>
> Does a reply hook do this?<br>
><br>
> 2016-01-15 1:42 GMT+03:00 Hugh Irvine <<a href="mailto:hugh@open.com.au" target="_blank">hugh@open.com.au</a>>:<br>
><br>
> Hello -<br>
><br>
> The first thing to understand is that the AuthBy RADIUS clause(s) operate asynchronously.<br>
><br>
> The hook code in your first AuthBy RADIUS clause will only execute when the response is received for that clause.<br>
><br>
> When the hook code calls the second AuthBy RADIUS clause it will exit without waiting.<br>
><br>
> As shown in the example, your hook code needs to alter the response.<br>
><br>
> In this case you would change the response to IGNORE which will allow the second AuthBy RADIUS clause to execute and return its result.<br>
><br>
><br>
> …..<br>
><br>
> $op->{RadiusResult} = $main::IGNORE;<br>
><br>
> …..<br>
><br>
> Again note that your hook code will not see the result of the second AuthBy RADIUS clause.<br>
><br>
> hope that helps<br>
><br>
> regards<br>
><br>
> Hugh<br>
><br>
><br>
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <<a href="mailto:sintezwh1te@gmail.com" target="_blank">sintezwh1te@gmail.com</a>> wrote:<br>
> ><br>
> > Thanks Hugh and Heikki!!!<br>
> ><br>
> > How can I get the RADIUS reply packet from the secondary server in the hook script???<br>
> > Radiator sends Access-Reject before the secondary server replies.<br>
> ><br>
> ><br>
> > radius.cfg<br>
> > ...................<br>
> > <AuthBy RADIUS><br>
> > Identifier Primary<br>
> > Host 10.0.6.151<br>
> > Secret 123456<br>
> > AuthPort 1812<br>
> > AcctPort 1813<br>
> > ReplyHook file:"/etc/radiator/AccessReject"<br>
> > </AuthBy><br>
> ><br>
> > <AuthBy RADIUS><br>
> > Identifier Secondary<br>
> > Host 10.0.6.152<br>
> > Secret 123456<br>
> > AuthPort 1812<br>
> > AcctPort 1813<br>
> > </AuthBy><br>
> ><br>
> > <Handler><br>
> > AuthBy Primary<br>
> > </Handler><br>
> > ...................<br>
> ><br>
> ><br>
> > /etc/radiator/AccessReject<br>
> > ...................<br>
> > sub<br>
> > {<br>
> > my $p = ${$_[0]}; # proxy reply packet<br>
> > my $rp = ${$_[1]}; # reply packet to NAS<br>
> > my $op = ${$_[2]}; # original request packet<br>
> > my $sp = ${$_[3]}; # packet sent to proxy<br>
> ><br>
> > my $code = $p->code;<br>
> > &main::log($main::LOG_DEBUG, "Code = $code");<br>
> > return unless $code eq 'Access-Reject';<br>
> ><br>
> > if($code eq 'Access-Reject'){<br>
> > my $authby = Radius::AuthGeneric::find('Secondary');<br>
> > if (defined $authby)<br>
> > {<br>
> > &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");<br>
> > my ($rc, $reason) = $authby->handle_request($op, $rp);<br>
> > &main::log($main::LOG_DEBUG, "========= RC =========== $rc");<br>
> > &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");<br>
> > if ($rc == 2)<br>
> > {<br>
> > &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");<br>
> > }<br>
> > else<br>
> > {<br>
> > &main::log($main::LOG_DEBUG, "========= REJECT ===========");<br>
> > }<br>
> > }<br>
> > return;<br>
> > }<br>
> > }<br>
> > ...................<br>
> ><br>
> > radiator log<br>
> > -------------------<br>
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:<br>
> > *** Received from 10.0.6.13 port 57565 ....<br>
> > Code: Access-Request<br>
> > Identifier: 0<br>
> > Authentic: 1452774130<br>
> > Attributes:<br>
> > User-Name = "testcoa10"<br>
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3<br>
> > NAS-IP-Address = 10.0.6.13<br>
> > NAS-Port = 1<br>
> > NAS-Port-Id = "123"<br>
> > Service-Type = Framed-User<br>
> > Framed-Protocol = PPP<br>
> > Acct-Session-Id = "1"<br>
> > Calling-Station-Id = "0800.2727.0575"<br>
> ><br>
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''<br>
> > Thu Jan 14 15:22:08 2016: DEBUG: Deleting session for testcoa10, 10.0.6.13, 1<br>
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS<br>
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '<a href="http://0.0.0.0:0" rel="noreferrer" target="_blank">0.0.0.0:0</a>' for sending requests<br>
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:<br>
> > *** Sending to 10.0.6.151 port 1812 ....<br>
> > Code: Access-Request<br>
> > Identifier: 1<br>
> > Authentic: 1452774130<br>
> > Attributes:<br>
> > User-Name = "testcoa10"<br>
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3<br>
> > NAS-IP-Address = 10.0.6.13<br>
> > NAS-Port = 1<br>
> > NAS-Port-Id = "123"<br>
> > Service-Type = Framed-User<br>
> > Framed-Protocol = PPP<br>
> > Acct-Session-Id = "1"<br>
> > Calling-Station-Id = "0800.2727.0575"<br>
> ><br>
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from <a href="http://10.0.6.151:1812" rel="noreferrer" target="_blank">10.0.6.151:1812</a><br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:<br>
> > *** Received from 10.0.6.151 port 1812 ....<br>
> > Code: Access-Reject<br>
> > Identifier: 1<br>
> > Authentic: <155><2><181><187><19>'<218><220>tK[\<224><137>,<194><br>
> > Attributes:<br>
> > Reply-Message = "1"<br>
> ><br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:<br>
> > *** Sending to 10.0.6.152 port 1812 ....<br>
> > Code: Access-Request<br>
> > Identifier: 1<br>
> > Authentic: 1452774130<br>
> > Attributes:<br>
> > User-Name = "testcoa10"<br>
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3<br>
> > NAS-IP-Address = 10.0.6.13<br>
> > NAS-Port = 1<br>
> > NAS-Port-Id = "123"<br>
> > Service-Type = Framed-User<br>
> > Framed-Protocol = PPP<br>
> > Acct-Session-Id = "1"<br>
> > Calling-Station-Id = "0800.2727.0575"<br>
> ><br>
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========<br>
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:<br>
> > *** Sending to 10.0.6.13 port 57565 ....<br>
> > Code: Access-Reject<br>
> > Identifier: 0<br>
> > Authentic: <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3><br>
> > Attributes:<br>
> > Reply-Message = "Request Denied"<br>
> ><br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from <a href="http://10.0.6.152:1812" rel="noreferrer" target="_blank">10.0.6.152:1812</a><br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:<br>
> > *** Received from 10.0.6.152 port 1812 ....<br>
> > Code: Access-Accept<br>
> > Identifier: 1<br>
> > Authentic: T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127><br>
> > Attributes:<br>
> > Acct-Interim-Interval = 300<br>
> > Framed-IP-Address = 192.168.0.203<br>
> ><br>
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied<br>
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:<br>
> > *** Sending to 10.0.6.13 port 57565 ....<br>
> > Code: Access-Reject<br>
> > Identifier: 0<br>
> > Authentic: <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl<br>
> > Attributes:<br>
> > Reply-Message = "Request Denied"<br>
> > Acct-Interim-Interval = 300<br>
> > Framed-IP-Address = 192.168.0.203<br>
> > -------------------------------------<br>
> ><br>
> ><br>
> > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <<a href="mailto:hugh@open.com.au" target="_blank">hugh@open.com.au</a>>:<br>
> ><br>
> > Hello -<br>
> ><br>
> > See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.<br>
> ><br>
> > regards<br>
> ><br>
> > Hugh<br>
> ><br>
> ><br>
> > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <<a href="mailto:sintezwh1te@gmail.com" target="_blank">sintezwh1te@gmail.com</a>> wrote:<br>
> > ><br>
> > > Hello!<br>
> > ><br>
> > > I want to proxy auth requests in a redundant fashion, if it's<br>
> > > possible.<br>
> > ><br>
> > > On each request, I want to proxy it to a primary server; if it<br>
> > > succeeds then move on.<br>
> > > If the auth fails (Access-Reject), I need to proxy the Access-Request to a secondary server.<br>
> > ><br>
> > > Is it possible?<br>
> > ><br>
> > > Thanks!<br>
> > > _______________________________________________<br>
> > > radiator mailing list<br>
> > > <a href="mailto:radiator@open.com.au" target="_blank">radiator@open.com.au</a><br>
> > > <a href="http://www.open.com.au/mailman/listinfo/radiator" rel="noreferrer" target="_blank">http://www.open.com.au/mailman/listinfo/radiator</a><br>
> ><br>
> ><br>
> > --<br>
> ><br>
> > Hugh Irvine<br>
> > <a href="mailto:hugh@open.com.au" target="_blank">hugh@open.com.au</a><br>
> ><br>
> > Radiator: the most portable, flexible and configurable RADIUS server<br>
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,<br>
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,<br>
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,<br>
> > DIAMETER, SIM, etc.<br>
> > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > With regards,<br>
> > Alexander Yakunin<br>
><br>
><br>
><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div>With regards,<br>Alexander Yakunin<br></div></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div class="gmail_signature"><div dir="ltr"><div>With regards,</div><div>Alexander Yakunin</div></div></div></div></div>
</div>
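As an added example (not part of this thread and not Radiator's own code), the log check below reconstructs the packet flow from Radiator "Packet dump" entries like the ones quoted above and flags the ordering problem Hugh describes: a reply returned to the NAS while the proxied request to the secondary server is still unanswered, an upstream Access-Accept arriving after the NAS has already been rejected, and a second reply to the same NAS request. The addresses, the abridged log and the "healthy" flow are taken or constructed from the thread; the parser, its regular expressions and the one-request-in-flight assumption are mine.

```python
import re
from dataclasses import dataclass

NAS_IP = "10.0.6.13"                      # addresses as given in the thread
UPSTREAMS = {"10.0.6.151", "10.0.6.152"}  # Primary and Secondary RADIUS servers

@dataclass
class Packet:
    direction: str  # "recv" (Received from) or "send" (Sending to)
    peer: str       # address of the other side
    code: str       # RADIUS Code, e.g. "Access-Request"
    ident: int      # RADIUS Identifier

_PREFIX = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: \w+: ")  # "Thu Jan 14 15:22:08 2016: DEBUG: "
_HDR = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port \d+")
_CODE = re.compile(r"^Code: (\S+)")
_IDENT = re.compile(r"^Identifier: (\d+)")

def parse_packet_dumps(log_text):
    """Turn Radiator 'Packet dump' entries into Packet objects, in log order."""
    packets, hdr, code = [], None, None
    for raw in log_text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        if m := _HDR.match(line):
            hdr, code = ("recv" if m.group(1) == "Received from" else "send", m.group(2)), None
        elif hdr and (m := _CODE.match(line)):
            code = m.group(1)
        elif hdr and code and (m := _IDENT.match(line)):
            packets.append(Packet(hdr[0], hdr[1], code, int(m.group(1))))
            hdr = code = None  # the attribute lines that follow are not needed here
    return packets

def find_ordering_problems(packets, nas_ip=NAS_IP, upstreams=UPSTREAMS):
    """Flag replies sent to the NAS while a proxied request is still unanswered,
    upstream accepts that arrive after the NAS was already rejected, and duplicate
    replies.  Assumes one NAS request in flight at a time (as in the thread's log)."""
    problems, outstanding, sent_to_nas = [], set(), []
    for pkt in packets:
        if pkt.direction == "recv" and pkt.peer == nas_ip and pkt.code == "Access-Request":
            outstanding, sent_to_nas = set(), []  # a new request from the NAS resets state
        elif pkt.direction == "send" and pkt.peer in upstreams:
            outstanding.add(pkt.peer)
        elif pkt.direction == "recv" and pkt.peer in upstreams:
            outstanding.discard(pkt.peer)
            if pkt.code == "Access-Accept" and "Access-Reject" in sent_to_nas:
                problems.append(f"{pkt.peer} returned Access-Accept (id {pkt.ident}) "
                                "after the NAS was already sent Access-Reject")
        elif pkt.direction == "send" and pkt.peer == nas_ip:
            if outstanding:
                problems.append(f"{pkt.code} (id {pkt.ident}) sent to NAS while still "
                                f"waiting on {sorted(outstanding)}")
            if sent_to_nas:
                problems.append(f"duplicate reply to NAS: {pkt.code} (id {pkt.ident}) "
                                f"after {sent_to_nas}")
            sent_to_nas.append(pkt.code)
    return problems

# Constructed sample: the packet dumps from the thread's log, abridged to the
# lines the parser needs (the timestamped prefix is kept on the first entry).
THREAD_LOG = """\
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Received from 10.0.6.13 port 57565 ....
Code: Access-Request
Identifier: 0
*** Sending to 10.0.6.151 port 1812 ....
Code: Access-Request
Identifier: 1
*** Received from 10.0.6.151 port 1812 ....
Code: Access-Reject
Identifier: 1
*** Sending to 10.0.6.152 port 1812 ....
Code: Access-Request
Identifier: 1
*** Sending to 10.0.6.13 port 57565 ....
Code: Access-Reject
Identifier: 0
*** Received from 10.0.6.152 port 1812 ....
Code: Access-Accept
Identifier: 1
*** Sending to 10.0.6.13 port 57565 ....
Code: Access-Reject
Identifier: 0
"""

# Constructed: the flow the thread is aiming for, with the reply to the NAS
# held back until the secondary server has answered.
HEALTHY_FLOW = [Packet(*t) for t in [
    ("recv", "10.0.6.13", "Access-Request", 0), ("send", "10.0.6.151", "Access-Request", 1),
    ("recv", "10.0.6.151", "Access-Reject", 1), ("send", "10.0.6.152", "Access-Request", 1),
    ("recv", "10.0.6.152", "Access-Accept", 1), ("send", "10.0.6.13", "Access-Accept", 0)]]

def check_thread_log():
    return find_ordering_problems(parse_packet_dumps(THREAD_LOG))

if __name__ == "__main__":
    for problem in check_thread_log():
        print("PROBLEM:", problem)
```

Run against the thread's log it reports three problems (the reject sent while 10.0.6.152 was still outstanding, the secondary's accept arriving after that reject, and the second reject sent for the same NAS request); run against the healthy flow it reports none. Feeding it a `radiusd` trace-4 log is enough to confirm whether a failover hook actually holds the reply back, without reading every packet dump by hand.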