Hi Hugh,

I am using Radiator 2.15 (all patches applied) on a Sun Ultra-1 with Solaris 2.6. My NAS is a Cisco 7507 with IOS 12.03(T3).
All the required files are pasted below.

My Configuration File
-------------------------- radius.conf ---------------------------
# Shaheer Dialup Accounts
Foreground
LogStdout
Trace 4
AuthPort 1812
AcctPort 1813

LogDir          /usr/local/etc/raddb
DbDir           /usr/local/etc/raddb

LogFile %L/logfile.%Y%m%d

<Client c1.shaheer.net.sa>
        Secret xxx
</Client>
<Client c2.shaheer.net.sa>
        PreHandlerHook sub { my $p = ${$_[0]}; \
                my $username = $p->get_attr('User-Name'); \
                my ($name,$passwd,$uid,$gid,$quota,$comments,$gcos,$dir,$shell) = getpwnam($username); \
                if ($gid == "10") { \
                $p->add_attr('Group-Name', 'staff'); } \
                }
        Secret yyy
</Client>
<Client c3.shaheer.net.sa>
        Secret zzz
</Client>
<Client c4.shaheer.net.sa>
        Secret xyz
</Client>

<Handler Group=staff>
<AuthBy FILE>
                Filename %D/StaffUsers
</AuthBy>
</Handler>
<Realm>
#RewriteUsername s/^([^@]+).*/$1/
#MaxSessions 1
#<AuthBy GROUP>
#       AuthByPolicy ContinueUntilAccept
        <AuthBy FILE>
                # The filename defaults to %D/users
        </AuthBy>
#       <AuthBy FILE>
#               Filename %D/StaffUsers
#        </AuthBy>
#</AuthBy>
AcctLogFileFormat %l '%{User-Name}' %{Acct-Session-Time} %{Acct-Status-Type} \
%{Acct-Session-Id} %{Acct-Terminate-Cause} %{NAS-Port-Type} %{NAS-IP-Address} %{NAS-Port} \
%{Framed-IP-Address} %{Framed-Protocol}
AcctLogFileName %L/logfile.%Y%m%d
</Realm>
<AuthBy SYSTEM>
Identifier      System
UseGetspnam
</AuthBy>
-------------------------- radius.conf ---------------------------
-------------------------- %D/StaffUsers ---------------------------
DEFAULT         Auth-Type = System, Group = staff
                Service-Type = Framed-User,
                Framed-Protocol = PPP
-------------------------- %D/StaffUsers ---------------------------
-------------------------- %D/users ---------------------------
DEFAULT         Auth-Type = System, Group = special
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Vendor-Specific = cisco-avpair,
                cisco-avpair = "ip:addr-pool=test"
DEFAULT         Auth-Type = System, Group = public
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
DEFAULT         Auth-Type = System, Group = demo
                Service-Type = Framed-User,
                Framed-Protocol = PPP
-------------------------- %D/users ---------------------------

The output of DEBUG, i.e. Trace 4, is below for one of my staff users, nadeem.

--------------------- DEBUG - Trace 4 --------------------------
Mon Apr 17 09:27:53 2000: DEBUG: Packet dump:
*** Received from 212.64.128.19 port 45647 ....
Code:       Access-Request
Identifier: 245
Authentic:  <244>D[<181>$<140><139>2<8><176><129>(baH<210>
Attributes:
        NAS-IP-Address = 212.64.128.2
        NAS-Port = 153
        NAS-Port-Type = Virtual
        User-Name = "nadeem"
        User-Password = "<17>e<186>j<178><176>V<14><136><161><164><245><166><3><176><251>"
        Service-Type = Framed-User
        Framed-Protocol = PPP

Mon Apr 17 09:27:53 2000: DEBUG: Handling request with Handler 'Realm='
Mon Apr 17 09:27:53 2000: DEBUG: Rewrote user name to nadeem
Mon Apr 17 09:27:53 2000: DEBUG:  Deleting session for nadeem, 212.64.128.2, 153
Mon Apr 17 09:27:53 2000: DEBUG: Handling with Radius::AuthFILE
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE looks for match with nadeem
Mon Apr 17 09:27:53 2000: DEBUG: Handling with Radius::AuthSYSTEM
Mon Apr 17 09:27:53 2000: DEBUG: getpwnam got nadeem, t54emF6Cn2W16, 3800, 10, , Nadeem Ikram, Nadeem Ikram, /export/home/nadeem, /bin/tcsh
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM looks for match with nadeem
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM REJECT: User nadeem is not in Group public
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE REJECT: User nadeem is not in Group public
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Apr 17 09:27:53 2000: DEBUG: Handling with Radius::AuthSYSTEM
Mon Apr 17 09:27:53 2000: DEBUG: getpwnam got nadeem, t54emF6Cn2W16, 3800, 10, , Nadeem Ikram, Nadeem Ikram, /export/home/nadeem, /bin/tcsh
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM looks for match with nadeem
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM REJECT: User nadeem is not in Group special
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE REJECT: User nadeem is not in Group special
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Mon Apr 17 09:27:53 2000: DEBUG: Handling with Radius::AuthSYSTEM
Mon Apr 17 09:27:53 2000: DEBUG: getpwnam got nadeem, t54emF6Cn2W16, 3800, 10, , Nadeem Ikram, Nadeem Ikram, /export/home/nadeem, /bin/tcsh
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM looks for match with nadeem
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM REJECT: User nadeem is not in Group public
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE REJECT: User nadeem is not in Group public
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
Mon Apr 17 09:27:53 2000: DEBUG: Handling with Radius::AuthSYSTEM
Mon Apr 17 09:27:53 2000: DEBUG: getpwnam got nadeem, t54emF6Cn2W16, 3800, 10, , Nadeem Ikram, Nadeem Ikram, /export/home/nadeem, /bin/tcsh
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM looks for match with nadeem
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM REJECT: User nadeem is not in Group demo
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE REJECT: User nadeem is not in Group demo
Mon Apr 17 09:27:53 2000: INFO: Access rejected for nadeem: User nadeem is not in Group demo
Mon Apr 17 09:27:53 2000: DEBUG: Packet dump:
*** Sending to 212.64.128.19 port 45647 ....
Code:       Access-Reject
Identifier: 245
Authentic:  <244>D[<181>$<140><139>2<8><176><129>(baH<210>
Attributes:
        Reply-Message = "Request Denied"

Mon Apr 17 09:27:53 2000: DEBUG: Packet dump:
*** Received from 212.64.128.19 port 45647 ....
Code:       Accounting-Request
Identifier: 246
Authentic:  <241>Q2(<234><15>E<140><252><129><234><197><146><216>1<219>
Attributes:
        NAS-IP-Address = 212.64.128.2
        NAS-Port = 153
        NAS-Port-Type = Virtual
        User-Name = "nadeem"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00009155"
        Acct-Input-Packets = 0
        Acct-Output-Packets = 0
        Acct-Session-Time = 0
        Acct-Delay-Time = 0
        Timestamp = 955974538

Mon Apr 17 09:27:53 2000: DEBUG: Handling request with Handler 'Realm='
Mon Apr 17 09:27:53 2000: DEBUG: Rewrote user name to nadeem
Mon Apr 17 09:27:53 2000 'nadeem' 0 Stop 00009155  Virtual 212.64.128.2 153 Virtual
Mon Apr 17 09:27:53 2000: DEBUG:  Deleting session for nadeem, 212.64.128.2, 153
Mon Apr 17 09:27:53 2000: DEBUG: Handling with Radius::AuthFILE
Mon Apr 17 09:27:53 2000: DEBUG: Accounting accepted
Mon Apr 17 09:27:53 2000: DEBUG: Packet dump:
*** Sending to 212.64.128.19 port 45647 ....
Code:       Accounting-Response
Identifier: 246
Authentic:  <241>Q2(<234><15>E<140><252><129><234><197><146><216>1<219>
Attributes:
--------------------- DEBUG - Trace 4 --------------------------

Regards

Khurram

Hugh Irvine wrote:

Hello Khurram -

On Sun, 16 Apr 2000, Khurram Shahzad wrote:
> Hi all,
>
> I am trying to use "PreHandlerHook" to check whether the user in request
> belongs to a certain group on the system (unix) and then get this user
> to be authenticated by Handler with check item Group="UserGroup".
> My PreHandlerHook is working perfectly, it is giving the UserGroup
> accordingly , but requests are always handle by the default Realm /
> Handler.
>
> Getting user's groupname and then handle it with handler having check
> item Group="UserGroup" is required?
>

Please send me a copy of your configuration file together with a trace 4 debug
showing what is happening. I will also need your hardware and software
platforms and the Radiator version number.

thanks

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

--
----------------------------------------------------------------------
*  Khurram Shahzad                      System Administrator
*  Shaheer Technics Inc.                4th Floor, Office No. 414
*  Olaya Street - P.O. Box 67073        Riyadh 11596, Saudi Arabia
*
*  Phone:- 9661-460-1409 (Ext. 107)     Fax: 9661-460-1911
*  E mailto:[EMAIL PROTECTED]       Web: http://www.shaheer.net.sa
----------------------------------------------------------------------
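
An added example, not part of the original post or of Radiator: a Python summary of a Trace 4 log in the format shown above, reporting for each received packet the source address, the Handler that took it and the REJECT chain, so a request that fell through to 'Realm=' stands out. The sample trace is constructed and abridged, and the Handler label 'Group=staff' is an assumption about how that clause would be named in the trace.

```python
import re

# Constructed sample, abridged from the Trace 4 format in the post above.
SAMPLE_TRACE = """\
Mon Apr 17 09:27:53 2000: DEBUG: Packet dump:
*** Received from 212.64.128.19 port 45647 ....
Code:       Access-Request
        User-Name = "nadeem"

Mon Apr 17 09:27:53 2000: DEBUG: Handling request with Handler 'Realm='
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthSYSTEM REJECT: User nadeem is not in Group public
Mon Apr 17 09:27:53 2000: DEBUG: Radius::AuthFILE REJECT: User nadeem is not in Group public
Mon Apr 17 09:27:53 2000: DEBUG: Packet dump:
*** Sending to 212.64.128.19 port 45647 ....
Code:       Access-Reject
"""

RECEIVED = re.compile(r"^\*\*\* Received from (\S+) port \d+")
SENDING = re.compile(r"^\*\*\* Sending to ")
CODE = re.compile(r"^Code:\s+(\S+)")
USER = re.compile(r'^\s+User-Name = "([^"]*)"')
HANDLER = re.compile(r"DEBUG: Handling request with Handler '([^']*)'")
REJECT = re.compile(r"DEBUG: (Radius::\w+) REJECT: (.*)$")

def summarize(trace):
    """Return one dict per received packet: src, code, user, handler, rejects, reply."""
    requests, cur, inbound = [], None, False
    for line in trace.splitlines():
        if m := RECEIVED.match(line):
            cur = {"src": m.group(1), "code": None, "user": None,
                   "handler": None, "rejects": [], "reply": None}
            requests.append(cur)
            inbound = True
        elif cur is None:
            continue  # ignore anything before the first received packet
        elif SENDING.match(line):
            inbound = False  # the next Code: line is the server's reply
        elif m := CODE.match(line):
            cur["code" if inbound else "reply"] = m.group(1)
        elif inbound and (m := USER.match(line)):
            cur["user"] = m.group(1)
        elif m := HANDLER.search(line):
            cur["handler"] = m.group(1)
        elif m := REJECT.search(line):
            cur["rejects"].append((m.group(1), m.group(2)))
    return requests

def missed_handler(requests, wanted="Group=staff"):
    """Access-Requests not dispatched to `wanted` (label format is an assumption)."""
    return [r for r in requests if r["code"] == "Access-Request" and r["handler"] != wanted]
```
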
 
