I am putting together a Proof-Of-Concept in which a Change-Filter-Request is submitted to a Cisco ASR when we successfully authenticate via another RADIUS server.
The flow should be:

1. Tunnel opens
2. 'user' (radpwtst) submits Access-Request to server
3. server forwards Access-Request to another Radiator server (auth-user)
4. If server receives an Access-Reject, return immediately to user with Access-Reject
5. Otherwise, submit a Change-Filter-Request to the ASR
6. If server receives Change-Filter-ACKed, return the original Access-Accept to user, else return Access-Reject with Reply-Message of the Change-Filter-NAKed response.

I have this working currently with an AuthBy EXTERNAL and having radpwtst send the Change-Filter-Request, but I have been asked to find a non-blocking method. So far, I have it working up to the last step, but can't seem to 'find' the reply packet coming back from the ASR and act on it. The tracelog shows that we send the Change-Filter-Request and receive the response, but neither of the ReplyHooks is called to receive and process the reply.

Many thanks for any advice; tracelog below, with config files & hooks after.

---- server.log ----

Wed Apr 3 10:22:21 2013: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Wed Apr 3 10:22:21 2013: DEBUG: Reading dictionary file '/usr/local/radius/dictionary'
Wed Apr 3 10:22:21 2013: DEBUG: Creating authentication port x.x.x.x:1812
Wed Apr 3 10:22:21 2013: DEBUG: Creating accounting port x.x.x.x:1813
Wed Apr 3 10:22:21 2013: NOTICE: Server started: Radiator 4.10 on debian
Wed Apr 3 10:22:32 2013: DEBUG: Packet dump:
*** Received from u.u.u.u port 41205 ....
Code:       Access-Request
Identifier: 91
Authentic:  <20><127><202><23><161><161>L l<244><217><206>6j<5>D
Attributes:
        User-Name = "test"
        Service-Type = Framed-User
        NAS-IP-Address = a.a.a.a
        NAS-Identifier = "a.a.a.a"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = y<168><233>GX<232><231><170>7<219>h<210>F<135>@<207>
        Acct-Session-Id = "0000035E"

Wed Apr 3 10:22:32 2013: DEBUG: Handling request with Handler '', Identifier 'server-default'
Wed Apr 3 10:22:32 2013: DEBUG: Deleting session for test, a.a.a.a, 1234
Wed Apr 3 10:22:32 2013: DEBUG: Handling with Radius::AuthRADIUS
Wed Apr 3 10:22:32 2013: DEBUG: AuthBy RADIUS creates new local socket 'x.x.x.x:0' for sending requests
Wed Apr 3 10:22:32 2013: DEBUG: Packet dump:
*** Sending to y.y.y.y port 1645 ....
Code:       Access-Request
Identifier: 1
Authentic:  <20><127><202><23><161><161>L l<244><217><206>6j<5>D
Attributes:
        User-Name = "test"
        Service-Type = Framed-User
        NAS-IP-Address = a.a.a.a
        NAS-Identifier = "a.a.a.a"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = <22><195>5<151><9G<208><130><231>}<239><137><11>Q(
        Acct-Session-Id = "0000035E"

Wed Apr 3 10:22:32 2013: DEBUG: AuthBy RADIUS result: IGNORE,
Wed Apr 3 10:22:32 2013: DEBUG: Received reply in AuthRADIUS for req 1 from y.y.y.y:1645
Wed Apr 3 10:22:32 2013: DEBUG: Packet dump:
*** Received from y.y.y.y port 1645 ....
Code:       Access-Accept
Identifier: 1
Authentic:  <247><4><168><241><231><176><247><195>M<206><199><3><244>J<15><188>
Attributes:

Wed Apr 3 10:22:32 2013: DEBUG: IN REPLYHOOK COA
Wed Apr 3 10:22:32 2013: DEBUG: Recieved: Access-Accept
Wed Apr 3 10:22:32 2013: DEBUG: Auth Sucess
Wed Apr 3 10:22:32 2013: DEBUG: Launching CoA
Wed Apr 3 10:22:32 2013: DEBUG: Handling with Radius::AuthRADIUS
Wed Apr 3 10:22:32 2013: DEBUG: Packet dump:
*** Sending to z.z.z.z port 1650 ....
Code:       Change-Filter-Request
Identifier: 1
Authentic:  <223><0><22>j<178><153><8><169><13><12><169><201><200><234><28>l
Attributes:
        Acct-Session-Id = "0000035E"
        cisco-avpair = "qos-policy-out=add-class(sub,(class-default),police(30000))"

Wed Apr 3 10:22:32 2013: DEBUG: Received reply in AuthRADIUS for req 1 from z.z.z.z:1650
Wed Apr 3 10:22:32 2013: DEBUG: Packet dump:
*** Received from z.z.z.z port 1650 ....
Code:       Change-Filter-Request-ACKed
Identifier: 1
Authentic:  #'<232><204>h<149><222><15>-<5><140><152><207><29><196><28>
Attributes:
        Cisco-Account-Info = "St.t.t.t"
        Cisco-Account-Info = "$IVirtual-Access2.1"

---- radiator.cfg ----

LogDir /var/log/radiator/
DictionaryFile /usr/local/radius/dictionary
PidFile /var/run/radius/server.pid
DbDir /etc/radiator/
BindAddress x.x.x.x
AuthPort 1812
AcctPort 1813

<Log FILE>
        Filename %L/server.log
        Trace 4
</Log>

<Client DEFAULT>
        Secret coa
        DupInterval 0
</Client>

<AuthLog FILE>
        Identifier defaultlog
        Filename /var/log/radiator/server-auth.log
        LogSuccess 1
        LogFailure 1
        SuccessFormat %l %n -> OK
        FailureFormat %l %n -> FAIL
</AuthLog>

<AuthBy RADIUS>
        Identifier auth-user
        Host y.y.y.y
        Secret prx
        AuthPort 1645
        AcctPort 1646
        ReplyHook file:"/usr/local/radius/replyhook-authuser.pl"
</AuthBy>

<AuthBy RADIUS>
        Identifier lns-coa
        Host z.z.z.z
        Secret poc
        AuthPort 1650
        AcctPort 1650
        NoForwardAccounting
        ReplyHook file:"/usr/local/radius/replyhook-lns-coa.pl"
</AuthBy>

---- replyhook-authuser.pl ----

sub {
    use strict;
    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK AUTH-USER');

    my $p  = ${$_[0]};  # proxy reply packet
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to proxy

    # Just dump the code to see what it is...
    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "Received: $code");

    if ($p->code eq 'Access-Accept') {
        &main::log($main::LOG_DEBUG, 'Auth Success');

        # Look up the AuthBy that talks to the ASR and hand it a CoA request
        my $authby_identifier = "lns-coa";
        my $coa_authby;
        if ($coa_authby = Radius::AuthGeneric::find($authby_identifier)) {
            &main::log($main::LOG_DEBUG, 'Launching CoA');

            my $coa_p = new Radius::Radius $main::dictionary;
            $coa_p->set_code('Change-Filter-Request');
            $coa_p->set_authenticator("\000" x 16);
            $coa_p->add_attr('Acct-Session-Id', $op->get_attr('Acct-Session-Id'));
            $coa_p->add_attr('cisco-avpair',
                'qos-policy-out=add-class(sub,(class-default),police(30000))');

            my ($rc, $reason) = $coa_authby->handle_request($coa_p);

            # Hold the reply to the NAS until the CoA outcome is known
            $p->{RadiusResult} = $main::IGNORE;
        } else {
            &main::log($main::LOG_ERR, "No AuthBy with Identifier $authby_identifier");
            $p->set_code('Access-Reject');
            $p->{RadiusResult} = $main::REJECT;
        }
    }
}

---- replyhook-lns-coa.pl ----

sub {
    use strict;
    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK LNS-COA');
}

Tim Jones
Technology & Quality
tim.jo...@fon.com
Skype: Tim.Jones.Fon
C/ Quintanavides 15. Edificio 2, Planta 1ª
Parque Empresarial Vía Norte, de Metrovacesa
28050 Las Tablas. Madrid
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
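The last step of the flow in the post (act on the Change-Filter-Request reply: ACK means pass the Access-Accept through, NAK means Access-Reject carrying the Reply-Message) is easiest to reason about on the wire. The example below is added here and is not Radiator's code or the poster's hooks: it builds the same CoA request the tracelog shows (Acct-Session-Id plus the Cisco cisco-avpair VSA), computes the RFC 5176 Request Authenticator that Radiator fills in for the 16 zero bytes set by the hook, verifies the Response Authenticator of the ACK/NAK against the shared secret before trusting it, and maps the outcome onto the answer returned to the user. It assumes Radiator's Change-Filter-Request / -ACKed / -NAKed names correspond to RFC 5176 codes 43/44/45; the secret "poc" and session id "0000035E" are taken from the post, and the NAS side reply builder is a constructed stand-in for the ASR.

```python
import hashlib
import hmac
import struct

# RFC 2865 / RFC 5176 numbers. Assumption: Radiator's "Change-Filter-Request",
# "Change-Filter-Request-ACKed" and "Change-Filter-Request-NAKed" map to these codes.
CODE_COA_REQUEST = 43
CODE_COA_ACK = 44
CODE_COA_NAK = 45
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
VENDOR_CISCO = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor sub-type of cisco-avpair
HEADER_LEN = 20           # Code, Identifier, Length, Authenticator


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco Vendor-Specific attribute (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def request_authenticator(code, identifier, attrs, secret):
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    This is what replaces the "\\000" x 16 placeholder set in the hook."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(identifier, secret, session_id, avpair):
    """The Change-Filter-Request the server sends to the ASR."""
    attrs = avp(ATTR_ACCT_SESSION_ID, session_id) + cisco_avpair(avpair)
    auth = request_authenticator(CODE_COA_REQUEST, identifier, attrs, secret)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_coa_reply(request, secret, ack, attrs=b""):
    """Constructed stand-in for the ASR: a CoA-ACK or CoA-NAK bound to the request."""
    code = CODE_COA_ACK if ack else CODE_COA_NAK
    identifier = request[1]
    auth = response_authenticator(code, identifier, attrs, request[4:20], secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def verify_reply(request, reply, secret):
    """Only trust a reply whose identifier matches and whose Response Authenticator
    checks out under the shared secret; otherwise a spoofed ACK would unlock the user."""
    if len(reply) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply):
        return False
    attrs = reply[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attrs, request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


def parse_attrs(attrs):
    """Walk the TLV list, stopping at the first malformed length."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            break
        out.append((t, attrs[i + 2:i + l]))
        i += l
    return out


def decide(request, reply, secret):
    """Step 6 of the flow: ACK -> Access-Accept, NAK -> Access-Reject with Reply-Message."""
    if not verify_reply(request, reply, secret):
        return ("Access-Reject", "CoA reply failed authentication")
    if reply[0] == CODE_COA_ACK:
        return ("Access-Accept", None)
    msgs = [v.decode(errors="replace")
            for t, v in parse_attrs(reply[HEADER_LEN:]) if t == ATTR_REPLY_MESSAGE]
    return ("Access-Reject", "; ".join(msgs) or "Change-Filter-Request NAKed")


if __name__ == "__main__":
    secret = b"poc"  # from the lns-coa AuthBy in the post
    req = build_coa_request(1, secret, b"0000035E",
                            b"qos-policy-out=add-class(sub,(class-default),police(30000))")
    print(decide(req, build_coa_reply(req, secret, True), secret))
    print(decide(req, build_coa_reply(req, secret, False,
                                      avp(ATTR_REPLY_MESSAGE, b"Session not found")), secret))
```

The point of `verify_reply` is that the ACK/NAK is only as trustworthy as the Response Authenticator check behind it: an ACK with the right Identifier but a wrong authenticator is discarded rather than turned into an Access-Accept, and a NAK is surfaced to the user via its Reply-Message exactly as the flow in the post requires.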