Hi Tim -

Interesting problem - I'm not surprised you're perplexed - so was I for a while.

In any case, it turns out that there is special processing for 
Change-Filter-Request in Radius/Handler.pm.

So the answer is this:


sub
{
    use strict;
    
    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
    
    my $p = ${$_[0]};   # proxy reply packet
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to proxy
    
    if ($p->code eq 'Change-Filter-Request-ACKed')
    {
        &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
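        # Set the request code back to Access-Request: Radius/Handler.pm
        # has special processing for Change-Filter-Request.
        $op->set_code('Access-Request');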
        $rp->set_code('Access-Accept');
        $op->{RadiusResult}=$main::ACCEPT;
    }
    else
    {
        &main::log($main::LOG_DEBUG, 'CoA Rejected');
        $rp->set_code('Access-Reject');
        #$op->{RadiusResult}=$main::REJECT;
    }
}


Here is the result, using two Radiator instances - radpwtst sends to the first 
on port 1645 which in turn proxies to the second on port 11645:


…..

Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4

Tue Apr  9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
sending Change-Filter-Request...
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Change-Filter-Request
Identifier: 65
Authentic:  <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 64444 ....
Code:       Change-Filter-Request
Identifier: 65
Authentic:  <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr  9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
Tue Apr  9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 11645 ....
Code:       Change-Filter-Request
Identifier: 1
Authentic:  <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE, 
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 56174 ....
Code:       Change-Filter-Request
Identifier: 1
Authentic:  <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr  9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL: 
Tue Apr  9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult
Tue Apr  9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 56174 ....
Code:       Change-Filter-Request-ACKed
Identifier: 1
Authentic:  <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:11645
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 11645 ....
Code:       Change-Filter-Request-ACKed
Identifier: 1
Authentic:  <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: IN REPLYHOOK
Tue Apr  9 18:09:35 2013: DEBUG: CoA Acknowledged
Tue Apr  9 18:09:35 2013: DEBUG: Access accepted for 
Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 64444 ....
Code:       Access-Accept
Identifier: 65
Authentic:  <16>i0<249>.A<219><187><227><155> q<181><223><218>\
Attributes:

Tue Apr  9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code:       Access-Accept
Identifier: 65
Authentic:  <16>i0<249>.A<219><187><227><155> q<181><223><218>\
Attributes:

…..


hope that helps

regards

Hugh


On 9 Apr 2013, at 01:33, Tim Jones <tim.jo...@fon.com> wrote:

> Hi all,
> 
> I have a Radiator instance acting as a proxy, receiving Access-Request and 
> converting it to a Change-Filter-Request before sending it on again. When it 
> receives the response, it should reply to the originator with Access-Accept 
> or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed 
> it receives.
> 
> In the ReplyHook, I have a very simple if statement checking the code, and 
> changing it in the response. The response is then sent back to the NAS, but 
> without the code I specify.
> 
> Best regards,
> 
> Config & trace logs
> 
> ---- radius.cfg ----
> 
> <Handler Request-Type=Access-Request, Client-Identifier=proxy_client>
>     Identifier access-request_proxy_handler
>     PreAuthHook file:"%{GlobalVar:config_dir}/hooks/preauthhook.pl"
>     <AuthBy RADIUS>
>         # Partner-router
>         Host x.x.x.x
>         AuthPort 1812
>         Secret partner-secret
>         AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class, Session-Timeout, Idle-Timeout
>         ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl"
>     </AuthBy>
> </Handler>
> 
> ---- preauthhook.pl ----
> 
> sub
> {
>     use strict;
>     
>     &main::log($main::LOG_DEBUG, 'IN PREAUTHHOOK');
>     
>     my $p = ${$_[0]};
>     $p->set_code('Change-Filter-Request');
> }
> 
> ---- replyhook.pl ----
> 
> sub
> {
>     use strict;
>     
>     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
>     
>     my $p = ${$_[0]};   # proxy reply packet
>     my $rp = ${$_[1]};  # reply packet to NAS
>     my $op = ${$_[2]};  # original request packet
>     my $sp = ${$_[3]};  # packet sent to proxy
>     
>     if ($p->code eq 'Change-Filter-Request-ACKed')
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
>         $rp->set_code('Access-Accept');
>         $op->{RadiusResult}=$main::ACCEPT;
>     }
>     else
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Rejected');
>         $rp->set_code('Access-Reject');
>         #$op->{RadiusResult}=$main::REJECT;
>     }
> }
> 
> ---- log ----
> 
> 
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Received from x.x.x.x port 57791 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  <206><173><20><176><255><230><129><180>W<149><208><130>1<152><10>I
> Attributes:
>     User-Name = "test"
>     NAS-IP-Address = n.n.n.n
>     NAS-Identifier = "n.n.n.n"
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-IP-Address = i.i.i.i
>     Calling-Station-Id = "11:11:11:11:11:11"
>     Class = "PartnerClassAttribute"
>     Session-Timeout = 600
>     User-Password = <129><235><165><144>d<216><152>DPx<168>+<226><221>&<
> 
> Mon Apr  8 15:30:33 2013: DEBUG: Handling request with Handler 'Request-Type=Access-Request, Client-Identifier=proxy_client', Identifier 'access-request_proxy_handler'
> Mon Apr  8 15:30:33 2013: DEBUG:  Deleting session for test, n.n.n.n, 
> Mon Apr  8 15:30:33 2013: DEBUG: IN PREAUTHHOOK
> Mon Apr  8 15:30:33 2013: DEBUG: Handling with Radius::AuthRADIUS
> Mon Apr  8 15:30:33 2013: DEBUG: AuthBy RADIUS creates new local socket 'x.x.x.x:0' for sending requests
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 1812 ....
> Code:       Change-Filter-Request
> Identifier: 1
> Authentic:  <238>]<170>x<219>8,<139>q<144>2|<182><192>n3
> Attributes:
>     User-Name = "test"
>     NAS-IP-Address = n.n.n.n
>     NAS-IP-Address = i.i.i.i
>     Class = "PartnerClassAttribute"
>     Session-Timeout = 600
>     User-Password = <223><179><13><26><150><161><7>!<140>0M<190><130><135>7<8>
> 
> Mon Apr  8 15:30:33 2013: DEBUG: AuthBy RADIUS result: IGNORE, 
> Mon Apr  8 15:30:33 2013: DEBUG: Received reply in AuthRADIUS for req 1 from x.x.x.x:1812
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Received from x.x.x.x port 1812 ....
> Code:       Change-Filter-Request-ACKed
> Identifier: 1
> Authentic:  +<216><141>C<27><229>&6O<15><206><160>&<245>P^
> Attributes:
> 
> Mon Apr  8 15:30:33 2013: DEBUG: IN REPLYHOOK
> Mon Apr  8 15:30:33 2013: DEBUG: CoA Acknowledged
> Mon Apr  8 15:30:33 2013: DEBUG: Change-Filter-Request accepted
> Mon Apr  8 15:30:33 2013: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 57791 ....
> Code:       Change-Filter-Request-ACKed
> Identifier: 1
> Authentic:  <174>~b<229><234><6>Y<10>3<30><230>VD<28><215>C
> Attributes:
> 
> Tim Jones
> Technology & Quality
> 
>  
> tim.jo...@fon.com
> Skype: Tim.Jones.Fon
>  
> C/ Quintanavides 15. Edificio 2, Planta 1ª
> Parque Empresarial Vía Norte, de Metrovacesa
> 28050 Las Tablas. Madrid
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
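
An added example, not part of the original thread or of Radiator's own code: a Python check that reads a Radiator trace in the packet-dump layout shown above and reports every reply whose code does not answer the request received from that client, which is the symptom in Tim's log. The traces and the 192.0.2.10 / 198.51.100.20 addresses are constructed, and the `Change-Filter-Request-NAKed` name is assumed by analogy with the ACKed name in the trace.

```python
import re

# Reply codes a client accepts for each request code, using the code names
# Radiator prints in its trace. The -NAKed name is assumed by analogy with
# the -ACKed name shown on this page.
EXPECTED_REPLIES = {
    "Access-Request": {"Access-Accept", "Access-Reject", "Access-Challenge"},
    "Change-Filter-Request": {"Change-Filter-Request-ACKed",
                              "Change-Filter-Request-NAKed"},
}

PACKET_RE = re.compile(
    r"^\*\*\* (Sending to|Received from) (\S+) port (\d+) \.\.\.\.\s*\n"
    r"Code:\s+(\S+)\s*\nIdentifier:\s+(\d+)",
    re.MULTILINE,
)

def find_mismatched_replies(trace):
    """Return (peer, port, identifier, request_code, reply_code) for each
    reply whose code does not answer the request received from that peer."""
    trace = re.sub(r"^(?:> ?)+", "", trace, flags=re.MULTILINE)  # mail quoting
    pending = {}  # (peer, port, identifier) -> code of the request received
    mismatches = []
    for direction, peer, port, code, ident in PACKET_RE.findall(trace):
        key = (peer, int(port), int(ident))
        is_request = code in EXPECTED_REPLIES
        if direction == "Received from" and is_request:
            pending[key] = code
        elif direction == "Sending to" and not is_request and key in pending:
            request_code = pending.pop(key)
            if code not in EXPECTED_REPLIES[request_code]:
                mismatches.append(key + (request_code, code))
    return mismatches

def dump(direction, peer, port, code, ident):
    """Build one packet-dump stanza in the layout of the traces on this page."""
    return (f"DEBUG: Packet dump:\n*** {direction} {peer} port {port} ....\n"
            f"Code:       {code}\nIdentifier: {ident}\nAttributes:\n\n")

# Constructed traces: NAS is 192.0.2.10, partner router is 198.51.100.20.
PROXY_LEG = (
    dump("Received from", "192.0.2.10", 57791, "Access-Request", 1)
    + dump("Sending to", "198.51.100.20", 1812, "Change-Filter-Request", 1)
    + dump("Received from", "198.51.100.20", 1812, "Change-Filter-Request-ACKed", 1))
BROKEN_TRACE = PROXY_LEG + dump("Sending to", "192.0.2.10", 57791,
                                "Change-Filter-Request-ACKed", 1)
FIXED_TRACE = PROXY_LEG + dump("Sending to", "192.0.2.10", 57791, "Access-Accept", 1)

if __name__ == "__main__":
    print(find_mismatched_replies(BROKEN_TRACE))  # one mismatch
    print(find_mismatched_replies(FIXED_TRACE))   # none
```

The check only pairs requests the traced instance received with the replies it sent back, so it is meant for the proxy's own log rather than a combined trace that also contains the test client's output.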
