Hi Tim - Interesting problem - I'm not surprised you're perplexed - so was I for a while.
In any case, it turns out that there is special processing for Change-Filter-Request in Radius/Handler.pm. So the answer is this: sub { use strict; &main::log($main::LOG_DEBUG, 'IN REPLYHOOK'); my $p = ${$_[0]}; # proxy reply packet my $rp = ${$_[1]}; # reply packet to NAS my $op = ${$_[2]}; # original request packet my $sp = ${$_[3]}; # packet sent to proxy if ($p->code eq 'Change-Filter-Request-ACKed') { &main::log($main::LOG_DEBUG, 'CoA Acknowledged'); $op->set_code('Access-Request'); $rp->set_code('Access-Accept'); $op->{RadiusResult}=$main::ACCEPT; } else { &main::log($main::LOG_DEBUG, 'CoA Rejected'); $rp->set_code('Access-Reject'); #$op->{RadiusResult}=$main::REJECT; } } Here is the result, using two Radiator instances - radpwtst sends to the first on port 1645 which in turn proxies to the second on port 11645: ….. Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4 Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary' sending Change-Filter-Request... Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 1645 .... Code: Change-Filter-Request Identifier: 65 Authentic: <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172> Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 64444 .... Code: Change-Filter-Request Identifier: 65 Authentic: <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172> Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier '' Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 11645 .... Code: Change-Filter-Request Identifier: 1 Authentic: <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246> Attributes: Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE, Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 56174 .... Code: Change-Filter-Request Identifier: 1 Authentic: <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246> Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier '' Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL: Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 56174 .... Code: Change-Filter-Request-ACKed Identifier: 1 Authentic: <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242> Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:11645 Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 11645 .... Code: Change-Filter-Request-ACKed Identifier: 1 Authentic: <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242> Attributes: Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 64444 .... Code: Access-Accept Identifier: 65 Authentic: <16>i0<249>.A<219><187><227><155> q<181><223><218>\ Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 1645 .... Code: Access-Accept Identifier: 65 Authentic: <16>i0<249>.A<219><187><227><155> q<181><223><218>\ Attributes: ….. hope that helps regards Hugh On 9 Apr 2013, at 01:33, Tim Jones <tim.jo...@fon.com> wrote: > Hi all, > > I have a Radiator instance acting as a proxy, receiving Access-Request and > converting it to a Change-Filter-Request before sending it on again. When it > receives the response, it should reply to the originator with Access-Accept > or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed > it receives. > > In the ReplyHook, I have a very simple if statement checking the code, and > changing it in the response. The response is then sent back to the NAS, but > without the code I specify. > > Best regards, > > Config & trace logs > > ---- radius.cfg ---- > > <Handler Request-Type=Access-Request, Client-Identifier=proxy_client> > Identifier access-request_proxy_handler > PreAuthHook file:"%{GlobalVar:config_dir}/hooks/preauthhook.pl" > <AuthBy RADIUS> > # Partner-router > Host x.x.x.x > AuthPort 1812 > Secret partner-secret > AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class, > Session-Timeout, Idle-Timeout > ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl" > </AuthBy> > </Handler> > > ---- preauthhook.pl ---- > > sub > { > use strict; > > &main::log($main::LOG_DEBUG, 'IN PREAUTHHOOK'); > > my $p = ${$_[0]}; > $p->set_code('Change-Filter-Request'); > } > > ---- replyhook.pl ---- > > sub > { > use strict; > > &main::log($main::LOG_DEBUG, 'IN REPLYHOOK'); > > my $p = ${$_[0]}; # proxy reply packet > my $rp = ${$_[1]}; # reply packet to NAS > my $op = ${$_[2]}; # original request packet > my $sp = ${$_[3]}; # packet sent to proxy > > if ($p->code eq 'Change-Filter-Request-ACKed') > { > &main::log($main::LOG_DEBUG, 'CoA Acknowledged'); > $rp->set_code('Access-Accept'); > $op->{RadiusResult}=$main::ACCEPT; > } > else > { > &main::log($main::LOG_DEBUG, 'CoA Rejected'); > $rp->set_code('Access-Reject'); > #$op->{RadiusResult}=$main::REJECT; > } > } > > ---- log ---- > > > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump: > *** Received from x.x.x.x port 57791 .... > Code: Access-Request > Identifier: 1 > Authentic: <206><173><20><176><255><230><129><180>W<149><208><130>1<152><10>I > Attributes: > User-Name = "test" > NAS-IP-Address = n.n.n.n > NAS-Identifier = "n.n.n.n" > Called-Station-Id = "123456789" > Calling-Station-Id = "987654321" > NAS-IP-Address = i.i.i.i > Calling-Station-Id = "11:11:11:11:11:11" > Class = "PartnerClassAttribute" > Session-Timeout = 600 > User-Password = <129><235><165><144>d<216><152>DPx<168>+<226><221>&< > > Mon Apr 8 15:30:33 2013: DEBUG: Handling request with Handler > 'Request-Type=Access-Request, Client-Identifier=proxy_client', Identifier > 'access-request_proxy_handler' > Mon Apr 8 15:30:33 2013: DEBUG: Deleting session for test, n.n.n.n, > Mon Apr 8 15:30:33 2013: DEBUG: IN PREAUTHHOOK > Mon Apr 8 15:30:33 2013: DEBUG: Handling with Radius::AuthRADIUS > Mon Apr 8 15:30:33 2013: DEBUG: AuthBy RADIUS creates new local socket > 'x.x.x.x:0' for sending requests > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump: > *** Sending to x.x.x.x port 1812 .... > Code: Change-Filter-Request > Identifier: 1 > Authentic: <238>]<170>x<219>8,<139>q<144>2|<182><192>n3 > Attributes: > User-Name = "test" > NAS-IP-Address = n.n.n.n > NAS-IP-Address = i.i.i.i > Class = "PartnerClassAttribute" > Session-Timeout = 600 > User-Password = <223><179><13><26><150><161><7>!<140>0M<190><130><135>7<8> > > Mon Apr 8 15:30:33 2013: DEBUG: AuthBy RADIUS result: IGNORE, > Mon Apr 8 15:30:33 2013: DEBUG: Received reply in AuthRADIUS for req 1 from > x.x.x.x:1812 > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump: > *** Received from x.x.x.x port 1812 .... > Code: Change-Filter-Request-ACKed > Identifier: 1 > Authentic: +<216><141>C<27><229>&6O<15><206><160>&<245>P^ > Attributes: > > Mon Apr 8 15:30:33 2013: DEBUG: IN REPLYHOOK > Mon Apr 8 15:30:33 2013: DEBUG: CoA Acknowledged > Mon Apr 8 15:30:33 2013: DEBUG: Change-Filter-Request accepted > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump: > *** Sending to x.x.x.x port 57791 .... > Code: Change-Filter-Request-ACKed > Identifier: 1 > Authentic: <174>~b<229><234><6>Y<10>3<30><230>VD<28><215>C > Attributes: > > Tim Jones > Technology & Quality > > > tim.jo...@fon.com > Skype: Tim.Jones.Fon > > C/ Quintanavides 15. Edificio 2, Planta 1ª > Parque Empresarial Vía Norte, de Metrovacesa > 28050 Las Tablas. Madrid > _______________________________________________ > radiator mailing list > radiator@open.com.au > http://www.open.com.au/mailman/listinfo/radiator -- Hugh Irvine h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator