Hello -
You don’t have to do anything - the second AuthBy RADIUS clause will send the
reply to the NAS.
If you want to do more than that you will also need a ReplyHook in the second
AuthBy RADIUS clause.
regards
Hugh
> On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
>
> Hello Hugh!
>
> > Again note that your hook code will not see the result of the second AuthBy
> > RADIUS clause.
>
> If hook code not see result how can I check that I received in reply from
> second RADIUS server?
>
> What is necessary my boss.
> 1) NAS send Access-Request to Radiator
> 2) Radiator re-send Access-Request to primary RADIUS server
> 3) If primary server reply Access-Reject with attribute Reply-Message = 1,
> Radiator re-send Access-Request to secondary RADIUS server. If Reply-Message
> > 1 - send Access-Reject to NAS.
> 4) After secondary server reply - Radiator send reply to NAS
>
> Reply hook does it?
>
> 2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:
>
> Hello -
>
> The first thing to understand is that the AuthBy RADIUS clause(s) operate
> asynchronously.
>
> The hook code in your first AuthBy RADIUS clause will only execute when the
> response is received for that clause.
>
> When the hook code calls the second AuthBy RADIUS clause it will exit without
> waiting.
>
> As shown in the example, your hook code needs to alter the response.
>
> In this case you would change the response to IGNORE which will allow the
> second AuthBy RADIUS clause to execute and return its result.
>
>
> …..
>
> $op->{RadiusResult} = $main::IGNORE;
>
> …..
>
> Again note that your hook code will not see the result of the second AuthBy
> RADIUS clause.
>
> hope that helps
>
> regards
>
> Hugh
>
>
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Thank Hugh and Heikki!!!
> >
> > How can I get RADIUS reply packet from secondary server in hook script???
> > Radiator send Access-Reject before secondary server reply.
> >
> >
> > radius.cfg
> > ...................
> > <AuthBy RADIUS>
> > Identifier Primary
> > Host 10.0.6.151
> > Secret 123456
> > AuthPort 1812
> > AcctPort 1813
> > ReplyHook file:"/etc/radiator/AccessReject"
> > </AuthBy>
> >
> > <AuthBy RADIUS>
> > Identifier Secondary
> > Host 10.0.6.152
> > Secret 123456
> > AuthPort 1812
> > AcctPort 1813
> > </AuthBy>
> >
> > <Handler>
> > AuthBy Primary
> > </Handler>
> > ...................
> >
> >
> > /etc/radiator/AccessReject
> > ...................
> > sub
> > {
> > my $p = ${$_[0]}; # proxy reply packet
> > my $rp = ${$_[1]}; # reply packet to NAS
> > my $op = ${$_[2]}; # original request packet
> > my $sp = ${$_[3]}; # packet sent to proxy
> >
> > my $code = $p->code;
> > &main::log($main::LOG_DEBUG, "Code = $code");
> > return unless $code eq 'Access-Reject';
> >
> > if($code eq 'Access-Reject'){
> > my $authby = Radius::AuthGeneric::find('Secondary');
> > if (defined $authby)
> > {
> > &main::log($main::LOG_DEBUG, "=========
> > HANDLE_REQUEST===========");
> > my ($rc, $reason) = $authby->handle_request($op, $rp);
> > &main::log($main::LOG_DEBUG, "========= RC
> > =========== $rc");
> > &main::log($main::LOG_DEBUG, "========= REASON
> > =========== $reason");
> > if ($rc == 2)
> > {
> > &main::log($main::LOG_DEBUG, "=========
> > ACCEPT ===========");
> > }
> > else
> > {
> > &main::log($main::LOG_DEBUG, "=========
> > REJECT ===========");
> > }
> > }
> > return;
> > }
> > }
> > ...................
> >
> > radiator log
> > -------------------
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565 ....
> > Code: Access-Request
> > Identifier: 0
> > Authentic: 1452774130
> > Attributes:
> > User-Name = "testcoa10"
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > NAS-IP-Address = 10.0.6.13
> > NAS-Port = 1
> > NAS-Port-Id = "123"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Acct-Session-Id = "1"
> > Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '',
> > Identifier ''
> > Thu Jan 14 15:22:08 2016: DEBUG: Deleting session for testcoa10,
> > 10.0.6.13, 1
> > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket
> > '0.0.0.0:0' for sending requests
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.151 port 1812 ....
> > Code: Access-Request
> > Identifier: 1
> > Authentic: 1452774130
> > Attributes:
> > User-Name = "testcoa10"
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > NAS-IP-Address = 10.0.6.13
> > NAS-Port = 1
> > NAS-Port-Id = "123"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Acct-Session-Id = "1"
> > Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1
> > from 10.0.6.151:1812
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.151 port 1812 ....
> > Code: Access-Reject
> > Identifier: 1
> > Authentic: <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> > Attributes:
> > Reply-Message = "1"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
> > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.152 port 1812 ....
> > Code: Access-Request
> > Identifier: 1
> > Authentic: 1452774130
> > Attributes:
> > User-Name = "testcoa10"
> > User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > NAS-IP-Address = 10.0.6.13
> > NAS-Port = 1
> > NAS-Port-Id = "123"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Acct-Session-Id = "1"
> > Calling-Station-Id = "0800.2727.0575"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
> > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.13 port 57565 ....
> > Code: Access-Reject
> > Identifier: 0
> > Authentic: <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1
> > from 10.0.6.152:1812
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.152 port 1812 ....
> > Code: Access-Accept
> > Identifier: 1
> > Authentic: T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> > Attributes:
> > Acct-Interim-Interval = 300
> > Framed-IP-Address = 192.168.0.203
> >
> > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > *** Sending to 10.0.6.13 port 57565 ....
> > Code: Access-Reject
> > Identifier: 0
> > Authentic: <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> > Attributes:
> > Reply-Message = "Request Denied"
> > Acct-Interim-Interval = 300
> > Framed-IP-Address = 192.168.0.203
> > -------------------------------------
> >
> >
> > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> >
> > Hello -
> >
> > See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> >
> > regards
> >
> > Hugh
> >
> >
> > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> > >
> > > Hello!
> > >
> > > I want to do if it's possible to proxy auth request in a
> > > redundant fashion.
> > >
> > > On each requests, I want to proxy it to a primary server, if it's
> > > success then move on.
> > > If the auth fails (Access-Reject), I need to proxy Access-Request to a
> > > secondary server
> > >
> > > Is it possible?
> > >
> > > Thanks!
> > > _______________________________________________
> > > radiator mailing list
> > > radiator@open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator
> >
> >
> > --
> >
> > Hugh Irvine
> > h...@open.com.au
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER, SIM, etc.
> > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >
> >
> >
> >
> > --
> > С уважением,
> > Александр Якунин
> > _______________________________________________
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>
>
>
> --
> С уважением,
> Александр Якунин
--
Hugh Irvine
h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
