Re: [RADIATOR] ReplyHook Setting code of reply packet
Hi Tim -
Interesting problem - I'm not surprised you're perplexed - so was I for a while.
In any case, it turns out that there is special processing for
Change-Filter-Request in Radius/Handler.pm.
So the answer is this:
sub
{
use strict;
main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
my $p = ${$_[0]}; # proxy reply packet
my $rp = ${$_[1]}; # reply packet to NAS
my $op = ${$_[2]}; # original request packet
my $sp = ${$_[3]}; # packet sent to proxy
if ($p-code eq 'Change-Filter-Request-ACKed')
{
main::log($main::LOG_DEBUG, 'CoA Acknowledged');
$op-set_code('Access-Request');
$rp-set_code('Access-Accept');
$op-{RadiusResult}=$main::ACCEPT;
}
else
{
main::log($main::LOG_DEBUG, 'CoA Rejected');
$rp-set_code('Access-Reject');
#$op-{RadiusResult}=$main::REJECT;
}
}
Here is the result, using two Radiator instances - radpwtst sends to the first
on port 1645 which in turn proxies to the second on port 11645:
…..
Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh
-code Change-Filter-Request -trace 4
Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
sending Change-Filter-Request...
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645
Code: Change-Filter-Request
Identifier: 65
Authentic: 187132152#H1612412420E26220;166240172
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 6
Code: Change-Filter-Request
Identifier: 65
Authentic: 187132152#H1612412420E26220;166240172
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket
'0.0.0.0:0' for sending requests
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 11645
Code: Change-Filter-Request
Identifier: 1
Authentic: 161t223Q]x243.249v213243h197M246
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE,
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 56174
Code: Change-Filter-Request
Identifier: 1
Authentic: 161t223Q]x243.249v213243h197M246
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL:
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by
DefaultResult
Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 56174
Code: Change-Filter-Request-ACKed
Identifier: 1
Authentic: 154238219171[1173226180730j29201225242
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from
127.0.0.1:11645
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 11645
Code: Change-Filter-Request-ACKed
Identifier: 1
Authentic: 154238219171[1173226180730j29201225242
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK
Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged
Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 6
Code: Access-Accept
Identifier: 65
Authentic: 16i0249.A219187227155 q181223218\
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645
Code: Access-Accept
Identifier: 65
Authentic: 16i0249.A219187227155 q181223218\
Attributes:
…..
hope that helps
regards
Hugh
On 9 Apr 2013, at 01:33, Tim Jones tim.jo...@fon.com wrote:
Hi all,
I have a Radiator instance acting as a proxy, receiving Access-Request and
converting it to a Change-Filter-Request before sending it on again. When it
receives the response, it should reply to the originator with Access-Accept
or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed
it receives.
In the ReplyHook, I have a very simple if statement checking the code, and
changing it in the response. The response is then sent back to the NAS, but
without the code I specify.
Best regards,
Config trace logs
radius.cfg
Handler Request-Type=Access-Request, Client-Identifier=proxy_client
Identifier access-request_proxy_handler
PreAuthHook file:%{GlobalVar:config_dir}/hooks/preauthhook.pl
AuthBy RADIUS
# Partner-router
Host x.x.x.x
AuthPort 1812
Secret partner-secret
AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class,
Session-Timeout, Idle-Timeout
ReplyHook file:%{GlobalVar:config_dir}/hooks/replyhook.pl
/AuthBy
/Handler
preauthhook.pl
sub
{
use strict;
main::log($main::LOG_DEBUG, 'IN
[RADIATOR] AddToReply with condition
Hello everyone, After good authentication I want to check if the the user exists in a DB (BlackList) and, if yes, put him in a specific VLAN. Made some research and the Handler , , , seemed to be the solution but it doesn’t support attributes that are queries to DB, am I correct?. Can you aid me on this? Thanks in advance. Best regards, Nuno Marques Handler Realm=/^ubi.pt$/i AuthByPolicy ContinueAlways AuthBy SQLAccounting AuthBy PEAP_IAS AuthBy BlackList AuthLog localusers /Handler Authby SQL Identifier BlackList DBSource dbi:mysql:BLACKLIST DBUsername xxx DBAuth xxx Timeout 600 SQLRetries 4 FailureBackoffTime 10 If (AuthSelect SELECT username from BLACKLIST where username=%0) != NULL then AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002 /AuthBy UBI amiga do ambiente: Antes de imprimir este e-mail pense bem se tem mesmo que o fazer. As árvores são um bem imprescindível. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] ReplyHook Setting code of reply packet
Hugh,
Many, many thanks!!.
Tim Jones
*Technology Quality
*
**
**
tim.jo...@fon.com
Skype: Tim.Jones.Fon
C/ Quintanavides 15. Edificio 2, Planta 1ª
Parque Empresarial Vía Norte, de Metrovacesa
28050 Las Tablas. Madrid
On 9 April 2013 10:18, Hugh Irvine h...@open.com.au wrote:
Hi Tim -
Interesting problem - I'm not surprised you're perplexed - so was I for a
while.
In any case, it turns out that there is special processing for
Change-Filter-Request in Radius/Handler.pm.
So the answer is this:
sub
{
use strict;
main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
my $p = ${$_[0]}; # proxy reply packet
my $rp = ${$_[1]}; # reply packet to NAS
my $op = ${$_[2]}; # original request packet
my $sp = ${$_[3]}; # packet sent to proxy
if ($p-code eq 'Change-Filter-Request-ACKed')
{
main::log($main::LOG_DEBUG, 'CoA Acknowledged');
$op-set_code('Access-Request');
$rp-set_code('Access-Accept');
$op-{RadiusResult}=$main::ACCEPT;
}
else
{
main::log($main::LOG_DEBUG, 'CoA Rejected');
$rp-set_code('Access-Reject');
#$op-{RadiusResult}=$main::REJECT;
}
}
Here is the result, using two Radiator instances - radpwtst sends to the
first on port 1645 which in turn proxies to the second on port 11645:
…..
Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password
hugh -code Change-Filter-Request -trace 4
Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
sending Change-Filter-Request...
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645
Code: Change-Filter-Request
Identifier: 65
Authentic: 187132152#H1612412420E26220;166240172
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 6
Code: Change-Filter-Request
Identifier: 65
Authentic: 187132152#H1612412420E26220;166240172
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '',
Identifier ''
Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '
0.0.0.0:0' for sending requests
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 11645
Code: Change-Filter-Request
Identifier: 1
Authentic: 161t223Q]x243.249v213243h197M246
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE,
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 56174
Code: Change-Filter-Request
Identifier: 1
Authentic: 161t223Q]x243.249v213243h197M246
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '',
Identifier ''
Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL:
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by
DefaultResult
Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 56174
Code: Change-Filter-Request-ACKed
Identifier: 1
Authentic: 154238219171[1173226180730j29201225242
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1
from 127.0.0.1:11645
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 11645
Code: Change-Filter-Request-ACKed
Identifier: 1
Authentic: 154238219171[1173226180730j29201225242
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK
Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged
Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 6
Code: Access-Accept
Identifier: 65
Authentic: 16i0249.A219187227155 q181223218\
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645
Code: Access-Accept
Identifier: 65
Authentic: 16i0249.A219187227155 q181223218\
Attributes:
…..
hope that helps
regards
Hugh
On 9 Apr 2013, at 01:33, Tim Jones tim.jo...@fon.com wrote:
Hi all,
I have a Radiator instance acting as a proxy, receiving Access-Request
and converting it to a Change-Filter-Request before sending it on again.
When it receives the response, it should reply to the originator with
Access-Accept or Access-Reject, rather than the Change-Filter-ACKed or
Change-Filter-NAKed it receives.
In the ReplyHook, I have a very simple if statement checking the code,
and changing it in the response. The response is then sent back to the NAS,
but without the code I specify.
Best regards,
Config trace logs
radius.cfg
Handler Request-Type=Access-Request, Client-Identifier=proxy_client
Identifier access-request_proxy_handler
PreAuthHook file:%{GlobalVar:config_dir}/hooks/preauthhook.pl
AuthBy RADIUS
# Partner-router
[RADIATOR] Support for PCRF Diameter messages
Hello, Can Radiator (acting as a diameter server) handle PCRF Diameter messages? Regards Vangelis Kyriakakis ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AddToReply with condition
On 04/09/2013 08:49 PM, Nuno Marques wrote: After good authentication I want to check if the the user exists in a DB (BlackList) and, if yes, put him in a specific VLAN. Made some research and the Handler , , , seemed to be the solution but it doesn’t support attributes that are queries to DB, am I correct?. Can you aid me on this? Thanks in advance. Try this: create AuthBy GROUP with Identifier BlackList. The group would have two AuthBys and AuthByPolicy ContinueUntilAccept. The first AuthBy is AuthBy SQL with AuthSelect that does lookup in SQL and has AddToReply with the VLAN attributes. In other words, this AuthBy adds the attributes if there's a match. The second AuthBy is of type INTERNAL. It should ACCEPT all requests since the policy will evaluate it only when there was no match in the blacklist SQL. The outcome from the GROUP is an accept from the first or the second AuthBy depending on if the user was blacklisted or not. Please let us know how it goes. Thanks, Heikki Handler Realm=/^ubi.pt$/i AuthByPolicy ContinueAlways AuthBy SQLAccounting AuthBy PEAP_IAS * * *AuthBy BlackList* AuthLog localusers /Handler Authby SQL Identifier BlackList DBSource dbi:mysql:BLACKLIST DBUsername xxx DBAuth xxx Timeout 600 SQLRetries 4 FailureBackoffTime 10 *If (AuthSelect SELECT username from BLACKLIST where username=%0) != NULL then* AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002 /AuthBy UBI amiga do ambiente: Antes de imprimir este e-mail pense bem se tem mesmo que o fazer. As árvores são um bem imprescindível. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator -- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Support for PCRF Diameter messages
On 04/09/2013 10:24 PM, Vangelis Kyriakakis wrote: Can Radiator (acting as a diameter server) handle PCRF Diameter messages? Since the messages are carried over Diameter, Radiator can receive and decode them for you. You may need to add any missing Diameter attributes into the local dictionary if Radiator log shows some are missing. You could then utilise Diameter to Radius and Radius to Diameter conversion hooks to process the PCRF requests and replies as required. See goodies/diameter-server.cfg for more information about the hooks. Thanks, Heikki -- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
