Re: [RADIATOR] ReplyHook Setting code of reply packet
Hi Tim - Interesting problem - I'm not surprised you're perplexed - so was I for a while. In any case, it turns out that there is special processing for Change-Filter-Request in Radius/Handler.pm. So the answer is this: sub { use strict; main::log($main::LOG_DEBUG, 'IN REPLYHOOK'); my $p = ${$_[0]}; # proxy reply packet my $rp = ${$_[1]}; # reply packet to NAS my $op = ${$_[2]}; # original request packet my $sp = ${$_[3]}; # packet sent to proxy if ($p-code eq 'Change-Filter-Request-ACKed') { main::log($main::LOG_DEBUG, 'CoA Acknowledged'); $op-set_code('Access-Request'); $rp-set_code('Access-Accept'); $op-{RadiusResult}=$main::ACCEPT; } else { main::log($main::LOG_DEBUG, 'CoA Rejected'); $rp-set_code('Access-Reject'); #$op-{RadiusResult}=$main::REJECT; } } Here is the result, using two Radiator instances - radpwtst sends to the first on port 1645 which in turn proxies to the second on port 11645: ….. Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4 Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary' sending Change-Filter-Request... Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 1645 Code: Change-Filter-Request Identifier: 65 Authentic: 187132152#H1612412420E26220;166240172 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 6 Code: Change-Filter-Request Identifier: 65 Authentic: 187132152#H1612412420E26220;166240172 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier '' Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 11645 Code: Change-Filter-Request Identifier: 1 Authentic: 161t223Q]x243.249v213243h197M246 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE, Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 56174 Code: Change-Filter-Request Identifier: 1 Authentic: 161t223Q]x243.249v213243h197M246 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier '' Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL: Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 56174 Code: Change-Filter-Request-ACKed Identifier: 1 Authentic: 154238219171[1173226180730j29201225242 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:11645 Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 11645 Code: Change-Filter-Request-ACKed Identifier: 1 Authentic: 154238219171[1173226180730j29201225242 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 6 Code: Access-Accept Identifier: 65 Authentic: 16i0249.A219187227155 q181223218\ Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 1645 Code: Access-Accept Identifier: 65 Authentic: 16i0249.A219187227155 q181223218\ Attributes: ….. hope that helps regards Hugh On 9 Apr 2013, at 01:33, Tim Jones tim.jo...@fon.com wrote: Hi all, I have a Radiator instance acting as a proxy, receiving Access-Request and converting it to a Change-Filter-Request before sending it on again. When it receives the response, it should reply to the originator with Access-Accept or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed it receives. In the ReplyHook, I have a very simple if statement checking the code, and changing it in the response. The response is then sent back to the NAS, but without the code I specify. Best regards, Config trace logs radius.cfg Handler Request-Type=Access-Request, Client-Identifier=proxy_client Identifier access-request_proxy_handler PreAuthHook file:%{GlobalVar:config_dir}/hooks/preauthhook.pl AuthBy RADIUS # Partner-router Host x.x.x.x AuthPort 1812 Secret partner-secret AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class, Session-Timeout, Idle-Timeout ReplyHook file:%{GlobalVar:config_dir}/hooks/replyhook.pl /AuthBy /Handler preauthhook.pl sub { use strict; main::log($main::LOG_DEBUG, 'IN
[RADIATOR] AddToReply with condition
Hello everyone, After good authentication I want to check if the the user exists in a DB (BlackList) and, if yes, put him in a specific VLAN. Made some research and the Handler , , , seemed to be the solution but it doesn’t support attributes that are queries to DB, am I correct?. Can you aid me on this? Thanks in advance. Best regards, Nuno Marques Handler Realm=/^ubi.pt$/i AuthByPolicy ContinueAlways AuthBy SQLAccounting AuthBy PEAP_IAS AuthBy BlackList AuthLog localusers /Handler Authby SQL Identifier BlackList DBSource dbi:mysql:BLACKLIST DBUsername xxx DBAuth xxx Timeout 600 SQLRetries 4 FailureBackoffTime 10 If (AuthSelect SELECT username from BLACKLIST where username=%0) != NULL then AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002 /AuthBy UBI amiga do ambiente: Antes de imprimir este e-mail pense bem se tem mesmo que o fazer. As árvores são um bem imprescindível. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] ReplyHook Setting code of reply packet
Hugh, Many, many thanks!!. Tim Jones *Technology Quality * ** ** tim.jo...@fon.com Skype: Tim.Jones.Fon C/ Quintanavides 15. Edificio 2, Planta 1ª Parque Empresarial Vía Norte, de Metrovacesa 28050 Las Tablas. Madrid On 9 April 2013 10:18, Hugh Irvine h...@open.com.au wrote: Hi Tim - Interesting problem - I'm not surprised you're perplexed - so was I for a while. In any case, it turns out that there is special processing for Change-Filter-Request in Radius/Handler.pm. So the answer is this: sub { use strict; main::log($main::LOG_DEBUG, 'IN REPLYHOOK'); my $p = ${$_[0]}; # proxy reply packet my $rp = ${$_[1]}; # reply packet to NAS my $op = ${$_[2]}; # original request packet my $sp = ${$_[3]}; # packet sent to proxy if ($p-code eq 'Change-Filter-Request-ACKed') { main::log($main::LOG_DEBUG, 'CoA Acknowledged'); $op-set_code('Access-Request'); $rp-set_code('Access-Accept'); $op-{RadiusResult}=$main::ACCEPT; } else { main::log($main::LOG_DEBUG, 'CoA Rejected'); $rp-set_code('Access-Reject'); #$op-{RadiusResult}=$main::REJECT; } } Here is the result, using two Radiator instances - radpwtst sends to the first on port 1645 which in turn proxies to the second on port 11645: ….. Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4 Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary' sending Change-Filter-Request... Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 1645 Code: Change-Filter-Request Identifier: 65 Authentic: 187132152#H1612412420E26220;166240172 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 6 Code: Change-Filter-Request Identifier: 65 Authentic: 187132152#H1612412420E26220;166240172 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier '' Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket ' 0.0.0.0:0' for sending requests Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 11645 Code: Change-Filter-Request Identifier: 1 Authentic: 161t223Q]x243.249v213243h197M246 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE, Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 56174 Code: Change-Filter-Request Identifier: 1 Authentic: 161t223Q]x243.249v213243h197M246 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier '' Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL: Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 56174 Code: Change-Filter-Request-ACKed Identifier: 1 Authentic: 154238219171[1173226180730j29201225242 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:11645 Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 11645 Code: Change-Filter-Request-ACKed Identifier: 1 Authentic: 154238219171[1173226180730j29201225242 Attributes: Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 6 Code: Access-Accept Identifier: 65 Authentic: 16i0249.A219187227155 q181223218\ Attributes: Tue Apr 9 18:09:35 2013: DEBUG: Packet dump: *** Received from 127.0.0.1 port 1645 Code: Access-Accept Identifier: 65 Authentic: 16i0249.A219187227155 q181223218\ Attributes: ….. hope that helps regards Hugh On 9 Apr 2013, at 01:33, Tim Jones tim.jo...@fon.com wrote: Hi all, I have a Radiator instance acting as a proxy, receiving Access-Request and converting it to a Change-Filter-Request before sending it on again. When it receives the response, it should reply to the originator with Access-Accept or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed it receives. In the ReplyHook, I have a very simple if statement checking the code, and changing it in the response. The response is then sent back to the NAS, but without the code I specify. Best regards, Config trace logs radius.cfg Handler Request-Type=Access-Request, Client-Identifier=proxy_client Identifier access-request_proxy_handler PreAuthHook file:%{GlobalVar:config_dir}/hooks/preauthhook.pl AuthBy RADIUS # Partner-router
[RADIATOR] Support for PCRF Diameter messages
Hello, Can Radiator (acting as a diameter server) handle PCRF Diameter messages? Regards Vangelis Kyriakakis ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AddToReply with condition
On 04/09/2013 08:49 PM, Nuno Marques wrote: After good authentication I want to check if the the user exists in a DB (BlackList) and, if yes, put him in a specific VLAN. Made some research and the Handler , , , seemed to be the solution but it doesn’t support attributes that are queries to DB, am I correct?. Can you aid me on this? Thanks in advance. Try this: create AuthBy GROUP with Identifier BlackList. The group would have two AuthBys and AuthByPolicy ContinueUntilAccept. The first AuthBy is AuthBy SQL with AuthSelect that does lookup in SQL and has AddToReply with the VLAN attributes. In other words, this AuthBy adds the attributes if there's a match. The second AuthBy is of type INTERNAL. It should ACCEPT all requests since the policy will evaluate it only when there was no match in the blacklist SQL. The outcome from the GROUP is an accept from the first or the second AuthBy depending on if the user was blacklisted or not. Please let us know how it goes. Thanks, Heikki Handler Realm=/^ubi.pt$/i AuthByPolicy ContinueAlways AuthBy SQLAccounting AuthBy PEAP_IAS * * *AuthBy BlackList* AuthLog localusers /Handler Authby SQL Identifier BlackList DBSource dbi:mysql:BLACKLIST DBUsername xxx DBAuth xxx Timeout 600 SQLRetries 4 FailureBackoffTime 10 *If (AuthSelect SELECT username from BLACKLIST where username=%0) != NULL then* AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=3002 /AuthBy UBI amiga do ambiente: Antes de imprimir este e-mail pense bem se tem mesmo que o fazer. As árvores são um bem imprescindível. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator -- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Support for PCRF Diameter messages
On 04/09/2013 10:24 PM, Vangelis Kyriakakis wrote: Can Radiator (acting as a diameter server) handle PCRF Diameter messages? Since the messages are carried over Diameter, Radiator can receive and decode them for you. You may need to add any missing Diameter attributes into the local dictionary if Radiator log shows some are missing. You could then utilise Diameter to Radius and Radius to Diameter conversion hooks to process the PCRF requests and replies as required. See goodies/diameter-server.cfg for more information about the hooks. Thanks, Heikki -- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator