Hi Heikki,
I tried that but apparently Radiator is not happy.
00000000 Wed Jul 3 22:12:38 2024 146691: ERR: Unknown keyword 'VsaTranslationHook' in /etc/radiator/lin/radiator line 14171
00000000 Wed Jul 3 22:12:38 2024 146892: ERR: Unknown keyword 'VsaVendor' in /etc/radiator/lin/radiator line 14179
00000000 Wed Jul 3 22:12:38 2024 146970: ERR: Unknown keyword 'VsaTranslateOut' in /etc/radiator/lin/radiator line 14180
The offending bit:
<Handler OSC-Environment-Identifier=HOST_1>
    Identifier IDENT_PROXY
    <AuthBy RADSEC>
        Secret radsec
        NoreplyTimeout 5
        UseTLS
        TLS_Protocols TLSv1.2
        ProxyAlgorithm HashBalance
        UseStatusServerForFailureDetect
        KeepaliveTimeout 180
        NoKeepaliveTimeoutForChildInstances
        ConnectOnDemand
        FailureBackoffTime 5
        [TLS options redacted]
        <Host proxy.host>
            Port 2083
            UseTLS
            TLS_Protocols TLSv1.2
            FailureBackoffTime 5
            VsaTranslationHook file:"%D/hook/loop_check_vt.pl"
        </Host>
        VsaVendor Generic
        VsaTranslateOut
    </AuthBy>
</Handler>
So, I'm guessing that the AuthBy RADSEC doesn't cover all of that in the Host
clause. We're running 4.28 as from your repo. I've tried something else and am
waiting to see what happens. If the Host clause in AuthByRADSEC doesn't support
the VsaTranslationHook, could I request it be added as a feature for the next
version? :-)
With kind regards
Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc
email/teams: [email protected]
gpg: 0x3FCE5142
From: radiator <[email protected]> on behalf of Heikki
Vatiainen via radiator <[email protected]>
Reply to: Heikki Vatiainen <[email protected]>
Date: Friday 28 June 2024 at 09:33
To: "[email protected]" <[email protected]>
Subject: Re: [RADIATOR] Which hook and how to get destination host
On 26.6.2024 14.09, Stefan Paetow via radiator wrote:
I am trying to fix a looping problem between two hosts that does not rely on
attributes being added to packets.
I know I can retrieve the client address from the request as
Radius::Util::inet_ntop($request->{RecvFromAddress}), but I'd like to do the
same for the destination host that's been selected to proxy the request to.
Which handler/hook would be the best to do this in? PreHandlerHook in the
destination AuthBy? And… how do I get the IP address of the destination host
(or the selected host if there are multiple)?
That's an interesting question. Many of the hooks run well before the next hop
details (IP + port) are resolved, but I think I found a solution.
Or is this not possible?
It's possible. There's one hook that runs just before the request is forwarded.
I came up with the following idea. Note that you'd need to have a <Host ...>
clause because that's where the hook goes into. It should also work with the
other proxy AuthBys, such as AuthBy HASHBALANCE.
Here's a config snippet and the hook:
<AuthBy RADIUS>
    VsaVendor Generic
    VsaTranslateOut
    AuthPort 1812
    AcctPort 1813
    <Host 127.0.0.1>
        Secret mysecret
        # Other host specific parameters
        # $p is the request, $is_out is set for outgoing messages
        # $fp is the request that's about to be forwarded
        VsaTranslationHook sub { my ($p, $is_out, $fp) = @_; \
            my $host = $fp->{ThisHost}; \
            my $addr = @{$host->{Address}}[$host->{roundRobinCounter} % @{$host->{Address}}]; \
            my $port = $fp->code eq 'Accounting-Request' \
                ? $host->{AcctPort} : $host->{AuthPort}; \
            my $ip = Radius::Util::inet_ntop($addr); \
            main::log($main::LOG_INFO, "Forwarding to IP $ip port $port\n"); }
    </Host>
</AuthBy>
The Vendor Specific Attribute (VSA) translation parameters are documented here,
except for the hook, which still needs to be documented:
https://files.radiatorsoftware.com/radiator/ref/Clientxxxxxx.html#VsaTranslateIn_Client
The round robin counter is explained below. Briefly, it's for the cases where
Host is defined with a name that resolves to multiple IP addresses:
https://files.radiatorsoftware.com/radiator/ref/AuthByRADIUS.html#Host
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
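As an added illustration (not code from the thread, from OSC or from Jisc), the following is one way Heikki's next-hop lookup could be turned into a file-based hook like the loop_check_vt.pl that Stefan's Host clause references: it derives the selected destination address the same way, compares it with the address the request was received from, and logs a warning when the two match, which is the loop symptom Stefan is chasing. The field names ($fp->{ThisHost}, Address, roundRobinCounter, AuthPort/AcctPort, $p->{RecvFromAddress}) come from the snippets above; the $main::LOG_WARNING and $main::LOG_DEBUG log levels and the assumption that a file: hook evaluates to a single sub are mine.

```perl
# Constructed example hook file for Radiator (assumed to be loaded with
# VsaTranslationHook file:"%D/hook/loop_check_vt.pl" inside a <Host> clause).
# The file must evaluate to one anonymous sub, which Radiator calls with
# ($p, $is_out, $fp) as shown in Heikki's snippet.
sub {
    my ($p, $is_out, $fp) = @_;

    # Only the outgoing call, where the forwarded request $fp exists, matters.
    return unless $is_out && $fp;

    my $host  = $fp->{ThisHost} or return;
    my $addrs = $host->{Address};

    # A Host name that has not resolved yet yields no addresses; bail out
    # rather than taking a modulo by zero below.
    return unless ref($addrs) eq 'ARRAY' && @$addrs;

    # Same selection rule as Heikki's snippet for names with several addresses.
    my $idx  = ($host->{roundRobinCounter} || 0) % @$addrs;
    my $dst  = Radius::Util::inet_ntop($addrs->[$idx]);
    my $src  = Radius::Util::inet_ntop($p->{RecvFromAddress});
    my $port = $fp->code eq 'Accounting-Request'
             ? $host->{AcctPort} : $host->{AuthPort};

    if (defined $src && defined $dst && $src eq $dst) {
        # The chosen next hop is the peer that just sent us this request:
        # the request would bounce straight back, i.e. a proxy loop.
        main::log($main::LOG_WARNING,
            "Loop suspected: request from $src would be forwarded back to $dst port $port\n");
    }
    else {
        main::log($main::LOG_DEBUG,
            "Forwarding request from $src to $dst port $port\n");
    }
    return;
}
```

The hook only observes and logs; whether a VsaTranslationHook can also veto the forward is not covered by the thread, so rejecting looped requests would need a separate mechanism.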