Hello Stefan -
The problem you have is due to the way the AuthBy RADIUS clause executes, which is asynchronous - it always returns to the mainline code immediately. If you want to have an additional AuthBy clause called after the proxied request is replied to, you will need to use a ReplyHook. There is an example that you can use (with modifications of course) in the file "goodies/hooks.txt" in the Radiator distribution.

regards

Hugh

On Thu, 20 Dec 2001 10:58, [EMAIL PROTECTED] wrote:
> Hello,
>
> we are using a one time password generator which has a radius
> interface. This one is hosted at an outsourcing provider, so I
> want to maintain local profiles for the different user types.
>
> I proxy the authentication request to the OTP radius server and
> add an additional stage for the profiles as outlined in the
> examples. (see the attached config-, user- and profile-files)
>
> The problem is that after the successful radius proxy
> authentication the request returns with an Access-Accept but no
> further processing of the profiles is done.
> (please have a look at the trace at the end)
>
> Without the radius proxying everything works fine with the
> profiles, so what's my mistake?
>
> Do you have any ideas?
>
>
> Thanks in advance
> Stefan Gründel
>
>
> ---------------------------------------------------------------
> Stefan Gründel              [EMAIL PROTECTED]
> IT Security
> MLP Login GmbH              Tel.: +49 / (0)6221 / 308-2378
> Forum 7                     Fax.: +49 / (0)6221 / 308-1621
> 69126 Heidelberg
>
>
> Radiator Configuration:
> -----------------------
> Foreground
> LogStdout
>
> Trace 4
>
> # Set this to the directory where your logfile and details file are to go
> LogDir /var/log/radius
>
> # PID File in /var/run
> PidFile /var/run/radiusd.pid
>
> # Set this to the database directory. It should contain these files:
> #   users        The user database
> #   dictionary   The dictionary for your NAS
> DbDir /usr/local/etc/raddb
>
> AuthPort 1645
> AcctPort 1646
>
> <Client localhost>
>     Secret mysecret
>     DupInterval 0
>     Identifier RAS
> </Client>
>
> #----------------------
> # RADIUS_PROXY
> #----------------------
> <AuthBy RADIUS>
>     Identifier RADIUS_PROXY
>     <Host y.y.y.y>
>         Secret xxxxxxxx
>     </Host>
> </AuthBy>
>
> #----------------------
> # LOCAL_PROFILE
> #----------------------
> <AuthBy GROUP>
>     Identifier LOCAL_PROFILE
>     AuthByPolicy ContinueWhileAccept
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy FILE>
>         Filename /usr/local/etc/raddb/dynamic_users
>     </AuthBy>
>     <AuthBy FILE>
>         Filename /usr/local/etc/raddb/profiles
>         # Remove the pseudo-attribute Profile from the reply
>         StripFromReply Profile
>     </AuthBy>
> </AuthBy>
>
> #----------------------
> # Handler
> #----------------------
> <Handler Request-Type = Accounting-Request>
>     # Local accounting into a file
>     AcctLogFileName /var/log/radius/detail
> </Handler>
>
> <Handler>
>     AuthByPolicy ContinueWhileAccept
>     RewriteUsername s/^(.*)/$1\@MLP/
>     AuthBy RADIUS_PROXY
>     AuthBy LOCAL_PROFILE
> </Handler>
>
> -------------------------------------------------------------
> File profiles:
> --------------
> DEFAULT Reply:Profile = RAS-Login
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Filter-Id = RAS-Login
>
>
> Userfile:
> ---------
> sgruende Client-Identifier = RAS
>     Profile = RAS-Login
>
> -------------------------------------------------------------
>
> linux:/usr/local/etc/raddb # radpwtst -s localhost -secret mysecret
> -nostart -nostop -trace -user sgruende -password 59894217
>
> gives:
>
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 32843 ....
> Code:       Access-Request
> Identifier: 178
> Authentic:  1234567890123456
> Attributes:
>     User-Name = "sgruende"
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Port = 1234
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-Port-Type = Async
>     User-Password = "<204><178>g<148><155>n5<193><188>8<9><160><216>}x<153>"
>
> Thu Dec 20 00:52:14 2001: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
> Thu Dec 20 00:52:14 2001: DEBUG: Check if Handler should be used to handle this request
> Thu Dec 20 00:52:14 2001: DEBUG: Handling request with Handler ''
> Thu Dec 20 00:52:14 2001: DEBUG: Rewrote user name to sgruende@MLP
> Thu Dec 20 00:52:14 2001: DEBUG: Deleting session for sgruende, 203.63.154.1, 1234
> Thu Dec 20 00:52:14 2001: DEBUG: Handling with Radius::AuthRADIUS
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Sending to 10.96.177.6 port 1645 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  1234567890123456
> Attributes:
>     User-Name = "sgruende@MLP"
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Port = 1234
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-Port-Type = Async
>     User-Password = "<167><173><207>C<242><179>@<153><182>(S<164><215>U<214>-"
>
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Received from 10.96.177.6 port 1645 ....
> Code:       Access-Accept
> Identifier: 1
> Authentic:  <176>;<164><227>8/<203><174><149><176><13><146>C<195><146><152>
> Attributes:
>     Framed-Protocol = PPP
>     Filter-Id = "std.in"
>     Framed-MTU = 1500
>     Reply-Message = "geschafft"
>     Session-Timeout = 900
>     Framed-IP-Address = 255.255.255.254
>     Service-Type = Framed-User
>
> Thu Dec 20 00:52:14 2001: DEBUG: Received reply in AuthRADIUS for req 1 from 10.96.177.6:1645
> Thu Dec 20 00:52:14 2001: DEBUG: Access accepted for sgruende@MLP
> Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32843 ....
> Code:       Access-Accept
> Identifier: 178
> Authentic:  1234567890123456
> Attributes:
>     Framed-Protocol = PPP
>     Filter-Id = "std.in"
>     Framed-MTU = 1500
>     Reply-Message = "geschafft"
>     Session-Timeout = 900
>     Framed-IP-Address = 255.255.255.254
>     Service-Type = Framed-User
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
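One way to do what Hugh describes, as an added example that is neither the original poster's configuration nor the code in goodies/hooks.txt: a ReplyHook for the RADIUS_PROXY clause that applies the local profile once the remote Access-Accept has arrived, instead of relying on a following AuthBy that the asynchronous proxy never reaches. It assumes the hook is kept in a Perl file loaded with `ReplyHook file:"/usr/local/etc/raddb/profile_hook.pl"` (assumed path and loading syntax; check your Radiator reference, or inline the sub with backslash continuation as hooks.txt does), and that the hook's argument order is the one hooks.txt uses; the user and profile tables are constructed stand-ins for the dynamic_users and profiles files.

```perl
# Added example, not code from the original post or from Radiator's goodies.
# ReplyHook for the RADIUS_PROXY clause: runs after the reply from the remote
# OTP server has been received and before it is relayed to the NAS.
# Argument order is assumed from goodies/hooks.txt; verify against your copy.
sub {
    my $p  = ${$_[0]};   # reply received from the remote OTP server
    my $rp = ${$_[1]};   # reply that will be sent back to the NAS
    my $op = ${$_[2]};   # original request as received from the NAS

    # Only decorate successful authentications; rejects are relayed unchanged.
    return unless $rp->code eq 'Access-Accept';

    # The Handler appended @MLP before proxying; key the local lookup on the
    # bare user name, as LOCAL_PROFILE's RewriteUsername did.
    my $username = $op->get_attr('User-Name');
    return unless defined $username;
    my ($user) = $username =~ /^([^@]+)/;

    # Constructed stand-in for the dynamic_users and profiles files.
    my %user_profile = (sgruende => 'RAS-Login');
    my %profiles = (
        'RAS-Login' => [
            ['Service-Type',    'Framed-User'],
            ['Framed-Protocol', 'PPP'],
            ['Filter-Id',       'RAS-Login'],
        ],
    );

    my $name = defined $user ? $user_profile{$user} : undef;
    unless (defined $name && $profiles{$name}) {
        # No local profile: leave the remote reply as it is, but say so.
        &main::log($main::LOG_WARNING, "No local profile for $username");
        return;
    }

    # The local profile is authoritative over the remote value of the same
    # attribute (the trace shows the OTP server sending Filter-Id "std.in").
    foreach my $pair (@{ $profiles{$name} }) {
        my ($attr, $value) = @$pair;
        $rp->delete_attr($attr);
        $rp->add_attr($attr, $value);
    }
    &main::log($main::LOG_DEBUG, "Applied local profile $name to $username");
}
```

With this in place the `AuthBy LOCAL_PROFILE` line in the Handler is no longer needed, and because the hook only adds real attributes, no `StripFromReply Profile` is required either.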
