Here's my solution to this problem, using a generic ReplyHook (attached)
and a faux request attribute called NextAuthBy (which names the next
AuthBy to call if the first AuthBy RADIUS rejects). In my case authby2
is a different type of AuthBy, but I think it should work equally well
with a second AuthBy RADIUS (for Host host2).

<AuthBy RADIUS>
    Identifier authby1
    Host host1
    ...
    # if proxy rejects, redirect to NextAuthBy
    ReplyHook file:"%D/proxy_ContinueWhileReject.pl"
</AuthBy>

<AuthBy ...>
    Identifier authby2
    ...
</AuthBy>

<Handler ...>
    AddToRequest NextAuthBy="authby2"
    AuthBy authby1
</Handler>

Hope this helps,
David

P.S. Radiator team: IMHO it would be a very nice improvement if AuthBy
RADIUS had built-in logic to support asynchronous continuation to
another AuthBy, perhaps like this:

<AuthBy RADIUS>
    Identifier authby1
    ...
    # if proxy rejects, redirect to authby2
    AuthByPolicy ContinueWhileReject
    NextAuthBy authby2
</AuthBy>

On 11/23/2011 12:00 PM, [email protected] wrote:
> Date: Wed, 23 Nov 2011 11:37:19 +1100
> From: Hugh Irvine <[email protected]>
> Subject: Re: [RADIATOR] multiple hosts
> To: Judy Angel <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
>
> Hello Judy -
>
> Due to the asynchronous nature of the AuthBy RADIUS clause it's not that
> simple.
>
> You will need to use a hook with specific code to do what you want, or you
> could try the AuthBy MULTICAST clause.
>
> See "goodies/hooks.txt" and/or section 5.63 in the Radiator 4.9 reference
> manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 23 Nov 2011, at 11:01, Judy Angel wrote:
>
>> >
>> > Radius V4.2.
>> > I am looking to authenticate on two servers. If the userid is not
>> > available
>> > in host1 try host2. The config below works fine on host1 but if the return
>> > fails as the userid does not exist it does not check for the userid in
>> > host2. Should this be possible?
>> >
>> >
>> > <Handler Realm= domain.ac.uk>
>> > RewriteUsername s/^([^@]+).*/$1/
>> > <AuthBy RADIUS>
>> >
>> > <Host host1.herts.ac.uk>
>> > Secret xxxx
>> > </Host>
>> > <Host host2.herts.ac.uk>
>> > Secret xxxxx
>> > </Host>
>> > </AuthBy>
>> > # Log accounting to the detail file in LogDir
>> > AcctLogFileName %L/detail
>> > </Handler>
>> >
>> > Thanks
>> > Judy Angel
>> > University of Hertfordshire
>> >
>> > _______________________________________________
>> > radiator mailing list
>> > [email protected]
>> > http://www.open.com.au/mailman/listinfo/radiator

# ReplyHook for AuthBy RADIUS: if proxy rejects, redirect to AuthBy
# whose Identifier matches the value of (fake) request attribute
# NextAuthBy in the original request
#
# adapted from goodies/hooks.txt:AllocateIPAddressOnReplyFromProxy and
# goodies/rejectproxy.cfg
sub {
    my $p = ${$_[0]};   # proxy reply packet
    #my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    #my $sp = ${$_[3]}; # packet sent to proxy
    #my $redirected = $_[5];

    # Get the request code from the proxy reply.
    my $code = $p->code;

    if ($code eq 'Access-Reject') {
        ## Find AuthBy whose identifier matches original request attribute
        ## NextAuthBy
        my $identifier = $op->get_attr('NextAuthBy');
        unless ($identifier) {
            &main::log($main::LOG_ERR, "proxy_ContinueWhileReject.pl: NextAuthBy not set");
            return;
        }

        my $authby = Radius::AuthGeneric::find($identifier);
        unless (defined $authby) {
            &main::log($main::LOG_ERR, "proxy_ContinueWhileReject.pl: no AuthBy with Identifier $identifier");
            return;
        }

        ## remove any reply attributes copied from the proxied reject by
        ## AuthRADIUS.pm (like Reply-Message)
        $op->{rp}->delete_attr_fn
            (sub {
                my ($name,$value) = @_;
                my $pval = $p->get_attr($name);
                return 0 unless (defined $pval and $pval eq $value);
                &main::log($main::LOG_DEBUG, "proxy_ContinueWhileReject.pl: removing reply attribute '$name=$value' from proxied Access-Reject");
                return 1;
            });

        ## handle with this AuthBy, and set result. Ignore reason, since
        ## unfortunately AuthRADIUS substitutes "Proxied" regardless.
        &main::log($main::LOG_DEBUG, "proxy_ContinueWhileReject.pl: redirecting to AuthBy $identifier");
        my ($rc, $reason) = $authby->handle_request($op);
        $op->{RadiusResult} = $rc;
    }
}