Greetings list.
I've been using Radiator for many odd tasks, and I'm always happy to find that
somehow there's always a Radiator solution in the myriad of options.
This time though, I haven't seen the light or found a nice solution.
What I want to accomplish:
do local auth, and in some cases, forward to other RADIUS servers for them to
do auth.
What I have done so far:
First I do auth based on a lookup in various data. Since the business rules are
rather complex, I have written my own AuthbyXXXX module, and it works as
intended.
Inside AuthbyXXXX, a database contains (among others):
USER,  PASS,  IP,        MASK,            NEXTRADIUS
user1, pass1, 10.0.0.1,  255.255.255.255, 0
user2, pass2, 10.0.0.2,  255.255.255.255, 0
user3, pass3, 10.0.0.3,  255.255.255.255, 1
user4, pass4, 10.0.0.4,  255.255.255.255, 2
user1 and user2 are validated final (NEXTRADIUS=0)
user3 must be validated at another radius-server1 (NEXTRADIUS=1)
user4 must be validated at another radius-server2 (NEXTRADIUS=2)
user1 and user2 are returned $main::ACCEPT or $main::REJECT
user3 and user4 are returned $main::CHALLENGE, and I add an attribute (for
example "Vendor-Specific=radX")
user5 (non-existent locally) always gets REJECT since it doesn't exist in the
primary
I have built this GROUP (using AuthBy FILE to simulate the AuthBy RADIUS I'll
need in production):
and AuthBy GROUP is set to continue on Challenge (AuthByPolicy)
conf:
<Realm>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileChallenge
        <AuthBy XXXX>
            # local auth in own module
        </AuthBy>
        <Handler Vendor-Specific=rad1>
            <AuthBy FILE>
                Filename users1
                # here goes remote radius host, port, secret etc.
            </AuthBy>
        </Handler>
        <Handler Vendor-Specific=rad2>
            <AuthBy FILE>
                Filename users2
            </AuthBy>
        </Handler>
        <Handler>
            <AuthBy FILE>
                Filename users
            </AuthBy>
        </Handler>
    </AuthBy>
</Realm>
But it's not working the way I expected. When challenged, it DOES continue in
GROUP, but it always hits the fallback handler, never the two specific
rad1/rad2 handlers.
I guess this is because Vendor-Specific is added to the REPLY (using
$p->{rp}->add_attr()), and HANDLER looks at the REQUEST?
So:
any great hints on how to do "if then" groups, based on lookups in an AuthBy
XXXX module?
If anything else fails, I'll build a RADIUS client function into AuthbyXXXX, and
do the branching and proxying inside the Perl, but I like the clarity of AuthBy
GROUP, and the fact that I can hand off the request to the remote server, and
not worry about how badly (and it's an MS RADIUS, so it can be really bad) it
responds.
Thanks in advance for hints and thoughts.
/Søren
--
Søren Schrøder, Senior Architect, OSS, Core Engineering, Telenor
mailto:[email protected], tel: (+45)60503045
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
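As an added illustration (not the poster's code, and not part of the Radiator distribution), here is how the custom module's handle_request could attach the routing marker to the request packet $p instead of the reply $p->{rp}, which is the request/reply mismatch the post suspects; whether a <Handler> nested in AuthBy GROUP then matches it is not settled by the post. The package name, the Radius::AuthGeneric handle_request signature and the getUserName/decodedPassword accessors are assumptions about Radiator's Perl API; the user table and the Vendor-Specific=radN marker are taken from the post.

```perl
package Radius::AuthXXXX;    # hypothetical name standing in for the poster's AuthbyXXXX
use strict;
use warnings;
use Radius::AuthGeneric;
our @ISA = qw(Radius::AuthGeneric);

# Constructed from the table in the post: user => [password, NEXTRADIUS]
my %users = (
    user1 => ['pass1', 0],
    user2 => ['pass2', 0],
    user3 => ['pass3', 1],
    user4 => ['pass4', 2],
);

# Assumed Radius::AuthGeneric entry point: ($self, $request, ...) -> ($result, $reason)
sub handle_request {
    my ($self, $p, $dummy, $extra_checks) = @_;

    my $name = $p->getUserName();          # assumed accessor for User-Name
    my $row  = $users{$name // ''};
    # Unknown users (user5 in the post) are final REJECTs; nothing downstream sees them.
    return ($main::REJECT, 'User not known locally') unless $row;

    my ($pass, $next) = @$row;
    my $given = $p->decodedPassword();     # assumed accessor for the decrypted User-Password
    return ($main::REJECT, 'Bad password')
        unless defined $given && $given eq $pass;

    # NEXTRADIUS=0: decided here, the reply goes straight back to the NAS.
    return ($main::ACCEPT) if $next == 0;

    # NEXTRADIUS=1/2: mark the REQUEST so later clauses, which look at $p
    # and not at $p->{rp}, can branch on it. Anything added to $p->{rp}
    # instead ends up in the reply that is eventually sent to the NAS.
    $p->add_attr('Vendor-Specific', "rad$next");
    return ($main::CHALLENGE);
}

1;
```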