Hi Tim -
Interesting problem - I'm not surprised you're perplexed - so was I for a while.
In any case, it turns out that there is special processing for
Change-Filter-Request in Radius/Handler.pm.
So the answer is this:
sub
{
    use strict;

    &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');

    my $p  = ${$_[0]}; # proxy reply packet
    my $rp = ${$_[1]}; # reply packet to NAS
    my $op = ${$_[2]}; # original request packet
    my $sp = ${$_[3]}; # packet sent to proxy

    if ($p->code eq 'Change-Filter-Request-ACKed')
    {
        &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
        # Handler.pm has special processing for Change-Filter-Request,
        # so reset the code of the original request as well, not only
        # the code of the reply going back to the NAS.
        $op->set_code('Access-Request');
        $rp->set_code('Access-Accept');
        $op->{RadiusResult} = $main::ACCEPT;
    }
    else
    {
        &main::log($main::LOG_DEBUG, 'CoA Rejected');
        $rp->set_code('Access-Reject');
        #$op->{RadiusResult} = $main::REJECT;
    }
}
Here is the result, using two Radiator instances - radpwtst sends to the first
on port 1645 which in turn proxies to the second on port 11645:
…..
Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh
-code Change-Filter-Request -trace 4
Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
sending Change-Filter-Request...
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code: Change-Filter-Request
Identifier: 65
Authentic: <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 64444 ....
Code: Change-Filter-Request
Identifier: 65
Authentic: <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket
'0.0.0.0:0' for sending requests
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 11645 ....
Code: Change-Filter-Request
Identifier: 1
Authentic: <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE,
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 56174 ....
Code: Change-Filter-Request
Identifier: 1
Authentic: <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL:
Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by
DefaultResult
Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 56174 ....
Code: Change-Filter-Request-ACKed
Identifier: 1
Authentic: <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from
127.0.0.1:11645
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 11645 ....
Code: Change-Filter-Request-ACKed
Identifier: 1
Authentic: <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK
Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged
Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 64444 ....
Code: Access-Accept
Identifier: 65
Authentic: <16>i0<249>.A<219><187><227><155> q<181><223><218>\
Attributes:
Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code: Access-Accept
Identifier: 65
Authentic: <16>i0<249>.A<219><187><227><155> q<181><223><218>\
Attributes:
…..
hope that helps
regards
Hugh
On 9 Apr 2013, at 01:33, Tim Jones <[email protected]> wrote:
> Hi all,
>
> I have a Radiator instance acting as a proxy, receiving Access-Request and
> converting it to a Change-Filter-Request before sending it on again. When it
> receives the response, it should reply to the originator with Access-Accept
> or Access-Reject, rather than the Change-Filter-ACKed or Change-Filter-NAKed
> it receives.
>
> In the ReplyHook, I have a very simple if statement checking the code, and
> changing it in the response. The response is then sent back to the NAS, but
> without the code I specify.
>
> Best regards,
>
> Config & trace logs
>
> ---- radius.cfg ----
>
> <Handler Request-Type=Access-Request, Client-Identifier=proxy_client>
>     Identifier access-request_proxy_handler
>     PreAuthHook file:"%{GlobalVar:config_dir}/hooks/preauthhook.pl"
>     <AuthBy RADIUS>
>         # Partner-router
>         Host x.x.x.x
>         AuthPort 1812
>         Secret partner-secret
>         AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class,
>             Session-Timeout, Idle-Timeout
>         ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl"
>     </AuthBy>
> </Handler>
>
> ---- preauthhook.pl ----
>
> sub
> {
>     use strict;
>
>     &main::log($main::LOG_DEBUG, 'IN PREAUTHHOOK');
>
>     my $p = ${$_[0]}; # request packet, rewritten before AuthBy RADIUS forwards it
>     $p->set_code('Change-Filter-Request');
> }
>
> ---- replyhook.pl ----
>
> sub
> {
>     use strict;
>
>     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
>
>     my $p  = ${$_[0]}; # proxy reply packet
>     my $rp = ${$_[1]}; # reply packet to NAS
>     my $op = ${$_[2]}; # original request packet
>     my $sp = ${$_[3]}; # packet sent to proxy
>
>     if ($p->code eq 'Change-Filter-Request-ACKed')
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
>         $rp->set_code('Access-Accept');
>         $op->{RadiusResult} = $main::ACCEPT;
>     }
>     else
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Rejected');
>         $rp->set_code('Access-Reject');
>         #$op->{RadiusResult} = $main::REJECT;
>     }
> }
>
> ---- log ----
>
>
> Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> *** Received from x.x.x.x port 57791 ....
> Code: Access-Request
> Identifier: 1
> Authentic: <206><173><20><176><255><230><129><180>W<149><208><130>1<152><10>I
> Attributes:
> User-Name = "test"
> NAS-IP-Address = n.n.n.n
> NAS-Identifier = "n.n.n.n"
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-IP-Address = i.i.i.i
> Calling-Station-Id = "11:11:11:11:11:11"
> Class = "PartnerClassAttribute"
> Session-Timeout = 600
> User-Password = <129><235><165><144>d<216><152>DPx<168>+<226><221>&<
>
> Mon Apr 8 15:30:33 2013: DEBUG: Handling request with Handler
> 'Request-Type=Access-Request, Client-Identifier=proxy_client', Identifier
> 'access-request_proxy_handler'
> Mon Apr 8 15:30:33 2013: DEBUG: Deleting session for test, n.n.n.n,
> Mon Apr 8 15:30:33 2013: DEBUG: IN PREAUTHHOOK
> Mon Apr 8 15:30:33 2013: DEBUG: Handling with Radius::AuthRADIUS
> Mon Apr 8 15:30:33 2013: DEBUG: AuthBy RADIUS creates new local socket
> 'x.x.x.x:0' for sending requests
> Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 1812 ....
> Code: Change-Filter-Request
> Identifier: 1
> Authentic: <238>]<170>x<219>8,<139>q<144>2|<182><192>n3
> Attributes:
> User-Name = "test"
> NAS-IP-Address = n.n.n.n
> NAS-IP-Address = i.i.i.i
> Class = "PartnerClassAttribute"
> Session-Timeout = 600
> User-Password = <223><179><13><26><150><161><7>!<140>0M<190><130><135>7<8>
>
> Mon Apr 8 15:30:33 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> Mon Apr 8 15:30:33 2013: DEBUG: Received reply in AuthRADIUS for req 1 from
> x.x.x.x:1812
> Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> *** Received from x.x.x.x port 1812 ....
> Code: Change-Filter-Request-ACKed
> Identifier: 1
> Authentic: +<216><141>C<27><229>&6O<15><206><160>&<245>P^
> Attributes:
>
> Mon Apr 8 15:30:33 2013: DEBUG: IN REPLYHOOK
> Mon Apr 8 15:30:33 2013: DEBUG: CoA Acknowledged
> Mon Apr 8 15:30:33 2013: DEBUG: Change-Filter-Request accepted
> Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 57791 ....
> Code: Change-Filter-Request-ACKed
> Identifier: 1
> Authentic: <174>~b<229><234><6>Y<10>3<30><230>VD<28><215>C
> Attributes:
>
> Tim Jones
> Technology & Quality
>
>
> [email protected]
> Skype: Tim.Jones.Fon
>
> C/ Quintanavides 15. Edificio 2, Planta 1ª
> Parque Empresarial Vía Norte, de Metrovacesa
> 28050 Las Tablas. Madrid
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
[email protected]
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
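An added check, not part of either message in this thread: a small Python script that parses the "*** Sending to / Received from" packet dumps of a Radiator trace and flags any reply that still carries a Change-Filter-Request-ACKed/NAKed code back to the requester, which is exactly the symptom in Tim's log. The sample traces are constructed and abridged from the two logs above, with 127.0.0.1 standing in for the redacted x.x.x.x and the ports taken from Tim's trace.

```python
import re

# Constructed sample, abridged from the broken trace in this thread (attributes and
# timestamps dropped): the CoA ACK code leaks back to the NAS on port 57791 unchanged.
BROKEN_TRACE = """\
*** Received from 127.0.0.1 port 57791 ....
Code: Access-Request
Identifier: 1
*** Sending to 127.0.0.1 port 1812 ....
Code: Change-Filter-Request
Identifier: 1
*** Received from 127.0.0.1 port 1812 ....
Code: Change-Filter-Request-ACKed
Identifier: 1
*** Sending to 127.0.0.1 port 57791 ....
Code: Change-Filter-Request-ACKed
Identifier: 1
"""
# Same exchange once the ReplyHook also resets the original request's code.
FIXED_TRACE = BROKEN_TRACE.replace("port 57791 ....\nCode: Change-Filter-Request-ACKed",
                                   "port 57791 ....\nCode: Access-Accept")

DUMP_RE = re.compile(r"\*\*\* (Received from|Sending to) (\S+) port (\d+)")


def parse_dumps(text):
    """Turn each '*** Received from / Sending to' packet dump into a dict."""
    records = []
    for line in text.splitlines():
        if m := DUMP_RE.match(line):
            records.append({"dir": "in" if m.group(1) == "Received from" else "out",
                            "peer": f"{m.group(2)}:{m.group(3)}"})
        elif records and (kv := re.match(r"(Code|Identifier): *(.+)", line)):
            records[-1][kv.group(1)] = kv.group(2).strip()
    return records


def leaked_coa_replies(text):
    """(Identifier, peer, Code) of replies that still carry a CoA code back to the
    requester. A reply pairs with the earlier inbound packet of the same peer and
    Identifier, so the proxy's upstream leg (request out, ACK in) is never paired."""
    pending, leaked = {}, []
    for rec in parse_dumps(text):
        key = (rec["peer"], rec["Identifier"])
        if rec["dir"] == "in":
            pending[key] = rec
        elif pending.pop(key, None) and rec["Code"].startswith("Change-Filter-Request-"):
            leaked.append((rec["Identifier"], rec["peer"], rec["Code"]))
    return leaked
```

Run it over the proxying instance's trace only; the upstream Radiator legitimately answers the proxy with Change-Filter-Request-ACKed.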