Hugh, Many, many thanks!!.
Tim Jones
Technology & Quality

[email protected]
Skype: Tim.Jones.Fon

C/ Quintanavides 15. Edificio 2, Planta 1ª
Parque Empresarial Vía Norte, de Metrovacesa
28050 Las Tablas. Madrid

On 9 April 2013 10:18, Hugh Irvine <[email protected]> wrote:

> Hi Tim -
>
> Interesting problem - I'm not surprised you're perplexed - so was I for a
> while.
>
> In any case, it turns out that there is special processing for
> Change-Filter-Request in Radius/Handler.pm.
>
> So the answer is this:
>
>
> sub
> {
>     use strict;
>
>     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
>
>     my $p = ${$_[0]};   # proxy reply packet
>     my $rp = ${$_[1]};  # reply packet to NAS
>     my $op = ${$_[2]};  # original request packet
>     my $sp = ${$_[3]};  # packet sent to proxy
>
>     if ($p->code eq 'Change-Filter-Request-ACKed')
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
>         $op->set_code('Access-Request');
>         $rp->set_code('Access-Accept');
>         $op->{RadiusResult}=$main::ACCEPT;
>     }
>     else
>     {
>         &main::log($main::LOG_DEBUG, 'CoA Rejected');
>         $rp->set_code('Access-Reject');
>         #$op->{RadiusResult}=$main::REJECT;
>     }
> }
>
>
> Here is the result, using two Radiator instances - radpwtst sends to the
> first on port 1645 which in turn proxies to the second on port 11645:
>
>
> …..
>
> Radiator-4.11 hugh$ perl radpwtst -noauth -noacct -user hugh -password hugh -code Change-Filter-Request -trace 4
>
> Tue Apr 9 18:09:35 2013: DEBUG: Reading dictionary file './dictionary'
> sending Change-Filter-Request...
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1645 ....
> Code: Change-Filter-Request
> Identifier: 65
> Authentic: <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 64444 ....
> Code: Change-Filter-Request
> Identifier: 65
> Authentic: <187><132><152>#H<161><241><242>0E<26><220>;<166><240><172>
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
> Tue Apr 9 18:09:35 2013: DEBUG: Handling with Radius::AuthRADIUS
> Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 11645 ....
> Code: Change-Filter-Request
> Identifier: 1
> Authentic: <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 56174 ....
> Code: Change-Filter-Request
> Identifier: 1
> Authentic: <161>t<223>Q]x<243>.<249>v<213><243>h<197>M<246>
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: Handling request with Handler '', Identifier ''
> Tue Apr 9 18:09:35 2013: DEBUG: Handling with AuthINTERNAL:
> Tue Apr 9 18:09:35 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult
> Tue Apr 9 18:09:35 2013: DEBUG: Change-Filter-Request accepted
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 56174 ....
> Code: Change-Filter-Request-ACKed
> Identifier: 1
> Authentic: <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: Received reply in AuthRADIUS for req 1 from 127.0.0.1:11645
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 11645 ....
> Code: Change-Filter-Request-ACKed
> Identifier: 1
> Authentic: <154><238><219><171>[1<173><226><180>7<30>j<29><201><225><242>
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: IN REPLYHOOK
> Tue Apr 9 18:09:35 2013: DEBUG: CoA Acknowledged
> Tue Apr 9 18:09:35 2013: DEBUG: Access accepted for
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 64444 ....
> Code: Access-Accept
> Identifier: 65
> Authentic: <16>i0<249>.A<219><187><227><155> q<181><223><218>\
> Attributes:
>
> Tue Apr 9 18:09:35 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1645 ....
> Code: Access-Accept
> Identifier: 65
> Authentic: <16>i0<249>.A<219><187><227><155> q<181><223><218>\
> Attributes:
>
> …..
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 9 Apr 2013, at 01:33, Tim Jones <[email protected]> wrote:
>
> > Hi all,
> >
> > I have a Radiator instance acting as a proxy, receiving Access-Request
> > and converting it to a Change-Filter-Request before sending it on again.
> > When it receives the response, it should reply to the originator with
> > Access-Accept or Access-Reject, rather than the Change-Filter-ACKed or
> > Change-Filter-NAKed it receives.
> >
> > In the ReplyHook, I have a very simple if statement checking the code,
> > and changing it in the response. The response is then sent back to the NAS,
> > but without the code I specify.
> >
> > Best regards,
> >
> > Config & trace logs
> >
> > ---- radius.cfg ----
> >
> > <Handler Request-Type=Access-Request, Client-Identifier=proxy_client>
> >     Identifier access-request_proxy_handler
> >     PreAuthHook file:"%{GlobalVar:config_dir}/hooks/preauthhook.pl"
> >     <AuthBy RADIUS>
> >         # Partner-router
> >         Host x.x.x.x
> >         AuthPort 1812
> >         Secret partner-secret
> >         AllowInRequest User-Name, NAS-IP-Address, Alc-Subsc-ID-Str, Class, Session-Timeout, Idle-Timeout
> >         ReplyHook file:"%{GlobalVar:config_dir}/hooks/replyhook.pl"
> >     </AuthBy>
> > </Handler>
> >
> > ---- preauthhook.pl ----
> >
> > sub
> > {
> >     use strict;
> >
> >     &main::log($main::LOG_DEBUG, 'IN PREAUTHHOOK');
> >
> >     my $p = ${$_[0]};
> >     $p->set_code('Change-Filter-Request');
> > }
> >
> > ---- replyhook.pl ----
> >
> > sub
> > {
> >     use strict;
> >
> >     &main::log($main::LOG_DEBUG, 'IN REPLYHOOK');
> >
> >     my $p = ${$_[0]};   # proxy reply packet
> >     my $rp = ${$_[1]};  # reply packet to NAS
> >     my $op = ${$_[2]};  # original request packet
> >     my $sp = ${$_[3]};  # packet sent to proxy
> >
> >     if ($p->code eq 'Change-Filter-Request-ACKed')
> >     {
> >         &main::log($main::LOG_DEBUG, 'CoA Acknowledged');
> >         $rp->set_code('Access-Accept');
> >         $op->{RadiusResult}=$main::ACCEPT;
> >     }
> >     else
> >     {
> >         &main::log($main::LOG_DEBUG, 'CoA Rejected');
> >         $rp->set_code('Access-Reject');
> >         #$op->{RadiusResult}=$main::REJECT;
> >     }
> > }
> >
> > ---- log ----
> >
> >
> > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> > *** Received from x.x.x.x port 57791 ....
> > Code: Access-Request
> > Identifier: 1
> > Authentic: <206><173><20><176><255><230><129><180>W<149><208><130>1<152><10>I
> > Attributes:
> >     User-Name = "test"
> >     NAS-IP-Address = n.n.n.n
> >     NAS-Identifier = "n.n.n.n"
> >     Called-Station-Id = "123456789"
> >     Calling-Station-Id = "987654321"
> >     NAS-IP-Address = i.i.i.i
> >     Calling-Station-Id = "11:11:11:11:11:11"
> >     Class = "PartnerClassAttribute"
> >     Session-Timeout = 600
> >     User-Password = <129><235><165><144>d<216><152>DPx<168>+<226><221>&<
> >
> > Mon Apr 8 15:30:33 2013: DEBUG: Handling request with Handler 'Request-Type=Access-Request, Client-Identifier=proxy_client', Identifier 'access-request_proxy_handler'
> > Mon Apr 8 15:30:33 2013: DEBUG: Deleting session for test, n.n.n.n,
> > Mon Apr 8 15:30:33 2013: DEBUG: IN PREAUTHHOOK
> > Mon Apr 8 15:30:33 2013: DEBUG: Handling with Radius::AuthRADIUS
> > Mon Apr 8 15:30:33 2013: DEBUG: AuthBy RADIUS creates new local socket 'x.x.x.x:0' for sending requests
> > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> > *** Sending to x.x.x.x port 1812 ....
> > Code: Change-Filter-Request
> > Identifier: 1
> > Authentic: <238>]<170>x<219>8,<139>q<144>2|<182><192>n3
> > Attributes:
> >     User-Name = "test"
> >     NAS-IP-Address = n.n.n.n
> >     NAS-IP-Address = i.i.i.i
> >     Class = "PartnerClassAttribute"
> >     Session-Timeout = 600
> >     User-Password = <223><179><13><26><150><161><7>!<140>0M<190><130><135>7<8>
> >
> > Mon Apr 8 15:30:33 2013: DEBUG: AuthBy RADIUS result: IGNORE,
> > Mon Apr 8 15:30:33 2013: DEBUG: Received reply in AuthRADIUS for req 1 from x.x.x.x:1812
> > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> > *** Received from x.x.x.x port 1812 ....
> > Code: Change-Filter-Request-ACKed
> > Identifier: 1
> > Authentic: +<216><141>C<27><229>&6O<15><206><160>&<245>P^
> > Attributes:
> >
> > Mon Apr 8 15:30:33 2013: DEBUG: IN REPLYHOOK
> > Mon Apr 8 15:30:33 2013: DEBUG: CoA Acknowledged
> > Mon Apr 8 15:30:33 2013: DEBUG: Change-Filter-Request accepted
> > Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:
> > *** Sending to x.x.x.x port 57791 ....
> > Code: Change-Filter-Request-ACKed
> > Identifier: 1
> > Authentic: <174>~b<229><234><6>Y<10>3<30><230>VD<28><215>C
> > Attributes:
> >
> > Tim Jones
> > Technology & Quality
> >
> >
> > [email protected]
> > Skype: Tim.Jones.Fon
> >
> > C/ Quintanavides 15. Edificio 2, Planta 1ª
> > Parque Empresarial Vía Norte, de Metrovacesa
> > 28050 Las Tablas. Madrid
> > _______________________________________________
> > radiator mailing list
> > [email protected]
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> [email protected]
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
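A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of Radiator: it reads Trace 4 packet dumps and reports any reply whose code does not answer the request it is sent back for. The sample traces, addresses and function names are constructed, and the Change-Filter-Request-NAKed name is assumed from the ACKed name the log shows.

```python
import re

# Reply codes that answer each request code, named as in the trace in this thread
# (assumption: the -NAKed name mirrors the -ACKed one the log shows).
VALID_REPLIES = {
    "Access-Request": {"Access-Accept", "Access-Reject", "Access-Challenge"},
    "Change-Filter-Request": {"Change-Filter-Request-ACKed",
                              "Change-Filter-Request-NAKed"},
}
HEADER = re.compile(r"\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r"^[>\s]*(Code|Identifier):\s*(\S+)")  # tolerates "> " quoting

def parse_packets(trace):
    """Yield (direction, (ip, port), identifier, code) for each packet dump."""
    pkt = None
    for line in trace.splitlines():
        head, field = HEADER.search(line), FIELD.match(line)
        if head:
            pkt = {"dir": head.group(1), "peer": (head.group(2), int(head.group(3)))}
        elif pkt is not None and field:
            pkt[field.group(1)] = field.group(2)
            if "Code" in pkt and "Identifier" in pkt:
                yield pkt["dir"], pkt["peer"], int(pkt["Identifier"]), pkt["Code"]
                pkt = None

def mismatched_replies(trace):
    """Return (peer, id, request_code, reply_code) for replies of the wrong type."""
    pending, bad = {}, []
    for direction, peer, ident, code in parse_packets(trace):
        key = (peer, ident)
        if direction == "Received from" and code in VALID_REPLIES:
            pending[key] = code          # a request arrived from this client
        elif direction == "Sending to" and key in pending and code not in VALID_REPLIES:
            request = pending.pop(key)   # the reply going back to that client
            if code not in VALID_REPLIES[request]:
                bad.append((peer, ident, request, code))
    return bad

def dump(direction, ip, port, code, ident=1):
    """Build one constructed packet dump in the trace's layout."""
    return (f"Mon Apr 8 15:30:33 2013: DEBUG: Packet dump:\n"
            f"*** {direction} {ip} port {port} ....\nCode: {code}\nIdentifier: {ident}\n")

# Constructed traces: client 192.0.2.10, proxy target 192.0.2.20 (placeholders).
PROXY_LEG = (dump("Received from", "192.0.2.10", 57791, "Access-Request")
             + dump("Sending to", "192.0.2.20", 1812, "Change-Filter-Request")
             + dump("Received from", "192.0.2.20", 1812, "Change-Filter-Request-ACKed"))
BROKEN = PROXY_LEG + dump("Sending to", "192.0.2.10", 57791, "Change-Filter-Request-ACKed")
FIXED = PROXY_LEG + dump("Sending to", "192.0.2.10", 57791, "Access-Accept")
```

The check pairs packets by peer address, port and Identifier, so it fits a trace from the single proxying instance; a test that sends Change-Filter-Request directly and expects Access-Accept back would be reported as a mismatch by design.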
