Re: [RADIATOR] RequestHook in AuthBy RADIUS
Hi Jose - Right - understood. In this case I would probably use separate Radiator processes as intermediates between your main server and the targets that require special AVpair processing. You would forward the original request unchanged and then deal with whatever changes are required on the intermediate Radiator instances. I tend to use this architecture quite often as it makes each individual piece much simpler and cleaner. Something like this: ….. Handler Client-Identifier=PGW, Acct-Status-Type=Start Identifier PGW_START AccountingHandled AuthBy GROUP AuthByPolicy ContinueAlways AuthBy RADIUS # Forward to intermediate instance Hostlocalhost AcctPort 11812 Secret secret2 IgnoreAccountingResponse /AuthBy AuthBy RADIUS # Forward to intermediate instance Hostlocalhost AcctPort 11813 Secret secret3 IgnoreAccountingResponse /AuthBy AuthBy RADIUS # Forward to intermediate instance Hostlocalhost AcctPort 11814 Secret secret4 IgnoreAccountingResponse /AuthBy AuthBy RADIUS Host192.168.1.5 Secret secret5 IgnoreAccountingResponse /AuthBy AuthBy RADIUS Host192.168.1.6 Secret secret6 IgnoreAccountingResponse /AuthBy /AuthBy MaxSessions 0 /Handler BTW - I agree with you that a RequestHook would be a useful addition in any case. regards Hugh On 25 Apr 2015, at 00:35, Jose Borges Ferreira undersp...@gmail.com wrote: Hi, I have somthing similar to this: Handler Client-Identifier=PGW, Acct-Status-Type=Start Identifier PGW_START AccountingHandled AuthBy GROUP AuthByPolicy ContinueUntilReject AuthBy RADIUS Host192.168.1.2 Secret secret2 StripFromRequestAVP1__2,AVP2__2 AllowInRequest 3GPP-IMSI, Acct-Session-Id, NAS-Port-Type\ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.3 Secret secret3 RequestHook sub {\ my $p = ${$_[0]};\ my $fp = ${$_[1]};\ my $imsi = $p-get_attr('3GPP-IMSI');\ if ($imsi =~ /^1234/) { \ $fp-change_attr('3GPP-RAT-Type,', 'UMTS');\ }\ } AllowInRequest 3GPP-IMSI, 3GPP-PDP-Type, 3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id,NAS-Port-Type \ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.4 Secret secret3 AllowInRequest 3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id, NAS-Port-Type\ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.5 Secret secret4 /AuthBy AuthBy RADIUS Host192.168.1.6 Secret secret5 /AuthBy /AuthBy MaxSessions 0 /Handler ( not exactly this but similar enough) I want o achieve the following: 1.Broadcast accounting to all servers. 2.Have a different set of AVPs for each destination server. 3.To one server ( and only to that one) want to have a more complex logic and be able to add,remove or change
Re: [RADIATOR] RequestHook in AuthBy RADIUS
Hi, I have somthing similar to this: Handler Client-Identifier=PGW, Acct-Status-Type=Start Identifier PGW_START AccountingHandled AuthBy GROUP AuthByPolicy ContinueUntilReject AuthBy RADIUS Host192.168.1.2 Secret secret2 StripFromRequestAVP1__2,AVP2__2 AllowInRequest 3GPP-IMSI, Acct-Session-Id, NAS-Port-Type\ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.3 Secret secret3 RequestHook sub {\ my $p = ${$_[0]};\ my $fp = ${$_[1]};\ my $imsi = $p-get_attr('3GPP-IMSI');\ if ($imsi =~ /^1234/) { \ $fp-change_attr('3GPP-RAT-Type,', 'UMTS');\ }\ } AllowInRequest 3GPP-IMSI, 3GPP-PDP-Type, 3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id,NAS-Port-Type \ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.4 Secret secret3 AllowInRequest 3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id, NAS-Port-Type\ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.5 Secret secret4 /AuthBy AuthBy RADIUS Host192.168.1.6 Secret secret5 /AuthBy /AuthBy MaxSessions 0 /Handler ( not exactly this but similar enough) I want o achieve the following: 1.Broadcast accounting to all servers. 2.Have a different set of AVPs for each destination server. 3.To one server ( and only to that one) want to have a more complex logic and be able to add,remove or change AVPs In other setups I found that changing avps on one clause it will send AVP changes to the following servers, which was not intended I achieved the intended behaviour by enclosing a AuthBy RADIUS in a GROUP between a couple of INTERNALs. The first one to change the AVP and a final one to restore from original packet. I found a RequestHook very useful and more clean approach. It is the counterpart of the Reply/NoReplyHook . I thought it could be useful for other and, eventually, included in next versions. Thanks anyway, Best regards, José Borges Ferreira On Wed, Apr 22, 2015 at 7:21 AM, Hugh Irvine h...@open.com.au wrote: Hello Jose - One way to do this is with multiple Handler clauses and an AuthBy HANDLER clause in the first one. See the example in “goodies/authhandler.cfg”. See also section 5.76 AuthBy HANDLER in the manual (“doc/ref.pdf”). You can have a different PreAuthHook in each target Handler clause, and the overall configuration will be much simpler. I would also have separate configuration files for authentication and accounting (each listening only on the corresponding ports). hope that helps regards Hugh On 22 Apr 2015, at 01:26, Jose Borges Ferreira undersp...@gmail.com wrote: Hi all, I have a setup that forwards some accounting to several servers. I need to mangle some attributes before a forward to the remote server.One requirement is to have different mangling per host. I couldn't found a way to change hook some code at AuthBy RADIUS, so I implemented the attached patch. So , my question is : Is there a way to achieve what I want ? Does the patch makes sense ? Thanks in advanced, José Borges Ferreira RequestHook.patch___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator -- Hugh Irvine h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] RequestHook in AuthBy RADIUS
Hi again - You could also use an AuthBy MULTICAST clause instead of multiple AuthBy RADIUS clauses. regards Hugh On 25 Apr 2015, at 09:41, Hugh Irvine h...@open.com.au wrote: Hi Jose - Right - understood. In this case I would probably use separate Radiator processes as intermediates between your main server and the targets that require special AVpair processing. You would forward the original request unchanged and then deal with whatever changes are required on the intermediate Radiator instances. I tend to use this architecture quite often as it makes each individual piece much simpler and cleaner. Something like this: ….. Handler Client-Identifier=PGW, Acct-Status-Type=Start Identifier PGW_START AccountingHandled AuthBy GROUP AuthByPolicy ContinueAlways AuthBy RADIUS # Forward to intermediate instance Hostlocalhost AcctPort 11812 Secret secret2 IgnoreAccountingResponse /AuthBy AuthBy RADIUS # Forward to intermediate instance Hostlocalhost AcctPort 11813 Secret secret3 IgnoreAccountingResponse /AuthBy AuthBy RADIUS # Forward to intermediate instance Hostlocalhost AcctPort 11814 Secret secret4 IgnoreAccountingResponse /AuthBy AuthBy RADIUS Host192.168.1.5 Secret secret5 IgnoreAccountingResponse /AuthBy AuthBy RADIUS Host192.168.1.6 Secret secret6 IgnoreAccountingResponse /AuthBy /AuthBy MaxSessions 0 /Handler BTW - I agree with you that a RequestHook would be a useful addition in any case. regards Hugh On 25 Apr 2015, at 00:35, Jose Borges Ferreira undersp...@gmail.com wrote: Hi, I have somthing similar to this: Handler Client-Identifier=PGW, Acct-Status-Type=Start Identifier PGW_START AccountingHandled AuthBy GROUP AuthByPolicy ContinueUntilReject AuthBy RADIUS Host192.168.1.2 Secret secret2 StripFromRequestAVP1__2,AVP2__2 AllowInRequest 3GPP-IMSI, Acct-Session-Id, NAS-Port-Type\ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.3 Secret secret3 RequestHook sub {\ my $p = ${$_[0]};\ my $fp = ${$_[1]};\ my $imsi = $p-get_attr('3GPP-IMSI');\ if ($imsi =~ /^1234/) { \ $fp-change_attr('3GPP-RAT-Type,', 'UMTS');\ }\ } AllowInRequest 3GPP-IMSI, 3GPP-PDP-Type, 3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id,NAS-Port-Type \ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.4 Secret secret3 AllowInRequest 3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id, NAS-Port-Type\ Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name /AuthBy AuthBy RADIUS Host192.168.1.5 Secret secret4 /AuthBy AuthBy RADIUS Host192.168.1.6 Secret secret5 /AuthBy /AuthBy MaxSessions 0 /Handler ( not exactly this but similar enough) I want o achieve the following: 1.Broadcast accounting to all