Hi Heikki,

So if I have three AuthBys in the outer Handler (INTERNAL first for renaming, then two FILEs for checking MAC address and Username) am I correct in assuming that the two AuthBy FILEs will be operating on the request as altered by the initial AuthBy INTERNAL?

I made the suggested modification to the hook and it appears to execute; however, it seems to be replacing the username with a blank string ("") during Access-Challenge, and the subsequent AuthBy FILE sections are still using the "anonymous outer identity" when checking against the blacklist files I have. I've included some sample output. The User-Name I expect to see (at least after GetInnerUsername runs) is "mrodrigues", but only the "anonymous outer identity" (gagagagagagagagagag) is visible. I also never manage to get an Access-Accept, which I do get if I comment out the GetInnerUsername AuthBy.

Code: Access-Request
Identifier: 42
Authentic: ]'<227><149><18>8)"j-<175>-<25><4><182>]
Attributes:
    User-Name = "gagagagagagagagagag"
    NAS-IP-Address = 10.99.1.250
    NAS-Port = 66
    Framed-MTU = 1400
    Called-Station-Id = "00:04:96:3a:da:eb"
    Calling-Station-Id = "78:d6:f0:97:f7:d3"
    NAS-Port-Type = Wireless-IEEE-802-11
    NAS-Identifier = "AD-Auth-Dev"
    EAP-Message = <2><0><0><24><1>gagagagagagagagagag
    Message-Authenticator = <220><31>A/!6^<185><203>n<224><168>(<230>l<208>

Mon Apr 21 12:56:42 2014: DEBUG: Handling request with Handler '', Identifier ''
Mon Apr 21 12:56:42 2014: DEBUG: Deleting session for gagagagagagagagagag, 10.99.1.250, 66
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthGROUP:
Mon Apr 21 12:56:42 2014: DEBUG: Handling with AuthINTERNAL: GetInnerUsername
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: GetInnerUsername result: ACCEPT, testing the hook
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthFILE: CheckMacAddressBlacklist
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE looks for match with 78:d6:f0:97:f7:d3 [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE REJECT: No such user: 78:d6:f0:97:f7:d3 [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: CheckMacAddressBlacklist result: ACCEPT,
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthFILE: CheckUserBlacklist
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE looks for match with gagagagagagagagagag [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE REJECT: No such user: gagagagagagagagagag [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: CheckUserBlacklist result: ACCEPT,
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthNTLM:
Mon Apr 21 12:56:42 2014: DEBUG: Handling with EAP: code 2, 0, 24, 1
Mon Apr 21 12:56:42 2014: DEBUG: Response type 1
Mon Apr 21 12:56:42 2014: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: result: CHALLENGE, EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: Access challenged for gagagagagagagagagag: EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: Packet dump:
*** Sending to 10.99.1.250 port 51888 ....

Packet length = 48
0b 2a 00 30 2a 6f 55 9b 22 ba 50 16 82 c7 f0 aa
47 92 22 b9 01 02 4f 08 01 01 00 06 19 20 50 12
bd c9 eb a2 b2 cd 56 77 df 9a 3b 5a e1 d9 e7 0b
Code: Access-Challenge
Identifier: 42
Authentic: *oU<155>"<186>P<22><130><199><240><170>G<146>"<185>
Attributes:
    User-Name = ""
    EAP-Message = <1><1><0><6><25>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

On 4/21/2014 10:25 AM, Heikki Vatiainen wrote:
> On 04/18/2014 07:31 PM, Michael Rodrigues wrote:
>
>> I tried adding an AuthBy INTERNAL to the outer handler, using the perl
>> snippet you had suggested with RequestHook. I get a hook error whenever
>> it is called. I'm not a perl guru but I tried changing "${$_[1]}" to
>> just "$_[1]" and got rid of the SCALAR error, but I was still getting a
>> "Hook error" with no specific information.
> Hello Michael,
>
> your hook needs a couple of small changes. Try this.
>
> RequestHook sub { my $rp = $_[1];
> $rp->changeUserName($rp->{inner_identity}); return $main::ACCEPT;}
>
> The hook parameter types depend on the hook. With RequestHook the Hook
> gets passed a reference, not a reference to a reference like it does for
> some Hooks. Also, you need to return a suitable return value because
> AuthBy INTERNAL checks what the hook returns.
>
> Thanks,
> Heikki
>

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
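
Added example, not part of the original message or of Radiator: a small Python check that reads a debug trace in the format shown above and lists which value each AuthBy FILE blacklist lookup was actually run against, so a rename that did not take effect is visible at a glance. The function names are hypothetical, the sample lines are copied from the trace in the message, and the bracketed value is reported as logged without assuming its meaning.

```python
import re

# Sample input: debug lines copied from the trace in the message above.
SAMPLE_LOG = """\
Mon Apr 21 12:56:42 2014: DEBUG: Handling with AuthINTERNAL: GetInnerUsername
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthFILE: CheckMacAddressBlacklist
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE looks for match with 78:d6:f0:97:f7:d3 [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthFILE: CheckUserBlacklist
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE looks for match with gagagagagagagagagag [gagagagagagagagagag]
"""

# "Handling with <module>: <Identifier>"; the identifier may be empty.
HANDLING = re.compile(r"DEBUG: Handling with (?:Radius::)?Auth\w+:\s*(\S*)\s*$")
# "Radius::AuthFILE looks for match with <key> [<name>]"
LOOKUP = re.compile(r"DEBUG: Radius::AuthFILE looks for match with (.+?) \[(.*)\]\s*$")


def file_lookups(log_text):
    """Return (identifier, lookup_key, bracketed_name) per AuthFILE lookup."""
    current, found = "", []
    for line in log_text.splitlines():
        m = HANDLING.search(line)
        if m:
            current = m.group(1)  # remember which AuthBy clause is running
            continue
        m = LOOKUP.search(line)
        if m:
            found.append((current, m.group(1), m.group(2)))
    return found


def checks_missing_identity(log_text, expected_user):
    """Identifiers of AuthFILE lookups in which expected_user never appears."""
    return [ident for ident, key, name in file_lookups(log_text)
            if expected_user not in (key, name)]


if __name__ == "__main__":
    for ident, key, name in file_lookups(SAMPLE_LOG):
        print(f"{ident}: key={key!r} bracketed={name!r}")
    # Both blacklist checks ran without ever seeing the expected user name.
    print("missing:", checks_missing_identity(SAMPLE_LOG, "mrodrigues"))
```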