Hello -

The first thing to understand is that the AuthBy RADIUS clause(s) operate 
asynchronously.

The hook code in your first AuthBy RADIUS clause will only execute when the 
response is received for that clause.

When the hook code calls the second AuthBy RADIUS clause it will exit without 
waiting.

As shown in the example, your hook code needs to alter the response.

In this case you would change the response to IGNORE which will allow the 
second AuthBy RADIUS clause to execute and return its result.


                …..

                $op->{RadiusResult} = $main::IGNORE;

                …..

Again note that your hook code will not see the result of the second AuthBy 
RADIUS clause.

hope that helps

regards

Hugh


> On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> 
> Thanks Hugh and Heikki!!!
> 
> How can I get the RADIUS reply packet from the secondary server in the hook script???
> Radiator sends Access-Reject before the secondary server replies.
> 
> 
> radius.cfg
> ...................
> <AuthBy RADIUS>
>       Identifier Primary
>       Host 10.0.6.151
>       Secret 123456
>       AuthPort 1812
>       AcctPort 1813
>       ReplyHook file:"/etc/radiator/AccessReject"
> </AuthBy>
> 
> <AuthBy RADIUS>
>       Identifier Secondary
>       Host 10.0.6.152
>       Secret 123456
>       AuthPort 1812
>       AcctPort 1813
> </AuthBy>
> 
> <Handler>
>       AuthBy Primary
> </Handler>
> ...................
> 
> 
> /etc/radiator/AccessReject
> ...................
> sub
> {
>     my $p = ${$_[0]};     # proxy reply packet
>     my $rp = ${$_[1]};    # reply packet to NAS
>     my $op = ${$_[2]};    # original request packet
>     my $sp = ${$_[3]};    # packet sent to proxy
> 
>     my $code = $p->code;
>     &main::log($main::LOG_DEBUG, "Code = $code");
>     return unless $code eq 'Access-Reject';
> 
>     if ($code eq 'Access-Reject') {
>         my $authby = Radius::AuthGeneric::find('Secondary');
>         if (defined $authby)
>         {
>             &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");
>             my ($rc, $reason) = $authby->handle_request($op, $rp);
>             &main::log($main::LOG_DEBUG, "========= RC =========== $rc");
>             &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");
>             if ($rc == 2)
>             {
>                 &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");
>             }
>             else
>             {
>                 &main::log($main::LOG_DEBUG, "========= REJECT ===========");
>             }
>         }
>         return;
>     }
> }
> ...................
> 
> radiator log
> -------------------
> Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> *** Received from 10.0.6.13 port 57565 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:        1452774130
> Attributes:
>       User-Name = "testcoa10"
>       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>       NAS-IP-Address = 10.0.6.13
>       NAS-Port = 1
>       NAS-Port-Id = "123"
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Acct-Session-Id = "1"
>       Calling-Station-Id = "0800.2727.0575"
> 
> Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''
> Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10, 10.0.6.13, 1
> Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
> Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
> Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.151 port 1812 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:        1452774130
> Attributes:
>       User-Name = "testcoa10"
>       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>       NAS-IP-Address = 10.0.6.13
>       NAS-Port = 1
>       NAS-Port-Id = "123"
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Acct-Session-Id = "1"
>       Calling-Station-Id = "0800.2727.0575"
> 
> Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE, 
> Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.151:1812
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Received from 10.0.6.151 port 1812 ....
> Code:       Access-Reject
> Identifier: 1
> Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> Attributes:
>       Reply-Message = "1"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
> Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.152 port 1812 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:        1452774130
> Attributes:
>       User-Name = "testcoa10"
>       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>       NAS-IP-Address = 10.0.6.13
>       NAS-Port = 1
>       NAS-Port-Id = "123"
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Acct-Session-Id = "1"
>       Calling-Station-Id = "0800.2727.0575"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
> Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON =========== 
> Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
> Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.13 port 57565 ....
> Code:       Access-Reject
> Identifier: 0
> Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> Attributes:
>       Reply-Message = "Request Denied"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.152:1812
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Received from 10.0.6.152 port 1812 ....
> Code:       Access-Accept
> Identifier: 1
> Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> Attributes:
>       Acct-Interim-Interval = 300
>       Framed-IP-Address = 192.168.0.203
> 
> Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.13 port 57565 ....
> Code:       Access-Reject
> Identifier: 0
> Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> Attributes:
>       Reply-Message = "Request Denied"
>       Acct-Interim-Interval = 300
>       Framed-IP-Address = 192.168.0.203
> -------------------------------------
> 
> 
> 2016-01-13 1:18 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> 
> Hello -
> 
> See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> 
> regards
> 
> Hugh
> 
> 
> > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Hello!
> >
> > I want to know if it's possible to proxy auth requests in a
> > redundant fashion.
> >
> > On each request, I want to proxy it to a primary server; if it
> > succeeds, then move on.
> > If the auth fails (Access-Reject), I need to proxy the Access-Request to a
> > secondary server.
> >
> > Is it possible?
> >
> > Thanks!
> > _______________________________________________
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
> 
> 
> 
> -- 
> Best regards,
> Александр Якунин


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
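
Putting the two pieces of this thread together, as an added example (not taken from goodies/hooks.txt and not written by either poster): a ReplyHook for the Primary clause that hands a rejected request to the Secondary clause and then sets the result to IGNORE. It uses only the calls that appear in the thread and assumes the radius.cfg posted above, including the Identifier 'Secondary'.

```perl
# /etc/radiator/AccessReject -- ReplyHook for <AuthBy RADIUS> Identifier Primary
# Added example; assumes the radius.cfg posted earlier in this thread.
sub
{
    my $p  = ${$_[0]};    # reply packet received from the Primary server
    my $rp = ${$_[1]};    # reply packet that will go back to the NAS
    my $op = ${$_[2]};    # original request packet from the NAS
    my $sp = ${$_[3]};    # request packet that was sent to the Primary

    my $code = $p->code;
    &main::log($main::LOG_DEBUG, "Primary replied: $code");

    # Anything other than a reject from the Primary passes through untouched.
    return unless $code eq 'Access-Reject';

    my $authby = Radius::AuthGeneric::find('Secondary');
    unless (defined $authby)
    {
        # No fallback clause found: let the Primary's reject stand.
        &main::log($main::LOG_DEBUG, "AuthBy 'Secondary' not found, keeping reject");
        return;
    }

    # AuthBy RADIUS is asynchronous: this call only sends the request to the
    # Secondary and returns at once. $rc is not the Secondary's verdict.
    my ($rc) = $authby->handle_request($op, $rp);
    &main::log($main::LOG_DEBUG, "Forwarded to Secondary, handle_request returned $rc");

    # Replace the Primary's result with IGNORE so that no reply goes to the
    # NAS now; the Secondary clause returns its result when its reply arrives.
    $op->{RadiusResult} = $main::IGNORE;
    return;
}
```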
