Hello -

Thanks for letting me know.

regards

Hugh


> On 19 Jan 2016, at 22:10, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> 
> Hello Hugh.
> 
> I found your script in the mailing list.
> http://www.open.com.au/pipermail/radiator/2010-March/016160.html
> 
> It works for me.
> 
> Thanks for the help!
> 
> 
> 2016-01-18 16:33 GMT+03:00 SinTeZ Wh1te <sintezwh...@gmail.com>:
> Hello Hugh.
> 
> The second AuthBy clause does not send a reply to the NAS.
> 
> radius.cfg
> -------
> <AuthBy RADIUS>
>       Identifier Primary
>       Host 10.0.6.151
>       Secret 123456
>       AuthPort 1812
>       AcctPort 1813
>       ReplyHook file:"/etc/radiator/AccessReject"
> </AuthBy>
> 
> <AuthBy RADIUS>
>       Identifier Secondary
>       Host 10.0.6.152
>       Secret 123456
>       AuthPort 1812
>       AcctPort 1813
> </AuthBy>
> 
> <Handler>
>       AuthBy Primary
> </Handler>
> -------
> 
> /etc/radiator/AccessReject
> --------
> sub
> {
>     my $p  = ${$_[0]};    # proxy reply packet
>     my $rp = ${$_[1]};    # reply packet to NAS
>     my $op = ${$_[2]};    # original request packet
>     my $sp = ${$_[3]};    # packet sent to proxy
> 
>     my $code = $p->code;
>     return unless $code eq 'Access-Reject';
> 
>     if ($code eq 'Access-Reject') {
>         my $authby = Radius::AuthGeneric::find('Secondary');
>         if (defined $authby)
>         {
>             my ($rc, $reason) = $authby->handle_request($op, $rp);
>             if ($rc == 2)
>             {
>                 $op->{RadiusResult} = $main::IGNORE;
>             }
>         }
>         return;
>     }
> }
> ---------
> 
> 
> #tshark -i eth0 port 1812 -w /opt/radius.pcap
> 
> Screenshot Wireshark
> 
> http://i.imgur.com/StKAJ18.png
> 
> 10.0.6.13 - NAS
> 10.0.6.150 - Radiator
> 10.0.6.151 - Primary RADIUS
> 10.0.6.152 - Secondary RADIUS
> 
> After 10.0.6.152 sends Access-Accept, Radiator does nothing.
> 
> 
> 2016-01-18 13:29 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> 
> Hello -
> 
> You don’t have to do anything - the second AuthBy RADIUS clause will send the 
> reply to the NAS.
> 
> If you want to do more than that you will also need a ReplyHook in the second 
> AuthBy RADIUS clause.
> 
> regards
> 
> Hugh
> 
> 
> > On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Hello Hugh!
> >
> > > Again note that your hook code will not see the result of the second 
> > > AuthBy RADIUS clause.
> >
> > If the hook code does not see the result, how can I check what I received in 
> > the reply from the second RADIUS server?
> >
> > What my boss needs:
> > 1) The NAS sends an Access-Request to Radiator
> > 2) Radiator re-sends the Access-Request to the primary RADIUS server
> > 3) If the primary server replies Access-Reject with attribute Reply-Message = 1, 
> > Radiator re-sends the Access-Request to the secondary RADIUS server. If 
> > Reply-Message > 1 - send Access-Reject to the NAS.
> > 4) After the secondary server replies, Radiator sends the reply to the NAS
> >
> > Does the reply hook do that?
> >
> > 2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> >
> > Hello -
> >
> > The first thing to understand is that the AuthBy RADIUS clause(s) operate 
> > asynchronously.
> >
> > The hook code in your first AuthBy RADIUS clause will only execute when the 
> > response is received for that clause.
> >
> > When the hook code calls the second AuthBy RADIUS clause it will exit 
> > without waiting.
> >
> > As shown in the example, your hook code needs to alter the response.
> >
> > In this case you would change the response to IGNORE which will allow the 
> > second AuthBy RADIUS clause to execute and return its result.
> >
> >
> >                 …..
> >
> >                 $op->{RadiusResult} = $main::IGNORE;
> >
> >                 …..
> >
> > Again note that your hook code will not see the result of the second AuthBy 
> > RADIUS clause.
> >
> > hope that helps
> >
> > regards
> >
> > Hugh
> >
> >
> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> > >
> > > Thanks Hugh and Heikki!!!
> > >
> > > How can I get the RADIUS reply packet from the secondary server in the hook script???
> > > Radiator sends Access-Reject before the secondary server replies.
> > >
> > >
> > > radius.cfg
> > > ...................
> > > <AuthBy RADIUS>
> > >       Identifier Primary
> > >       Host 10.0.6.151
> > >       Secret 123456
> > >       AuthPort 1812
> > >       AcctPort 1813
> > >       ReplyHook file:"/etc/radiator/AccessReject"
> > > </AuthBy>
> > >
> > > <AuthBy RADIUS>
> > >       Identifier Secondary
> > >       Host 10.0.6.152
> > >       Secret 123456
> > >       AuthPort 1812
> > >       AcctPort 1813
> > > </AuthBy>
> > >
> > > <Handler>
> > >       AuthBy Primary
> > > </Handler>
> > > ...................
> > >
> > >
> > > /etc/radiator/AccessReject
> > > ...................
> > > sub
> > > {
> > >     my $p  = ${$_[0]};    # proxy reply packet
> > >     my $rp = ${$_[1]};    # reply packet to NAS
> > >     my $op = ${$_[2]};    # original request packet
> > >     my $sp = ${$_[3]};    # packet sent to proxy
> > >
> > >     my $code = $p->code;
> > >     &main::log($main::LOG_DEBUG, "Code = $code");
> > >     return unless $code eq 'Access-Reject';
> > >
> > >     if ($code eq 'Access-Reject') {
> > >         my $authby = Radius::AuthGeneric::find('Secondary');
> > >         if (defined $authby)
> > >         {
> > >             &main::log($main::LOG_DEBUG, "========= HANDLE_REQUEST===========");
> > >             my ($rc, $reason) = $authby->handle_request($op, $rp);
> > >             &main::log($main::LOG_DEBUG, "========= RC =========== $rc");
> > >             &main::log($main::LOG_DEBUG, "========= REASON =========== $reason");
> > >             if ($rc == 2)
> > >             {
> > >                 &main::log($main::LOG_DEBUG, "========= ACCEPT ===========");
> > >             }
> > >             else
> > >             {
> > >                 &main::log($main::LOG_DEBUG, "========= REJECT ===========");
> > >             }
> > >         }
> > >         return;
> > >     }
> > > }
> > > ...................
> > >
> > > radiator log
> > > -------------------
> > > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > > *** Received from 10.0.6.13 port 57565 ....
> > > Code:       Access-Request
> > > Identifier: 0
> > > Authentic:        1452774130
> > > Attributes:
> > >       User-Name = "testcoa10"
> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > >       NAS-IP-Address = 10.0.6.13
> > >       NAS-Port = 1
> > >       NAS-Port-Id = "123"
> > >       Service-Type = Framed-User
> > >       Framed-Protocol = PPP
> > >       Acct-Session-Id = "1"
> > >       Calling-Station-Id = "0800.2727.0575"
> > >
> > > Thu Jan 14 15:22:08 2016: DEBUG: Handling request with Handler '', Identifier ''
> > > Thu Jan 14 15:22:08 2016: DEBUG:  Deleting session for testcoa10, 10.0.6.13, 1
> > > Thu Jan 14 15:22:08 2016: DEBUG: Handling with Radius::AuthRADIUS
> > > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0:0' for sending requests
> > > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.151 port 1812 ....
> > > Code:       Access-Request
> > > Identifier: 1
> > > Authentic:        1452774130
> > > Attributes:
> > >       User-Name = "testcoa10"
> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > >       NAS-IP-Address = 10.0.6.13
> > >       NAS-Port = 1
> > >       NAS-Port-Id = "123"
> > >       Service-Type = Framed-User
> > >       Framed-Protocol = PPP
> > >       Acct-Session-Id = "1"
> > >       Calling-Station-Id = "0800.2727.0575"
> > >
> > > Thu Jan 14 15:22:08 2016: DEBUG: AuthBy RADIUS result: IGNORE,
> > > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.151:1812
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Received from 10.0.6.151 port 1812 ....
> > > Code:       Access-Reject
> > > Identifier: 1
> > > Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> > > Attributes:
> > >       Reply-Message = "1"
> > >
> > > Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= HANDLE_REQUEST===========
> > > Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.152 port 1812 ....
> > > Code:       Access-Request
> > > Identifier: 1
> > > Authentic:        1452774130
> > > Attributes:
> > >       User-Name = "testcoa10"
> > >       User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
> > >       NAS-IP-Address = 10.0.6.13
> > >       NAS-Port = 1
> > >       NAS-Port-Id = "123"
> > >       Service-Type = Framed-User
> > >       Framed-Protocol = PPP
> > >       Acct-Session-Id = "1"
> > >       Calling-Station-Id = "0800.2727.0575"
> > >
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= RC =========== 2
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= REASON ===========
> > > Thu Jan 14 15:22:09 2016: DEBUG: ========= ACCEPT ===========
> > > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.13 port 57565 ....
> > > Code:       Access-Reject
> > > Identifier: 0
> > > Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> > > Attributes:
> > >       Reply-Message = "Request Denied"
> > >
> > > Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 10.0.6.152:1812
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Received from 10.0.6.152 port 1812 ....
> > > Code:       Access-Accept
> > > Identifier: 1
> > > Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> > > Attributes:
> > >       Acct-Interim-Interval = 300
> > >       Framed-IP-Address = 192.168.0.203
> > >
> > > Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> > > Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> > > *** Sending to 10.0.6.13 port 57565 ....
> > > Code:       Access-Reject
> > > Identifier: 0
> > > Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> > > Attributes:
> > >       Reply-Message = "Request Denied"
> > >       Acct-Interim-Interval = 300
> > >       Framed-IP-Address = 192.168.0.203
> > > -------------------------------------
> > >
> > >
> > > 2016-01-13 1:18 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> > >
> > > Hello -
> > >
> > > See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > >
> > > > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> > > >
> > > > Hello!
> > > >
> > > > I want to know if it's possible to proxy auth requests in a
> > > > redundant fashion.
> > > >
> > > > On each request, I want to proxy it to a primary server; if it
> > > > succeeds, then move on.
> > > > If the auth fails (Access-Reject), I need to proxy the Access-Request to a 
> > > > secondary server.
> > > >
> > > > Is it possible?
> > > >
> > > > Thanks!
> > > > _______________________________________________
> > > > radiator mailing list
> > > > radiator@open.com.au
> > > > http://www.open.com.au/mailman/listinfo/radiator
> > >
> > >
> > > --
> > >
> > > Hugh Irvine
> > > h...@open.com.au
> > >
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > > DIAMETER, SIM, etc.
> > > Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> > >
> > >
> > >
> > >
> > > --
> > > With regards,
> > > Alexander Yakunin
> >
> >
> 
> 
> 
> 
> 
> -- 
> With regards,
> Alexander Yakunin


_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
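
A check for the symptom visible in the debug log quoted above, where the NAS (10.0.6.13) is sent two Access-Reject replies for the same request and the second one carries the Framed-IP-Address and Acct-Interim-Interval from the secondary server's Access-Accept. This is an added example, not part of the original thread or of Radiator; the function names and the `REJECT_ALLOWED` set are assumptions, and mail quote prefixes must be stripped from a log before it is fed in.

```python
import re

# Constructed sample: the two replies sent to the NAS in the log quoted above (abridged).
SAMPLE_LOG = """\
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
Attributes:
    Reply-Message = "Request Denied"

*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
Attributes:
    Reply-Message = "Request Denied"
    Acct-Interim-Interval = 300
    Framed-IP-Address = 192.168.0.203
"""
# Assumption: attributes tolerated in an Access-Reject; adjust for your deployment.
REJECT_ALLOWED = {"Reply-Message", "Proxy-State", "EAP-Message", "Message-Authenticator"}
HEADER = re.compile(r"^\*\*\* Sending to (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier):\s+(\S+)")
ATTR = re.compile(r"^\s+([\w-]+) = ")

def sent_replies(log):
    """Yield each Access-Accept/Access-Reject that Radiator sent, as a dict."""
    pkt = None
    for line in log.splitlines() + [""]:
        # A new dump header or a blank line closes the packet being collected.
        if (m := HEADER.match(line)) or not line.strip() or line.startswith("***"):
            if pkt and pkt.get("Code") in ("Access-Accept", "Access-Reject"):
                yield pkt
            pkt = {"dest": (m.group(1), int(m.group(2))), "attrs": []} if m else None
        elif pkt is not None and (f := FIELD.match(line)):
            pkt[f.group(1)] = f.group(2)
        elif pkt is not None and (a := ATTR.match(line)):
            pkt["attrs"].append(a.group(1))

def audit(log):
    """Flag repeated replies per request and rejects carrying extra attributes."""
    findings, seen = [], {}
    for pkt in sent_replies(log):
        key = pkt["dest"] + (pkt.get("Identifier"),)
        seen[key] = seen.get(key, 0) + 1
        if seen[key] > 1:
            findings.append(("duplicate-reply", key))
        extra = [a for a in pkt["attrs"] if a not in REJECT_ALLOWED]
        if pkt["Code"] == "Access-Reject" and extra:
            findings.append(("reject-carries", key, extra))
    return findings
```

RADIUS identifiers are reused over time, so run the check over one test exchange or a short log window rather than a whole day's log.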
