<Handler>
clause.
When using the <Handler>
clause, all requests
with a specific set of attributes are handled in the same way. You can
configure one or more <Handler>
clauses into
your server, possibly with a different AuthBy authentication methods for
each.<Handler>
and <Realm>
is that
<Handler>
groups together requests based on the
value of any attributes in the request, not just the user's realm as
<Realm>
does. That makes
<Handler>
clauses more powerful but they are
not required as often. A common situation is that you need to distinguish
between authentication methods based on the user's realm. Use
<Handler>
instead of
<Realm>
if you need to choose authentication
methods based on other attribute than Realm
, such as
Called-Station-Id
, Request-Type
,
or some other attribute in the incoming RADIUS request.<Handler checklist>
the checklist expression is
a list of request attributes that must all match before
<Handler>
is used to handle the request. The
format is similar as a list of check items in a user file: a list of
attribute=value
pairs, separated by commas. For more
information, see Section 7.1. Check items.<Handler>
line, the clause matches all requests.<Handler>
to match an incoming request, it
searches each <Handler>
clause in the order in
which they appear in your configuration file. It continues searching until
<Handler>
is found where every check item in
the expression matches the request. If any check item does not match, it
continues onto the next <Handler>
until all the
Handlers are exhausted. If none of the
<Handler>
clauses match, Access-Request is
rejected and Accounting-Request is accepted.<Realm>
or
<Handler>
to handle each request:<Realm DEFAULT>
.<Handler>
and <Realm>
clauses in the same configuration
file but it is not recommended. Using them together may lead to
complicated handler selections and behaviour.<AuthBy SQL>
Called-Station-Id
is 662543
and
Service-Type
is
Framed-User
.<AuthBy DBM>
Called-Station-Id
is 678771
and
Realm
is open.com.au
.<AuthBy RADIUS>
<Handler Called-Station-Id=662543,Service-Type=Framed-User> <AuthBy SQL> ...... </AuthBy> </Handler> <Handler Called-Station-Id=678771,Realm=open.com.au> <AuthBy DBM> ..... </AuthBy> </Handler> # Handles anything that was not handled above: <Handler> <AuthBy RADIUS> ....... </AuthBy> </Handler>
# Request has attributes in a following order: # OSC-Group-Identifier=A # OSC-Group-Identifier=B # Does match <Handler OSC-Group-Identifier=B> .... </Handler>
# Request has attributes in a following order: # OSC-Group-Identifier=A # OSC-Group-Identifier=B # Does not match <Handler OSC-Group-Identifier=B,OSC-Group-Identifier=C> .... </Handler> # Does match <Handler OSC-Group-Identifier=B,OSC-Group-Identifier=A> .... </Handler>
# Strip out NULs, trailing realms, translate to # lower case and remove single quotes RewriteFunction sub { my($a) = shift; $a =~ s/[\000]//g; $a =~ s/^([^@]+).*/$1/; $a =~ tr/[A-Z]/[a-z]/; $a =~ s/'//g; $a; }
# Pipe to my-log-prog AcctLogFileName |/usr/local/bin/my-log-prog
# Log all accounting to a single log file in LogDir AcctLogFileName %L/details
AcctLogFileFormat %{Timestamp} %{Acct-Session-Id}\ %{User-Name}
goodies/logformat.cfg
for a sample configuration file
with JSON format.Cpanel::JSON::XS
or JSON::XS
for
higher performance JSON encoding.# My AuthBy SQL ignores accounting AccountingHandled
# Fake a new attribute into the request, so its logged in the # accounting log file PreProcessingHook sub { ${$_[0]}->add_attr('My-Realm', \ 'some.realm.com');}
# Fake a new attribute into the reply PostProcessingHook sub { ${$_[1]}->add_attr('Class', \ 'billing rate 1');}
# Fake a new attribute into the request PreAuthHook sub { ${$_[0]}->add_attr('test-attr', \ 'test-value');}
PostAuthHook
is called for each request after it has been passed to all the
AuthBy
clauses. A reference to the current request is
passed as the first argument, and a reference to the reply packet
currently being constructed is passed as the second argument. The third
argument is a reference to the result of the authentication
($main::ACCEPT
, $main::REJECT
and so on). The fourth argument is a reference to a string variable
holding the reason for a reject, or undefined if none is available. To
change the type of reply, set the reference to third argument.PostAuthHook
can be an arbitrarily
complicated Perl function, that might run external processes, consult
databases, change the contents of the current request or many other
things.# Add some reply attributes to the reply message # if it is a REJECT and there is 1 or fewer there already PostAuthHook sub { ${$_[1]}->add_attr('test-attr', \ 'test-value') \ if ${$_[2]} == $main::REJECT \ && ${$_[1]}->attr_count() <= 1; }
<AuthBy xxxxxx> Identifier myidentifier </AuthBy> <Realm xxxxxx> # This authenticates through the AuthBy defined above AuthBy myidentifier </Realm>
# Remove any NAS-IP-Address,NAS-Port attributes StripFromRequest NAS-IP-Address,NAS-Port
# Append a Filter-ID and host name AddToRequest Calling-Station-Id=1,Login-IP-Host=%h
# Append a Filter-ID and host name if they are not there already AddToRequestIfNotExist Calling-Station-Id=1,Login-IP-Host=%h
<Realm xxxxxx> <AuthBy xxxxxx> .... </AuthBy> .... </Realm>
<AuthBy xxxxxx> Identifier myidentifier ..... </AuthBy> <Realm xxxxxx> # This authenticates through the AuthBy defined above AuthBy myidentifier .... </Realm>
UsernameCharset
is available as
a global and Handler level parameter. The character set checks are done
for both User-Name attribute and EAP identity.UsernameCharset
checks. When an
EAP-Response/Identity message is handled by an AuthBy, the EAP identity
must pass both global and per Handler UsernameCharset
checks. The Handler is the last Handler that processed the request before
it was passed to the AuthBy.UsernameCharset a-zA-Z0-9._@-
# Show any rejection reason to the end user (maybe) RejectHasReason
SessionDatabaseOptions
is available for
changing how a Handler uses its session database. For more information,
see Section 3.31.22. SessionDatabaseOptions.SessionDatabaseUseRewrittenName
and
SessionDatabaseOptions
.<Handler xxxxxx> # If this was not here, we would default to # myspecialsessiondb2 (the last one in the config file) SessionDatabase myspecialsessiondb1 ..... </Handler> <SessionDatabase SQL> Identifier myspecialsessiondb1 .... </SessionDatabase> <SessionDatabase SQL> Identifier myspecialsessiondb2 .... </SessionDatabase>
NoDeleteBeforeAuthentication
suppresses the call
to delete a session from session database when Access-Request is
received. Calling delete is useful, for example, when a NAS port can
only have a single active session. An Access-Request indicates that a
new session is starting and calling delete allows to clear the old
session if its accounting Stop was lost.AddBeforeAuthentication
causes this Handler to
add a new session before passing the Access-Request to AuthBysAddAfterAuthentication
causes this Handler to add
a new session after successful authentication without waiting for
Accounting StartUseRewrittenName
tells the Handler to use
rewritten user name with session database. If the option is set, the
rewritten user name (as rewritten by RewriteUsername etc) is used.
Otherwise the original User-Name attribute from the request is
used.NoDeleteOnSessionStop
replaces a call to delete a
session from session database with a call to update a session when an
accounting stop is received. This allows the session database to hold
records of ended sessions.SessionDatabaseOptions NoDeleteBeforeAuthentication
<AuthLog xxxxxx> Identifier myidentifier .... </AuthLog> <Realm xxxxxx> # This logs through the AuthLog defined above AuthLog myidentifier </Realm>
<Realm xxxx> <AuthLog xxxxxx> .... </AuthLog> .... </Realm>
<AuthLog xxxxxx> Identifier myidentifier </AuthLog> <Realm xxxxxx> # This log through the AuthLog defined above AuthLog myidentifier </Realm>
PacketTrace
set off or
0
.PacketTrace
is available
for the following clauses:Client
Handler
Realm
AuthBy
ServerDIAMETER
ServerRADSEC
ServerTACACSPLUS
PacketTrace
:# Debug any packets that pass through here PacketTrace
StripFromReply
does never remove any attributes added
by DefaultReply
. Value is a list of comma separated
attribute value pairs all on one line, exactly as for any reply item. You
can use any of the special % formats in the attribute values. There is no
default.<AuthBy UNIX>
and <AuthBy SYSTEM>
, which do not have a way of
specifying per-user reply items. In other AuthBy methods you can also very
easily set up a standard set of reply items for all users, yet you can
still override reply items on a per-user basis.# If the user had no reply items set some DefaultReply Service-Type=Framed,Framed-Protocol=PPP
# Remove dangerous attributes from the reply StripFromReply Framed-IP-Netmask,Framed-Compression
StripFromReply
: It specifies the only attributes that
are permitted in an Access-Accept. It is useful, for example, to limit the
attributes that are passed back to the NAS from a proxy server. This way
you can prevent downstream customer RADIUS servers from sending back
illegal or troublesome attributes to your NAS.# Only permit a limited set of reply attributes. AllowInReply Session-Timeout, Framed-IP-Address
# Append some necessary attributes for our pops AddToReply cisco-avpair="ip:addr_pool=mypool"
<AuthBy INTERNAL>
rejects a
request. The enclosing Realm or Handler must also have
RejectHasReason
enabled.RejectReason
:RejectReason Your account has been disabled
<AuthBy whatever> ...... UseAddressHint DynamicReply USR-IP-Input-Filter </AuthBy>
DEFAULT User-Password = "UNIX" Framed-IP-Address = 255.255.255.254, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, USR-IP-Input-Filter = "1 REJECT src-addr != %a;", Service-Type = Framed-User
Dynamic
. That name is still recognised as a
synonym for DynamicReply
.radpwtst
utility or by configuring Radiator to query the NAS directly. For more
information, see Section 6.1. radpwtst and Section 3.14.34. NasType.# Limit all users in this realm to max of 1 session MaxSessions 1
# Turn on global LogTraceId LogTraceId # Generate a Class attribute that NAS will echo back <Handler ...> ...... AutoClass </Handler>
uuid
and formatted
which add a
hex value UUID or Radiator formatted string. The format is specified after
a whitespace, see below for an example. The default is not to do further
formatting.# Add a v3 UUID to Class AutoClass uuid
uuid
parameter.# Add the farm instance to Class AutoClass formatted %O
last
on a wtmp
file produced by Radiator, you will need to use the -o
flag (which specifies lib5c format).# Work out the users IP address from the first # FramedGroupBaseAddress specified in out client FramedGroup 0
# Help desk want to see all password attempts PasswordLogFileName %L/password.log
# Pipe to my-log-prog PasswordLogFileName |/usr/local/bin/my-log-prog
# Do not log password from our sysadmin or root ExcludeFromPasswordLog root admin ceo nocboss
# Do not log password from anyone that begins with root ExcludeRegexFromPasswordLog ^root
# handle Ascend-Access-Event-Request messages HandleAscendAccessEventRequest