NAME
Net::Radius::PacketOrdered - interface to RADIUS packets with proxy
states
SYNOPSIS
use Net::Radius::PacketOrdered;
use Net::Radius::Dictionary;
my $d = new Net::Radius::Dictionary "/etc/radius/dictionary";
my $p = new Net::Radius::PacketOrdered $d, $data;
$p->dump;
if ($p->attr('User-Name' eq "lwall") {
my $resp = new Net::Radius::PacketOrdered $d;
$resp->set_code('Access-Accept');
$resp->set_identifier($p->identifier);
$resp->set_authenticator($p->authenticator);
$resp->set_attr('Reply-Message' => "Welcome, Larry!\r\n");
my $respdat = auth_resp($resp->pack, "mysecret");
...
DESCRIPTION
RADIUS (RFC2865) specifies a binary packet format which contains various
values and attributes. Net::Radius::PacketOrdered provides an interface
to turn RADIUS packets into Perl data structures and vice-versa.
Net::Radius::PacketOrdered does not provide functions for obtaining
RADIUS packets from the network. A simple network RADIUS server is
provided as an example at the end of this document.
Proxy-State, RFC specification
from RFC 2865 - ftp://ftp.rfc-editor.org/in-notes/rfc2865.txt
2. Operation
If any Proxy-State attributes were present in the Access-Request, they
MUST be copied unmodified and in order into the response packet. Other
Attributes can be placed before, after, or even between the Proxy-State
attributes.
2.3 Proxy
The forwarding server MUST treat any Proxy-State attributes already in
the packet as opaque data. Its operation MUST NOT depend on the content
of Proxy-State attributes added by previous servers.
If there are any Proxy-State attributes in the request received from the
client, the forwarding server MUST include those Proxy-State attributes
in its reply to the client. The forwarding server MAY include the
Proxy-State attributes in the access-request when it forwards the
request, or MAY omit them in the forwarded request. If the forwarding
server omits the Proxy-State attributes in the forwarded access-request,
it MUST attach them to the response before sending it to the client.
Proxy-State, Implementation
Proxy-State attributes are stored in an array, and when copied from one
Net::Radius::PacketOrdered to another - using method *new* with packet
data as attribute - they retain their order.
*attr* method always returns last attribute inserted.
*set_attr* method pushed name attribute onto the Attributes stack, or
overwrites it in specific circumnstances, as described in method
documentation.
PACKAGE METHODS
*new* Net::Radius::PacketOrdered $dictionary, $data
Returns a new Net::Radius::PacketOrdered object. $dictionary is an
optional reference to a Net::Radius::Dictionary object. If not
supplied, you must call set_dict. If $data is supplied, unpack will
be called for you to initialize the object.
OBJECT METHODS
There are actually two families of object methods. The ones described
below deal with standard RADIUS attributes. An additional set of methods
handle the Vendor-Specific attributes as defined in the RADIUS protocol.
Those methods behave in much the same way as the ones below with the
exception that the prefix *vs* must be applied before the *attr* in most
of the names. The vendor code must also be included as the first
parameter of the call.
The *vsattr* and *set_vsattr* methods, used to query and set
Vendor-Specific attributes return an array reference with the values of
each instance of the particular attribute in the packet. This difference
is required to support multiple VSAs with different parameters in the
same packet.
->*set_dict*($dictionary)
Net::Radius::PacketOrdered needs access to a Net::Radius::Dictionary
object to do packing and unpacking. set_dict must be called with an
appropriate dictionary reference (see Net::Radius::Dictionary)
before you can use ->pack or ->unpack.
->*code*
Returns the Code field as a string. As of this writing, the
following codes are defined:
Access-Request Access-Accept
Access-Reject Accounting-Request
Accounting-Response Access-Challenge
Status-Server Status-Client
-><set_code>($code)
Sets the Code field to the string supplied.
->*identifier*
Returns the one-byte Identifier used to match requests with
responses, as a character value.
->*set_identifier*
Sets the Identifier byte to the character supplied.
->*authenticator*
Returns the 16-byte Authenticator field as a character string.
->*set_authenticator*
Sets the Authenticator field to the character string supplied.
->*set_attr*($name, $val, $rewrite_flag)
Sets the named Attributes to the given value. Values should be
supplied as they would be returned from the attr method. If
rewrite_flag is set, and a single attribute with such name already
exists on the Attributes stack, its value will be overwriten with
the supplied one. In all other cases (if there are more than one
attributes with such name already on the stack, there are no
attributes with such name, rewrite_flag is omitted) name/pair array
will be pushed onto the stack.
->*attributes*
Retrieves a list of attribute names present within the packet.
->*attr*($name)
Retrieves the value of the named Attribute. If there are multiple
values for the Attribute, last one inserted will be returned. This
is behaviour is crucial for correct implementation of Proxy-State.
->*unset_attr*($name,$value)
Removes given Attribute with given value from the Attributes stack.
->*attr_slot*($integer)
Retrieves the attribute value of the given slot number from the
Attributes stack.
->*unset_attr_slot*($integer)
Removes given stack position from the Attributes stack.
->*password*($secret)
The RADIUS User-Password attribute is encoded with a shared secret.
Use this method to return the decoded version. This also works when
the attribute name is 'Password' for compatibility reasons.
->*set_password*($passwd, $secret)
The RADIUS User-Password attribute is encoded with a shared secret.
Use this method to prepare the encoded version. Note that this
method always stores the encrypted password in the 'User-Password'
attribute. Some servers have been reported on insisting on this
attribute to be 'Password' instead.
->*show_unknown_entries($bool)*
Controls the generation of a "warn()" whenever an unknown tuple is
seen.
->*acct_request_auth*($packet, $secret)
Set request authenticator in binary packet, for accounting request
authentication.
->*acct_response_auth*($packet, $secret, request-auth)
Set reponse authenticator in binary packet, for accounting response
authentication.
->*dump*
Prints the content of the packet to STDOUT.
->*pack*
Returns a raw RADIUS packet suitable for sending to a RADIUS client
or server.
->*unpack*($data)
Given a raw RADIUS packet $data, unpacks its contents so that they
can be retrieved with the other methods (code, attr, etc.).
EXPORTED SUBROUTINES
*auth_resp*($packed_packet, $secret)
Given a (packed) RADIUS packet and a shared secret, returns a new
packet with the Authenticator field changed in accordace with RADIUS
protocol requirements.
NOTES
This document is (not yet) intended to be a complete description of how
to implement a RADIUS server. Please see the RFCs (at
ftp://ftp.livingston.com/pub/radius/) for that. The following is a brief
description of the procedure:
1. Receive a RADIUS request from the network.
2. Unpack it using this package.
3. Examine the attributes to determine the appropriate response.
4. Construct a response packet using this package.
Copy the Identifier and Authenticator fields from the request,
set the Code as appropriate, and fill in whatever Attributes
you wish to convey in to the server.
5. Call the pack method and use the auth_resp function to
authenticate it with your shared secret.
6. Send the response back over the network.
7. Lather, rinse, repeat.
EXAMPLE
#!/usr/local/bin/perl -w
use Net::Radius::Dictionary;
use Net::Radius::PacketOrdered;
use Net::Inet;
use Net::UDP;
use Fcntl;
use strict;
# This is a VERY simple RADIUS authentication server which responds
# to Access-Request packets with Access-Accept. This allows anyone
# to log in.
my $secret = "mysecret"; # Shared secret on the term server
# Parse the RADIUS dictionary file (must have dictionary in current dir)
my $dict = new Net::Radius::Dictionary "dictionary"
or die "Couldn't read dictionary: $!";
# Set up the network socket (must have radius in /etc/services)
my $s = new Net::UDP { thisservice => "radius" } or die $!;
$s->bind or die "Couldn't bind: $!";
$s->fcntl(F_SETFL, $s->fcntl(F_GETFL,0) | O_NONBLOCK)
or die "Couldn't make socket non-blocking: $!";
# Loop forever, recieving packets and replying to them
while (1) {
my ($rec, $whence);
# Wait for a packet
my $nfound = $s->select(1, 0, 1, undef);
if ($nfound > 0) {
# Get the data
$rec = $s->recv(undef, undef, $whence);
# Unpack it
my $p = new Net::Radius::PacketOrdered $dict, $rec;
if ($p->code eq 'Access-Request') {
# Print some details about the incoming request (try ->dump here)
print $p->attr('User-Name'), " logging in with password ",
$p->password($secret), "\n";
# Create a response packet
my $rp = new Net::Radius::PacketOrdered $dict;
$rp->set_code('Access-Accept');
$rp->set_identifier($p->identifier);
$rp->set_authenticator($p->authenticator);
# (No attributes are needed.. but you could set IP addr, etc. here)
# Authenticate with the secret and send to the server.
$s->sendto(auth_resp($rp->pack, $secret), $whence);
}
else {
# It's not an Access-Request
print "Unexpected packet type recieved.";
$p->dump;
}
}
}
RADIUS PROXY EXAMPLE
See README.proxy for how to setup a test consisting of radius client,
server and multiple proxies inbetween, all using this module and
FreeRadius. Scripts for all components (client/server/proxies) in the
test setup are provided in the CPAN distribution of the module.
About the stability, this code has been in very active use since early
2004 on a network with 8000+ edge devices without a single problem
encountered so far. It has been succesfully used under FreeBSD and
Linux.
AUTHOR
Christopher Masto, <chris@netmonger.net>. VSA support by Luis E. Mu�oz,
<luismunoz@cpan.org>. Fix for unpacking 3COM VSAs contributed by Ian
Smith <iansmith@ncinter.net>. Information for packing of 3Com VSAs
provided by Quan Choi <Quan_Choi@3com.com>. Some functions contributed
by Tony Mountifield <tony@mountifield.org>.
Extension of Net:Radius::Packet into Net:Radius::PacketOrdered to
include the ability to implement correctly Proxy-State by Toni Prug,
<toni@irational.org>, idea by Bill Hulley.
COPYRIGHT
Original work (c) Christopher Masto. Changes (c) 2002,2003 Luis E. Mu�oz
<luismunoz@cpan.org>. PacketOrdered changes (c) 2004 Toni Prug. All
rights reserved.
This package is free software and is provided "as is" without express or
implied warranty. It may be used, redistributed and/or modified under
the same terms as Perl itself.
See <http://www.perl.com/perl/misc/Artistic.html>
SEE ALSO
Net::Radius::Dictionary Net::Radius::Packet