3.98. <AuthBy DYNAUTH>

<AuthBy DYNAUTH> builds RFC 5716 Disconnect-Request and CoA-Request messages and dispatches them to Handlers. The dispatched dynauth requests can be matched with <Handler DynAuthRequest=1>. This Handler typically uses <AuthBy RADIUSBYATTR> for forwarding the newly built dynauth requests to the NAS based on the dynauth request contents. The dynauth responses will be handled by <AuthBy DYNAUTH>.
<AuthBy DYNAUTH> can optionally register itself with Gossip to receive requests from, for example, remote management to send dynauth messages pertaining to the online users. <AuthBy DYNAUTH> works with <SessionDatabase REDIS> to share session information between Radiator instances and user management. For more information about Gossip and <SessionDatabase REDIS>, see Section 11. Using Gossip framework and Section 3.19. <SessionDatabase REDIS>.
<AuthBy DYNAUTH> is currently experimental and will be documented later.

3.98.1. NasAddrAttribute

This is a list of attributes in the request that contain the NAS IP address to which dynauth RADIUS requests are sent. The value of the last attribute present is used. Special formatting characters are supported when configured as NasAddrAttribute value, formatted with %0 replaced by the NAS IP address.
# NAS-IP-Address can be used to reach our NASes for dynauth
NasAddrAttribute NAS-IP-Address

3.98.2. SessionCheck

This is a list of session attributes to check. The format is: SessionCheck sessionattribute,comparator,value[,formatted]. Supported comparators are eq, ne, ge, and le.
# See that the user still has quota
SessionCheck user_quota,ne,0

3.98.3. PreHandlerHook

This optional parameter allows you to define a Perl function that is called during packet processing. It can be configured within several types of clauses for which its functionality is slightly different:
  • Client clause
    PreHandlerHook is called for each request after per-Client user name rewriting and duplicate rejection, and before the request is passed to a Realm or Handler clause.
  • AuthBy clause
    The functionality depends on the used EAP authentication type:
    • PEAP, EAP-TTLS, EAP-FAST
      PreHandlerHook specifies a Perl hook to be called before the inner request is re-dispatched to a matching Realm or Handler.
    • LEAP
      If EAP_LEAP_MSCHAP_Convert flag is set, PreHandlerHook specifies a Perl hook to be called before the converted request is re-dispatched to a matching Realm or Handler.
    • EAP-MSCHAPv2
      If EAP_PEAP_MSCHAP_Convert flag is set, PreHandlerHook specifies a Perl hook to be called before the converted request is re-dispatched to a matching Realm or Handler.
    • EAP-GTC
      If EAP_GTC_PAP_Convert flag is set, PreHandlerHook specifies a Perl hook to be called before the converted request is re-dispatched to a matching Realm or Handler.
  • AuthBy DYNAUTH clause
    PreHandlerHook is called for each request created by the clause before the request is passed to a Realm or Handler clause.
  • ServerRADSEC clause
    PreHandlerHook is called for each request after global and per-ServerRADSEC user name rewriting and before the request is passed to a Realm or Handler clause.
  • ServerDIAMETER clause
    PreHandlerHook is called for each request received by ServerDIAMETER before the request is passed to a Realm or Handler clause.
  • ServerTACACSPLUS clause
    PreHandlerHook is called for each request before it is passed to a Realm or Handler clause. If a Client is found for the request, the Client's PreHandlerHook is run before ServerTACACSPLUS's PreHandlerHook. Global and per-Client user name rewriting and other processing are done before the hooks are run.
A reference to the request is passed as the only argument.
The hook code is compiled by Perl when Radiator starts up. Compilation errors in your hook code are reported to the log file at start-up time. Runtime errors in your hook are also reported to the log file when your hook executes. Multiline hooks with trailing backslashes (\) are parsed by Radiator into one long line. Therefore, do not use trailing comments in your hook.
PreHandlerHook can be an arbitrarily complicated Perl function that might run external processes, consult databases, change the contents of the current request, or do many other things. Here is an example of using PreHandlerHook:
# Fake a new attribute into the request
PreHandlerHook sub { ${$_[0]}->add_attr('test-attr', \
      'test-value');}
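
The following stand-alone Perl script is an added example, not part of the Radiator documentation or code. It shows why a trailing comment breaks a multiline hook once the continuation lines are joined into one line. MockRequest, join_continuations and compile_hook are hypothetical names, and the joining rule (backslash plus newline replaced by a space) is an assumption about how the lines are combined.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a request object; not Radiator's own class.
package MockRequest;
sub new { my $class = shift; return bless { attrs => {} }, $class; }
sub add_attr { my ($self, $name, $value) = @_; $self->{attrs}{$name} = $value; return; }
sub get_attr { my ($self, $name) = @_; return $self->{attrs}{$name}; }

package main;

# Assumption: a trailing backslash and its newline are replaced by a space.
sub join_continuations {
    my ($text) = @_;
    $text =~ s/\\\n\s*/ /g;
    return $text;
}

# Compile the joined hook text the way a start-up compile would.
# Returns (coderef, '') on success or (undef, error text) on failure.
sub compile_hook {
    my ($text) = @_;
    my $src  = join_continuations($text);
    my $code = eval $src;
    return ($code, $@);
}

# Constructed hook: the trailing comment swallows everything after it,
# including the closing brace, once the lines are joined.
my $with_comment = <<'EOT';
sub { my $p = ${$_[0]}; # fetch the request \
      $p->add_attr('test-attr', 'test-value'); }
EOT

# Same hook with the comment removed from the continued line.
my $without_comment = <<'EOT';
sub { my $p = ${$_[0]}; \
      $p->add_attr('test-attr', 'test-value'); }
EOT

for my $case (['with trailing comment', $with_comment],
              ['without trailing comment', $without_comment]) {
    my ($label, $text) = @$case;
    my ($code, $err) = compile_hook($text);
    if (!$code) { print "$label: compile failed: $err"; next; }
    my $req = MockRequest->new;
    $code->(\$req);    # the hook receives a reference to the request
    print "$label: test-attr=", $req->get_attr('test-attr'), "\n";
}
```

In a real configuration, place comments on their own lines above the hook, as in the example above, and check the log at start-up for hook compilation errors.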