What are Plug-ins, Methods and PolicyFlows™?

Each RADIUS request received by NavisRadius normally* must go through one or more processing steps before a response can be returned to the RADIUS client. These steps can gather information from user records, decode a realm, collect other required information, determine how the request will be handled, and decide the final disposition: Accept, Reject, Acknowledge, and so on.

Unlike other RADIUS servers, in which the flow of the request through the various processing steps and decisions is a fixed process, NavisRadius is actually a tool kit and scripting language for designing and building exactly the steps required, in precisely the order needed. This flexibility is required to work in a world where some requests require data to be looked up from a database or directory server, while others may require forwarding to remote sites, translation of called numbers to realms, logging of data, measurement of limits, and so forth. This series of actions and decisions is called a PolicyFlow. Each step in a PolicyFlow is called a NavisRadius Method, and each Method in turn is based on a NavisRadius Plug-in.

* In some cases such as duplicate requests, stale requests, unknown clients, etc., NavisRadius will automatically drop the incoming request before the PolicyFlow starts.

Plug-ins

Plug-ins are modular Java software programs, technically called Java "class" files. Plug-ins perform the basic functions and actions required for a PolicyFlow, such as reading a file, searching for a user entry, querying a database, determining the next processing step, forwarding a RADIUS request (proxy), checking resource usage, and so forth. While the Plug-in contains the programming code to perform its desired function, it must be supplied with additional information, or Properties, before it can actually be used: for example, a file name, a database server address, or a user name to look up.

Control Properties

Each Plug-in property controls or defines some aspect of the Plug-in's operation. There are two basic types of Plug-in properties: Control Properties and Method Properties. Control properties define general aspects of a Plug-in's processing and are common to most NavisRadius Plug-ins. There are five control properties available:

Method Name
  Each NavisRadius Method must be assigned a name, and the name is the first data element in a method definition. Method names do not actually require a control property; that is, you simply enter your name for the method, such as LookUp, rather than Method-Name = LookUp. These names can contain any printable ASCII character, but commonly they use letters and digits with an underscore (_) or a hyphen (-) as separators, such as <method_name>.
Method-Type
  The name of the specific Plug-in to use for this method. The Plug-in name must be selected from the list of acceptable Plug-in names provided with NavisRadius. (See Plug-in Quick Reference for the list and descriptions.)
Method-Next
  The name of the next method to execute if this method completes its task successfully.
Method-On-Fail
  The name of the next method to execute if the method fails.
Method-On-Error
  The name of the next method to execute if the method results in an error, that is, it cannot determine whether it was successful because of some abnormal processing.
Method-Timeout
  How long, in milliseconds, to wait for the method to complete. If this time is reached, the method specified in Method-On-Error is executed next.
Method-Disable
  Allows a method to be in a PolicyFlow and only initialize when needed.

A Method name and a Method-Type are required for every Method. All other properties are optional.
An example of Method definition control properties might look like:

LookUpUser Method-Type = ReadUserFile Method-Next = CheckPass Method-On-Fail = Reject

where:
  LookUpUser: the Method Name
  Method-Type = ReadUserFile: which Plug-in to use
  Method-Next = CheckPass: the Method to execute if we locate the user's profile
  Method-On-Fail = Reject: the Method to execute if we cannot find the user's profile

Method Results

Each time a method executes it results in one of three status conditions:

Success
  The method succeeded: it accomplished its intended task, for example it found a user profile, matched a password, or wrote an accounting record.
Fail
  The method failed: it clearly did not accomplish its intended task, for example because the user's profile was not in the file or the password did not match.
Error
  The method was unable to determine whether the task could be accomplished because of abnormal conditions or some other error, such as a file not found, a remote server that did not respond, a database reporting that the requested table did not exist, or a full file system.

Method Properties

In addition to the Control Properties, there are other properties, called method properties, that provide information specific to the Plug-in's intended task. The information gathered might be the name of a file, a server IP Address, the column to search in a database, or the Search Key to use in an LDAP lookup, and so on.

Method Properties consist of a name and a value. For example:

ReadUserFile-Filename = "users"

or

ReadDelimitedText-SearchKey = ${packet.Base-User-Name}

As these examples show, Method property values can be set to fixed (constant) values or can reference NavisRadius variables, which contain dynamic information received in the RADIUS packet or extracted from files, databases, and so forth. By using variables to set Method Property values, a method can be supplied with data appropriate to each request.

When a Plug-in is provided with the Control Properties and the Method Properties that define how it should work in a given situation, the result is a NavisRadius Method.

Methods

By setting the control and method properties, a Plug-in is configured to do a specific task in a specific manner. The method properties can be set to fixed values or can refer to variables associated with the RADIUS request, including information contained in an access-request, attributes returned by remote RADIUS servers (proxy), data read by other methods, or even a random integer.

Depending on whether a method will be used to process access (authentication) or accounting requests, the method definition will appear in either the auth_methods or the acct_methods method files. The method to start processing a RADIUS request is defined by the method_select file. After the first method has been defined, each method in the flow controls the selection of the next method, or can end processing.

Method Definition Format

A method is defined using the following format:

<method_name> Method-Type = <Plug-in_Name> [ Optional Control Properties ]
  Required Method Properties
  [ Optional Method Properties ]

A typical simple method might be defined as in the following:

UserProfileLookup Method-Type = ReadUserFile Method-Next = CheckPassword
  ReadUserFile-Filename = users
  ReadUserFile-SearchKey = ${request.User-Name}

Use of method control properties can create methods designed for specialized tasks. For the following example, the method named Read-file-A uses the ReadUserFile Plug-in to read users from the file users-A:

Read-file-A Method-Type = ReadUserFile  Method-Next = Auth-Local
  ReadUserFile-FileName = /etc/radius/users-A

And the method named Read-file-B uses the ReadUserFile Plug-in to read users from the file users-B:

Read-file-B Method-Type = ReadUserFile  Method-Next = Auth-Local
  ReadUserFile-FileName = /etc/radius/users-B

In the preceding examples, the same Plug-in, ReadUserFile, was used to create two separate methods. Each method reads a different user file and would presumably be used for a separate realm.

If we want to locate a user profile from the users-A file we would use the Method Read-file-A. If we want to locate a user whose profile is in the users-B file, we would use the Method Read-file-B.
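To make the control-property transitions concrete, here is an added Python example (not NavisRadius code and not from this page) that parses method definitions written in the format above, expands ${request.X} references, walks a PolicyFlow through the Success, Fail and Error branches, and reports transitions that name no defined method. The sample definitions, the stub outcome function, and treating Accept and Reject as terminal method names are constructed assumptions.

```python
import re
SAMPLE = """
Read-file-A Method-Type = ReadUserFile  Method-Next = Auth-Local  Method-On-Fail = Reject
  ReadUserFile-Filename = /etc/radius/users-A
  ReadUserFile-SearchKey = ${request.User-Name}
Auth-Local Method-Type = CheckPassword  Method-Next = Accept  Method-On-Fail = Reject
"""  # constructed sample in the method-definition format described on this page

PROP = re.compile(r"([\w-]+)\s*=\s*(\S+)")  # Name = value pairs
VAR = re.compile(r"\$\{([\w.-]+)\}")        # ${request.User-Name} style references
TERMINAL = {"Accept", "Reject"}             # assumed end-of-flow method names
BRANCH = {"Success": "Method-Next", "Fail": "Method-On-Fail", "Error": "Method-On-Error"}

def parse_methods(text):
    """Return {method_name: {property: value}}; an unindented line starts a method."""
    methods, current = {}, None
    for line in text.strip().splitlines():
        if not line[0].isspace():
            current, _, rest = line.partition(" ")
            methods[current] = dict(PROP.findall(rest))
        else:
            methods[current].update(PROP.findall(line))  # indented method properties
    return methods

def resolve(value, request):
    """Expand ${request.X} references against a dict of RADIUS request attributes."""
    return VAR.sub(lambda m: request.get(m.group(1).split(".", 1)[1], ""), value)

def run_flow(methods, start, request, outcome):
    """Walk the flow; outcome(name, props) stands in for the plug-in and returns
    'Success', 'Fail' or 'Error'.  Returns (trail, final method name)."""
    trail, name = [], start
    while name not in TERMINAL and name != "Undefined":
        props = {k: resolve(v, request) for k, v in methods[name].items()}
        result = outcome(name, props)
        trail.append((name, result))
        name = props.get(BRANCH[result], "Undefined")  # no control property for this result
    return trail, name

def lint_flow(methods):
    """Report missing Method-Type and transitions that name no defined method."""
    issues = []
    for name, props in methods.items():
        if "Method-Type" not in props:
            issues.append(f"{name}: missing Method-Type")
        for key in ("Method-Next", "Method-On-Fail", "Method-On-Error"):
            target = props.get(key)
            if target and target not in methods and target not in TERMINAL:
                issues.append(f"{name}: {key} -> {target} is not defined")
    return issues
```

Running the sample flow with an outcome stub that returns Error shows the flow ending in "Undefined" because Read-file-A sets no Method-On-Error, which is the kind of gap a lint over a real configuration should catch before deployment.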

PolicyFlow

A complete NavisRadius configuration provides a controlled flow of authentication/authorization and accounting processes. This flow is made up of exactly the steps you require, in the order you need them, to accomplish your intended task; this is a PolicyFlow.

Also See

Defining Method Selector Types
The method_select File Format