NAME
Net::Radius::Packet - Object-oriented Perl interface to RADIUS packets
SYNOPSIS
use Net::Radius::Packet;
use Net::Radius::Dictionary;
my $d = new Net::Radius::Dictionary "/etc/radius/dictionary";
my $p = new Net::Radius::Packet $d, $data;
$p->dump;
if ($p->attr('User-Name' eq "lwall") {
my $resp = new Net::Radius::Packet $d;
$resp->set_code('Access-Accept');
$resp->set_identifier($p->identifier);
$resp->set_authenticator($p->authenticator);
$resp->set_attr('Reply-Message' => "Welcome, Larry!\r\n");
my $respdat = auth_resp($resp->pack, "mysecret");
...
DESCRIPTION
RADIUS (RFC2138) specifies a binary packet format which contains various values and attributes. Net::Radius::Packet provides an interface to turn RADIUS packets into Perl data structures and vice-versa.
Net::Radius::Packet does not provide functions for obtaining RADIUS packets from the network. A simple network RADIUS server is provided as an example at the end of this document.
PACKAGE METHODS
- new Net::Radius::Packet $dictionary, $data
-
Returns a new Net::Radius::Packet object.
$dictionary
is an optional reference to a Net::Radius::Dictionary object. If not supplied, you must call set_dict.If
$data
is supplied, unpack will be called for you to initialize the object.
OBJECT METHODS
There are actually two families of object methods. The ones described below deal with standard RADIUS attributes. An additional set of methods handle the Vendor-Specific attributes as defined in the RADIUS protocol. Those methods behave in much the same way as the ones below with the exception that the prefix vs must be applied before the attr in most of the names. The vendor code must also be included as the first parameter of the call.
The vsattr and set_vsattr methods, used to query and set Vendor-Specific attributes return an array reference with the values of each instance of the particular attribute in the packet. This difference is required to support multiple VSAs with different parameters in the same packet.
- ->set_dict($dictionary)
-
Net::Radius::Packet needs access to a Net::Radius::Dictionary object to do packing and unpacking. set_dict must be called with an appropriate dictionary reference (see Net::Radius::Dictionary) before you can use ->pack or ->unpack.
- ->unpack($data)
-
Given a raw RADIUS packet $data, unpacks its contents so that they can be retrieved with the other methods (code, attr, etc.).
- ->pack
-
Returns a raw RADIUS packet suitable for sending to a RADIUS client or server.
- ->code
-
Returns the Code field as a string. As of this writing, the following codes are defined:
Access-Request Access-Accept Access-Reject Accounting-Request Accounting-Response Access-Challenge Status-Server Status-Client
- ->set_code($code)
-
Sets the Code field to the string supplied.
- ->identifier()
-
Returns the one-byte Identifier used to match requests with responses, as a character value.
- ->set_identifier($id)
-
Sets the Identifier byte to the character supplied.
- ->authenticator()
-
Returns the 16-byte Authenticator field as a character string.
- ->set_authenticator($authenticator)
-
Sets the Authenticator field to the character string supplied.
- ->attr($name)
-
Retrieves the value of the named Attribute. Attributes will be converted automatically based on their dictionary type:
STRING Returned as a string. INTEGER Returned as a Perl integer. IPADDR Returned as a string (a.b.c.d) TIME Returned as an integer
- ->set_attr($name, $val)
-
Sets the named Attribute to the given value. Values should be supplied as they would be returned from the attr method.
- ->unset_attr($name)
-
Sets the named Attribute to the given value. Values should be supplied as they would be returned from the attr method.
- ->password($secret)
-
The RADIUS User-Password attribute is encoded with a shared secret. Use this method to return the decoded version. This also works when the attribute name is 'Password' for compatibility reasons.
- ->set_password($passwd, $secret)
-
The RADIUS User-Password attribute is encoded with a shared secret. Use this method to prepare the encoded version. Note that this method always stores the encrypted password in the 'User-Password' attribute. Some servers have been reported on insisting on this attribute to be 'Password' instead.
- ->dump()
-
Prints the content of the packet to STDOUT.
- ->show_unknown_entries($bool)
-
Controls the generation of a
warn()
whenever an unknown tuple is seen.
EXPORTED SUBROUTINES
- auth_resp($packed_packet, $secret)
-
Given a (packed) RADIUS packet and a shared secret, returns a new packet with the Authenticator field changed in accordace with RADIUS protocol requirements.
NOTES
This document is (not yet) intended to be a complete description of how to implement a RADIUS server. Please see the RFCs for that. The following is a brief description of the procedure:
1. Receive a RADIUS request from the network.
2. Unpack it using this package.
3. Examine the attributes to determine the appropriate response.
4. Construct a response packet using this package.
Copy the Identifier and Authenticator fields from the request,
set the Code as appropriate, and fill in whatever Attributes
you wish to convey in to the server.
5. Call the pack method and use the auth_resp function to
authenticate it with your shared secret.
6. Send the response back over the network.
7. Lather, rinse, repeat.
EXAMPLE
#!/usr/local/bin/perl -w
use Net::Radius::Dictionary;
use Net::Radius::Packet;
use Net::Inet;
use Net::UDP;
use Fcntl;
use strict;
# This is a VERY simple RADIUS authentication server which responds
# to Access-Request packets with Access-Accept. This allows anyone
# to log in.
my $secret = "mysecret"; # Shared secret on the term server
# Parse the RADIUS dictionary file (must have dictionary in current dir)
my $dict = new Net::Radius::Dictionary "dictionary"
or die "Couldn't read dictionary: $!";
# Set up the network socket (must have radius in /etc/services)
my $s = new Net::UDP { thisservice => "radius" } or die $!;
$s->bind or die "Couldn't bind: $!";
$s->fcntl(F_SETFL, $s->fcntl(F_GETFL,0) | O_NONBLOCK)
or die "Couldn't make socket non-blocking: $!";
# Loop forever, recieving packets and replying to them
while (1) {
my ($rec, $whence);
# Wait for a packet
my $nfound = $s->select(1, 0, 1, undef);
if ($nfound > 0) {
# Get the data
$rec = $s->recv(undef, undef, $whence);
# Unpack it
my $p = new Net::Radius::Packet $dict, $rec;
if ($p->code eq 'Access-Request') {
# Print some details about the incoming request (try ->dump here)
print $p->attr('User-Name'), " logging in with password ",
$p->password($secret), "\n";
# Create a response packet
my $rp = new Net::Radius::Packet $dict;
$rp->set_code('Access-Accept');
$rp->set_identifier($p->identifier);
$rp->set_authenticator($p->authenticator);
# (No attributes are needed.. but you could set IP addr, etc. here)
# Authenticate with the secret and send to the server.
$s->sendto(auth_resp($rp->pack, $secret), $whence);
}
else {
# It's not an Access-Request
print "Unexpected packet type recieved.";
$p->dump;
}
}
}
AUTHOR
Christopher Masto, <chris@netmonger.net>. VSA support by Luis E. Muñoz, <luismunoz@cpan.org>. Fix for unpacking 3COM VSAs contributed by Ian Smith <iansmith@ncinter.net>. Information for packing of 3Com VSAs provided by Quan Choi <Quan_Choi@3com.com>. Some functions contributed by Tony Mountifield <tony@mountifield.org>.
SEE ALSO
Net::Radius::Dictionary
1 POD Error
The following errors were encountered while parsing the POD:
- Around line 628:
Non-ASCII character seen before =encoding in 'Muñoz,'. Assuming UTF-8