(RADIATOR) Denying Auth based on Part of a Called-Station-ID
Denis Pavani
d.pavani at cineca.it
Mon Apr 14 02:42:12 CDT 2003
I think Radiator processes Realms before Handlers, no matter what order
you write them in.
I suggest you use <Handler Realm="....">.
Bye
Mike McCauley wrote:
>---------- Forwarded Message ----------
>
>Subject: BOUNCE radiator at open.com.au: Non-member submission from ["Mike
>Walker" <noc at usexpress.net>]
>Date: Mon, 14 Apr 2003 02:11:40 -0500
>From: owner-radiator at open.com.au
>To: radiator-approval at open.com.au
>
>From: "Mike Walker" <noc at usexpress.net>
>To: <hugh at open.com.au>
>Cc: <radiator at open.com.au>
>Subject: Re: (RADIATOR) Denying Auth based on Part of a Called-Station-ID
>Date: Mon, 14 Apr 2003 03:08:03 -0400
>Organization: Network Operations Center
>
>Hugh,
>
>I am finally able to get this knocked out, but I am a bit confused about the
><AuthBy FILE> usage. I get the cascading part, but how do I do this for
>multiple Called-Station-Ids? My dilemma is this: We are wholesale dial
>providers reselling 9 networks, including one of our own. Here in
>Knoxville, there are nine phone numbers belonging to other dial providers in
>the Knoxville area, but we pay per user per month for them. We just
>completed installing our own equipment here, and do not want anyone dialing
>any other 865 number EXCEPT for our new one.
>
>So, I need to deny access from any realm to any of those 9 numbers. I
>thought about just using a Handler above the Realms like this:
>
><Handler Called-Station-Id=8652462222>
> <AuthBy FILE>
> Filename /etc/deny.file
> </AuthBy>
></Handler>
>
><Realm ...>
>...
></Realm>
>
><Realm ...>
>...
></Realm>
>
>But it doesn't work, even for that one number. However, my deny.file just
>denies anything, but even when I dial that number, it's still auths. The
>configuration I have includes both proxy and standard Radius methods, and I
>have included the gist of it below. My question is, if I use your method,
>how can I include all nine numbers in deny.file, or is there another way I
>can pull this off with Handlers? I do recall that mixing Handlers and
>Realms together caused some strange behavior. BTW, any of the realms should
>be able to only dial our new local number when calling to the 865 area code.
>We want to kill all nine other 865 numbers so the users are forced to dial
>the new one. Any input would be GREATLY appreciated!
>
>My Config could use a little pruning and "consolidation", as you can see I
>am not taking advantage of the newer features in 3.X yet...
>
>Current Config (greatly truncated):
>
>### Radiator Configuration
>
>### Global Parameters
>
>Trace 4
>BindAddress 000.000.000.000
>LogFile /var/log/radius/%Y%m%d
>PidFile /tmp/radiusd.pid
>UsernameCharset a-zA-Z0-9\._ at -
>AuthPort 1812
>AcctPort 1813
>
><AuthLog SQL>
> Identifier Logs
> DBSource dbi:Sybase:server=Emerald
> DBUsername XXX
> DBAuth XXX
> LogFailure 1
> FailureQuery insert into RadLogs (Username, Password, CallerID, \
>   Severity, Data, Network, NasPortDNIS) values ('%n', '%P', \
>   '%{Calling-Station-Id}', %0, %1, '%{Network}', '%{Called-Station-Id}')
></AuthLog>
>
>### Client Parameters
>
><Client 216.126.204.4>
> Secret XXX
> RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
> IgnoreAcctSignature
> IdenticalClients 209.209.44.17 66.81.15.139
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '1'); }
></Client>
>
><Client 216.143.197.2>
> Secret XXX
> RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
> IgnoreAcctSignature
> IdenticalClients 216.143.197.130 216.143.198.2 216.142.193.146
> IdenticalClients 216.140.242.162
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '2'); }
></Client>
>
><Client 216.166.11.11>
> Secret XXX
> IgnoreAcctSignature
> IdenticalClients 216.166.61.12 216.166.61.13 216.166.61.14
> IdenticalClients 216.166.61.15 216.166.61.16 216.166.61.17
> IdenticalClients 206.127.30.138 206.127.30.139
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '0'); }
></Client>
>
><Client 208.25.44.225>
> Secret XXX
> RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
> IgnoreAcctSignature
> IdenticalClients 65.120.168.251
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '11'); }
></Client>
>
>### Accounting Parameters
>
><AuthBy SQL>
> Identifier Accounting
> DBSource dbi:Sybase:server=Emerald
> DBUsername XXXX
> DBAuth XXXX
> AccountingTable Calls
> AuthSelect
> AcctColumnDef UserName,User-Name
> AcctColumnDef CallDate,Timestamp,integer-date
> AcctColumnDef AcctStatusType,Acct-Status-Type,integer
> AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
> AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
> AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
> AcctColumnDef AcctSessionId,Acct-Session-Id
> AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
> AcctColumnDef NASPortType,NAS-Port-Type
> AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
> AcctColumnDef NASIdentifier,NAS-IP-Address
> AcctColumnDef NASIdentifier,NAS-Identifier
> AcctColumnDef NASPort,NAS-Port,integer
> AcctColumnDef CallerID,Calling-Station-Id,integer
> AcctColumnDef FramedAddress,Framed-IP-Address
> AcctColumnDef NASPortDNIS,Called-Station-Id,integer
> AcctColumnDef ServerID,'%{Client:Name}',literal
> AcctColumnDef Network,Network,integer
> AuthSQLStatement delete from RADONLINE \
> where CALLERID='%{Calling-Station-Id}' \
> and CALLERID IS NOT NULL \
> and CALLERID <> ''
></AuthBy>
>
>### REALMS
>
><Realm DEFAULT>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 65.120.168.22
> Host 65.120.168.23
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
> Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> Ascend-Data-Filter="ip in forward"
> </AuthBy>
></Realm>
>
><Realm a.net>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 65.120.168.22
> Host 65.120.168.23
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
> Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> Ascend-Data-Filter="ip in forward"
> </AuthBy>
></Realm>
>
><Realm 1.com>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 216.235.147.88
> Host 216.187.216.52
> Host 63.160.140.23
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter="ip in forward dstip 216.235.147.85/24",\
> Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> Ascend-Data-Filter="ip in forward"
> </AuthBy>
></Realm>
>
><Realm 2.net>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 63.110.254.101
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter="ip in forward dstip 63.110.254.101/32",\
> Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> Ascend-Data-Filter="ip in forward"
> </AuthBy>
></Realm>
>
><Realm 1.us>
> AuthByPolicy Continue
> AuthBy Accounting
> <AuthBy EMERALD>
> DBSource dbi:Sybase:server=Emerald
> DBUsername proxy
> DBAuth XXX
> AuthSelect ,sa.LoginLimit
> AuthColumnDef 0,Simultaneous-Use,check
> AddATDefaults
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
> Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> Ascend-Data-Filter="ip in forward"
> </AuthBy>
> AuthLog Logs
></Realm>
>
><Realm 3.net>
> AuthByPolicy Continue
> AuthBy Accounting
> <AuthBy EMERALD>
> DBSource dbi:Sybase:server=Emerald
> DBUsername proxy
> DBAuth XXX
> AuthSelect ,sa.LoginLimit
> AuthColumnDef 0,Simultaneous-Use,check
> AddATDefaults
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
> Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter="ip in drop tcp dstport = 25",\
> Ascend-Data-Filter="ip in forward"
> </AuthBy>
> AuthLog Logs
></Realm>
>
><SessionDatabase SQL>
> Identifier sessions
> DBSource dbi:Sybase:server=Emerald
> DBUsername XXX
> DBAuth XXX
> AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
> SERVICETYPE, CALLERID) values ('%u', '%N', 0%{NAS-Port}, \
> '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', \
> '%{NAS-Port-Type}', '%{Service-Type}', '%{Calling-Station-Id}')
></SessionDatabase>
>
>:END
>
>I tried a bunch of other "ideas" that didn't work too well. Here is a
>sample debug from an auth that looks "normal"...
>
>Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>*** Received from 63.110.140.7 port 3166 ....
>Code: Access-Request
>Identifier: 80
>Authentic: e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
>Attributes:
> Framed-Protocol = PPP
> User-Name = "radius at usexpress.net"
> User-Password =
>"<193><152><169><169>|<234><224>Y<241><149><234><10>v<219>?<164>"
> NAS-Port = 99
> Called-Station-Id = "8652512008"
> Calling-Station-Id = "8655841684"
> NAS-Port-Type = Async
> Service-Type = Framed-User
> NAS-IP-Address = 66.19.138.227
> Proxy-State = 197
>
>Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
>'Realm=usexpress.net'
>Mon Apr 14 02:13:13 2003: DEBUG: sessions Deleting session for
>radius at usexpress.net, 66.19.138.227, 99
>Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
>NASIDENTIFIER='66.19.138.227' and NASPORT=099
>
>Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
>Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
>CALLERID='8655841684' and CALLERID IS NOT NULL and CALLERID <> ''
>
>Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
>Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD:
>Mon Apr 14 02:13:13 2003: DEBUG: Query is: select DateAdd(Day,
>ma.extension+ma.overdue, maExpireDate),
>DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
>sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
>from masteraccounts ma, subaccounts sa
>where (sa.login = 'radius at usexpress.net' or sa.shell =
>'radius at usexpress.net')
>and ma.customerid = sa.customerid
>and sa.active <> 0
>
>Mon Apr 14 02:13:13 2003: DEBUG: Select results: , Dec 31 2020 12:00AM,
>6654, PL PPP Dialup, XXX, radius at usexpress.net, , , 1
>Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
>ra.RadVendorID,
>ra.RadVendorType,
>Data, Value, Type, RadCheck
>from RadConfigs rc, RadAttributes ra
>where ra.RadAttributeID = rc.RadAttributeID
>and ra.RadVendorID = rc.RadVendorID
>and ra.RadVendorType = rc.RadVendorType
>and rc.AccountID=6654
>
>Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
>ra.RadVendorID,
>ra.RadVendorType,
>Data, Value, Type, RadCheck
>from RadATConfigs rc, RadAttributes ra
>where ra.RadAttributeID = rc.RadAttributeID
>and ra.RadVendorID = rc.RadVendorID
>and ra.RadVendorType = rc.RadVendorType
>and rc.AccountType='PL PPP Dialup'
>
>Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD looks for match with
>radius at usexpress.net
>Mon Apr 14 02:13:13 2003: DEBUG: Expiration date converted to: 1609390800
>Mon Apr 14 02:13:13 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
>ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
>USERNAME='radius at usexpress.net'
>
>Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD ACCEPT:
>Mon Apr 14 02:13:13 2003: DEBUG: Access accepted for radius at usexpress.net
>Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>*** Sending to 63.110.140.7 port 3166 ....
>Code: Access-Accept
>Identifier: 80
>Authentic: e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
>Attributes:
> Proxy-State = 197
> Service-Type = 2
> Framed-Protocol = 1
> Framed-MTU = 1500
> Session-Timeout = 21600
> Ascend-Data-Filter = ip in forward tcp est
> Ascend-Data-Filter = ip in forward dstip 63.168.186.0/24
> Ascend-Data-Filter = ip in forward dstip 65.120.168.0/24
> Ascend-Data-Filter = ip in drop tcp dstport = 25
> Ascend-Data-Filter = ip in forward
>
>Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>*** Received from 63.110.140.7 port 3172 ....
>Code: Accounting-Request
>Identifier: 84
>Authentic: <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
>Attributes:
> Acct-Session-Id = "0000CDA8"
> Framed-Protocol = PPP
> Framed-IP-Address = 66.19.137.64
> Connect-Info = "30666/24000 V90/V42bis/LAPM (45333/24000)"
> Ascend-Connect-Progress = prLanSessionUp
> Acct-Authentic = RADIUS
> User-Name = "radius at usexpress.net"
> Acct-Status-Type = Start
> NAS-Port = 99
> Called-Station-Id = "8652512008"
> Calling-Station-Id = "8655841684"
> NAS-Port-Type = Async
> Service-Type = Framed-User
> NAS-IP-Address = 66.19.138.227
> Event-Timestamp = 1050301337
> Acct-Delay-Time = 0
> Proxy-State = 171
> Timestamp = 1050301317
>
>Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
>'Realm=usexpress.net'
>Mon Apr 14 02:13:13 2003: DEBUG: sessions Adding session for
>radius at usexpress.net, 66.19.138.227, 99
>Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
>NASIDENTIFIER='66.19.138.227' and NASPORT=099
>
>Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into RADONLINE
>(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
>FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CALLERID) values
>('radius at usexpress.net', '66.19.138.227', 099, '0000CDA8', 1050301317,
>'66.19.137.64', 'Async', 'Framed-User', '8655841684')
>
>Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
>Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with Radius::AuthSQL
>Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into Calls
>(CallerID,UserName,AcctStatusType,ServerID,NASIdentifier,NASPort,NASPortType
>,Network,AcctSessionId,NASPortDNIS,FramedAddress,AcctDelayTime,CallDate)
>values
>(8655841684,'radius at usexpress.net',1,'63.110.140.7','66.19.138.227',99,'Asyn
>c',8,'0000CDA8',8652512008,'66.19.137.64',0,'Apr 14, 2003 02:21')
>
>Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
>Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with
>Radius::AuthEMERALD
>Mon Apr 14 02:13:13 2003: DEBUG: Accounting accepted
>Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>*** Sending to 63.110.140.7 port 3172 ....
>Code: Accounting-Response
>Identifier: 84
>Authentic: <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
>Attributes:
> Proxy-State = 171
>
>
>Thanks for your help once again, Hugh.
>
>
>-Mike Walker
>US Express.net, Inc.
>
>
>------------------------------------------------
>
>Hello Mike -
>
>There are two ways to do this (at least :-)).
>
>The first and simplest is to use cascaded AuthBy's.
>
># define AuthBy clauses
>
><AuthBy FILE>
> Identifier CheckCalledStationId
> Filename %D/calledstations
></AuthBy>
>
><AuthBy ...>
> Identifier YourNormalAuthBy
> .....
></AuthBy>
>
>.....
>
># define Realms
>
><Realm ....>
> AuthBy CheckCalledStationId
> ....
></Realm>
>
>.......
>
>
>The file "%D/calledstations" would contain this:
>
># calledstations
>
>DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
>
>DEFAULT Auth-Type = Reject
>
>
>From your description below I am not sure whether the above will work.
>
>I suspect I may need to see your existing configuration file (no
>secrets) and a bit more detail on exactly what you want to do with the
>Called-Station-Id's.
>
>regards
>
>Hugh
>
>
>On Wednesday, Feb 19, 2003, at 20:09 Australia/Melbourne, Mike Walker
>
>wrote:
>
>
>>This is what I am trying to do:
>>
>>I need to deny authentication to any number in the 865 area code 'other
>>than' 865-999-9999.
>>
>>My current configuration does not include any <Handler>'s yet, but this
>>seems to me like a good place for one. Problem is, I want it based on
>>a
>>'piece' of the Called-Station-ID (area code), and not the whole thing.
>>Basically I just want all subscribers, regardless of realm, not to be
>>able to connect to any other 865 POP but the one number we give them.
>>
>>Please let me know if I am going in the right direction with this, and
>>possibly how to get around the 'part of the Called-Station-ID' issue.
>>Much thanks in advance for the clues!
>>
>>
>>-Mike Walker
>>US Express.net, Inc.
>>
>>===
>>Archive at http://www.open.com.au/archives/radiator/
>>Announcements on radiator-announce at open.com.au
>>To unsubscribe, email 'majordomo at open.com.au' with
>>'unsubscribe radiator' in the body of the message.
>>
>>
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
>
>
>-------------------------------------------------------
>
>
>
--
************************************************************************
Denis Pavani
CINECA - Comunicazioni e Sistemi Distribuiti
NOC - Network Operation Center
phone:+39 0516171953 / fax:+39 0516132198
http://www.cineca.it
************************************************************************
"We are paid to adapt, improvise and achieve the goal"
-- Gunny Highway
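The thread's sticking point is matching only part of the Called-Station-Id (the 865 area code) while exempting one number. The following is an added example, not code from the thread or from Radiator itself: it builds the Perl-style regex that does that match with a negative lookahead, renders it as the check item a Radiator <Handler> clause would take (this assumes, as the Radiator reference documents, that a Handler check value written between slashes is treated as a Perl regex), and runs the check over attributes parsed from a constructed Trace 4 packet dump in the same shape as the debug output quoted above. The allowed number 8652462222 is the one from the poster's own Handler attempt; the user name and the function names are constructed for the example. Because Realms are matched before Handlers, as Denis notes, such a Handler only takes effect once the per-realm clauses are rewritten as <Handler Realm=...> clauses placed after it.

```python
import re

# Policy for this example: lock down the 865 area code so that only the
# provider's own number may be dialled. The allowed number comes from the
# poster's Handler attempt; treating it as the single permitted one is an
# assumption made for the example.
AREA_CODE = "865"
ALLOWED_NUMBERS = {"8652462222"}


def deny_pattern(area_code, allowed_numbers):
    """Build a Perl-compatible regex matching any Called-Station-Id in
    area_code EXCEPT the numbers in allowed_numbers.

    ^865 pins the area code; the negative lookahead (?!...$) excludes the
    exact allowed numbers, so the match is on part of the attribute only."""
    tails = [re.escape(n[len(area_code):]) for n in sorted(allowed_numbers)
             if n.startswith(area_code)]
    if not tails:
        return re.compile(rf"^{re.escape(area_code)}")
    return re.compile(rf"^{re.escape(area_code)}(?!(?:{'|'.join(tails)})$)")


def radiator_check_item(pattern):
    """Render the regex as a Radiator <Handler> check item, i.e.
    Called-Station-Id=/regex/ (assumption: slash-delimited Handler check
    values are evaluated as Perl regexes)."""
    return f"Called-Station-Id=/{pattern.pattern}/"


# One "Name = value" line from the Attributes: section of a packet dump.
_ATTR_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_attributes(dump):
    """Parse the Attributes: section of a Radiator Trace 4 packet dump."""
    attrs = {}
    in_attrs = False
    for line in dump.splitlines():
        if line.strip() == "Attributes:":
            in_attrs = True
            continue
        if not in_attrs or not line.strip():
            continue
        m = _ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def check_called_station(attrs, pattern):
    """Return 'REJECT' if the request dialled a blocked number in the locked
    area code, otherwise 'CONTINUE' (hand the request on to the realm's normal
    AuthBy). A request without Called-Station-Id cannot have dialled a blocked
    number, so it continues; log such requests if every NAS should send it."""
    called = attrs.get("Called-Station-Id", "")
    return "REJECT" if pattern.search(called) else "CONTINUE"


DENY = deny_pattern(AREA_CODE, ALLOWED_NUMBERS)

# Constructed sample dump, shaped like the Access-Request in the thread.
SAMPLE_DUMP = """\
Code: Access-Request
Identifier: 80
Attributes:
\tFramed-Protocol = PPP
\tUser-Name = "user@example.net"
\tNAS-Port = 99
\tCalled-Station-Id = "8652512008"
\tCalling-Station-Id = "8655841684"
\tNAS-Port-Type = Async
\tNAS-IP-Address = 66.19.138.227
"""

if __name__ == "__main__":
    print("Handler check item:", radiator_check_item(DENY))
    for number in ("8652512008", "8652462222", "4235551234"):
        print(number, check_called_station({"Called-Station-Id": number}, DENY))
    print("sample dump:", check_called_station(parse_attributes(SAMPLE_DUMP), DENY))
```

The check item printed by radiator_check_item is what would go into a Handler such as <Handler Called-Station-Id=/^865(?!(?:2462222)$)/> with an AuthBy that rejects, placed before the realm Handlers; adding a second allowed number only extends the alternation inside the lookahead.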