(RADIATOR) How to reject users in a file

Forbes Mike Mike.Forbes at Colorado.EDU
Wed Nov 26 11:11:27 CST 2003


What version did you test under?  I am using it under 3.1.  I also use a
handler not a realm.  I am wondering if this is a version issue with
radiator. My continue until rejects works without the first authby file.
The first authby file is the file with the auth-type reject in it.

Mike

My config is this:

Note: I have commented and uncommented AuthyBy GROUP out, I have stopped
and restarted radius with the init script.  The trace 4 is below.
<Handler Realm=MODEMS,NAS-Port-Type=Virtual>
        RewriteUsername s/^([^@]+).*/$1/
       <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
               <AuthBy FILE>
                         Filename %D/reject_modem.users
                         AcceptIfMissing
                </AuthBy>
                <AuthBy FILE>
                        Filename %D/backbone_users
                </AuthBy>
                <AuthBy PAM>
                        Fork
                        Service radiusd
                </AuthBy>
       </AuthBy>
        AuthLog Backbone_Login_Failures
        # Log accounting to a detail file
        AcctLogFileName %L/modems_backbone_users.log
</Handler>

Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler
'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
Wed Nov 26 09:57:44 2003: DEBUG:  Deleting session for username,
192.168.x.x, 98
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:


Now to simplify this even more I took out all the authby's execpt the file
with the reject in it.  I was still able to log on, the debug is below



Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler
'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
Wed Nov 26 10:05:57 2003: DEBUG:  Deleting session for username,
192.168.x.xB, 98
Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with
username
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username

On Wed, 26 Nov 2003, Hugh Irvine wrote:

>
> Hello Mike -
>
> I have done some testing here (as has Mike) and neither of us has this
> problem.
>
> Here is my configuration file (which also works with
> ContinueUntilReject):
>
> <Realm DEFAULT>
>          AuthByPolicy ContinueWhileAccept
>          <AuthBy FILE>
>                  Filename ./users.reject
>                  AcceptIfMissing
>          </AuthBy>
>          <AuthBy FILE>
>                  Filename ./users
>          </AuthBy>
>          <AuthBy FILE>
>                  Filename ./users
>          </AuthBy>
>          # Log accounting to a detail file
>          AcctLogFileName ./detail-%G
> </Realm>
>
>
> Here is the "users.reject" file:
>
> username Auth-Type = Reject
>
>
> And here is the trace 4:
>
> perl radpwtst -user username -noacct
> sending Access-Request...
> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 49663 ....
> Code:       Access-Request
> Identifier: 196
> Authentic:  1234567890123456
> Attributes:
>          User-Name = "username"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Port = 1234
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          NAS-Port-Type = Async
>          User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Nov 26 18:17:01 2003: DEBUG:  Deleting session for username,
> 203.63.154.1, 1234
> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected
> explicitly by Auth-Type=Reject
> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 49663 ....
> Code:       Access-Reject
> Identifier: 196
> Authentic:  1234567890123456
> Attributes:
>          Reply-Message = "Request Denied"
>
>
> I can only suggest you try setting up a simple test configuration to
> try it first.
>
> Perhaps you are not editing the correct file(s) and/or you have not
> restarted "radiusd"?
>
> regards
>
> Hugh
>
>
> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
>
> >
> > I get the following trace 4 with ContinueWhileAccept
> >
> > Mike
> >
> >
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
> > 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
> > Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
> > Tue Nov 25 11:36:11 2003: DEBUG:  Deleting session for username,
> > 192.168.x.x, 9
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> > Rejected explicitly by Auth-Type=Reject
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
> > Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
> > Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
> > Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
> >
> > Code:       Access-Accept
> >
> >
> > On Tue, 25 Nov 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> Thanks for your mail - how curious!
> >>
> >> I wonder if you could try to change the configuration to:
> >>
> >> 		AuthByPolicy ContinueWhileAccept
> >>
> >> and see what happens.
> >>
> >> I'll also forward your mail to Mike.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
> >>
> >>>
> >>> Hi Hugh,
> >>>
> >>> It would seem the continue until reject is not functioning correctly
> >>> in
> >>> this case. The debug show the reject but continues on.
> >>>
> >>> I tried the following:
> >>>
> >>>        RewriteUsername s/^([^@]+).*/$1/
> >>>         <AuthBy GROUP>
> >>>                 AuthByPolicy ContinueUntilReject
> >>>                 <AuthBy FILE>
> >>>                          Filename %D/reject_modem.users
> >>>                          AcceptIfMissing
> >>>                  </AuthBy>
> >>>
> >>>                 <AuthBy FILE>
> >>>                         Filename %D/backbone_users
> >>>                 </AuthBy>
> >>>                 <AuthBy PAM>
> >>>                         Fork
> >>>                         Service radiusd
> >>>                 </AuthBy>
> >>>         </AuthBy>
> >>>         AuthLog Modem_Login_Failures
> >>>         # Log accounting to a detail file
> >>>         AcctLogFileName %L/modem_pool_backbone_users.log
> >>>
> >>>
> >>> with the reject_modem.users containing
> >>> username Auth-Type=Reject
> >>>
> >>> The user can still get on.  The debug is below:
> >>>  Radiator 3.1
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> >>> Mon Nov 24 11:43:05 2003: DEBUG:  Deleting session for username,
> >>> 192.168.x.x, 53
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
> >>> with
> >>> username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> >>> Rejected explicitly by Auth-Type=Reject
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
> >>> with
> >>> username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> >>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >>>
> >>>
> >>>
> >>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >>>
> >>>>
> >>>> Hello Mike -
> >>>>
> >>>> Yes this is quite simple to acheive.
> >>>>
> >>>> <Handler Realm=MODEMS>
> >>>>          RewriteUsername s/^([^@]+).*/$1/
> >>>>          <AuthBy GROUP>
> >>>>                  AuthByPolicy ContinueUntilReject
> >>>>
> >>>>                  <AuthBy FILE>
> >>>>                          Filename %D/reject.users
> >>>>                          AcceptIfMissing
> >>>>                  </AuthBy>
> >>>>
> >>>>                  <AuthBy PAM>
> >>>>                          Fork
> >>>>                          Service radiusd
> >>>>                  </AuthBy>
> >>>>
> >>>>          </AuthBy>
> >>>>          AuthLog Modem_Login_Failures
> >>>>           AcctLogFileName %L/Modems.log
> >>>> </Handler>
> >>>>
> >>>>
> >>>> The file "%D/reject.users" would contain something like this:
> >>>>
> >>>> # reject.users
> >>>>
> >>>> username1	Auth-Type = Reject
> >>>>
> >>>> username2	Auth-Type = Reject
> >>>>
> >>>> .......
> >>>>
> >>>>
> >>>> If you have any other questions, please contact me.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>>
> >>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
> >>>> wrote:
> >>>>
> >>>>>
> >>>>> I have a request to block certain users access to our modem pool.
> >>>>>
> >>>>> Users are first authenticated by kerb via PAM.  What I would like
> >>>>> to
> >>>>> do is
> >>>>> have radius then check to see if they are listed in a file and
> >>>>> reject
> >>>>> them
> >>>>> only if they are listed.  If they are not in the file they can
> >>>>> logon.
> >>>>>
> >>>>> I saw the username authtype example in the manual, is there a way
> >>>>> to
> >>>>> do
> >>>>> this in a file for a larger number?
> >>>>>
> >>>>> Could you do the AuthByPolicy ContinueWhileReject and put this
> >>>>> before
> >>>>> my
> >>>>> authbypam below?
> >>>>>
> >>>>> My handler is below.
> >>>>>
> >>>>> Mike Forbes
> >>>>>
> >>>>>
> >>>>> <Handler Realm=MODEMS>
> >>>>>         RewriteUsername s/^([^@]+).*/$1/
> >>>>>         <AuthBy GROUP>
> >>>>>                 AuthByPolicy ContinueUntilReject
> >>>>>                 <AuthBy PAM>
> >>>>>                         Fork
> >>>>>                         Service radiusd
> >>>>>                 </AuthBy>
> >>>>>         </AuthBy>
> >>>>>         AuthLog Modem_Login_Failures
> >>>>>          AcctLogFileName %L/Modems.log
> >>>>> </Handler>
> >>>>>
> >>>>>
> >>>>> ===
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on radiator-announce at open.com.au
> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>>
> >>>>
> >>>> NB: have you included a copy of your configuration file (no
> >>>> secrets),
> >>>> together with a trace 4 debug showing what is happening?
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS server
> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical, extensible,
> >>>> flexible with hardware, software, platform and database
> >>>> independence.
> >>>>
> >>>> ===
> >>>> Archive at http://www.open.com.au/archives/radiator/
> >>>> Announcements on radiator-announce at open.com.au
> >>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>> 'unsubscribe radiator' in the body of the message.
> >>>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >>
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list