[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Heikki Vatiainen hvn at open.com.au
Mon Jun 9 14:26:51 CDT 2014


On 06/09/2014 08:31 PM, Michael Rodrigues wrote:

> I got the non-EAP handler setup and made a handler specifically for
> Accounting Requests.

Good to hear it works.

> The only issue I can find with my config is that users can circumvent my
> UserBlacklist by changing the capitalization of their username. I'm
> surprised Active Directory allows this, but we had a similar problem
> when we were authing against LDAP.

The syntax in the link below and what you have has a small but important
bug. Try something like this (notice the comma):

DEFAULT User-Name = /^mrodrigues$/i, Auth-Type = Reject:Blacklisted

Otherwise it should go as Hugh wrote.

> I tried implementing the solution here:
> http://www.open.com.au/pipermail/radiator/2013-February/018882.html
> 
> But I can still authenticate as "Mrodrigues" when I have "DEFAULT
> User-Name = /^mrodrigues$/i Auth-Type = Reject" in the users file. I did
> also have the "DEFAULT Auth-Type = Accept" at the end. I tried changing
> the default "Accept" to "Reject":

I think it should go as in the example as soon as you have correctly
separated the reply attributes with a comma.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
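A simplified model of how a users-file check line is matched, added here as an illustration and not Radiator's own parser (the comma-separated "Attr = value" / "Attr = /regex/flags" parsing rules are an assumption). It shows why the line without the comma never rejects anyone, and why the /i flag is what closes the capitalization bypass:

```python
import re

# Assumed (simplified) users-file grammar: check items separated by commas,
# each "Attr = value" or "Attr = /regex/flags". Not Radiator's real parser.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.+?)\s*$')
REGEX_RE = re.compile(r'^/(.*)/([a-z]*)$')

def parse_check_items(line):
    """Split a check line on commas and parse each item into (attr, expected)."""
    items = []
    for raw in line.split(','):
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"malformed check item: {raw!r}")
        items.append((m.group(1), m.group(2)))
    return items

def item_matches(value, expected):
    """Regex match when written as /.../flags (honouring /i), else exact compare."""
    m = REGEX_RE.match(expected)
    if m:
        flags = re.IGNORECASE if 'i' in m.group(2) else 0
        return re.search(m.group(1), value, flags) is not None
    return value == expected

def evaluate(check_line, request):
    """Return the entry's Auth-Type (e.g. 'Reject:Blacklisted') when every other
    check item matches the request attributes, or None when the entry does not apply."""
    auth_type = None
    for attr, expected in parse_check_items(check_line):
        if attr == 'Auth-Type':
            auth_type = expected
        elif not item_matches(request.get(attr, ''), expected):
            return None
    return auth_type

if __name__ == '__main__':
    fixed = "User-Name = /^mrodrigues$/i, Auth-Type = Reject:Blacklisted"
    no_comma = "User-Name = /^mrodrigues$/i Auth-Type = Reject"
    no_iflag = "User-Name = /^mrodrigues$/, Auth-Type = Reject:Blacklisted"
    for name in ("mrodrigues", "Mrodrigues", "alice"):   # constructed sample users
        req = {"User-Name": name}
        print(name, "fixed:", evaluate(fixed, req),
              "no comma:", evaluate(no_comma, req),
              "no /i:", evaluate(no_iflag, req))
```

Without the comma the whole tail becomes one unparseable User-Name value that can never equal a real username, so the entry silently never fires; without /i the entry fires only for the exact lowercase spelling.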
