(RADIATOR) Many Clients, many secrets, same Auth ...

Peter Palmreuther lists at pitpalme.de
Fri Dec 14 12:15:51 CST 2001


Hello List,

I've got a problem. I have a list of many clients, each with a unique
secret. But all of them should authenticate against the same
SQL database. I want to avoid any client other than those known to me
being able to authenticate with my Radiator (v 2.19). Sadly I have only
the IP addresses of those clients.

If I insert them all in a DB-table and use a <ClientListSQL> statement
like this:

<ClientListSQL>
       DBSource        dbi:mysql:<db>:<host>:<port>
       DBUsername      <dbusername>
       DBAuth          <dbpassword>
       Identifier      Example
       GetClientQuery  select NASIDENTIFIER,SECRET from RADCLIENTLIST
</ClientListSQL>

And use a <Handler> statement like this:

<Handler Request-Type=Access-Request,Client-Identifier=Example>
        MaxSessions 1
        RejectHasReason
        UsernameCharset a-zA-Z0-9\.-_@\#\%
        RewriteUsername s/^([^@]+).*?/$1/
        <AuthBy SQL>
                <some stuff that works>
        </AuthBy>
</Handler>

plus a default Handler

<Handler>
</Handler>

How do I get Radiator to set 'Client-Identifier' to 'Example' if the
NAS-IP-Address is listed in the table 'RADCLIENTLIST'?

I've tested it with the 'radpwtst' tool, even in the GUI variant, and
inserted an entry in the table with 'NASIDENTIFIER=127.0.0.1' and the
correct secret. 'radpwtst' is connecting to the Radiator at localhost.
The Request is rejected because it is handled by the default handler.
I don't know the NAS-Identifier-String, only the IP-Addresses.
Is it possible to have them all handled this way or do I need to
insert dozens of

<Client 'IP-Address-01'>
        Secret whatever
</Client>
<Client 'IP-Address-02'>
        Secret somethingotherthanfirst
</Client>

and a
<Client DEFAULT>
        Secret  youneverguessthis
</Client>

just to be sure _only_ these clients are able to auth?
I mean, even the 'youneverguess' secret can be guessed and this way
additional clients could auth ...

There must be a simpler way, or am I wrong?

Thx for answering in advance
-- 
Best regards,
 Peter                          mailto:lists at pitpalme.de
