(RADIATOR) Many Clients, many secrets, same Auth ...

Hugh Irvine hugh at open.com.au
Fri Dec 14 19:13:47 CST 2001


Hello Peter -

You can also include an Identifier field in your ClientListSQL table

    select NASIDENTIFIER,SECRET,NULL,NULL, \
        NULL,NULL,NULL,NULL, \
        NULL,NULL,NULL,NULL, \
        NULL,NULL,IDENTIFIER from RADCLIENTLIST

and use a query like this, which will add the Identifier that you specify to 
each Client clause.

Then the Handlers that you show below will work as you wish.

regards

Hugh


On Sat, 15 Dec 2001 05:15, Peter Palmreuther wrote:
> Hello List,
>
> I've got a problem. I have a list of many clients, each with a unique
> secret. But all of them should authenticate against the same
> SQL database. I want to avoid any client other than those known to me
> being able to authenticate with my Radiator (v 2.19). Sadly I have only
> the IP addresses of those clients.
>
> If I insert them all in a DB-table and use a <ClientListSQL> statement
> like this:
>
> <ClientListSQL>
>        DBSource        dbi:mysql:<db>:<host>:<port>
>        DBUsername      <dbusername>
>        DBAuth          <dbpassword>
>        Identifier      Example
>        GetClientQuery  select NASIDENTIFIER,SECRET from RADCLIENTLIST
> </ClientListSQL>
>
> And use a <Handler> statement like this:
>
> <Handler Request-Type=Access-Request,Client-Identifier=Example>
>         MaxSessions 1
>         RejectHasReason
>         UsernameCharset a-zA-Z0-9\.-_@\#\%
>         RewriteUsername s/^([^@]+).*?/$1/
>         <AuthBy SQL>
>                 <some stuff that works>
>         </AuthBy>
> </Handler>
>
> plus a default Handler
>
> <Handler>
> </Handler>
>
> How do I bring Radiator to set 'Client-Identifier' to 'Example' if the
> NAS-IP-Address is listed in the table 'RADCLIENTLIST'???
>
> I've tested it with the 'radpwtst' tool, even in the GUI variant, and
> inserted an entry in the table with 'NASIDENTIFIER=127.0.0.1' and the
> correct secret. 'radpwtst' is connecting to the Radiator at localhost.
> The Request is rejected because it is handled by the default handler.
> I don't know the NAS-Identifier string, only the IP addresses.
> Is it possible to have them all handled this way or do I need to
> insert dozens of
>
> <Client 'IP-Address-01'>
>         Secret whatever
> </Client>
> <Client 'IP-Address-02'>
>         Secret somethingotherthanfirst
> </Client>
>
> and a
> <Client DEFAULT>
>         Secret  youneverguessthis
> </Client>
>
> just to be sure _only_ these clients are able to auth?
> I mean, even the 'youneverguess' secret can be guessed and this way
> additional clients could auth ...
>
> There must be a simpler way, or am I wrong?
>
> Thx for answering in advance

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
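An added example, written for this archive page and not taken from the thread or from Radiator's own code, of the arrangement Hugh describes: a client table keyed by NAS source address, one secret per row and a shared Identifier, a lookup that drops requests from addresses not in the table, a check of the Access-Request's Message-Authenticator (RFC 2869: HMAC-MD5 keyed with that client's secret over the packet with the attribute value zeroed), and Handler selection by Identifier. The three-column table, the sqlite stand-in for RADCLIENTLIST, the 'Example' Identifier and all function names are assumptions; the Message-Authenticator is the part of an Access-Request that a server can actually verify against the shared secret, which is why a catch-all client with a guessable secret, the situation Peter wants to avoid, would let any source through.

```python
import hashlib
import hmac
import os
import sqlite3
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14

# Constructed stand-in for the RADCLIENTLIST table in the thread: one row per
# NAS source address, each with its own secret, all tagged with the same
# Identifier so a single Handler clause can select them (assumed layout).
CLIENT_ROWS = [
    ("127.0.0.1", "s3cret-for-localhost", "Example"),
    ("192.0.2.10", "another-unique-secret", "Example"),
]


def build_client_table():
    db = sqlite3.connect(":memory:")
    db.execute("create table RADCLIENTLIST "
               "(NASIDENTIFIER text primary key, SECRET text, IDENTIFIER text)")
    db.executemany("insert into RADCLIENTLIST values (?, ?, ?)", CLIENT_ROWS)
    return db


def lookup_client(db, nas_ip):
    """Return (NASIDENTIFIER, SECRET, IDENTIFIER) or None for an unlisted source."""
    return db.execute(
        "select NASIDENTIFIER, SECRET, IDENTIFIER from RADCLIENTLIST "
        "where NASIDENTIFIER = ?", (nas_ip,)).fetchone()


def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, identifier, username, request_authenticator):
    """Client side: an Access-Request carrying a Message-Authenticator, which is
    HMAC-MD5(secret) over the whole packet with the attribute value zeroed."""
    leading = encode_attr(ATTR_USER_NAME, username.encode())
    ma_value_offset = 20 + len(leading) + 2      # header + earlier attrs + type/len
    attrs = leading + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
              + request_authenticator + attrs)
    mac = hmac.new(secret.encode(), packet, hashlib.md5).digest()
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    off = 20
    while off < len(packet):
        attr_type, length = struct.unpack_from("!BB", packet, off)
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, off + 2, packet[off + 2:off + length]
        off += length


def verify_message_authenticator(packet, secret):
    for attr_type, value_off, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:value_off] + bytes(16) + packet[value_off + 16:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # no Message-Authenticator: nothing binds the secret to this request


def dispatch(db, src_ip, packet):
    """Server side: Client lookup by source address, then Handler selection by Identifier."""
    client = lookup_client(db, src_ip)
    if client is None:
        return ("drop", "no Client entry for source address")
    _, secret, identifier = client
    if not verify_message_authenticator(packet, secret):
        return ("drop", "Message-Authenticator check failed for this client's secret")
    if packet[0] == ACCESS_REQUEST and identifier == "Example":
        return ("handle", "Handler Request-Type=Access-Request,Client-Identifier=Example")
    return ("handle", "default Handler")


if __name__ == "__main__":
    db = build_client_table()
    pkt = build_access_request("s3cret-for-localhost", 7, "peter", os.urandom(16))
    print(dispatch(db, "127.0.0.1", pkt))      # listed source, right secret
    print(dispatch(db, "203.0.113.5", pkt))    # unlisted source: dropped
```

Run it directly to see a listed source accepted and an unlisted one dropped. The `<Client DEFAULT>` clause Peter wants to avoid corresponds to lookup_client() returning a catch-all row for every address, at which point only the secret stands between an unknown sender and the Handler.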
(RADIATOR) Authentication...

Hugh Irvine hugh at open.com.au
Sat, 15 Dec 2001 12:25:26 +1100
To: GwangHee Yi gwanghee at neworbit.net, radiator at open.com.au


Hello GwangHee -

The standard behaviour for Radiator is to look for the exact username, then 
DEFAULT, DEFAULT1, DEFAULT2, etc. You can change this by adding NoDefault (or 
NoDefaultIfFound) to your AuthBy clause.

	<AuthBy SQL>
		......
		NoDefault
		.....
	</AuthBy>

Have a look at sections 6.16.11 and 6.16.12 in the Radiator 2.19 reference 
manual ("doc/ref.html").


regards

Hugh


On Sat, 15 Dec 2001 08:11, GwangHee Yi wrote:
> Dear Hugh,
>
> I am trying to authenticate call number 17607614701.
> If the user is not in the DB, Radiator tries to authenticate username='DEFAULT'.
> Why?
>
> Below is configuration and debug....
>
> Thanks,
>
> Configuration......
> ++++++++++++++++++++++++++++++++++++++++++
> <Realm DEFAULT>
>     <AuthBy SQL>
>         # Adjust DBSource, DBUsername, DBAuth to suit your DB
>         DBSource        dbi:mysql:radius
>         DBUsername      *****
>         DBAuth          *******
>
>         # Auth Statements
>
>         AuthSelect SELECT password,replyattr FROM subscribers WHERE username = '%n'
>         AuthColumnDef 0, User-Password, check
>         AuthColumnDef 1, GENERIC, reply
>     </AuthBy>
> </Realm>
>
> Debug...
> ++++++++++++++++++++++++++++++++++++++++++
> Bla Bla...........
>
> Fri Dec 14 14:01:06 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Dec 14 14:01:06 2001: DEBUG: Deleting session for 17607614701, *.*.*.*,
> Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM subscribers WHERE username = '17607614701'
> Fri Dec 14 14:01:06 2001: DEBUG: Radius::AuthSQL looks for match with 17607614701
> Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM subscribers WHERE username = 'DEFAULT'
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

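An added example, not the thread's text or Radiator's code, of the lookup order Hugh describes and what the two options change. It uses a sqlite stand-in for the subscribers table and the same SELECT shape as GwangHee's AuthSelect (with a bound parameter in place of '%n'); the mode argument, the stop-at-first-missing-DEFAULTn rule and the reading of NoDefault versus NoDefaultIfFound are my assumptions drawn from the reply, and the table rows are constructed.

```python
import hmac
import sqlite3

# Constructed subscribers table standing in for the one in the thread.
# The DEFAULT row is the catch-all that the debug output shows being queried.
SUBSCRIBERS = [
    ("17607614701", "right-pass", "Framed-Protocol = PPP"),
    ("DEFAULT", "letmein", "Framed-Protocol = PPP"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers "
               "(username TEXT PRIMARY KEY, password TEXT, replyattr TEXT)")
    db.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", SUBSCRIBERS)
    return db


def fetch(db, name):
    # Same shape as the AuthSelect in the thread, bound parameter instead of '%n'
    return db.execute("SELECT password, replyattr FROM subscribers WHERE username = ?",
                      (name,)).fetchone()


def check(row, password):
    # Plaintext check item, as AuthColumnDef 0, User-Password, check implies
    return hmac.compare_digest(row[0].encode(), password.encode())


def authenticate(db, username, password, mode="default"):
    """Return (accepted, matched_username, queried_names).

    mode: 'default'          exact name, then DEFAULT, DEFAULT1, ... until one is missing
          'nodefault'        exact name only (NoDefault)
          'nodefaultiffound' no DEFAULT fallback once the exact name exists but its
                             check items fail (NoDefaultIfFound)
    This is an assumed model of the behaviour described in the reply, not Radiator's code.
    """
    queried = [username]
    row = fetch(db, username)
    if row is not None:
        if check(row, password):
            return True, username, queried
        if mode == "nodefaultiffound":
            return False, None, queried
    if mode == "nodefault":
        return False, None, queried
    n = 0
    while True:
        name = "DEFAULT" if n == 0 else "DEFAULT%d" % n
        queried.append(name)
        row = fetch(db, name)
        if row is None:           # ran out of DEFAULT entries
            return False, None, queried
        if check(row, password):
            return True, name, queried
        n += 1


if __name__ == "__main__":
    db = build_db()
    for mode in ("default", "nodefault", "nodefaultiffound"):
        # A number that is not in the table, with the DEFAULT row's password
        print(mode, authenticate(db, "unknown-number", "letmein", mode))
```

The second case in the loop is the one worth noticing: with the default lookup order, a caller not in the table is accepted through the DEFAULT row, and a known caller with a wrong password gets a second chance against it; NoDefault removes both.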

