(RADIATOR) AuthBy Radius, limiting Calling ID stations

Mike McCauley mikem at open.com.au
Thu Jul 12 19:38:10 CDT 2001


--- Forwarded mail from owner-radiator at open.com.au

From: owner-radiator at open.com.au
Date: Wed, 11 Jul 2001 19:36:25 -0500
To: radiator-approval at open.com.au
Subject: BOUNCE radiator at open.com.au: Non-member submission from [Harrison Ng <Harrison_Ng at hksmartone.com>]

From: Harrison Ng <Harrison_Ng at hksmartone.com>
To: "'dagocl at team.ph.inter.net'" <dagocl at team.ph.inter.net>,
   "'radiator at open.com.au'" <radiator at open.com.au>
Cc: Harrison Ng <Harrison_Ng at hksmartone.com>
Subject: RE: (RADIATOR) AuthBy Radius, limiting Calling ID stations
Date: Thu, 12 Jul 2001 10:27:31 +0800

Lloyd,

I guess you want the radius proxy to screen out unwanted calling-station-ids
before passing the auth packet to the remote radius server. Am I right?

Here is my suggestion:-

1. Put all calling-station-id into a database table. My example is a mysql
db.
2. Construct <AuthBy SQL>, the SELECT statement will search and compare the
calling-station-id.
3. Put AuthByPolicy, and two AuthBy clauses.
4. Do some tests under trace 4, watch radiator behaviour and fine tune
radius.cfg to suit your needs.


The advantage of using a db to store the calling-station-id:-
1. Redirect loading of the proxy server to the db server. (assume both servers are in
different boxes)
2. Make radius.cfg shorter and easier to read.



Regards,
Harrison


P.S. If anybody has a better suggestion, your comments are welcome.




<AuthBy RADIUS>
        Identifier proxyserver

        Host xxx.xxx.xxx.xxx
        Secret xxx
        AuthPort 1812
        AcctPort 1813

</AuthBy>



<AuthBy SQL>
        Identifier callfromsomewhere

        DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
        DBUsername xxx
        DBAuth xxx

        AuthSelect select callerid from CALLTABLE where callerid = '%{Calling-Station-Id}'

        AuthColumnDef 0, Calling-Station-Id, check

        NoDefault
</AuthBy>



<Handler Client-Id = xxx.xxx.xxx.xxx>

        AuthByPolicy ContinueWhileAccept

        AuthBy callfromsomewhere
        AuthBy proxyserver

</Handler>
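An added example, not part of the original post and not Radiator code, that models how the three clauses above interact under AuthByPolicy ContinueWhileAccept: an in-memory SQLite table stands in for the MySQL CALLTABLE, a stub stands in for the remote RADIUS server, the table contents are constructed, and the lookup uses a parameterized query rather than interpolating the attribute into the SQL text.

```python
import sqlite3

# Constructed sample contents of CALLTABLE: one row per permitted Calling-Station-Id.
ALLOWED_CALLERIDS = ["1234", "91836724912", "913240123"]


def make_calltable():
    """Build the CALLTABLE that the AuthBy SQL clause queries (SQLite in memory here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CALLTABLE (callerid TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO CALLTABLE VALUES (?)", [(c,) for c in ALLOWED_CALLERIDS])
    return db


def authby_sql(db, request):
    """Model of <AuthBy SQL callfromsomewhere>: AuthSelect looks the caller id up,
    AuthColumnDef 0 turns column 0 into a Calling-Station-Id check item, and
    NoDefault means a missing row is a REJECT rather than a fall back to DEFAULT."""
    csid = request.get("Calling-Station-Id")
    if csid is None:
        return "REJECT"
    # Bound parameter: a value such as "1234' OR '1'='1" is compared literally.
    row = db.execute("SELECT callerid FROM CALLTABLE WHERE callerid = ?", (csid,)).fetchone()
    if row is None:
        return "REJECT"
    return "ACCEPT" if row[0] == csid else "REJECT"  # the check item must match


def authby_radius_proxy(request, proxied):
    """Stand-in for <AuthBy RADIUS proxyserver>: records that the request was
    forwarded. Assumed for the example: the remote server accepts."""
    proxied.append(request["User-Name"])
    return "ACCEPT"


def handler_continue_while_accept(db, request, proxied):
    """AuthByPolicy ContinueWhileAccept: run the AuthBy clauses in order and stop
    at the first result that is not ACCEPT; the last result is the Handler's."""
    chain = [lambda r: authby_sql(db, r), lambda r: authby_radius_proxy(r, proxied)]
    result = "REJECT"
    for authby in chain:
        result = authby(request)
        if result != "ACCEPT":
            break  # SQL check failed: the request is never proxied
    return result
```

A request whose Calling-Station-Id is not in the table is rejected by the first clause and never reaches the proxy, which is the behaviour the trace 4 output should confirm.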




-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
Behalf Of lloyd
Sent: Wednesday, July 11, 2001 2:56 PM
To: radiator at open.com.au
Subject: (RADIATOR) AuthBy Radius, limiting Calling ID stations


hi there,
this is what we have right now....we have this radius that does
authentication...our radius also does proxying to other radius by AuthBy
Radius clause...our problem right now is how do we limit the users say
user01 at realm1 from dialling at Calling-Station-Id, say 1234?

the complication: if our radius finds out that the user has realm =
realm1, it proxies it to another radius server but before our radius
server proxies that particular user, we need to find out if that user is
dialling the correct Calling-Station-Id....so the question is how do we
proxy to another radius together with limiting that particular user from
dialling to a set of numbers..

does this work? or do you have any suggestions in mind?

<Handler Calling-Station-Id = /123445 | 91836724912 | 913240123/ ,
Client-Id=/202.202.202.202/>
    <AuthBy RADIUS>
                Host  ********
                Secret  *******
                AuthPort
                AcctPort
    </AuthBy>
</Handler>

p.s.
follow-up: how do we bind to NO PORT...i mean how do we reject
completely a user....say for
example....NOT BINDING TO AN AUTHPORT OR NOT BINDING TO AN ACCTPORT?


that's all i guess
thank you
hope you can reply soon


Lloyd Brian V. Dagoc
Consulting Engineer
InterDotNet Philippines Incorporated

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.




---End of forwarded mail from owner-radiator at open.com.au

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X