(RADIATOR) Radius

Hugh Irvine hugh at open.com.au
Sun Apr 21 03:59:37 CDT 2002


Hello Barrett -

I suspect you will find that your configuration will work properly with 
Client xxx.xxx.xxx.xxx, but not yyy.yyy.yyy.yyy or zzz.zzz.zzz.zzz. If you 
want to use the "Identifier theirclients", you will have to specify separate 
Client clauses.

# define Clients

<Client xxx.xxx.xxx.xxx>
         Secret XXXXXXXXXXXX
         Identifier theirclients
</Client>

<Client yyy.yyy.yyy.yyy>
         Secret XXXXXXXXXXXX
         Identifier theirclients
</Client>

<Client zzz.zzz.zzz.zzz>
         Secret XXXXXXXXXXXX
         Identifier theirclients
</Client>

You should also check a trace 4 debug from Radiator to verify the format of 
the Called-Station-Id you are receiving from the NAS to make sure it matches 
the Handler specification.

regards

Hugh


On Sun, 21 Apr 2002 09:07, Barrett W Clark wrote:
> Hugh,
>
> I have tried to follow the example below but customers can still dial in on
> that number.
>
> Any suggestions as to what I am doing wrong would be helpful!!  Also on
> improving the radius.cfg file would be greatly appreciated!
>
> regards
>
> bwc
>
> ------Begin radius.cfg-----------
>
> #Foreground
> LogStdout
> LogDir          /usr/local/radius/log
> DbDir           /usr/local/etc/raddb
> # Use a lower trace level in production systems:
> Trace           3
> AuthPort 1645
> AcctPort 1646
>
> #strip realm
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/%//g
>
> <Client localhost>
>          Secret  XXXXXXXX
>          DupInterval 0
> </Client>
>
> # All of our clients are listed here
> <Client host.domain.com>
>          Secret XXXXXXXXXXXX
>          Identifier ourclients
>
>          IdenticalClients host2.domain.com host3.domain.com \
>          host4.domain.com host5.domain.com host6.domain.com \
>          host7.domain.com host8.domain.com
> </Client>
>
> <Client xxx.xxx.xxx.xxx>
>          Secret XXXXXXXXXXXX
>          Identifier theirclients
>
>          IdenticalClients yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz
> </Client>
>
> <Handler Client-Identifier=theirclients,Called-Station-Id="##########">
>          <AuthBy INTERNAL>
>                  DefaultResult REJECT
>          </AuthBy>
> </Handler>
>
> <Handler>
>          <AuthBy DBFILE>
>                  Filename %D/users
>          </AuthBy>
>          AcctLogFileName %L/cd-%Y%m%d
> </Handler>
>
> <Realm DEFAULT>
>          <AuthBy DBFILE>
>                  Filename %D/users
>          </AuthBy>
>          AcctLogFileName %L/cd-%Y%m%d
> </Realm>
>
> <SessionDatabase DBM>
>          # The name of the DBM file. Defaults on %D/online
>          Filename %D/online
> </SessionDatabase>
>
> -----Example of the cd-20020419-------
>
> Sat Apr 20 06:47:59 2002
>          NAS-IP-Address = xxx.xxx.xxx.xxx
>          NAS-Port = $$$$
>          NAS-Port-Type = Async
>          Called-Station-Id = "##########"
>          Calling-Station-Id = "**********"
>          Acct-Status-Type = Start
>          Acct-Authentic = RADIUS
>          Service-Type = Framed-User
>          Acct-Session-Id = "000DDF72"
>          Framed-Protocol = PPP
>          Acct-Link-Count = 1
>          Ascend-Num-In-Multilink = 1
>          Acct-Multi-Session-Id = "156668"
>          Framed-IP-Address = ooo.ooo.ooo.ooo
>          Ascend-Multilink-ID = 156668
>          Acct-Delay-Time = 0
>          User-Name = "username"
>
> At 08:15 AM 4/17/2002 +1000, Hugh Irvine wrote:
> >Hello Barrett -
> >
> >In my example below, you would reject all calls to a particular
> >Called-Station-Id on the Clients with "Identifier somewhere".
> >
> >Ie. "######" is the number you want to deny.
> >
> ><Handler Client-Identifier = somewhere, Called-Station-Id = 12345>
> >
> >You could also use regular expressions in the <Handler ....>.
> >
> >regards
> >
> >Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
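
Added example, not part of the original messages or of Radiator: a small Python check for the step Hugh recommends, confirming which Called-Station-Id format each NAS actually sends before relying on a Handler match. It reads the accounting detail layout quoted in the thread rather than trace 4 output (an assumption); the sample records, addresses, numbers and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the detail-file layout quoted in the thread:
# a timestamp line, then indented "Attribute = value" lines.
SAMPLE = """\
Sat Apr 20 06:47:59 2002
        NAS-IP-Address = 192.0.2.10
        Called-Station-Id = "5550100"
        User-Name = "alice"

Sat Apr 20 06:52:13 2002
        NAS-IP-Address = 192.0.2.11
        Called-Station-Id = "015550100"
        User-Name = "bob"

Sat Apr 20 07:01:40 2002
        NAS-IP-Address = 192.0.2.10
        Called-Station-Id = "5550199"
        User-Name = "carol"
"""

ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Yield one {attribute: value} dict per logged record."""
    rec = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            rec[m.group(1)] = m.group(2)
        elif rec:  # a blank or timestamp line closes the current record
            yield rec
            rec = {}
    if rec:
        yield rec

def called_ids_by_nas(text):
    """Map each NAS-IP-Address to the Called-Station-Id values it sent."""
    seen = defaultdict(set)
    for rec in parse_records(text):
        seen[rec.get("NAS-IP-Address", "?")].add(rec.get("Called-Station-Id", ""))
    return dict(seen)

def near_misses(text, blocked):
    """(NAS, value) pairs that contain the blocked number but are not equal to it."""
    return sorted((nas, cid) for nas, ids in called_ids_by_nas(text).items()
                  for cid in ids if blocked in cid and cid != blocked)

if __name__ == "__main__":
    print(called_ids_by_nas(SAMPLE))
    print(near_misses(SAMPLE, "5550100"))
```

Any pair reported by `near_misses` is a NAS sending the number with a prefix or suffix, so its value differs from the plain number written in the Handler specification.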

