(RADIATOR) Radius

Hugh Irvine hugh at open.com.au
Fri Apr 26 19:27:07 CDT 2002


Hello Barrett -

As mentioned previously, you will need to verify a trace 4 debug from 
Radiator to see exactly what you are receiving in the requests you want to 
deny and then construct the appropriate Handler in consequence.

You could try something like this:

<Handler NAS-Identifier=/...|...|.../,Called-Station-Id="##########">
         <AuthBy INTERNAL>
                 DefaultResult REJECT
         </AuthBy>
</Handler>

where ...|...|... are the three NAS-Identifiers in question.

regards

Hugh


On Sat, 27 Apr 2002 00:15, Barrett W Clark wrote:
> Hugh,
>
> After making the changes, I am still not able to stop the incoming calls.
>
> I have been informed the leased Clients (xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
> and zzz.zzz.zzz.zzz) are not the IPs of their NASes but of their radius
> servers.
>
> In the logs, I show them (customers dialing the number I want to deny) to
> be on 3 different NAS-Identifiers.
>
> The 3 NAS-Identifiers are not in the radius.cfg.
>
> Any suggestions?
>
> bwc
>
> At 06:59 PM 4/21/2002 +1000, Hugh Irvine wrote:
> >Hello Barrett -
> >
> >I suspect you will find that your configuration will work properly with
> >Client xxx.xxx.xxx.xxx, but not yyy.yyy.yyy.yyy or zzz.zzz.zzz.zzz. If you
> >want to use the "Identifier theirclients", you will have to specify
> > separate Client clauses.
> >
> ># define Clients
> >
> ><Client xxx.xxx.xxx.xxx>
> >          Secret XXXXXXXXXXXX
> >          Identifier theirclients
> ></Client>
> >
> ><Client yyy.yyy.yyy.yyy>
> >          Secret XXXXXXXXXXXX
> >          Identifier theirclients
> ></Client>
> >
> ><Client zzz.zzz.zzz.zzz>
> >          Secret XXXXXXXXXXXX
> >          Identifier theirclients
> ></Client>
> >
> >You should also check a trace 4 debug from Radiator to verify the format
> > of the Called-Station-Id you are receiving from the NAS to make sure it
> > matches the Handler specification.
> >
> >regards
> >
> >Hugh
> >
> >On Sun, 21 Apr 2002 09:07, Barrett W Clark wrote:
> > > Hugh,
> > >
> > > I have tried to follow the example below but customers can still dial
> > > in on that number.
> > >
> > > Any suggestions as to what I am doing wrong would be helpful!!  Also on
> > > improving the radius.cfg file would be greatly appreciated!
> > >
> > > regards
> > >
> > > bwc
> > >
> > > ------Begin radius.cfg-----------
> > >
> > > #Foreground
> > > LogStdout
> > > LogDir          /usr/local/radius/log
> > > DbDir           /usr/local/etc/raddb
> > > # Use a lower trace level in production systems:
> > > Trace           3
> > > AuthPort 1645
> > > AcctPort 1646
> > >
> > > #strip realm
> > > RewriteUsername s/^([^@]+).*/$1/
> > > RewriteUsername s/%//g
> > >
> > > <Client localhost>
> > >          Secret  XXXXXXXX
> > >          DupInterval 0
> > > </Client>
> > >
> > > # All of our clients are listed here
> > > <Client host.domain.com>
> > >          Secret XXXXXXXXXXXX
> > >          Identifier ourclients
> > >
> > >          IdenticalClients host2.domain.com host3.domain.com \
> > >          host4.domain.com host5.domain.com host6.domain.com \
> > >          host7.domain.com host8.domain.com
> > > </Client>
> > >
> > > <Client xxx.xxx.xxx.xxx>
> > >          Secret XXXXXXXXXXXX
> > >          Identifier theirclients
> > >
> > >          IdenticalClients yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz
> > > </Client>
> > >
> > > <Handler Client-Identifier=theirclients,Called-Station-Id="##########">
> > >          <AuthBy INTERNAL>
> > >                  DefaultResult REJECT
> > >          </AuthBy>
> > > </Handler>
> > >
> > > <Handler>
> > >          <AuthBy DBFILE>
> > >                  Filename %D/users
> > >          </AuthBy>
> > >          AcctLogFileName %L/cd-%Y%m%d
> > > </Handler>
> > >
> > > <Realm DEFAULT>
> > >          <AuthBy DBFILE>
> > >                  Filename %D/users
> > >          </AuthBy>
> > >          AcctLogFileName %L/cd-%Y%m%d
> > > </Realm>
> > >
> > > <SessionDatabase DBM>
> > >          # The name of the DBM file. Defaults on %D/online
> > >          Filename %D/online
> > > </SessionDatabase>
> > >
> > > -----Example of the cd-20020419-------
> > >
> > > Sat Apr 20 06:47:59 2002
> > >          NAS-IP-Address = xxx.xxx.xxx.xxx
> > >          NAS-Port = $$$$
> > >          NAS-Port-Type = Async
> > >          Called-Station-Id = "##########"
> > >          Calling-Station-Id = "**********"
> > >          Acct-Status-Type = Start
> > >          Acct-Authentic = RADIUS
> > >          Service-Type = Framed-User
> > >          Acct-Session-Id = "000DDF72"
> > >          Framed-Protocol = PPP
> > >          Acct-Link-Count = 1
> > >          Ascend-Num-In-Multilink = 1
> > >          Acct-Multi-Session-Id = "156668"
> > >          Framed-IP-Address = ooo.ooo.ooo.ooo
> > >          Ascend-Multilink-ID = 156668
> > >          Acct-Delay-Time = 0
> > >          User-Name = "username"
> > >
> > > At 08:15 AM 4/17/2002 +1000, Hugh Irvine wrote:
> > > >Hello Barrett -
> > > >
> > > >In my example below, you would reject all calls to a particular
> > > >Called-Station-Id on the Clients with "Identifier somewhere".
> > > >
> > > >Ie. "######" is the number you want to deny.
> > > >
> > > ><Handler Client-Identifier = somewhere, Called-Station-Id = 12345>
> > > >
> > > >You could also use regular expressions in the <Handler ....>.
> > > >
> > > >regards
> > > >
> > > >Hugh
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> >-
> >Nets: internetwork inventory and management - graphical, extensible,
> >flexible with hardware, software, platform and database independence.
> >===
> >Archive at http://www.open.com.au/archives/radiator/
> >Announcements on radiator-announce at open.com.au
> >To unsubscribe, email 'majordomo at open.com.au' with
> >'unsubscribe radiator' in the body of the message.
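
Following the advice in the reply at the top of this thread to check what the requests actually carry before writing the Handler, here is an added example (not part of the original messages and not Radiator's own code) that reads accounting detail records in the layout quoted above, lists the NAS-Identifier values seen with one Called-Station-Id, and renders the reject Handler. The sample records, NAS names, number and function names are constructed; escaping and anchoring the regex is an assumption added here so that only whole identifiers match.

```python
import re

# Constructed sample in the layout of the accounting detail excerpt quoted in
# the thread; the NAS names, numbers and user names are made up.
SAMPLE = """\
Sat Apr 20 06:47:59 2002
        NAS-Identifier = "nas1.example.net"
        Called-Station-Id = "5550100"
        User-Name = "alice"

Sat Apr 20 06:52:10 2002
        NAS-Identifier = "nas2.example.net"
        Called-Station-Id = "5550100"
        User-Name = "bob"

Sat Apr 20 07:01:44 2002
        NAS-Identifier = "nas9.example.net"
        Called-Station-Id = "5550199"
        User-Name = "carol"
"""

ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Split a detail file into one attribute dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines()[1:]:  # first line is the timestamp
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        records.append(attrs)
    return records

def nas_ids_for(records, called_number):
    """Return the sorted NAS-Identifier values seen with the given Called-Station-Id."""
    seen = {r["NAS-Identifier"] for r in records
            if r.get("Called-Station-Id") == called_number and "NAS-Identifier" in r}
    return sorted(seen)

def reject_handler(nas_ids, called_number):
    """Render the reject Handler; the regex is escaped and anchored (assumption)."""
    alternation = "|".join(re.escape(n).replace("/", r"\/") for n in nas_ids)
    return (f'<Handler NAS-Identifier=/^({alternation})$/,Called-Station-Id="{called_number}">\n'
            "        <AuthBy INTERNAL>\n"
            "                DefaultResult REJECT\n"
            "        </AuthBy>\n"
            "</Handler>")
```

The attribute names and formats should still be confirmed against a Trace 4 dump of the Access-Request, since the Handler is matched against the request as received.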
