(RADIATOR) Bug?
david.kramar at aliatel.cz
Thu Dec 12 09:17:47 CST 2002
Hi
I see the first error in this part - you don't check Service-Type but MACADDRESS, so you have to use the special check "GENERIC"
##
AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
MACADDRESS like '%{Calling-Station-Id}' and \
ACTIVE = 'Yes'
AuthColumnDef 0, GENERIC,check
AuthColumnDef 1, Reply-Message,reply
Hope this helps
David
-----Original Message-----
From: Toomas Kärner [mailto:tomkar at estpak.ee]
Sent: 12 December 2002 15:52
To: kramar; Ingvar.Berg at era.ericsson.se; radiator at open.com.au
Subject: Re: (RADIATOR) Bug?
Hi,
It works (partly - some problems with AuthByPolicy's) if you put it into the
realm.
I added some comments, and also I haven't tested it (I tested an earlier version
which I have already changed, and this is a recreation).
#################################################
<AuthBy SQL>
Identifier AuthBlacklistCheck
DBSource dbi:mysql:
DBUsername
DBAuth
AuthSQLStatement UPDATE macblacklist SET \
LASTTRY = '%Y-%m-%d %H:%M:%S', \ <- PS. HERE I CAN'T USE '%{Timestamp}'
LASTTRYUSERNAME = '%n', \
LASTTRYLOCATION = '%{NAS-Port}' \
where MACADDRESS = '%{Calling-Station-Id}' \
and ACTIVE = 'Yes'
AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
MACADDRESS like '%{Calling-Station-Id}' and \
ACTIVE = 'Yes'
AuthColumnDef 0, Service-Type,check
AuthColumnDef 1, Reply-Message,reply
#MAC Address is compared with Service-Type to get REJECT if found.
#NoDefault
AcceptIfMissing
</AuthBy>
#################################################
<Realm admin>
#################################################
PreAuthHook sub { \
my $p=${$_[0]}; \
if ((${$_[0]}->code) eq 'Access-Request') { \
$p->add_attr('ETC-Admin-Wireless','Admin'); \
$p->add_attr('ETC-Admin-Active','Yes'); \
} \
}
#################################################
AuthLog AdminLoginFailuresLog
RewriteUsername s/^([^@]+).*/$1/
RejectHasReason
AuthByPolicy ContinueUntilReject
AuthBy AuthBlacklistCheck
#################################################
<AuthBy SQL>
Identifier AcctStartOnlyAdmin
DBSource dbi:mysql
DBUsername
DBAuth
IgnoreAuthentication
AccountingStartsOnly
AcctSQLStatement UPDATE XXXXXXXXX SET \
LAST_LOGIN_TIME=from_unixtime(%{Timestamp}), \
LAST_LOGIN_CONNECTION = '%{ETC-Network-Type}', \
LAST_LOGIN_LOCATION = '%{NAS-Port}' \
WHERE username='%U'
</AuthBy>
#################################################
<AuthBy SQL>
Identifier AdminAuth
DBSource dbi:mysql:
DBUsername
DBAuth
AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
REPLYATTR \
from XXXXXXXX where USERNAME ='%n'
AuthColumnDef 0, ETC-Admin-Active, check
AuthColumnDef 1, ETC-Admin-Wireless, check
AuthColumnDef 2, GENERIC, check
AuthColumnDef 3, User-Password, check
AuthColumnDef 4, GENERIC, reply
DefaultSimultaneousUse 1
NoDefault
RejectEmptyPassword
AccountingTable XXXXXXXXXXX
AcctColumnDef DATE,Timestamp ,formatted-date,'%Y-%m-%d'
AcctColumnDef TIME,Timestamp ,formatted-date,'%H:%M:%S'
AcctColumnDef TIMESTAMP,Timestamp
AcctColumnDef USERNAME,User-Name
AcctColumnDef REALM,ETC-Realm
AcctColumnDef CONNECTION,ETC-Network-Type
AcctColumnDef LOCATION, NAS-Port
AcctColumnDef MAC_ADDRESS,Calling-Station-Id
AcctColumnDef SESSION_ID,Acct-Session-Id
AcctColumnDef BRAS,NAS-IP-Address
AcctColumnDef FRAMED_IP,Framed-IP-Address
AcctColumnDef TYPE,Acct-Status-Type
AcctColumnDef DURATION,Acct-Session-Time,integer
AcctColumnDef IN_OCTETS,Acct-Input-Octets,integer
AcctColumnDef OUT_OCTETS,Acct-Output-Octets,integer
AcctColumnDef ERR_CODE,Session-Error-Code
AcctColumnDef ERR_MSG,Acct-Terminate-Cause
AcctFailedLogFileName %L/SQLacct-Admin-radius-%Y-%m-%d
AddToReplyIfNotExist Nomadix-Bw-Down=8000,Nomadix-Bw-Up=8000,Idle-Timeout=3600
</AuthBy>
PostAuthHook file:"...../wn/AdminPostAuthHook.pl"
</Realm admin>
#################################################
----- Original Message -----
From: <david.kramar at aliatel.cz>
To: <tomkar at estpak.ee>; <Ingvar.Berg at era.ericsson.se>;
<radiator at open.com.au>
Sent: Thursday, December 12, 2002 4:12 PM
Subject: RE: (RADIATOR) Bug?
Hi,
I think you should show the important part
<AuthBy SQL>
plahplah
</AuthBy>
with the complete "plahplah" (without secret pw, db, user, IP....)
David
-----Original Message-----
From: Toomas Kärner [mailto:tomkar at estpak.ee]
Sent: 12 December 2002 12:43
To: Ingvar Berg (EAB); radiator at open.com.au
Subject: Re: (RADIATOR) Bug?
Yes, I know, but as you can see it finds the account and then the NoDefault
shouldn't be effective at all. NoDefault is useful ONLY if Select gives back
Empty Set. So ... this is another issue ...
----- Original Message -----
From: "Ingvar Berg (EAB)" <Ingvar.Berg at era.ericsson.se>
To: <radiator at open.com.au>
Sent: Thursday, December 12, 2002 1:23 PM
Subject: RE: (RADIATOR) Bug?
> There is some NoDefault parameter you could use in the looping AuthBy
>
> /Ingvar
>
> -----Original Message-----
> From: Toomas Kärner [mailto:tomkar at estpak.ee]
> Sent: 12 December 2002 11:39
> To: radiator at open.com.au
> Subject: (RADIATOR) Bug?
>
>
> Hi
>
> When I have config like:
>
> <Realm plah>
> AuthByPolicy ContinueUntilReject
> AuthBy Identifier_of_some_authby_that_gives_reject
> <AuthBy SQL>
> plahplah
> </AuthBy>
> </Realm plah>
>
> This kind of conf results in a loop in Identifier_of_some_authby_that_gives_reject
> and never goes to AuthBy SQL.
>
> debug 4 of such config (it had other problems as well but it shouldn't have
> gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52061
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
> 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52062
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
> 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52063
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
> 'Yes'
>
> Anyway I think it would be a good idea to add a keyword RejectIfFound to
> features for blacklist building purposes.
>
> Rgds.
> Toomas Kärner
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
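A small check for the symptom in the debug trace quoted in this thread, added here as an illustration and not part of any poster's message or of Radiator itself: it scans trace output for consecutive DEFAULT<n> lookups that re-run one identical query. The function name, the run threshold and the rejoined sample lines are assumptions of this example.

```python
import re

# Debug lines from the thread's trace, with the e-mail line wrapping undone.
QUERY_TEXT = ("select MACADDRESS, REPLYMESSAGE from macblacklist where "
              "MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'")
STAMP = "Thu Dec 12 09:18:48 2002: DEBUG: "
SAMPLE_LOG = "\n".join(
    f"{STAMP}Radius::AuthSQL looks for match with DEFAULT{n}\n"
    f"{STAMP}Radius::AuthSQL REJECT: Check item Service-Type expression "
    f"'00-50-04-E8-B4-AF' does not match 'Login-User' in request\n"
    f"{STAMP}Query is: {QUERY_TEXT}"
    for n in (52061, 52062, 52063))

LOOKUP = re.compile(r"Radius::AuthSQL looks for match with DEFAULT(\d*)\s*$")
QUERY = re.compile(r"DEBUG: Query is: (.+?)\s*$")


def find_default_loops(log_text, min_run=3):
    """Report runs of consecutive DEFAULT<n> lookups that reissue one query."""
    events, pending = [], None
    for line in log_text.splitlines():
        lookup = LOOKUP.search(line)
        if lookup:
            pending = int(lookup.group(1) or 0)  # plain DEFAULT counts as 0
            continue
        query = QUERY.search(line)
        if query and pending is not None:
            events.append((pending, query.group(1)))
            pending = None
    runs, run = [], []
    for event in events + [None]:  # the trailing None flushes the final run
        if run and event and event[0] == run[-1][0] + 1 and event[1] == run[-1][1]:
            run.append(event)
            continue
        if len(run) >= min_run:
            name = f"DEFAULT{run[0][0] or ''}"
            runs.append({"first": run[0][0], "last": run[-1][0],
                         "count": len(run), "query": run[0][1],
                         # False: the lookup name is absent from the SQL, so
                         # each DEFAULT<n> lookup can select the same row again.
                         "name_in_query": name in run[0][1]})
        run = [event] if event else []
    return runs


if __name__ == "__main__":
    for loop in find_default_loops(SAMPLE_LOG):
        print(loop)
```
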