(RADIATOR) Bug?

Toomas Kärner tomkar at estpak.ee
Thu Dec 12 09:28:18 CST 2002


Please do read the comments two lines below the check. The point is to GET
REJECT if found (MAC address in blacklist). The easiest way to do this is to compare it
with something that will never be the same (Service-Type), and then you can
also do some bogus in PostAuthHook that rewrites Reply-Message to something
like "MAC address in blacklist" if it contains "Service-Type".

Rgds.
Toomas
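As an added example (not code from the thread or from Radiator itself), this is the kind of PostAuthHook the message above describes: it recognises a reject that came out of the blacklist AuthBy's deliberate Service-Type mismatch and replaces the generic reason with a readable Reply-Message. It assumes Radiator's documented hook arguments (references to the request, the reply, the result code and the reason string) and the get_attr/add_attr/change_attr packet methods; whether RejectHasReason has already copied the reason into Reply-Message when the hook runs is not stated in the thread, so the hook handles both cases. The hypothetical file name below matches the PostAuthHook file: line in the config.

```perl
# AdminPostAuthHook.pl (hypothetical file name, as referenced from the Realm config)
# Added example, not from the thread: rewrite the reason/Reply-Message of a
# reject that was produced on purpose by the blacklist check item.
sub {
    my ($p, $rp, $result, $reason) = @_;   # all four are references (assumption: Radiator hook convention)

    return unless $$result == $main::REJECT;   # leave accepts and challenges alone

    # The blacklist AuthBy compares the MAC column against Service-Type so it
    # never matches; that phrase in the reason therefore marks a blacklisted MAC.
    return unless defined $$reason && $$reason =~ /Service-Type/;

    my $mac = $p->get_attr('Calling-Station-Id') || 'unknown';
    my $msg = "MAC address $mac is blacklisted";

    $$reason = $msg;   # used by RejectHasReason if it runs after this hook

    # If RejectHasReason already added a Reply-Message, overwrite it;
    # otherwise add one so the NAS can show the user something sensible.
    if (defined $rp->get_attr('Reply-Message')) {
        $rp->change_attr('Reply-Message', $msg);
    } else {
        $rp->add_attr('Reply-Message', $msg);
    }

    # Record the event so blacklist hits are visible in the server log.
    &main::log($main::LOG_INFO, "Blacklist reject for $mac (user " . $p->getUserName . ")", $p);
    return;
}
```

The hook is deliberately conservative: it only touches packets whose result is REJECT and whose reason carries the Service-Type marker, so rejects from the other AuthBys in the realm (wrong password, inactive admin account) keep their own reason text.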

----- Original Message -----
From: <david.kramar at aliatel.cz>
To: <tomkar at estpak.ee>; <Ingvar.Berg at era.ericsson.se>;
<radiator at open.com.au>
Sent: Thursday, December 12, 2002 5:17 PM
Subject: RE: (RADIATOR) Bug?


Hi
I see the first error in this part - you don't check Service-Type but MACADDRESS,
so you have to use the special check "GENERIC"

##
AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
   MACADDRESS like '%{Calling-Station-Id}' and \
   ACTIVE = 'Yes'

 AuthColumnDef 0, GENERIC,check
 AuthColumnDef 1, Reply-Message,reply

Hope this helps
David

-----Original Message-----
From: Toomas Kärner [mailto:tomkar at estpak.ee]
Sent: 12 December 2002 15:52
To: kramar; Ingvar.Berg at era.ericsson.se; radiator at open.com.au
Subject: Re: (RADIATOR) Bug?


Hi,

It works (partly - some problems with AuthByPolicy's) if you put it into a
realm.
I added some comments and also I haven't tested it (I tested an earlier version
which I already changed and this is a recreation).
#################################################
<AuthBy SQL>
        Identifier      AuthBlacklistCheck

        DBSource        dbi:mysql:
        DBUsername
        DBAuth

 # PS. HERE I CAN'T USE '%{Timestamp}' for LASTTRY
 AuthSQLStatement UPDATE macblacklist SET \
    LASTTRY = '%Y-%m-%d %H:%M:%S', \
    LASTTRYUSERNAME = '%n', \
    LASTTRYLOCATION = '%{NAS-Port}' \
    where MACADDRESS = '%{Calling-Station-Id}' \
    and ACTIVE = 'Yes'

 AuthSelect select MACADDRESS, REPLYMESSAGE from macblacklist where \
   MACADDRESS like '%{Calling-Station-Id}' and \
   ACTIVE = 'Yes'

 AuthColumnDef 0, Service-Type,check
 AuthColumnDef 1, Reply-Message,reply
#MAC Address is compared with Service-Type to get REJECT if found.
#NoDefault
 AcceptIfMissing
</AuthBy>
#################################################

<Realm admin>
#################################################
PreAuthHook sub { \
    my $p = ${$_[0]}; \
    if ($p->code eq 'Access-Request') { \
        $p->add_attr('ETC-Admin-Wireless', 'Admin'); \
        $p->add_attr('ETC-Admin-Active', 'Yes'); \
    } \
}
#################################################
        AuthLog AdminLoginFailuresLog
 RewriteUsername s/^([^@]+).*/$1/
 RejectHasReason
        AuthByPolicy ContinueUntilReject
        AuthBy AuthBlacklistCheck
#################################################
<AuthBy SQL>
        Identifier      AcctStartOnlyAdmin
        DBSource        dbi:mysql
        DBUsername
        DBAuth

        IgnoreAuthentication
        AccountingStartsOnly

        AcctSQLStatement        UPDATE XXXXXXXXX SET \
    LAST_LOGIN_TIME=from_unixtime(%{Timestamp}), \
    LAST_LOGIN_CONNECTION = '%{ETC-Network-Type}', \
    LAST_LOGIN_LOCATION = '%{NAS-Port}' \
    WHERE username='%U'
</AuthBy>
#################################################
<AuthBy SQL>
 Identifier AdminAuth
 DBSource dbi:mysql:
 DBUsername
 DBAuth

 AuthSelect select ACTIVE, WNACCESS, CHECKATTR, PASSWORD,\
   REPLYATTR \
   from XXXXXXXX where USERNAME ='%n'

 AuthColumnDef 0, ETC-Admin-Active, check
 AuthColumnDef 1, ETC-Admin-Wireless, check
 AuthColumnDef 2, GENERIC, check
 AuthColumnDef 3, User-Password, check
 AuthColumnDef 4, GENERIC, reply

 DefaultSimultaneousUse 1
 NoDefault
 RejectEmptyPassword

AccountingTable XXXXXXXXXXX
        AcctColumnDef   DATE,Timestamp ,formatted-date,'%Y-%m-%d'
        AcctColumnDef   TIME,Timestamp ,formatted-date,'%H:%M:%S'
        AcctColumnDef   TIMESTAMP,Timestamp
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   REALM,ETC-Realm
        AcctColumnDef   CONNECTION,ETC-Network-Type
        AcctColumnDef   LOCATION, NAS-Port
        AcctColumnDef   MAC_ADDRESS,Calling-Station-Id
        AcctColumnDef   SESSION_ID,Acct-Session-Id
        AcctColumnDef   BRAS,NAS-IP-Address
        AcctColumnDef   FRAMED_IP,Framed-IP-Address
        AcctColumnDef   TYPE,Acct-Status-Type
        AcctColumnDef   DURATION,Acct-Session-Time,integer
        AcctColumnDef   IN_OCTETS,Acct-Input-Octets,integer
        AcctColumnDef   OUT_OCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ERR_CODE,Session-Error-Code
        AcctColumnDef   ERR_MSG,Acct-Terminate-Cause

        AcctFailedLogFileName   %L/SQLacct-Admin-radius-%Y-%m-%d

 AddToReplyIfNotExist Nomadix-Bw-Down=8000,Nomadix-Bw-Up=8000,Idle-Timeout=3600

</AuthBy>
PostAuthHook file:"...../wn/AdminPostAuthHook.pl"
</Realm admin>
#################################################

----- Original Message -----
From: <david.kramar at aliatel.cz>
To: <tomkar at estpak.ee>; <Ingvar.Berg at era.ericsson.se>;
<radiator at open.com.au>
Sent: Thursday, December 12, 2002 4:12 PM
Subject: RE: (RADIATOR) Bug?


Hi,
I think you should show important part

<AuthBy SQL>
     plahplah
</AuthBy>
with the complete "plahplah" (without secret pw, db, user, IP....)

David


-----Original Message-----
From: Toomas Kärner [mailto:tomkar at estpak.ee]
Sent: 12 December 2002 12:43
To: Ingvar Berg (EAB); radiator at open.com.au
Subject: Re: (RADIATOR) Bug?


Yes, I know, but as you can see it finds the account and then NoDefault
shouldn't be effective at all. NoDefault is useful ONLY if the Select gives back an
Empty Set. So ... this is another issue ...

----- Original Message -----
From: "Ingvar Berg (EAB)" <Ingvar.Berg at era.ericsson.se>
To: <radiator at open.com.au>
Sent: Thursday, December 12, 2002 1:23 PM
Subject: RE: (RADIATOR) Bug?


> There is some NoDefault parameter you could use in the looping AuthBy
>
> /Ingvar
>
> -----Original Message-----
> From: Toomas Kärner [mailto:tomkar at estpak.ee]
> Sent: den 12 december 2002 11:39
> To: radiator at open.com.au
> Subject: (RADIATOR) Bug?
>
>
> Hi
>
> When I have config like:
>
> <Realm plah>
> AuthByPolicy ContinueUntilReject
> AuthBy Identifier_of_some_authby_that_gives_reject
> <AuthBy SQL>
>     plahplah
> </AuthBy>
> </Realm plah>
>
> This kind of conf results in a loop in
> Identifier_of_some_authby_that_gives_reject
> and never goes to AuthBy SQL.
>
> debug 4 of such config (it had other problems as well but it shouldn't have
> gone into a loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52061
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
> 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52062
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
> 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52063
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE =
> 'Yes'
>
> Anyway I think it would be a good idea to add a keyword RejectIfFound to
> the features for blacklist building purposes.
>
> Rgds.
> Toomas Kärner
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> ===