(RADIATOR) Bug?
Hugh Irvine
hugh at open.com.au
Thu Dec 12 16:59:59 CST 2002
Hello Toomas -
This is not a bug really - it is more a configuration issue.
The problem that you show below is due to the fact that the AuthBy is
looking for the username, and you are overriding it to look for
something else. This leads to the AuthBy continuing to look for
DEFAULT... .
The correct way to build a configuration file to do blacklist checking
is to use cascaded AuthBy clauses.
Something like this:
# define AuthBy clauses
<AuthBy SQL>
Identifier CheckMACAddress
......
</AuthBy>
<AuthBy FILE>
Identifier CheckBlacklist
Filename %D/blacklist
</AuthBy>
......
# define Realms or Handlers
<Realm ...>
AuthByPolicy ContinueWhileAccept
.....
AuthBy CheckBlacklist
.....
</Realm>
.....
The SQL table would contain something like this:
MACADDRESS ACTION
nn.nn.nn.nn.nn.nn Auth-Type = Reject
oo.oo.oo.oo.oo.oo Auth-Type = Reject
.....
The file "blacklist" would contain this:
# blacklist
DEFAULT Auth-Type = CheckMACAddress
DEFAULT Auth-Type = Accept
This topic has been discussed on the list many times, so check the
archive if you are interested.
www.open.com.au/archives/radiator
regards
Hugh
On Thursday, Dec 12, 2002, at 21:38 Australia/Melbourne, Toomas Kärner
wrote:
> Hi
>
> When I have config like:
>
> <Realm plah>
> AuthByPolicy ContinueUntilReject
> AuthBy Identifier_of_some_authby_that_gives_reject
> <AuthBy SQL>
> plahplah
> </AuthBy>
> </Realm plah>
>
> This kind a conf results loop in
> Identifier_of_some_authby_that_gives_reject
> and never goes to AuthBy SQL.
>
> debug 4 of such config (it had other problems as well but it shouldnt
> have
> gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52061
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match
> 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS,
> REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE
> =
> 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52062
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match
> 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS,
> REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE
> =
> 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT52063
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item
> Service-Type expression '00-50-04-E8-B4-AF' does not match
> 'Login-User' in
> request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS,
> REPLYMESSAGE
> from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE
> =
> 'Yes'
>
> Anyway I think it would be good idea to add a keyword RejectIfFound to
> features for blacklist buliding pruposes.
>
> Rgds.
> Toomas Kärner
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list