(RADIATOR) Bug?

Hugh Irvine hugh at open.com.au
Thu Dec 12 16:59:59 CST 2002


Hello Toomas -

This is not a bug really - it is more a configuration issue.

The problem that you show below is due to the fact that the AuthBy is 
looking for the username, and you are overriding it to look for 
something else. This leads to the AuthBy continuing to look for 
DEFAULT... .

The correct way to build a configuration file to do blacklist checking 
is to use cascaded AuthBy clauses.

Something like this:

# define AuthBy clauses

<AuthBy SQL>
	Identifier CheckMACAddress
	......
</AuthBy>

<AuthBy FILE>
	Identifier CheckBlacklist
	Filename %D/blacklist
</AuthBy>

......

# define Realms or Handlers

<Realm ...>
	AuthByPolicy ContinueWhileAccept
	.....
	AuthBy CheckBlacklist
	.....
</Realm>

.....

The SQL table would contain something like this:

MACADDRESS	ACTION
nn.nn.nn.nn.nn.nn	Auth-Type = Reject
oo.oo.oo.oo.oo.oo	Auth-Type = Reject

.....

The file "blacklist" would contain this:

# blacklist

DEFAULT		Auth-Type = CheckMACAddress

DEFAULT		Auth-Type = Accept

This topic has been discussed on the list many times, so check the 
archive if you are interested.

	www.open.com.au/archives/radiator

regards

Hugh


On Thursday, Dec 12, 2002, at 21:38 Australia/Melbourne, Toomas Kärner 
wrote:

> Hi
>
> When I have config like:
>
> <Realm plah>
> AuthByPolicy ContinueUntilReject
> AuthBy Identifier_of_some_authby_that_gives_reject
> <AuthBy SQL>
>     plahplah
> </AuthBy>
> </Realm plah>
>
> This kind of conf results in a loop in
> Identifier_of_some_authby_that_gives_reject
> and never goes to AuthBy SQL.
>
> Debug 4 of such a config (it had other problems as well, but it
> shouldn't have gone into a loop because MACADDRESS like
> '00-50-04-E8-B4-AF' was found).
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52061
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52062
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
>
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52063
> Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
> Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
>
> Anyway, I think it would be a good idea to add a keyword RejectIfFound
> to the features for blacklist building purposes.
>
> Rgds.
> Toomas Kärner
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
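
Added example (not part of the original post and not Radiator's own code): a simplified Python model of how an AuthByPolicy decides whether the next AuthBy in a Realm is tried, showing why a blacklist check placed first under ContinueWhileAccept rejects before any credential check runs. The CheckUser handler, the sample user, the `db_down` flag and the assumption that a failed blacklist lookup returns IGNORE are hypothetical.

```python
# Simplified model of AuthByPolicy chaining (added example, not Radiator code).
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# For each policy: move on to the next AuthBy while this holds for the last result.
POLICIES = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueUntilIgnore": lambda r: r != IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilReject": lambda r: r != REJECT,
}

def run_chain(policy, authbys, request):
    """Return (result, names_tried); the result is that of the last AuthBy tried."""
    keep_going = POLICIES[policy]
    result, tried = IGNORE, []
    for name, handler in authbys:
        result = handler(request)
        tried.append(name)
        if not keep_going(result):
            break
    return result, tried

BLACKLIST = {"00-50-04-E8-B4-AF"}  # MAC taken from the debug log in the thread
USERS = {"alice": "s3cret"}        # constructed sample user

def check_blacklist(req):
    if req.get("db_down"):         # assumption: a failed lookup surfaces as IGNORE
        return IGNORE
    return REJECT if req["mac"].upper() in BLACKLIST else ACCEPT

def check_user(req):               # hypothetical second AuthBy in the Realm
    return ACCEPT if USERS.get(req["user"]) == req["password"] else REJECT

CHAIN = [("CheckBlacklist", check_blacklist), ("CheckUser", check_user)]

def demo():
    good = {"user": "alice", "password": "s3cret", "mac": "00-11-22-33-44-55"}
    bad = dict(good, mac="00-50-04-e8-b4-af")   # valid password, blacklisted MAC
    outage = dict(bad, db_down=True)            # same request, lookup unavailable
    return {
        "clean": run_chain("ContinueWhileAccept", CHAIN, good),
        "blacklisted": run_chain("ContinueWhileAccept", CHAIN, bad),
        "outage_while_accept": run_chain("ContinueWhileAccept", CHAIN, outage),
        "outage_until_reject": run_chain("ContinueUntilReject", CHAIN, outage),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

In this model, an IGNORE from the blacklist lookup under ContinueUntilReject falls through to the next AuthBy, so the blacklisted MAC is accepted on its password alone; under ContinueWhileAccept the chain stops at the IGNORE instead.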
