(RADIATOR) Problem: AuthByPolicy
Jaafar Bin Sarim
jrsm at staff.singnet.com.sg
Thu Jul 18 21:58:22 CDT 2002
Hello Hugh,
User test004, which is in the deny file, still gets authenticated against
/etc/passwd.
Please see the attached logs.
Please advise.
Thank you.
Best Regards
Jaafar Sarim
SingNet
On Fri, 19 Jul 2002, Hugh Irvine wrote:
>
> Hello Jaafar -
>
> You will need to use AuthBy GROUPs for the different AuthBy policies.
>
> # define AuthBy clauses
>
> <AuthBy UNIX>
> Identifier System
> Filename /etc/shadow
> </AuthBy>
>
> <AuthBy SQL>
> Identifier CheckSQL
> DBSource dbi:Oracle:ahimsa
> DBUsername xxxxxx
> DBAuth xxxxxx
>
> DBSource dbi:Oracle:parthenon
> DBUsername xxxxxx
> DBAuth xxxxxx
>
> AuthSelect SELECT passwd FROM subscribers \
> WHERE name = '%n' \
> AND roam = 'T' \
> AND status = 'T'
>
> AuthColumnDef 0, Encrypted-Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, check
> AuthColumnDef 3, GENERIC, reply
> AuthColumnDef 4, GENERIC, reply
>
> </AuthBy>
>
> <AuthBy FILE>
> Identifier CheckDenyFile
> Filename %D/deny
> AcceptIfMissing
> NoDefault
> </AuthBy>
>
> <AuthBy Group>
> Identifier CheckSystemThenSQL
> AuthByPolicy ContinueUntilAccept
> AuthBy System
> AuthBy CheckSQL
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier CheckUsers
> AuthByPolicy ContinueWhileAccept
> AuthBy CheckDenyFile
> AuthBy CheckSystemThenSQL
> AddToReply Service-Type = Framed-User, \
> Framed-Protocol = PPP, \
> Framed-IP-Netmask = 255.255.255.255
> </AuthBy>
>
> # define Handlers
>
> <Handler Realm=/.*\.sg/>
> RewriteUsername s/^([^@]+).*/$1/
> AuthBy CheckUsers
> AcctLogFileName /radacct/%C/detail
> </Handler>
>
>
> regards
>
> Hugh
>
>
> At 8:53 +0800 19/7/02, Jaafar Bin Sarim wrote:
> >Hello Hugh
> >
> >I'm unable to establish a policy that I want to achieve as described
> >below:
> >
> >1. If the user is found in the deny file, access will be rejected and
> > nothing else checked.
> >
> >2. If the user is not found in the deny file, access will be checked against
> > the /etc/passwd file;
> > if not found in /etc/passwd, then check with the Oracle database.
> >
> >Here's my radius configuration:
> >-----------------------------------------------------
> >LogDir /var/log/radius/test
> >DbDir /usr/local/etc/raddb
> >AuthPort 2112
> >AcctPort 2113
> >
> >Trace 4
> >
> ><Log FILE>
> > Filename %L/logfile
> > Trace 4
> ></Log>
> >
> >
> ><Client 165.21.81.35>
> > Secret xxxxxx
> ></Client>
> >
> ><Client localhost>
> > Secret xxxxxx
> ></Client>
> >
> ><Client 165.21.100.15>
> > Secret xxxxxx
> ></Client>
> >
> ><Client 165.21.100.18>
> > Secret xxxxxx
> ></Client>
> >
> ><AuthBy UNIX>
> > Identifier System
> > Filename /etc/shadow
> ></AuthBy>
> >
> ><AuthBy SQL>
> > Identifier CheckSQL
> > DBSource dbi:Oracle:ahimsa
> > DBUsername xxxxxx
> > DBAuth xxxxxx
> >
> > DBSource dbi:Oracle:parthenon
> > DBUsername xxxxxx
> > DBAuth xxxxxx
> >
> > AuthSelect SELECT passwd FROM subscribers \
> > WHERE name = '%n' \
> > AND roam = 'T' \
> > AND status = 'T'
> >
> > AuthColumnDef 0, Encrypted-Password, check
> > AuthColumnDef 1, GENERIC, check
> > AuthColumnDef 2, GENERIC, check
> > AuthColumnDef 3, GENERIC, reply
> > AuthColumnDef 4, GENERIC, reply
> >
> ></AuthBy>
> >
> >
> ><Handler Realm=/.*\.sg/>
> > RewriteUsername s/^([^@]+).*/$1/
> > AuthByPolicy ContinueWhileReject
> > <AuthBy FILE>
> > Filename %D/deny
> > </AuthBy>
> > <AuthBy FILE>
> > Filename %D/users
> > </AuthBy>
> > AuthBy CheckSQL
> > AcctLogFileName /radacct/%C/detail
> ></Handler>
> >
> >-------------------------------------------------------------
> >
> >Here's my deny file:
> >--------------------------------
> >jaafar Auth-Type = Reject
> >
> >--------------------------------
> >
> >Here's my users file:
> >------------------------------------------
> >DEFAULT Auth-Type = System
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-IP-Netmask = 255.255.255.255
> >-------------------------------------------
> >
> >
> >
> >Thank you.
> >
> >
> >Best Regards
> >Jaafar Sarim
> >SingNet
> >
> >===
> >Archive at http://www.open.com.au/archives/radiator/
> >Announcements on radiator-announce at open.com.au
> >To unsubscribe, email 'majordomo at open.com.au' with
> >'unsubscribe radiator' in the body of the message.
>
> --
>
> NB: I am travelling this week, so there may be delays in our correspondence.
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>
-------------- next part --------------
Fri Jul 19 10:48:31 2002: INFO: Server started: Radiator 3.1 on voyage
Fri Jul 19 10:48:57 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 35515 ....
Code: Access-Request
Identifier: 12
Authentic: 1234567890123456
Attributes:
User-Name = "wtl190 at voyage.singnet.com.sg"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "%<216><137><16><*{.!<25>#U<160><247>;<202>"
Fri Jul 19 10:48:57 2002: DEBUG: Handling request with Handler 'Realm=/.*\.sg/'
Fri Jul 19 10:48:57 2002: DEBUG: Rewrote user name to wtl190
Fri Jul 19 10:48:57 2002: DEBUG: Deleting session for wtl190 at voyage.singnet.com.sg, 203.63.154.1, 1234
Fri Jul 19 10:48:57 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jul 19 10:48:57 2002: DEBUG: Handling with Radius::AuthFILE: CheckDenyFile
Fri Jul 19 10:48:57 2002: DEBUG: Radius::AuthFILE looks for match with wtl190
Fri Jul 19 10:48:57 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jul 19 10:48:57 2002: DEBUG: Handling with Radius::AuthUNIX: System
Fri Jul 19 10:48:57 2002: DEBUG: Radius::AuthUNIX looks for match with wtl190
Fri Jul 19 10:48:57 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Jul 19 10:48:57 2002: DEBUG: Access accepted for wtl190
Fri Jul 19 10:48:57 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 35515 ....
Code: Access-Accept
Identifier: 12
Authentic: 1234567890123456
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Fri Jul 19 10:48:59 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 35516 ....
Code: Access-Request
Identifier: 13
Authentic: 1234567890123456
Attributes:
User-Name = "teststar at voyage.singnet.com.sg"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "&<201><150>U4(H.!<25>#U<160><247>;<202>"
Fri Jul 19 10:48:59 2002: DEBUG: Handling request with Handler 'Realm=/.*\.sg/'
Fri Jul 19 10:48:59 2002: DEBUG: Rewrote user name to teststar
Fri Jul 19 10:48:59 2002: DEBUG: Deleting session for teststar at voyage.singnet.com.sg, 203.63.154.1, 1234
Fri Jul 19 10:48:59 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jul 19 10:48:59 2002: DEBUG: Handling with Radius::AuthFILE: CheckDenyFile
Fri Jul 19 10:48:59 2002: DEBUG: Radius::AuthFILE looks for match with teststar
Fri Jul 19 10:48:59 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jul 19 10:48:59 2002: DEBUG: Handling with Radius::AuthUNIX: System
Fri Jul 19 10:48:59 2002: DEBUG: Radius::AuthUNIX looks for match with teststar
Fri Jul 19 10:48:59 2002: DEBUG: Handling with Radius::AuthSQL
Fri Jul 19 10:48:59 2002: DEBUG: Handling with Radius::AuthSQL: CheckSQL
Fri Jul 19 10:48:59 2002: DEBUG: Query is: SELECT passwd FROM subscribers WHERE name = 'teststar' AND roam = 'T' AND status = 'T'
Fri Jul 19 10:48:59 2002: DEBUG: Radius::AuthSQL looks for match with teststar
Fri Jul 19 10:48:59 2002: DEBUG: Radius::AuthSQL ACCEPT:
Fri Jul 19 10:48:59 2002: DEBUG: Access accepted for teststar
Fri Jul 19 10:48:59 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 35516 ....
Code: Access-Accept
Identifier: 13
Authentic: 1234567890123456
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Fri Jul 19 10:49:00 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 35517 ....
Code: Access-Request
Identifier: 15
Authentic: 1234567890123456
Attributes:
User-Name = "test004 at voyage.singnet.com.sg"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "?<205><136>Cdt<28><31><19>*#U<160><247>;<202>"
Fri Jul 19 10:49:00 2002: DEBUG: Handling request with Handler 'Realm=/.*\.sg/'
Fri Jul 19 10:49:00 2002: DEBUG: Rewrote user name to test004
Fri Jul 19 10:49:00 2002: DEBUG: Deleting session for test004 at voyage.singnet.com.sg, 203.63.154.1, 1234
Fri Jul 19 10:49:00 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jul 19 10:49:00 2002: DEBUG: Handling with Radius::AuthFILE: CheckDenyFile
Fri Jul 19 10:49:00 2002: DEBUG: Radius::AuthFILE looks for match with test004
Fri Jul 19 10:49:00 2002: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Fri Jul 19 10:49:00 2002: DEBUG: Handling with Radius::AuthGROUP
Fri Jul 19 10:49:00 2002: DEBUG: Handling with Radius::AuthUNIX: System
Fri Jul 19 10:49:00 2002: DEBUG: Radius::AuthUNIX looks for match with test004
Fri Jul 19 10:49:00 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Jul 19 10:49:00 2002: DEBUG: Access accepted for test004
Fri Jul 19 10:49:00 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 35517 ....
Code: Access-Accept
Identifier: 15
Authentic: 1234567890123456
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
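An added model (not Radiator's code, and not from either poster) of how the two nested AuthBy GROUPs in Hugh's reply are meant to chain under ContinueWhileAccept and ContinueUntilAccept, so the expected path for each test user can be compared with the "Handling with" lines in the attached log. The result names come from the log; the policy rules and the sample user tables are this model's own assumptions.

```python
# Added model of Radiator-style AuthBy chaining for the config in Hugh's reply.
# It is not Radiator's code: the result names come from the attached log, and the
# policy rules below are this model's reading of the policy names.
ACCEPT, REJECT, REJECT_IMMEDIATE = "ACCEPT", "REJECT", "REJECT_IMMEDIATE"

class AuthByFile:
    """Stands in for CheckDenyFile: a listed user (Auth-Type = Reject) gets
    REJECT_IMMEDIATE; an unlisted user is ACCEPTed because of AcceptIfMissing."""
    def __init__(self, name, denied, accept_if_missing):
        self.name, self.denied, self.accept_if_missing = name, set(denied), accept_if_missing
    def handle(self, user, password, trace):
        trace.append(self.name)
        if user in self.denied:
            return REJECT_IMMEDIATE
        return ACCEPT if self.accept_if_missing else REJECT

class AuthByPassword:
    """Stands in for AuthBy UNIX and AuthBy SQL: a plain user -> password table."""
    def __init__(self, name, table):
        self.name, self.table = name, table
    def handle(self, user, password, trace):
        trace.append(self.name)
        return ACCEPT if self.table.get(user) == password else REJECT

class AuthByGroup:
    """Runs members in order; AuthByPolicy decides whether to go on to the next."""
    def __init__(self, policy, members):
        self.policy, self.members = policy, members
    def handle(self, user, password, trace):
        result = REJECT
        for member in self.members:
            result = member.handle(user, password, trace)
            if result == REJECT_IMMEDIATE:   # Auth-Type = Reject ends the whole chain
                break
            if self.policy == "ContinueWhileAccept" and result != ACCEPT:
                break
            if self.policy == "ContinueUntilAccept" and result == ACCEPT:
                break
            if self.policy == "ContinueWhileReject" and result != REJECT:
                break
        return result

# Constructed sample data standing in for the deny file, /etc/shadow and subscribers.
deny = AuthByFile("CheckDenyFile", ["test004"], accept_if_missing=True)
system = AuthByPassword("System", {"wtl190": "pw-wtl", "test004": "pw-004"})
sql = AuthByPassword("CheckSQL", {"teststar": "pw-star"})
check_users = AuthByGroup("ContinueWhileAccept",
                          [deny, AuthByGroup("ContinueUntilAccept", [system, sql])])

def authenticate(user, password):
    """Returns (result, identifiers of the AuthBys consulted, in order)."""
    trace = []
    return check_users.handle(user, password, trace), trace
```

For test004 the model stops at CheckDenyFile, whereas the attached log shows Radiator 3.1 going on to AuthBy System after the REJECT_IMMEDIATE and accepting the user; comparing this consulted-AuthBy trace with the log's "Handling with" lines is the quickest way to see where a policy is not taking effect.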