(RADIATOR) Problem: AuthByPolicy
Hugh Irvine
hugh at open.com.au
Fri Jul 19 01:50:32 CDT 2002
Hello Jaafar -
Please send me a copy of the configuration file that produced the trace.
thanks
Hugh
At 10:58 +0800 19/7/02, Jaafar Bin Sarim wrote:
>Hello Hugh,
>
>User test004, which is in the deny file, still gets authenticated against
>the /etc/passwd.
>Please see attached for the logs.
>
>Please advise.
>
>Thank you.
>
>
>Best Regards
>Jaafar Sarim
>SingNet
>
>On Fri, 19 Jul 2002, Hugh Irvine wrote:
>
>>
>> Hello Jaafar -
>>
>> You will need to use AuthBy GROUPs for the different AuthBy policies.
>>
>> # define AuthBy clauses
>>
>> <AuthBy UNIX>
>> Identifier System
>> Filename /etc/shadow
>> </AuthBy>
>>
>> <AuthBy SQL>
>> Identifier CheckSQL
>> DBSource dbi:Oracle:ahimsa
>> DBUsername xxxxxx
>> DBAuth xxxxxx
>>
>> DBSource dbi:Oracle:parthenon
>> DBUsername xxxxxx
>> DBAuth xxxxxx
>>
>> AuthSelect SELECT passwd FROM subscribers \
>> WHERE name = '%n' \
>> AND roam = 'T' \
>> AND status = 'T'
>>
>> AuthColumnDef 0, Encrypted-Password, check
>> AuthColumnDef 1, GENERIC, check
>> AuthColumnDef 2, GENERIC, check
>> AuthColumnDef 3, GENERIC, reply
>> AuthColumnDef 4, GENERIC, reply
>>
>> </AuthBy>
>>
>> <AuthBy FILE>
>> Identifier CheckDenyFile
>> Filename %D/deny
>> AcceptIfMissing
>> NoDefault
>> </AuthBy>
>>
>> <AuthBy Group>
>> Identifier CheckSystemThenSQL
>> AuthByPolicy ContinueUntilAccept
>> AuthBy System
>> AuthBy CheckSQL
>> </AuthBy>
>>
>> <AuthBy GROUP>
>> Identifier CheckUsers
>> AuthByPolicy ContinueWhileAccept
>> AuthBy CheckDenyFile
>> AuthBy CheckSystemThenSQL
>> AddToReply Service-Type = Framed-User, \
>> Framed-Protocol = PPP, \
>> Framed-IP-Netmask = 255.255.255.255
>> </AuthBy>
>>
>> # define Handlers
>>
>> <Handler Realm=/.*\.sg/>
>> RewriteUsername s/^([^@]+).*/$1/
>> AuthBy CheckUsers
>> AcctLogFileName /radacct/%C/detail
>> </Handler>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> At 8:53 +0800 19/7/02, Jaafar Bin Sarim wrote:
>> >Hello Hugh
>> >
>> >I'm unable to establish the policy that I want to achieve, as described
>> >below:
>> >
>> >1. If the user is found in the deny file, access will be rejected and
>> > nothing else checked.
>> >
>> >2. If the user is not found in the deny file, it will be checked against the
>> > /etc/passwd file;
>> > if not found in /etc/passwd, then check with the Oracle database.
>> >
>> >Here's my radius configuration:
>> >-----------------------------------------------------
>> >LogDir /var/log/radius/test
>> >DbDir /usr/local/etc/raddb
>> >AuthPort 2112
>> >AcctPort 2113
>> >
>> >Trace 4
>> >
>> ><Log FILE>
>> > Filename %L/logfile
>> > Trace 4
>> ></Log>
>> >
>> >
>> ><Client 165.21.81.35>
>> > Secret xxxxxx
>> ></Client>
>> >
>> ><Client localhost>
>> > Secret xxxxxx
>> ></Client>
>> >
>> ><Client 165.21.100.15>
>> > Secret xxxxxx
>> ></Client>
>> >
>> ><Client 165.21.100.18>
>> > Secret xxxxxx
>> ></Client>
>> >
>> ><AuthBy UNIX>
>> > Identifier System
>> > Filename /etc/shadow
>> ></AuthBy>
>> >
>> ><AuthBy SQL>
>> > Identifier CheckSQL
>> > DBSource dbi:Oracle:ahimsa
>> > DBUsername xxxxxx
>> > DBAuth xxxxxx
>> >
>> > DBSource dbi:Oracle:parthenon
>> > DBUsername xxxxxx
>> > DBAuth xxxxxx
>> >
>> > AuthSelect SELECT passwd FROM subscribers \
>> > WHERE name = '%n' \
>> > AND roam = 'T' \
>> > AND status = 'T'
>> >
>> > AuthColumnDef 0, Encrypted-Password, check
>> > AuthColumnDef 1, GENERIC, check
>> > AuthColumnDef 2, GENERIC, check
>> > AuthColumnDef 3, GENERIC, reply
>> > AuthColumnDef 4, GENERIC, reply
>> >
>> ></AuthBy>
>> >
>> >
>> ><Handler Realm=/.*\.sg/>
>> > RewriteUsername s/^([^@]+).*/$1/
>> > AuthByPolicy ContinueWhileReject
>> > <AuthBy FILE>
>> > Filename %D/deny
>> > </AuthBy>
>> > <AuthBy FILE>
>> > Filename %D/users
>> > </AuthBy>
>> > AuthBy CheckSQL
>> > AcctLogFileName /radacct/%C/detail
>> ></Handler>
>> >
>> >-------------------------------------------------------------
>> >
>> >Here's my deny file:
>> >--------------------------------
>> >jaafar Auth-Type = Reject
>> >
>> >--------------------------------
>> >
>> >Here's my users file:
>> >------------------------------------------
>> >DEFAULT Auth-Type = System
>> > Service-Type = Framed-User,
>> > Framed-Protocol = PPP,
>> > Framed-IP-Netmask = 255.255.255.255
>> >-------------------------------------------
>> >
>> >
>> >
>> >Thank you.
>> >
>> >
>> >Best Regards
>> >Jaafar Sarim
>> >SingNet
>> >
>> >===
>> >Archive at http://www.open.com.au/archives/radiator/
>> >Announcements on radiator-announce at open.com.au
>> >To unsubscribe, email 'majordomo at open.com.au' with
>> >'unsubscribe radiator' in the body of the message.
>>
>> --
>>
>> NB: I am travelling this week, so there may be delays in our correspondence.
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
>> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>>
>
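The thread turns on how AuthByPolicy chains AuthBy clauses: under ContinueWhileReject the Handler in the first post keeps going after the deny file rejects, so the next clause (the users file with DEFAULT Auth-Type = System) can still accept the user, whereas the nested GROUP layout Hugh suggests stops on the deny file's Reject and only falls through to System then SQL on Accept. The following Python simulation is an added example, not Radiator code and not from either poster; it models the policy table as I read it from the Radiator reference manual (a GROUP returns the result of the last AuthBy it consulted, and the policy decides whether to consult the next one), and it uses constructed stand-ins for /etc/shadow, the Oracle subscribers table and the deny file. Whether test004 still authenticates depends on the configuration Hugh asked for, so that case is not modelled here.

```python
# Simulation of Radiator-style AuthByPolicy chaining (added example; not Radiator code).
# Policy semantics follow the Radiator reference manual as I understand it: the
# group returns the result of the last AuthBy consulted, and the policy decides
# whether the next AuthBy in the list is consulted at all.
from enum import Enum


class Result(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    IGNORE = "IGNORE"


def should_continue(policy, result):
    """True if the chain should go on to the next AuthBy after `result`."""
    table = {
        "ContinueWhileIgnore": result is Result.IGNORE,
        "ContinueUntilIgnore": result is not Result.IGNORE,
        "ContinueWhileAccept": result is Result.ACCEPT,
        "ContinueUntilAccept": result is not Result.ACCEPT,
        "ContinueWhileReject": result is Result.REJECT,
        "ContinueUntilReject": result is not Result.REJECT,
        "ContinueAlways": True,
    }
    return table[policy]


class Group:
    """An AuthBy GROUP (or a Handler's own AuthBy list): ordered clauses plus a policy."""

    def __init__(self, policy, *authbys):
        self.policy = policy
        self.authbys = authbys

    def authenticate(self, user, password):
        result = Result.IGNORE  # nothing consulted yet
        for authby in self.authbys:
            result = authby.authenticate(user, password)
            if not should_continue(self.policy, result):
                break
        return result


class PasswordStore:
    """Stand-in for AuthBy UNIX / AuthBy SQL: {user: password}; unknown user -> REJECT."""

    def __init__(self, passwords):
        self.passwords = passwords

    def authenticate(self, user, password):
        return Result.ACCEPT if self.passwords.get(user) == password else Result.REJECT


class DenyFile:
    """AuthBy FILE holding only 'user Auth-Type = Reject' lines (constructed deny file).
    With AcceptIfMissing an unlisted user is accepted; without it, unlisted means REJECT."""

    def __init__(self, denied, accept_if_missing):
        self.denied = set(denied)
        self.accept_if_missing = accept_if_missing

    def authenticate(self, user, password):
        if user in self.denied:
            return Result.REJECT
        return Result.ACCEPT if self.accept_if_missing else Result.REJECT


class UsersFileDefaultSystem:
    """AuthBy FILE whose only entry is 'DEFAULT Auth-Type = System': defers to the system store."""

    def __init__(self, system):
        self.system = system

    def authenticate(self, user, password):
        return self.system.authenticate(user, password)


# Constructed sample data standing in for /etc/shadow, the Oracle subscribers table
# and the deny file from the thread (hypothetical users and passwords).
SHADOW = PasswordStore({"jaafar": "pw-jaafar", "alice": "pw-alice"})
ORACLE = PasswordStore({"bob": "pw-bob"})
DENY = ["jaafar"]


def original_handler():
    """The first post's Handler: ContinueWhileReject over deny file, users file, SQL."""
    return Group("ContinueWhileReject",
                 DenyFile(DENY, accept_if_missing=False),
                 UsersFileDefaultSystem(SHADOW),
                 ORACLE)


def nested_group_handler():
    """Hugh's layout: ContinueWhileAccept over the deny file (AcceptIfMissing) and a
    ContinueUntilAccept group of System then SQL."""
    return Group("ContinueWhileAccept",
                 DenyFile(DENY, accept_if_missing=True),
                 Group("ContinueUntilAccept", SHADOW, ORACLE))


def decide(handler, user, password):
    """Final RADIUS outcome for one request, as a string."""
    return handler.authenticate(user, password).value


if __name__ == "__main__":
    for name, handler in (("original", original_handler()), ("nested", nested_group_handler())):
        for user, pw in (("jaafar", "pw-jaafar"), ("alice", "pw-alice"), ("bob", "pw-bob"), ("bob", "wrong")):
            print(f"{name:9s} {user:7s} -> {decide(handler, user, pw)}")
```

Running it shows the failure mode from the first post: the denied user jaafar is ACCEPTed by the ContinueWhileReject chain, because the deny file's Reject is exactly the result that policy continues past, and the users file's DEFAULT System entry then accepts him. The nested layout rejects jaafar at the deny file and still lets alice (in /etc/shadow) and bob (only in the Oracle table) through, while a bad password for bob is rejected by both stores.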