(RADIATOR) Users Blacklists

Hugh Irvine hugh at open.com.au
Thu Jun 13 18:59:39 CDT 2002


Hi Rolando -

Sorry about that - I just cut and pasted your original text and I missed the 
quotes - my apologies.

regards

Hugh


On Fri, 14 Jun 2002 07:53, Rolando Riley wrote:
> Looking good so far!!! Just one observation though:
>
> AuthSelect select "REJECT" from BLACKLIST \
>                    where USERNAME='%n'
>
> I had to remove the double quotes on "REJECT"  to make it work like this:
>
> AuthSelect select REJECT from BLACKLIST \
>                    where USERNAME='%n'
>
> What happened is that MySQL used "REJECT" as a constant and not as a field.
> Hence that query returned just REJECT, producing the error "Bad attribute=value pair".
>
>
>
> cheers,
>
> R. Riley
>
>
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Hugh Irvine
> Sent: Wednesday, June 12, 2002 6:14 PM
> To: Rolando Riley; radiator at open.com.au
> Subject: Re: (RADIATOR) Users Blacklists
>
>
>
> Hello Rolando -
>
> You are close, but not quite there.
>
> Here is what to do:
>
> # Check-Users file
> # Default entry to check the BLACKLIST table
>
> DEFAULT         Auth-Type = VE_blacklist
>
> DEFAULT	Auth-Type = Accept
>
>
> Your BLACKLIST SQL table should contain this:
>
> USERNAME	REJECT
>
> someuser	Auth-Type = "Reject: This user is on the BLACKLIST"
>
> anotheruser	Auth-Type = "Reject: This user is on the BLACKLIST"
>
>
> Here is a snippet of my radius.cfg
>
> ----------------------
>
> <AuthBy SQL>
>         Identifier VE_blacklist
>         DBSource        ......
>         DBUsername    ......
>         DBAuth          ......
>         AuthSelect select "REJECT" from BLACKLIST \
>                    where USERNAME='%n'
>         AuthColumnDef 0, GENERIC, check
>         AccountingTable
> </AuthBy>
>
> <AuthBy FILE>
>    Identifier CheckUSERS
>    Filename     %D/Check-Users
> </AuthBy>
>
> <AuthBy LDAP2>
>                 Identifier      CheckLDAP
>                 Host            ......
>                 AuthDN          ......
>                 AuthPassword   ......
>                 BaseDN          ......
>                 UsernameAttr    uid
>                 PasswordAttr    userPassword
> </AuthBy>
>
>
> <Realm>
>         UsernameCharset a-zA-Z0-9\._ at -
>         MaxSessions 1
>         RewriteUsername tr/A-Z/a-z/
>         AuthByPolicy    ContinueWhileAccept
>         AuthBy CheckUSERS
>         AuthBy CheckLDAP
>         AcctLogFileName %L/detailu
> </Realm>
>
>
> Please let me know how you get on.
>
> regards
>
> Hugh
>
> On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
> > Hi Hugh:
> >
> > 	Well this time I want to configure a users blacklist and what I want to do
> > is simple:
> > 	1) Every time I have a request this list (BLACKLIST) will be checked. If
> > the user is found the request is Rejected.
> > 	   NO further queries should be performed after the user is
> > rejected.
> > 	2) If the user isn't found then the authentication should be done against
> > LDAP uid and userPassword attributes.
> >
> > 	I have searched the mailing lists and have found something very similar
> > that was done against "calling stations id".  For some reason, although the
> > user is being found on the BLACKLIST, Radiator continues the search and
> > auth process over LDAP.  What could I have been doing wrong?
> >
> >
> >
> >
> >
> > Here is the output of the Check-Users file
> > ---------------------------------------------
> > # Default entry to check the BLACKLIST table
> >
> > DEFAULT		Auth-Type = VE_blacklist
> >
> >
> >
> > Here is a snippet of my radius.cfg
> >
> > ----------------------
> >
> > <AuthBy SQL>
> > 	Identifier VE_blacklist
> >         DBSource        ......
> >         DBUsername    ......
> >         DBAuth          ......
> > 	AuthSelect select "REJECT" from BLACKLIST \
> > 		   where USERNAME='%n'
> > 	AccountingTable
> > </AuthBy>
> >
> > <AuthBy FILE>
> >    Identifier CheckUSERS
> >    Filename 	%D/Check-Users
> > #   NoDefaultIfFound
> >    AcceptIfMissing
> > </AuthBy>
> >
> > <AuthBy LDAP2>
> > 		Identifier	CheckLDAP
> >                 Host            ......
> >                 AuthDN          ......
> >                 AuthPassword   ......
> >                 BaseDN          ......
> >                 UsernameAttr    uid
> >                 PasswordAttr    userPassword
> > </AuthBy>
> >
> >
> > <Realm>
> > 	UsernameCharset a-zA-Z0-9\._ at -
> > 	MaxSessions 1
> > 	RewriteUsername tr/A-Z/a-z/
> > 	AuthByPolicy	ContinueWhileAccept
> > 	AuthBy CheckUSERS
> > 	AuthBy CheckLDAP
> > 	AcctLogFileName %L/detailu
> > </Realm>
> >
> > ------------------------------
> >
> >
> > Here is a trace debug 4 of a test:
> >
> >
> > ---------------------
> > Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
> > Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> > Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
> > Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL: VE_blacklist
> > Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='rriley'
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with rriley
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='DEFAULT'
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> > Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
>
> > Wed Jun 12 04:57:24 2002: INFO: Connecting to XX.XX.XX.XX, port 389
> > Wed Jun 12 04:57:24 2002: INFO: Attempting to bind with (admin dn)
> > Wed Jun 12 04:57:24 2002: DEBUG: LDAP got result for (my dn)
> > Wed Jun 12 04:57:24 2002: DEBUG: LDAP got userPassword: xxxxxxxxxxx
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 looks for match with rriley
> > Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> > Wed Jun 12 04:57:24 2002: DEBUG: Access accepted for rriley
> > Wed Jun 12 04:57:24 2002: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 32768 ....
> > Code:       Access-Accept
> > Identifier: 99
> > Authentic:  1234567890123456
> > Attributes:
> > -----------------
> >
> >
> > cheers,
> >
> > -----------------------------------
> > Ing. Rolando Riley
> > Systems Manager
> > AYAYAI.COM S.A.
> > Tel: (507) 265-2424 ext. 408
> > -----------------------------------
> >
> >
> > ______________________________________________
> > Ayayai.com Ultra, your AD-FREE prepaid Internet
> > http://www.ayayai.com/ultra
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
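The quoting problem Rolando describes above, reproduced against MySQL as an added example (not part of the thread): it assumes the BLACKLIST table from Hugh's message (columns USERNAME and REJECT), the default sql_mode where double quotes delimit string literals, and constructed sample rows.

```sql
-- Added example, not from the thread. MySQL with default sql_mode:
-- "..." is a string literal, not an identifier (unless ANSI_QUOTES is set).
CREATE TABLE BLACKLIST (
    USERNAME VARCHAR(64)  NOT NULL PRIMARY KEY,
    REJECT   VARCHAR(255) NOT NULL
);

-- Constructed sample rows, in the check-item form that
-- Hugh's "AuthColumnDef 0, GENERIC, check" expects back.
INSERT INTO BLACKLIST (USERNAME, REJECT) VALUES
    ('someuser',    'Auth-Type = "Reject: This user is on the BLACKLIST"'),
    ('anotheruser', 'Auth-Type = "Reject: This user is on the BLACKLIST"');

-- 1. The original AuthSelect: "REJECT" is a string constant, so a matching
--    row returns the six-character text REJECT instead of the column value.
--    Radiator then cannot parse it as a check item: "Bad attribute=value pair".
SELECT "REJECT" FROM BLACKLIST WHERE USERNAME = 'someuser';
-- +--------+
-- | REJECT |
-- +--------+
-- | REJECT |
-- +--------+

-- 2. Unquoted (Rolando's fix) or backtick-quoted (MySQL identifier quoting):
--    the stored check item comes back and the reject takes effect.
SELECT REJECT   FROM BLACKLIST WHERE USERNAME = 'someuser';
SELECT `REJECT` FROM BLACKLIST WHERE USERNAME = 'someuser';
-- +-----------------------------------------------------+
-- | REJECT                                              |
-- +-----------------------------------------------------+
-- | Auth-Type = "Reject: This user is on the BLACKLIST" |
-- +-----------------------------------------------------+

-- 3. A user who is not listed produces no rows, so the BLACKLIST
--    lookup matches nothing and the Check-Users DEFAULT chain continues.
SELECT REJECT FROM BLACKLIST WHERE USERNAME = 'rriley';
-- Empty set
```

In the live AuthSelect the username arrives through %n; the Realm's UsernameCharset line in the configuration above is what keeps that interpolated value to a restricted character set.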