(RADIATOR) RE: Reject access from specific Calling-Station-Id
William Hernandez
whr at essnet.com
Fri Mar 1 12:32:07 CST 2002
Thanks for the suggestion Frank.
I'm running 2.18.2 so I'll have to schedule an upgrade to 2.19 to try
this out.
Regards,
William
-----Original Message-----
From: Frank Danielson [mailto:fdanielson at dataonair.com]
Sent: Friday, March 01, 2002 2:02 PM
To: William Hernandez; Radiator (Radiator)
Subject: RE: (RADIATOR) RE: Reject access from specific Calling-Station-Id
If you want to block access for all users when that combination of
Calling-Station-Id and Called-Station-Id is used, why not do it in a
handler?
<Handler Calling-Station-Id = /^555/, Called-Station-Id = /1112222/>
    <AuthBy INTERNAL>
        AuthResult REJECT
        AcctStartResult ACCEPT
        AcctStopResult ACCEPT
        DefaultResult REJECT
    </AuthBy>
    AcctLogFileName /var/log/radacct/detail
</Handler>
Just put this before your other handlers so it will match first, see
Section 6.16 in the manual for more info.
Frank Danielson
[Infrastructure Architect]
wireless: 407.467.7832
wireline: 407.515.8633
Data On Air
301 E. Pine St. Suite 450
Orlando, Fl 32801
http://www.dataonair.com
-----Original Message-----
From: William Hernandez [mailto:whr at essnet.com]
Sent: Friday, March 01, 2002 8:28 AM
To: Radiator (Radiator)
Subject: (RADIATOR) RE: Reject access from specific Calling-Station-Id
Hello everyone,
I haven't gotten any closer on this. Does anyone have any suggestions?
Thanks in advance,
William
-----Original Message-----
From: William Hernandez [mailto:whr at essnet.com]
Sent: Wednesday, February 20, 2002 11:34 AM
To: Radiator (Radiator)
Subject: RE: Reject access from specific Calling-Station-Id
Hello everyone,
I think I'm getting closer. I changed blockcli.prw to:
username Calling-Station-Id = /^555/, Called-Station-Id = /1112222/, Auth-Type = "Reject: Calling station not valid for 1112222"
DEFAULT Auth-Type="Accept"
And in radius.cfg I changed ContinueWhileAccept to ContinueUntilReject.
# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=5556666 Called-Station-Id=1112222
sending Access-Request...
Rejected
Reply-Message = "Request Denied"
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK
#
/var/log/radius.log:
Wed Feb 20 10:56:57 2002: INFO: Access rejected for username: Calling station not valid for 1112222
# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=3333333 Called-Station-Id=1112222
sending Access-Request...
OK
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Idle-Limit = 1200
Idle-Timeout = 1200
Session-Timeout = 41580
Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK
It seems to work, but it means that I have to define all my users in the
users file. Is there an easier way?
Thanks in advance,
William
-----Original Message-----
From: William Hernandez
Sent: Monday, February 18, 2002 9:38 AM
To: Radiator (Radiator)
Subject: Reject access from specific Calling-Station-Id
Hello everyone,
We're trying to configure Radiator 2.18.2 to reject access to a specific
Called-Station-Id when the Calling-Station-Id is in a specific range
using various ideas picked up from the archives, but the following is
not working for us.
# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=5556666 Called-Station-Id=1112222
sending Access-Request...
OK
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Idle-Limit = 1200
Idle-Timeout = 1200
Session-Timeout = 49920
Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK
Regards,
William
-------------------------- radius.cfg ----------------------------------------
...
<AuthBy FILE>
    Identifier Check-CLI
    AcceptIfMissing
    Filename /etc/raddb/blockcli.prw
</AuthBy>
...
<Handler>
    SessionDatabase prw-sessiondb
    AuthByPolicy ContinueWhileAccept
    AuthBy Check-CLI
    AuthBy Check-FILE
    AuthBy System
    PostAuthHook file:"/etc/raddb/postauthhook.prw"
    AcctLogFileName /var/log/radacct/detail
    PasswordLogFileName /var/log/radius.log
    ExcludeFromPasswordLog root
</Handler>
...
-------------------------- End of radius.cfg -----------------------------
-------------------------- blockcli.prw ------------------------------------
DEFAULT Calling-Station-Id = /^555/, \
Called-Station-Id = /1112222/, \
Auth-Type = "Reject: Calling station not valid for 1112222"
-------------------------- End of blockcli.prw --------------------------
-------------------------- radius.log ----------------------------------------
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637 ....
Code: Access-Request
Identifier: 126
Authentic: 1234567890123456
Attributes:
User-Name = "username"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<146><208><238><158><247><22><144><5><164><133><228><174><1>H<30>x"
Calling-Station-Id = "5556666"
Called-Station-Id = "1112222"
Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Deleting session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='username'
Mon Feb 18 09:08:36 2002: Login OK: [username] (www)
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX looks for match with username
Mon Feb 18 09:08:36 2002: Login OK: [username] (www)
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 1112222
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for username
Mon Feb 18 09:08:36 2002: DEBUG: User username has timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 and timeouts in 49920 seconds
Mon Feb 18 09:08:36 2002: DEBUG: Xstop using Ascend-IP-Direct=10.10.10.10 and VPN-Neighbor=10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: User username has content controls of xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Mon Feb 18 09:08:36 2002: DEBUG: HiperNASIpAttr: 10.10.10.11~10.10.10.12~208.249.78.13
Mon Feb 18 09:08:36 2002: DEBUG: Access accepted for username
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Sending to 10.10.10.3 port 41637 ....
Code: Access-Accept
Identifier: 126
Authentic: 1234567890123456
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Idle-Limit = 1200
Idle-Timeout = 1200
Session-Timeout = 49920
Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637 ....
Code: Accounting-Request
Identifier: 127
Authentic: j<203><22><236><3><238><23><202><3>e<183><153>Qw<182><183>
Attributes:
User-Name = "username"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Calling-Station-Id = "5556666"
Called-Station-Id = "1112222"
Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Adding session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('username', '203.63.154.1', 01234, '00001234', 1014037716, '', 'Async', 'Framed-User')
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 1112222
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for username
Mon Feb 18 09:08:36 2002: DEBUG: User username has timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 and timeouts in 49920 seconds
Mon Feb 18 09:08:36 2002: DEBUG: Xstop using Ascend-IP-Direct=10.10.10.10 and VPN-Neighbor=10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: User username has content controls of xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Mon Feb 18 09:08:36 2002: DEBUG: HiperNASIpAttr: 10.10.10.11~10.10.10.12~208.249.78.13
Mon Feb 18 09:08:36 2002: DEBUG: Accounting accepted
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Sending to 10.10.10.3 port 41637 ....
Code: Accounting-Response
Identifier: 127
Authentic: j<203><22><236><3><238><23><202><3>e<183><153>Qw<182><183>
Attributes:
Session-Timeout = 49920
Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637 ....
Code: Accounting-Request
Identifier: 128
Authentic: <251>*y<148>4<144><251>1<247>M<251><240>l<168>N<211>
Attributes:
User-Name = "username"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Calling-Station-Id = "5556666"
Called-Station-Id = "1112222"
Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Deleting session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 1112222
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for username
Mon Feb 18 09:08:36 2002: DEBUG: User username has timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 and timeouts in 49920 seconds
Mon Feb 18 09:08:36 2002: DEBUG: Xstop using Ascend-IP-Direct=10.10.10.10 and VPN-Neighbor=10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: User username has content controls of xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Mon Feb 18 09:08:36 2002: DEBUG: HiperNASIpAttr: 10.10.10.11~10.10.10.12~208.249.78.13
Mon Feb 18 09:08:36 2002: DEBUG: Accounting accepted
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Sending to 10.10.10.3 port 41637 ....
Code: Accounting-Response
Identifier: 128
Authentic: <251>*y<148>4<144><251>1<247>M<251><240>l<168>N<211>
Attributes:
Session-Timeout = 49920
Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
----------------------End of radius.log ------------------------------
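Editor's added example (not code from the thread or from Radiator itself): a small Python model of the two mechanisms the thread turns on. The first is Frank's approach, a dedicated <Handler> whose check items are Perl-style regexes on Calling-Station-Id and Called-Station-Id and which must be listed before the catch-all Handler, because the first matching Handler wins. The second is William's working approach, a users-file AuthBy that rejects the 555*/1112222 combination and otherwise accepts, placed first in a chain run under ContinueUntilReject. The AuthByPolicy semantics encoded here (ContinueWhileAccept stops at the first non-ACCEPT result, ContinueUntilReject stops at the first REJECT, and the last AuthBy consulted supplies the final result) are my reading of the Radiator manual and should be treated as an assumption; the AuthBy functions, the request dictionaries and the user name are constructed stand-ins for the clauses and radpwtst runs shown above.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"
Request = Dict[str, str]
AuthBy = Callable[[Request], str]


def check_items_match(checks: Dict[str, str], req: Request) -> bool:
    """True when every check item matches. Values are Perl-style regexes
    (the text between the slashes). An attribute absent from the request
    never matches, so a NAS that omits Calling-Station-Id is not blocked
    by a Handler keyed on it; that is the caveat to keep in mind."""
    return all(attr in req and re.search(rx, req[attr]) is not None
               for attr, rx in checks.items())


def run_chain(policy: str, authbys: List[AuthBy], req: Request) -> str:
    """Model of AuthByPolicy (assumed semantics, see lead-in)."""
    result = IGNORE
    for authby in authbys:
        result = authby(req)
        if policy == "ContinueWhileAccept" and result != ACCEPT:
            break
        if policy == "ContinueUntilReject" and result == REJECT:
            break
    return result


@dataclass
class Handler:
    name: str
    checks: Dict[str, str]
    policy: str
    authbys: List[AuthBy]


def dispatch(handlers: List[Handler], req: Request) -> Tuple[Optional[str], str]:
    """First Handler whose check items all match wins, in configuration
    order, which is why the blocking Handler must precede the catch-all."""
    for h in handlers:
        if check_items_match(h.checks, req):
            return h.name, run_chain(h.policy, h.authbys, req)
    return None, IGNORE  # no Handler matched: Radiator would send no reply


# Hypothetical stand-ins for the thread's AuthBy clauses.

def authby_internal_reject(req: Request) -> str:
    """Frank's <AuthBy INTERNAL> with AuthResult REJECT."""
    return REJECT


def authby_file_blockcli(req: Request) -> str:
    """William's second blockcli.prw: an entry rejecting the 555*/1112222
    combination, followed by 'DEFAULT Auth-Type=Accept'."""
    if (re.search(r"^555", req.get("Calling-Station-Id", ""))
            and re.search(r"1112222", req.get("Called-Station-Id", ""))):
        return REJECT
    return ACCEPT


def authby_system(req: Request) -> str:
    """Stand-in for AuthBy SYSTEM: knows only the constructed test user."""
    return ACCEPT if req.get("User-Name") == "username" else REJECT


def make_request(calling: str, called: str, user: str = "username") -> Request:
    """Constructed request mirroring the radpwtst invocations in the thread."""
    return {"User-Name": user, "Calling-Station-Id": calling,
            "Called-Station-Id": called}


# Frank's layout: a blocking Handler listed BEFORE the default Handler.
FRANK = [
    Handler("block", {"Calling-Station-Id": r"^555", "Called-Station-Id": r"1112222"},
            "ContinueWhileAccept", [authby_internal_reject]),
    Handler("default", {}, "ContinueWhileAccept", [authby_system]),
]

# William's layout: one Handler, blockcli.prw first, ContinueUntilReject.
WILLIAM = [
    Handler("default", {}, "ContinueUntilReject",
            [authby_file_blockcli, authby_system]),
]


def decide(handlers: List[Handler], calling: str, called: str) -> Tuple[Optional[str], str]:
    """Which Handler took the request and what it answered."""
    return dispatch(handlers, make_request(calling, called))


if __name__ == "__main__":
    configs = (("frank", FRANK), ("frank-misordered", list(reversed(FRANK))),
               ("william", WILLIAM))
    for name, cfg in configs:
        for calling in ("5556666", "3333333"):
            print(name, calling, "->", decide(cfg, calling, "1112222"))
```

The "frank-misordered" run is the check worth keeping: with the catch-all Handler listed first, its empty check-item list matches everything and the blocking Handler never sees the request, so 5556666 is accepted. The model also shows where the two policies differ: an AuthBy that returns IGNORE ends a ContinueWhileAccept chain with no decision, but a ContinueUntilReject chain moves on to the next AuthBy.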
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
===