(RADIATOR) RE: Reject access from specific Calling-Station-Id

William Hernandez whr at essnet.com
Fri Mar 1 12:32:07 CST 2002


Thanks for the suggestion Frank.

I'm running 2.18.2 so I'll have to schedule an upgrade to 2.19 to try
this out.

Regards,
William

-----Original Message-----
From: Frank Danielson [mailto:fdanielson at dataonair.com] 
Sent: Friday, March 01, 2002 2:02 PM
To: William Hernandez; Radiator (Radiator)
Subject: RE: (RADIATOR) RE: Reject access from specific
Calling-Station-Id


If you want to block access for all users when that combination of
Calling-Station-Id and Called-Station-Id is used, why not do it in a
handler?

<Handler Calling-Station-Id = /^555/, Called-Station-Id = /1112222/>
	<AuthBy INTERNAL>
		AuthResult	REJECT
		AcctStartResult	ACCEPT
		AcctStopResult	ACCEPT
		DefaultResult	REJECT
	</AuthBy>
	AcctLogFileName /var/log/radacct/detail
</Handler>

Just put this before your other handlers so it will match first; see
Section 6.16 in the manual for more info.

Frank Danielson
[Infrastructure Architect]
 
wireless: 407.467.7832
wireline: 407.515.8633
 
Data On Air
301 E. Pine St. Suite 450
Orlando, Fl 32801
http://www.dataonair.com
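A constructed Python model of the first-match Handler selection that Frank's suggestion relies on (added here; it is not Radiator's own Perl code, which is not on this page). It assumes handlers are tried in config order, that `/regex/` check items are unanchored searches, and that the bare `<Handler>` from William's radius.cfg matches every request; the packet-code labels `Accounting-Start`/`Accounting-Stop` are shorthand for AcctStartResult/AcctStopResult.

```python
import re

# Frank's blocking handler as data: regex check items plus the result table
# of its <AuthBy INTERNAL> clause.  "Accounting-Start"/"Accounting-Stop" are
# constructed labels for AcctStartResult/AcctStopResult.
BLOCK_HANDLER = {
    "name": "block-555-to-1112222",
    "checks": [("Calling-Station-Id", r"^555"), ("Called-Station-Id", r"1112222")],
    "internal": {"Access-Request": "REJECT", "Accounting-Start": "ACCEPT",
                 "Accounting-Stop": "ACCEPT", "default": "REJECT"},
}
# William's bare <Handler>: no check items, so it matches every request and
# hands it to its AuthBy chain (modelled here as the result "CHAIN").
CATCH_ALL = {"name": "catch-all", "checks": [], "internal": None}

def handler_matches(handler, attrs):
    """Every check item must match; /regex/ items are modelled as unanchored searches."""
    return all(re.search(rx, attrs.get(attr, "")) for attr, rx in handler["checks"])

def select_handler(handlers, attrs):
    """Handlers are tried in config order; the first full match wins."""
    for handler in handlers:
        if handler_matches(handler, attrs):
            return handler
    return None

def dispatch(handlers, code, attrs):
    """Return (handler name, result) for one packet of the given code."""
    handler = select_handler(handlers, attrs)
    if handler is None:
        return (None, "IGNORE")          # no matching handler: modelled as ignored
    table = handler["internal"]
    if table is None:
        return (handler["name"], "CHAIN")
    return (handler["name"], table.get(code, table["default"]))

# Constructed packets mirroring William's two radpwtst runs.
BLOCKED = {"Calling-Station-Id": "5556666", "Called-Station-Id": "1112222"}
ALLOWED = {"Calling-Station-Id": "3333333", "Called-Station-Id": "1112222"}

if __name__ == "__main__":
    # Second ordering shows why the block handler must come first: the
    # catch-all swallows everything placed after it.
    for order in ([BLOCK_HANDLER, CATCH_ALL], [CATCH_ALL, BLOCK_HANDLER]):
        print([h["name"] for h in order])
        for code in ("Access-Request", "Accounting-Start"):
            print(" ", code, dispatch(order, code, BLOCKED), dispatch(order, code, ALLOWED))
```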


-----Original Message-----
From: William Hernandez [mailto:whr at essnet.com]
Sent: Friday, March 01, 2002 8:28 AM
To: Radiator (Radiator)
Subject: (RADIATOR) RE: Reject access from specific Calling-Station-Id


Hello everyone,

I haven't gotten any closer on this. Does anyone have any suggestions?

Thanks in advance,
William

-----Original Message-----
From: William Hernandez [mailto:whr at essnet.com] 
Sent: Wednesday, February 20, 2002 11:34 AM
To: Radiator (Radiator)
Subject: RE: Reject access from specific Calling-Station-Id


Hello everyone,

I think I'm getting closer. I changed blockcli.prw to:
username Calling-Station-Id = /^555/, Called-Station-Id = /1112222/, Auth-Type = "Reject: Calling station not valid for 1112222"

DEFAULT Auth-Type="Accept"

And in radius.cfg I changed ContinueWhileAccept to ContinueUntilReject.

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=5556666 Called-Station-Id=1112222
sending Access-Request... Rejected
        Reply-Message = "Request Denied"
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK
#

/var/log/radius.log:
Wed Feb 20 10:56:57 2002: INFO: Access rejected for username:  Calling station not valid for 1112222

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=3333333 Called-Station-Id=1112222
sending Access-Request... OK
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Idle-Limit = 1200
        Idle-Timeout = 1200
        Session-Timeout = 41580
        Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
        Ascend-IP-Direct = 10.10.10.10
        VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

It seems to work, but it means that I have to define all my users in the
users file. Is there an easier way?

Thanks in advance,
William

-----Original Message-----
From: William Hernandez 
Sent: Monday, February 18, 2002 9:38 AM
To: Radiator (Radiator)
Subject: Reject access from specific Calling-Station-Id


Hello everyone,

We're trying to configure Radiator 2.18.2 to reject access to a specific
Called-Station-Id when the Calling-Station-Id is in a specific range
using various ideas picked up from the archives, but the following is
not working for us.

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=5556666 Called-Station-Id=1112222
sending Access-Request... OK
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Idle-Limit = 1200
        Idle-Timeout = 1200
        Session-Timeout = 49920
        Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
        Ascend-IP-Direct = 10.10.10.10
        VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

Regards,
William
-------------------------- radius.cfg ----------------------------------------
...
<AuthBy FILE>
        Identifier Check-CLI
        AcceptIfMissing
        Filename /etc/raddb/blockcli.prw
</AuthBy>
...
<Handler>
        SessionDatabase prw-sessiondb

        AuthByPolicy ContinueWhileAccept
        AuthBy Check-CLI
        AuthBy Check-FILE
        AuthBy System

        PostAuthHook file:"/etc/raddb/postauthhook.prw"

        AcctLogFileName /var/log/radacct/detail
        PasswordLogFileName     /var/log/radius.log
        ExcludeFromPasswordLog  root
</Handler>
...
-------------------------- End of radius.cfg -----------------------------

-------------------------- blockcli.prw ------------------------------------
DEFAULT Calling-Station-Id = /^555/, \
Called-Station-Id = /1112222/, \
Auth-Type = "Reject: Calling station not valid for 1112222"

-------------------------- End of blockcli.prw --------------------------
-------------------------- radius.log ----------------------------------------
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637 ....
Code:       Access-Request
Identifier: 126
Authentic:  1234567890123456
Attributes:
        User-Name = "username"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = "<146><208><238><158><247><22><144><5><164><133><228><174><1>H<30>x"
        Calling-Station-Id = "5556666"
        Called-Station-Id = "1112222"

Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler  should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Deleting session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234

Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='username'

Mon Feb 18 09:08:36 2002: Login OK: [username] (www)
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX looks for match with username
Mon Feb 18 09:08:36 2002: Login OK: [username] (www)
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 1112222
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for username
Mon Feb 18 09:08:36 2002: DEBUG: User username has timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 and timeouts in 49920 seconds
Mon Feb 18 09:08:36 2002: DEBUG: Xstop using Ascend-IP-Direct=10.10.10.10 and VPN-Neighbor=10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: User username has content controls of  xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Mon Feb 18 09:08:36 2002: DEBUG: HiperNASIpAttr: 10.10.10.11~10.10.10.12~208.249.78.13
Mon Feb 18 09:08:36 2002: DEBUG: Access accepted for username
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Sending to 10.10.10.3 port 41637 ....
Code:       Access-Accept
Identifier: 126
Authentic:  1234567890123456
Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Idle-Limit = 1200
        Idle-Timeout = 1200
        Session-Timeout = 49920
        Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
        Ascend-IP-Direct = 10.10.10.10
        VPN-Neighbor = 10.10.10.10

Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637 ....
Code:       Accounting-Request
Identifier: 127
Authentic:  j<203><22><236><3><238><23><202><3>e<183><153>Qw<182><183>
Attributes:
        User-Name = "username"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Calling-Station-Id = "5556666"
        Called-Station-Id = "1112222"

Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler  should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Adding session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234

Mon Feb 18 09:08:36 2002: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('username', '203.63.154.1', 01234, '00001234', 1014037716, '', ' Async', 'Framed-User')

Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 1112222
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for username
Mon Feb 18 09:08:36 2002: DEBUG: User username has timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 and timeouts in 49920 seconds
Mon Feb 18 09:08:36 2002: DEBUG: Xstop using Ascend-IP-Direct=10.10.10.10 and VPN-Neighbor=10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: User username has content controls of  xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Mon Feb 18 09:08:36 2002: DEBUG: HiperNASIpAttr: 10.10.10.11~10.10.10.12~208.249.78.13
Mon Feb 18 09:08:36 2002: DEBUG: Accounting accepted
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Sending to 10.10.10.3 port 41637 ....
Code:       Accounting-Response
Identifier: 127
Authentic:  j<203><22><236><3><238><23><202><3>e<183><153>Qw<182><183>
Attributes:
        Session-Timeout = 49920
        Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
        Ascend-IP-Direct = 10.10.10.10
        VPN-Neighbor = 10.10.10.10

Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637 ....
Code:       Accounting-Request
Identifier: 128
Authentic:  <251>*y<148>4<144><251>1<247>M<251><240>l<168>N<211>
Attributes:
        User-Name = "username"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Stop
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 20000
        Acct-Output-Octets = 30000
        Calling-Station-Id = "5556666"
        Called-Station-Id = "1112222"

Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler  should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Deleting session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234

Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 1112222
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for username
Mon Feb 18 09:08:36 2002: DEBUG: User username has timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 and timeouts in 49920 seconds
Mon Feb 18 09:08:36 2002: DEBUG: Xstop using Ascend-IP-Direct=10.10.10.10 and VPN-Neighbor=10.10.10.10
Mon Feb 18 09:08:36 2002: DEBUG: User username has content controls of  xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Mon Feb 18 09:08:36 2002: DEBUG: HiperNASIpAttr: 10.10.10.11~10.10.10.12~208.249.78.13
Mon Feb 18 09:08:36 2002: DEBUG: Accounting accepted
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Sending to 10.10.10.3 port 41637 ....
Code:       Accounting-Response
Identifier: 128
Authentic:  <251>*y<148>4<144><251>1<247>M<251><240>l<168>N<211>
Attributes:
        Session-Timeout = 49920
        Class = "xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1"
        Ascend-IP-Direct = 10.10.10.10
        VPN-Neighbor = 10.10.10.10
----------------------End of radius.log ------------------------------


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
