(RADIATOR) Restricting login by NAS

Japheth Cleaver cleaver at rohan.sdsu.edu
Fri Mar 8 23:28:59 CST 2002


At 02:57 PM 3/9/2002 +1100, Barry Andersson wrote:
>Hi,
>
>Can anyone help with the Check Item Perl expression to enable us to
>ensure that certain users cannot login via particular NAS?
>
>That is, we want some users to be able to dial in via any NAS except
>aaa.bbb.ccc.ddd and www.xxx.yyy.zzz .
>
>Barry Andersson

Hello,

I wrote a simple check script a while ago to prevent logins on a specific
phone number, but the same principle can be applied to the NAS identifier.
Just change "Called-Station-Id" to "NAS-IP-Address" and replace the phone
numbers with the evil IP addresses. Should work.

Japheth Cleaver
cleaver at rohan.sdsu.edu
------------------------------------
"Lack of documentation promotes job stability."



---- BEGIN SCRIPT
#!/usr/bin/perl
use strict;
use warnings;

# This script will examine the incoming packet (given to us on STDIN) and
# search for the number the user has called in on (if supplied). If it
# finds it, it searches for that number in our "list of bad numbers". If
# the number is in there, it sends a "reject" message back to Radiator
# (exit 1) along with a message for the NAS to display to the user (which
# Microsoft dutifully ignores.)

# If the number is not in the bad numbers list, it will send an "Ignore"
# message to Radiator (exit 2), which will cause Radiator to move on to the
# next authentication method.

# If the number they're dialing in on isn't supplied, it sends Radiator
# an "Ignore" message and Radiator continues on.

# - Japheth Cleaver - cleaver at rohan.sdsu.edu
#


# Enter the phone numbers to reject below, one per line
my $badNumbers = qq!
6198531212
6198675309
!;

# This is the message to be displayed back.
my $replyMsg = "Please call us at (800) xxx-xxxx to get a new number.";


##############################################
# Begin Code
##############################################

my $badNumberReplyMsg = qq!\tReply-Message = "$replyMsg"\n!;

foreach (<STDIN>) {
    if (/Called-Station-Id/) {
        # Keep only the quoted value; chomp (not chop) so a final line
        # without a newline does not lose its last digit
        s/^.*=\s"//; s/".*//; chomp;
        # Search in bad number list; \Q...\E matches the value literally
        if ($badNumbers =~ /^\Q$_\E$/m) {
            # Send "reject"
            print $badNumberReplyMsg;
            exit 1;
        } else {
            # Send "ignore"
            exit 2;
        }
    }
}

# Called-Station-Id was not supplied: send "ignore" explicitly, since
# falling off the end (exit 0) would tell Radiator to accept the user.
exit 2;

----END SCRIPT
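Barry asked to restrict particular users on particular NASes, whereas the script above rejects every caller from a listed station. The following is an added example, not from Japheth's post or from the Radiator project, of the same check-script pattern keyed on User-Name and NAS-IP-Address, with a per-user deny table. It assumes Radiator hands the request attributes to an AuthBy EXTERNAL command on STDIN as tab-indented `Attribute = "value"` lines and reads exit codes 0/1/2 as accept/reject/ignore; the user names and addresses in the table are constructed.

```perl
#!/usr/bin/perl
# Added example (not Radiator's own code): reject named users when they
# arrive via a NAS they are not allowed to use; everyone else is passed
# on to the next AuthBy. Assumed to be invoked from a Radiator
# <AuthBy EXTERNAL> block via its Command parameter.
use strict;
use warnings;

# Constructed policy: user => NAS-IP-Address values that user may NOT use.
# Users absent from this table are never restricted by this script.
my %denied_nas = (
    'barry' => [ '192.0.2.10', '192.0.2.20' ],
    'guest' => [ '192.0.2.10' ],
);

my $reply = 'Access from this NAS is not permitted for your account.';

# Parse the attribute lines Radiator sends us into a hash.
# Accepts both quoted and unquoted values.
my %attr;
while (my $line = <STDIN>) {
    if ($line =~ /^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$/) {
        $attr{$1} = $2;
    }
}

# Without both attributes there is nothing to decide: hand the request
# to the next AuthBy (exit 2) rather than accepting by default (exit 0).
my $user = $attr{'User-Name'};
my $nas  = $attr{'NAS-IP-Address'};
exit 2 unless defined $user && defined $nas;

# Policy entries are bare user names; drop a realm suffix such as
# '@example.com' so 'barry@example.com' is matched as 'barry'.
$user =~ s/@.*$//;

if (my $blocked = $denied_nas{$user}) {
    if (grep { $_ eq $nas } @$blocked) {
        # Reject, with a message the NAS may show to the user
        print qq!\tReply-Message = "$reply"\n!;
        exit 1;
    }
}

# Not denied: ignore, so Radiator moves on to the real authenticator
exit 2;
```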

-------------------------------------------------------

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

