(RADIATOR) Users Blacklists

Rolando Riley rriley at ayayai.com
Tue Oct 15 08:59:40 CDT 2002


Sorry to skip that one  =((  . Hugh, one last question: to which of those
AuthBy clauses should I add the line:
           AddToReply Session-Timeout = 10800


to have a user disconnected after a 3 hour session?


Hugh...  Does Radiator have an idle timeout?  I wish to disconnect a
connection idling for 1 hour.


cheers,


R. Riley





-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, October 15, 2002 12:12 AM
To: Rolando Riley
Subject: Re: (RADIATOR) Users Blacklists



Hello Rolando -

Thanks for sending the files.

You have incorrectly specified "AuthColumnDef" instead of
"AcctColumnDef" in your AuthBy SQL clause for accounting.

regards

Hugh


On Tuesday, October 15, 2002, at 07:10 AM, Rolando Riley wrote:

> Hugh:
>       The configuration is not giving me any error but it is not
> logging anything in the ACCOUNTING table.
>
>
> I am attaching my radius.cfg (radius.txt) and a trace debug 4 of the
> radius.
> What could be wrong?
>
>
> cheers,
>
>
> R. Riley
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Saturday, September 28, 2002 7:55 PM
> To: Rolando Riley
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) Users Blacklists
>
>
>
> Hello Rolando -
>
> You should do something like this:
>
> # define AuthBy clauses
>
> <AuthBy SQL>
>          Identifier DoSQLAccounting
>          DBSource        ......
>          DBUsername    ......
>          DBAuth          ......
>          AuthSelect
>          AccountingTable ACCOUNTING
>          AcctColumnDef .....
> 	......
> </AuthBy>
>
> <AuthBy SQL>
>          Identifier VE_blacklist
>          DBSource        ......
>          DBUsername    ......
>          DBAuth          ......
>          AuthSelect select "REJECT" from BLACKLIST \
>                     where USERNAME='%n'
>          AuthColumnDef 0, GENERIC, check
>          AccountingTable
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier CheckUSERS
>     Filename     %D/Check-Users
> </AuthBy>
>
> <AuthBy LDAP2>
>                  Identifier      CheckLDAP
>                  Host            ......
>                  AuthDN          ......
>                  AuthPassword   ......
>                  BaseDN          ......
>                  UsernameAttr    uid
>                  PasswordAttr    userPassword
> </AuthBy>
>
> <AuthBy GROUP>
> 	Identifier DoAuthentication
> 	AuthByPolicy ContinueWhileAccept
> 	AuthBy CheckUSERS
> 	AuthBy CheckLDAP
> </AuthBy>
>
> # define Realms
>
> <Realm>
>          UsernameCharset a-zA-Z0-9\._ at -
>          MaxSessions 1
>          RewriteUsername tr/A-Z/a-z/
>          AuthByPolicy    ContinueAlways
>          AuthBy DoSQLAccounting
>          AuthBy DoAuthentication
>          AcctLogFileName %L/detailu
> </Realm>
>
>
> regards
>
> Hugh
>
>
> On Saturday, September 28, 2002, at 07:45 AM, Rolando Riley wrote:
>
>> Hi Hugh:
>>
>>      Some time ago I posted this email but I am getting tired of
>> processing big flat logs for reports.  What do I have to add to my cfg to
>> have the ACCOUNTING going to the ACCOUNTING table and hence use radcgi and
>> radwho for reports?
>>
>> regards,
>>
>> Rolando
>>
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
>> Behalf Of Hugh Irvine
>> Sent: Wednesday, June 12, 2002 6:14 PM
>> To: Rolando Riley; radiator at open.com.au
>> Subject: Re: (RADIATOR) Users Blacklists
>>
>>
>>
>> Hello Rolando -
>>
>> You are close, but not quite there.
>>
>> Here is what to do:
>>
>> # Check-Users file
>> # Default ENTRY to check the BLACKLIST table
>>
>> DEFAULT         Auth-Type = VE_blacklist
>>
>> DEFAULT	Auth-Type = Accept
>>
>>
>> Your BLACKLIST SQL table should contain this:
>>
>> USERNAME	REJECT
>>
>> someuser	Auth-Type = "Reject: This user is on the BLACKLIST"
>>
>> anotheruser	Auth-Type = "Reject: This user is on the BLACKLIST"
>>
>>
>> Here is a snippet of my radius.cfg
>>
>> ----------------------
>>
>> <AuthBy SQL>
>>         Identifier VE_blacklist
>>         DBSource        ......
>>         DBUsername    ......
>>         DBAuth          ......
>>         AuthSelect select "REJECT" from BLACKLIST \
>>                    where USERNAME='%n'
>>         AuthColumnDef 0, GENERIC, check
>>         AccountingTable
>> </AuthBy>
>>
>> <AuthBy FILE>
>>    Identifier CheckUSERS
>>    Filename     %D/Check-Users
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>>                 Identifier      CheckLDAP
>>                 Host            ......
>>                 AuthDN          ......
>>                 AuthPassword   ......
>>                 BaseDN          ......
>>                 UsernameAttr    uid
>>                 PasswordAttr    userPassword
>> </AuthBy>
>>
>>
>> <Realm>
>>         UsernameCharset a-zA-Z0-9\._ at -
>>         MaxSessions 1
>>         RewriteUsername tr/A-Z/a-z/
>>         AuthByPolicy    ContinueWhileAccept
>>         AuthBy CheckUSERS
>>         AuthBy CheckLDAP
>>         AcctLogFileName %L/detailu
>> </Realm>
>>
>>
>> Please let me know how you get on.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
>>> Hi Hugh:
>>>
>>> 	Well this time I want to configure a users blacklist and what I want
>>> to do is simple:
>>> 	1) Every time I have a request this list (BLACKLIST) will be checked.
>>> If the user is found the request is Rejected.
>>>             NO further queries should be performed after the user is
>>> rejected.
>>> 	2) If the user isn't found then the authentication should be done
>>> against LDAP uid and userPassword attributes.
>>>
>>> 	I have searched the mailing lists and have found something very
>>> similar that was done against "calling stations id".  For some reason the
>>> user, although it is being found on the BLACKLIST, Radiator continues the
>>> searching and auth process over LDAP.  What could I have been doing
>>> wrong?
>>>
>>>
>>>
>>>
>>>
>>> Here is the output of Check-Users file
>>> ---------------------------------------------
>>> # Default ENTRY to check the BLACKLIST table
>>>
>>> DEFAULT		Auth-Type = VE_blacklist
>>>
>>>
>>>
>>> Here is a snippet of my radius.cfg
>>>
>>> ----------------------
>>>
>>> <AuthBy SQL>
>>> 	Identifier VE_blacklist
>>>         DBSource        ......
>>>         DBUsername    ......
>>>         DBAuth          ......
>>> 	AuthSelect select "REJECT" from BLACKLIST \
>>> 		   where USERNAME='%n'
>>> 	AccountingTable
>>> </AuthBy>
>>>
>>> <AuthBy FILE>
>>>    Identifier CheckUSERS
>>>    Filename 	%D/Check-Users
>>> #   NoDefaultIfFound
>>>    AcceptIfMissing
>>> </AuthBy>
>>>
>>> <AuthBy LDAP2>
>>> 		Identifier	CheckLDAP
>>>                 Host            ......
>>>                 AuthDN          ......
>>>                 AuthPassword   ......
>>>                 BaseDN          ......
>>>                 UsernameAttr    uid
>>>                 PasswordAttr    userPassword
>>> </AuthBy>
>>>
>>>
>>> <Realm>
>>> 	UsernameCharset a-zA-Z0-9\._ at -
>>> 	MaxSessions 1
>>> 	RewriteUsername tr/A-Z/a-z/
>>> 	AuthByPolicy	ContinueWhileAccept
>>> 	AuthBy CheckUSERS
>>> 	AuthBy CheckLDAP
>>> 	AcctLogFileName %L/detailu
>>> </Realm>
>>>
>>> ------------------------------
>>>
>>>
>>> Here is a trace debug 4 of a test:
>>>
>>>
>>> ---------------------
>>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL: VE_blacklist
>>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='rriley'
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with rriley
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='DEFAULT'
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
>>> Wed Jun 12 04:57:24 2002: INFO: Connecting to XX.XX.XX.XX, port 389
>>> Wed Jun 12 04:57:24 2002: INFO: Attempting to bind with (admin dn)
>>> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got result for (my dn)
>>> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got userPassword: xxxxxxxxxxx
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 looks for match with rriley
>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>> Wed Jun 12 04:57:24 2002: DEBUG: Access accepted for rriley
>>> Wed Jun 12 04:57:24 2002: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 32768 ....
>>> Code:       Access-Accept
>>> Identifier: 99
>>> Authentic:  1234567890123456
>>> Attributes:
>>> -----------------
>>>
>>>
>>> cheers,
>>>
>>> -----------------------------------
>>> Ing. Rolando Riley
>>> Systems Manager
>>> AYAYAI.COM S.A.
>>> Tel: (507) 265-2424 ext. 408
>>> -----------------------------------
>>>
>>>
>>> ______________________________________________
>>> Ayayai.com Ultra, your prepaid Internet, FREE OF ADVERTISING
>>> http://www.ayayai.com/ultra
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>>
>>
>>
>
>
> <radius.txt><log.txt>

NB: I am travelling this week, so there may be delays in our
correspondence.
