(RADIATOR) Users Blacklists
Hugh Irvine
hugh at open.com.au
Tue Oct 15 09:11:04 CDT 2002
Hello Rolando -
You can add both Session-Timeout and Idle-Timeout in the AuthBy GROUP:
<AuthBy GROUP>
Identifier DoAuthentication
.....
AddToReply Session-Timeout = 10800, \
Idle-Timeout = 3600
</AuthBy>
Note that the actual disconnection is performed by the NAS, which must
support these attributes.
regards
Hugh
On Tuesday, October 15, 2002, at 11:59 PM, Rolando Riley wrote:
>
> Sorry to skip that one =((. Hugh, one last question: in which of
> those AuthBy clauses should I add the line
>
> AddToReply Session-Timeout = 10800
>
> to have a user disconnected after a 3-hour session?
>
>
> Hugh... Does Radiator have an idle timeout? I wish to disconnect
> connections that have been idle for 1 hour.
>
>
> cheers,
>
>
> R. Riley
>
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, October 15, 2002 12:12 AM
> To: Rolando Riley
> Subject: Re: (RADIATOR) Users Blacklists
>
>
>
> Hello Rolando -
>
> Thanks for sending the files.
>
> You have incorrectly specified "AuthColumnDef" instead of
> "AcctColumnDef" in your AuthBy SQL clause for accounting.
>
> regards
>
> Hugh
>
>
> On Tuesday, October 15, 2002, at 07:10 AM, Rolando Riley wrote:
>
>> Hugh:
>> The configuration is not giving me any error, but it is not logging
>> anything to the ACCOUNTING table.
>>
>>
>> I am attaching my radius.cfg (radius.txt) and a trace debug 4 of the
>> radius. What could be wrong?
>>
>>
>> cheers,
>>
>>
>> R. Riley
>>
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Saturday, September 28, 2002 7:55 PM
>> To: Rolando Riley
>> CC: radiator at open.com.au
>> Subject: Re: (RADIATOR) Users Blacklists
>>
>>
>>
>> Hello Rolando -
>>
>> You should do something like this:
>>
>> # define AuthBy clauses
>>
>> <AuthBy SQL>
>> Identifier DoSQLAccounting
>> DBSource ......
>> DBUsername ......
>> DBAuth ......
>> AuthSelect
>> AccountingTable ACCOUNTING
>> AcctColumnDef .....
>> ......
>> </AuthBy>
>>
>> <AuthBy SQL>
>> Identifier VE_blacklist
>> DBSource ......
>> DBUsername ......
>> DBAuth ......
>> AuthSelect select "REJECT" from BLACKLIST \
>> where USERNAME='%n'
>> AuthColumnDef 0, GENERIC, check
>> AccountingTable
>> </AuthBy>
>>
>> <AuthBy FILE>
>> Identifier CheckUSERS
>> Filename %D/Check-Users
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>> Identifier CheckLDAP
>> Host ......
>> AuthDN ......
>> AuthPassword ......
>> BaseDN ......
>> UsernameAttr uid
>> PasswordAttr userPassword
>> </AuthBy>
>>
>> <AuthBy GROUP>
>> Identifier DoAuthentication
>> AuthByPolicy ContinueWhileAccept
>> AuthBy CheckUSERS
>> AuthBy CheckLDAP
>> </AuthBy>
>>
>> # define Realms
>>
>> <Realm>
>> UsernameCharset a-zA-Z0-9\._@-
>> MaxSessions 1
>> RewriteUsername tr/A-Z/a-z/
>> AuthByPolicy ContinueAlways
>> AuthBy DoSQLAccounting
>> AuthBy DoAuthentication
>> AcctLogFileName %L/detailu
>> </Realm>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On Saturday, September 28, 2002, at 07:45 AM, Rolando Riley wrote:
>>
>>> Hi Hugh:
>>>
>>> Some time ago I posted this email, but I am getting tired of
>>> processing big flat logs for reports. What should I add to my cfg to
>>> have the ACCOUNTING going to the ACCOUNTING table and hence use
>>> radcgi and radwho for reports?
>>>
>>> regards,
>>>
>>> Rolando
>>>
>>>
>>> -----Original Message-----
>>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
>>> behalf of Hugh Irvine
>>> Sent: Wednesday, June 12, 2002 6:14 PM
>>> To: Rolando Riley; radiator at open.com.au
>>> Subject: Re: (RADIATOR) Users Blacklists
>>>
>>>
>>>
>>> Hello Rolando -
>>>
>>> You are close, but not quite there.
>>>
>>> Here is what to do:
>>>
>>> # Check-Users file
>>> # Default entry to check the BLACKLIST table
>>>
>>> DEFAULT Auth-Type = VE_blacklist
>>>
>>> DEFAULT Auth-Type = Accept
>>>
>>>
>>> Your BLACKLIST SQL table should contain this:
>>>
>>> USERNAME REJECT
>>>
>>> someuser Auth-Type = "Reject: This user is on the BLACKLIST"
>>>
>>> anotheruser Auth-Type = "Reject: This user is on the BLACKLIST"
>>>
>>>
>>> Here is a snippet of my radius.cfg
>>>
>>> ----------------------
>>>
>>> <AuthBy SQL>
>>> Identifier VE_blacklist
>>> DBSource ......
>>> DBUsername ......
>>> DBAuth ......
>>> AuthSelect select "REJECT" from BLACKLIST \
>>> where USERNAME='%n'
>>> AuthColumnDef 0, GENERIC, check
>>> AccountingTable
>>> </AuthBy>
>>>
>>> <AuthBy FILE>
>>> Identifier CheckUSERS
>>> Filename %D/Check-Users
>>> </AuthBy>
>>>
>>> <AuthBy LDAP2>
>>> Identifier CheckLDAP
>>> Host ......
>>> AuthDN ......
>>> AuthPassword ......
>>> BaseDN ......
>>> UsernameAttr uid
>>> PasswordAttr userPassword
>>> </AuthBy>
>>>
>>>
>>> <Realm>
>>> UsernameCharset a-zA-Z0-9\._@-
>>> MaxSessions 1
>>> RewriteUsername tr/A-Z/a-z/
>>> AuthByPolicy ContinueWhileAccept
>>> AuthBy CheckUSERS
>>> AuthBy CheckLDAP
>>> AcctLogFileName %L/detailu
>>> </Realm>
>>>
>>>
>>> Please let me know how you get on.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
>>>> Hi Hugh:
>>>>
>>>> Well, this time I want to configure a users blacklist, and what I
>>>> want to do is simple:
>>>> 1) Every time I have a request, this list (BLACKLIST) will be
>>>> checked. If the user is found, the request is rejected.
>>>> NO further queries should be performed after the user is rejected.
>>>> 2) If the user isn't found, then the authentication should be done
>>>> against the LDAP uid and userPassword attributes.
>>>>
>>>> I have searched the mailing lists and have found something very
>>>> similar that was done against "calling station ids". For some reason,
>>>> although the user is being found on the BLACKLIST, Radiator continues
>>>> the search and auth process over LDAP. What could I have been doing
>>>> wrong?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Here is the output of Check-Users file
>>>> ---------------------------------------------
>>>> # Default entry to check the BLACKLIST table
>>>>
>>>> DEFAULT Auth-Type = VE_blacklist
>>>>
>>>>
>>>>
>>>> Here is a snippet of my radius.cfg
>>>>
>>>> ----------------------
>>>>
>>>> <AuthBy SQL>
>>>> Identifier VE_blacklist
>>>> DBSource ......
>>>> DBUsername ......
>>>> DBAuth ......
>>>> AuthSelect select "REJECT" from BLACKLIST \
>>>> where USERNAME='%n'
>>>> AccountingTable
>>>> </AuthBy>
>>>>
>>>> <AuthBy FILE>
>>>> Identifier CheckUSERS
>>>> Filename %D/Check-Users
>>>> # NoDefaultIfFound
>>>> AcceptIfMissing
>>>> </AuthBy>
>>>>
>>>> <AuthBy LDAP2>
>>>> Identifier CheckLDAP
>>>> Host ......
>>>> AuthDN ......
>>>> AuthPassword ......
>>>> BaseDN ......
>>>> UsernameAttr uid
>>>> PasswordAttr userPassword
>>>> </AuthBy>
>>>>
>>>>
>>>> <Realm>
>>>> UsernameCharset a-zA-Z0-9\._@-
>>>> MaxSessions 1
>>>> RewriteUsername tr/A-Z/a-z/
>>>> AuthByPolicy ContinueWhileAccept
>>>> AuthBy CheckUSERS
>>>> AuthBy CheckLDAP
>>>> AcctLogFileName %L/detailu
>>>> </Realm>
>>>>
>>>> ------------------------------
>>>>
>>>>
>>>> Here is a trace debug 4 of a test:
>>>>
>>>>
>>>> ---------------------
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL: VE_blacklist
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='rriley'
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with rriley
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='DEFAULT'
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
>>>> Wed Jun 12 04:57:24 2002: INFO: Connecting to XX.XX.XX.XX, port 389
>>>> Wed Jun 12 04:57:24 2002: INFO: Attempting to bind with (admin dn)
>>>> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got result for (my dn)
>>>> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got userPassword: xxxxxxxxxxx
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 looks for match with rriley
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Access accepted for rriley
>>>> Wed Jun 12 04:57:24 2002: DEBUG: Packet dump:
>>>> *** Sending to 127.0.0.1 port 32768 ....
>>>> Code: Access-Accept
>>>> Identifier: 99
>>>> Authentic: 1234567890123456
>>>> Attributes:
>>>> -----------------
>>>>
>>>>
>>>> cheers,
>>>>
>>>> -----------------------------------
>>>> Ing. Rolando Riley
>>>> Systems Manager
>>>> AYAYAI.COM S.A.
>>>> Tel: (507) 265-2424 ext. 408
>>>> -----------------------------------
>>>>
>>>>
>>>> ______________________________________________
>>>> Ayayai.com Ultra, your prepaid Internet FREE OF ADVERTISING
>>>> http://www.ayayai.com/ultra
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> <radius.txt><log.txt>
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.
>
>
>
>
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
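As an added illustration (not code from this thread or from Radiator itself), the following Python model walks an Access-Request through the final configuration Hugh describes: the Realm's UsernameCharset and RewriteUsername, the ContinueAlways chain of DoSQLAccounting and DoAuthentication, the DoAuthentication group's ContinueWhileAccept chain of Check-Users (two DEFAULT entries) and LDAP, and the Session-Timeout/Idle-Timeout reply. It assumes dicts in place of the BLACKLIST table and LDAP directory, and a simplified reading of Radiator's result handling in which an Auth-Type = Reject check item ends the request outright so no later AuthBy is consulted.

```python
import re
# Constructed stand-ins for the BLACKLIST SQL table and the LDAP directory.
BLACKLIST = {"someuser": 'Auth-Type = "Reject: This user is on the BLACKLIST"'}
LDAP_USERS = {"rriley": "s3cret", "someuser": "s3cret"}
USERNAME_CHARSET = re.compile(r"^[a-zA-Z0-9._@-]+$")  # UsernameCharset a-zA-Z0-9\._@-
TRACE = []  # AuthBys consulted for the last request, in order

def ve_blacklist(user, password):
    # AuthBy SQL VE_blacklist: the REJECT column selected by USERNAME='%n' is a check item.
    TRACE.append("VE_blacklist")
    row = BLACKLIST.get(user)
    if row is None:
        return "REJECT"  # no row: this DEFAULT fails and Check-Users tries the next one
    # Assumed: an explicit Auth-Type = Reject check item ends the request outright.
    return "REJECT_IMMEDIATE" if row.startswith('Auth-Type = "Reject') else "ACCEPT"

def check_users(user, password):
    # Check-Users file: DEFAULT Auth-Type = VE_blacklist, then DEFAULT Auth-Type = Accept.
    result = ve_blacklist(user, password)
    return "ACCEPT" if result == "REJECT" else result  # plain REJECT falls to 2nd DEFAULT

def check_ldap(user, password):
    TRACE.append("CheckLDAP")
    return "ACCEPT" if LDAP_USERS.get(user) == password else "REJECT"

def do_sql_accounting(user, password):
    TRACE.append("DoSQLAccounting")
    return "ACCEPT"  # accounting-only clause; it never rejects an Access-Request here

def auth_group(user, password, authbys, policy):
    # ContinueWhileAccept stops at the first non-ACCEPT result; ContinueAlways runs every AuthBy.
    result = "REJECT"
    for authby in authbys:
        result = authby(user, password)
        if result == "REJECT_IMMEDIATE":
            return "REJECT"
        if policy == "ContinueWhileAccept" and result != "ACCEPT":
            return result
    return result

def realm(user, password):
    # The <Realm>: charset check, lowercase rewrite, accounting, then DoAuthentication.
    TRACE.clear()
    if not USERNAME_CHARSET.match(user):
        return "REJECT", {}  # characters outside UsernameCharset never reach AuthSelect
    user = user.lower()  # RewriteUsername tr/A-Z/a-z/
    do_auth = lambda u, p: auth_group(u, p, [check_users, check_ldap], "ContinueWhileAccept")
    result = auth_group(user, password, [do_sql_accounting, do_auth], "ContinueAlways")
    reply = {"Session-Timeout": 10800, "Idle-Timeout": 3600} if result == "ACCEPT" else {}
    return result, reply
```

Inspect TRACE after each call to see which clauses were consulted; a blacklisted user is rejected before CheckLDAP ever runs.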