(RADIATOR) Users Blacklists

Rolando Riley rriley at ayayai.com
Fri Sep 27 16:45:55 CDT 2002


Hi Hugh:

     Some time ago I posted this email, but I am getting tired of processing
big flat logs for reports.  What do I have to add to my cfg to have the
ACCOUNTING going to the ACCOUNTING table and hence use radcgi and radwho for
reports?

regards,

Rolando


-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Wednesday, June 12, 2002 6:14 PM
To: Rolando Riley; radiator at open.com.au
Subject: Re: (RADIATOR) Users Blacklists



Hello Rolando -

You are close, but not quite there.

Here is what to do:

# Check-Users file
# default ENTRY to check the BLACKLIST table

DEFAULT		Auth-Type = VE_blacklist

DEFAULT		Auth-Type = Accept


Your BLACKLIST SQL table should contain this:

USERNAME	REJECT

someuser	Auth-Type = "Reject: This user is on the BLACKLIST"

anotheruser	Auth-Type = "Reject: This user is on the BLACKLIST"


Here is a snippet of my radius.cfg

----------------------

<AuthBy SQL>
        Identifier VE_blacklist
        DBSource        ......
        DBUsername    ......
        DBAuth          ......
        AuthSelect select "REJECT" from BLACKLIST \
                   where USERNAME='%n'
        AuthColumnDef 0, GENERIC, check
        AccountingTable
</AuthBy>

<AuthBy FILE>
   Identifier CheckUSERS
   Filename     %D/Check-Users
</AuthBy>

<AuthBy LDAP2>
                Identifier      CheckLDAP
                Host            ......
                AuthDN          ......
                AuthPassword   ......
                BaseDN          ......
                UsernameAttr    uid
                PasswordAttr    userPassword
</AuthBy>


<Realm>
        UsernameCharset a-zA-Z0-9\._@-
        MaxSessions 1
        RewriteUsername tr/A-Z/a-z/
        AuthByPolicy    ContinueWhileAccept
        AuthBy CheckUSERS
        AuthBy CheckLDAP
        AcctLogFileName %L/detailu
</Realm>


Please let me know how you get on.

regards

Hugh


On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
> Hi Hugh:
>
> 	Well this time I want to configure a users blacklist and what I want to do
> is simple:
> 	1) Every time I have a request this list (BLACKLIST) will be checked. If
> the user is found the request is Rejected. NO further queries should be
> performed after the user is rejected.
> 	2) If the user isn't found then the authentication should be done against
> LDAP uid and userPassword attributes.
>
> 	I have searched the mailing lists and have found something very similar
> that was done against "calling stations id".  For some reason the user,
> although it is being found on the BLACKLIST, Radiator continues the
> searching and auth process over LDAP.  What could I have been doing wrong?
>
>
>
>
>
> Here is the output of Check-Users file
> ---------------------------------------------
> # default ENTRY to check the BLACKLIST table
>
> DEFAULT		Auth-Type = VE_blacklist
>
>
>
> Here is a snippet of my radius.cfg
>
> ----------------------
>
> <AuthBy SQL>
> 	Identifier VE_blacklist
>         DBSource        ......
>         DBUsername    ......
>         DBAuth          ......
> 	AuthSelect select "REJECT" from BLACKLIST \
> 		   where USERNAME='%n'
> 	AccountingTable
> </AuthBy>
>
> <AuthBy FILE>
>    Identifier CheckUSERS
>    Filename 	%D/Check-Users
> #   NoDefaultIfFound
>    AcceptIfMissing
> </AuthBy>
>
> <AuthBy LDAP2>
> 		Identifier	CheckLDAP
>                 Host            ......
>                 AuthDN          ......
>                 AuthPassword   ......
>                 BaseDN          ......
>                 UsernameAttr    uid
>                 PasswordAttr    userPassword
> </AuthBy>
>
>
> <Realm>
> 	UsernameCharset a-zA-Z0-9\._@-
> 	MaxSessions 1
> 	RewriteUsername tr/A-Z/a-z/
> 	AuthByPolicy	ContinueWhileAccept
> 	AuthBy CheckUSERS
> 	AuthBy CheckLDAP
> 	AcctLogFileName %L/detailu
> </Realm>
>
> ------------------------------
>
>
> Here is a trace debug 4 of a test:
>
>
> ---------------------
> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL: VE_blacklist
> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='rriley'
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with rriley
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='DEFAULT'
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
> Wed Jun 12 04:57:24 2002: INFO: Connecting to XX.XX.XX.XX, port 389
> Wed Jun 12 04:57:24 2002: INFO: Attempting to bind with (admin dn)
> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got result for (my dn)
> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got userPassword: xxxxxxxxxxx
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 looks for match with
> rriley
> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed Jun 12 04:57:24 2002: DEBUG: Access accepted for rriley
> Wed Jun 12 04:57:24 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32768 ....
> Code:       Access-Accept
> Identifier: 99
> Authentic:  1234567890123456
> Attributes:
> -----------------
>
>
> cheers,
>
> -----------------------------------
> Ing. Rolando Riley
> Gerente de Sistemas
> AYAYAI.COM S.A.
> Tel: (507) 265-2424 ext. 408
> -----------------------------------
>
>
> ______________________________________________
> Ayayai.com Ultra, tu Internet prepago LIBRE DE PUBLICIDAD
> http://www.ayayai.com/ultra
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
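As an added example (not code from this thread or from Radiator itself), a small Python model of the AuthBy evaluation that Hugh's Realm relies on: CheckUSERS delegates its first DEFAULT entry to VE_blacklist, a Reject: there ends the request, a missing BLACKLIST row falls through to the second DEFAULT (Accept), and only then does ContinueWhileAccept let CheckLDAP run. The semantics are assumed simplifications (the first non-Accept result stops the chain, a Reject: is final, a failed DEFAULT check hands over to the next DEFAULT), and the BLACKLIST rows and LDAP entries are constructed.

```python
# Added example, not from the thread or from Radiator itself: a simplified
# model of how Hugh's Realm is meant to evaluate its AuthBy chain.
BLACKLIST = {  # constructed BLACKLIST rows: USERNAME -> REJECT column
    "someuser": 'Auth-Type = "Reject: This user is on the BLACKLIST"',
}
LDAP_USERS = {"rriley": "secret", "someuser": "secret"}  # constructed
CHECK_USERS = [  # the two DEFAULT entries of Hugh's Check-Users file
    "DEFAULT Auth-Type = VE_blacklist",
    "DEFAULT Auth-Type = Accept",
]

def value_of(check_item):  # right-hand side of 'Attr = value', unquoted
    return check_item.split("=", 1)[1].strip().strip('"')

def ve_blacklist(user, password):
    """AuthBy SQL VE_blacklist: the REJECT column is used as a check item."""
    row = BLACKLIST.get(user)
    if row is None:
        return "FAIL"  # no row, so this check item is not satisfied
    return "REJECT" if value_of(row).startswith("Reject:") else "ACCEPT"

def check_users(user, password):
    """AuthBy FILE CheckUSERS: DEFAULT entries are tried in order."""
    for check_item in CHECK_USERS:
        auth_type = value_of(check_item)
        if auth_type == "Accept":
            return "ACCEPT"
        result = AUTHBY[auth_type](user, password)  # delegate to that AuthBy
        if result != "FAIL":
            return result  # an explicit ACCEPT or Reject: is final (assumed)
    return "REJECT"  # no DEFAULT entry matched

def check_ldap(user, password):
    """AuthBy LDAP2 CheckLDAP: compare against uid / userPassword."""
    return "ACCEPT" if LDAP_USERS.get(user) == password else "REJECT"

AUTHBY = {"VE_blacklist": ve_blacklist, "CheckUSERS": check_users, "CheckLDAP": check_ldap}
REALM_CHAIN = ["CheckUSERS", "CheckLDAP"]  # AuthBy order in the Realm

def realm_auth(user, password):
    """Realm with AuthByPolicy ContinueWhileAccept: the first non-Accept
    result ends the chain. Returns (result, AuthBys consulted)."""
    user = user.lower()  # RewriteUsername tr/A-Z/a-z/
    consulted = []
    for ident in REALM_CHAIN:
        consulted.append(ident)
        result = AUTHBY[ident](user, password)
        if result != "ACCEPT":
            return result, consulted
    return "ACCEPT", consulted
```

realm_auth("someuser", "secret") returns ("REJECT", ["CheckUSERS"]), which shows that LDAP is never consulted for a blacklisted user, while a user absent from BLACKLIST reaches CheckLDAP.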
