(RADIATOR) Users Blacklists
Hugh Irvine
hugh at open.com.au
Sat Sep 28 19:54:43 CDT 2002
Hello Rolando -
You should do something like this:
# define AuthBy clauses

<AuthBy SQL>
	Identifier DoSQLAccounting
	DBSource ......
	DBUsername ......
	DBAuth ......
	AuthSelect
	AccountingTable ACCOUNTING
	AcctColumnDef .....
	......
</AuthBy>

<AuthBy SQL>
	Identifier VE_blacklist
	DBSource ......
	DBUsername ......
	DBAuth ......
	AuthSelect select "REJECT" from BLACKLIST \
		where USERNAME='%n'
	AuthColumnDef 0, GENERIC, check
	AccountingTable
</AuthBy>

<AuthBy FILE>
	Identifier CheckUSERS
	Filename %D/Check-Users
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	Host ......
	AuthDN ......
	AuthPassword ......
	BaseDN ......
	UsernameAttr uid
	PasswordAttr userPassword
</AuthBy>

<AuthBy GROUP>
	Identifier DoAuthentication
	AuthByPolicy ContinueWhileAccept
	AuthBy CheckUSERS
	AuthBy CheckLDAP
</AuthBy>

# define Realms

<Realm>
	UsernameCharset a-zA-Z0-9\._@-
	MaxSessions 1
	RewriteUsername tr/A-Z/a-z/
	AuthByPolicy ContinueAlways
	AuthBy DoSQLAccounting
	AuthBy DoAuthentication
	AcctLogFileName %L/detailu
</Realm>
regards
Hugh
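The chain in this reply, together with the two DEFAULT entries in Check-Users and the BLACKLIST rows quoted further down, can be modelled in a few lines to see why a blacklisted user never reaches LDAP and why "AuthColumnDef 0, GENERIC, check" matters (without it the REJECT column was being treated as a password, which is the "REJECT: Bad Password" in the trace). The Python below is an added example, not Radiator code and not anything posted in this thread: AuthByPolicy is approximated as "the result of the last AuthBy consulted, with ContinueWhileAccept stopping at the first non-accept", DoSQLAccounting is assumed to return IGNORE for Access-Requests, the BLACKLIST table is an in-memory SQLite copy of the two rows Hugh describes, the LDAP directory is a constructed dictionary, and every function name is mine. It also shows the defensive role of the Realm's UsernameCharset: since %n is interpolated into the AuthSelect text, limiting the username to a-zA-Z0-9\._@- before any AuthBy runs is what keeps stray quote characters out of that query (the model additionally binds the username as a parameter).

```python
"""Model of the blacklist-then-LDAP AuthBy chain discussed in this thread.
Added example; the policy semantics and the IGNORE from the accounting AuthBy
are modelling assumptions, and the BLACKLIST rows and LDAP users are constructed."""
import re
import sqlite3

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed BLACKLIST rows in the (USERNAME, REJECT) shape the thread describes.
BLACKLIST_ROWS = [
    ("someuser", 'Auth-Type = "Reject: This user is on the BLACKLIST"'),
    ("anotheruser", 'Auth-Type = "Reject: This user is on the BLACKLIST"'),
]
# Constructed stand-in for the LDAP2 directory: uid -> userPassword.
LDAP_USERS = {"rriley": "s3cret", "someuser": "alsovalid"}

# Realm settings from the thread, re-implemented: RewriteUsername tr/A-Z/a-z/
# and UsernameCharset a-zA-Z0-9\._@- (any other character drops the request).
USERNAME_CHARSET = re.compile(r"^[a-zA-Z0-9._@-]+$")
# Parser for one GENERIC check item such as  Auth-Type = "Reject: reason".
CHECK_ITEM = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')


def open_blacklist_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BLACKLIST (USERNAME TEXT PRIMARY KEY, REJECT TEXT)")
    conn.executemany("INSERT INTO BLACKLIST VALUES (?, ?)", BLACKLIST_ROWS)
    return conn


def rewrite_username(raw):
    """Lower-case, then enforce UsernameCharset. None means the request is
    refused before any AuthBy (and before any SQL built from %n) sees it."""
    name = raw.lower()
    return name if USERNAME_CHARSET.match(name) else None


def ve_blacklist(conn, username):
    """AuthBy SQL VE_blacklist with AuthColumnDef 0, GENERIC, check: the REJECT
    column is parsed as check items instead of being compared as a password.
    No row means 'no such user', which AuthBy FILE treats as a failed check."""
    row = conn.execute("SELECT REJECT FROM BLACKLIST WHERE USERNAME = ?",
                       (username,)).fetchone()
    if row is None:
        return REJECT, "no such user"
    m = CHECK_ITEM.match(row[0])
    if m and m.group(1) == "Auth-Type" and m.group(2).startswith("Reject"):
        return REJECT, m.group(2)
    return ACCEPT, "check items passed"


def check_users(conn, username, password):
    """AuthBy FILE CheckUSERS with the two entries from Check-Users:
    DEFAULT Auth-Type = VE_blacklist, then DEFAULT Auth-Type = Accept."""
    result, reason = ve_blacklist(conn, username)
    if result == REJECT and reason.startswith("Reject"):
        return REJECT, reason          # explicit Reject: no fall-through
    return ACCEPT, "not on BLACKLIST"  # no row: fall through to DEFAULT Accept


def check_ldap(conn, username, password):
    """AuthBy LDAP2 CheckLDAP against the constructed directory."""
    stored = LDAP_USERS.get(username)
    if stored is None:
        return REJECT, "no such user"
    return (ACCEPT, "ldap ok") if stored == password else (REJECT, "Bad Password")


def do_sql_accounting(conn, username, password):
    """DoSQLAccounting has an empty AuthSelect; modelled as IGNORE for
    Access-Requests (assumption). Under ContinueAlways its result is irrelevant."""
    return IGNORE, "accounting only"


def run_chain(policy, authbys, conn, username, password, consulted):
    """AuthByPolicy approximation: ContinueAlways consults every AuthBy,
    ContinueWhileAccept stops at the first non-ACCEPT; the reply is the
    result of the last AuthBy consulted (modelling assumption)."""
    result, reason = IGNORE, "empty chain"
    for name, fn in authbys:
        consulted.append(name)
        result, reason = fn(conn, username, password)
        if policy == "ContinueWhileAccept" and result != ACCEPT:
            break
    return result, reason


def authenticate(conn, raw_username, password):
    """The Realm from this reply: ContinueAlways over DoSQLAccounting and the
    DoAuthentication group (ContinueWhileAccept over CheckUSERS, CheckLDAP).
    Returns (result, reason, names of the AuthBys consulted, in order)."""
    consulted = []
    username = rewrite_username(raw_username)
    if username is None:
        return REJECT, "username fails UsernameCharset", consulted

    def do_authentication(c, u, p):
        return run_chain("ContinueWhileAccept",
                         [("CheckUSERS", check_users), ("CheckLDAP", check_ldap)],
                         c, u, p, consulted)

    result, reason = run_chain(
        "ContinueAlways",
        [("DoSQLAccounting", do_sql_accounting), ("DoAuthentication", do_authentication)],
        conn, username, password, consulted)
    return result, reason, consulted


if __name__ == "__main__":
    db = open_blacklist_db()
    for user, pw in (("SomeUser", "alsovalid"), ("RRiley", "s3cret"), ("bob' OR '1'='1", "x")):
        print(user, "->", authenticate(db, user, pw))
```

Running it shows the three cases side by side: SomeUser is rejected by CheckUSERS and CheckLDAP is never consulted (the "no further queries" behaviour Rolando asked for), RRiley passes the blacklist check and is accepted by CheckLDAP, and a username containing a quote is refused by UsernameCharset before a single AuthBy runs.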
On Saturday, September 28, 2002, at 07:45 AM, Rolando Riley wrote:
> Hi Hugh:
>
> Some time ago I posted this email but I am getting tired of processing
> big flat logs for reports. What should I have to add to my cfg to have the
> ACCOUNTING going to the ACCOUNTING table and hence use radcgi and radwho for
> reports?
>
> regards,
>
> Rolando
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> behalf of Hugh Irvine
> Sent: Wednesday, June 12, 2002 6:14 PM
> To: Rolando Riley; radiator at open.com.au
> Subject: Re: (RADIATOR) Users Blacklists
>
>
>
> Hello Rolando -
>
> You are close, but not quite there.
>
> Here is what to do:
>
> # Check-Users file
> # default ENTRY to check the BLACKLIST table
>
> DEFAULT Auth-Type = VE_blacklist
>
> DEFAULT Auth-Type = Accept
>
>
> Your BLACKLIST SQL table should contain this:
>
> USERNAME      REJECT
>
> someuser      Auth-Type = "Reject: This user is on the BLACKLIST"
>
> anotheruser   Auth-Type = "Reject: This user is on the BLACKLIST"
>
>
> Here is a snippet of my radius.cfg
>
> ----------------------
>
> <AuthBy SQL>
> 	Identifier VE_blacklist
> 	DBSource ......
> 	DBUsername ......
> 	DBAuth ......
> 	AuthSelect select "REJECT" from BLACKLIST \
> 		where USERNAME='%n'
> 	AuthColumnDef 0, GENERIC, check
> 	AccountingTable
> </AuthBy>
>
> <AuthBy FILE>
> 	Identifier CheckUSERS
> 	Filename %D/Check-Users
> </AuthBy>
>
> <AuthBy LDAP2>
> 	Identifier CheckLDAP
> 	Host ......
> 	AuthDN ......
> 	AuthPassword ......
> 	BaseDN ......
> 	UsernameAttr uid
> 	PasswordAttr userPassword
> </AuthBy>
>
>
> <Realm>
> 	UsernameCharset a-zA-Z0-9\._@-
> 	MaxSessions 1
> 	RewriteUsername tr/A-Z/a-z/
> 	AuthByPolicy ContinueWhileAccept
> 	AuthBy CheckUSERS
> 	AuthBy CheckLDAP
> 	AcctLogFileName %L/detailu
> </Realm>
>
>
> Please let me know how you get on.
>
> regards
>
> Hugh
>
>
> On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
>> Hi Hugh:
>>
>> Well this time I want to configure a users blacklist and what I want
>> to do is simple:
>> 1) Every time I have a request this list (BLACKLIST) will be checked.
>> If the user is found the request is Rejected.
>> NO further queries should be performed after the user is rejected.
>> 2) If the user isn't found then the authentication should be done
>> against LDAP uid and userPassword attributes.
>>
>> I have searched the mailing lists and have found something very
>> similar that was done against "calling stations id". For some reason
>> the user, although it is being found on the BLACKLIST, Radiator
>> continues the searching and auth process over LDAP. What could I have
>> been doing wrong?
>>
>> Here is the output of Check-Users file
>> ---------------------------------------------
>> # default ENTRY to check the BLACKLIST table
>>
>> DEFAULT Auth-Type = VE_blacklist
>>
>>
>>
>> Here is a snippet of my radius.cfg
>>
>> ----------------------
>>
>> <AuthBy SQL>
>> 	Identifier VE_blacklist
>> 	DBSource ......
>> 	DBUsername ......
>> 	DBAuth ......
>> 	AuthSelect select "REJECT" from BLACKLIST \
>> 		where USERNAME='%n'
>> 	AccountingTable
>> </AuthBy>
>>
>> <AuthBy FILE>
>> 	Identifier CheckUSERS
>> 	Filename %D/Check-Users
>> 	# NoDefaultIfFound
>> 	AcceptIfMissing
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>> 	Identifier CheckLDAP
>> 	Host ......
>> 	AuthDN ......
>> 	AuthPassword ......
>> 	BaseDN ......
>> 	UsernameAttr uid
>> 	PasswordAttr userPassword
>> </AuthBy>
>>
>>
>> <Realm>
>> 	UsernameCharset a-zA-Z0-9\._@-
>> 	MaxSessions 1
>> 	RewriteUsername tr/A-Z/a-z/
>> 	AuthByPolicy ContinueWhileAccept
>> 	AuthBy CheckUSERS
>> 	AuthBy CheckLDAP
>> 	AcctLogFileName %L/detailu
>> </Realm>
>>
>> ------------------------------
>>
>>
>> Here is a trace debug 4 of a test:
>>
>>
>> ---------------------
>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL: VE_blacklist
>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='rriley'
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with rriley
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
>> Wed Jun 12 04:57:24 2002: DEBUG: Query is: select "REJECT" from BLACKLIST where USERNAME='DEFAULT'
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
>> Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
>> Wed Jun 12 04:57:24 2002: INFO: Connecting to XX.XX.XX.XX, port 389
>> Wed Jun 12 04:57:24 2002: INFO: Attempting to bind with (admin dn)
>> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got result for (my dn)
>> Wed Jun 12 04:57:24 2002: DEBUG: LDAP got userPassword: xxxxxxxxxxx
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 looks for match with rriley
>> Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
>> Wed Jun 12 04:57:24 2002: DEBUG: Access accepted for rriley
>> Wed Jun 12 04:57:24 2002: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 32768 ....
>> Code: Access-Accept
>> Identifier: 99
>> Authentic: 1234567890123456
>> Attributes:
>> -----------------
>>
>>
>> cheers,
>>
>> -----------------------------------
>> Ing. Rolando Riley
>> Systems Manager
>> AYAYAI.COM S.A.
>> Tel: (507) 265-2424 ext. 408
>> -----------------------------------
>>
>>
>> ______________________________________________
>> Ayayai.com Ultra, your AD-FREE prepaid Internet
>> http://www.ayayai.com/ultra
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.