(RADIATOR) Denying Auth based on Part of a Called-Station-ID
Mike Walker
noc at usexpress.net
Mon Apr 14 02:08:03 CDT 2003
Hugh,
I am finally able to get this knocked out, but I am a bit confused about the
<AuthBy FILE> usage. I get the cascading part, but how do I do this for
multiple Called-Station-Id's? My dilemma is this: We are wholesale dial
providers reselling 9 networks, including one of our own. Here in
Knoxville, there are nine phone numbers belonging to other dial providers in
the Knoxville area, but we pay per user per month for them. We just
completed installing our own equipment here, and do not want anyone dialing
any other 865 number EXCEPT for our new one.
So, I need to deny access from any realm to any of those 9 numbers. I
thought about just using a Handler above the Realms like this:
<Handler Called-Station-Id=8652462222>
<AuthBy FILE>
Filename /etc/deny.file
</AuthBy>
</Handler>
<Realm ...>
...
</Realm>
<Realm ...>
...
</Realm>
But it doesn't work, even for that one number. However, my deny.file just
denies anything, but even when I dial that number, it's still auths. The
configuration I have includes both proxy and standard Radius methods, and I
have included the gist of it below. My question is, if I use your method,
how can I include all nine numbers in deny.file, or is there another way I
can pull this off with Handlers? I do recall that mixing Handlers and
Realms together caused some strange behavior. BTW, any of the realms should
be able to only dial our new local number when calling to the 865 area code.
We want to kill all nine other 865 numbers so the users are forced to dial
the new one. Any input would be GREATLY appreciated!
My Config could use a little pruning and "consolidation", as you can see I
am not taking advantage of the newer features in 3.X yet...
Current Config (greatly truncated):
### Radiator Configuration
### Global Parameters
Trace 4
BindAddress 000.000.000.000
LogFile /var/log/radius/%Y%m%d
PidFile /tmp/radiusd.pid
UsernameCharset a-zA-Z0-9\._@-
AuthPort 1812
AcctPort 1813
<AuthLog SQL>
Identifier Logs
DBSource dbi:Sybase:server=Emerald
DBUsername XXX
DBAuth XXX
LogFailure 1
FailureQuery insert into RadLogs (Username, Password, CallerID, Severity, \
Data, Network, NasPortDNIS) values ('%n', '%P', '%{Calling-Station-Id}', \
%0, %1, '%{Network}', '%{Called-Station-Id}')
</AuthLog>
### Client Parameters
<Client 216.126.204.4>
Secret XXX
RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
IgnoreAcctSignature
IdenticalClients 209.209.44.17 66.81.15.139
PreHandlerHook sub { ${$_[0]}->add_attr('Network', '1'); }
</Client>
<Client 216.143.197.2>
Secret XXX
RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
IgnoreAcctSignature
IdenticalClients 216.143.197.130 216.143.198.2 216.142.193.146
IdenticalClients 216.140.242.162
PreHandlerHook sub { ${$_[0]}->add_attr('Network', '2'); }
</Client>
<Client 216.166.11.11>
Secret XXX
IgnoreAcctSignature
IdenticalClients 216.166.61.12 216.166.61.13 216.166.61.14
IdenticalClients 216.166.61.15 216.166.61.16 216.166.61.17
IdenticalClients 206.127.30.138 206.127.30.139
PreHandlerHook sub { ${$_[0]}->add_attr('Network', '0'); }
</Client>
<Client 208.25.44.225>
Secret XXX
RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
IgnoreAcctSignature
IdenticalClients 65.120.168.251
PreHandlerHook sub { ${$_[0]}->add_attr('Network', '11'); }
</Client>
### Accounting Parameters
<AuthBy SQL>
Identifier Accounting
DBSource dbi:Sybase:server=Emerald
DBUsername XXXX
DBAuth XXXX
AccountingTable Calls
AuthSelect
AcctColumnDef UserName,User-Name
AcctColumnDef CallDate,Timestamp,integer-date
AcctColumnDef AcctStatusType,Acct-Status-Type,integer
AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
AcctColumnDef AcctSessionId,Acct-Session-Id
AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
AcctColumnDef NASPortType,NAS-Port-Type
AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
AcctColumnDef NASIdentifier,NAS-IP-Address
AcctColumnDef NASIdentifier,NAS-Identifier
AcctColumnDef NASPort,NAS-Port,integer
AcctColumnDef CallerID,Calling-Station-Id,integer
AcctColumnDef FramedAddress,Framed-IP-Address
AcctColumnDef NASPortDNIS,Called-Station-Id,integer
AcctColumnDef ServerID,'%{Client:Name}',literal
AcctColumnDef Network,Network,integer
AuthSQLStatement delete from RADONLINE \
where CALLERID='%{Calling-Station-Id}' \
and CALLERID IS NOT NULL \
and CALLERID <> ''
</AuthBy>
### REALMS
<Realm DEFAULT>
AuthByPolicy ContinueAlways
AuthBy Accounting
<AuthBy RADIUS>
Host 65.120.168.22
Host 65.120.168.23
AuthPort 1812
AcctPort 1813
Secret XXX
StripFromRequest Proxy-State
AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
Ascend-Data-Filter="ip in drop tcp dstport = 25",\
Ascend-Data-Filter="ip in forward"
</AuthBy>
</Realm>
<Realm a.net>
AuthByPolicy ContinueAlways
AuthBy Accounting
<AuthBy RADIUS>
Host 65.120.168.22
Host 65.120.168.23
AuthPort 1812
AcctPort 1813
Secret XXX
StripFromRequest Proxy-State
AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
Ascend-Data-Filter="ip in drop tcp dstport = 25",\
Ascend-Data-Filter="ip in forward"
</AuthBy>
</Realm>
<Realm 1.com>
AuthByPolicy ContinueAlways
AuthBy Accounting
<AuthBy RADIUS>
Host 216.235.147.88
Host 216.187.216.52
Host 63.160.140.23
AuthPort 1812
AcctPort 1813
Secret XXX
StripFromRequest Proxy-State
AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
Ascend-Data-Filter="ip in forward dstip 216.235.147.85/24",\
Ascend-Data-Filter="ip in drop tcp dstport = 25",\
Ascend-Data-Filter="ip in forward"
</AuthBy>
</Realm>
<Realm 2.net>
AuthByPolicy ContinueAlways
AuthBy Accounting
<AuthBy RADIUS>
Host 63.110.254.101
AuthPort 1812
AcctPort 1813
Secret XXX
StripFromRequest Proxy-State
AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
Ascend-Data-Filter="ip in forward dstip 63.110.254.101/32",\
Ascend-Data-Filter="ip in drop tcp dstport = 25",\
Ascend-Data-Filter="ip in forward"
</AuthBy>
</Realm>
<Realm 1.us>
AuthByPolicy Continue
AuthBy Accounting
<AuthBy EMERALD>
DBSource dbi:Sybase:server=Emerald
DBUsername proxy
DBAuth XXX
AuthSelect ,sa.LoginLimit
AuthColumnDef 0,Simultaneous-Use,check
AddATDefaults
AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
Ascend-Data-Filter="ip in drop tcp dstport = 25",\
Ascend-Data-Filter="ip in forward"
</AuthBy>
AuthLog Logs
</Realm>
<Realm 3.net>
AuthByPolicy Continue
AuthBy Accounting
<AuthBy EMERALD>
DBSource dbi:Sybase:server=Emerald
DBUsername proxy
DBAuth XXX
AuthSelect ,sa.LoginLimit
AuthColumnDef 0,Simultaneous-Use,check
AddATDefaults
AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
Ascend-Data-Filter="ip in drop tcp dstport = 25",\
Ascend-Data-Filter="ip in forward"
</AuthBy>
AuthLog Logs
</Realm>
<SessionDatabase SQL>
Identifier sessions
DBSource dbi:Sybase:server=Emerald
DBUsername XXX
DBAuth XXX
AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
SERVICETYPE, CALLERID) values ('%u', '%N', 0%{NAS-Port}, \
'%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', \
'%{NAS-Port-Type}', '%{Service-Type}', '%{Calling-Station-Id}')
</SessionDatabase>
:END
I tried a bunch of other "ideas" that didn't work too well. Here is a
sample debug from an auth that looks "normal"...
Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Received from 63.110.140.7 port 3166 ....
Code: Access-Request
Identifier: 80
Authentic: e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
Attributes:
Framed-Protocol = PPP
User-Name = "radius at usexpress.net"
User-Password =
"<193><152><169><169>|<234><224>Y<241><149><234><10>v<219>?<164>"
NAS-Port = 99
Called-Station-Id = "8652512008"
Calling-Station-Id = "8655841684"
NAS-Port-Type = Async
Service-Type = Framed-User
NAS-IP-Address = 66.19.138.227
Proxy-State = 197
Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
'Realm=usexpress.net'
Mon Apr 14 02:13:13 2003: DEBUG: sessions Deleting session for
radius at usexpress.net, 66.19.138.227, 99
Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='66.19.138.227' and NASPORT=099
Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
CALLERID='8655841684' and CALLERID IS NOT NULL and CALLERID <> ''
Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD:
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select DateAdd(Day,
ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subaccounts sa
where (sa.login = 'radius at usexpress.net' or sa.shell =
'radius at usexpress.net')
and ma.customerid = sa.customerid
and sa.active <> 0
Mon Apr 14 02:13:13 2003: DEBUG: Select results: , Dec 31 2020 12:00AM,
6654, PL PPP Dialup, XXX, radius at usexpress.net, , , 1
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
ra.RadVendorID,
ra.RadVendorType,
Data, Value, Type, RadCheck
from RadConfigs rc, RadAttributes ra
where ra.RadAttributeID = rc.RadAttributeID
and ra.RadVendorID = rc.RadVendorID
and ra.RadVendorType = rc.RadVendorType
and rc.AccountID=6654
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
ra.RadVendorID,
ra.RadVendorType,
Data, Value, Type, RadCheck
from RadATConfigs rc, RadAttributes ra
where ra.RadAttributeID = rc.RadAttributeID
and ra.RadVendorID = rc.RadVendorID
and ra.RadVendorType = rc.RadVendorType
and rc.AccountType='PL PPP Dialup'
Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD looks for match with
radius at usexpress.net
Mon Apr 14 02:13:13 2003: DEBUG: Expiration date converted to: 1609390800
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
USERNAME='radius at usexpress.net'
Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD ACCEPT:
Mon Apr 14 02:13:13 2003: DEBUG: Access accepted for radius at usexpress.net
Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Sending to 63.110.140.7 port 3166 ....
Code: Access-Accept
Identifier: 80
Authentic: e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
Attributes:
Proxy-State = 197
Service-Type = 2
Framed-Protocol = 1
Framed-MTU = 1500
Session-Timeout = 21600
Ascend-Data-Filter = ip in forward tcp est
Ascend-Data-Filter = ip in forward dstip 63.168.186.0/24
Ascend-Data-Filter = ip in forward dstip 65.120.168.0/24
Ascend-Data-Filter = ip in drop tcp dstport = 25
Ascend-Data-Filter = ip in forward
Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Received from 63.110.140.7 port 3172 ....
Code: Accounting-Request
Identifier: 84
Authentic: <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
Attributes:
Acct-Session-Id = "0000CDA8"
Framed-Protocol = PPP
Framed-IP-Address = 66.19.137.64
Connect-Info = "30666/24000 V90/V42bis/LAPM (45333/24000)"
Ascend-Connect-Progress = prLanSessionUp
Acct-Authentic = RADIUS
User-Name = "radius at usexpress.net"
Acct-Status-Type = Start
NAS-Port = 99
Called-Station-Id = "8652512008"
Calling-Station-Id = "8655841684"
NAS-Port-Type = Async
Service-Type = Framed-User
NAS-IP-Address = 66.19.138.227
Event-Timestamp = 1050301337
Acct-Delay-Time = 0
Proxy-State = 171
Timestamp = 1050301317
Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
'Realm=usexpress.net'
Mon Apr 14 02:13:13 2003: DEBUG: sessions Adding session for
radius at usexpress.net, 66.19.138.227, 99
Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='66.19.138.227' and NASPORT=099
Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into RADONLINE
(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CALLERID) values
('radius at usexpress.net', '66.19.138.227', 099, '0000CDA8', 1050301317,
'66.19.137.64', 'Async', 'Framed-User', '8655841684')
Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with Radius::AuthSQL
Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into Calls
(CallerID,UserName,AcctStatusType,ServerID,NASIdentifier,NASPort,NASPortType
,Network,AcctSessionId,NASPortDNIS,FramedAddress,AcctDelayTime,CallDate)
values
(8655841684,'radius at usexpress.net',1,'63.110.140.7','66.19.138.227',99,'Async',8,'0000CDA8',8652512008,'66.19.137.64',0,'Apr 14, 2003 02:21')
Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with
Radius::AuthEMERALD
Mon Apr 14 02:13:13 2003: DEBUG: Accounting accepted
Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Sending to 63.110.140.7 port 3172 ....
Code: Accounting-Response
Identifier: 84
Authentic: <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
Attributes:
Proxy-State = 171
Thanks for your help once again, Hugh.
-Mike Walker
US Express.net, Inc.
------------------------------------------------
Hello Mike -
There are two ways to do this (at least :-)).
The first and simplest is to use cascaded AuthBy's.
# define AuthBy clauses
<AuthBy FILE>
Identifier CheckCalledStationId
Filename %D/calledstations
</AuthBy>
<AuthBy ...>
Identifier YourNormalAuthBy
.....
</AuthBy>
.....
# define Realms
<Realm ....>
AuthBy CheckCalledStationId
....
</Realm>
.......
The file "%D/calledstations" would contain this:
# calledstations
DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
DEFAULT Auth-Type = Reject
From your description below I am not sure whether the above will work?
I suspect I may need to see your existing configuration file (no
secrets) and a bit more detail on exactly what you want to do with the
Called-Station-Id's.
regards
Hugh
On Wednesday, Feb 19, 2003, at 20:09 Australia/Melbourne, Mike Walker
wrote:
> This is what I am trying to do:
>
> I need to deny authentication to any number in the 865 area code 'other
> than' 865-999-9999.
>
> My current configuration does not include any <Handler>'s yet, but this
> seems to me like a good place for one. Problem is, I want it based on a
> 'piece' of the Called-Station-ID (area code), and not the whole thing.
> Basically I just want all subscribers, regardless of realm, not to be
> able to connect to any other 865 POP but the one number we give them.
>
> Please let me know if I am going in the right direction with this, and
> possibly how to get around the 'part of the Called-Station-ID' issue.
> Much thanks in advance for the clues!
>
>
> -Mike Walker
> US Express.net, Inc.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
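A worked model of the first-match decision Hugh describes, combined with the "part of the Called-Station-ID" question from Mike's original mail (this is an added example, not Radiator code and not anything Hugh or Mike posted). It parses a small users-file-style list of DEFAULT entries and evaluates the Called-Station-Id check items top to bottom; a value written as /.../ is treated as a regular expression, so the 865 area-code prefix can be matched without listing every number, while other area codes fall through to normal authentication. The policy text, the sample requests (the first reuses the Called-Station-Id from the debug dump above) and the helper names parse_policy, decide and evaluate_all are all constructed for this illustration; whether your Radiator version accepts regex check items in exactly this syntax is an assumption to confirm against its reference manual.

```python
"""Model of a first-match Called-Station-Id policy (added illustration, not Radiator code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Matcher = Callable[[Optional[str]], bool]


@dataclass
class Entry:
    """One DEFAULT line: every check item must match for its Auth-Type to apply."""
    checks: List[Tuple[str, Matcher]]
    auth_type: str


# Constructed policy in the style of Hugh's calledstations file, extended with a
# second entry so that only the 865 area code is restricted and every other
# area code falls through to normal authentication.  The /.../ form is an
# assumption made for this model, not something the thread shows.
POLICY_TEXT = """
# calledstations (constructed sample)
DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
DEFAULT Called-Station-Id = /^865/, Auth-Type = Reject
DEFAULT Auth-Type = YourNormalAuthBy
"""

# Constructed requests; the first reuses the Called-Station-Id from the debug dump.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "knoxville_other_pop": {"User-Name": "radius@usexpress.net", "Called-Station-Id": "8652512008"},
    "knoxville_new_pop": {"User-Name": "user@a.net", "Called-Station-Id": "8659999999"},
    "out_of_area": {"User-Name": "user@1.com", "Called-Station-Id": "4235550100"},
    "contains_865": {"User-Name": "user@2.net", "Called-Station-Id": "4238650100"},
    "no_dnis": {"User-Name": "user@3.net"},
}


def _make_matcher(value: str) -> Matcher:
    """/.../ becomes a regex applied with search(), so anchor it yourself; anything
    else is an exact string.  A missing attribute never matches either form."""
    if len(value) >= 2 and value[0] == "/" and value[-1] == "/":
        pattern = re.compile(value[1:-1])
        return lambda v: v is not None and pattern.search(v) is not None
    return lambda v: v == value


def parse_policy(text: str) -> List[Entry]:
    """Parse lines of the form 'DEFAULT check = value, ..., Auth-Type = X'.
    Check values containing a comma are not handled by this small model."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(" ")
        if user != "DEFAULT":
            raise ValueError(f"only DEFAULT entries are modelled here: {line}")
        checks: List[Tuple[str, Matcher]] = []
        auth_type = None
        for item in rest.split(","):
            name, _, value = item.partition("=")
            name, value = name.strip(), value.strip()
            if name == "Auth-Type":
                auth_type = value
            else:
                checks.append((name, _make_matcher(value)))
        if auth_type is None:
            raise ValueError(f"entry has no Auth-Type: {line}")
        entries.append(Entry(checks, auth_type))
    return entries


def decide(entries: List[Entry], attrs: Dict[str, str]) -> str:
    """The first entry whose check items all match wins; no match at all is a Reject."""
    for entry in entries:
        if all(match(attrs.get(name)) for name, match in entry.checks):
            return entry.auth_type
    return "Reject"


def evaluate_all(policy_text: str, requests: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run every sample request through the policy and return name -> Auth-Type."""
    entries = parse_policy(policy_text)
    return {name: decide(entries, attrs) for name, attrs in requests.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all(POLICY_TEXT, SAMPLE_REQUESTS).items():
        print(f"{name:20s} -> {outcome}")
```

Two details are worth checking in whatever real check items you end up with: the pattern must be anchored (^865), otherwise a number such as 4238650100 that merely contains 865 would be rejected too; and a request that carries no Called-Station-Id at all falls through to normal authentication in this model, so if every NAS is expected to send it, add a check item requiring its presence ahead of the last DEFAULT rather than silently letting those calls in.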
-------------------------------------------------------
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.