(RADIATOR) Denying Auth based on Part of a Called-Station-ID

Mike Walker noc at usexpress.net
Mon Apr 14 02:08:03 CDT 2003


Hugh,

I am finally able to get this knocked out, but I am a bit confused about the
<AuthBy FILE> usage.  I get the cascading part, but how do I do this for
multiple Called-Station-Id's?  My dilemma is this:  We are wholesale dial
providers reselling 9 networks, including one of our own.  Here in
Knoxville, there are nine phone numbers belonging to other dial providers in
the Knoxville area, but we pay per user per month for them.  We just
completed installing our own equipment here, and do not want anyone dialing
any other 865 number EXCEPT for our new one.

So, I need to deny access from any realm to any of those 9 numbers.  I
thought about just using a Handler above the Realms like this:

<Handler Called-Station-Id=8652462222>
	<AuthBy FILE>
	Filename /etc/deny.file
	</AuthBy>
</Handler>

<Realm ...>
...
</Realm>

<Realm ...>
...
</Realm>

But it doesn't work, even for that one number.  However, my deny.file just
denies anything, but even when I dial that number, it's still auths.  The
configuration I have includes both proxy and standard Radius methods, and I
have included the gist of it below.  My question is, if I use your method,
how can I include all nine numbers in deny.file, or is there another way I
can pull this off with Handlers?  I do recall that mixing Handlers and
Realms together caused some strange behavior.  BTW, any of the realms should
be able to only dial our new local number when calling to the 865 area code.
We want to kill all nine other 865 numbers so the users are forced to dial
the new one.  Any input would be GREATLY appreciated!

My Config could use a little pruning and "consolidation", as you can see I
am not taking advantage of the newer features in 3.X yet...

Current Config (greatly truncated):

### Radiator Configuration

### Global Parameters

Trace 4
BindAddress 000.000.000.000
LogFile /var/log/radius/%Y%m%d
PidFile /tmp/radiusd.pid
UsernameCharset a-zA-Z0-9\._ at -
AuthPort 1812
AcctPort 1813

<AuthLog SQL>
        Identifier      Logs
        DBSource        dbi:Sybase:server=Emerald
        DBUsername      XXX
        DBAuth          XXX
        LogFailure      1
        FailureQuery    insert into RadLogs (Username, Password, CallerID, \
                Severity, Data, Network, NasPortDNIS) \
                values ('%n', '%P', '%{Calling-Station-Id}', %0, %1, \
                '%{Network}', '%{Called-Station-Id}')
</AuthLog>

### Client Parameters

<Client 216.126.204.4>
        Secret XXX
        RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
        IgnoreAcctSignature
        IdenticalClients 209.209.44.17 66.81.15.139
        PreHandlerHook sub { ${$_[0]}->add_attr('Network', '1'); }
</Client>

<Client 216.143.197.2>
        Secret XXX
        RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
        IgnoreAcctSignature
        IdenticalClients 216.143.197.130 216.143.198.2 216.142.193.146
        IdenticalClients 216.140.242.162
        PreHandlerHook sub { ${$_[0]}->add_attr('Network', '2'); }
</Client>

<Client 216.166.11.11>
        Secret XXX
        IgnoreAcctSignature
        IdenticalClients 216.166.61.12 216.166.61.13 216.166.61.14
        IdenticalClients 216.166.61.15 216.166.61.16 216.166.61.17
        IdenticalClients 206.127.30.138 206.127.30.139
        PreHandlerHook sub { ${$_[0]}->add_attr('Network', '0'); }
</Client>

<Client 208.25.44.225>
        Secret XXX
        RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
        IgnoreAcctSignature
        IdenticalClients 65.120.168.251
        PreHandlerHook sub { ${$_[0]}->add_attr('Network', '11'); }
</Client>

### Accounting Parameters

<AuthBy SQL>
        Identifier      Accounting
        DBSource        dbi:Sybase:server=Emerald
        DBUsername      XXXX
        DBAuth          XXXX
        AccountingTable Calls
        AuthSelect
        AcctColumnDef   UserName,User-Name
        AcctColumnDef   CallDate,Timestamp,integer-date
        AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
        AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
        AcctColumnDef   AcctInputOctets,Acct-Input-Octets,integer
        AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
        AcctColumnDef   AcctSessionId,Acct-Session-Id
        AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
        AcctColumnDef   NASPortType,NAS-Port-Type
        AcctColumnDef   AcctTerminateCause,Acct-Terminate-Cause,integer
        AcctColumnDef   NASIdentifier,NAS-IP-Address
        AcctColumnDef   NASIdentifier,NAS-Identifier
        AcctColumnDef   NASPort,NAS-Port,integer
        AcctColumnDef   CallerID,Calling-Station-Id,integer
        AcctColumnDef   FramedAddress,Framed-IP-Address
        AcctColumnDef   NASPortDNIS,Called-Station-Id,integer
        AcctColumnDef   ServerID,'%{Client:Name}',literal
        AcctColumnDef   Network,Network,integer
        AuthSQLStatement delete from RADONLINE \
                where CALLERID='%{Calling-Station-Id}' \
                and CALLERID IS NOT NULL \
                and CALLERID <> ''
</AuthBy>

###  REALMS

<Realm DEFAULT>
        AuthByPolicy ContinueAlways
        AuthBy Accounting
        <AuthBy RADIUS>
                Host 65.120.168.22
                Host 65.120.168.23
                AuthPort 1812
                AcctPort 1813
                Secret XXX
                StripFromRequest Proxy-State
                AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
                Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
                Ascend-Data-Filter="ip in drop tcp dstport = 25",\
                Ascend-Data-Filter="ip in forward"
        </AuthBy>
</Realm>

<Realm a.net>
        AuthByPolicy ContinueAlways
        AuthBy Accounting
        <AuthBy RADIUS>
                Host 65.120.168.22
                Host 65.120.168.23
                AuthPort 1812
                AcctPort 1813
                Secret XXX
                StripFromRequest Proxy-State
                AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
                Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
                Ascend-Data-Filter="ip in drop tcp dstport = 25",\
                Ascend-Data-Filter="ip in forward"
        </AuthBy>
</Realm>

<Realm 1.com>
        AuthByPolicy ContinueAlways
        AuthBy Accounting
        <AuthBy RADIUS>
                Host 216.235.147.88
                Host 216.187.216.52
                Host 63.160.140.23
                AuthPort 1812
                AcctPort 1813
                Secret XXX
                StripFromRequest Proxy-State
                AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter="ip in forward dstip 216.235.147.85/24",\
                Ascend-Data-Filter="ip in drop tcp dstport = 25",\
                Ascend-Data-Filter="ip in forward"
        </AuthBy>
</Realm>

<Realm 2.net>
        AuthByPolicy ContinueAlways
        AuthBy Accounting
        <AuthBy RADIUS>
                Host 63.110.254.101
                AuthPort 1812
                AcctPort 1813
                Secret XXX
                StripFromRequest Proxy-State
                AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter="ip in forward dstip 63.110.254.101/32",\
                Ascend-Data-Filter="ip in drop tcp dstport = 25",\
                Ascend-Data-Filter="ip in forward"
        </AuthBy>
</Realm>

<Realm 1.us>
        AuthByPolicy Continue
        AuthBy Accounting
        <AuthBy EMERALD>
                DBSource        dbi:Sybase:server=Emerald
                DBUsername      proxy
                DBAuth          XXX
                AuthSelect ,sa.LoginLimit
                AuthColumnDef 0,Simultaneous-Use,check
                AddATDefaults
                AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
                Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
                Ascend-Data-Filter="ip in drop tcp dstport = 25",\
                Ascend-Data-Filter="ip in forward"
        </AuthBy>
        AuthLog Logs
</Realm>

<Realm 3.net>
        AuthByPolicy Continue
        AuthBy Accounting
        <AuthBy EMERALD>
                DBSource        dbi:Sybase:server=Emerald
                DBUsername      proxy
                DBAuth          XXX
                AuthSelect ,sa.LoginLimit
                AuthColumnDef 0,Simultaneous-Use,check
                AddATDefaults
                AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
                Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
                Ascend-Data-Filter="ip in drop tcp dstport = 25",\
                Ascend-Data-Filter="ip in forward"
        </AuthBy>
        AuthLog Logs
</Realm>

<SessionDatabase SQL>
        Identifier      sessions
        DBSource        dbi:Sybase:server=Emerald
        DBUsername      XXX
        DBAuth          XXX
        AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
        ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
        SERVICETYPE, CALLERID) values ('%u', '%N', 0%{NAS-Port}, \
        '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', \
        '%{NAS-Port-Type}', '%{Service-Type}', '%{Calling-Station-Id}')
</SessionDatabase>

:END

I tried a bunch of other "ideas" that didn't work too well.  Here is a
sample debug from an auth that looks "normal"...

Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Received from 63.110.140.7 port 3166 ....
Code:       Access-Request
Identifier: 80
Authentic:  e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
Attributes:
        Framed-Protocol = PPP
        User-Name = "radius at usexpress.net"
        User-Password =
"<193><152><169><169>|<234><224>Y<241><149><234><10>v<219>?<164>"
        NAS-Port = 99
        Called-Station-Id = "8652512008"
        Calling-Station-Id = "8655841684"
        NAS-Port-Type = Async
        Service-Type = Framed-User
        NAS-IP-Address = 66.19.138.227
        Proxy-State = 197

Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
'Realm=usexpress.net'
Mon Apr 14 02:13:13 2003: DEBUG: sessions Deleting session for
radius at usexpress.net, 66.19.138.227, 99
Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='66.19.138.227' and NASPORT=099

Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
CALLERID='8655841684' and CALLERID IS NOT NULL and CALLERID <> ''

Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD:
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select DateAdd(Day,
ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subaccounts sa
where (sa.login = 'radius at usexpress.net' or sa.shell =
'radius at usexpress.net')
and ma.customerid = sa.customerid
and sa.active <> 0

Mon Apr 14 02:13:13 2003: DEBUG: Select results: , Dec 31 2020 12:00AM,
6654, PL PPP Dialup, XXX, radius at usexpress.net, , , 1
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
ra.RadVendorID,
ra.RadVendorType,
Data, Value, Type, RadCheck
from RadConfigs rc, RadAttributes ra
where ra.RadAttributeID = rc.RadAttributeID
and ra.RadVendorID = rc.RadVendorID
and ra.RadVendorType = rc.RadVendorType
and rc.AccountID=6654

Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
ra.RadVendorID,
ra.RadVendorType,
Data, Value, Type, RadCheck
from RadATConfigs rc, RadAttributes ra
where ra.RadAttributeID = rc.RadAttributeID
and ra.RadVendorID = rc.RadVendorID
and ra.RadVendorType = rc.RadVendorType
and rc.AccountType='PL PPP Dialup'

Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD looks for match with
radius at usexpress.net
Mon Apr 14 02:13:13 2003: DEBUG: Expiration date converted to: 1609390800
Mon Apr 14 02:13:13 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
USERNAME='radius at usexpress.net'

Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD ACCEPT:
Mon Apr 14 02:13:13 2003: DEBUG: Access accepted for radius at usexpress.net
Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Sending to 63.110.140.7 port 3166 ....
Code:       Access-Accept
Identifier: 80
Authentic:  e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
Attributes:
        Proxy-State = 197
        Service-Type = 2
        Framed-Protocol = 1
        Framed-MTU = 1500
        Session-Timeout = 21600
        Ascend-Data-Filter = ip in forward tcp est
        Ascend-Data-Filter = ip in forward dstip 63.168.186.0/24
        Ascend-Data-Filter = ip in forward dstip 65.120.168.0/24
        Ascend-Data-Filter = ip in drop tcp dstport = 25
        Ascend-Data-Filter = ip in forward

Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Received from 63.110.140.7 port 3172 ....
Code:       Accounting-Request
Identifier: 84
Authentic:  <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
Attributes:
        Acct-Session-Id = "0000CDA8"
        Framed-Protocol = PPP
        Framed-IP-Address = 66.19.137.64
        Connect-Info = "30666/24000 V90/V42bis/LAPM (45333/24000)"
        Ascend-Connect-Progress = prLanSessionUp
        Acct-Authentic = RADIUS
        User-Name = "radius at usexpress.net"
        Acct-Status-Type = Start
        NAS-Port = 99
        Called-Station-Id = "8652512008"
        Calling-Station-Id = "8655841684"
        NAS-Port-Type = Async
        Service-Type = Framed-User
        NAS-IP-Address = 66.19.138.227
        Event-Timestamp = 1050301337
        Acct-Delay-Time = 0
        Proxy-State = 171
        Timestamp = 1050301317

Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
'Realm=usexpress.net'
Mon Apr 14 02:13:13 2003: DEBUG: sessions Adding session for
radius at usexpress.net, 66.19.138.227, 99
Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='66.19.138.227' and NASPORT=099

Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into RADONLINE
(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CALLERID) values
('radius at usexpress.net', '66.19.138.227', 099, '0000CDA8', 1050301317,
'66.19.137.64', 'Async', 'Framed-User', '8655841684')

Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with Radius::AuthSQL
Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into Calls
(CallerID,UserName,AcctStatusType,ServerID,NASIdentifier,NASPort,NASPortType
,Network,AcctSessionId,NASPortDNIS,FramedAddress,AcctDelayTime,CallDate)
values
(8655841684,'radius at usexpress.net',1,'63.110.140.7','66.19.138.227',99,'Asyn
c',8,'0000CDA8',8652512008,'66.19.137.64',0,'Apr 14, 2003 02:21')

Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with
Radius::AuthEMERALD
Mon Apr 14 02:13:13 2003: DEBUG: Accounting accepted
Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
*** Sending to 63.110.140.7 port 3172 ....
Code:       Accounting-Response
Identifier: 84
Authentic:  <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
Attributes:
        Proxy-State = 171


Thanks for your help once again, Hugh.


-Mike Walker
US Express.net, Inc.


------------------------------------------------

Hello Mike -

There are two ways to do this (at least :-)).

The first and simplest is to use cascaded AuthBy's.

# define AuthBy clauses

<AuthBy FILE>
	Identifier CheckCalledStationId
	Filename %D/calledstations
</AuthBy>

<AuthBy ...>
	Identifier YourNormalAuthBy
	.....
</AuthBy>

.....

# define Realms

<Realm ....>
	AuthBy CheckCalledStationId
	....
</Realm>

.......


The file "%D/calledstations" would contain this:

# calledstations

DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy

DEFAULT Auth-Type = Reject


From your description below I am not sure whether the above will work?

I suspect I may need to see your existing configuration file (no
secrets) and a bit more detail on exactly what you want to do with the
Called-Station-Id's.

regards

Hugh


On Wednesday, Feb 19, 2003, at 20:09 Australia/Melbourne, Mike Walker
wrote:
> This is what I am trying to do:
>
> I need to deny authentication to any number in the 865 area code 'other
> than' 865-999-9999.
>
> My current configuration does not include any <Handler>'s yet, but this
> seems to me like a good place for one.  Problem is, I want it based on
> a
> 'piece' of the Called-Station-ID (area code), and not the whole thing.
> Basically I just want all subscribers, regardless of realm, not to be
> able to connect to any other 865 POP but the one number we give them.
>
> Please let me know if I am going in the right direction with this, and
> possibly how to get around the 'part of the Called-Station-ID' issue.
> Much thanks in advance for the clues!
>
>
> -Mike Walker
> US Express.net, Inc.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

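To see how the cascaded "calledstations" file above is evaluated, here is a small Python simulator (added here, not Radiator code and not from either poster) that walks DEFAULT entries top to bottom the way a users file is matched, and also tries a variant that keys on the 865 prefix, which is the partial-match case the thread asks about. The /regex/ check-item syntax in the variant, the Auth-Type names and the request attributes are assumptions; confirm regex check items against your Radiator manual before relying on them.

```python
import re

# Constructed rule text in the users-file style of Hugh's reply: each DEFAULT
# line holds check items, and the first entry whose check items all match
# decides the Auth-Type (YourNormalAuthBy is a hypothetical AuthBy Identifier).
HUGH_RULES = """
DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
DEFAULT Auth-Type = Reject
"""

# Variant for the area-code case (assumes /regex/ check values are accepted):
# allow the new local number, reject every other 865 number, and let calls
# outside 865 fall through to normal authentication.
AREA_CODE_RULES = """
DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
DEFAULT Called-Station-Id = /^865/, Auth-Type = Reject
DEFAULT Auth-Type = YourNormalAuthBy
"""

def parse_rules(text):
    """Return (name, check_items, auth_type) tuples in file order."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, auth_type = {}, None
        for item in rest.split(","):
            attr, _, value = item.partition("=")
            attr, value = attr.strip(), value.strip()
            if attr == "Auth-Type":
                auth_type = value
            else:
                checks[attr] = value
        entries.append((name, checks, auth_type))
    return entries

def check_matches(expected, actual):
    """Literal match, or regex match when the check value is written /.../."""
    if actual is None:
        return False
    if len(expected) > 2 and expected[0] == expected[-1] == "/":
        return re.search(expected[1:-1], actual) is not None
    return expected == actual

def decide(rules, request):
    """First matching entry wins; None when no entry matches at all."""
    for name, checks, auth_type in parse_rules(rules):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_matches(v, request.get(a)) for a, v in checks.items()):
            return auth_type
    return None

# Constructed requests modelled on the Access-Request in the debug output.
REQUESTS = {
    "our_pop":     {"User-Name": "radius@usexpress.net", "Called-Station-Id": "8659999999"},
    "other_865":   {"User-Name": "radius@usexpress.net", "Called-Station-Id": "8652512008"},
    "out_of_area": {"User-Name": "radius@usexpress.net", "Called-Station-Id": "6155551212"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(label, decide(HUGH_RULES, req), decide(AREA_CODE_RULES, req))
```

Note that Hugh's file as written rejects calls to numbers outside 865 as well, since its last entry has no check items; the variant keeps those calls on the normal path.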

-------------------------------------------------------

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.


