(RADIATOR) Denying Auth based on Part of a Called-Station-ID
Hugh Irvine
hugh at open.com.au
Tue Apr 15 02:29:30 CDT 2003
Hello Mike -
Thanks for the additional information.
I am still not quite clear on exactly what you need to do.
From what you are saying, you only want to accept radius requests from
your own NAS equipment - is that correct?
And if someone calls your equipment with a Realm that you accept, you
want to proxy that request to another radius server?
There are a couple of different ways to accomplish this, depending on
what else you need to do.
You can either set up your configuration file with Realms and use
cascaded AuthBy's, *or* you can use Handlers to check the
Called-Station-Id. As you have discovered, mixing the two different
approaches will not work.
regards
Hugh
On Monday, Apr 14, 2003, at 17:08 Australia/Melbourne, Mike Walker
wrote:
> Hugh,
>
> I am finally able to get this knocked out, but I am a bit confused about the
> <AuthBy FILE> usage. I get the cascading part, but how do I do this for
> multiple Called-Station-Id's? My dilemma is this: We are wholesale dial
> providers reselling 9 networks, including one of our own. Here in
> Knoxville, there are nine phone numbers belonging to other dial providers in
> the Knoxville area, but we pay per user per month for them. We just
> completed installing our own equipment here, and do not want anyone dialing
> any other 865 number EXCEPT for our new one.
>
> So, I need to deny access from any realm to any of those 9 numbers. I
> thought about just using a Handler above the Realms like this:
>
> <Handler Called-Station-Id=8652462222>
>     <AuthBy FILE>
>         Filename /etc/deny.file
>     </AuthBy>
> </Handler>
>
> <Realm ...>
> ...
> </Realm>
>
> <Realm ...>
> ...
> </Realm>
>
> But it doesn't work, even for that one number. However, my deny.file just
> denies anything, but even when I dial that number, it's still auths. The
> configuration I have includes both proxy and standard Radius methods, and
> I have included the gist of it below. My question is, if I use your method,
> how can I include all nine numbers in deny.file, or is there another way I
> can pull this off with Handlers? I do recall that mixing Handlers and
> Realms together caused some strange behavior. BTW, any of the realms should
> be able to only dial our new local number when calling to the 865 area
> code. We want to kill all nine other 865 numbers so the users are forced to
> dial the new one. Any input would be GREATLY appreciated!
>
> My Config could use a little pruning and "consolidation", as you can see I
> am not taking advantage of the newer features in 3.X yet...
>
> Current Config (greatly truncated):
>
> ### Radiator Configuration
>
> ### Global Parameters
>
> Trace 4
> BindAddress 000.000.000.000
> LogFile /var/log/radius/%Y%m%d
> PidFile /tmp/radiusd.pid
> UsernameCharset a-zA-Z0-9\._@-
> AuthPort 1812
> AcctPort 1813
>
> <AuthLog SQL>
> Identifier Logs
> DBSource dbi:Sybase:server=Emerald
> DBUsername XXX
> DBAuth XXX
> LogFailure 1
> FailureQuery insert into RadLogs (Username, Password, CallerID, \
> Severity, Data, Network, NasPortDNIS) values ('%n', '%P', \
> '%{Calling-Station-Id}', %0, %1, '%{Network}', '%{Called-Station-Id}')
> </AuthLog>
>
> ### Client Parameters
>
> <Client 216.126.204.4>
> Secret XXX
> RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
> IgnoreAcctSignature
> IdenticalClients 209.209.44.17 66.81.15.139
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '1'); }
> </Client>
>
> <Client 216.143.197.2>
> Secret XXX
> RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
> IgnoreAcctSignature
> IdenticalClients 216.143.197.130 216.143.198.2 216.142.193.146
> IdenticalClients 216.140.242.162
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '2'); }
> </Client>
>
> <Client 216.166.11.11>
> Secret XXX
> IgnoreAcctSignature
> IdenticalClients 216.166.61.12 216.166.61.13 216.166.61.14
> IdenticalClients 216.166.61.15 216.166.61.16 216.166.61.17
> IdenticalClients 206.127.30.138 206.127.30.139
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '0'); }
> </Client>
>
> <Client 208.25.44.225>
> Secret XXX
> RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
> IgnoreAcctSignature
> IdenticalClients 65.120.168.251
> PreHandlerHook sub { ${$_[0]}->add_attr('Network', '11'); }
> </Client>
>
> ### Accounting Parameters
>
> <AuthBy SQL>
> Identifier Accounting
> DBSource dbi:Sybase:server=Emerald
> DBUsername XXXX
> DBAuth XXXX
> AccountingTable Calls
> AuthSelect
> AcctColumnDef UserName,User-Name
> AcctColumnDef CallDate,Timestamp,integer-date
> AcctColumnDef AcctStatusType,Acct-Status-Type,integer
> AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
> AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
> AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
> AcctColumnDef AcctSessionId,Acct-Session-Id
> AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
> AcctColumnDef NASPortType,NAS-Port-Type
> AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,integer
> AcctColumnDef NASIdentifier,NAS-IP-Address
> AcctColumnDef NASIdentifier,NAS-Identifier
> AcctColumnDef NASPort,NAS-Port,integer
> AcctColumnDef CallerID,Calling-Station-Id,integer
> AcctColumnDef FramedAddress,Framed-IP-Address
> AcctColumnDef NASPortDNIS,Called-Station-Id,integer
> AcctColumnDef ServerID,'%{Client:Name}',literal
> AcctColumnDef Network,Network,integer
> AuthSQLStatement delete from RADONLINE \
> where CALLERID='%{Calling-Station-Id}' \
> and CALLERID IS NOT NULL \
> and CALLERID <> ''
> </AuthBy>
>
> ### REALMS
>
> <Realm DEFAULT>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 65.120.168.22
> Host 65.120.168.23
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.168.176.0/20",\
> Ascend-Data-Filter = "ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward"
> </AuthBy>
> </Realm>
>
> <Realm a.net>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 65.120.168.22
> Host 65.120.168.23
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.168.176.0/20",\
> Ascend-Data-Filter = "ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward"
> </AuthBy>
> </Realm>
>
> <Realm 1.com>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 216.235.147.88
> Host 216.187.216.52
> Host 63.160.140.23
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 216.235.147.85/24",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward"
> </AuthBy>
> </Realm>
>
> <Realm 2.net>
> AuthByPolicy ContinueAlways
> AuthBy Accounting
> <AuthBy RADIUS>
> Host 63.110.254.101
> AuthPort 1812
> AcctPort 1813
> Secret XXX
> StripFromRequest Proxy-State
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.110.254.101/32",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward"
> </AuthBy>
> </Realm>
>
> <Realm 1.us>
> AuthByPolicy Continue
> AuthBy Accounting
> <AuthBy EMERALD>
> DBSource dbi:Sybase:server=Emerald
> DBUsername proxy
> DBAuth XXX
> AuthSelect ,sa.LoginLimit
> AuthColumnDef 0,Simultaneous-Use,check
> AddATDefaults
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.168.186.0/24",\
> Ascend-Data-Filter = "ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward"
> </AuthBy>
> AuthLog Logs
> </Realm>
>
> <Realm 3.net>
> AuthByPolicy Continue
> AuthBy Accounting
> <AuthBy EMERALD>
> DBSource dbi:Sybase:server=Emerald
> DBUsername proxy
> DBAuth XXX
> AuthSelect ,sa.LoginLimit
> AuthColumnDef 0,Simultaneous-Use,check
> AddATDefaults
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.168.186.0/24",\
> Ascend-Data-Filter = "ip in forward dstip 65.120.168.0/24",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward"
> </AuthBy>
> AuthLog Logs
> </Realm>
>
> <SessionDatabase SQL>
> Identifier sessions
> DBSource dbi:Sybase:server=Emerald
> DBUsername XXX
> DBAuth XXX
> AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER,
> NASPORT, \
> ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
> SERVICETYPE, CALLERID) values ('%u', '%N', 0%{NAS-Port}, \
> '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', \
> '%{NAS-Port-Type}', '%{Service-Type}', '%{Calling-Station-Id}')
> </SessionDatabase>
>
> :END
>
> I tried a bunch of other "ideas" that didn't work too well. Here is a
> sample debug from an auth that looks "normal"...
>
> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
> *** Received from 63.110.140.7 port 3166 ....
> Code: Access-Request
> Identifier: 80
> Authentic: e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
> Attributes:
> Framed-Protocol = PPP
> User-Name = "radius at usexpress.net"
> User-Password =
> "<193><152><169><169>|<234><224>Y<241><149><234><10>v<219>?<164>"
> NAS-Port = 99
> Called-Station-Id = "8652512008"
> Calling-Station-Id = "8655841684"
> NAS-Port-Type = Async
> Service-Type = Framed-User
> NAS-IP-Address = 66.19.138.227
> Proxy-State = 197
>
> Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
> 'Realm=usexpress.net'
> Mon Apr 14 02:13:13 2003: DEBUG: sessions Deleting session for
> radius at usexpress.net, 66.19.138.227, 99
> Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
> NASIDENTIFIER='66.19.138.227' and NASPORT=099
>
> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
> CALLERID='8655841684' and CALLERID IS NOT NULL and CALLERID <> ''
>
> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD:
> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'radius at usexpress.net' or sa.shell =
> 'radius at usexpress.net')
> and ma.customerid = sa.customerid
> and sa.active <> 0
>
> Mon Apr 14 02:13:13 2003: DEBUG: Select results: , Dec 31 2020 12:00AM,
> 6654, PL PPP Dialup, XXX, radius at usexpress.net, , , 1
> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
> ra.RadVendorID,
> ra.RadVendorType,
> Data, Value, Type, RadCheck
> from RadConfigs rc, RadAttributes ra
> where ra.RadAttributeID = rc.RadAttributeID
> and ra.RadVendorID = rc.RadVendorID
> and ra.RadVendorType = rc.RadVendorType
> and rc.AccountID=6654
>
> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
> ra.RadVendorID,
> ra.RadVendorType,
> Data, Value, Type, RadCheck
> from RadATConfigs rc, RadAttributes ra
> where ra.RadAttributeID = rc.RadAttributeID
> and ra.RadVendorID = rc.RadVendorID
> and ra.RadVendorType = rc.RadVendorType
> and rc.AccountType='PL PPP Dialup'
>
> Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD looks for match with
> radius at usexpress.net
> Mon Apr 14 02:13:13 2003: DEBUG: Expiration date converted to:
> 1609390800
> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select NASIDENTIFIER,
> NASPORT,
> ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
> USERNAME='radius at usexpress.net'
>
> Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD ACCEPT:
> Mon Apr 14 02:13:13 2003: DEBUG: Access accepted for
> radius at usexpress.net
> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
> *** Sending to 63.110.140.7 port 3166 ....
> Code: Access-Accept
> Identifier: 80
> Authentic: e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
> Attributes:
> Proxy-State = 197
> Service-Type = 2
> Framed-Protocol = 1
> Framed-MTU = 1500
> Session-Timeout = 21600
> Ascend-Data-Filter = ip in forward tcp est
> Ascend-Data-Filter = ip in forward dstip 63.168.186.0/24
> Ascend-Data-Filter = ip in forward dstip 65.120.168.0/24
> Ascend-Data-Filter = ip in drop tcp dstport = 25
> Ascend-Data-Filter = ip in forward
>
> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
> *** Received from 63.110.140.7 port 3172 ....
> Code: Accounting-Request
> Identifier: 84
> Authentic: <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
> Attributes:
> Acct-Session-Id = "0000CDA8"
> Framed-Protocol = PPP
> Framed-IP-Address = 66.19.137.64
> Connect-Info = "30666/24000 V90/V42bis/LAPM (45333/24000)"
> Ascend-Connect-Progress = prLanSessionUp
> Acct-Authentic = RADIUS
> User-Name = "radius at usexpress.net"
> Acct-Status-Type = Start
> NAS-Port = 99
> Called-Station-Id = "8652512008"
> Calling-Station-Id = "8655841684"
> NAS-Port-Type = Async
> Service-Type = Framed-User
> NAS-IP-Address = 66.19.138.227
> Event-Timestamp = 1050301337
> Acct-Delay-Time = 0
> Proxy-State = 171
> Timestamp = 1050301317
>
> Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
> 'Realm=usexpress.net'
> Mon Apr 14 02:13:13 2003: DEBUG: sessions Adding session for
> radius at usexpress.net, 66.19.138.227, 99
> Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
> NASIDENTIFIER='66.19.138.227' and NASPORT=099
>
> Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into RADONLINE
> (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
> FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CALLERID) values
> ('radius at usexpress.net', '66.19.138.227', 099, '0000CDA8', 1050301317,
> '66.19.137.64', 'Async', 'Framed-User', '8655841684')
>
> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with
> Radius::AuthSQL
> Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into Calls
> (CallerID,UserName,AcctStatusType,ServerID,NASIdentifier,NASPort,NASPortType,
> Network,AcctSessionId,NASPortDNIS,FramedAddress,AcctDelayTime,CallDate)
> values
> (8655841684,'radius at usexpress.net',1,'63.110.140.7','66.19.138.227',99,'Async',
> 8,'0000CDA8',8652512008,'66.19.137.64',0,'Apr 14, 2003 02:21')
>
> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
> Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with
> Radius::AuthEMERALD
> Mon Apr 14 02:13:13 2003: DEBUG: Accounting accepted
> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
> *** Sending to 63.110.140.7 port 3172 ....
> Code: Accounting-Response
> Identifier: 84
> Authentic: <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
> Attributes:
> Proxy-State = 171
>
>
> Thanks for your help once again, Hugh.
>
>
> -Mike Walker
> US Express.net, Inc.
>
>
> ------------------------------------------------
>
> Hello Mike -
>
> There are two ways to do this (at least :-)).
>
> The first and simplest is to use cascaded AuthBy's.
>
> # define AuthBy clauses
>
> <AuthBy FILE>
> Identifier CheckCalledStationId
> Filename %D/calledstations
> </AuthBy>
>
> <AuthBy ...>
> Identifier YourNormalAuthBy
> .....
> </AuthBy>
>
> .....
>
> # define Realms
>
> <Realm ....>
> AuthBy CheckCalledStationId
> ....
> </Realm>
>
> .......
>
>
> The file "%D/calledstations" would contain this:
>
> # calledstations
>
> DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
>
> DEFAULT Auth-Type = Reject
>
>
> From your description below I am not sure whether the above will work?
>
> I suspect I may need to see your existing configuration file (no
> secrets) and a bit more detail on exactly what you want to do with the
> Called-Station-Id's.
>
> regards
>
> Hugh
>
>
> On Wednesday, Feb 19, 2003, at 20:09 Australia/Melbourne, Mike Walker
> wrote:
>
>> This is what I am trying to do:
>>
>> I need to deny authentication to any number in the 865 area code 'other
>> than' 865-999-9999.
>>
>> My current configuration does not include any <Handler>'s yet, but this
>> seems to me like a good place for one. Problem is, I want it based on a
>> 'piece' of the Called-Station-ID (area code), and not the whole thing.
>> Basically I just want all subscribers, regardless of realm, not to be
>> able to connect to any other 865 POP but the one number we give them.
>>
>> Please let me know if I am going in the right direction with this, and
>> possibly how to get around the 'part of the Called-Station-ID' issue.
>> Much thanks in advance for the clues!
>>
>>
>> -Mike Walker
>> US Express.net, Inc.
>>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
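Worked example, added here and not part of the thread or of Radiator's own documentation: a configuration that keeps Mike's Realm clauses and rejects any 865 number other than his own, which is the cascaded-AuthBy route Hugh describes, with the "part of the Called-Station-Id" problem handled by a regular-expression check item. It rests on three things I recall from the Radiator 3.x reference manual and which you should confirm against your version: a check-item value written between slashes is matched as a Perl regular expression; the DEFAULT entries of a users file are tried in order until one whose check items all match is found; and AuthByPolicy ContinueUntilReject carries on past Accept and Ignore results and stops at the first Reject. The number 8652462222 is the one from Mike's own Handler; the identifiers, the file name %D/calledstations (borrowed from Hugh's reply) and the trimmed AuthBy clauses are illustrative.

```text
# Added example, not from the thread.  Keeps the existing Realm clauses and
# puts a Called-Station-Id gate in front of each realm's AuthBy chain.
# Assumed from the Radiator reference manual (verify for your version):
#   - a check item value written as /.../ is a Perl regular expression
#   - DEFAULT entries are tried in order until one's check items all match
#   - AuthByPolicy ContinueUntilReject continues past Accept/Ignore and
#     stops at the first Reject

# ---- %D/calledstations (Radiator users-file format) -----------------------
# Only our own Knoxville number is allowed in the 865 area code.  Order
# matters: the exact number must be tested before the area-code pattern.
DEFAULT Called-Station-Id = 8652462222, Auth-Type = Accept
DEFAULT Called-Station-Id = /^865/,     Auth-Type = Reject
# Any other area code, or a request with no Called-Station-Id at all,
# falls through to the normal authentication further down the chain.
DEFAULT Auth-Type = Accept

# ---- radius.cfg -----------------------------------------------------------
<AuthBy FILE>
    Identifier CheckCalledStationId
    Filename %D/calledstations
</AuthBy>

<AuthBy SQL>
    Identifier Accounting
    # ... the existing accounting-only definition, unchanged ...
</AuthBy>

# One realm shown; the same three AuthBy lines go into every Realm,
# DEFAULT included, so the rule applies regardless of realm.
<Realm a.net>
    # Accept from the file means "not vetoed, keep going"; a Reject from
    # the file ends the chain before the request is proxied.  Every AuthBy
    # ahead of the proxy must therefore answer Accept or Ignore (not
    # Reject) for Access-Requests; check that in a Trace 4 run.
    AuthByPolicy ContinueUntilReject
    AuthBy CheckCalledStationId
    AuthBy Accounting
    <AuthBy RADIUS>
        Host 65.120.168.22
        Host 65.120.168.23
        AuthPort 1812
        AcctPort 1813
        Secret XXX
        StripFromRequest Proxy-State
        # AddToReply lines as in the existing configuration
    </AuthBy>
    # Rejections are written to RadLogs by the FailureQuery of AuthLog "Logs"
    AuthLog Logs
</Realm>
```

To verify, run with Trace 4 and dial one of the other 865 numbers: the debug should show the Realm handler being chosen, AuthBy FILE matching the second DEFAULT, an "Access rejected" line, and a row inserted by the FailureQuery. Two caveats a practitioner should keep in mind. The Called-Station-Id is supplied by the NAS, here the other providers' equipment, so this is a cost-steering control that is exactly as trustworthy as those clients and their shared secrets, not an authentication control. And the pattern is anchored at the start of the value; if any NAS sends the number with a leading 1 or with separators, adjust the regex to match what a trace actually shows (the trace above shows bare ten-digit values such as 8652512008). If you would rather follow the Handler route instead, convert every <Realm x> into <Handler Realm=x> and put a `<Handler Request-Type=Access-Request, Called-Station-Id=/^865(?!2462222)/>` holding an `<AuthBy INTERNAL>` with `DefaultResult REJECT` above them: as I understand Radiator's dispatch, Realm clauses are tried before any Handler, which is why a Handler placed above the Realms never saw the request in the trace above (it was handled by 'Realm=usexpress.net').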