(RADIATOR) Denying Auth based on Part of a Called-Station-ID

Hugh Irvine hugh at open.com.au
Wed Apr 16 03:10:41 CDT 2003


Hello Mike -

How are you going to know where the customer is calling from when you 
check the Called-Station-Id? What is supposed to happen if someone from 
outside the Knoxville area dials your number?

Sorry to be obtuse, but it is still not clear to me exactly what your 
requirements are.

You have calls coming in from all over the place, with the usernames 
containing Realm suffixes, and you want to proxy those requests to 
other radius servers? Perhaps you could make a little chart showing 
what is supposed to happen and also what is not supposed to happen?

regards

Hugh


On Wednesday, Apr 16, 2003, at 07:11 Australia/Melbourne, Mike Walker 
wrote:

> You are close ;-).
>
> We provide proxy radius and "regular" radius authentication to many clients
> who use some or all of our 9 networks (like Qwest, Aleron, MegaPOP, etc.),
> providing access to about 15,000 phone numbers across the US.  Out of all of
> our numbers, there are 9 numbers in the 865 area code that belong to those
> other major providers.  However, since we are based in the 865 area, and we
> have lots of customers here, we installed our own equipment in a switchroom
> in downtown Knoxville, TN.  What I want to do is force all Knoxville users
> (regardless of realm) to use our new 865 number in Knoxville, and NOT the
> other nine local numbers from those other providers.  But, I still want the
> remaining 15,000 or so nationwide numbers that are outside of Knoxville to
> work just as they did before.
>
> So, to pull that off, I believe I need Radiator to base its authentication
> decision on Called-Station-Id, and then base it on Realm, Username, and
> Password.  If anyone from anywhere dials the 865 Qwest number, for instance,
> they get an instant denial, because we don't want to pay $4.25 per month per
> user in Knoxville when we have our own equipment here.
>
> In regards to the config, out of your 2 options, I think I like the Handler
> idea better, but I am not sure why. ;-)  Since I can't mix Handler and Realm
> together, can I do something like this?:
>
> <Handler Called-Station-Id=8652505555>
> 	<AuthBy FILE>
> 	Filename Deny.File
> 	</AuthBy>
> </Handler>
>
> <Handler Called-Station-Id=8652505556>
> 	<AuthBy FILE>
> 	Filename Deny.File
> 	</AuthBy>
> </Handler>
>
> (the other 7 handlers for the 9 numbers I want to deny, then...)
>
> <Handler Realm=usexpress.net>
>         AuthBy Accounting
>         <AuthBy RADIUS>
>                 Host 216.235.147.88
>                 Host 216.187.216.52
>                 Host 63.160.140.23
>                 AuthPort 1812
>                 AcctPort 1813
>                 Secret XXX
>                 StripFromRequest Proxy-State
>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>                 Ascend-Data-Filter="ip in forward dstip 216.235.147.85/24",\
>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>                 Ascend-Data-Filter="ip in forward"
>         </AuthBy>
> </Handler>
>
> (... And the other Realms we have using Handler instead of Realm)
>
> From the looks of the Handler section of the docs, I can't combine the
> force-deny Handlers into one like this:
>
> <Handler Called-Station-Id=8652505555,Called-Station-Id=8652505556...>
> 	<AuthBy FILE>
> 	Filename Deny.File
> 	</AuthBy>
> </Handler>
>
> ...since Handler wants to match ALL check items.  But that's what I want to
> do, anyway.
>
> In regards to cascaded AuthBy's, if I use those instead, my only question is
> the contents of the File itself.  I have never authenticated users based on
> a flat file before, but I do understand the example you sent:
>
> # calledstations
> DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
> DEFAULT Auth-Type = Reject
>
> My question here is, how can I include all 9 numbers in that file?  Or do I
> need nine separate files with nine cascading AuthBy's?  And, will it work
> with any Realm?
>
> Sorry about the confusion, we just don't want local Knoxville users dialing
> any other number except 251-1014 which is our own.  Thanks!
>
>
> -Mike Walker
> US Express.net, Inc.
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, April 15, 2003 3:30 AM
> To: Mike Walker
> Cc: radiator at open.com.au
>
>
> Hello Mike -
>
> Thanks for the additional information.
>
> I am still not quite clear on exactly what you need to do.
>
> From what you are saying, you only want to accept radius requests from your
> own NAS equipment - is that correct?
>
> And if someone calls your equipment with a Realm that you accept, you want
> to proxy that request to another radius server?
>
> There are a couple of different ways to accomplish this, depending on what
> else you need to do.
>
> You can either set up your configuration file with Realms and use cascaded
> AuthBy's, *or* you can use Handlers to check the Called-Station-Id. As you
> have discovered, mixing the two different approaches will not work.
>
> regards
>
> Hugh
>
>
> On Monday, Apr 14, 2003, at 17:08 Australia/Melbourne, Mike Walker
> wrote:
>
>> Hugh,
>>
>> I am finally able to get this knocked out, but I am a bit confused
>> about the <AuthBy FILE> usage.  I get the cascading part, but how do I
>> do this for multiple Called-Station-Id's?  My dilemma is this:  We are
>> wholesale dial providers reselling 9 networks, including one of our
>> own.  Here in Knoxville, there are nine phone numbers belonging to
>> other dial providers in the Knoxville area, but we pay per user per
>> month for them.  We just completed installing our own equipment here,
>> and do not want anyone dialing any other 865 number EXCEPT for our new
>> one.
>>
>> So, I need to deny access from any realm to any of those 9 numbers.  I
>> thought about just using a Handler above the Realms like this:
>>
>> <Handler Called-Station-Id=8652462222>
>> 	<AuthBy FILE>
>> 	Filename /etc/deny.file
>> 	</AuthBy>
>> </Handler>
>>
>> <Realm ...>
>> ...
>> </Realm>
>>
>> <Realm ...>
>> ...
>> </Realm>
>>
>> But it doesn't work, even for that one number.  However, my deny.file
>> just denies anything, but even when I dial that number, it still auths.
>> The configuration I have includes both proxy and standard Radius methods,
>> and have included the gist of it below.  My question is, if I use your
>> method, how can I include all nine numbers in deny.file, or is there
>> another way I can pull this off with Handlers?  I do recall that
>> mixing Handlers and Realms together caused some strange behavior.
>> BTW, any of the realms should be able to only dial our new local
>> number when calling to the 865 area code.
>> We want to kill all nine other 865 numbers so the users are forced to
>> dial the new one.  Any input would be GREATLY appreciated!
>>
>> My Config could use a little pruning and "consolidation", as you can
>> see I am not taking advantage of the newer features in 3.X yet...
>>
>> Current Config (greatly truncated):
>>
>> ### Radiator Configuration
>>
>> ### Global Parameters
>>
>> Trace 4
>> BindAddress 000.000.000.000
>> LogFile /var/log/radius/%Y%m%d
>> PidFile /tmp/radiusd.pid
>> UsernameCharset a-zA-Z0-9\._ at -
>> AuthPort 1812
>> AcctPort 1813
>>
>> <AuthLog SQL>
>>         Identifier      Logs
>>         DBSource        dbi:Sybase:server=Emerald
>>         DBUsername      XXX
>>         DBAuth          XXX
>>         LogFailure      1
>>         FailureQuery    insert into RadLogs (Username, Password, \
>>                 CallerID, Severity, Data, Network, NasPortDNIS) values \
>>                 ('%n', '%P', '%{Calling-Station-Id}', %0 , %1, \
>>                 '%{Network}', '%{Called-Station-Id}')
>> </AuthLog>
>>
>> ### Client Parameters
>>
>> <Client 216.126.204.4>
>>         Secret XXX
>>         RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
>>         IgnoreAcctSignature
>>         IdenticalClients 209.209.44.17 66.81.15.139
>>         PreHandlerHook sub { ${$_[0]}->add_attr('Network', '1'); }
>> </Client>
>>
>> <Client 216.143.197.2>
>>         Secret XXX
>>         RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
>>         IgnoreAcctSignature
>>         IdenticalClients 216.143.197.130 216.143.198.2 216.142.193.146
>>         IdenticalClients 216.140.242.162
>>         PreHandlerHook sub { ${$_[0]}->add_attr('Network', '2'); }
>> </Client>
>>
>> <Client 216.166.11.11>
>>         Secret XXX
>>         IgnoreAcctSignature
>>         IdenticalClients 216.166.61.12 216.166.61.13 216.166.61.14
>>         IdenticalClients 216.166.61.15 216.166.61.16 216.166.61.17
>>         IdenticalClients 206.127.30.138 206.127.30.139
>>         PreHandlerHook sub { ${$_[0]}->add_attr('Network', '0'); }
>> </Client>
>>
>> <Client 208.25.44.225>
>>         Secret XXX
>>         RewriteUsername s/^(.*)\.os\@isp\.us/$1\@onestarcom\.net/
>>         IgnoreAcctSignature
>>         IdenticalClients 65.120.168.251
>>         PreHandlerHook sub { ${$_[0]}->add_attr('Network', '11'); }
>> </Client>
>>
>> ### Accounting Parameters
>>
>> <AuthBy SQL>
>>         Identifier      Accounting
>>         DBSource        dbi:Sybase:server=Emerald
>>         DBUsername      XXXX
>>         DBAuth          XXXX
>>         AccountingTable Calls
>>         AuthSelect
>>         AcctColumnDef   UserName,User-Name
>>         AcctColumnDef   CallDate,Timestamp,integer-date
>>         AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
>>         AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
>>         AcctColumnDef   AcctInputOctets,Acct-Input-Octets,integer
>>         AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
>>         AcctColumnDef   AcctSessionId,Acct-Session-Id
>>         AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
>>         AcctColumnDef   NASPortType,NAS-Port-Type
>>         AcctColumnDef   AcctTerminateCause,Acct-Terminate-Cause,integer
>>         AcctColumnDef   NASIdentifier,NAS-IP-Address
>>         AcctColumnDef   NASIdentifier,NAS-Identifier
>>         AcctColumnDef   NASPort,NAS-Port,integer
>>         AcctColumnDef   CallerID,Calling-Station-Id,integer
>>         AcctColumnDef   FramedAddress,Framed-IP-Address
>>         AcctColumnDef   NASPortDNIS,Called-Station-Id,integer
>>         AcctColumnDef   ServerID,'%{Client:Name}',literal
>>         AcctColumnDef   Network,Network,integer
>>         AuthSQLStatement delete from RADONLINE \
>>                 where CALLERID='%{Calling-Station-Id}' \
>>                 and CALLERID IS NOT NULL \
>>                 and CALLERID <> ''
>> </AuthBy>
>>
>> ###  REALMS
>>
>> <Realm DEFAULT>
>>         AuthByPolicy ContinueAlways
>>         AuthBy Accounting
>>         <AuthBy RADIUS>
>>                 Host 65.120.168.22
>>                 Host 65.120.168.23
>>                 AuthPort 1812
>>                 AcctPort 1813
>>                 Secret XXX
>>                 StripFromRequest Proxy-State
>>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>>                 Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
>>                 Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
>>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>>                 Ascend-Data-Filter="ip in forward"
>>         </AuthBy>
>> </Realm>
>>
>> <Realm a.net>
>>         AuthByPolicy ContinueAlways
>>         AuthBy Accounting
>>         <AuthBy RADIUS>
>>                 Host 65.120.168.22
>>                 Host 65.120.168.23
>>                 AuthPort 1812
>>                 AcctPort 1813
>>                 Secret XXX
>>                 StripFromRequest Proxy-State
>>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>>                 Ascend-Data-Filter="ip in forward dstip 63.168.176.0/20",\
>>                 Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
>>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>>                 Ascend-Data-Filter="ip in forward"
>>         </AuthBy>
>> </Realm>
>>
>> <Realm 1.com>
>>         AuthByPolicy ContinueAlways
>>         AuthBy Accounting
>>         <AuthBy RADIUS>
>>                 Host 216.235.147.88
>>                 Host 216.187.216.52
>>                 Host 63.160.140.23
>>                 AuthPort 1812
>>                 AcctPort 1813
>>                 Secret XXX
>>                 StripFromRequest Proxy-State
>>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>>                 Ascend-Data-Filter="ip in forward dstip 216.235.147.85/24",\
>>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>>                 Ascend-Data-Filter="ip in forward"
>>         </AuthBy>
>> </Realm>
>>
>> <Realm 2.net>
>>         AuthByPolicy ContinueAlways
>>         AuthBy Accounting
>>         <AuthBy RADIUS>
>>                 Host 63.110.254.101
>>                 AuthPort 1812
>>                 AcctPort 1813
>>                 Secret XXX
>>                 StripFromRequest Proxy-State
>>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>>                 Ascend-Data-Filter="ip in forward dstip 63.110.254.101/32",\
>>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>>                 Ascend-Data-Filter="ip in forward"
>>         </AuthBy>
>> </Realm>
>>
>> <Realm 1.us>
>>         AuthByPolicy Continue
>>         AuthBy Accounting
>>         <AuthBy EMERALD>
>>                 DBSource        dbi:Sybase:server=Emerald
>>                 DBUsername      proxy
>>                 DBAuth          XXX
>>                 AuthSelect ,sa.LoginLimit
>>                 AuthColumnDef 0,Simultaneous-Use,check
>>                 AddATDefaults
>>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>>                 Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
>>                 Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
>>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>>                 Ascend-Data-Filter="ip in forward"
>>         </AuthBy>
>>         AuthLog Logs
>> </Realm>
>>
>> <Realm 3.net>
>>         AuthByPolicy Continue
>>         AuthBy Accounting
>>         <AuthBy EMERALD>
>>                 DBSource        dbi:Sybase:server=Emerald
>>                 DBUsername      proxy
>>                 DBAuth          XXX
>>                 AuthSelect ,sa.LoginLimit
>>                 AuthColumnDef 0,Simultaneous-Use,check
>>                 AddATDefaults
>>                 AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
>>                 Ascend-Data-Filter="ip in forward dstip 63.168.186.0/24",\
>>                 Ascend-Data-Filter="ip in forward dstip 65.120.168.0/24",\
>>                 Ascend-Data-Filter="ip in drop tcp dstport = 25",\
>>                 Ascend-Data-Filter="ip in forward"
>>         </AuthBy>
>>         AuthLog Logs
>> </Realm>
>>
>> <SessionDatabase SQL>
>>         Identifier      sessions
>>         DBSource        dbi:Sybase:server=Emerald
>>         DBUsername      XXX
>>         DBAuth          XXX
>>         AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
>>         ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, \
>>         SERVICETYPE, CALLERID) values ('%u', '%N', 0%{NAS-Port}, \
>>         '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', \
>>         '%{NAS-Port-Type}', '%{Service-Type}', '%{Calling-Station-Id}')
>> </SessionDatabase>
>>
>> :END
>>
>> I tried a bunch of other "ideas" that didn't work too well.  Here is a
>> sample debug from an auth that looks "normal"...
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>> *** Received from 63.110.140.7 port 3166 ....
>> Code:       Access-Request
>> Identifier: 80
>> Authentic:  e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
>> Attributes:
>>         Framed-Protocol = PPP
>>         User-Name = "radius at usexpress.net"
>>         User-Password = "<193><152><169><169>|<234><224>Y<241><149><234><10>v<219>?<164>"
>>         NAS-Port = 99
>>         Called-Station-Id = "8652512008"
>>         Calling-Station-Id = "8655841684"
>>         NAS-Port-Type = Async
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 66.19.138.227
>>         Proxy-State = 197
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
>> 'Realm=usexpress.net'
>> Mon Apr 14 02:13:13 2003: DEBUG: sessions Deleting session for
>> radius at usexpress.net, 66.19.138.227, 99
>> Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
>> NASIDENTIFIER='66.19.138.227' and NASPORT=099
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
>> Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
>> CALLERID='8655841684' and CALLERID IS NOT NULL and CALLERID <> ''
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD:
>> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select DateAdd(Day,
>> ma.extension+ma.overdue, maExpireDate), DateAdd(Day, sa.extension,
>> saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login,
>> sa.shell, sa.TimeLeft ,sa.LoginLimit from masteraccounts ma,
>> subaccounts sa where (sa.login = 'radius at usexpress.net' or sa.shell =
>> 'radius at usexpress.net')
>> and ma.customerid = sa.customerid
>> and sa.active <> 0
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Select results: , Dec 31 2020
>> 12:00AM, 6654, PL PPP Dialup, XXX, radius at usexpress.net, , , 1
>> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
>> ra.RadVendorID, ra.RadVendorType, Data, Value, Type, RadCheck from
>> RadConfigs rc, RadAttributes ra where ra.RadAttributeID =
>> rc.RadAttributeID and ra.RadVendorID = rc.RadVendorID and
>> ra.RadVendorType = rc.RadVendorType and rc.AccountID=6654
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select ra.RadAttributeID,
>> ra.RadVendorID, ra.RadVendorType, Data, Value, Type, RadCheck from
>> RadATConfigs rc, RadAttributes ra where ra.RadAttributeID =
>> rc.RadAttributeID and ra.RadVendorID = rc.RadVendorID and
>> ra.RadVendorType = rc.RadVendorType and rc.AccountType='PL PPP Dialup'
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD looks for match
>> with radius at usexpress.net
>> Mon Apr 14 02:13:13 2003: DEBUG: Expiration date converted to:
>> 1609390800
>> Mon Apr 14 02:13:13 2003: DEBUG: Query is: select NASIDENTIFIER,
>> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
>> USERNAME='radius at usexpress.net'
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Radius::AuthEMERALD ACCEPT:
>> Mon Apr 14 02:13:13 2003: DEBUG: Access accepted for
>> radius at usexpress.net
>> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>> *** Sending to 63.110.140.7 port 3166 ....
>> Code:       Access-Accept
>> Identifier: 80
>> Authentic:  e<239><180><135><18><234>GG<146>@6<199><139><179>8<205>
>> Attributes:
>>         Proxy-State = 197
>>         Service-Type = 2
>>         Framed-Protocol = 1
>>         Framed-MTU = 1500
>>         Session-Timeout = 21600
>>         Ascend-Data-Filter = ip in forward tcp est
>>         Ascend-Data-Filter = ip in forward dstip 63.168.186.0/24
>>         Ascend-Data-Filter = ip in forward dstip 65.120.168.0/24
>>         Ascend-Data-Filter = ip in drop tcp dstport = 25
>>         Ascend-Data-Filter = ip in forward
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>> *** Received from 63.110.140.7 port 3172 ....
>> Code:       Accounting-Request
>> Identifier: 84
>> Authentic:  <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
>> Attributes:
>>         Acct-Session-Id = "0000CDA8"
>>         Framed-Protocol = PPP
>>         Framed-IP-Address = 66.19.137.64
>>         Connect-Info = "30666/24000 V90/V42bis/LAPM (45333/24000)"
>>         Ascend-Connect-Progress = prLanSessionUp
>>         Acct-Authentic = RADIUS
>>         User-Name = "radius at usexpress.net"
>>         Acct-Status-Type = Start
>>         NAS-Port = 99
>>         Called-Station-Id = "8652512008"
>>         Calling-Station-Id = "8655841684"
>>         NAS-Port-Type = Async
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 66.19.138.227
>>         Event-Timestamp = 1050301337
>>         Acct-Delay-Time = 0
>>         Proxy-State = 171
>>         Timestamp = 1050301317
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling request with Handler
>> 'Realm=usexpress.net'
>> Mon Apr 14 02:13:13 2003: DEBUG: sessions Adding session for
>> radius at usexpress.net, 66.19.138.227, 99
>> Mon Apr 14 02:13:13 2003: DEBUG: do query is: delete from RADONLINE where
>> NASIDENTIFIER='66.19.138.227' and NASPORT=099
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into RADONLINE
>> (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
>> FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CALLERID) values
>> ('radius at usexpress.net', '66.19.138.227', 099, '0000CDA8', 1050301317,
>> '66.19.137.64', 'Async', 'Framed-User', '8655841684')
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthSQL
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with Radius::AuthSQL
>> Mon Apr 14 02:13:13 2003: DEBUG: do query is: insert into Calls
>> (CallerID,UserName,AcctStatusType,ServerID,NASIdentifier,NASPort,NASPortType,
>> Network,AcctSessionId,NASPortDNIS,FramedAddress,AcctDelayTime,CallDate)
>> values
>> (8655841684,'radius at usexpress.net',1,'63.110.140.7','66.19.138.227',99,
>> 'Async',8,'0000CDA8',8652512008,'66.19.137.64',0,'Apr 14, 2003 02:21')
>>
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling with Radius::AuthEMERALD
>> Mon Apr 14 02:13:13 2003: DEBUG: Handling accounting with Radius::AuthEMERALD
>> Mon Apr 14 02:13:13 2003: DEBUG: Accounting accepted
>> Mon Apr 14 02:13:13 2003: DEBUG: Packet dump:
>> *** Sending to 63.110.140.7 port 3172 ....
>> Code:       Accounting-Response
>> Identifier: 84
>> Authentic:  <222><182><220><31>e<200>/^Z<196><172><145>q<150>y<19>
>> Attributes:
>>         Proxy-State = 171
>>
>>
>> Thanks for your help once again, Hugh.
>>
>>
>> -Mike Walker
>> US Express.net, Inc.
>>
>>
>> ------------------------------------------------
>>
>> Hello Mike -
>>
>> There are two ways to do this (at least :-)).
>>
>> The first and simplest is to use cascaded AuthBy's.
>>
>> # define AuthBy clauses
>>
>> <AuthBy FILE>
>> 	Identifier CheckCalledStationId
>> 	Filename %D/calledstations
>> </AuthBy>
>>
>> <AuthBy ...>
>> 	Identifier YourNormalAuthBy
>> 	.....
>> </AuthBy>
>>
>> .....
>>
>> # define Realms
>>
>> <Realm ....>
>> 	AuthBy CheckCalledStationId
>> 	....
>> </Realm>
>>
>> .......
>>
>>
>> The file "%D/calledstations" would contain this:
>>
>> # calledstations
>>
>> DEFAULT Called-Station-Id = 8659999999, Auth-Type = YourNormalAuthBy
>>
>> DEFAULT Auth-Type = Reject
>>
>>
>> From your description below I am not sure whether the above will work?
>>
>> I suspect I may need to see your existing configuration file (no
>> secrets) and a bit more detail on exactly what you want to do with the
>> Called-Station-Id's.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Wednesday, Feb 19, 2003, at 20:09 Australia/Melbourne, Mike Walker
>> wrote:
>>
>>> This is what I am trying to do:
>>>
>>> I need to deny authentication to any number in the 865 area code
>>> 'other than' 865-999-9999.
>>>
>>> My current configuration does not include any <Handler>'s yet, but
>>> this seems to me like a good place for one.  Problem is, I want it
>>> based on a 'piece' of the Called-Station-ID (area code), and not the
>>> whole thing.
>>> Basically I just want all subscribers, regardless of realm, not to be
>>> able to connect to any other 865 POP but the one number we give them.
>>>
>>> Please let me know if I am going in the right direction with this,
>>> and possibly how to get around the 'part of the Called-Station-ID' 
>>> issue.
>>> Much thanks in advance for the clues!
>>>
>>>
>>> -Mike Walker
>>> US Express.net, Inc.
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au To unsubscribe, email
>>> 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of
>>> the message.
>>>
>>>
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
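
Added example (not part of the original thread and not Radiator code): a Python check that reads Trace 4 packet dumps in the format shown above, pairs each Access-Request with its reply by NAS address, port and Identifier, and reports any Access-Accept sent for a number that should have been denied. The log sample, the IP addresses and user names in it, and the handling of a leading "1" are constructed assumptions; only two of the nine denied numbers appear in the thread.

```python
import re

# Only two of the nine other-provider numbers appear in the thread.
DENIED_NUMBERS = {"8652505555", "8652505556"}

HEADER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier):\s+(.+?)\s*$")
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')


def normalize(number):
    """Digits only, minus a leading US country code (an assumed NAS quirk)."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits


def parse_packets(log_text):
    """Return one dict per packet dump: dir, peer, code, identifier, attrs."""
    packets, pkt = [], None
    for line in log_text.splitlines():
        if m := HEADER.match(line):
            pkt = {"dir": m[1], "peer": (m[2], m[3]), "attrs": {}}
            packets.append(pkt)
        elif pkt is None:
            continue
        elif m := FIELD.match(line):
            pkt[m[1].lower()] = m[2]
        elif m := ATTR.match(line):
            pkt["attrs"].setdefault(m[1], m[2])
        elif not line.strip():
            pkt = None  # a blank line ends the dump
    return packets


def find_policy_violations(log_text, denied=DENIED_NUMBERS):
    """Return (user, number) for each Access-Accept on a denied number."""
    pending, violations = {}, []
    for pkt in parse_packets(log_text):
        key = (pkt["peer"], pkt.get("identifier"))
        if pkt["dir"] == "Received from" and pkt.get("code") == "Access-Request":
            pending[key] = pkt["attrs"]  # the reply carries no Called-Station-Id
        elif pkt["dir"] == "Sending to" and key in pending:
            req = pending.pop(key)
            called = normalize(req.get("Called-Station-Id", ""))
            if pkt.get("code") == "Access-Accept" and called in denied:
                violations.append((req.get("User-Name"), called))
    return violations


# Constructed sample, trimmed to the fields the parser reads.
SAMPLE_LOG = """\
*** Received from 192.0.2.7 port 3166 ....
Code:       Access-Request
Identifier: 80
        User-Name = "alice@example.net"
        Called-Station-Id = "1-865-250-5555"

*** Sending to 192.0.2.7 port 3166 ....
Code:       Access-Accept
Identifier: 80

*** Received from 192.0.2.7 port 3167 ....
Code:       Access-Request
Identifier: 81
        User-Name = "bob@example.net"
        Called-Station-Id = "8652505556"

*** Sending to 192.0.2.7 port 3167 ....
Code:       Access-Reject
Identifier: 81

*** Received from 192.0.2.7 port 3168 ....
Code:       Access-Request
Identifier: 82
        User-Name = "carol@example.net"
        Called-Station-Id = "8652512008"

*** Sending to 192.0.2.7 port 3168 ....
Code:       Access-Accept
Identifier: 82
"""
```

Calling find_policy_violations(SAMPLE_LOG) returns only the first exchange: the second was rejected and the third used a number that is not on the deny list.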

