(RADIATOR) AuthByPolicy Question: ContinueUntilAccept
Hugh Irvine
hugh at open.com.au
Mon Jan 20 22:21:42 CST 2003
Hello Jon -
If there is no AuthBy clause that "Accept"'s in your sequence, then the
overall result will be "Reject" (you don't have to do anything special).
What is the last AuthBy in your sequence doing? If it is just doing
accounting, that may be your problem.
regards
Hugh
On Tuesday, Jan 21, 2003, at 09:47 Australia/Melbourne, Jon Lindbo
wrote:
> Hi,
> I am having a little bit of trouble with some complex AuthBy
> handling I am doing. I have customers in various states of conversion
> to some new dialup settings and I am having to jump through 15
> different hoops when authenticating them. The problem I am having is
> when I set my AuthByPolicy to ContinueUntilAccept, I have no way of
> sending a REJECT to the NAS if none of the AuthBy clauses ACCEPT the
> user. Is there a way to send a reject if the request was not accepted
> that I am not thinking of?
>
> Below is a trimmed copy of the config.
>
> Thanks
> Jonathon Lindbo
>
> <AuthBy SQL>
> Identifier niiVispAuthClear
>
> DBSource dbi:mysql:service:x.x.x.x
> DBUsername xxxxxx
> DBAuth xxxxxx
>
> AuthSelect select clear_pass,`Simultaneous-Use`,service_number,`Session-Timeout`,`Idle-Timeout` \
> from dial_auth \
> where `User-Name`='%n' and network='%{network}'
>
> AuthColumnDef 0,User-Password,check
> AuthColumnDef 1,Simultaneous-Use,check
> AuthColumnDef 2,Class,reply
> AuthColumnDef 3,Session-Timeout,reply
> AuthColumnDef 4,Idle-Timeout,reply
>
> NoDefault
> # Don't try select for DEFAULT
>
> IgnoreAccounting
>
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.240.133.32/28",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward 0",\
> Service-Type = Framed-User,\
> Framed-Protocol = PPP
> </AuthBy>
> <AuthBy SQL>
> Identifier niiVispAuthCrypt
>
> DBSource dbi:mysql:service:x.x.x.x
> DBUsername xxxxxx
> DBAuth xxxxxx
>
> AuthSelect select encr_pass,`Simultaneous-Use`,service_number,`Session-Timeout`,`Idle-Timeout` \
> from dial_auth \
> where `User-Name`='%n' and network='%{network}'
>
> AuthColumnDef 0,Encrypted-Password,check
> AuthColumnDef 1,Simultaneous-Use,check
> AuthColumnDef 2,Class,reply
> AuthColumnDef 3,Session-Timeout,reply
> AuthColumnDef 4,Idle-Timeout,reply
>
> NoDefault
> # Don't try select for DEFAULT
>
> IgnoreAccounting
>
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.240.133.32/28",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward 0",\
> Service-Type = Framed-User,\
> Framed-Protocol = PPP
> </AuthBy>
> <AuthBy SQL>
> Identifier niiInternalAuthClear
>
> DBSource dbi:mysql:service:x.x.x.x
> DBUsername xxxxx
> DBAuth xxxxx
>
> AuthSelect select clear_pass,`Simultaneous-Use`,service_number,`Session-Timeout`,`Idle-Timeout` \
> from dial_auth \
> where `User-Name`='%n'
>
> AuthColumnDef 0,User-Password,check
> AuthColumnDef 1,Simultaneous-Use,check
> AuthColumnDef 2,Class,reply
> AuthColumnDef 3,Session-Timeout,reply
> AuthColumnDef 4,Idle-Timeout,reply
> NoDefault
> # Don't try select for DEFAULT
>
> IgnoreAccounting
>
> AddToReply Ascend-Data-Filter = "ip in forward tcp est",\
> Ascend-Data-Filter = "ip in forward dstip 63.240.133.32/28",\
> Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
> Ascend-Data-Filter = "ip in forward 0",\
> Service-Type = Framed-User,\
> Framed-Protocol = PPP
> </AuthBy>
>
> ..... Just more of the same, I am going to cut to the handlers
>
> <Handler network = internal>
> PasswordLogFileName %L/internal.password.log
> AuthByPolicy ContinueUntilAccept
>
> AuthBy niiInternalAuthCrypt
> AuthBy niiInternalAuthClear
> AuthBy niiSystemAuthCrypt
> AuthBy niiSystemAuthClear
> AuthBy niiAcct
> </Handler>
> <Handler Realm = bluebuzz.net>
> PasswordLogFileName %L/%R.password.log
> AuthByPolicy ContinueUntilAccept
>
> AuthBy niiVispAuthClear
> AuthBy niiVispAuthCrypt
> AuthBy niiSystemAuthClear
> AuthBy niiSystemAuthCrypt
> AuthBy niiAcct
> </Handler>
>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
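
A simplified model of the chain evaluation discussed in the reply above, as an added example that is not part of the original thread and is not Radiator code. It assumes the handler's overall result is the result of the last AuthBy tried; the per-clause results are constructed, and what `niiAcct` returns for an Access-Request is not shown in the thread, so `IGNORE` is an assumption.

```python
# Simplified model of an AuthBy chain under an AuthByPolicy (illustration only).
# Assumption: the handler's overall result is the result of the last AuthBy tried.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

def keep_going(policy, result):
    """Return True if the chain should move on to the next AuthBy."""
    if policy == "ContinueAlways":
        return True
    for prefix, stop_on_match in (("ContinueUntil", True), ("ContinueWhile", False)):
        if policy.startswith(prefix):
            matched = result == policy[len(prefix):].upper()
            return not matched if stop_on_match else matched
    raise ValueError(f"unknown AuthByPolicy: {policy}")

def run_chain(policy, chain):
    """chain: list of (identifier, result). Returns (overall_result, identifiers_tried)."""
    tried, result = [], IGNORE
    for identifier, result in chain:
        tried.append(identifier)
        if not keep_going(policy, result):
            break
    return result, tried

# Constructed results for an Access-Request with a bad password, using the
# identifiers from the bluebuzz.net handler. The IGNORE for niiAcct is an
# assumption about an accounting-only clause, not a value from the thread.
BAD_PASSWORD = [
    ("niiVispAuthClear", REJECT),
    ("niiVispAuthCrypt", REJECT),
    ("niiSystemAuthClear", REJECT),
    ("niiSystemAuthCrypt", REJECT),
    ("niiAcct", IGNORE),
]

def demo():
    """Run three cases: accounting clause last, auth clauses only, good password."""
    policy = "ContinueUntilAccept"
    acct_last = run_chain(policy, BAD_PASSWORD)
    auth_only = run_chain(policy, BAD_PASSWORD[:-1])
    good = run_chain(policy, [BAD_PASSWORD[0], ("niiVispAuthCrypt", ACCEPT)] + BAD_PASSWORD[2:])
    return acct_last, auth_only, good

if __name__ == "__main__":
    for label, (result, tried) in zip(("acct last", "auth only", "good password"), demo()):
        print(f"{label:14} -> {result:7} after {len(tried)} AuthBy clause(s)")
```

In this model the non-authenticating tail clause decides the outcome whenever every authenticating clause rejects, so the NAS receives a Reject only when the last clause in the sequence is one that itself rejects.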