(RADIATOR) AuthBy SQL - Accounting Only (no auth)

Matthew Trout MatthewTrout at businessserve.co.uk
Wed May 14 04:02:17 CDT 2003


You might also find that it's easier to have separate AuthBy clauses that
run for Auth and Acct packets - e.g.

<Handler Client-Identifier = /clientID/,Acct-Status-Type=/.+/>

	*** AuthBy SQL clauses to log Start/Stop packets here for accounting ***

</Handler>

<Handler Client-Identifier = /clientID/>

	*** This clause will get all other (i.e. Auth) packets, so put your authentication configs here ***

</Handler>

This will also make it significantly easier to split your config files into
an auth and acct config if you wish to run a radiusd for each later as your
load increases.

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: 14 May 2003 05:45
To: Motley, Mark
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) AuthBy SQL - Accounting Only (no auth)



Hello Mark -

You will need to use the AuthBy GROUP construct to be able to apply 
different AuthByPolicy's.

Something like this:

# define AuthBy clauses

<AuthBy SQL>
	Identifier SQLAccounting
	DBSource        dbi:mysql:radius:<blah>
	DBUsername      radiator
	DBAuth          <blah>

	# Just accounting, no auth

	IgnoreAuthentication
	AuthSelect

	AccountingTable	ACCOUNTING
	AcctColumnDef	<blah blah blah>
	AcctColumnDef	...
</AuthBy>

<AuthBy ADSI>
	Identifier CheckADSI
	[ ADSI config goes here, works fine ]
</AuthBy>

<AuthBy NT>
	Identifier CheckNT
	[ NT domain config here, works fine ]
</AuthBy>

# define AuthBy GROUP

<AuthBy GROUP>
	Identifier CheckUser
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckNT
	AuthBy CheckADSI
</AuthBy>

# define Realm's

<Realm DEFAULT>
	AuthByPolicy ContinueAlways
	AuthBy SQLAccounting
	AuthBy CheckUser
	.....
</Realm>

Hope that helps.

regards

Hugh


>
> Hi folks,
>
> I've searched through the archives and am still having some difficulties
> with accounting information to a SQL database (without authenticating
> against the SQL database).  I've seen some posts that are close, but my
> situation is a bit unique (aren't they all?)
>
> My company is transitioning from a Windows NT domain to Active Directory.
> Because of this, I need to be able to authenticate against both ADSI and NT.
> Basically, ADSI is tried first, followed by NT.  Because of this, I have:
>
> AuthByPolicy	ContinueWhileReject
>
> in my config file, so it will continue down the line until done (but stop
> once the user is authenticated).  In essence, if the user is found in AD
> (via ADSI), authentication stops and the Authby NT is never tried.  This
> works just fine.
>
> In the examples I've seen on the list archives, the AuthByPolicy is set to
> "ContinueAlways", which I don't think will work for our situation (correct
> me if I'm wrong please).
>
> So, I put an AuthBy SQL section in my config file.  Since I want
> authentication to be ignored for this clause, I add "IgnoreAuthentication".
> Accounting DOES work, however it would appear that the AuthBy SQL clause is
> still trying to do authentication even though I've told it NOT to.  With
> this section, ADSI or NT is never even tried.
>
> Here's the snipped config file.  Any help is appreciated...
>
> ------
> <Realm DEFAULT>
>
> AuthByPolicy	ContinueWhileReject
>
> <AuthBy SQL>
> 	DBSource        dbi:mysql:radius:<blah>
> 	DBUsername      radiator
> 	DBAuth          <blah>
>
> 	# Just accounting, no auth
>
> 	IgnoreAuthentication
> 	AuthSelect
>
> 	AccountingTable	ACCOUNTING
> 	AcctColumnDef	<blah blah blah>
> 	AcctColumnDef	...
> </AuthBy>
>
> <AuthBy ADSI>
> 	[ ADSI config goes here, works fine ]
> </AuthBy>
>
> <AuthBy NT>
> 	[ NT domain config here, works fine ]
> </AuthBy>
>
> </Realm>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
===
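
Added example (not part of the original messages and not Radiator code): a simplified Python model of how AuthByPolicy chains results, comparing the flat Realm from the question with the nested AuthBy GROUP from the reply. It assumes that a clause with IgnoreAuthentication answers IGNORE to an access request and that a chain reports the result of the last clause it ran; the function names and user names are constructed for illustration.

```python
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Policy name -> predicate: keep going to the next AuthBy after this result?
POLICIES = {
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueAlways": lambda r: True,
}

def run_chain(policy, clauses, request, trace):
    """Run clauses in order; return the result of the last clause tried."""
    result = IGNORE
    for name, handler in clauses:
        result = handler(request, trace)
        trace.append((name, result))
        if not POLICIES[policy](result):
            break
    return result

def sql_accounting(request, trace):
    # Assumption: IgnoreAuthentication makes this clause IGNORE auth requests.
    return IGNORE

def backend(users):
    # Stand-in for AuthBy ADSI / AuthBy NT: accept known users, reject others.
    return lambda request, trace: ACCEPT if request["user"] in users else REJECT

adsi = backend({"alice"})  # constructed sample directories
nt = backend({"bob"})

def flat_config(request):
    """The question's Realm: one ContinueWhileReject chain, SQL clause first."""
    trace = []
    clauses = [("SQL", sql_accounting), ("ADSI", adsi), ("NT", nt)]
    return run_chain("ContinueWhileReject", clauses, request, trace), trace

def grouped_config(request):
    """The reply's layout: ContinueAlways Realm wrapping a ContinueUntilAccept GROUP."""
    trace = []
    inner = [("CheckNT", nt), ("CheckADSI", adsi)]
    group = lambda req, tr: run_chain("ContinueUntilAccept", inner, req, tr)
    outer = [("SQLAccounting", sql_accounting), ("CheckUser", group)]
    return run_chain("ContinueAlways", outer, request, trace), trace

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, flat_config({"user": user}), grouped_config({"user": user}))
```

In the flat layout the IGNORE from the SQL clause is not a REJECT, so the chain stops before ADSI or NT is consulted, which matches the symptom in the question.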