(RADIATOR) How to reject users in a file
Forbes Mike
Mike.Forbes at Colorado.EDU
Mon Nov 24 12:56:43 CST 2003
Hi Hugh,
It would seem the continue until reject is not functioning correctly in
this case. The debug shows the reject but continues on.
I tried the following:
RewriteUsername s/^([^@]+).*/$1/
<AuthBy GROUP>
AuthByPolicy ContinueUntilReject
<AuthBy FILE>
Filename %D/reject_modem.users
AcceptIfMissing
</AuthBy>
<AuthBy FILE>
Filename %D/backbone_users
</AuthBy>
<AuthBy PAM>
Fork
Service radiusd
</AuthBy>
</AuthBy>
AuthLog Modem_Login_Failures
# Log accounting to a detail file
AcctLogFileName %L/modem_pool_backbone_users.log
with the reject_modem.users containing
username Auth-Type=Reject
The user can still get on. The debug is below:
Radiator 3.1
Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username, 192.168.x.x, 53
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
On Sat, 13 Sep 2003, Hugh Irvine wrote:
>
> Hello Mike -
>
> Yes this is quite simple to achieve.
>
> <Handler Realm=MODEMS>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilReject
>
> <AuthBy FILE>
> Filename %D/reject.users
> AcceptIfMissing
> </AuthBy>
>
> <AuthBy PAM>
> Fork
> Service radiusd
> </AuthBy>
>
> </AuthBy>
> AuthLog Modem_Login_Failures
> AcctLogFileName %L/Modems.log
> </Handler>
>
>
> The file "%D/reject.users" would contain something like this:
>
> # reject.users
>
> username1 Auth-Type = Reject
>
> username2 Auth-Type = Reject
>
> .......
>
>
> If you have any other questions, please contact me.
>
> regards
>
> Hugh
>
>
> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike wrote:
>
> >
> > I have a request to block certain users access to our modem pool.
> >
> > Users are first authenticated by kerb via PAM. What I would like to do is
> > have radius then check to see if they are listed in a file and reject them
> > only if they are listed. If they are not in the file they can logon.
> >
> > I saw the username authtype example in the manual, is there a way to do
> > this in a file for a larger number?
> >
> > Could you do the AuthByPolicy ContinueWhileReject and put this before my
> > authbypam below?
> >
> > My handler is below.
> >
> > Mike Forbes
> >
> >
> > <Handler Realm=MODEMS>
> > RewriteUsername s/^([^@]+).*/$1/
> > <AuthBy GROUP>
> > AuthByPolicy ContinueUntilReject
> > <AuthBy PAM>
> > Fork
> > Service radiusd
> > </AuthBy>
> > </AuthBy>
> > AuthLog Modem_Login_Failures
> > AcctLogFileName %L/Modems.log
> > </Handler>
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
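To look for the symptom reported at the top of this thread across a larger trace file, here is an added example (not part of the original messages and not Radiator code): it reads trace lines in the format quoted above and reports every request in which an AuthBy logged a REJECT result and the request still ended in "Access accepted". The sample lines and user names are constructed, and treating "Handling with Radius::AuthGROUP" as the start of a request is an assumption that fits the configuration shown in this thread.

```python
import re

# Constructed sample in the trace format quoted above (user names are made up).
# The third entry is folded onto two lines, as it was in the e-mail.
SAMPLE_TRACE = """\
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with alice
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with alice
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for alice
Mon Nov 24 11:43:09 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Nov 24 11:43:09 2003: DEBUG: Radius::AuthFILE looks for match with bob
Mon Nov 24 11:43:09 2003: DEBUG: Radius::AuthFILE ACCEPT:
Mon Nov 24 11:43:09 2003: DEBUG: Access accepted for bob
"""

STAMPED = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")
REJECT = re.compile(r"^Radius::(Auth\w+) (REJECT\w*):\s*(.*)$")
ACCEPTED = re.compile(r"^Access accepted for (\S+)")


def unfold(text):
    """Join folded continuation lines (no timestamp) onto the previous entry."""
    entries = []
    for line in text.splitlines():
        m = STAMPED.match(line)
        if m:
            entries.append([m.group(1), m.group(3)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return entries


def accepted_after_reject(text):
    """Return one finding per request that logged a reject and was still accepted."""
    findings, rejects = [], []
    for stamp, msg in unfold(text):
        if msg.startswith("Handling with Radius::AuthGROUP"):
            rejects = []  # assumption: this line opens a new request
        elif (r := REJECT.match(msg)):
            rejects.append(r.groups())  # (module, result, reason)
        elif (a := ACCEPTED.match(msg)):
            if rejects:
                findings.append({"time": stamp, "user": a.group(1), "rejects": rejects})
            rejects = []
    return findings
```

Pass the contents of a trace 4 log file to accepted_after_reject(); an empty list means no request in that file was accepted after a logged reject.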