(RADIATOR) How to reject users in a file
Hugh Irvine
hugh at open.com.au
Tue Nov 25 01:20:50 CST 2003
Hello Mike -
Thanks for your mail - how curious!
I wonder if you could try to change the configuration to:
AuthByPolicy ContinueWhileAccept
and see what happens.
I'll also forward your mail to Mike.
regards
Hugh
On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>
> Hi Hugh,
>
> It would seem the continue until reject is not functioning correctly in
> this case. The debug shows the reject but continues on.
>
> I tried the following:
>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy GROUP>
>     AuthByPolicy ContinueUntilReject
>     <AuthBy FILE>
>         Filename %D/reject_modem.users
>         AcceptIfMissing
>     </AuthBy>
>
>     <AuthBy FILE>
>         Filename %D/backbone_users
>     </AuthBy>
>     <AuthBy PAM>
>         Fork
>         Service radiusd
>     </AuthBy>
> </AuthBy>
> AuthLog Modem_Login_Failures
> # Log accounting to a detail file
> AcctLogFileName %L/modem_pool_backbone_users.log
>
>
> with the reject_modem.users containing
> username Auth-Type=Reject
>
> The user can still get on. The debug is below:
> Radiator 3.1
> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username,
> 192.168.x.x, 53
> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
>
>
>
> On Sat, 13 Sep 2003, Hugh Irvine wrote:
>
>>
>> Hello Mike -
>>
>> Yes, this is quite simple to achieve.
>>
>> <Handler Realm=MODEMS>
>>     RewriteUsername s/^([^@]+).*/$1/
>>     <AuthBy GROUP>
>>         AuthByPolicy ContinueUntilReject
>>
>>         <AuthBy FILE>
>>             Filename %D/reject.users
>>             AcceptIfMissing
>>         </AuthBy>
>>
>>         <AuthBy PAM>
>>             Fork
>>             Service radiusd
>>         </AuthBy>
>>
>>     </AuthBy>
>>     AuthLog Modem_Login_Failures
>>     AcctLogFileName %L/Modems.log
>> </Handler>
>>
>>
>> The file "%D/reject.users" would contain something like this:
>>
>> # reject.users
>>
>> username1 Auth-Type = Reject
>>
>> username2 Auth-Type = Reject
>>
>> .......
>>
>>
>> If you have any other questions, please contact me.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
>> wrote:
>>
>>>
>>> I have a request to block certain users access to our modem pool.
>>>
>>> Users are first authenticated by kerb via PAM. What I would like to do is
>>> have radius then check to see if they are listed in a file and reject them
>>> only if they are listed. If they are not in the file they can logon.
>>>
>>> I saw the username authtype example in the manual, is there a way to do
>>> this in a file for a larger number?
>>>
>>> Could you do the AuthByPolicy ContinueWhileReject and put this before my
>>> authbypam below?
>>>
>>> My handler is below.
>>>
>>> Mike Forbes
>>>
>>>
>>> <Handler Realm=MODEMS>
>>>     RewriteUsername s/^([^@]+).*/$1/
>>>     <AuthBy GROUP>
>>>         AuthByPolicy ContinueUntilReject
>>>         <AuthBy PAM>
>>>             Fork
>>>             Service radiusd
>>>         </AuthBy>
>>>     </AuthBy>
>>>     AuthLog Modem_Login_Failures
>>>     AcctLogFileName %L/Modems.log
>>> </Handler>
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
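As an added illustration, not Radiator's own code or anything from the thread: a small Python model of the AuthBy GROUP chain above under the two policies discussed. It assumes a constructed reject file in the format Hugh shows, a stand-in for AuthBy PAM, and, so that it reproduces the debug trace Mike posted, that ContinueUntilReject stops only on a plain REJECT while ContinueWhileAccept stops on anything that is not ACCEPT.

```python
import re

# Result codes an AuthBy can return in this model (names taken from the
# thread's debug output; the evaluation logic is constructed, not Radiator's).
ACCEPT, REJECT, REJECT_IMMEDIATE, IGNORE = "ACCEPT", "REJECT", "REJECT_IMMEDIATE", "IGNORE"

# Constructed sample of the reject file discussed in the thread.
REJECT_USERS_FILE = """# reject.users
username1 Auth-Type = Reject
username2 Auth-Type=Reject
"""

def rewrite_username(name):
    """Apply the thread's RewriteUsername s/^([^@]+).*/$1/ : strip the realm."""
    return re.sub(r"^([^@]+).*", r"\1", name)

def parse_reject_file(text):
    """Usernames whose check item is Auth-Type = Reject; comments and blank lines are skipped."""
    pat = re.compile(r"^(\S+)\s+Auth-Type\s*=\s*Reject\b")
    return {m.group(1) for m in map(pat.match, text.splitlines()) if m}

def authby_file(rejects, accept_if_missing):
    """AuthBy FILE whose entries all carry Auth-Type=Reject."""
    def check(user, password):
        if user in rejects:
            return REJECT_IMMEDIATE   # "Rejected explicitly by Auth-Type=Reject"
        return ACCEPT if accept_if_missing else REJECT
    return check

def authby_pam(passwords):
    """Stand-in for AuthBy PAM: accept when the password matches (assumption)."""
    def check(user, password):
        return ACCEPT if passwords.get(user) == password else REJECT
    return check

def run_group(policy, chain, user, password):
    """Evaluate an AuthBy GROUP under AuthByPolicy. Modelling assumption: ContinueUntilReject
    stops only on a plain REJECT, which is what the posted trace shows (REJECT_IMMEDIATE, then
    PAM, then accept); ContinueWhileAccept stops on any non-ACCEPT, so the reject file wins."""
    user = rewrite_username(user)
    result = IGNORE
    for authby in chain:
        result = authby(user, password)
        if policy == "ContinueWhileAccept" and result != ACCEPT:
            break
        if policy == "ContinueUntilReject" and result == REJECT:
            break
    return result

CHAIN = [authby_file(parse_reject_file(REJECT_USERS_FILE), accept_if_missing=True),
         authby_pam({"username1": "s3cret", "alice": "pw"})]   # constructed credentials
```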