(RADIATOR) How to reject users in a file
Forbes Mike
Mike.Forbes at Colorado.EDU
Tue Nov 25 12:39:28 CST 2003
I get the following trace 4 with ContinueWhileAccept
Mike
Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username,
192.168.x.x, 9
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
Code: Access-Accept
On Tue, 25 Nov 2003, Hugh Irvine wrote:
>
> Hello Mike -
>
> Thanks for your mail - how curious!
>
> I wonder if you could try to change the configuration to:
>
> AuthByPolicy ContinueWhileAccept
>
> and see what happens.
>
> I'll also forward your mail to Mike.
>
> regards
>
> Hugh
>
>
> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>
> >
> > Hi Hugh,
> >
> > It would seem the continue until reject is not functioning correctly in
> > this case. The debug show the reject but continues on.
> >
> > I tried the following:
> >
> > RewriteUsername s/^([^@]+).*/$1/
> > <AuthBy GROUP>
> > AuthByPolicy ContinueUntilReject
> > <AuthBy FILE>
> > Filename %D/reject_modem.users
> > AcceptIfMissing
> > </AuthBy>
> >
> > <AuthBy FILE>
> > Filename %D/backbone_users
> > </AuthBy>
> > <AuthBy PAM>
> > Fork
> > Service radiusd
> > </AuthBy>
> > </AuthBy>
> > AuthLog Modem_Login_Failures
> > # Log accounting to a detail file
> > AcctLogFileName %L/modem_pool_backbone_users.log
> >
> >
> > with the reject_modem.users containing
> > username Auth-Type=Reject
> >
> > The user can still get on. The debug is below:
> > Radiator 3.1
> > Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> > Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username,
> > 192.168.x.x, 53
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> > Rejected explicitly by Auth-Type=Reject
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> > Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> > Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >
> >
> >
> > On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> Yes this is quite simple to acheive.
> >>
> >> <Handler Realm=MODEMS>
> >> RewriteUsername s/^([^@]+).*/$1/
> >> <AuthBy GROUP>
> >> AuthByPolicy ContinueUntilReject
> >>
> >> <AuthBy FILE>
> >> Filename %D/reject.users
> >> AcceptIfMissing
> >> </AuthBy>
> >>
> >> <AuthBy PAM>
> >> Fork
> >> Service radiusd
> >> </AuthBy>
> >>
> >> </AuthBy>
> >> AuthLog Modem_Login_Failures
> >> AcctLogFileName %L/Modems.log
> >> </Handler>
> >>
> >>
> >> The file "%D/reject.users" would contain something like this:
> >>
> >> # reject.users
> >>
> >> username1 Auth-Type = Reject
> >>
> >> username2 Auth-Type = Reject
> >>
> >> .......
> >>
> >>
> >> If you have any other questions, please contact me.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
> >> wrote:
> >>
> >>>
> >>> I have a request to block certain users access to our modem pool.
> >>>
> >>> Users are first authenticated by kerb via PAM. What I would like to
> >>> do is
> >>> have radius then check to see if they are listed in a file and reject
> >>> them
> >>> only if they are listed. If they are not in the file they can logon.
> >>>
> >>> I saw the username authtype example in the manual, is there a way to
> >>> do
> >>> this in a file for a larger number?
> >>>
> >>> Could you do the AuthByPolicy ContinueWhileReject and put this before
> >>> my
> >>> authbypam below?
> >>>
> >>> My handler is below.
> >>>
> >>> Mike Forbes
> >>>
> >>>
> >>> <Handler Realm=MODEMS>
> >>> RewriteUsername s/^([^@]+).*/$1/
> >>> <AuthBy GROUP>
> >>> AuthByPolicy ContinueUntilReject
> >>> <AuthBy PAM>
> >>> Fork
> >>> Service radiusd
> >>> </AuthBy>
> >>> </AuthBy>
> >>> AuthLog Modem_Login_Failures
> >>> AcctLogFileName %L/Modems.log
> >>> </Handler>
> >>>
> >>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >>
> >> ===
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >>
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list