(RADIATOR) How to reject users in a file

Forbes Mike Mike.Forbes at Colorado.EDU
Tue Nov 25 12:39:28 CST 2003


I get the following trace 4 with ContinueWhileAccept

Mike


Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
Tue Nov 25 11:36:11 2003: DEBUG:  Deleting session for username,
192.168.x.x, 9
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:

Code:       Access-Accept


On Tue, 25 Nov 2003, Hugh Irvine wrote:

>
> Hello Mike -
>
> Thanks for your mail - how curious!
>
> I wonder if you could try to change the configuration to:
>
> 		AuthByPolicy ContinueWhileAccept
>
> and see what happens.
>
> I'll also forward your mail to Mike.
>
> regards
>
> Hugh
>
>
> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>
> >
> > Hi Hugh,
> >
> > It would seem the continue until reject is not functioning correctly in
> > this case. The debug shows the reject but continues on.
> >
> > I tried the following:
> >
> >        RewriteUsername s/^([^@]+).*/$1/
> >         <AuthBy GROUP>
> >                 AuthByPolicy ContinueUntilReject
> >                 <AuthBy FILE>
> >                          Filename %D/reject_modem.users
> >                          AcceptIfMissing
> >                  </AuthBy>
> >
> >                 <AuthBy FILE>
> >                         Filename %D/backbone_users
> >                 </AuthBy>
> >                 <AuthBy PAM>
> >                         Fork
> >                         Service radiusd
> >                 </AuthBy>
> >         </AuthBy>
> >         AuthLog Modem_Login_Failures
> >         # Log accounting to a detail file
> >         AcctLogFileName %L/modem_pool_backbone_users.log
> >
> >
> > with the reject_modem.users containing
> > username Auth-Type=Reject
> >
> > The user can still get on.  The debug is below:
> >  Radiator 3.1
> > Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> > Mon Nov 24 11:43:05 2003: DEBUG:  Deleting session for username,
> > 192.168.x.x, 53
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> > Rejected explicitly by Auth-Type=Reject
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> > Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> > Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >
> >
> >
> > On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> Yes this is quite simple to achieve.
> >>
> >> <Handler Realm=MODEMS>
> >>          RewriteUsername s/^([^@]+).*/$1/
> >>          <AuthBy GROUP>
> >>                  AuthByPolicy ContinueUntilReject
> >>
> >>                  <AuthBy FILE>
> >>                          Filename %D/reject.users
> >>                          AcceptIfMissing
> >>                  </AuthBy>
> >>
> >>                  <AuthBy PAM>
> >>                          Fork
> >>                          Service radiusd
> >>                  </AuthBy>
> >>
> >>          </AuthBy>
> >>          AuthLog Modem_Login_Failures
> >>           AcctLogFileName %L/Modems.log
> >> </Handler>
> >>
> >>
> >> The file "%D/reject.users" would contain something like this:
> >>
> >> # reject.users
> >>
> >> username1	Auth-Type = Reject
> >>
> >> username2	Auth-Type = Reject
> >>
> >> .......
> >>
> >>
> >> If you have any other questions, please contact me.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
> >> wrote:
> >>
> >>>
> >>> I have a request to block certain users access to our modem pool.
> >>>
> >>> Users are first authenticated by kerb via PAM.  What I would like to do is
> >>> have radius then check to see if they are listed in a file and reject them
> >>> only if they are listed.  If they are not in the file they can logon.
> >>>
> >>> I saw the username authtype example in the manual, is there a way to do
> >>> this in a file for a larger number?
> >>>
> >>> Could you do the AuthByPolicy ContinueWhileReject and put this before my
> >>> authbypam below?
> >>>
> >>> My handler is below.
> >>>
> >>> Mike Forbes
> >>>
> >>>
> >>> <Handler Realm=MODEMS>
> >>>         RewriteUsername s/^([^@]+).*/$1/
> >>>         <AuthBy GROUP>
> >>>                 AuthByPolicy ContinueUntilReject
> >>>                 <AuthBy PAM>
> >>>                         Fork
> >>>                         Service radiusd
> >>>                 </AuthBy>
> >>>         </AuthBy>
> >>>         AuthLog Modem_Login_Failures
> >>>          AcctLogFileName %L/Modems.log
> >>> </Handler>
> >>>
> >>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >>
> >>
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
>
>
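As an added illustration, not Radiator's own code and not written by anyone in this thread, the Python below models how an <AuthBy GROUP> combines its clauses under the AuthByPolicy values discussed above: it parses a reject file in the "username Auth-Type = Reject" layout, chains it with stand-ins for the backbone_users file and PAM, and runs the group under each policy. The policy semantics and the rule that REJECT_IMMEDIATE ends the group with a reject are assumptions modelled from the policy names and from the "Rejected explicitly by Auth-Type=Reject" line in the trace; the user names, passwords and file contents are constructed. It shows what a denylist placed before PAM should produce for a listed user under either ContinueUntilReject or ContinueWhileAccept, which is the outcome to look for in a trace 4 after changing the policy, and why AcceptIfMissing matters once ContinueWhileAccept is used (without it an unlisted user ends the group with IGNORE instead of reaching PAM).

```python
from enum import Enum


class Result(Enum):
    """Outcomes an AuthBy clause can return (names as they appear in the trace)."""
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    IGNORE = "IGNORE"
    REJECT_IMMEDIATE = "REJECT_IMMEDIATE"


# Constructed sample reject file in the "username<ws>check-items" layout of the
# thread; only entries whose check item is Auth-Type = Reject deny access.
REJECT_USERS = """# reject.users (constructed sample)
username1\tAuth-Type = Reject
username2   Auth-Type=Reject
username3\tGroup = staff
"""


def parse_reject_file(text):
    """Return the user names whose comma-separated check items include
    Auth-Type = Reject (compared with spaces and case removed)."""
    denied = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # user name, then the check items
        if len(parts) == 2:
            items = [i.replace(" ", "").lower() for i in parts[1].split(",")]
            if "auth-type=reject" in items:
                denied.add(parts[0])
    return denied


def authby_reject_file(denied, accept_if_missing):
    """Model of <AuthBy FILE> over a reject list: a listed user is rejected
    explicitly (REJECT_IMMEDIATE, as in the trace); an unlisted user is
    ACCEPTed when AcceptIfMissing is set and IGNOREd otherwise (assumption)."""
    def check(user, password):
        if user in denied:
            return Result.REJECT_IMMEDIATE
        return Result.ACCEPT if accept_if_missing else Result.IGNORE
    return check


def authby_users_file(listed):
    """Stand-in for the backbone_users <AuthBy FILE>: listed users are accepted."""
    return lambda user, password: Result.ACCEPT if user in listed else Result.REJECT


def authby_pam(credentials):
    """Stand-in for <AuthBy PAM>, backed by a constructed user -> password table."""
    return lambda user, password: (Result.ACCEPT if credentials.get(user) == password
                                   else Result.REJECT)


# Continue predicate per AuthByPolicy value, modelled from the policy names
# (assumption): ContinueUntilX stops once an AuthBy returns X, ContinueWhileX
# stops as soon as one returns something other than X.
POLICIES = {
    "ContinueWhileIgnore": lambda r: r is Result.IGNORE,
    "ContinueUntilIgnore": lambda r: r is not Result.IGNORE,
    "ContinueWhileAccept": lambda r: r is Result.ACCEPT,
    "ContinueUntilAccept": lambda r: r is not Result.ACCEPT,
    "ContinueWhileReject": lambda r: r is Result.REJECT,
    "ContinueUntilReject": lambda r: r is not Result.REJECT,
    "ContinueAlways": lambda r: True,
}


def authby_group(policy, authbys, user, password):
    """Run the chain under `policy`; the last AuthBy consulted decides.
    REJECT_IMMEDIATE is modelled as ending the group with REJECT whatever the
    policy, which is what a denylist placed before PAM relies on. Returns the
    final result and the list of results consulted, so a test can confirm that
    nothing after the reject file was asked."""
    keep_going = POLICIES[policy]
    consulted = []
    result = Result.IGNORE
    for check in authbys:
        result = check(user, password)
        consulted.append(result)
        if result is Result.REJECT_IMMEDIATE:
            return Result.REJECT, consulted
        if not keep_going(result):
            break
    return result, consulted


def decide(policy, user, password, accept_if_missing=True):
    """The thread's handler: reject file, then backbone_users file, then PAM."""
    chain = [
        authby_reject_file(parse_reject_file(REJECT_USERS), accept_if_missing),
        authby_users_file({"alice", "username1"}),                # constructed
        authby_pam({"alice": "s3cret", "username1": "hunter2"}),  # constructed
    ]
    return authby_group(policy, chain, user, password)


if __name__ == "__main__":
    for policy in ("ContinueUntilReject", "ContinueWhileAccept"):
        for user, pw in (("username1", "hunter2"), ("alice", "s3cret"), ("bob", "x")):
            final, path = decide(policy, user, pw)
            print(f"{policy:20} {user:9} -> {final.name:6} via {[r.name for r in path]}")
```

Running the script prints, for each policy, a listed user rejected after the reject file alone is consulted, a known user accepted after all three clauses, and an unknown user rejected by the backbone_users file. The second tuple element is the useful part when comparing against a real trace 4: if the PAM clause appears in it for a user who is in the reject file, the group is not stopping where the denylist expects it to.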

