(RADIATOR) How to reject users in a file

Hugh Irvine hugh at open.com.au
Wed Nov 26 01:26:29 CST 2003


Hello Mike -

I have done some testing here (as has Mike) and neither of us has this problem.

Here is my configuration file (which also works with ContinueUntilReject):

<Realm DEFAULT>
         AuthByPolicy ContinueWhileAccept
         <AuthBy FILE>
                 Filename ./users.reject
                 AcceptIfMissing
         </AuthBy>
         <AuthBy FILE>
                 Filename ./users
         </AuthBy>
         <AuthBy FILE>
                 Filename ./users
         </AuthBy>
         # Log accounting to a detail file
         AcctLogFileName ./detail-%G
</Realm>


Here is the "users.reject" file:

username Auth-Type = Reject


And here is the trace 4:

perl radpwtst -user username -noacct
sending Access-Request...
Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 49663 ....
Code:       Access-Request
Identifier: 196
Authentic:  1234567890123456
Attributes:
         User-Name = "username"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Port = 1234
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         NAS-Port-Type = Async
         User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 26 18:17:01 2003: DEBUG:  Deleting session for username, 203.63.154.1, 1234
Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 49663 ....
Code:       Access-Reject
Identifier: 196
Authentic:  1234567890123456
Attributes:
         Reply-Message = "Request Denied"


I can only suggest you try setting up a simple test configuration to try it first.

Perhaps you are not editing the correct file(s) and/or you have not 
restarted "radiusd"?

regards

Hugh


On 26/11/2003, at 5:39 AM, Forbes Mike wrote:

>
> I get the following trace 4 with ContinueWhileAccept
>
> Mike
>
>
> Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
> Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
> Tue Nov 25 11:36:11 2003: DEBUG:  Deleting session for username, 192.168.x.x, 9
> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
> Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
> Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
> Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
>
> Code:       Access-Accept
>
>
> On Tue, 25 Nov 2003, Hugh Irvine wrote:
>
>>
>> Hello Mike -
>>
>> Thanks for your mail - how curious!
>>
>> I wonder if you could try to change the configuration to:
>>
>> 		AuthByPolicy ContinueWhileAccept
>>
>> and see what happens.
>>
>> I'll also forward your mail to Mike.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>>
>>>
>>> Hi Hugh,
>>>
>>> It would seem the continue until reject is not functioning correctly in
>>> this case. The debug shows the reject but continues on.
>>>
>>> I tried the following:
>>>
>>>        RewriteUsername s/^([^@]+).*/$1/
>>>         <AuthBy GROUP>
>>>                 AuthByPolicy ContinueUntilReject
>>>                 <AuthBy FILE>
>>>                          Filename %D/reject_modem.users
>>>                          AcceptIfMissing
>>>                  </AuthBy>
>>>
>>>                 <AuthBy FILE>
>>>                         Filename %D/backbone_users
>>>                 </AuthBy>
>>>                 <AuthBy PAM>
>>>                         Fork
>>>                         Service radiusd
>>>                 </AuthBy>
>>>         </AuthBy>
>>>         AuthLog Modem_Login_Failures
>>>         # Log accounting to a detail file
>>>         AcctLogFileName %L/modem_pool_backbone_users.log
>>>
>>>
>>> with the reject_modem.users containing
>>> username Auth-Type=Reject
>>>
>>> The user can still get on.  The debug is below:
>>>  Radiator 3.1
>>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
>>> Mon Nov 24 11:43:05 2003: DEBUG:  Deleting session for username,
>>> 192.168.x.x, 53
>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>>> Rejected explicitly by Auth-Type=Reject
>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
>>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
>>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
>>>
>>>
>>>
>>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Mike -
>>>>
>>>> Yes this is quite simple to achieve.
>>>>
>>>> <Handler Realm=MODEMS>
>>>>          RewriteUsername s/^([^@]+).*/$1/
>>>>          <AuthBy GROUP>
>>>>                  AuthByPolicy ContinueUntilReject
>>>>
>>>>                  <AuthBy FILE>
>>>>                          Filename %D/reject.users
>>>>                          AcceptIfMissing
>>>>                  </AuthBy>
>>>>
>>>>                  <AuthBy PAM>
>>>>                          Fork
>>>>                          Service radiusd
>>>>                  </AuthBy>
>>>>
>>>>          </AuthBy>
>>>>          AuthLog Modem_Login_Failures
>>>>           AcctLogFileName %L/Modems.log
>>>> </Handler>
>>>>
>>>>
>>>> The file "%D/reject.users" would contain something like this:
>>>>
>>>> # reject.users
>>>>
>>>> username1	Auth-Type = Reject
>>>>
>>>> username2	Auth-Type = Reject
>>>>
>>>> .......
>>>>
>>>>
>>>> If you have any other questions, please contact me.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
>>>> wrote:
>>>>
>>>>>
>>>>> I have a request to block certain users access to our modem pool.
>>>>>
>>>>> Users are first authenticated by kerb via PAM.  What I would like to
>>>>> do is have radius then check to see if they are listed in a file and
>>>>> reject them only if they are listed.  If they are not in the file they
>>>>> can logon.
>>>>>
>>>>> I saw the username authtype example in the manual, is there a way to
>>>>> do this in a file for a larger number?
>>>>>
>>>>> Could you do the AuthByPolicy ContinueWhileReject and put this before
>>>>> my authbypam below?
>>>>>
>>>>> My handler is below.
>>>>>
>>>>> Mike Forbes
>>>>>
>>>>>
>>>>> <Handler Realm=MODEMS>
>>>>>         RewriteUsername s/^([^@]+).*/$1/
>>>>>         <AuthBy GROUP>
>>>>>                 AuthByPolicy ContinueUntilReject
>>>>>                 <AuthBy PAM>
>>>>>                         Fork
>>>>>                         Service radiusd
>>>>>                 </AuthBy>
>>>>>         </AuthBy>
>>>>>         AuthLog Modem_Login_Failures
>>>>>          AcctLogFileName %L/Modems.log
>>>>> </Handler>
>>>>>
>>>>>
>>>>> ===
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>>
>>>> NB: have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>>
>>>
>>>
>>
>
>

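The chain discussed in this thread (a reject list with AcceptIfMissing ahead of the real users file) modelled as an added example, not Radiator's own code: the stopping rules for ContinueWhileAccept and ContinueUntilReject are assumed from the policy names rather than verified against Radiator 3.1, REJECT and REJECT_IMMEDIATE are not distinguished, password checking is left out, and the sample files are constructed in the users-file format quoted above. Under these assumptions a listed user is rejected by the first clause and the chain stops under either policy, which is the outcome shown in Hugh's trace.

```python
# Added example (not Radiator code): a model of an AuthBy chain under the two
# AuthByPolicy settings discussed in this thread. Assumed semantics, taken from
# the policy names rather than verified against Radiator 3.1:
#   ContinueWhileAccept -> stop at the first clause whose result is not ACCEPT
#   ContinueUntilReject -> stop at the first clause whose result is REJECT
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

def parse_users_file(text):
    """Parse 'username  Check-Item = Value, ...' lines into {user: {item: value}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)       # username, then the check items
        checks = {}
        for item in (parts[1].split(",") if len(parts) == 2 else []):
            name, _, value = item.partition("=")
            checks[name.strip()] = value.strip()
        entries[parts[0]] = checks
    return entries

def auth_file(entries, accept_if_missing=False):
    """Model of <AuthBy FILE>: Auth-Type = Reject rejects a listed user, any other
    listed user is accepted (no password check in the model), and an unlisted
    user is accepted only when the clause has AcceptIfMissing."""
    def check(user):
        if user not in entries:
            return ACCEPT if accept_if_missing else REJECT
        return REJECT if entries[user].get("Auth-Type") == "Reject" else ACCEPT
    return check

def run_chain(policy, clauses, user):
    """Evaluate the clauses in order; the last result reached is the outcome."""
    result = IGNORE
    for clause in clauses:
        result = clause(user)
        if policy == "ContinueWhileAccept" and result != ACCEPT:
            break
        if policy == "ContinueUntilReject" and result == REJECT:
            break
    return result

# Constructed sample files standing in for the thread's "users.reject" and "users".
REJECT_FILE = "# reject.users\nusername\tAuth-Type = Reject\n"
USERS_FILE = "username\nalice\n"

def outcome(policy, user):
    # Reject list (with AcceptIfMissing) first, then the users file, as in the thread.
    chain = [auth_file(parse_users_file(REJECT_FILE), accept_if_missing=True),
             auth_file(parse_users_file(USERS_FILE))]
    return run_chain(policy, chain, user)
```

A user absent from the reject list passes that clause on AcceptIfMissing and is then decided by the users file, so `outcome("ContinueWhileAccept", "alice")` is ACCEPT while an unknown user is rejected by the second clause.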