(RADIATOR) How to reject users in a file
Forbes Mike
Mike.Forbes at Colorado.EDU
Wed Nov 26 11:11:27 CST 2003
What version did you test under? I am using it under 3.1. I also use a
handler not a realm. I am wondering if this is a version issue with
radiator. My continue until rejects works without the first authby file.
The first authby file is the file with the auth-type reject in it.
Mike
My config is this:
Note: I have commented and uncommented AuthyBy GROUP out, I have stopped
and restarted radius with the init script. The trace 4 is below.
<Handler Realm=MODEMS,NAS-Port-Type=Virtual>
RewriteUsername s/^([^@]+).*/$1/
<AuthBy GROUP>
AuthByPolicy ContinueUntilReject
<AuthBy FILE>
Filename %D/reject_modem.users
AcceptIfMissing
</AuthBy>
<AuthBy FILE>
Filename %D/backbone_users
</AuthBy>
<AuthBy PAM>
Fork
Service radiusd
</AuthBy>
</AuthBy>
AuthLog Backbone_Login_Failures
# Log accounting to a detail file
AcctLogFileName %L/modems_backbone_users.log
</Handler>
Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler
'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
Wed Nov 26 09:57:44 2003: DEBUG: Deleting session for username,
192.168.x.x, 98
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:
Now to simplify this even more I took out all the authby's execpt the file
with the reject in it. I was still able to log on, the debug is below
Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler
'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
Wed Nov 26 10:05:57 2003: DEBUG: Deleting session for username,
192.168.x.xB, 98
Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with
username
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject
Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username
On Wed, 26 Nov 2003, Hugh Irvine wrote:
>
> Hello Mike -
>
> I have done some testing here (as has Mike) and neither of us has this
> problem.
>
> Here is my configuration file (which also works with
> ContinueUntilReject):
>
> <Realm DEFAULT>
> AuthByPolicy ContinueWhileAccept
> <AuthBy FILE>
> Filename ./users.reject
> AcceptIfMissing
> </AuthBy>
> <AuthBy FILE>
> Filename ./users
> </AuthBy>
> <AuthBy FILE>
> Filename ./users
> </AuthBy>
> # Log accounting to a detail file
> AcctLogFileName ./detail-%G
> </Realm>
>
>
> Here is the "users.reject" file:
>
> username Auth-Type = Reject
>
>
> And here is the trace 4:
>
> perl radpwtst -user username -noacct
> sending Access-Request...
> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 49663 ....
> Code: Access-Request
> Identifier: 196
> Authentic: 1234567890123456
> Attributes:
> User-Name = "username"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Nov 26 18:17:01 2003: DEBUG: Deleting session for username,
> 203.63.154.1, 1234
> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected
> explicitly by Auth-Type=Reject
> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 49663 ....
> Code: Access-Reject
> Identifier: 196
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
>
>
> I can only suggest you try setting up a simple test configuration to
> try it first.
>
> Perhaps you are not editing the correct file(s) and/or you have not
> restarted "radiusd"?
>
> regards
>
> Hugh
>
>
> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
>
> >
> > I get the following trace 4 with ContinueWhileAccept
> >
> > Mike
> >
> >
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
> > 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
> > Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
> > Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username,
> > 192.168.x.x, 9
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> > Rejected explicitly by Auth-Type=Reject
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
> > Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
> > Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
> > Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
> >
> > Code: Access-Accept
> >
> >
> > On Tue, 25 Nov 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> Thanks for your mail - how curious!
> >>
> >> I wonder if you could try to change the configuration to:
> >>
> >> AuthByPolicy ContinueWhileAccept
> >>
> >> and see what happens.
> >>
> >> I'll also forward your mail to Mike.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
> >>
> >>>
> >>> Hi Hugh,
> >>>
> >>> It would seem the continue until reject is not functioning correctly
> >>> in
> >>> this case. The debug show the reject but continues on.
> >>>
> >>> I tried the following:
> >>>
> >>> RewriteUsername s/^([^@]+).*/$1/
> >>> <AuthBy GROUP>
> >>> AuthByPolicy ContinueUntilReject
> >>> <AuthBy FILE>
> >>> Filename %D/reject_modem.users
> >>> AcceptIfMissing
> >>> </AuthBy>
> >>>
> >>> <AuthBy FILE>
> >>> Filename %D/backbone_users
> >>> </AuthBy>
> >>> <AuthBy PAM>
> >>> Fork
> >>> Service radiusd
> >>> </AuthBy>
> >>> </AuthBy>
> >>> AuthLog Modem_Login_Failures
> >>> # Log accounting to a detail file
> >>> AcctLogFileName %L/modem_pool_backbone_users.log
> >>>
> >>>
> >>> with the reject_modem.users containing
> >>> username Auth-Type=Reject
> >>>
> >>> The user can still get on. The debug is below:
> >>> Radiator 3.1
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username,
> >>> 192.168.x.x, 53
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
> >>> with
> >>> username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> >>> Rejected explicitly by Auth-Type=Reject
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
> >>> with
> >>> username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> >>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >>>
> >>>
> >>>
> >>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >>>
> >>>>
> >>>> Hello Mike -
> >>>>
> >>>> Yes this is quite simple to acheive.
> >>>>
> >>>> <Handler Realm=MODEMS>
> >>>> RewriteUsername s/^([^@]+).*/$1/
> >>>> <AuthBy GROUP>
> >>>> AuthByPolicy ContinueUntilReject
> >>>>
> >>>> <AuthBy FILE>
> >>>> Filename %D/reject.users
> >>>> AcceptIfMissing
> >>>> </AuthBy>
> >>>>
> >>>> <AuthBy PAM>
> >>>> Fork
> >>>> Service radiusd
> >>>> </AuthBy>
> >>>>
> >>>> </AuthBy>
> >>>> AuthLog Modem_Login_Failures
> >>>> AcctLogFileName %L/Modems.log
> >>>> </Handler>
> >>>>
> >>>>
> >>>> The file "%D/reject.users" would contain something like this:
> >>>>
> >>>> # reject.users
> >>>>
> >>>> username1 Auth-Type = Reject
> >>>>
> >>>> username2 Auth-Type = Reject
> >>>>
> >>>> .......
> >>>>
> >>>>
> >>>> If you have any other questions, please contact me.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>>
> >>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
> >>>> wrote:
> >>>>
> >>>>>
> >>>>> I have a request to block certain users access to our modem pool.
> >>>>>
> >>>>> Users are first authenticated by kerb via PAM. What I would like
> >>>>> to
> >>>>> do is
> >>>>> have radius then check to see if they are listed in a file and
> >>>>> reject
> >>>>> them
> >>>>> only if they are listed. If they are not in the file they can
> >>>>> logon.
> >>>>>
> >>>>> I saw the username authtype example in the manual, is there a way
> >>>>> to
> >>>>> do
> >>>>> this in a file for a larger number?
> >>>>>
> >>>>> Could you do the AuthByPolicy ContinueWhileReject and put this
> >>>>> before
> >>>>> my
> >>>>> authbypam below?
> >>>>>
> >>>>> My handler is below.
> >>>>>
> >>>>> Mike Forbes
> >>>>>
> >>>>>
> >>>>> <Handler Realm=MODEMS>
> >>>>> RewriteUsername s/^([^@]+).*/$1/
> >>>>> <AuthBy GROUP>
> >>>>> AuthByPolicy ContinueUntilReject
> >>>>> <AuthBy PAM>
> >>>>> Fork
> >>>>> Service radiusd
> >>>>> </AuthBy>
> >>>>> </AuthBy>
> >>>>> AuthLog Modem_Login_Failures
> >>>>> AcctLogFileName %L/Modems.log
> >>>>> </Handler>
> >>>>>
> >>>>>
> >>>>> ===
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on radiator-announce at open.com.au
> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>>
> >>>>
> >>>> NB: have you included a copy of your configuration file (no
> >>>> secrets),
> >>>> together with a trace 4 debug showing what is happening?
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS server
> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical, extensible,
> >>>> flexible with hardware, software, platform and database
> >>>> independence.
> >>>>
> >>>> ===
> >>>> Archive at http://www.open.com.au/archives/radiator/
> >>>> Announcements on radiator-announce at open.com.au
> >>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>> 'unsubscribe radiator' in the body of the message.
> >>>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >>
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list