(RADIATOR) How to reject users in a file

Hugh Irvine hugh at open.com.au
Wed Nov 26 15:25:30 CST 2003


Hello Mike -

I am using the current Radiator 3.7.1 for testing.

Suggest you upgrade and see what happens.

regards

Hugh


On 27/11/2003, at 4:11 AM, Forbes Mike wrote:

>
> What version did you test under?  I am using it under 3.1.  I also use a
> handler not a realm.  I am wondering if this is a version issue with
> radiator. My continue until rejects works without the first authby file.
> The first authby file is the file with the auth-type reject in it.
>
> Mike
>
> My config is this:
>
> Note: I have commented and uncommented AuthBy GROUP out, I have stopped
> and restarted radius with the init script.  The trace 4 is below.
> <Handler Realm=MODEMS,NAS-Port-Type=Virtual>
>         RewriteUsername s/^([^@]+).*/$1/
>        <AuthBy GROUP>
>                 AuthByPolicy ContinueUntilReject
>                <AuthBy FILE>
>                          Filename %D/reject_modem.users
>                          AcceptIfMissing
>                 </AuthBy>
>                 <AuthBy FILE>
>                         Filename %D/backbone_users
>                 </AuthBy>
>                 <AuthBy PAM>
>                         Fork
>                         Service radiusd
>                 </AuthBy>
>        </AuthBy>
>         AuthLog Backbone_Login_Failures
>         # Log accounting to a detail file
>         AcctLogFileName %L/modems_backbone_users.log
> </Handler>
>
> Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler
> 'Realm=MODEMS,NAS-Port-Type=Virtual'
> Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 09:57:44 2003: DEBUG:  Deleting session for username,
> 192.168.x.x, 98
> Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
> Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
> Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
> Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:
>
>
> Now to simplify this even more I took out all the authby's except the file
> with the reject in it.  I was still able to log on, the debug is below
>
>
>
> Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler
> 'Realm=MODEMS,NAS-Port-Type=Virtual'
> Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 10:05:57 2003: DEBUG:  Deleting session for username,
> 192.168.x.xB, 98
> Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username
>
> On Wed, 26 Nov 2003, Hugh Irvine wrote:
>
>>
>> Hello Mike -
>>
>> I have done some testing here (as has Mike) and neither of us has this
>> problem.
>>
>> Here is my configuration file (which also works with
>> ContinueUntilReject):
>>
>> <Realm DEFAULT>
>>          AuthByPolicy ContinueWhileAccept
>>          <AuthBy FILE>
>>                  Filename ./users.reject
>>                  AcceptIfMissing
>>          </AuthBy>
>>          <AuthBy FILE>
>>                  Filename ./users
>>          </AuthBy>
>>          <AuthBy FILE>
>>                  Filename ./users
>>          </AuthBy>
>>          # Log accounting to a detail file
>>          AcctLogFileName ./detail-%G
>> </Realm>
>>
>>
>> Here is the "users.reject" file:
>>
>> username Auth-Type = Reject
>>
>>
>> And here is the trace 4:
>>
>> perl radpwtst -user username -noacct
>> sending Access-Request...
>> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 49663 ....
>> Code:       Access-Request
>> Identifier: 196
>> Authentic:  1234567890123456
>> Attributes:
>>          User-Name = "username"
>>          Service-Type = Framed-User
>>          NAS-IP-Address = 203.63.154.1
>>          NAS-Port = 1234
>>          Called-Station-Id = "123456789"
>>          Calling-Station-Id = "987654321"
>>          NAS-Port-Type = Async
>>          User-Password =
>> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>>
>> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
>> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Wed Nov 26 18:17:01 2003: DEBUG:  Deleting session for username,
>> 203.63.154.1, 1234
>> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
>> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with
>> username
>> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>> Rejected explicitly by Auth-Type=Reject
>> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected
>> explicitly by Auth-Type=Reject
>> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 49663 ....
>> Code:       Access-Reject
>> Identifier: 196
>> Authentic:  1234567890123456
>> Attributes:
>>          Reply-Message = "Request Denied"
>>
>>
>> I can only suggest you try setting up a simple test configuration to
>> try it first.
>>
>> Perhaps you are not editing the correct file(s) and/or you have not
>> restarted "radiusd"?
>>
>> regards
>>
>> Hugh
>>
>>
>> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
>>
>>>
>>> I get the following trace 4 with ContinueWhileAccept
>>>
>>> Mike
>>>
>>>
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
>>> 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
>>> Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
>>> Tue Nov 25 11:36:11 2003: DEBUG:  Deleting session for username,
>>> 192.168.x.x, 9
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
>>> username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>>> Rejected explicitly by Auth-Type=Reject
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with
>>> username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
>>> Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
>>> Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
>>>
>>> Code:       Access-Accept
>>>
>>>
>>> On Tue, 25 Nov 2003, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Mike -
>>>>
>>>> Thanks for your mail - how curious!
>>>>
>>>> I wonder if you could try to change the configuration to:
>>>>
>>>> 		AuthByPolicy ContinueWhileAccept
>>>>
>>>> and see what happens.
>>>>
>>>> I'll also forward your mail to Mike.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>>>>
>>>>>
>>>>> Hi Hugh,
>>>>>
>>>>> It would seem the continue until reject is not functioning correctly in
>>>>> this case. The debug shows the reject but continues on.
>>>>>
>>>>> I tried the following:
>>>>>
>>>>>        RewriteUsername s/^([^@]+).*/$1/
>>>>>         <AuthBy GROUP>
>>>>>                 AuthByPolicy ContinueUntilReject
>>>>>                 <AuthBy FILE>
>>>>>                          Filename %D/reject_modem.users
>>>>>                          AcceptIfMissing
>>>>>                  </AuthBy>
>>>>>
>>>>>                 <AuthBy FILE>
>>>>>                         Filename %D/backbone_users
>>>>>                 </AuthBy>
>>>>>                 <AuthBy PAM>
>>>>>                         Fork
>>>>>                         Service radiusd
>>>>>                 </AuthBy>
>>>>>         </AuthBy>
>>>>>         AuthLog Modem_Login_Failures
>>>>>         # Log accounting to a detail file
>>>>>         AcctLogFileName %L/modem_pool_backbone_users.log
>>>>>
>>>>>
>>>>> with the reject_modem.users containing
>>>>> username Auth-Type=Reject
>>>>>
>>>>> The user can still get on.  The debug is below:
>>>>>  Radiator 3.1
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
>>>>> Mon Nov 24 11:43:05 2003: DEBUG:  Deleting session for username,
>>>>> 192.168.x.x, 53
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
>>>>> username
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>>>>> Rejected explicitly by Auth-Type=Reject
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with
>>>>> username
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
>>>>>
>>>>>
>>>>>
>>>>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Mike -
>>>>>>
>>>>>> Yes this is quite simple to achieve.
>>>>>>
>>>>>> <Handler Realm=MODEMS>
>>>>>>          RewriteUsername s/^([^@]+).*/$1/
>>>>>>          <AuthBy GROUP>
>>>>>>                  AuthByPolicy ContinueUntilReject
>>>>>>
>>>>>>                  <AuthBy FILE>
>>>>>>                          Filename %D/reject.users
>>>>>>                          AcceptIfMissing
>>>>>>                  </AuthBy>
>>>>>>
>>>>>>                  <AuthBy PAM>
>>>>>>                          Fork
>>>>>>                          Service radiusd
>>>>>>                  </AuthBy>
>>>>>>
>>>>>>          </AuthBy>
>>>>>>          AuthLog Modem_Login_Failures
>>>>>>           AcctLogFileName %L/Modems.log
>>>>>> </Handler>
>>>>>>
>>>>>>
>>>>>> The file "%D/reject.users" would contain something like this:
>>>>>>
>>>>>> # reject.users
>>>>>>
>>>>>> username1	Auth-Type = Reject
>>>>>>
>>>>>> username2	Auth-Type = Reject
>>>>>>
>>>>>> .......
>>>>>>
>>>>>>
>>>>>> If you have any other questions, please contact me.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> I have a request to block certain users access to our modem pool.
>>>>>>>
>>>>>>> Users are first authenticated by kerb via PAM.  What I would like to
>>>>>>> do is have radius then check to see if they are listed in a file and
>>>>>>> reject them only if they are listed.  If they are not in the file they
>>>>>>> can logon.
>>>>>>>
>>>>>>> I saw the username authtype example in the manual, is there a way to
>>>>>>> do this in a file for a larger number?
>>>>>>>
>>>>>>> Could you do the AuthByPolicy ContinueWhileReject and put this before
>>>>>>> my authbypam below?
>>>>>>>
>>>>>>> My handler is below.
>>>>>>>
>>>>>>> Mike Forbes
>>>>>>>
>>>>>>>
>>>>>>> <Handler Realm=MODEMS>
>>>>>>>         RewriteUsername s/^([^@]+).*/$1/
>>>>>>>         <AuthBy GROUP>
>>>>>>>                 AuthByPolicy ContinueUntilReject
>>>>>>>                 <AuthBy PAM>
>>>>>>>                         Fork
>>>>>>>                         Service radiusd
>>>>>>>                 </AuthBy>
>>>>>>>         </AuthBy>
>>>>>>>         AuthLog Modem_Login_Failures
>>>>>>>          AcctLogFileName %L/Modems.log
>>>>>>> </Handler>
>>>>>>>
>>>>>>>
>>>>>>> ===
>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> NB: have you included a copy of your configuration file (no secrets),
>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>
>>>>>> --
>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>> -
>>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>>> flexible with hardware, software, platform and database independence.
>>>>>>
>>>>
>>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
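The AuthBy GROUP / AuthByPolicy behaviour the thread turns on, as an added Python model (not Radiator's code and not posted to the list): it parses the users-file format quoted above, runs the chain from Mike's handler, and shows that ContinueUntilReject stops at the first REJECT, while a policy that never stops (ContinueAlways) lets the later PAM step turn a rejected user into an accept, which is the shape of Mike's trace. The file contents, the PAM password table and the simplified AuthBy FILE semantics are assumptions.

```python
# Added model of a Radiator AuthBy GROUP chain (not Radiator's code); simplified.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

def parse_users_file(text):
    """Parse the thread's users-file lines: '<name><ws><Attr> = <Value>[, ...]'."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # comments and blank lines
            continue
        parts = line.split(None, 1)
        checks = {}
        for item in (parts[1].split(",") if len(parts) > 1 else []):
            attr, _, value = item.partition("=")   # accepts 'A = B' and 'A=B'
            checks[attr.strip()] = value.strip().strip('"')
        users[parts[0]] = checks
    return users

def authby_file(users, accept_if_missing=False):
    """AuthBy FILE: unknown user -> ACCEPT only with AcceptIfMissing; Auth-Type = Reject -> REJECT."""
    def check(user, password):
        entry = users.get(user)
        if entry is None:
            return ACCEPT if accept_if_missing else REJECT
        if entry.get("Auth-Type", "").lower() == "reject":
            return REJECT                          # 'Rejected explicitly by Auth-Type=Reject'
        return REJECT if entry.get("User-Password", password) != password else ACCEPT
    return check

def authby_group(policy, members):
    # AuthBy GROUP: consult members in order, stop as the policy says, return the last result.
    stop = {"ContinueWhileAccept": lambda r: r != ACCEPT, "ContinueUntilReject": lambda r: r == REJECT,
            "ContinueUntilAccept": lambda r: r == ACCEPT, "ContinueAlways": lambda r: False}[policy]
    def check(user, password):
        result = IGNORE
        for member in members:
            result = member(user, password)
            if stop(result):
                break
        return result
    return check

# Constructed inputs shaped like the files in the thread; PAM is a stand-in password table.
REJECT_USERS = parse_users_file("# reject.users\nusername1\tAuth-Type = Reject\n")
BACKBONE_USERS = parse_users_file("mike\tUser-Password = pw\n")
PAM_PASSWORDS = {"mike": "pw", "username1": "pw1"}
def authby_pam(user, password):
    return ACCEPT if PAM_PASSWORDS.get(user) == password else REJECT

def modem_handler(policy="ContinueUntilReject"):
    # The chain from Mike's handler: reject file (AcceptIfMissing), backbone file, then PAM.
    return authby_group(policy, [authby_file(REJECT_USERS, accept_if_missing=True),
                                 authby_file(BACKBONE_USERS), authby_pam])
```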

