(RADIATOR) How to reject users in a file
Hugh Irvine
hugh at open.com.au
Wed Nov 26 15:25:30 CST 2003
Hello Mike -
I am using the current Radiator 3.7.1 for testing.
Suggest you upgrade and see what happens.
regards
Hugh
On 27/11/2003, at 4:11 AM, Forbes Mike wrote:
>
> What version did you test under? I am using it under 3.1. I also use a
> handler not a realm. I am wondering if this is a version issue with
> radiator. My continue until reject works without the first authby file.
> The first authby file is the file with the auth-type reject in it.
>
> Mike
>
> My config is this:
>
> Note: I have commented and uncommented AuthBy GROUP out, I have stopped
> and restarted radius with the init script. The trace 4 is below.
> <Handler Realm=MODEMS,NAS-Port-Type=Virtual>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilReject
> <AuthBy FILE>
> Filename %D/reject_modem.users
> AcceptIfMissing
> </AuthBy>
> <AuthBy FILE>
> Filename %D/backbone_users
> </AuthBy>
> <AuthBy PAM>
> Fork
> Service radiusd
> </AuthBy>
> </AuthBy>
> AuthLog Backbone_Login_Failures
> # Log accounting to a detail file
> AcctLogFileName %L/modems_backbone_users.log
> </Handler>
>
> Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler
> 'Realm=MODEMS,NAS-Port-Type=Virtual'
> Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 09:57:44 2003: DEBUG: Deleting session for username,
> 192.168.x.x, 98
> Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
> Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
> Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
> Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:
>
>
> Now to simplify this even more I took out all the authby's except the
> file with the reject in it. I was still able to log on; the debug is below.
>
>
>
> Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler
> 'Realm=MODEMS,NAS-Port-Type=Virtual'
> Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 10:05:57 2003: DEBUG: Deleting session for username,
> 192.168.x.xB, 98
> Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with
> username
> Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username
>
> On Wed, 26 Nov 2003, Hugh Irvine wrote:
>
>>
>> Hello Mike -
>>
>> I have done some testing here (as has Mike) and neither of us has this
>> problem.
>>
>> Here is my configuration file (which also works with
>> ContinueUntilReject):
>>
>> <Realm DEFAULT>
>> AuthByPolicy ContinueWhileAccept
>> <AuthBy FILE>
>> Filename ./users.reject
>> AcceptIfMissing
>> </AuthBy>
>> <AuthBy FILE>
>> Filename ./users
>> </AuthBy>
>> <AuthBy FILE>
>> Filename ./users
>> </AuthBy>
>> # Log accounting to a detail file
>> AcctLogFileName ./detail-%G
>> </Realm>
>>
>>
>> Here is the "users.reject" file:
>>
>> username Auth-Type = Reject
>>
>>
>> And here is the trace 4:
>>
>> perl radpwtst -user username -noacct
>> sending Access-Request...
>> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 49663 ....
>> Code: Access-Request
>> Identifier: 196
>> Authentic: 1234567890123456
>> Attributes:
>> User-Name = "username"
>> Service-Type = Framed-User
>> NAS-IP-Address = 203.63.154.1
>> NAS-Port = 1234
>> Called-Station-Id = "123456789"
>> Calling-Station-Id = "987654321"
>> NAS-Port-Type = Async
>> User-Password =
>> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>>
>> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
>> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Wed Nov 26 18:17:01 2003: DEBUG: Deleting session for username,
>> 203.63.154.1, 1234
>> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
>> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with
>> username
>> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>> Rejected explicitly by Auth-Type=Reject
>> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected
>> explicitly by Auth-Type=Reject
>> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 49663 ....
>> Code: Access-Reject
>> Identifier: 196
>> Authentic: 1234567890123456
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>> I can only suggest you try setting up a simple test configuration to
>> try it first.
>>
>> Perhaps you are not editing the correct file(s) and/or you have not
>> restarted "radiusd"?
>>
>> regards
>>
>> Hugh
>>
>>
>> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
>>
>>>
>>> I get the following trace 4 with ContinueWhileAccept
>>>
>>> Mike
>>>
>>>
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
>>> 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
>>> Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username,
>>> 192.168.x.x, 9
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match
>>> with
>>> username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>>> Rejected explicitly by Auth-Type=Reject
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match
>>> with
>>> username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
>>> Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
>>> Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
>>> Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
>>>
>>> Code: Access-Accept
>>>
>>>
>>> On Tue, 25 Nov 2003, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Mike -
>>>>
>>>> Thanks for your mail - how curious!
>>>>
>>>> I wonder if you could try to change the configuration to:
>>>>
>>>> AuthByPolicy ContinueWhileAccept
>>>>
>>>> and see what happens.
>>>>
>>>> I'll also forward your mail to Mike.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>>>>
>>>>>
>>>>> Hi Hugh,
>>>>>
>>>>> It would seem the continue until reject is not functioning correctly
>>>>> in this case. The debug shows the reject but continues on.
>>>>>
>>>>> I tried the following:
>>>>>
>>>>> RewriteUsername s/^([^@]+).*/$1/
>>>>> <AuthBy GROUP>
>>>>> AuthByPolicy ContinueUntilReject
>>>>> <AuthBy FILE>
>>>>> Filename %D/reject_modem.users
>>>>> AcceptIfMissing
>>>>> </AuthBy>
>>>>>
>>>>> <AuthBy FILE>
>>>>> Filename %D/backbone_users
>>>>> </AuthBy>
>>>>> <AuthBy PAM>
>>>>> Fork
>>>>> Service radiusd
>>>>> </AuthBy>
>>>>> </AuthBy>
>>>>> AuthLog Modem_Login_Failures
>>>>> # Log accounting to a detail file
>>>>> AcctLogFileName %L/modem_pool_backbone_users.log
>>>>>
>>>>>
>>>>> with the reject_modem.users containing
>>>>> username Auth-Type=Reject
>>>>>
>>>>> The user can still get on. The debug is below:
>>>>> Radiator 3.1
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username,
>>>>> 192.168.x.x, 53
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
>>>>> with
>>>>> username
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
>>>>> Rejected explicitly by Auth-Type=Reject
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
>>>>> with
>>>>> username
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
>>>>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
>>>>>
>>>>>
>>>>>
>>>>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Mike -
>>>>>>
>>>>>> Yes this is quite simple to achieve.
>>>>>>
>>>>>> <Handler Realm=MODEMS>
>>>>>> RewriteUsername s/^([^@]+).*/$1/
>>>>>> <AuthBy GROUP>
>>>>>> AuthByPolicy ContinueUntilReject
>>>>>>
>>>>>> <AuthBy FILE>
>>>>>> Filename %D/reject.users
>>>>>> AcceptIfMissing
>>>>>> </AuthBy>
>>>>>>
>>>>>> <AuthBy PAM>
>>>>>> Fork
>>>>>> Service radiusd
>>>>>> </AuthBy>
>>>>>>
>>>>>> </AuthBy>
>>>>>> AuthLog Modem_Login_Failures
>>>>>> AcctLogFileName %L/Modems.log
>>>>>> </Handler>
>>>>>>
>>>>>>
>>>>>> The file "%D/reject.users" would contain something like this:
>>>>>>
>>>>>> # reject.users
>>>>>>
>>>>>> username1 Auth-Type = Reject
>>>>>>
>>>>>> username2 Auth-Type = Reject
>>>>>>
>>>>>> .......
>>>>>>
>>>>>>
>>>>>> If you have any other questions, please contact me.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> I have a request to block certain users access to our modem pool.
>>>>>>>
>>>>>>> Users are first authenticated by kerb via PAM. What I would like to
>>>>>>> do is have radius then check to see if they are listed in a file and
>>>>>>> reject them only if they are listed. If they are not in the file they
>>>>>>> can logon.
>>>>>>>
>>>>>>> I saw the username authtype example in the manual, is there a way to
>>>>>>> do this in a file for a larger number?
>>>>>>>
>>>>>>> Could you do the AuthByPolicy ContinueWhileReject and put this before
>>>>>>> my authbypam below?
>>>>>>>
>>>>>>> My handler is below.
>>>>>>>
>>>>>>> Mike Forbes
>>>>>>>
>>>>>>>
>>>>>>> <Handler Realm=MODEMS>
>>>>>>> RewriteUsername s/^([^@]+).*/$1/
>>>>>>> <AuthBy GROUP>
>>>>>>> AuthByPolicy ContinueUntilReject
>>>>>>> <AuthBy PAM>
>>>>>>> Fork
>>>>>>> Service radiusd
>>>>>>> </AuthBy>
>>>>>>> </AuthBy>
>>>>>>> AuthLog Modem_Login_Failures
>>>>>>> AcctLogFileName %L/Modems.log
>>>>>>> </Handler>
>>>>>>>
>>>>>>>
>>>>>>> ===
>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> NB: have you included a copy of your configuration file (no secrets),
>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>
>>>>>> --
>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>> -
>>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>>> flexible with hardware, software, platform and database independence.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
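As an added illustration (not code from this thread or from Radiator itself), here is a small Python model of the AuthBy GROUP chain the thread is about: an AuthBy FILE reject list with AcceptIfMissing in front of an accept-all stand-in for AuthBy PAM, evaluated under both ContinueUntilReject and ContinueWhileAccept, with the handler's RewriteUsername applied first. The result names come from the trace lines above; the chaining rules and the sample reject file are assumptions made for the example.

```python
import re

# Result names are those in the thread's trace; the chaining rules are a
# simplified model of Radiator's AuthByPolicy values, not Radiator's code.
ACCEPT, REJECT, REJECT_IMMEDIATE, IGNORE = "ACCEPT", "REJECT", "REJECT_IMMEDIATE", "IGNORE"

def rewrite_username(user):
    """RewriteUsername s/^([^@]+).*/$1/ from the handler: drop any @realm."""
    return re.sub(r"^([^@]+).*", r"\1", user)

def parse_reject_file(text):
    """Read 'name Auth-Type = Reject' lines as in %D/reject.users."""
    rejected = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, attrs = line.partition(" ")
            if attrs.replace(" ", "").lower() == "auth-type=reject":
                rejected.add(name)
    return rejected

def auth_file(rejected, accept_if_missing):
    """AuthBy FILE: listed users are rejected explicitly; unlisted users get
    ACCEPT with AcceptIfMissing, otherwise IGNORE (no match)."""
    def check(user):
        if user in rejected:
            return REJECT_IMMEDIATE
        return ACCEPT if accept_if_missing else IGNORE
    return check

def auth_group(chain, policy):
    """AuthBy GROUP: ContinueWhileAccept stops at the first non-ACCEPT,
    ContinueUntilReject stops at the first REJECT; REJECT_IMMEDIATE always
    ends the chain with an Access-Reject (assumed semantics)."""
    def check(user):
        result = IGNORE
        for auth in chain:
            result = auth(user)
            if result == REJECT_IMMEDIATE:
                return REJECT
            if policy == "ContinueWhileAccept" and result != ACCEPT:
                break
            if policy == "ContinueUntilReject" and result == REJECT:
                break
        return result
    return check

# Constructed reject file; AuthBy PAM is stood in for by an accept-all step.
REJECT_USERS = "# reject.users\nusername1 Auth-Type = Reject\nusername2 Auth-Type=Reject\n"

def modems_handler(policy="ContinueUntilReject", accept_if_missing=True):
    chain = [auth_file(parse_reject_file(REJECT_USERS), accept_if_missing), lambda user: ACCEPT]
    return lambda user: auth_group(chain, policy)(rewrite_username(user))
```

Running the same listed and unlisted users through both policies shows why AcceptIfMissing matters under ContinueWhileAccept: without it an unlisted user yields IGNORE from the file and the chain stops before PAM is consulted.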