(RADIATOR) How to reject users in a file
Forbes Mike
Mike.Forbes at Colorado.EDU
Wed Nov 26 17:14:36 CST 2003
Hugh,
The upgrade fixed the problem.
Mike
On Thu, 27 Nov 2003, Hugh Irvine wrote:
>
> Hello Mike -
>
> I am using the current Radiator 3.7.1 for testing.
>
> Suggest you upgrade and see what happens.
>
> regards
>
> Hugh
>
>
> On 27/11/2003, at 4:11 AM, Forbes Mike wrote:
>
> >
> > What version did you test under? I am using it under 3.1. I also use
> > a
> > handler not a realm. I am wondering if this is a version issue with
> > radiator. My continue until rejects works without the first authby
> > file.
> > The first authby file is the file with the auth-type reject in it.
> >
> > Mike
> >
> > My config is this:
> >
> > Note: I have commented and uncommented AuthyBy GROUP out, I have
> > stopped
> > and restarted radius with the init script. The trace 4 is below.
> > <Handler Realm=MODEMS,NAS-Port-Type=Virtual>
> > RewriteUsername s/^([^@]+).*/$1/
> > <AuthBy GROUP>
> > AuthByPolicy ContinueUntilReject
> > <AuthBy FILE>
> > Filename %D/reject_modem.users
> > AcceptIfMissing
> > </AuthBy>
> > <AuthBy FILE>
> > Filename %D/backbone_users
> > </AuthBy>
> > <AuthBy PAM>
> > Fork
> > Service radiusd
> > </AuthBy>
> > </AuthBy>
> > AuthLog Backbone_Login_Failures
> > # Log accounting to a detail file
> > AcctLogFileName %L/modems_backbone_users.log
> > </Handler>
> >
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler
> > 'Realm=MODEMS,NAS-Port-Type=Virtual'
> > Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
> > Wed Nov 26 09:57:44 2003: DEBUG: Deleting session for username,
> > 192.168.x.x, 98
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> > Rejected explicitly by Auth-Type=Reject
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
> > Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
> > Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
> > Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:
> >
> >
> > Now to simplify this even more I took out all the authby's execpt the
> > file
> > with the reject in it. I was still able to log on, the debug is below
> >
> >
> >
> > Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler
> > 'Realm=MODEMS,NAS-Port-Type=Virtual'
> > Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
> > Wed Nov 26 10:05:57 2003: DEBUG: Deleting session for username,
> > 192.168.x.xB, 98
> > Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with
> > username
> > Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> > Rejected explicitly by Auth-Type=Reject
> > Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username
> >
> > On Wed, 26 Nov 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> I have done some testing here (as has Mike) and neither of us has this
> >> problem.
> >>
> >> Here is my configuration file (which also works with
> >> ContinueUntilReject):
> >>
> >> <Realm DEFAULT>
> >> AuthByPolicy ContinueWhileAccept
> >> <AuthBy FILE>
> >> Filename ./users.reject
> >> AcceptIfMissing
> >> </AuthBy>
> >> <AuthBy FILE>
> >> Filename ./users
> >> </AuthBy>
> >> <AuthBy FILE>
> >> Filename ./users
> >> </AuthBy>
> >> # Log accounting to a detail file
> >> AcctLogFileName ./detail-%G
> >> </Realm>
> >>
> >>
> >> Here is the "users.reject" file:
> >>
> >> username Auth-Type = Reject
> >>
> >>
> >> And here is the trace 4:
> >>
> >> perl radpwtst -user username -noacct
> >> sending Access-Request...
> >> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> >> *** Received from 127.0.0.1 port 49663 ....
> >> Code: Access-Request
> >> Identifier: 196
> >> Authentic: 1234567890123456
> >> Attributes:
> >> User-Name = "username"
> >> Service-Type = Framed-User
> >> NAS-IP-Address = 203.63.154.1
> >> NAS-Port = 1234
> >> Called-Station-Id = "123456789"
> >> Calling-Station-Id = "987654321"
> >> NAS-Port-Type = Async
> >> User-Password =
> >> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
> >>
> >> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
> >> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler
> >> 'Realm=DEFAULT'
> >> Wed Nov 26 18:17:01 2003: DEBUG: Deleting session for username,
> >> 203.63.154.1, 1234
> >> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
> >> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with
> >> username
> >> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> >> Rejected explicitly by Auth-Type=Reject
> >> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected
> >> explicitly by Auth-Type=Reject
> >> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> >> *** Sending to 127.0.0.1 port 49663 ....
> >> Code: Access-Reject
> >> Identifier: 196
> >> Authentic: 1234567890123456
> >> Attributes:
> >> Reply-Message = "Request Denied"
> >>
> >>
> >> I can only suggest you try setting up a simple test configuration to
> >> try it first.
> >>
> >> Perhaps you are not editing the correct file(s) and/or you have not
> >> restarted "radiusd"?
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
> >>
> >>>
> >>> I get the following trace 4 with ContinueWhileAccept
> >>>
> >>> Mike
> >>>
> >>>
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler
> >>> 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username,
> >>> 192.168.x.x, 9
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match
> >>> with
> >>> username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> >>> Rejected explicitly by Auth-Type=Reject
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match
> >>> with
> >>> username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
> >>> Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
> >>>
> >>> Code: Access-Accept
> >>>
> >>>
> >>> On Tue, 25 Nov 2003, Hugh Irvine wrote:
> >>>
> >>>>
> >>>> Hello Mike -
> >>>>
> >>>> Thanks for your mail - how curious!
> >>>>
> >>>> I wonder if you could try to change the configuration to:
> >>>>
> >>>> AuthByPolicy ContinueWhileAccept
> >>>>
> >>>> and see what happens.
> >>>>
> >>>> I'll also forward your mail to Mike.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>>
> >>>> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
> >>>>
> >>>>>
> >>>>> Hi Hugh,
> >>>>>
> >>>>> It would seem the continue until reject is not functioning
> >>>>> correctly
> >>>>> in
> >>>>> this case. The debug show the reject but continues on.
> >>>>>
> >>>>> I tried the following:
> >>>>>
> >>>>> RewriteUsername s/^([^@]+).*/$1/
> >>>>> <AuthBy GROUP>
> >>>>> AuthByPolicy ContinueUntilReject
> >>>>> <AuthBy FILE>
> >>>>> Filename %D/reject_modem.users
> >>>>> AcceptIfMissing
> >>>>> </AuthBy>
> >>>>>
> >>>>> <AuthBy FILE>
> >>>>> Filename %D/backbone_users
> >>>>> </AuthBy>
> >>>>> <AuthBy PAM>
> >>>>> Fork
> >>>>> Service radiusd
> >>>>> </AuthBy>
> >>>>> </AuthBy>
> >>>>> AuthLog Modem_Login_Failures
> >>>>> # Log accounting to a detail file
> >>>>> AcctLogFileName %L/modem_pool_backbone_users.log
> >>>>>
> >>>>>
> >>>>> with the reject_modem.users containing
> >>>>> username Auth-Type=Reject
> >>>>>
> >>>>> The user can still get on. The debug is below:
> >>>>> Radiator 3.1
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username,
> >>>>> 192.168.x.x, 53
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
> >>>>> with
> >>>>> username
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> >>>>> Rejected explicitly by Auth-Type=Reject
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match
> >>>>> with
> >>>>> username
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >>>>>
> >>>>>>
> >>>>>> Hello Mike -
> >>>>>>
> >>>>>> Yes this is quite simple to acheive.
> >>>>>>
> >>>>>> <Handler Realm=MODEMS>
> >>>>>> RewriteUsername s/^([^@]+).*/$1/
> >>>>>> <AuthBy GROUP>
> >>>>>> AuthByPolicy ContinueUntilReject
> >>>>>>
> >>>>>> <AuthBy FILE>
> >>>>>> Filename %D/reject.users
> >>>>>> AcceptIfMissing
> >>>>>> </AuthBy>
> >>>>>>
> >>>>>> <AuthBy PAM>
> >>>>>> Fork
> >>>>>> Service radiusd
> >>>>>> </AuthBy>
> >>>>>>
> >>>>>> </AuthBy>
> >>>>>> AuthLog Modem_Login_Failures
> >>>>>> AcctLogFileName %L/Modems.log
> >>>>>> </Handler>
> >>>>>>
> >>>>>>
> >>>>>> The file "%D/reject.users" would contain something like this:
> >>>>>>
> >>>>>> # reject.users
> >>>>>>
> >>>>>> username1 Auth-Type = Reject
> >>>>>>
> >>>>>> username2 Auth-Type = Reject
> >>>>>>
> >>>>>> .......
> >>>>>>
> >>>>>>
> >>>>>> If you have any other questions, please contact me.
> >>>>>>
> >>>>>> regards
> >>>>>>
> >>>>>> Hugh
> >>>>>>
> >>>>>>
> >>>>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes
> >>>>>> Mike
> >>>>>> wrote:
> >>>>>>
> >>>>>>>
> >>>>>>> I have a request to block certain users access to our modem pool.
> >>>>>>>
> >>>>>>> Users are first authenticated by kerb via PAM. What I would like
> >>>>>>> to
> >>>>>>> do is
> >>>>>>> have radius then check to see if they are listed in a file and
> >>>>>>> reject
> >>>>>>> them
> >>>>>>> only if they are listed. If they are not in the file they can
> >>>>>>> logon.
> >>>>>>>
> >>>>>>> I saw the username authtype example in the manual, is there a way
> >>>>>>> to
> >>>>>>> do
> >>>>>>> this in a file for a larger number?
> >>>>>>>
> >>>>>>> Could you do the AuthByPolicy ContinueWhileReject and put this
> >>>>>>> before
> >>>>>>> my
> >>>>>>> authbypam below?
> >>>>>>>
> >>>>>>> My handler is below.
> >>>>>>>
> >>>>>>> Mike Forbes
> >>>>>>>
> >>>>>>>
> >>>>>>> <Handler Realm=MODEMS>
> >>>>>>> RewriteUsername s/^([^@]+).*/$1/
> >>>>>>> <AuthBy GROUP>
> >>>>>>> AuthByPolicy ContinueUntilReject
> >>>>>>> <AuthBy PAM>
> >>>>>>> Fork
> >>>>>>> Service radiusd
> >>>>>>> </AuthBy>
> >>>>>>> </AuthBy>
> >>>>>>> AuthLog Modem_Login_Failures
> >>>>>>> AcctLogFileName %L/Modems.log
> >>>>>>> </Handler>
> >>>>>>>
> >>>>>>>
> >>>>>>> ===
> >>>>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>>>> Announcements on radiator-announce at open.com.au
> >>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> NB: have you included a copy of your configuration file (no
> >>>>>> secrets),
> >>>>>> together with a trace 4 debug showing what is happening?
> >>>>>>
> >>>>>> --
> >>>>>> Radiator: the most portable, flexible and configurable RADIUS
> >>>>>> server
> >>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>>>> -
> >>>>>> Nets: internetwork inventory and management - graphical,
> >>>>>> extensible,
> >>>>>> flexible with hardware, software, platform and database
> >>>>>> independence.
> >>>>>>
> >>>>>> ===
> >>>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>>> Announcements on radiator-announce at open.com.au
> >>>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>>
> >>>>> ===
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on radiator-announce at open.com.au
> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>>
> >>>>
> >>>> NB: have you included a copy of your configuration file (no
> >>>> secrets),
> >>>> together with a trace 4 debug showing what is happening?
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS server
> >>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical, extensible,
> >>>> flexible with hardware, software, platform and database
> >>>> independence.
> >>>> -
> >>>> CATool: Private Certificate Authority for Unix and Unix-like
> >>>> systems.
> >>>>
> >>>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >> ===
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >>
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list