(RADIATOR) problem <Handler> and <Realm>

Hugh Irvine hugh at open.com.au
Tue Apr 27 17:22:52 CDT 2004


Hello Roel -

Thanks for the additional information.

Realms and Handlers should not be mixed in the same configuration file 
because Realms are always evaluated first.

It is always much easier to understand if only Realms or only Handlers 
are used.

There is one exception which is when you have a list of explicit 
Realms, followed by a series of Handlers.

You could do something like this:


#---------------------------------------------------------------------
# REALMS
#---------------------------------------------------------------------

<Realm digisecr>
         # Strip off the realm
         RewriteUsername s/^([^@]+).*/$1/


</Realm>

<Realm ewiopdr>

</Realm>

<Realm 3tu.utwente.nl>

</Realm>

<Realm webapps>

</Realm>



<Realm adsl2.utwente.nl>

</Realm>



# saxion.nl that is not WLAN
<Handler realm=saxion.nl>

         AuthByPolicy ContinueAlways

         <SessionDatabase NULL>
         </SessionDatabase>

         # Strip off the realm
         RewriteUsername s/^([^@]+).*/$1/
         # Strip off leading whitespace and such
         RewriteUsername s/^\s*//
         # Strip off trailing whitespace and such
         RewriteUsername s/\s*$//

         # add a realm
         RewriteUsername s/(.*)/$1\@sexion/

         <AuthBy FILE>
                 Filename %D/users-saxiondefault
         </AuthBy>

         # if accounting is ever sent, it must go to this file
         AcctLogFileName %Ldetail-saxiondefault.%Y-%m

         # Send authorization logging:
         AuthLog authlogging-saxiondefault

</Handler>

# This clause means we will handle any realm that arrives
<Handler>

         # Strip off the realm
         RewriteUsername s/^([^@]+).*/$1/
         # Strip off leading whitespace and such
         RewriteUsername s/^\s*//
         # Strip off trailing whitespace and such
         RewriteUsername s/\s*$//
         # take the first 8 characters (first letter + 7 digits)
         RewriteUsername s/(.{8,8}).*/$1/

         <AuthBy FILE>
                  Filename %D/users-default
         </AuthBy>

         # Log accounting to the detail file in LogDir
         AcctLogFileName %Ldetail-default.%Y-%m

         # Send the authorization logging to:
         AuthLog authlogging-default

</Handler>

#---------------------------------------------------------------------
# This clause defines an authorisation method that will be used
# by any users in the database with Auth-Type="System". It will
# match the "Identifier System"
<AuthBy UNIX>
         Identifier System
         Filename /xxxxx/passwd
</AuthBy>


<AuthBy LDAP2>

</AuthBy>


However as I say, I myself find it _much_ easier to use either all 
Realms or all Handlers.


Hope that helps.

regards

Hugh


On 28 Apr 2004, at 07:51, r.h.hoek wrote:

>
>
> Hugh Irvine wrote:
>
>> Hello Roel -
>> I suspect the problem is in the part of the configuration file that 
>> is not shown.
>
> That part looks like this (it's a mix of Realms and Handlers (or is 
> this the problem like suggested before by Alexander Mateos Candela))
>
> +++++++ begin part radius.cfg +++++++++++++++++++++++++++++++++++++++
>
> #---------------------------------------------------------------------
> # REALMS
> #---------------------------------------------------------------------
>
> <Realm digisecr>
>         # Strip off the realm
>         RewriteUsername s/^([^@]+).*/$1/
> .
> .
> </Realm>
>
> # saxion.nl that is not WLAN
> # <Handler Realm=saxion.nl, Client-Identifier=/^(?!WLANATUT-ID$)/>
> #<Handler Realm = saxion.nl , Client-Identifier = /^LOCALHOST-ID$/ >
> <Handler realm=saxion.nl>
> # <Realm saxion.nl>
>
>         AuthByPolicy ContinueAlways
>
>         <SessionDatabase NULL>
>         </SessionDatabase>
>
>         # Strip off the realm
>         RewriteUsername s/^([^@]+).*/$1/
>         # Strip off leading whitespace and such
>         RewriteUsername s/^\s*//
>         # Strip off trailing whitespace and such
>         RewriteUsername s/\s*$//
>
>         # add a realm
>         RewriteUsername s/(.*)/$1\@sexion/
>
>         <AuthBy FILE>
>                 Filename %D/users-saxiondefault
>         </AuthBy>
>
>         # if accounting is ever sent, it must go to this file
>         AcctLogFileName %Ldetail-saxiondefault.%Y-%m
>
>         # Send authorization logging:
>         AuthLog authlogging-saxiondefault
>
> </Handler>
> # </Realm>
>
> <Realm ewiopdr>
> .
> </Realm>
>
> <Realm 3tu.utwente.nl>
> .
> </Realm>
>
> <Realm webapps>
> .
> </Realm>
> .
> .
> .
> <Realm adsl2.utwente.nl>
> .
> </Realm>
> .
> .
> # This clause means we will handle any realm that arrives
> <Realm DEFAULT>
>
>         # Strip off the realm
>         RewriteUsername s/^([^@]+).*/$1/
>         # Strip off leading whitespace and such
>         RewriteUsername s/^\s*//
>         # Strip off trailing whitespace and such
>         RewriteUsername s/\s*$//
>         # take the first 8 characters (first letter + 7 digits)
>         RewriteUsername s/(.{8,8}).*/$1/
>
>         <AuthBy FILE>
>                  Filename %D/users-default
>         </AuthBy>
>
>         # Log accounting to the detail file in LogDir
>         AcctLogFileName %Ldetail-default.%Y-%m
>
>         # Send the authorization logging to:
>         AuthLog authlogging-default
>
> </Realm>
>
> #---------------------------------------------------------------------
> # This clause defines an authorisation method that will be used
> # by any users in the database with Auth-Type="System". It will
> # match the "Identifier System"
> <AuthBy UNIX>
>         Identifier System
>         Filename /xxxxx/passwd
> </AuthBy>
>
>
> <AuthBy LDAP2>
> .
> </AuthBy>
>
> +++++++ end part radius.cfg +++++++++++++++++++++++++++++++++++++++
>
>> Handlers are evaluated in the order they appear in the configuration 
>> file and the trace shows that
>> <Handler Realm = DEFAULT>
>> is processing the request, which I am guessing is before what you 
>> show below.
>> regards
>> Hugh
>> On 27 Apr 2004, at 19:05, R.H.Hoek wrote:
>>> Hello,
>>>
>>> I have a problem with the use of <Handlers>. <Realm> works, but 
>>> Handlers don't. The request is handled by DEFAULT.
>>> What am I doing wrong?
>>>
>>>
>>> ----------------------------------part of radius.cfg
>>> # <Handler Realm=saxion.nl, Client-Identifier=/^(?!WLANATUT-ID$)/>
>>> #<Handler Realm = saxion.nl , Client-Identifier = /^LOCALHOST-ID$/ >
>>> <Handler Realm=saxion.nl>
>>> # <Realm saxion.nl>
>>>
>>>        AuthByPolicy ContinueAlways
>>>
>>>        <SessionDatabase NULL>
>>>        </SessionDatabase>
>>>
>>>        # Strip off the realm
>>>        RewriteUsername s/^([^@]+).*/$1/
>>>        # Strip off leading whitespace and such
>>>        RewriteUsername s/^\s*//
>>>        # Strip off trailing whitespace and such
>>>        RewriteUsername s/\s*$//
>>>
>>>        # add a realm
>>>        RewriteUsername s/(.*)/$1\@sexion/
>>>
>>>        <AuthBy FILE>
>>>                Filename %D/users-saxiondefault
>>>        </AuthBy>
>>>
>>>        # if accounting is ever sent, it must go to this file
>>>        AcctLogFileName %Ldetail-saxiondefault.%Y-%m
>>>
>>>        # Send authorization logging:
>>>        AuthLog authlogging-saxiondefault
>>>
>>> </Handler>
>>> # </Realm>
>>> ----------------------------------part of radius.cfg
>>> ----------------------------------part of radiator-log
>>> Tue Apr 27 10:29:09 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 61520 ....
>>> Code:       Access-Request
>>> Identifier: 189
>>> Authentic:  1234567890123456
>>> Attributes:
>>>        User-Name = "studdiv at saxion.nl"
>>>        Service-Type = Framed-User
>>>        NAS-IP-Address = 203.63.154.1
>>>        NAS-Port = 1234
>>>        Called-Station-Id = "123456789"
>>>        Calling-Station-Id = "987654321"
>>>        NAS-Port-Type = Async
>>>        User-Password = 
>>> "<157><226>)<222><219>)`<246><188>8<9><160><216>}x<153>"
>>>
>>> Tue Apr 27 10:29:09 2004: DEBUG: Handling request with Handler 
>>> 'Realm=DEFAULT'
>>> Tue Apr 27 10:29:09 2004: DEBUG: Rewrote user name to studdiv
>>> Tue Apr 27 10:29:09 2004: DEBUG: Rewrote user name to studdiv
>>> Tue Apr 27 10:29:09 2004: DEBUG: Rewrote user name to studdiv
>>> Tue Apr 27 10:29:09 2004: DEBUG: Rewrote user name to studdiv
>>> Tue Apr 27 10:29:09 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Tue Apr 27 10:29:09 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with studdiv
>>> Tue Apr 27 10:29:09 2004: INFO: Access rejected for studdiv: No such 
>>> user
>>> Tue Apr 27 10:29:09 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 61520 ....
>>> Code:       Access-Reject
>>> Identifier: 189
>>> Authentic:  1234567890123456
>>> Attributes:
>>>        Reply-Message = "Request Denied"
>>> ----------------------------------part of radiator-log
>>>
>>> -- 
>>>
>>> Greetings,
>>>
>>> Roel H.Hoek, SeniorNetworkmanager
>>> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>>> Universiteit Twente,  Postbus 217,  7500 AE  Enschede  kmr SP 422, 
>>> telefoon: 053 - 489 4598,  fax: 053 - 489 2383
>>> e-mail: R.H.Hoek at UTwente.NL http://www.utwente.nl/itbe
>>>
>>>
>>> -- 
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
> -- 
>
> Greetings,
>
> Roel H.Hoek, SeniorNetworkmanager
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente,  Postbus 217,  7500 AE  Enschede  telefoon: 053 - 
> 489 4598,  fax: 053 - 489 2383
> e-mail: R.H.Hoek at UTwente.NL http://www.utwente.nl/itbe
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
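
Added example (not part of the original message and not Radiator's own code): a small Python model of the clause selection discussed in this thread, assuming an exact Realm name is tried first, then Realm DEFAULT, then Handlers in file order; regular-expression Realms and Handler checks other than Realm are left out. It shows why the traced request was handled by DEFAULT and reports Handlers that a Realm clause makes unreachable, which matters because such a request is authenticated against a different user file than intended.

```python
import re
# Constructed, trimmed versions of the two layouts discussed in this thread.
ORIGINAL = """
<Realm digisecr>
</Realm>
<Handler Realm=saxion.nl>
</Handler>
<Realm DEFAULT>
</Realm>
"""
SUGGESTED = """
<Realm digisecr>
</Realm>
<Handler Realm=saxion.nl>
</Handler>
<Handler>
</Handler>
"""
CLAUSE = re.compile(r"^[ \t]*<(Realm|Handler)\b[ \t]*([^>\n]*)>", re.M)
REALM_CHECK = re.compile(r"\bRealm\s*=\s*([^,\s]+)")

def parse(cfg):
    """Return (Realm names, Handler realm checks) in file order; '#' lines are skipped."""
    realms, handlers = [], []
    for kind, arg in CLAUSE.findall(cfg):
        if kind == "Realm":
            realms.append(arg.strip())
        else:
            m = REALM_CHECK.search(arg)
            handlers.append(m.group(1) if m else None)  # None: Handler with no checks
    return realms, handlers

def select(cfg, user_name):
    """Name the clause that handles user_name under the assumed evaluation order."""
    realms, handlers = parse(cfg)
    realm = user_name.partition("@")[2]
    if realm in realms:                 # 1. Realm clause with that exact name
        return f"Realm {realm}"
    if "DEFAULT" in realms:             # 2. Realm DEFAULT takes everything else
        return "Realm DEFAULT"
    for check in handlers:              # 3. Handlers, in file order
        if check is None or check == realm:
            return f"Handler Realm={check}" if check else "Handler (no checks)"
    return None

def shadowed_handlers(cfg):
    """Realm checks of Handlers that can never run because a Realm always wins."""
    realms, handlers = parse(cfg)
    return [h for h in handlers if "DEFAULT" in realms or h in realms]
```

Running shadowed_handlers() over a configuration before deployment flags the mixed layout without needing a debug trace.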
