(RADIATOR) Handle the same client with different handlers

Lopez, A. a.lopez at tue.nl
Tue Jul 13 04:51:51 CDT 2004


Thanks Hugh for your answer,
I think I should use the "NAS-Identifier" to differentiate the requests. Some of them come from the OpenH323 Gatekeeper, and some others from PHP scripts of the web server. But all of them are coming from the same machine (same IP address).
Another question is... I am authenticating users through a MySQL Database (config below).
To authenticate, I make sure that the IP address of the client and the CHAP password provided match. 
I experience three different cases:
- when the user enters the right password everything goes fine, RADIATOR sends an Access-Accept.
- when the user sends the request from an IP address that is not in the database, an Access-Reject is sent back as expected, saying "No such user".
- However, when a user accesses using an IP address that is in the database, but types the wrong password, RADIATOR says that the password is "bad" but does not stop sending queries to MySQL, as shown below at the bottom of this e-mail.
How could I avoid this and make Radiator check just once... and, if the password is wrong, send an Access-Reject?
Thanks in advance,
Alex

================
Config of the Handler:

<Handler NAS-Identifier=Video_Authentication>
 <AuthBy SQL>
 DBSource dbi:mysql:host=myhost.nl;database=auth
 DBUsername xxxx
 DBAuth xxxx

 AuthSelect SELECT pin FROM video WHERE ip_address='%{Framed-IP-Address}'

 </AuthBy>
</Handler>


================
Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with DEFAULT37
Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video WHERE ip_address = '131.155.192.252'':

Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with DEFAULT38
Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video WHERE ip_address = '131.155.192.252'':

Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with DEFAULT39
Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video WHERE ip_address = '131.155.192.252'':

Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with DEFAULT40
Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video WHERE ip_address = '131.155.192.252'':

Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with DEFAULT41
Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video WHERE ip_address = '131.155.192.252'':
 

 

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: zaterdag 10 juli 2004 9:26
To: Lopez, A.
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Handle the same client with different handlers


Hello Alex -

You cannot do what you show below because only the last Client clause 
is being used (the others are overwritten).

How should the requests be differentiated?

regards

Hugh



On 9 Jul 2004, at 20:26, Lopez, A. wrote:

> Hello all,
>
> I want to handle different types of requests coming from the same 
> client with different handlers.
>
> Since the username attribute is not present in those requests (I 
> cannot use the realm) I thought about defining such a client in three 
> different ways, as follows:
>
> <Client Ipaddress>
>     Secret secret1
>     Identifier identifier1
> </Client>
>
> <Client Ipaddress>
>     Secret secret2
>     Identifier identifier2
> </Client>
>
> <Client Ipaddress>
>     Secret secret3
>     Identifier identifier3
> </Client>
>
> And then handle the request based on the identifier:
>
> <Handler Client-Identifier=identifier1>
> ...
> </Handler>
>
> <Handler Client-Identifier=identifier2>
> ....
> </Handler>
>
> The point is that the radius server complains "bad authenticator in 
> request"
>
> Can anyone tell me another way to do this?
>
> Thanks in advance,
>
> Alex
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
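
The check described in the message above (look up the pin by Framed-IP-Address, compare it with the CHAP password, answer exactly once), as an added example that is not part of the original e-mail and is not Radiator code. It is a Python model over an in-memory SQLite table; the table contents, addresses and pins are constructed, the helper names are hypothetical, and the CHAP computation follows RFC 1994 and RFC 2865.

```python
import hashlib
import hmac
import sqlite3

def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP response: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def authenticate(db, attrs):
    """One database lookup per request; returns (reply code, reason)."""
    # Bound parameter: the attribute value is never spliced into the SQL text.
    row = db.execute("SELECT pin FROM video WHERE ip_address = ?",
                     (attrs["Framed-IP-Address"],)).fetchone()
    if row is None:
        return "Access-Reject", "No such user"
    chap_password = attrs.get("CHAP-Password", b"")
    if len(chap_password) != 17:          # 1-byte CHAP ID + 16-byte MD5 digest
        return "Access-Reject", "Malformed CHAP-Password"
    chap_id, received = chap_password[0], chap_password[1:]
    # RFC 2865: use CHAP-Challenge if present, else the Request Authenticator.
    challenge = attrs.get("CHAP-Challenge") or attrs["Authenticator"]
    expected = chap_response(chap_id, row[0].encode(), challenge)
    if hmac.compare_digest(expected, received):
        return "Access-Accept", "OK"
    # A mismatch is final: no second lookup under any other name.
    return "Access-Reject", "Bad Password"

def make_db():
    # Constructed sample data (documentation address range, made-up pin).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE video (ip_address TEXT PRIMARY KEY, pin TEXT)")
    db.execute("INSERT INTO video VALUES ('192.0.2.10', '4711')")
    return db

def request(ip, pin, chap_id=7, challenge=bytes(range(16))):
    # Build the attributes a CHAP client would send for the given pin.
    return {"Framed-IP-Address": ip, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([chap_id])
                             + chap_response(chap_id, pin.encode(), challenge)}

if __name__ == "__main__":
    db = make_db()
    for ip, pin in [("192.0.2.10", "4711"), ("192.0.2.10", "0000"),
                    ("198.51.100.9", "4711")]:
        print(ip, pin, authenticate(db, request(ip, pin)))
```

The three sample requests correspond to the three cases listed in the message: right password, wrong password from a known address, and an address that is not in the table.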

