(RADIATOR) Handle the same client with different handlers
Hugh Irvine
hugh at open.com.au
Tue Jul 13 18:39:22 CDT 2004
Hello Alex -
You should add NoDefault to the AuthBy clause.
See section 6.17.12 in the Radiator 3.9 reference manual
("doc/ref.html").
regards
Hugh
On 13 Jul 2004, at 19:51, Lopez, A. wrote:
> Thanks Hugh for your answer,
> I think I should use the "NAS-Identifier" to differentiate the
> requests. Some of them come from the OpenH323 Gatekeeper, and some
> other from PHP scripts of the web server. But all of them are coming
> from the same machine (same IP address).
> Another question is... I am authenticating users through a MySQL
> Database (config below).
> To authenticate, I make sure that the IP address of the client and the
> CHAP password provided match.
> I experience three different cases:
> -when the user enters the right password everything goes fine,
> RADIATOR sends an Access-Accept.
> -when the user sends the request from an IP address that is not in the
> database, an Access-Reject is sent back as expected, saying "No such
> user".
> - However, when a user accesses using an IP address that is in the
> database, but types the wrong password, RADIATOR says that the
> password is "bad" but does not stop sending queries to MySQL, as
> shown below at the bottom of this e-mail.
> How could I avoid this and make Radiator check just once... and, if
> the password is wrong, send an Access-Reject?
> Thanks in advance,
> Alex
>
> ================
> Config of the Handler:
>
> <Handler NAS-Identifier=Video_Authentication>
> <AuthBy SQL>
> DBSource dbi:mysql:host=myhost.nl;database=auth
> DBUsername xxxx
> DBAuth xxxx
>
> AuthSelect SELECT pin FROM video WHERE ip_address='%{Framed-IP-Address}'
>
> </AuthBy>
> </Handler>
>
>
> ================
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT37
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video
> WHERE ip_address = '131.155.192.252'':
>
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT38
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video
> WHERE ip_address = '131.155.192.252'':
>
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT39
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video
> WHERE ip_address = '131.155.192.252'':
>
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT40
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video
> WHERE ip_address = '131.155.192.252'':
>
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT41
> Tue Jul 13 11:43:48 2004: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Tue Jul 13 11:43:48 2004: DEBUG: Query is: 'SELECT pin FROM video
> WHERE ip_address = '131.155.192.252'':
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: zaterdag 10 juli 2004 9:26
> To: Lopez, A.
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Handle the same client with different handlers
>
>
> Hello Alex -
>
> You cannot do what you show below because only the last Client clause
> is being used (the others are overwritten).
>
> How should the requests be differentiated?
>
> regards
>
> Hugh
>
>
>
> On 9 Jul 2004, at 20:26, Lopez, A. wrote:
>
>> Hello all,
>>
>> I want to handle different types of requests coming from the same
>> client with different handlers.
>>
>> Since the username attribute is not present in those requests (I
>> cannot use the realm) I thought about defining such a client in three
>> different ways, as follows:
>>
>>
>>
>> <Client Ipaddress>
>>
>> Secret secret1
>>
>> Identifier identifier1
>>
>> </Client>
>>
>> <Client Ipaddress>
>>
>> Secret secret2
>>
>> Identifier identifier2
>>
>> </Client>
>>
>> <Client Ipaddress>
>>
>> Secret secret3
>>
>> Identifier identifier3
>>
>> </Client>
>>
>>
>>
>> And then handle the request based on the identifier:
>>
>> <Handler Client-Identifier=identifier1>
>>
>> ...
>>
>> </Handler>
>>
>>
>>
>> <Handler Client-Identifier=identifier2>
>>
>> ....
>>
>> </Handler>
>>
>>
>>
>> The point is that the radius server complains "bad authenticator in
>> request"
>>
>> Can anyone tell me another way to do this?
>>
>> Thanks in advance,
>>
>> Alex
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
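
Hugh's suggestion applied to the handler quoted above, as an added example that is not part of the original message: NoDefault goes inside the AuthBy SQL clause, so a failed password check is not followed by the DEFAULT, DEFAULT1, ... lookups seen in the trace. Host, database and credentials are the placeholders from the quoted configuration.

```conf
<Handler NAS-Identifier=Video_Authentication>
    <AuthBy SQL>
        DBSource    dbi:mysql:host=myhost.nl;database=auth
        DBUsername  xxxx
        DBAuth      xxxx

        # This query is keyed on the client IP address, not the user name,
        # so every DEFAULTn lookup returns the same row and fails the same
        # password check, which is the repeated query visible in the trace.
        AuthSelect  SELECT pin FROM video WHERE ip_address='%{Framed-IP-Address}'

        # Never consult DEFAULT user entries after a failed lookup or check
        NoDefault
    </AuthBy>
</Handler>
```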