(RADIATOR) Questions about Fall-Through attribute
Hugh Irvine
hugh at open.com.au
Sat Jul 16 02:38:24 CDT 2005
Hello Derrin -
I don't really have enough information on what else you are wanting
to do in your configuration file to be able to make a sensible
suggestion.
Please include a copy of your configuration file if you have any
further questions.
By default Radiator tries for an exact match on the username, then
tries DEFAULT, DEFAULT1, etc. If you want to change this you should
use "NoDefault" in the AuthBy clause. You should not be using
"Fall-Through" in the user definitions.
The error regarding "Attribute number 79 ..." is due to the
dictionary you are using. The latest standard Radiator dictionary has
this attribute defined, so you should just be using the standard
dictionary.
regards
Hugh
On 16 Jul 2005, at 11:55, Derrin Chong wrote:
> Hi folks,
>
> I'm having trouble disabling the Fall-Through attribute. In my
> users file I have entries for users that must dial a certain phone
> number. If they don't dial that number I'd like to refuse their
> connection. I've tried setting the Fall-Through attribute to "no"
> to keep the access-request from falling through the DEFAULT entry
> but it doesn't seem to be working.
>
> Here's what I have in my users file.
>
> jobogus Auth-Type = "System", NAS-Port-Type = Async, Client-Port-DNIS=5376400
>     Fall-Through = no,
>     Ascend-Maximum-Channels = 1,
>     Idle_Timeout = 600, Ascend-Idle-Limit = 600,
>     Ascend-TS-Idle-Limit = 600,
>     Session-Timeout = 36900, Ascend-Maximum-Call-Duration = 615,
>     Ascend-Multicast-Client = 1, Ascend-Multicast-Rate-Limit = 0,
>     Framed-Netmask = 255.255.255.255,
> ...
>
> DEFAULT Auth-Type = "System", NAS-Port-Type = Async
>     Ascend-Maximum-Channels = 1,
>     Idle_Timeout = 1200, Ascend-Idle-Limit = 1200,
>     Ascend-TS-Idle-Limit = 1200,
>     Session-Timeout = 36900, Ascend-Maximum-Call-Duration = 615,
>     Ascend-Multicast-Client = 1, Ascend-Multicast-Rate-Limit = 0,
>     Framed-Netmask = 255.255.255.255
>
> Here's the trace 4 debug output from radiusd for a connection
> attempt to the wrong (disallowed) number. Radiator rejects them
> on their username match but falls through to the DEFAULT users
> entry. The DEFAULT user accepts the connection because it does
> not have the phone number limitation.
>
> % sudo radiusd
> Fri Jul 15 15:24:04 2005: DEBUG: Reading group file /etc/group
> Fri Jul 15 15:24:04 2005: DEBUG: Finished reading configuration
> file '/etc/radiator/radius.cfg'
> Fri Jul 15 15:24:04 2005: DEBUG: Reading dictionary file '/etc/
> radiator/dictionary'
> Fri Jul 15 15:24:04 2005: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Fri Jul 15 15:24:04 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Jul 15 15:24:04 2005: NOTICE: Server started: Radiator 3.13 on
> hayakawa.lava.net
> Fri Jul 15 15:24:52 2005: DEBUG: Packet dump:
> *** Received from 64.65.64.43 port 1025 ....
> Code: Access-Request
> Identifier: 197
> Authentic: <179>X<176><137><196><204>|_`<174><173>Q<147><236>r}
> Attributes:
> User-Name = "jobogus"
> Password = "<31>f#<191><28>*z <239><209><7>Y"
> NAS-Identifier = 64.65.64.43
> NAS-Port = 20101
> NAS-Port-Type = Async
> State = ""
> Caller-Id = "8085233517"
> Client-Port-DNIS = "5666101"
> Acct-Session-Id = "359126255"
>
> Fri Jul 15 15:24:52 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Jul 15 15:24:52 2005: DEBUG: Deleting session for jobogus,
> 64.65.64.43, 20101
> Fri Jul 15 15:24:52 2005: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 15 15:24:52 2005: ERR: Attribute number 79 is not defined
> in your dictionary
> Fri Jul 15 15:24:52 2005: DEBUG: Reading users file /etc/radiator/
> users
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match
> with jobogus
> Fri Jul 15 15:24:52 2005: DEBUG: Handling with Radius::AuthUNIX:
> System
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX looks for match
> with jobogus
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX REJECT: Check
> item Client-Port-DNIS expression '5376400' does not match '5666101'
> in request
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE REJECT: Check
> item Client-Port-DNIS expression '5376400' does not match '5666101'
> in request
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT
> Fri Jul 15 15:24:52 2005: DEBUG: Handling with Radius::AuthUNIX:
> System
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX looks for match
> with jobogus
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX ACCEPT:
> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Jul 15 15:24:52 2005: DEBUG: AuthBy FILE result: ACCEPT,
> Fri Jul 15 15:24:52 2005: DEBUG: Access accepted for jobogus
> Fri Jul 15 15:24:52 2005: DEBUG: Packet dump:
> *** Sending to 64.65.64.43 port 1025 ....
> Code: Access-Accept
> Identifier: 197
> Authentic: <179>X<176><137><196><204>|_`<174><173>Q<147><236>r}
> Attributes:
> Ascend-Maximum-Channels = 1
> Idle_Timeout = 1200
> Ascend-Idle-Limit = 1200
> Ascend-TS-Idle-Limit = 1200
> Session-Timeout = 36900
> Ascend-Maximum-Call-Duration = 615
> Ascend-Multicast-Client = 1
> Ascend-Multicast-Rate-Limit = 0
> Framed-Netmask = 255.255.255.255
>
> Thanks in advance for any help folks out there can give me.
>
> Mahalo,
> Derrin Chong
>
> ps. Any help on tracking down the error is appreciated too.
>
> Fri Jul 15 15:24:52 2005: ERR: Attribute number 79 is not defined
> in your dictionary
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
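
A check that can be run over trace 4 output to spot the behaviour discussed in this thread: a named users-file entry rejects on a check item, and the DEFAULT entry then accepts the same request. This is an added example, not part of the original messages and not Radiator code; the sample lines are the trace from the post with line wraps removed, plus a constructed request for a hypothetical user "alice", and the function name is an assumption.

```python
import re

# Constructed sample: trace lines from the post, unwrapped, followed by a
# constructed request for a hypothetical user "alice" that matches directly.
SAMPLE_TRACE = """\
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match with jobogus
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX looks for match with jobogus
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX REJECT: Check item Client-Port-DNIS expression '5376400' does not match '5666101' in request
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE REJECT: Check item Client-Port-DNIS expression '5376400' does not match '5666101' in request
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX looks for match with jobogus
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE ACCEPT:
Fri Jul 15 15:24:52 2005: DEBUG: Access accepted for jobogus
Fri Jul 15 15:25:10 2005: DEBUG: Radius::AuthFILE looks for match with alice
Fri Jul 15 15:25:10 2005: DEBUG: Radius::AuthFILE ACCEPT:
Fri Jul 15 15:25:10 2005: DEBUG: Access accepted for alice
""".splitlines()

LOOKUP = re.compile(r"Radius::AuthFILE looks for match with (\S+)")
REJECT = re.compile(r"Radius::AuthFILE REJECT: (.*)")
ACCEPTED = re.compile(r"Access accepted for (\S+)")
DEFAULT_ENTRY = re.compile(r"DEFAULT\d*$")   # DEFAULT, DEFAULT1, ...


def find_default_bypasses(lines):
    """Return requests accepted via a DEFAULT entry after a named entry rejected them."""
    findings = []
    entry = None    # users-file entry AuthFILE is currently evaluating
    rejects = []    # (entry, reason) pairs for named entries rejected in this request
    for line in lines:
        if m := LOOKUP.search(line):
            if not DEFAULT_ENTRY.match(m.group(1)):
                rejects = []    # a lookup by username starts a new request
            entry = m.group(1)
        elif m := REJECT.search(line):
            if entry and not DEFAULT_ENTRY.match(entry):
                rejects.append((entry, m.group(1)))
        elif m := ACCEPTED.search(line):
            if rejects and entry and DEFAULT_ENTRY.match(entry):
                findings.append({"user": m.group(1), "accepted_via": entry,
                                 "rejected": list(rejects)})
            entry, rejects = None, []
    return findings
```

Real trace files need their wrapped lines joined before being passed in, since the patterns expect one log record per line.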