(RADIATOR) Questions about Fall-Through attribute

Derrin Chong derrin at lava.net
Mon Jul 18 14:04:10 CDT 2005


Hello Hugh,

On Sat, 16 Jul 2005, Hugh Irvine wrote:

>
> Hello Derrin -
>
> BTW - you can use "NoDefaultIfFound" in the AuthBy clause to do what you are 
> trying to do.

Thanks for the help.  This did the trick.

> See section 6.18.13 in the Radiator 3.13 reference manual ("doc/ref.html").
>
> regards
>
> Hugh
>
>
> On 16 Jul 2005, at 17:38, Hugh Irvine wrote:
>
>> 
>> Hello Derrin -
>> 
>> I don't really have enough information on what else you are wanting to do 
>> in your configuration file to be able to make a sensible suggestion.
>> 
>> Please include a copy of your configuration file if you have any further 
>> questions.
>> 
>> By default Radiator tries for an exact match on the username, then tries 
>> DEFAULT, DEFAULT1, etc. If you want to change this you should use 
>> "NoDefault" in the AuthBy clause. You should not be using "Fall-Through" in 
>> the user definitions.
>> 
>> The error regarding "Attribute number 79 ..." is due to the dictionary you 
>> are using. The latest standard Radiator dictionary has this attribute 
>> defined, so you should just be using the standard dictionary.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 16 Jul 2005, at 11:55, Derrin Chong wrote:
>> 
>> 
>>> Hi folks,
>>> 
>>> I'm having trouble disabling the Fall-Through attribute.  In my
>>> users file I have entries for users that must dial a certain phone
>>> number.  If they don't dial that number I'd like to refuse their
>>> connection.  I've tried setting the Fall-Through attribute to "no"
>>> to keep the access-request from falling through the DEFAULT entry
>>> but it doesn't seem to be working.
>>> 
>>> Here's what I have in my users file.
>>> 
>>> jobogus Auth-Type = "System", NAS-Port-Type = Async, Client-Port-DNIS=5376400
>>>         Fall-Through = no,
>>>         Ascend-Maximum-Channels = 1,
>>>         Idle_Timeout = 600, Ascend-Idle-Limit = 600,
>>>         Ascend-TS-Idle-Limit = 600,
>>>         Session-Timeout = 36900, Ascend-Maximum-Call-Duration = 615,
>>>         Ascend-Multicast-Client = 1, Ascend-Multicast-Rate-Limit = 0,
>>>         Framed-Netmask = 255.255.255.255,
>>>     ...
>>> 
>>> DEFAULT Auth-Type = "System", NAS-Port-Type = Async
>>>         Ascend-Maximum-Channels = 1,
>>>         Idle_Timeout = 1200, Ascend-Idle-Limit = 1200,
>>>         Ascend-TS-Idle-Limit = 1200,
>>>         Session-Timeout = 36900, Ascend-Maximum-Call-Duration = 615,
>>>         Ascend-Multicast-Client = 1, Ascend-Multicast-Rate-Limit = 0,
>>>         Framed-Netmask = 255.255.255.255
>>> 
>>> Here's the trace 4 debug output from radiusd for a connection
>>> attempt to the wrong (disallowed) number.  Radiator rejects them
>>> on their username match but falls through to the DEFAULT users
>>> entry.  The DEFAULT user accepts the connection because it does
>>> not have the phone number limitation.
>>> 
>>> % sudo radiusd
>>> Fri Jul 15 15:24:04 2005: DEBUG: Reading group file /etc/group
>>> Fri Jul 15 15:24:04 2005: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>> Fri Jul 15 15:24:04 2005: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>>> Fri Jul 15 15:24:04 2005: DEBUG: Creating authentication port 0.0.0.0:1645
>>> Fri Jul 15 15:24:04 2005: DEBUG: Creating accounting port 0.0.0.0:1646
>>> Fri Jul 15 15:24:04 2005: NOTICE: Server started: Radiator 3.13 on hayakawa.lava.net
>>> Fri Jul 15 15:24:52 2005: DEBUG: Packet dump:
>>> *** Received from 64.65.64.43 port 1025 ....
>>> Code:       Access-Request
>>> Identifier: 197
>>> Authentic:  <179>X<176><137><196><204>|_`<174><173>Q<147><236>r}
>>> Attributes:
>>>         User-Name = "jobogus"
>>>         Password = "<31>f#<191><28>*z <239><209><7>Y"
>>>         NAS-Identifier = 64.65.64.43
>>>         NAS-Port = 20101
>>>         NAS-Port-Type = Async
>>>         State = ""
>>>         Caller-Id = "8085233517"
>>>         Client-Port-DNIS = "5666101"
>>>         Acct-Session-Id = "359126255"
>>> 
>>> Fri Jul 15 15:24:52 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Fri Jul 15 15:24:52 2005: DEBUG:  Deleting session for jobogus, 64.65.64.43, 20101
>>> Fri Jul 15 15:24:52 2005: DEBUG: Handling with Radius::AuthFILE:
>>> Fri Jul 15 15:24:52 2005: ERR: Attribute number 79 is not defined in your dictionary
>>> Fri Jul 15 15:24:52 2005: DEBUG: Reading users file /etc/radiator/users
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match with jobogus
>>> Fri Jul 15 15:24:52 2005: DEBUG: Handling with Radius::AuthUNIX: System
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX looks for match with jobogus
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX REJECT: Check item Client-Port-DNIS expression '5376400' does not match '5666101' in request
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE REJECT: Check item Client-Port-DNIS expression '5376400' does not match '5666101' in request
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT
>>> Fri Jul 15 15:24:52 2005: DEBUG: Handling with Radius::AuthUNIX: System
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX looks for match with jobogus
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthUNIX ACCEPT:
>>> Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE ACCEPT:
>>> Fri Jul 15 15:24:52 2005: DEBUG: AuthBy FILE result: ACCEPT,
>>> Fri Jul 15 15:24:52 2005: DEBUG: Access accepted for jobogus
>>> Fri Jul 15 15:24:52 2005: DEBUG: Packet dump:
>>> *** Sending to 64.65.64.43 port 1025 ....
>>> Code:       Access-Accept
>>> Identifier: 197
>>> Authentic:  <179>X<176><137><196><204>|_`<174><173>Q<147><236>r}
>>> Attributes:
>>>         Ascend-Maximum-Channels = 1
>>>         Idle_Timeout = 1200
>>>         Ascend-Idle-Limit = 1200
>>>         Ascend-TS-Idle-Limit = 1200
>>>         Session-Timeout = 36900
>>>         Ascend-Maximum-Call-Duration = 615
>>>         Ascend-Multicast-Client = 1
>>>         Ascend-Multicast-Rate-Limit = 0
>>>         Framed-Netmask = 255.255.255.255
>>> 
>>> Thanks in advance for any help folks out there can give me.
>>> 
>>> Mahalo,
>>> Derrin Chong
>>> 
>>> ps. Any help on tracking down the error is appreciated too.
>>> 
>>> Fri Jul 15 15:24:52 2005: ERR: Attribute number 79 is not defined in your dictionary
>>> 
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>> 
>>> 
>> 
>> 
>> NB:
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> 
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> 
>> 
>
>
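
An added example, not part of the original thread and not Radiator code: a Python audit that scans trace 4 output for the pattern in the trace above, where a named users-file entry fails a check item and the same request is then accepted via DEFAULT. The first request in the sample is copied from that trace with wrapped lines rejoined; the second request (user `newuser`) is constructed, and the function and regex names are assumptions.

```python
import re

# Trace 4 lines copied from the thread above (wrapped lines rejoined), followed
# by one constructed request for a hypothetical user with no entry of their own.
SAMPLE_LOG = """\
Fri Jul 15 15:24:52 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match with jobogus
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE REJECT: Check item Client-Port-DNIS expression '5376400' does not match '5666101' in request
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Jul 15 15:24:52 2005: DEBUG: Radius::AuthFILE ACCEPT:
Fri Jul 15 15:24:52 2005: DEBUG: Access accepted for jobogus
Fri Jul 15 15:25:10 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jul 15 15:25:10 2005: DEBUG: Radius::AuthFILE looks for match with newuser
Fri Jul 15 15:25:10 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Jul 15 15:25:10 2005: DEBUG: Radius::AuthFILE ACCEPT:
Fri Jul 15 15:25:10 2005: DEBUG: Access accepted for newuser
"""

NEW_REQUEST = "Handling request with Handler"
LOOKUP = re.compile(r"Radius::AuthFILE looks for match with (\S+)")
REJECT = re.compile(r"Radius::AuthFILE REJECT: Check item (\S+) expression "
                    r"'([^']*)' does not match '([^']*)'")
ACCEPT = re.compile(r"Access accepted for (\S+)")
DEFAULT_ENTRY = re.compile(r"DEFAULT\d*")  # DEFAULT, DEFAULT1, ...


def find_default_bypasses(log_text):
    """Return requests where a named entry failed a check item but DEFAULT accepted."""
    findings = []
    entry = failed = None
    via_default = False
    for line in log_text.splitlines():
        if NEW_REQUEST in line:  # state is tracked per request
            entry, failed, via_default = None, None, False
        elif m := LOOKUP.search(line):
            entry = m.group(1)
            if failed and DEFAULT_ENTRY.fullmatch(entry):
                via_default = True
        elif (m := REJECT.search(line)) and entry and not DEFAULT_ENTRY.fullmatch(entry):
            failed = (entry, *m.groups())
        elif (m := ACCEPT.search(line)) and failed and via_default:
            findings.append({"user": m.group(1), "entry": failed[0],
                             "check_item": failed[1], "required": failed[2],
                             "seen": failed[3]})
    return findings


if __name__ == "__main__":
    for f in find_default_bypasses(SAMPLE_LOG):
        print("{user}: {check_item} required {required}, saw {seen}, "
              "accepted via DEFAULT".format(**f))
```

A hit means the restriction on the named entry is not being enforced; in this thread the fix was `NoDefaultIfFound` in the AuthBy clause.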
