(RADIATOR) Group checking *only* with AuthBy UNIX?

Ray Van Dolson rayvd at corp.digitalpath.net
Wed Jun 15 21:40:13 CDT 2005


Here's how it would *ideally* work (if we didn't have to do MSCHAPv2
authentication):

# Authentication Requests
<Handler Realm=domain.net,NAS-IP-Address=XXX.XXX.XX.X>
        # Strip the realm from the username.
        RewriteUsername s/^([^@]+).*/$1/

        # Grab defaults from this file and handle any rejections.
        <AuthBy FILE>
                Filename        %D/users
        </AuthBy>

        # Authenticate against the Unix user file
        <AuthBy UNIX>
                AutoMPPEKeys    yes
                Identifier      System
                Filename        %D/passwd
                GroupFilename   %D/group
        </AuthBy>

        # Pass the reason for rejection back to the customer.
        RejectHasReason
</Handler>

Here are the pertinent contents of the users file referenced above:

# Basic Account - 384Kbps / 128Kbps
DEFAULT Auth-Type = System, Group = wirmcb
        MS-MPPE-Encryption-Policy = Encryption-Required,
        Acct-Interim-Interval = 300,
        Ascend-Data-Rate = 384000,
        Ascend-Xmit-Rate = 128000
# Express - 2Mbps / 1Mbps
DEFAULT Auth-Type = System, Group = wirmcexp
        MS-MPPE-Encryption-Policy = Encryption-Required,
        Acct-Interim-Interval = 300,
        Ascend-Data-Rate = 2000000,
        Ascend-Xmit-Rate = 1000000
# Excel - 1Mbps / 384Kbps
DEFAULT Auth-Type = System, Group = wirmcexc
        MS-MPPE-Encryption-Policy = Encryption-Required,
        Acct-Interim-Interval = 300,
        Ascend-Data-Rate = 1000000,
        Ascend-Xmit-Rate = 384000
# Comp Relay Customer
DEFAULT Auth-Type = System, Group = wirccrc
        MS-MPPE-Encryption-Policy = Encryption-Required,
        Acct-Interim-Interval = 300,
        Ascend-Data-Rate = 4000000,
        Ascend-Xmit-Rate = 2000000

If I just had to get this up and running _yesterday_, I'd probably just use an
AuthBy FILE as we're talking about a small amount of customers.  I'd recommend
that the client switch to an SQL-based backend.  Our contract doesn't really
include setting this up for them, we are helping out though, but it would be
their responsibility to tackle anything major.

I've got some ideas on how to get this working (multiple Auth-Type's), but am
hoping someone out there might see some obvious solutions.

Thanks again,
Ray

On Thu, Jun 16, 2005 at 11:37:06AM +1000, Hugh Irvine wrote:
> 
> Hello Ray -
> 
> You don't say what AuthBy clause you are going to use for the  
> MSCHAPv2 - can you tell me what you are planning to use?
> 
> It would also be useful to see the existing configuration file to be  
> able to make sensible suggestions.
> 
> regards
> 
> Hugh
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
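
An added example, not part of the original post and not Radiator code: a small audit that cross-checks a Unix group file against the `Group` check items of the DEFAULT entries in the users file quoted above, flagging accounts that would match several service tiers or none. It assumes DEFAULT entries are tried in file order with the first matching `Group` check winning, and that membership comes only from the member list (fourth field) of the group file; the function names and sample data are constructed for illustration.

```python
# Added example: audit tier-group membership for a users file like the one above.
# Assumptions (not from the post): first matching DEFAULT entry wins; membership
# is taken only from the group file's member list. Sample data is constructed.
import re
from collections import defaultdict

SAMPLE_USERS_FILE = """\
# Basic Account - 384Kbps / 128Kbps
DEFAULT Auth-Type = System, Group = wirmcb
        Ascend-Data-Rate = 384000
# Express - 2Mbps / 1Mbps
DEFAULT Auth-Type = System, Group = wirmcexp
        Ascend-Data-Rate = 2000000
"""
SAMPLE_GROUP_FILE = """\
wirmcb:x:2001:alice,bob
wirmcexp:x:2002:bob,carol
staff:x:100:dave
"""

def tier_groups(users_text):
    """Group check values of DEFAULT entries, in file order."""
    pat = r"^DEFAULT\d*\s.*\bGroup\s*=\s*([^,\s]+)"
    return re.findall(pat, users_text, re.MULTILINE)

def memberships(group_text):
    """Map username -> set of group names it is listed in."""
    result = defaultdict(set)
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # skip blank, comment or malformed lines
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            result[user].add(fields[0])
    return result

def audit(users_text, group_text):
    """Return {user: (status, tier that would apply, all matching tiers)}."""
    tiers = tier_groups(users_text)
    report = {}
    for user, groups in sorted(memberships(group_text).items()):
        hits = [t for t in tiers if t in groups]
        status = "ok" if len(hits) == 1 else ("ambiguous" if hits else "no-tier")
        report[user] = (status, hits[0] if hits else None, hits)
    return report

if __name__ == "__main__":
    for user, row in audit(SAMPLE_USERS_FILE, SAMPLE_GROUP_FILE).items():
        print(user, *row)
```

Accounts reported as `ambiguous` get whichever tier is listed first in the users file under the stated assumption, and `no-tier` accounts match no DEFAULT entry at all.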
