(RADIATOR) user profiles

Hugh Irvine hugh at open.com.au
Sat Oct 7 04:49:37 CDT 2006


Hello Jorge -

Here is one way to do it:


<Handler>

        AuthByPolicy ContinueWhileAccept

        <AuthBy FILE>
                Filename ./profile
        </AuthBy>

        <AuthBy GROUP>
                AddToRequest Profile = %{Reply:Profile}
                StripFromReply Profile
                <AuthBy FILE>
                        Filename ./default
                </AuthBy>
        </AuthBy>

</Handler>


Here are the files:

# profile
hugh Password = hugh
         Profile = test


#default
DEFAULT Profile = test
         Class = hello


hope that helps

regards

Hugh


On 6 Oct 2006, at 22:03, Jorge Bras wrote:

> Hi,
>
> Sorry for not being so clear in my question.
>
> I just want to create user profiles, and in this case, be able to  
> check if a certain user belonging to a certain profile can connect  
> at some given time.
>
> I can do this by adding Time to the user's attributes:
> u001    User-Password = "xxxxxxxx",
>                 Time = "MoTuWeThFr0900-1700"
>                 Expiration = "2006-12-30 23:30:00"
>
> But I want to set this check in the user profile, not in the user
> definition. Can I do this?
>
> Thanks,
>
> ./bras
>
>
> On 10/5/06, Hugh Irvine <hugh at open.com.au> wrote:
> Hello Jorge -
>
> I am not quite clear on what you are wanting to do, but in what you
> show below you are adding an attribute called "Profile" to the reply
> in your first AuthBy FILE, but you are checking for the "Profile"
> attribute in the request (not the reply) in your second AuthBy FILE.
>
> If you can give me more detail on your requirements I will try to
> make some suggestions.
>
> regards
>
> Hugh
>
>
> On 4 Oct 2006, at 20:42, Jorge Bras wrote:
>
> > hi there,
> >
> > I would like to add some check items to my users' profiles.
> >
> > From what I have read, I need to add the Profile to the Request,
> > but I don't know how to do it.
> > I have tried with AddToRequest, but it didn't work.
> >
> > After digging around in the mailing list archives, the best I could
> > find was this mail,
> > http://www.open.com.au/archives/radiator/2006-01/msg00006.html .
> >
> > Here's my radius.cfg:
> >
> > <AuthBy FILE>
> >     Identifier Check_VPN_Users
> >     RejectEmptyPassword
> >     Filename %D/vpn-users
> > </AuthBy>
> >
> > <AuthBy FILE>
> >     Identifier Check_VPN_Profiles
> >     Filename %D/vpn-profiles
> > </AuthBy>
> >
> > <Handler Realm="vpn.test">
> >     UsernameCharset a-zA-Z0-9\.-_@
> >     RewriteUsername   tr/A-Z/a-z/
> >     RewriteUsername   s/^([^@]+)\@vpn.test/$1/
> >
> >     # Authentication
> >     AuthByPolicy ContinueWhileAccept
> >     AuthBy Check_VPN_Users
> >     AuthBy Check_VPN_Profiles
> >
> >     # Authentication Log
> >     AuthLog DefaultAuthLog
> >     AuthLog SQLAuthLog
> >
> >     # Log accounting to a detail file
> >     AcctLogFileName %L/detail
> > </Handler>
> >
> > vpn-users file:
> > test      User-Password = "{crypt}tEfWdlRzfeGzQ"
> >                 Expiration = "2006-12-30 23:30:00"
> >                 Profile = "guest"
> > vpn-profiles file:
> > DEFAULT Profile=consultor, Time = "MoTuWeThFr0900-1700"
> >                 Session-Timeout = 900,
> >                 Idle-Timeout = 300
> >
> > Log:
> >
> > Wed Oct  4 11:27:11 2006: DEBUG: Packet dump:
> > *** Received from X.X.X.X port 1025 ....
> > Code:       Access-Request
> > Identifier: 153
> > Authentic:  1<22><151><132>m<162>3<240>i<238><143><28>%<250><171><8>
> > Attributes:
> >         User-Name = "test at vpn.test"
> >         User-Password = <152>g<193><209><239><247><195>C/|<173>~/
> > <172><209><157>
> >         NAS-Port = 28
> >         Service-Type = Framed-User
> >         Framed-Protocol = PPP
> >         Called-Station-Id = "Y.Y.Y.Y"
> >         Calling-Station-Id = " Z.Z.Z.Z"
> >         Tunnel-Client-Endpoint = Z.Z.Z.Z
> >         NAS-IP-Address = X.X.X.X
> >         NAS-Port-Type = Virtual
> >         cisco-avpair = "ip:source-ip=Z.Z.Z.Z"
> >
> > Wed Oct  4 11:27:11 2006: DEBUG: Handling request with Handler
> > 'Service-Type=Framed-User,Called-Station-Id=" Y.Y.Y.Y"'
> > Wed Oct  4 11:27:11 2006: DEBUG: Rewrote user name to test at vpn.test
> > Wed Oct  4 11:27:11 2006: DEBUG: Rewrote user name to test
> > Wed Oct  4 11:27:11 2006: DEBUG:  Deleting session for
> > test at vpn.test, X.X.X.X, 28
> > Wed Oct  4 11:27:11 2006: DEBUG: do query is: 'delete from
> > RADONLINE where USERNAME='test' and NASIDENTIFIER=' X.X.X.X' and
> > NASPORT=028':
> > Wed Oct  4 11:27:11 2006: DEBUG: Handling with Radius::AuthFILE:
> > Check_VPN_Users
> > Wed Oct  4 11:27:11 2006: DEBUG: Radius::AuthFILE looks for match
> > with test [ test at vpn.test]
> > Wed Oct  4 11:27:11 2006: DEBUG: Radius::AuthFILE ACCEPT: : test
> > [ test at vpn.test]
> > Wed Oct  4 11:27:11 2006: DEBUG: AuthBy FILE result: ACCEPT,
> > Wed Oct  4 11:27:11 2006: DEBUG: Handling with Radius::AuthFILE:
> > Check_VPN_Profiles
> > Wed Oct  4 11:27:11 2006: DEBUG: Radius::AuthFILE looks for match
> > with test [ test at vpn.test]
> > Wed Oct  4 11:27:11 2006: DEBUG: Radius::AuthFILE REJECT: No such
> > user: test [test at vpn.test]
> > Wed Oct  4 11:27:11 2006: DEBUG: Radius::AuthFILE looks for match
> > with DEFAULT [ test at vpn.test]
> > Wed Oct  4 11:27:11 2006: DEBUG: Radius::AuthFILE REJECT: Check
> > item Profile expression 'guest' does not match '' in request:
> > DEFAULT [ test at vpn.test ]
> > Wed Oct  4 11:27:11 2006: DEBUG: AuthBy FILE result: REJECT, Check
> > item Profile expression 'guest' does not match '' in request
> > Wed Oct  4 11:27:11 2006: INFO: Access rejected for u001: Check
> > item Profile expression 'guest' does not match '' in request
> > Wed Oct  4 11:27:11 2006: DEBUG: do query is: 'insert into
> > RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1159957631,
> > 'test', 0, 'Check item Profile expression \'guest\' does not match
> > \'\' in request')':
> > Wed Oct  4 11:27:11 2006: WARNING: Invalid reply item Expiration
> > ignored
> > Wed Oct  4 11:27:11 2006: WARNING: No such attribute Profile
> > Wed Oct  4 11:27:11 2006: DEBUG: Packet dump:
> > *** Sending to 192.168.0.1 port 1025 ....
> > Code:       Access-Reject
> > Identifier: 153
> > Authentic:  1<22><151><132>m<162>3<240>i<238><143><28>%<250><171><8>
> > Attributes:
> >         Expiration = "2006-12-30 23:30:00"
> >         Profile = guest
> >         Reply-Message = "Request Denied"
> >
> >
> > Thanks.
> >
> > --
> > ./bras
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>
>
> -- 
> ./bras



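Added example (not part of the original message, and not Radiator's own code): a small Python model of the two-stage lookup in the Handler above. It shows why the Profile check fails while the attribute exists only in the reply, and how copying it into the request lets a per-profile Time check apply. The sample users, the password, the function names and the simplified Time parsing are assumptions made for illustration.

```python
# Simplified model (added example, not Radiator code) of the two-stage lookup:
# stage 1 authenticates the user and returns Profile as a reply item,
# stage 2 matches that Profile (once copied into the request) against
# DEFAULT entries whose check items carry the per-profile restrictions.
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]

# Constructed sample data, mirroring the users and profile files in the thread.
USERS = {"test": {"check": {"User-Password": "secret"},
                  "reply": {"Profile": "guest"}}}
PROFILES = [  # evaluated in order, like successive DEFAULT entries
    {"check": {"Profile": "guest", "Time": "MoTuWeThFr0900-1700"},
     "reply": {"Session-Timeout": 900, "Idle-Timeout": 300}},
]

def time_allowed(spec, now):
    """Handle only the 'MoTuWeThFr0900-1700' form used in the thread."""
    m = re.fullmatch(r"((?:Mo|Tu|We|Th|Fr|Sa|Su)+)(\d{4})-(\d{4})", spec)
    if not m:
        return False  # fail closed on anything this model cannot parse
    days = re.findall("..", m.group(1))
    hhmm = now.strftime("%H%M")
    return DAYS[now.weekday()] in days and m.group(2) <= hhmm <= m.group(3)

def authenticate(username, password, now, copy_profile=True):
    request = {"User-Name": username, "User-Password": password}
    user = USERS.get(username)
    if not user or user["check"]["User-Password"] != password:
        return "REJECT", "bad user or password", {}
    reply = dict(user["reply"])
    if copy_profile:
        # AddToRequest Profile = %{Reply:Profile}, then StripFromReply Profile
        request["Profile"] = reply.pop("Profile", "")
    for entry in PROFILES:
        chk = entry["check"]
        if chk["Profile"] != request.get("Profile", ""):
            continue  # check item compared against the request, not the reply
        if not time_allowed(chk["Time"], now):
            return "REJECT", "outside permitted hours", {}
        reply.update(entry["reply"])
        return "ACCEPT", "", reply
    return "REJECT", "no profile matched the request", {}
```

With `copy_profile=False` the model reproduces the rejection in the quoted trace: the check item is compared with an empty Profile in the request, so no entry matches.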