(RADIATOR) user profiles
Hugh Irvine
hugh at open.com.au
Sat Oct 7 04:49:37 CDT 2006
Hello Jorge -
Here is one way to do it:
<Handler>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                Filename ./profile
        </AuthBy>
        <AuthBy GROUP>
                AddToRequest Profile = %{Reply:Profile}
                StripFromReply Profile
                <AuthBy FILE>
                        Filename ./default
                </AuthBy>
        </AuthBy>
</Handler>
Here are the files:
# profile

hugh    Password = hugh
        Profile = test

# default

DEFAULT Profile = test
        Class = hello
hope that helps
regards
Hugh
On 6 Oct 2006, at 22:03, Jorge Bras wrote:
> Hi,
>
> Sorry for not being so clear in my question.
>
> I just want to create user profiles, and in this case, be able to
> check if a certain user belonging to a certain profile can connect
> at some given time.
>
> I can do this by adding Time to the users attributes:
> u001 User-Password = "xxxxxxxx",
> Time = "MoTuWeThFr0900-1700"
> Expiration = "2006-12-30 23:30:00"
>
> But I want to set this check in the user profile, not in the user
> definition. Can I do this?
>
> Thanks,
>
> ./bras
>
>
> On 10/5/06, Hugh Irvine <hugh at open.com.au> wrote:
> Hello Jorge -
>
> I am not quite clear on what you are wanting to do, but in what you
> show below you are adding an attribute called "Profile" to the reply
> in your first AuthBy FILE, but you are checking for the "Profile"
> attribute in the request (not the reply) in your second AuthBy FILE.
>
> If you can give me more detail on your requirements I will try to
> make some suggestions.
>
> regards
>
> Hugh
>
>
> On 4 Oct 2006, at 20:42, Jorge Bras wrote:
>
> > hi there,
> >
> > I would like to add some check items to my users profiles.
> >
> > From what I have read, I need to add the Profile to the Request,
> > but I don't know how to do it.
> > I have tried with AddToRequest, but it didn't work.
> >
> > After digging around in the mailing list archives, the best I could
> > find was this mail,
> > http://www.open.com.au/archives/radiator/2006-01/msg00006.html .
> >
> > Here's my radius.cfg:
> >
> > <AuthBy FILE>
> > Identifier Check_VPN_Users
> > RejectEmptyPassword
> > Filename %D/vpn-users
> > </AuthBy>
> >
> > <AuthBy FILE>
> > Identifier Check_VPN_Profiles
> > Filename %D/vpn-profiles
> > </AuthBy>
> >
> > <Handler Realm="vpn.test">
> > UsernameCharset a-zA-Z0-9\.-_@
> > RewriteUsername tr/A-Z/a-z/
> > RewriteUsername s/^([^@]+)\@vpn.test /$1/
> >
> > # Authentication
> > AuthByPolicy ContinueWhileAccept
> > AuthBy Check_VPN_Users
> > AuthBy Check_VPN_Profiles
> >
> > # Authentication Log
> > AuthLog DefaultAuthLog
> > AuthLog SQLAuthLog
> >
> > # Log accounting to a detail file
> > AcctLogFileName %L/detail
> > </Handler>
> >
> > vpn-users file:
> > test User-Password = "{crypt}tEfWdlRzfeGzQ"
> > Expiration = "2006-12-30 23:30:00"
> > Profile = "guest"
> > vpn-profiles file:
> > DEFAULT Profile=consultor, Time = "MoTuWeThFr0900-1700"
> > Session-Timeout = 900,
> > Idle-Timeout = 300
> >
> > Log:
> >
> > Wed Oct 4 11:27:11 2006: DEBUG: Packet dump:
> > *** Received from X.X.X.X port 1025 ....
> > Code: Access-Request
> > Identifier: 153
> > Authentic: 1<22><151><132>m<162>3<240>i<238><143><28>%<250><171><8>
> > Attributes:
> > User-Name = "test at vpn.test"
> > User-Password = <152>g<193><209><239><247><195>C/|<173>~/
> > <172><209><157>
> > NAS-Port = 28
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Called-Station-Id = "Y.Y.Y.Y"
> > Calling-Station-Id = " Z.Z.Z.Z"
> > Tunnel-Client-Endpoint = Z.Z.Z.Z
> > NAS-IP-Address = X.X.X.X
> > NAS-Port-Type = Virtual
> > cisco-avpair = "ip:source-ip=Z.Z.Z.Z"
> >
> > Wed Oct 4 11:27:11 2006: DEBUG: Handling request with Handler
> > 'Service-Type=Framed-User,Called-Station-Id=" Y.Y.Y.Y"'
> > Wed Oct 4 11:27:11 2006: DEBUG: Rewrote user name to test at vpn.test
> > Wed Oct 4 11:27:11 2006: DEBUG: Rewrote user name to test
> > Wed Oct 4 11:27:11 2006: DEBUG: Deleting session for
> > test at vpn.test, X.X.X.X, 28
> > Wed Oct 4 11:27:11 2006: DEBUG: do query is: 'delete from
> > RADONLINE where USERNAME='test' and NASIDENTIFIER=' X.X.X.X' and
> > NASPORT=028':
> > Wed Oct 4 11:27:11 2006: DEBUG: Handling with Radius::AuthFILE:
> > Check_VPN_Users
> > Wed Oct 4 11:27:11 2006: DEBUG: Radius::AuthFILE looks for match
> > with test [ test at vpn.test]
> > Wed Oct 4 11:27:11 2006: DEBUG: Radius::AuthFILE ACCEPT: : test
> > [ test at vpn.test]
> > Wed Oct 4 11:27:11 2006: DEBUG: AuthBy FILE result: ACCEPT,
> > Wed Oct 4 11:27:11 2006: DEBUG: Handling with Radius::AuthFILE:
> > Check_VPN_Profiles
> > Wed Oct 4 11:27:11 2006: DEBUG: Radius::AuthFILE looks for match
> > with test [ test at vpn.test]
> > Wed Oct 4 11:27:11 2006: DEBUG: Radius::AuthFILE REJECT: No such
> > user: test [test at vpn.test]
> > Wed Oct 4 11:27:11 2006: DEBUG: Radius::AuthFILE looks for match
> > with DEFAULT [ test at vpn.test]
> > Wed Oct 4 11:27:11 2006: DEBUG: Radius::AuthFILE REJECT: Check
> > item Profile expression 'guest' does not match '' in request:
> > DEFAULT [ test at vpn.test ]
> > Wed Oct 4 11:27:11 2006: DEBUG: AuthBy FILE result: REJECT, Check
> > item Profile expression 'guest' does not match '' in request
> > Wed Oct 4 11:27:11 2006: INFO: Access rejected for u001: Check
> > item Profile expression 'guest' does not match '' in request
> > Wed Oct 4 11:27:11 2006: DEBUG: do query is: 'insert into
> > RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1159957631,
> > 'test', 0, 'Check item Profile expression \'guest\' does not match
> > \'\' in request')':
> > Wed Oct 4 11:27:11 2006: WARNING: Invalid reply item Expiration
> > ignored
> > Wed Oct 4 11:27:11 2006: WARNING: No such attribute Profile
> > Wed Oct 4 11:27:11 2006: DEBUG: Packet dump:
> > *** Sending to 192.168.0.1 port 1025 ....
> > Code: Access-Reject
> > Identifier: 153
> > Authentic: 1<22><151><132>m<162>3<240>i<238><143><28>%<250><171><8>
> > Attributes:
> > Expiration = "2006-12-30 23:30:00"
> > Profile = guest
> > Reply-Message = "Request Denied"
> >
> >
> > Thanks.
> >
> > --
> > ./bras
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>
>
> --
> ./bras
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
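
Added example (not part of the original post, and not Radiator's code): a small Python model of the flow discussed in this thread. It shows why a Profile placed in the reply by the first file is invisible to check items in the second file until it is copied into the request, and how a Time check item then applies per profile. All function names and sample data are constructed; the Time parser handles only the form shown in the thread, and the password compare is simplified to plaintext.

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index == datetime.weekday()

def time_allows(spec, now):
    """Time item in the one form shown in the thread, e.g. MoTuWeThFr0900-1700."""
    m = re.fullmatch(r"((?:Mo|Tu|We|Th|Fr|Sa|Su)+)(\d{4})-(\d{4})", spec)
    if not m:
        return False  # fail closed on forms this model does not parse
    days = re.findall("..", m.group(1))
    return DAYS[now.weekday()] in days and m.group(2) <= now.strftime("%H%M") <= m.group(3)

def auth_file(entries, request, reply, now):
    """One AuthBy FILE: check items are compared with the request, never the reply."""
    for name in (request["User-Name"], "DEFAULT"):
        if name not in entries:
            continue
        check, reply_items = entries[name]
        for attr, want in check.items():
            ok = time_allows(want, now) if attr == "Time" else request.get(attr, "") == want
            if not ok:
                break
        else:  # every check item matched
            reply.update(reply_items)
            return "ACCEPT"
    return "REJECT"

def handler(request, users, profiles, now, copy_profile):
    """AuthByPolicy ContinueWhileAccept over the user file, then the profile file."""
    request, reply = dict(request), {}
    if auth_file(users, request, reply, now) != "ACCEPT":
        return "REJECT", {}
    if copy_profile:  # net effect of AddToRequest Profile = %{Reply:Profile} + StripFromReply Profile
        request["Profile"] = reply.pop("Profile", "")
    if auth_file(profiles, request, reply, now) != "ACCEPT":
        return "REJECT", {}
    return "ACCEPT", reply

# Constructed sample data (plaintext password only to keep the model short).
USERS = {"test": ({"User-Password": "secret"}, {"Profile": "consultor"})}
PROFILES = {"DEFAULT": ({"Profile": "consultor", "Time": "MoTuWeThFr0900-1700"},
                        {"Session-Timeout": "900", "Idle-Timeout": "300"})}
REQUEST = {"User-Name": "test", "User-Password": "secret"}

if __name__ == "__main__":
    wed, sat = datetime(2006, 10, 4, 11, 27), datetime(2006, 10, 7, 11, 0)
    print(handler(REQUEST, USERS, PROFILES, wed, copy_profile=False))  # Profile never reaches the request
    print(handler(REQUEST, USERS, PROFILES, wed, copy_profile=True))
    print(handler(REQUEST, USERS, PROFILES, sat, copy_profile=True))
```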