[RADIATOR] Radmin: IIS, MS SQL2005 - authentication access to listusers.pl page doesn't work

scottshaw at 163.com scottshaw at 163.com
Mon Jul 7 20:13:41 CDT 2008


Hello all,
Do any of you have experience with Radmin scripts page access control on
Windows 2003 Server with MS SQL 2005?
The attachment describes what I did step by step. As anonymous login was
disabled and Windows integrated authentication enabled on IIS for the "scripts"
directory, I was prompted to log in to access the listusers.pl page. I logged in
with the Windows login ID "weber01", which was also created in Radmin with
limited privilege. But I think it might not have been able to find a matching
weber01, and it jumped to the page after authenticating successfully, which shows
LOGIN AS DEFAULT. Because the weber01 in Radmin was created in an MS SQL table while
the weber01 created in Windows may not be linked to it, I am wondering how
Radmin works with IIS as the web server. I understand this could be more of an IIS and
MS SQL problem and not in the scope of Radiator/Radmin, but they do work
together to let Radmin work properly. I hope any of you can share your
experience on this. Thanks!
Regards
Scott

----- Original Message ----- 
From: "ScottXiao at Gmail.com" <scottxiao at gmail.com>
To: "Mike McCauley" <mikem at open.com.au>
Sent: Friday, July 04, 2008 6:18 PM
Subject: Re: Radmin: Login failed , Sorry, you do not have permission to do that (USER_V).


> Hi Mike
> Thanks for the prompt reply. From your reply, it seems I didn't do anything
> wrong. I created different users a few times and tested. The user created in
> Radmin has the same name as the one I created with Windows computer management,
> for sure. Would it be convenient for you to simulate what I did on your PC and
> send me a screenshot of creating users on IIS/Windows and Radmin, so I can find
> the difference?
> My current status is: I created a weber01 with limited rights, but finally it
> gave a page with all rights. I put my step-by-step screenshots in the
> attachment, please help. Thanks!
> Regards
> Scott
> ----- Original Message ----- 
> From: "Mike McCauley" <mikem at open.com.au>
> To: "ScottXiao at Gmail.com" <scottxiao at gmail.com>
> Sent: Friday, July 04, 2008 5:55 PM
> Subject: Re: Radmin: Login failed , Sorry, you do not have permission to do that (USER_V).
>
>
> Hello,
>
> On Friday 04 July 2008 19:33, ScottXiao at Gmail.com wrote:
>> Hi Mike
>> Thanks!
>> Regarding what you mentioned
>>  ..." 1. set up the user names of the radmin administrators
>> in both Radmin and in the web server authentication system...
>> ...2. for a small number of administrators, it is easier to
>> add them to the IIS authentication by hand."
>>
>>
>> For 1. Setting up the user name in Radmin is done, but I am not sure if my way
>> of setting up the user for the web server authentication system is correct or
>> not. What I did is use the Windows management console to add the user name and
>> assign it to the Administrators group and the IIS_WPG group, then change the IIS
>> web server security setting to disable anonymous login and enable Windows
>> integrated authentication. Is that the correct way to link this user to Radmin?
>> For 2. Same, it's easier to add them, but I am not sure if what I did, as
>> mentioned in question 1, is correct or not. Can you advise?
>
> You need to make sure that the user name that IIS authenticates is the same as
> the user name in the 'Add Admin user' page. The only connection is that the
> user names are the same.
>
> Cheers.
>
>>
>> Thanks!
>> Regards
>> Scott
>> ----- Original Message -----
>> From: "Mike McCauley" <mikem at open.com.au>
>> To: "ScottXiao at Gmail.com" <scottxiao at gmail.com>
>> Sent: Friday, July 04, 2008 2:46 PM
>> Subject: Re: Radmin: Login failed , Sorry, you do not have permission to do that (USER_V).
>>
>>
>> Hello Scott,
>>
>> On Friday 04 July 2008 16:38, you wrote:
>> > Hi Mike
>> > Thanks for the reply.
>> > Sorry, I might not have described my problem very clearly. I am totally OK with
>> > how to configure a permission profile and add Radmin users, and how the
>> > authentication will work: check if access control is available, if not, then
>> > anonymous, etc. My main issue is the paragraph where you skipped the details,
>> > "Alter your web server configuration to authenticate all access to
>> > cgi-bin/Radmin/private directory. Make sure user fred exists in the web
>> > server authentication user list."
>> > I use IIS, so there could be some way to link the users of IIS and Windows to
>> > the Radmin users. I have an issue with this. I feel the web1 user I created in
>> > Radmin is not linked to the user web1 I created on Windows. So after the
>> > authentication on the web page, the access control doesn't work as
>> > imagined. That's why I sent you a screenshot of the IIS and Windows user
>> > creation. Can you advise from that point? Or send me some document related
>> > to ALTER IIS web server configuration to authenticate all access to
>> > scripts/radmin/....
>>
>> Normally, the web server authentication is _not_ connected to Radmin user
>> authentication. You must set up the user names of the radmin
>> administrators in both Radmin and in the web server authentication system.
>>
>> It is possible to make IIS authenticate from Radius and therefore join the
>> systems together, but for a small number of administrators, it is easier to
>> add them to the IIS authentication by hand.
>>
>> Cheers.
>>
>> > Thanks !
>> > Regards
>> > Scott
>> >
>> >
>> > ----- Original Message -----
>> > From: "Mike McCauley" <mikem at open.com.au>
>> > To: <scottshaw at 163.com>
>> > Cc: "Hugh Irvine" <hugh at open.com.au>; <scottxiao at gmail.com>
>> > Sent: Friday, July 04, 2008 1:15 PM
>> > Subject: Re: Radmin: Login failed , Sorry, you do not have permission to do that (USER_V).
>> >
>> >
>> > Hello Scott,
>> >
>> > here are basic instructions showing how to create a new limited permissions
>> > profile. Permissions control relies on your web server to authenticate access
>> > to the Radmin scripts, using whatever authentication system it requires.
>> >
>> > Connect to cgi-bin/Radmin/private/listUsers.pl
>> >
>> > Add Permissions profile->
>> >  Profile Name: test
>> >  as an example, enable only these 4 options:
>> >   Add a user
>> >   Delete a user
>> >   Edit a user
>> >   View a user
>> > Update
>> >
>> > Add Admin user->
>> >  User Name: fred
>> >  Permissions profile: 'test'
>> > Update
>> >
>> > Alter your web server configuration to authenticate all access to
>> > cgi-bin/Radmin/private directory. Make sure user fred exists
>> > in the web server authentication user list.
>> >
>> > Log in to cgi-bin/Radmin/private/listUsers.pl and authenticate as 'fred'; you
>> > will see that only [List Users] [Add a User]
>> > options are available.
>> >
>> > If you log in to cgi-bin/Radmin/private/listUsers.pl and authenticate as
>> > any other user except fred (make sure they exist
>> > in the web server authentication user list first) you will see they are
>> > able to access all options.
>> >
>> > This is how it works:
>> > If the user was required by the web server to authenticate for access to
>> > the script, and if there is a matching Admin user, then the Admin User's
>> > Permissions Profile will be used.
>> >
>> > Else the 'anonymous' user's Permissions Profile will be used.
>> >
>> > Hope that helps.
>> > Cheers.
>> >
>> > On Friday 04 July 2008 13:13, scottshaw at 163.com wrote:
>> > > Hello, thanks for the advice that the user may have no View_user
>> > > privilege. I added a new user "staff" to use the STAFF permission profile,
>> > > which makes sure it has the view user right, and added the "Staff" user to
>> > > the Windows local user group IIS_WPG. When I access the listusers.pl page,
>> > > it goes directly to the page with all permissions and shows it's logged in
>> > > as DEFAULT instead of user Staff, although it prompted me and I did use
>> > > Staff to log in. It means "there is no exact matching RAdmin user name"
>> > > according to the ref doc. And the doc mentions "RAdmin will attempt to match
>> > > their web user name with a RAdmin Administrator User Name"; what does the
>> > > web user mean?
>> > > Is it the same as what I added to the Windows users group? And is the Radmin
>> > > administrator user name the "staff" user I added? Is there anything I
>> > > understand wrongly? Please advise, thanks! Regards
>> > > Scott
>> > >   ----- Original Message -----
>> > >   From: scottshaw at 163.com
>> > >   To: radiator-request at open.com.au
>> > >   Cc: Mike McCauley ; Hugh Irvine ; scottxiao at gmail.com
>> > >   Sent: Friday, July 04, 2008 9:18 AM
>> > >   Subject: Radmin: Login failed , Sorry, you do not have permission to do that (USER_V).
>> > >
>> > >
>> > >   Hello team,
>> > >   I am trying to verify the role-based security on IIS/Windows 2003/Radmin 1.10.
>> > > I added a permission profile p1 with limited privilege and added a Radmin
>> > > admin user web1 to this profile group. I added the web1 user to the Windows
>> > > Administrators group and changed the IIS setting, as in the attached
>> > > screenshot, for the default web server, which is Radmin, to disable
>> > > anonymous login and enable Windows integrated authentication. I launched
>> > > the Radmin listuser.pl page; it prompted for the login, but came back with
>> > > the error: A serious error has occurred: Sorry, you do not have permission
>> > > to do that (USER_V). I am not able to find a related configuration guide in
>> > > the Radmin ref.pdf or the archived mailing list. Can you advise which
>> > > configuration is wrong, or point me to the correct document?
>> > > My config screenshot is attached. I also tried reducing the anonymous ID’s
>> > > privilege but am not able to revert it back to “everything”. Please kindly
>> > > advise as soon as possible. Thank you very much!
>> > >
>> > >   best regards
>> > >   Scott
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia 
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco etc
> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.rar
Type: application/octet-stream
Size: 148238 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080708/fd348fc1/attachment-0001.obj>
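
The lookup Mike describes in the quoted replies (a matching Admin user gets that user's profile, anything else gets the 'anonymous' profile), modelled as an added example that is not part of the thread and not Radmin source. It assumes an exact string comparison, and the constructed identities reflect that IIS Integrated Windows authentication commonly reports the account with a machine or domain prefix; the names `resolve_profile`, `bare_name`, `audit`, `WEBSRV` and the permission labels are hypothetical.

```python
# Added example: a model of the lookup described in the thread, not Radmin source.
# Assumptions: exact string comparison; sample names and permission labels are constructed.

PROFILES = {
    "anonymous": {"add user", "delete user", "edit user", "view user",
                  "edit permissions profiles"},   # hypothetical "everything" set
    "test": {"add user", "delete user", "edit user", "view user"},
}
ADMIN_USERS = {"fred": "test", "weber01": "test", "staff": "test"}


def resolve_profile(remote_user, admin_users=ADMIN_USERS):
    """Matching Admin user -> that user's profile, otherwise 'anonymous'."""
    if remote_user and remote_user in admin_users:
        return admin_users[remote_user]
    return "anonymous"


def bare_name(identity):
    """Strip a DOMAIN\\ prefix or @domain suffix and fold case."""
    name = identity.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def audit(web_identities, admin_users=ADMIN_USERS, profiles=PROFILES):
    """List identities that authenticate but fall through to 'anonymous'."""
    findings = []
    for identity in web_identities:
        if resolve_profile(identity, admin_users) != "anonymous":
            continue
        # A near miss differs from an Admin user name only by prefix or case.
        near = [n for n in admin_users if n.lower() == bare_name(identity)]
        intended = profiles[admin_users[near[0]]] if near else set()
        findings.append({
            "identity": identity,
            "intended_admin_user": near[0] if near else None,
            "extra_permissions": sorted(profiles["anonymous"] - intended),
        })
    return findings


if __name__ == "__main__":
    # Constructed identities as a web server might report them after login.
    for finding in audit(["fred", "WEBSRV\\weber01", "Staff"]):
        print(finding)
```

Each finding is an account that passed web server authentication yet received the 'anonymous' profile, together with the permissions it gained beyond the profile intended for it.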

