[RADIATOR] Rejection of access request if mac address in Sql table

Hugh Irvine hugh at open.com.au
Mon Dec 7 13:33:46 CST 2009


Hello Robin, Hello Alex -

You can also use the "Blacklist" parameter in the first AuthBy to reverse the usual behaviour.

See section 5.18.60 in the Radiator 4.5.1 reference manual ("doc/ref.pdf").

regards

Hugh


On 8 Dec 2009, at 03:09, Robin Breathe wrote:

> Alex,
> 
> We use the following for the functionality you describe:
> 
> {{{
> # MAC address blacklisting
> <AuthBy SQL>
>        Identifier BLACKLIST
>        IgnoreAccounting
> 
>        NoEAP
>        NoDefault
> 
>        # Lookup MAC address (this becomes %0)
>        AuthenticateAttribute Calling-Station-Id
> 
>        # Accept non-blacklisted clients
>        AcceptIfMissing
> 
>        DBSource        dbi:Pg:dbname=%{GlobalVar:oxPsqlDb};host=%{GlobalVar:oxPsqlHost};port=%{GlobalVar:oxPsqlPort}
>        DBUsername      %{GlobalVar:oxPsqlUser}
>        DBAuth          %{GlobalVar:oxPsqlAuth}
> 
>        # PostgreSQL backend with macaddr type automatically deals with format conversion
>        AuthSelect      SELECT 'Reject:'||block_reason FROM eduroam_blacklist WHERE client = ?
>        AuthSelectParam %0
>        AuthColumnDef 0, Auth-Type, check
>        AuthColumnDef 0, Auth-Type, check
> </AuthBy>
> <Handler>
>        AuthBy STANDARDIZE
>        AuthBy LOCAL-ACCT
>        <AuthBy GROUP>
>                AuthByPolicy ContinueUntilReject
>                NoEAP
>                AuthBy BLACKLIST
>                AuthBy LOCAL-AUTH
>        </AuthBy>
> 
>        RejectHasReason
>        AuthLog ...
> </Handler>
> }}}
> 
> Regards,
> Robin
> 
> 2009/12/7 Alex Sharaz <A.Sharaz at hull.ac.uk>:
>> Hi,
>> 
>> I currently use a mysql database to authenticate our wired and wireless
>> network users. At the moment, if we detect an infected machine on our campus
>> network, we change the radius password of that user and block network access
>> until they've fixed their machine. What we'd like to do is change this
>> slightly so that we block their access from the infected machine but allow
>> them access from any other one.
>> 
>> What I've currently got is an authBy SQL statement with
>> 
>> AuthSelect Select password from subscribers where username=%0
>> 
>> AuthColumnDef 0,User-Password,check
>> 
>> 
>> I'm sort of thinking that I could meet the extra requirement of blocking access
>> from a specific mac address with an authby group consisting of two authby sql
>> statements.
>> 
>> Statement 1 would check for the presence of the calling station mac address
>> in a table called blockedmacs. If it exists, send an access-reject. If it
>> doesn't, drop down to
>> 
>> Statement 2 which implements the authby statement outlined above.
>> 
>> My only problem is the 1st authby clause in the group. If I use a
>> continueWhileAccept statement to define whether to drop through to the second
>> authby statement I need to have the 1st authby statement return an access
>> accept if the mac address isn't in the blockedmacs table, which is the
>> opposite of what it would do normally.
>> 
>> 
>> How would I implement the 1st authby statement?
>> 
>> Rgds
>> Alex
>> 
>> 
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>> 
> 
> 
> 
> -- 
> Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
> rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.




