[RADIATOR] evaluation - Checkby syntax
Hugh Irvine
hugh at open.com.au
Tue Apr 3 19:24:02 CDT 2012
Hello Robb -
You would do something like the following:
SIMPLE.CFG
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 1.1.1.1>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<Client 2.2.2.2>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<Client 3.3.3.3>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
…..
<AuthBy SYSTEM>
Identifier SystemAuthentication
</AuthBy>
<AuthBy FILE>
Identifier GroupAuthentication
Filename %D/users.group
</AuthBy>
<AuthBy INTERNAL>
Identifier RejectAuthAcceptAcct
AuthResult REJECT
AcctResult ACCEPT
</AuthBy>
<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
AuthByPolicy ContinueWhileAccept
AuthBy GroupAuthentication
AuthBy SystemAuthentication
</Handler>
<Handler>
AuthBy RejectAuthAcceptAcct
</Handler>
The contents of the file "users.group" would look like this:
# users.group
DEFAULT Auth-Type = SystemAuthentication, Group = netadm
BTW - there are a great many example configuration files in the "goodies" directory of the Radiator distribution.
Hope that helps.
regards
Hugh
On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
> I am evaluating Radiator and would like to set up authentication using Linux usernames and passwords as well as another type of check to allow access, for instance checking whether the user is part of a particular group before their login is accepted. Specifically, I want to limit networking equipment access to users in the netadm group. I am running this on Fedora 12. Below is my simple.cfg for testing; everything else works fine, but I am having trouble interpreting the documentation for tiered authentication. Thank you for your assistance.
>
>
>
> SIMPLE.CFG
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> # Use a lower trace level in production systems:
> Trace 4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Client DEFAULT>
> Secret mysecret
> </Client>
>
> <Realm>
> <AuthBy UNIX>
> Identifier System
> Filename /etc/shadow
> #Filename /etc/passwd
> GroupFilename /etc/group
> # Log accounting to a detail file
> AcctLogFileName /etc/radiator/radiator.log
> <ServerHTTP>
> Port 8100
> DefaultPrivilegeLevel 15
> </ServerHTTP>
> </Realm>
>
>
> Current output checking Linux /etc/passwd file, need to add group or some other type of identifier mechanism to the check.
>
> Tue Apr 3 15:28:12 2012: ERR: Could not resolve an address for Client
> Tue Apr 3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in simple.cfg line 65
> Tue Apr 3 15:28:13 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
> Tue Apr 3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
> This Radiator license will expire on 2012-08-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
> Tue Apr 3 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1812
> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1813
> Tue Apr 3 15:28:13 2012: NOTICE: Server started: Radiator 4..9 on sec-l-adm02 (LOCKED)
> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 56193 ....
> Code: Access-Request
> Identifier: 64
> Authentic: <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
> Attributes:
> User-Name = "robert"
> User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
> NAS-Port-Id = "ttyS0"
> Service-Type = NAS-Prompt-User
> NAS-Port = 0
> NAS-IP-Address = 10.2.120.150
> Tue Apr 3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=', Identifier ''
> Tue Apr 3 15:28:34 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
> Tue Apr 3 15:28:34 2012: DEBUG: Handling with Radius::AuthUNIX: System
> Tue Apr 3 15:28:34 2012: DEBUG: Reading group file /etc/group
> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX looks for match with robert [robert]
> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert]
> Tue Apr 3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT,
> Tue Apr 3 15:28:34 2012: DEBUG: Access accepted for robert
> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
> *** Sending to 10.2.120.150 port 56193 ....
> Code: Access-Accept
> Identifier: 64
> Authentic: k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
> Attributes:
>
>
>
>
> Robb Pfrank
> Office +1 (312) 601-8647
> robb at headlandstech.com
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
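To make the routing in Hugh's configuration concrete, here is an added Python model (not Radiator code, and not from the Radiator distribution) of how an Access-Request is matched against the two Handlers and evaluated under AuthByPolicy ContinueWhileAccept. The user, password and group tables are constructed stand-ins for /etc/shadow, /etc/group and users.group; Client-Identifier is assumed to have already been filled in from the matching Client clause, and accounting is modelled only for the catch-all Handler.

```python
# Added example, not Radiator code: a small model of how the configuration
# above routes an Access-Request. User, password and group tables below are
# constructed stand-ins for /etc/shadow, /etc/group and users.group.
ACCEPT, REJECT = "ACCEPT", "REJECT"
SYSTEM_USERS = {"robert": "s3cret", "alice": "pa55"}      # constructed
GROUPS = {"netadm": {"robert"}, "users": {"robert", "alice"}}
# users.group: one DEFAULT entry with two check items, as in the reply.
USERS_GROUP = {"DEFAULT": {"Auth-Type": "SystemAuthentication", "Group": "netadm"}}

def auth_system(req):
    """AuthBy SYSTEM: accept only if the password matches the account."""
    ok = SYSTEM_USERS.get(req["User-Name"]) == req.get("User-Password")
    return ACCEPT if ok else REJECT

def auth_file(req):
    """AuthBy FILE: Group is a check item (membership required); Auth-Type
    hands the password check to the named AuthBy."""
    entry = USERS_GROUP.get(req["User-Name"], USERS_GROUP["DEFAULT"])
    if req["User-Name"] not in GROUPS.get(entry["Group"], set()):
        return REJECT
    return AUTHBY[entry["Auth-Type"]](req)

def auth_internal(req):
    """AuthBy INTERNAL with AuthResult REJECT, AcctResult ACCEPT."""
    return ACCEPT if req["Code"] == "Accounting-Request" else REJECT

AUTHBY = {"SystemAuthentication": auth_system,
          "GroupAuthentication": auth_file,
          "RejectAuthAcceptAcct": auth_internal}
# Handlers in configuration order: (check items, AuthBy chain).
HANDLERS = [
    ({"Client-Identifier": "NetworkEquipment", "Service-Type": "Login-User"},
     ["GroupAuthentication", "SystemAuthentication"]),
    ({}, ["RejectAuthAcceptAcct"]),  # the catch-all <Handler>
]

def handle(req):
    """First matching Handler wins; AuthByPolicy ContinueWhileAccept then
    runs the chain while each AuthBy returns ACCEPT; the last result counts."""
    for checks, chain in HANDLERS:
        if all(req.get(k) == v for k, v in checks.items()):
            result = REJECT
            for name in chain:
                result = AUTHBY[name](req)
                if result != ACCEPT:
                    break
            return result
    return REJECT
```

A request whose Service-Type is not Login-User (such as the NAS-Prompt-User request in the quoted log) never reaches the first Handler and is rejected by the catch-all, which is worth checking against what the NAS actually sends.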