[RADIATOR] evaluation - Checkby syntax
Robb Pfrank
robb at headlandstech.com
Thu Apr 5 08:12:59 CDT 2012
Hugh,
I attempted to use the config provided but the handler is not picking my device up. I have specified to specific IP address instead of DEFAULT, this did not seem to work either.
Thu Apr 5 09:09:57 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
Thu Apr 5 09:09:57 2012: DEBUG: Finished reading configuration file 'simple.cfg'
This Radiator license will expire on 2012-08-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au
Thu Apr 5 09:09:57 2012: DEBUG: Reading dictionary file './dictionary'
Thu Apr 5 09:09:57 2012: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Apr 5 09:09:57 2012: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Apr 5 09:09:57 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
*** Received from 10.2.120.150 port 36248 ....
Code: Access-Request
Identifier: 185
Authentic: M<18>A(<17>_H<194>B<159><196>?<247>,ag
Attributes:
User-Name = "robert"
User-Password = "<210>J<242>Q<241>c^O<30><185>sm2<194><253>
NAS-Port-Id = "ttyS0"
Service-Type = NAS-Prompt-User
NAS-Port = 0
NAS-IP-Address = 10.2.120.150
Thu Apr 5 09:10:31 2012: DEBUG: Handling request with Handler '', Identifier ''
Thu Apr 5 09:10:31 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
Thu Apr 5 09:10:31 2012: DEBUG: Handling with AuthINTERNAL: RejectAuthAcceptAcct
Thu Apr 5 09:10:31 2012: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by AuthResult
Thu Apr 5 09:10:31 2012: INFO: Access rejected for robert: Fixed by AuthResult
Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
*** Sending to 10.2.120.150 port 36248 ....
Code: Access-Reject
Identifier: 185
Authentic: g<182>'A/jRt]5<30><240><160><27>O<170>
Attributes:
Reply-Message = "Request Denied"
<Client 10.2.120.150>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<AuthBy SYSTEM>
Identifier SystemAuthentication
</AuthBy>
<AuthBy FILE>
Identifier GroupAuthentication
Filename %D/users
</AuthBy>
<AuthBy INTERNAL>
Identifier RejectAuthAcceptAcct
AuthResult REJECT
AcctResult ACCEPT
</AuthBy>
<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
AuthByPolicy ContinueWhileAccept
AuthBy GroupAuthentication
AuthBy SystemAuthentication
</Handler>
<Handler>
AuthBy RejectAuthAcceptAcct
</Handler>
<ServerHTTP>
Port 8100
DefaultPrivilegeLevel 15
</ServerHTTP>
Robb Pfrank
Office +1 (312) 601-8647
robb at headlandstech.com
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, April 03, 2012 7:24 PM
To: Robb Pfrank
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] evaluation - Checkby syntax
Hello Robb -
You would do something like the following:
SIMPLE.CFG
Foreground
LogStdout
LogDir .
DbDir .
# User a lower trace level in production systems:
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
# You will probably want to add other Clients to suit your site, # one for each NAS you want to work with
<Client 1.1.1.1>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<Client 2.2.2.2>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<Client 3.3.3.3>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
......
<AuthBy SYSTEM>
Identifier SystemAuthentication
</AuthBy>
<AuthBy FILE>
Identifier GroupAuthentication
Filename %D/users.group
</AuthBy>
<AuthBy INTERNAL>
Identifier RejectAuthAcceptAcct
AuthResult REJECT
AcctResult ACCEPT
</AuthBy>
<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
AuthByPolicy ContnueWhileAccept
AuthBy GroupAuthentication
AuthBy SystemAuthentication
</Handler>
<Handler>
AuthBy RejectAuthAcceptAcct
</Handler>
The contents of the file "users.group" would look like this:
# users.group
DEFAULT Auth-Type = SystemAuthentication, Group = netadm
BTW - there are a great many example configuration files in the "goodies" directory of the Radiator distribution.
Hope that helps.
regards
Hugh
On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
> I am evaluating radiator and would like to setup authentication using linux username & passwords as well as another type of check to allow access. For instance check if the user is part of a particular group before having their login accepted. Specifically I want to limit networking equipment access to users in the netadm group, I am running this on fedora 12. Below is my simple.cfg for testing, everything else works fine but I am having trouble interpreting the documentation for tiered authentication. Thank you for your assistance.
>
>
>
> SIMPLE.CFG
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> # User a lower trace level in production systems:
> Trace 4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> # You will probably want to add other Clients to suit your site, # one
> for each NAS you want to work with <Client>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Client DEFAULT>
> Secret mysecret
> </Client>
>
> <Realm>
> <AuthBy UNIX>
> Identifier System
> Filename /etc/shadow
> #Filename /etc/passwd
> GroupFilename /etc/group
> # Log accounting to a detail file
> AcctLogFileName /etc/radiator/radiator.log
> <ServerHTTP>
> Port 8100
> DefaultPrivilegeLevel 15
> </ServerHTTP>
> </Realm>
>
>
> Current output checking Linux /etc/passwd file, need to add group or some other type of identifier mechanism to the check.
>
> Tue Apr 3 15:28:12 2012: ERR: Could not resolve an address for Client
> Tue Apr 3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in
> simple.cfg line 65 Tue Apr 3 15:28:13 2012: DEBUG: Creating
> StreamServer tcp port 0.0.0.0:8100 Tue Apr 3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
> This Radiator license will expire on 2012-08-01 This Radiator license
> will stop operating after 1000 requests To purchase an unlimited full
> source version of Radiator, see http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au Tue Apr 3
> 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port
> 0.0.0.0:1645 Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication
> port 0.0.0.0:1812 Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting
> port 0.0.0.0:1646 Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting
> port 0.0.0.0:1813 Tue Apr 3 15:28:13 2012: NOTICE: Server started:
> Radiator 4..9 on sec-l-adm02 (LOCKED) Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 56193 ....
> Code: Access-Request
> Identifier: 64
> Authentic:
> <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
> Attributes:
> User-Name = "robert"
> User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
> NAS-Port-Id = "ttyS0"
> Service-Type = NAS-Prompt-User
> NAS-Port = 0
> NAS-IP-Address = 10.2.120.150
> Tue Apr 3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=', Identifier ''
> Tue Apr 3 15:28:34 2012: DEBUG: Deleting session for robert,
> 10.2.120.150, 0 Tue Apr 3 15:28:34 2012: DEBUG: Handling with
> Radius::AuthUNIX: System Tue Apr 3 15:28:34 2012: DEBUG: Reading
> group file /etc/group Tue Apr 3 15:28:34 2012: DEBUG:
> Radius::AuthUNIX looks for match with robert [robert] Tue Apr 3
> 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert] Tue
> Apr 3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT, Tue Apr 3
> 15:28:34 2012: DEBUG: Access accepted for robert Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
> *** Sending to 10.2.120.150 port 56193 ....
> Code: Access-Accept
> Identifier: 64
> Authentic: k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
> Attributes:
>
>
>
>
> Robb Pfrank
> Office +1 (312) 601-8647
> robb at headlandstech.com
>
>
>
>
>
> The contents of this message (including any attachment(s)) may be
> privileged and confidential and is intended solely for the private use
> of the intended recipient(s). If you are not the intended recipient or
> have received this message in error, please notify the sender
> immediately and delete the message. You should not disseminate,
> distribute or copy this message without the permission of the author. This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
The contents of this message (including any attachment(s)) may be privileged and confidential and is intended solely for the private use of the intended recipient(s). If you are not the intended recipient or have received this message in error, please notify the sender immediately and delete the message. You should not disseminate, distribute or copy this message without the permission of the author. This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.
More information about the radiator
mailing list