[RADIATOR] evaluation - Checkby syntax
Hugh Irvine
hugh at open.com.au
Thu Apr 5 18:58:06 CDT 2012
Hello Robb -
As Heikki rightly says, you will need to alter the Handler definition to match what is actually in the incoming request.
It is always essential to study the contents of the incoming requests with a trace 4 debug so you can see exactly what is happening.
My example was just that - an example showing how I tend to structure Radiator configuration files.
regards
Hugh
On 6 Apr 2012, at 02:46, Heikki Vatiainen wrote:
> On 04/05/2012 04:12 PM, Robb Pfrank wrote:
>
> Hello Robb,
>
>> I attempted to use the config provided but the handler is not picking my device up. I have specified to specific IP address instead of DEFAULT, this did not seem to work either.
>
> Try this:
> <Handler Client-Identifier = NetworkEquipment, Service-Type =
> NAS-Prompt-User>
>
> instead of this:
>
> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>
> Now it fails to match the Handler because Service-Type is different in
> the request than in the Handler's checklist.
>
> Heikki
>
>
>> Thu Apr 5 09:09:57 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
>> Thu Apr 5 09:09:57 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>> This Radiator license will expire on 2012-08-01
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see
>> http://www.open.com.au/ordering.html
>> To extend your license period, contact admin at open.com.au
>>
>> Thu Apr 5 09:09:57 2012: DEBUG: Reading dictionary file './dictionary'
>> Thu Apr 5 09:09:57 2012: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Apr 5 09:09:57 2012: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Apr 5 09:09:57 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
>> Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
>> *** Received from 10.2.120.150 port 36248 ....
>> Code: Access-Request
>> Identifier: 185
>> Authentic: M<18>A(<17>_H<194>B<159><196>?<247>,ag
>> Attributes:
>> User-Name = "robert"
>> User-Password = "<210>J<242>Q<241>c^O<30><185>sm2<194><253>
>> NAS-Port-Id = "ttyS0"
>> Service-Type = NAS-Prompt-User
>> NAS-Port = 0
>> NAS-IP-Address = 10.2.120.150
>>
>> Thu Apr 5 09:10:31 2012: DEBUG: Handling request with Handler '', Identifier ''
>> Thu Apr 5 09:10:31 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
>> Thu Apr 5 09:10:31 2012: DEBUG: Handling with AuthINTERNAL: RejectAuthAcceptAcct
>> Thu Apr 5 09:10:31 2012: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by AuthResult
>> Thu Apr 5 09:10:31 2012: INFO: Access rejected for robert: Fixed by AuthResult
>> Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
>> *** Sending to 10.2.120.150 port 36248 ....
>> Code: Access-Reject
>> Identifier: 185
>> Authentic: g<182>'A/jRt]5<30><240><160><27>O<170>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>>
>>
>> <Client 10.2.120.150>
>> Identifier NetworkEquipment
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>>
>> <AuthBy SYSTEM>
>> Identifier SystemAuthentication
>> </AuthBy>
>>
>> <AuthBy FILE>
>> Identifier GroupAuthentication
>> Filename %D/users
>> </AuthBy>
>>
>> <AuthBy INTERNAL>
>> Identifier RejectAuthAcceptAcct
>> AuthResult REJECT
>> AcctResult ACCEPT
>> </AuthBy>
>>
>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>> AuthByPolicy ContinueWhileAccept
>> AuthBy GroupAuthentication
>> AuthBy SystemAuthentication
>> </Handler>
>>
>> <Handler>
>> AuthBy RejectAuthAcceptAcct
>> </Handler>
>>
>> <ServerHTTP>
>> Port 8100
>> DefaultPrivilegeLevel 15
>> </ServerHTTP>
>>
>> Robb Pfrank
>> Office +1 (312) 601-8647
>> robb at headlandstech.com
>>
>>
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Tuesday, April 03, 2012 7:24 PM
>> To: Robb Pfrank
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] evaluation - Checkby syntax
>>
>>
>> Hello Robb -
>>
>> You would do something like the following:
>>
>>
>> SIMPLE.CFG
>>
>> Foreground
>> LogStdout
>> LogDir .
>> DbDir .
>> # User a lower trace level in production systems:
>> Trace 4
>>
>> AuthPort 1645,1812
>> AcctPort 1646,1813
>>
>> # You will probably want to add other Clients to suit your site, # one for each NAS you want to work with
>>
>> <Client 1.1.1.1>
>> Identifier NetworkEquipment
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>> <Client 2.2.2.2>
>> Identifier NetworkEquipment
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>> <Client 3.3.3.3>
>> Identifier NetworkEquipment
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>> ......
>>
>> <AuthBy SYSTEM>
>> Identifier SystemAuthentication
>> </AuthBy>
>>
>> <AuthBy FILE>
>> Identifier GroupAuthentication
>> Filename %D/users.group
>> </AuthBy>
>>
>> <AuthBy INTERNAL>
>> Identifier RejectAuthAcceptAcct
>> AuthResult REJECT
>> AcctResult ACCEPT
>> </AuthBy>
>>
>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>> AuthByPolicy ContnueWhileAccept
>> AuthBy GroupAuthentication
>> AuthBy SystemAuthentication
>> </Handler>
>>
>> <Handler>
>> AuthBy RejectAuthAcceptAcct
>> </Handler>
>>
>>
>> The contents of the file "users.group" would look like this:
>>
>> # users.group
>>
>> DEFAULT Auth-Type = SystemAuthentication, Group = netadm
>>
>>
>> BTW - there are a great many example configuration files in the "goodies" directory of the Radiator distribution.
>>
>> Hope that helps.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>>
>> On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
>>
>>> I am evaluating radiator and would like to setup authentication using linux username & passwords as well as another type of check to allow access. For instance check if the user is part of a particular group before having their login accepted. Specifically I want to limit networking equipment access to users in the netadm group, I am running this on fedora 12. Below is my simple.cfg for testing, everything else works fine but I am having trouble interpreting the documentation for tiered authentication. Thank you for your assistance.
>>>
>>>
>>>
>>> SIMPLE.CFG
>>>
>>> Foreground
>>> LogStdout
>>> LogDir .
>>> DbDir .
>>> # User a lower trace level in production systems:
>>> Trace 4
>>>
>>> AuthPort 1645,1812
>>> AcctPort 1646,1813
>>>
>>> # You will probably want to add other Clients to suit your site, # one
>>> for each NAS you want to work with <Client>
>>> Secret mysecret
>>> DupInterval 0
>>> </Client>
>>>
>>> <Client DEFAULT>
>>> Secret mysecret
>>> </Client>
>>>
>>> <Realm>
>>> <AuthBy UNIX>
>>> Identifier System
>>> Filename /etc/shadow
>>> #Filename /etc/passwd
>>> GroupFilename /etc/group
>>> # Log accounting to a detail file
>>> AcctLogFileName /etc/radiator/radiator.log
>>> <ServerHTTP>
>>> Port 8100
>>> DefaultPrivilegeLevel 15
>>> </ServerHTTP>
>>> </Realm>
>>>
>>>
>>> Current output checking Linux /etc/passwd file, need to add group or some other type of identifier mechanism to the check.
>>>
>>> Tue Apr 3 15:28:12 2012: ERR: Could not resolve an address for Client
>>> Tue Apr 3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in
>>> simple.cfg line 65 Tue Apr 3 15:28:13 2012: DEBUG: Creating
>>> StreamServer tcp port 0.0.0.0:8100 Tue Apr 3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>>> This Radiator license will expire on 2012-08-01 This Radiator license
>>> will stop operating after 1000 requests To purchase an unlimited full
>>> source version of Radiator, see http://www.open.com.au/ordering.html
>>> To extend your license period, contact admin at open.com.au Tue Apr 3
>>> 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
>>> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port
>>> 0.0.0.0:1645 Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication
>>> port 0.0.0.0:1812 Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting
>>> port 0.0.0.0:1646 Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting
>>> port 0.0.0.0:1813 Tue Apr 3 15:28:13 2012: NOTICE: Server started:
>>> Radiator 4..9 on sec-l-adm02 (LOCKED) Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
>>> *** Received from 10.2.120.150 port 56193 ....
>>> Code: Access-Request
>>> Identifier: 64
>>> Authentic:
>>> <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
>>> Attributes:
>>> User-Name = "robert"
>>> User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
>>> NAS-Port-Id = "ttyS0"
>>> Service-Type = NAS-Prompt-User
>>> NAS-Port = 0
>>> NAS-IP-Address = 10.2.120.150
>>> Tue Apr 3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=', Identifier ''
>>> Tue Apr 3 15:28:34 2012: DEBUG: Deleting session for robert,
>>> 10.2.120.150, 0 Tue Apr 3 15:28:34 2012: DEBUG: Handling with
>>> Radius::AuthUNIX: System Tue Apr 3 15:28:34 2012: DEBUG: Reading
>>> group file /etc/group Tue Apr 3 15:28:34 2012: DEBUG:
>>> Radius::AuthUNIX looks for match with robert [robert] Tue Apr 3
>>> 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert] Tue
>>> Apr 3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT, Tue Apr 3
>>> 15:28:34 2012: DEBUG: Access accepted for robert Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
>>> *** Sending to 10.2.120.150 port 56193 ....
>>> Code: Access-Accept
>>> Identifier: 64
>>> Authentic: k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
>>> Attributes:
>>>
>>>
>>>
>>>
>>> Robb Pfrank
>>> Office +1 (312) 601-8647
>>> robb at headlandstech.com
>>>
>>>
>>>
>>>
>>>
>>> The contents of this message (including any attachment(s)) may be
>>> privileged and confidential and is intended solely for the private use
>>> of the intended recipient(s). If you are not the intended recipient or
>>> have received this message in error, please notify the sender
>>> immediately and delete the message. You should not disseminate,
>>> distribute or copy this message without the permission of the author. This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>>
>>
>>
>> The contents of this message (including any attachment(s)) may be privileged and confidential and is intended solely for the private use of the intended recipient(s). If you are not the intended recipient or have received this message in error, please notify the sender immediately and delete the message. You should not disseminate, distribute or copy this message without the permission of the author. This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator
mailing list