[RADIATOR] evaluation - Checkby syntax

Robb Pfrank robb at headlandstech.com
Wed Apr 11 11:29:16 CDT 2012


Could I just add Group to the handler to require both the correct group, users, and the unix password from /etc/shadow to match?  I tried this out and got the below message.


<Handler Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User, Group = users>
        AuthByPolicy ContinueUntilReject
        AuthBy GroupAuthentication
        AuthBy SystemAuthentication
</Handler>

sec-l-adm02 radiator # /usr/local/bin/radiusd -config_file simple.cfg
Wed Apr 11 12:23:39 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
Wed Apr 11 12:23:39 2012: DEBUG: Finished reading configuration file 'simple.cfg'
This Radiator license will expire on 2012-08-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au

Wed Apr 11 12:23:39 2012: DEBUG: Reading dictionary file './dictionary'
Wed Apr 11 12:23:39 2012: DEBUG: Creating authentication port 0.0.0.0:1812
Wed Apr 11 12:23:39 2012: DEBUG: Creating accounting port 0.0.0.0:1813
Wed Apr 11 12:23:39 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
Wed Apr 11 12:23:48 2012: DEBUG: Packet dump:
*** Received from 10.2.120.150 port 46200 ....
Code:       Access-Request
Identifier: 252
Authentic:  p@<235><239><188><242><222><135>)|Q<213>hz<168><250>
Attributes:
        User-Name = "robert"
        User-Password = d<225><215>YU<149><174>V<160><3><246>wI><142>F
        NAS-Port-Id = "ttyS0"
        Service-Type = NAS-Prompt-User
        NAS-Port = 0
        NAS-IP-Address = 10.2.120.150

Can't locate object method "userIsInGroup" via package "Radius::Handler" at /usr/local/lib/perl5/site_perl/5.10.0/Radius/AuthGeneric.pm line 1707.
        ...caught at /usr/local/bin/radiusd line 5.


Robb Pfrank
Office +1 (312) 601-8647
robb at headlandstech.com



-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, April 05, 2012 6:58 PM
To: Robb Pfrank
Cc: radiator at open.com.au List
Subject: Re: [RADIATOR] evaluation - Checkby syntax


Hello Robb -

As Heikki rightly says, you will need to alter the Handler definition to match what is actually in the incoming request.

It is always essential to study the contents of the incoming requests with a trace 4 debug so you can see exactly what is happening.

My example was just that - an example showing how I tend to structure Radiator configuration files.

regards

Hugh


On 6 Apr 2012, at 02:46, Heikki Vatiainen wrote:

> On 04/05/2012 04:12 PM, Robb Pfrank wrote:
>
> Hello Robb,
>
>> I attempted to use the config provided but the handler is not picking my device up.  I have specified to specific IP address instead of DEFAULT, this did not seem to work either.
>
> Try this:
> <Handler Client-Identifier = NetworkEquipment, Service-Type =
> NAS-Prompt-User>
>
> instead of this:
>
> <Handler Client-Identifier = NetworkEquipment, Service-Type =
> Login-User>
>
> Now it fails to match the Handler because Service-Type is different in
> the request than in the Handler's checklist.
>
> Heikki
>
>
>> Thu Apr  5 09:09:57 2012: DEBUG: Creating StreamServer tcp port
>> 0.0.0.0:8100 Thu Apr  5 09:09:57 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>> This Radiator license will expire on 2012-08-01 This Radiator license
>> will stop operating after 1000 requests To purchase an unlimited full
>> source version of Radiator, see http://www.open.com.au/ordering.html
>> To extend your license period, contact admin at open.com.au
>>
>> Thu Apr  5 09:09:57 2012: DEBUG: Reading dictionary file './dictionary'
>> Thu Apr  5 09:09:57 2012: DEBUG: Creating authentication port
>> 0.0.0.0:1812 Thu Apr  5 09:09:57 2012: DEBUG: Creating accounting
>> port 0.0.0.0:1813 Thu Apr  5 09:09:57 2012: NOTICE: Server started:
>> Radiator 4.9 on sec-l-adm02 (LOCKED) Thu Apr  5 09:10:31 2012: DEBUG: Packet dump:
>> *** Received from 10.2.120.150 port 36248 ....
>> Code:       Access-Request
>> Identifier: 185
>> Authentic:  M<18>A(<17>_H<194>B<159><196>?<247>,ag
>> Attributes:
>>        User-Name = "robert"
>>        User-Password = "<210>J<242>Q<241>c^O<30><185>sm2<194><253>
>>        NAS-Port-Id = "ttyS0"
>>        Service-Type = NAS-Prompt-User
>>        NAS-Port = 0
>>        NAS-IP-Address = 10.2.120.150
>>
>> Thu Apr  5 09:10:31 2012: DEBUG: Handling request with Handler '', Identifier ''
>> Thu Apr  5 09:10:31 2012: DEBUG:  Deleting session for robert,
>> 10.2.120.150, 0 Thu Apr  5 09:10:31 2012: DEBUG: Handling with
>> AuthINTERNAL: RejectAuthAcceptAcct Thu Apr  5 09:10:31 2012: DEBUG:
>> AuthBy INTERNAL result: REJECT, Fixed by AuthResult Thu Apr  5
>> 09:10:31 2012: INFO: Access rejected for robert: Fixed by AuthResult Thu Apr  5 09:10:31 2012: DEBUG: Packet dump:
>> *** Sending to 10.2.120.150 port 36248 ....
>> Code:       Access-Reject
>> Identifier: 185
>> Authentic:  g<182>'A/jRt]5<30><240><160><27>O<170>
>> Attributes:
>>        Reply-Message = "Request Denied"
>>
>>
>>
>>
>> <Client 10.2.120.150>
>>        Identifier NetworkEquipment
>>        Secret  mysecret
>>        DupInterval 0
>> </Client>
>>
>>
>> <AuthBy SYSTEM>
>>        Identifier SystemAuthentication </AuthBy>
>>
>> <AuthBy FILE>
>>        Identifier GroupAuthentication
>>        Filename %D/users
>> </AuthBy>
>>
>> <AuthBy INTERNAL>
>>        Identifier RejectAuthAcceptAcct
>>        AuthResult REJECT
>>        AcctResult ACCEPT
>> </AuthBy>
>>
>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>>        AuthByPolicy ContinueWhileAccept
>>        AuthBy GroupAuthentication
>>        AuthBy SystemAuthentication
>> </Handler>
>>
>> <Handler>
>>        AuthBy RejectAuthAcceptAcct
>> </Handler>
>>
>> <ServerHTTP>
>>        Port  8100
>>        DefaultPrivilegeLevel 15
>> </ServerHTTP>
>>
>> Robb Pfrank
>> Office +1 (312) 601-8647
>> robb at headlandstech.com
>>
>>
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Tuesday, April 03, 2012 7:24 PM
>> To: Robb Pfrank
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] evaluation - Checkby syntax
>>
>>
>> Hello Robb -
>>
>> You would do something like the following:
>>
>>
>> SIMPLE.CFG
>>
>> Foreground
>> LogStdout
>> LogDir          .
>> DbDir           .
>> # User a lower trace level in production systems:
>> Trace           4
>>
>> AuthPort        1645,1812
>> AcctPort        1646,1813
>>
>> # You will probably want to add other Clients to suit your site, #
>> one for each NAS you want to work with
>>
>> <Client 1.1.1.1>
>>      Identifier NetworkEquipment
>>        Secret  mysecret
>>        DupInterval 0
>> </Client>
>>
>> <Client 2.2.2.2>
>>      Identifier NetworkEquipment
>>        Secret  mysecret
>>        DupInterval 0
>> </Client>
>>
>> <Client 3.3.3.3>
>>      Identifier NetworkEquipment
>>        Secret  mysecret
>>        DupInterval 0
>> </Client>
>>
>> ......
>>
>> <AuthBy SYSTEM>
>>      Identifier SystemAuthentication
>> </AuthBy>
>>
>> <AuthBy FILE>
>>      Identifier GroupAuthentication
>>      Filename %D/users.group
>> </AuthBy>
>>
>> <AuthBy INTERNAL>
>>      Identifier RejectAuthAcceptAcct
>>      AuthResult REJECT
>>      AcctResult ACCEPT
>> </AuthBy>
>>
>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>>      AuthByPolicy ContnueWhileAccept
>>      AuthBy GroupAuthentication
>>      AuthBy SystemAuthentication
>> </Handler>
>>
>> <Handler>
>>      AuthBy RejectAuthAcceptAcct
>> </Handler>
>>
>>
>> The contents of the file "users.group" would look like this:
>>
>> # users.group
>>
>> DEFAULT Auth-Type = SystemAuthentication, Group = netadm
>>
>>
>> BTW - there are a great many example configuration files in the "goodies" directory of the Radiator distribution.
>>
>> Hope that helps.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>>
>> On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
>>
>>> I am evaluating radiator and would like to setup authentication using linux username & passwords as well as another type of check to allow access.  For instance check if the user is part of a particular group before having their login accepted.  Specifically I want to limit networking equipment access to users in the netadm group, I am running this on fedora 12.   Below is my simple.cfg for testing, everything else works fine but I am having trouble interpreting the documentation for tiered authentication.  Thank you for your assistance.
>>>
>>>
>>>
>>> SIMPLE.CFG
>>>
>>> Foreground
>>> LogStdout
>>> LogDir          .
>>> DbDir           .
>>> # User a lower trace level in production systems:
>>> Trace           4
>>>
>>> AuthPort        1645,1812
>>> AcctPort        1646,1813
>>>
>>> # You will probably want to add other Clients to suit your site, #
>>> one for each NAS you want to work with <Client>
>>>        Secret  mysecret
>>>        DupInterval 0
>>> </Client>
>>>
>>> <Client DEFAULT>
>>>        Secret  mysecret
>>> </Client>
>>>
>>> <Realm>
>>>        <AuthBy UNIX>
>>>        Identifier System
>>>        Filename /etc/shadow
>>>        #Filename /etc/passwd
>>>        GroupFilename /etc/group
>>>        # Log accounting to a detail file
>>>        AcctLogFileName /etc/radiator/radiator.log
>>>        <ServerHTTP>
>>>                Port  8100
>>>                DefaultPrivilegeLevel 15
>>>        </ServerHTTP>
>>> </Realm>
>>>
>>>
>>> Current output checking Linux /etc/passwd file, need to add group or some other type of identifier mechanism to the check.
>>>
>>> Tue Apr  3 15:28:12 2012: ERR: Could not resolve an address for
>>> Client Tue Apr  3 15:28:12 2012: ERR: Unknown keyword
>>> 'AcctLogFileName' in simple.cfg line 65 Tue Apr  3 15:28:13 2012:
>>> DEBUG: Creating StreamServer tcp port 0.0.0.0:8100 Tue Apr  3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>>> This Radiator license will expire on 2012-08-01 This Radiator
>>> license will stop operating after 1000 requests To purchase an
>>> unlimited full source version of Radiator, see
>>> http://www.open.com.au/ordering.html
>>> To extend your license period, contact admin at open.com.au Tue Apr  3
>>> 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
>>> Tue Apr  3 15:28:13 2012: DEBUG: Creating authentication port
>>> 0.0.0.0:1645 Tue Apr  3 15:28:13 2012: DEBUG: Creating
>>> authentication port 0.0.0.0:1812 Tue Apr  3 15:28:13 2012: DEBUG:
>>> Creating accounting port 0.0.0.0:1646 Tue Apr  3 15:28:13 2012:
>>> DEBUG: Creating accounting port 0.0.0.0:1813 Tue Apr  3 15:28:13 2012: NOTICE: Server started:
>>> Radiator 4..9 on sec-l-adm02 (LOCKED) Tue Apr  3 15:28:34 2012: DEBUG: Packet dump:
>>> *** Received from 10.2.120.150 port 56193 ....
>>> Code:       Access-Request
>>> Identifier: 64
>>> Authentic:
>>> <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
>>> Attributes:
>>>        User-Name = "robert"
>>>        User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
>>>        NAS-Port-Id = "ttyS0"
>>>        Service-Type = NAS-Prompt-User
>>>        NAS-Port = 0
>>>        NAS-IP-Address = 10.2.120.150 Tue Apr  3 15:28:34 2012:
>>> DEBUG: Handling request with Handler 'Realm=', Identifier ''
>>> Tue Apr  3 15:28:34 2012: DEBUG:  Deleting session for robert,
>>> 10.2.120.150, 0 Tue Apr  3 15:28:34 2012: DEBUG: Handling with
>>> Radius::AuthUNIX: System Tue Apr  3 15:28:34 2012: DEBUG: Reading
>>> group file /etc/group Tue Apr  3 15:28:34 2012: DEBUG:
>>> Radius::AuthUNIX looks for match with robert [robert] Tue Apr  3
>>> 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert] Tue
>>> Apr  3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT, Tue Apr  3
>>> 15:28:34 2012: DEBUG: Access accepted for robert Tue Apr  3 15:28:34 2012: DEBUG: Packet dump:
>>> *** Sending to 10.2.120.150 port 56193 ....
>>> Code:       Access-Accept
>>> Identifier: 64
>>> Authentic:  k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
>>> Attributes:
>>>
>>>
>>>
>>>
>>> Robb Pfrank
>>> Office +1 (312) 601-8647
>>> robb at headlandstech.com
>>>
>>>
>>>
>>>
>>>
>>> The contents of this message (including any attachment(s)) may be
>>> privileged and confidential and is intended solely for the private
>>> use of the intended recipient(s). If you are not the intended
>>> recipient or have received this message in error, please notify the
>>> sender immediately and delete the message. You should not
>>> disseminate, distribute or copy this message without the permission of the author. This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>>
>>
>>
>> The contents of this message (including any attachment(s)) may be privileged and confidential and is intended solely for the private use of the intended recipient(s). If you are not the intended recipient or have received this message in error, please notify the sender immediately and delete the message. You should not disseminate, distribute or copy this message without the permission of the author.  This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
> TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.




The contents of this message (including any attachment(s)) may be privileged and confidential and is intended solely for the private use of the intended recipient(s). If you are not the intended recipient or have received this message in error, please notify the sender immediately and delete the message. You should not disseminate, distribute or copy this message without the permission of the author.  This message cannot in any way bind Headlands Technologies LLC or any affiliate to any contract or other obligation.



More information about the radiator mailing list