Hello,

> On 25 Apr 2017, at 15.12, Jakub Kalnik <jakub.kal...@vsb.cz> wrote:
> 
> We use <AuthBy File> clause to implement user blacklist. Would you mind
> adding another option into this clause which enables case insensitive
> username check? We generate multiple case usernames into authfile now
> which is obviously not very optimal (or 100% working).
> 

ack, there’s already a configuration option CaseInsensitivePasswords, so
a corresponding one for username could be added in future.

https://www.open.com.au/radiator/ref/CaseInsensitivePasswords.html#CaseInsensitivePasswords

> I am asking for this because we use PEAP-MSCHAPv2 as the main
> authentication method. We have tried the option "RewriteUsername" in
> <AuthBy GROUP> clause but this option broke the authentication. Probably
> because of MSCHAPv2 checksums creation as mentioned in
> https://lists.open.com.au/pipermail/radiator/2008-December/015242.html
> 
> Here is the blacklist implementation:
> 
> <AuthBy FILE>
>        Identifier                      check_users
>        NoCheckPassword
>        NoEAP
>        NoDefault
>        Blacklist
>        Filename                        /etc/radiator/utils/blacklistUsers.txt
> </AuthBy>
> 

you can also use the following combination:

# AuthBy for blacklisting
<AuthBy GROUP>
    Identifier AuthBy-Blacklist

    # Require all AuthBys to accept
    # ref: https://www.open.com.au/radiator/ref/AuthByPolicy_AuthByGROUP.html#AuthByPolicy_AuthByGROUP
    AuthByPolicy ContinueWhileAccept

    # Add a pseudo attribute containing the lowercase username
    <AuthBy INTERNAL>
        Identifier Authby-lower-case-Username

        # A hook that adds a pseudo attribute User-Name-lc,
        # the lowercase form of User-Name (User-Name itself is left untouched)
        AuthHook sub { $_[0]->add_attr('User-Name-lc', lc($_[0]->get_attr('User-Name'))); }

        # Accept everything
        DefaultResult accept
    </AuthBy>

    # Blacklist lookup
    <AuthBy FILE>
        Identifier AuthBy-Blacklist-File

        NoCheckPassword
        NoEAP
        NoDefault

        Blacklist

        # Use the pseudo attribute User-Name-lc as the username to look up
        AuthenticateAttribute User-Name-lc

        Filename /etc/radiator/utils/blacklistUsers.txt
    </AuthBy>
</AuthBy>


BR
--
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
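The following is an added stand-alone simulation, not Radiator code and not part of the original thread: it models the ContinueWhileAccept chain above (an INTERNAL step that adds a lowercase User-Name-lc pseudo attribute, followed by a FILE step in Blacklist mode keyed on that attribute) so the behaviour can be checked offline. The Request class, the file parser, the policy loop and the sample blacklist contents are all constructed for this example. It also covers the caveat a deployer needs: the lookup compares the lowercased attribute against the file entries as literal strings, so the blacklist file itself must contain lowercase entries (the script normalizes them on load, where a real file would simply be written in lowercase). Because User-Name is never rewritten, the peer's MSCHAPv2 response, which hashes the original username into the challenge (RFC 2759), still verifies, which is why this avoids the RewriteUsername breakage mentioned in the quoted message.

```python
"""Simulated case-insensitive blacklist check (added example, not Radiator code).

Models the <AuthBy GROUP> ... ContinueWhileAccept chain from the post:
an INTERNAL step adds a lowercase pseudo attribute User-Name-lc, then a
FILE step with Blacklist rejects any request whose chosen attribute is
listed in the file.  Request, parser and policy loop are stand-ins.
"""
from dataclasses import dataclass, field

# Constructed sample of /etc/radiator/utils/blacklistUsers.txt contents.
# AuthBy FILE format: username first, optional check items after it.
BLACKLIST_FILE = """\
# blocked accounts (constructed sample, deliberately mixed case)
alice
Bob        Password = ignored
CAROL@example.org
"""


@dataclass
class Request:
    """Minimal stand-in for a Radiator request with add_attr/get_attr."""
    attrs: dict = field(default_factory=dict)

    def add_attr(self, name, value):
        self.attrs[name] = value

    def get_attr(self, name):
        return self.attrs.get(name)


def load_blacklist(text, normalize):
    """Parse AuthBy FILE style lines: the first token is the username.
    normalize=True lowercases entries on load; a real file must simply be
    written in lowercase, because the lookup is a literal string match."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user = line.split(None, 1)[0]
        users.add(user.lower() if normalize else user)
    return users


def authby_lowercase(req):
    """The AuthBy INTERNAL hook: add User-Name-lc, leave User-Name alone, accept."""
    req.add_attr("User-Name-lc", req.get_attr("User-Name").lower())
    return "ACCEPT"


def make_authby_blacklist(users, attribute):
    """AuthBy FILE with Blacklist: reject if the chosen attribute is listed."""
    def authby(req):
        return "REJECT" if req.get_attr(attribute) in users else "ACCEPT"
    return authby


def authby_group(req, chain):
    """AuthByPolicy ContinueWhileAccept: stop at the first non-accept result."""
    result = "ACCEPT"
    for authby in chain:
        result = authby(req)
        if result != "ACCEPT":
            break
    return result


def check(username, normalize_file=True, use_pseudo=True):
    """Run one login through the chain; use_pseudo=False models the
    original exact-match setup, normalize_file=False a mixed-case file."""
    users = load_blacklist(BLACKLIST_FILE, normalize_file)
    attribute = "User-Name-lc" if use_pseudo else "User-Name"
    chain = [authby_lowercase, make_authby_blacklist(users, attribute)]
    return authby_group(Request({"User-Name": username}), chain)


if __name__ == "__main__":
    # Original exact-match setup: a mixed-case login is not caught
    print("Alice, exact match:", check("Alice", normalize_file=False, use_pseudo=False))
    # Pseudo attribute but file still mixed case: "Bob" entry never matches
    print("bob, unnormalized file:", check("bob", normalize_file=False))
    # Pseudo attribute plus lowercase file: every spelling is caught
    print("Carol@Example.ORG:", check("Carol@Example.ORG"))
    print("dave (not listed):", check("dave"))
```

Running the script shows the three cases in order: the exact-match setup lets `Alice` through, the pseudo attribute alone still misses a `Bob` entry left in mixed case, and only the combination of User-Name-lc with a lowercase file rejects every spelling while unlisted users are still accepted.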
