I am having problems with this.  The problem is that we are using <AuthBy
SQL> for accounting only and <AuthBy UNIX> for the actual authentication, 
followed by a <AuthBy FILE> for secondary authentication. I am using an
AuthByPolicy of ContinueUntilAccept and have all the AuthBy's in one realm
called DEFAULT.

I tried to use your method below in a number of configurations and
although it does seem to be going from the "xyzzy" file to the AuthBy Unix
file, it is not applying any of the group permissions to particular group
members.  I am having quite a bit of difficulty testing this, and have
been using both Simulateous-Use=1 and Session-Timeout=30.

What we want is to be able to set different permissions for particular
members of different groups.  At the same time, we must be able to 
use mySQL accounting.  I do not know if all this is possible.  I am
attaching our radius.cfg file again.  This is including our current
configuration without the new <AuthBy FILE> clause you told me to insert
below.  I am still alittle unclear as to where to put the new <AuthBy
FILE> clause and the <AuthBy UNIX>.  Also, I will attach the rudimentary
"xyzzy" file that I was using?  Am I missing anything?

Oliver Stockhammer
Internet Channel

On Wed, 9 Jun 1999, Mike McCauley wrote:

> Hello Oliver.
> Its very difficult to distinguish between Unix groups of users using Handlers
> or Realm. Handler and realm only have the attributes of the incoming request to
> work with. I think the right answer for you is to set up a users file that
> authenticates through Unix, and uses check and reply items for each group.
> Something like this:
> <Realm DEFAULT>
>       <AuthBy FILE>
>               Filename xyzzy
>       </AuthBy>
> </Realm>
> # This one is used by AuthType=System
> <AuthBy UNIX>
>       Identifier System
>       Filename /etc/passwd
>       GroupFilename /etc/group
> </AuthBy>
> And in the users file xyzzy:
> # Limit of 5 sim-use to anyone in group1
> DEFAULT AuthType=System,Group=group1,Simultaneous-Use=5
> # Limit of 2 sim-use for anyone in group2
> DEFAULT AuthType=System,Group=group2,Simultaneous-Use=2
> etc....
> Hope that helps.
> Cheers.
> On Jun 8, 10:59am, O Stockhammer wrote:
> > Subject: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
> >
> >
> > Hello,
> >     With the flexibility of radiator, I wanted to know if you
> > suggested a method of implementing different session characteristics for
> > different unix group members.  I know we have to use 'check items' but I
> > am unsure of how to insert them in the cfg file.
> >     For example,  we would like to use the 'maxsessions 1' for the
> > 'nodup' unix group, while everyone else coming in should be set to
> > 'maxsessions 5'.  I am hoping to implement this in the radius.cfg file
> > using something like a <Handler> tag.  I am just unsure as to where this
> > info should go in the the actual file.
> >     I have attached part of my current (rudimentary) radius.cfg file.
> > The way we are setup is to have all accounting go to mySQL and
> > authentication first goes off of a UNIX master.passwd file and then to a
> > users file.  Ipass will be a future consideration.
> >     Thanks for your help.
> >
> > Oliver Stockhammer
> > Systems
> > Internet Channel
> >
> > [ Attachment (text/plain): "radius.cfg.partial" 6571 bytes
> >   Character set: US-ASCII
> >   Partial radius.cfg
> >   Encoded with "base64" ]
> >-- End of excerpt from O Stockhammer
> -- 
> Mike McCauley                               [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
> NT, Rhapsody
PidFile /var/log/radius/radiator.pid
LogDir /var/log/radius
DbDir /usr/local/etc/radiusDB

#SnmpgetProg    /usr/bin/snmpget

# This clause defines a single client to listen to
<Client ancillary.inch.com>
        Secret  XXXXXXXX
        NasType TotalControl

# This is on of the USR racks at oldslip for accting only.
        Secret XXXXXXXX
        NasType TotalControl

        Secret XXXXXXXX
        NasType TotalControl

        Secret XXXXXXXX
        NasType TotalControl

        Secret XXXXXXXX
        NasType TotalControl

        Secret XXXXXXXX
        NasType TotalControl

        Secret XXXXXXXX
        NasType TotalControl

        Secret XXXXXXXX
        NasType TotalControl

# For testing: this allows us to honour requests from radpwtst 
# on the same host.
<Client localhost>
        Secret mysecret
        DupInterval 0

        RewriteUsername s/^([^@]+).*/$1/
        AcctLogFileName %L/detail
        AuthByPolicy    ContinueUntilAccept
        <AuthBy SQL>
                DBSource        dbi:mysql:Radiator
                DBUsername      root 
                DBAuth          XXXXXXXX
                # an empty AuthSelect turns off auth
                AccountingTable ACCOUNTING
               AcctColumnDef   USERNAME,User-Name
                AcctColumnDef   CLIENT_ID,Client-Id
               AcctColumnDef   TIME_STAMP,Timestamp,integer
                AcctColumnDef   ACTUAL_TIME,Timestamp,integer-date
               AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
               AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
               AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
               AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
               AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
               AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
               AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
               AcctColumnDef   NAS_IDENTIFIER,Client-Id
               AcctColumnDef   NAS_IP_ADDRESS,NAS-IP-Address
               AcctColumnDef   NAS_PORT,NAS-Port,integer
                AcctColumnDef   NAS_PORT_TYPE,NAS-Port-Type
                AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
                AcctColumnDef   SERVICE_TYPE,Service-Type       
                AcctColumnDef   USR_MODEM_TIME,USR-Modem-Training-Time,integer
                AcctColumnDef   USR_INTERFACE,USR-Interface-Index,integer
                AcctColumnDef   USR_CHASSIS_SLOT,Chassis-Call-Slot,integer
                AcctColumnDef   USR_CHASSIS_SPAN,Chassis-Call-Span,integer
                AcctColumnDef   USR_CHASSIS_CHANNEL,Chassis-Call-Channel,integer
                AcctColumnDef   USR_UNAUTH_TIME,Unauthenticated-Time,integer
                AcctColumnDef   CALLING_STATION_ID,Calling-Station-Id
                AcctColumnDef   CALLED_STATION_ID,Called-Station-Id
                AcctColumnDef   USR_MODULATION_TYPE,Modulation-Type
                AcctColumnDef   USR_SMNP_LEVELS,Simplified-MNP-Levels
                AcctColumnDef   USR_SimplifiedV42BIS_USAGE,Simplified-V42bis-Usage
                AcctColumnDef   USR_CONNECT_SPEED,Connect-Speed
                AcctColumnDef   FRAMED_PROTOCOL,Framed-Protocol
                AcctColumnDef   FRAMED_IP_ADDRESS,Framed-IP-Address
                AcctColumnDef   USR_MP_MRRU,MP-MRRU,integer
                AcctColumnDef   ACCTLINKCOUNT,Acct-Link-Count,integer
                AcctColumnDef   ACCTMULTISESSION_ID,Acct-Multi-Session-Id 
        <AuthBy UNIX>
                Identifier System
                Filename /usr/local/etc/radiusDB/master.passwd
                Match ^([^:]*):([^:]*)  
                GroupFilename /usr/local/etc/radiusDB/group
        </AuthBy UNIX>
        <AuthBy FILE>
        #       The filename defaults to %D/users
                Filename %D/users
        <AuthBy FILE>
                Filename %D/users1
#       <AuthBy IPASS>
#       Debug
#       Config /usr/local/ipass/ipass.cfg
#       Trace /var/log/radius/iprd.trace
#       Home /usr/local/ipass
#       </AuthBy>

        <SessionDatabase SQL>
                DBSource        dbi:mysql:Radiator         
                DBUsername      root
                DBAuth          XXXXXXXX
                AddQuery insert into RADONLINE (USERNAME, NAS_IDENTIFIER, NAS_PORT, 
('%n', '%N', %{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', 
'%{NAS-Port-Type}', '%{Service-Type}')
                DeleteQuery delete from RADONLINE where USERNAME='%n' and 
                ClearNasQuery delete from RADONLINE where NAS_IDENTIFIER='%N'
                CountQuery select NAS_IDENTIFIER, NAS_PORT, ACCTSESSIONID from 

<Log SQL>
                DBSource        dbi:mysql:Radiator
                DBUsername      root       
                DBAuth          XXXXXXXX
                Trace 3
DEFAULT AuthType=System,Group=nodup,Simultaneous-Use=1,Session-Timeout=30

Reply via email to