Hi Neale -
On Sat, 07 Aug 1999, Neale Banks wrote:
> On Sat, 7 Aug 1999, Wim Biemolt wrote:
>
> > I experienced some troubles with the suggested configuration. If you use
> > NoForwardAuthentication RADIUS Authentication-Requests are not forwarded
> > but ACCEPTED. I noticed that if the first AuthBy failed the user would be
> > granted access anyway because of the second AuthBy. Accounting was taken
> > care of exactly as I wanted. But this was not true for Authentication ;-)
> > Currently I am using <Handler> statements as discussed on this list to
> > make a copy of accounting information without granting everybody access.
>
> Thanks for that - ACCEPTing everybody is definitely not what we want 8-O
>
I realised after I sent this that I had put the clauses around the wrong way.
What I should have said was this:
<Realm foo.bar>
    # Force all clauses to be executed
    AuthByPolicy ContinueAlways
    # Set up a proxy for Accounting only
    <AuthBy RADIUS>
        Host ....
        Secret ....
        NoForwardAuthentication
    </AuthBy>
    # Do our normal processing
    <AuthBy ....>
        ......
    </AuthBy>
    # Log accounting to local file
    AcctLogFileName filename
</Realm>
In this case the Accounting packets will be forwarded to the proxy and the
Authentication packets will be accepted. The following AuthBy will either
accept or reject normally.
> What's the trick to doing this with a <Handler>?
Realms are just special cases of Handlers. There is no difference other than
Realms look for an exact match on a realm and then stop processing, while all
Handlers are executed in configuration file sequence and can match on any
attribute(s).
<Realm foo.bar> is equivalent to <Handler Realm=foo.bar>
Note that you should not mix Realms and Handlers in the same configuration
(because of the conflicting continuation behaviour described above), so you
could also do something like this:
# Handler for Realm=foo.bar
<Handler Realm=foo.bar>
    # Do our normal processing
    <AuthBy ....>
        ......
    </AuthBy>
    # Log accounting to local file
    AcctLogFileName filename
</Handler>
# Additional Handler for Accounting packets only
<Handler Acct-Status-Type=/.+/>
    # Set up a proxy for accounting
    <AuthBy RADIUS>
        Host ....
        Secret ....
    </AuthBy>
</Handler>
In both cases above, two Accounting-Accept packets will be returned to the
Client NAS. And to answer Neale's other question about <AuthBy RADIUS> - the
retry behaviour can be modified with the "Retries" and "RetryTimeout"
parameters (Section 6.25 in the 2.14.1 manual).
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
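The ordering problem Wim ran into and Hugh's fix can be checked with a small simulation of how an AuthBy chain is evaluated. The code below is an added example written for this archive page; it is not Radiator's own code and does not parse Radiator configuration. It models two assumptions taken from the thread: an <AuthBy RADIUS> with NoForwardAuthentication answers Access-Requests with ACCEPT without forwarding them, and under AuthByPolicy ContinueAlways every clause runs and the last clause's result is what the client receives. The ContinueWhileIgnore branch (Radiator's default policy, stop at the first non-IGNORE result) and the user names and passwords are constructed for the example.

```python
"""Simulate AuthBy chain evaluation to show why clause order matters
when one clause is a NoForwardAuthentication proxy (added example, not Radiator code)."""
from dataclasses import dataclass, field

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"


@dataclass
class Request:
    code: str          # "Access-Request" or "Accounting-Request"
    user: str
    password: str = ""


@dataclass
class ProxyRadius:
    """Stand-in for <AuthBy RADIUS> with NoForwardAuthentication set:
    Access-Requests are ACCEPTed locally (as the thread describes),
    Accounting-Requests are forwarded to the proxy."""
    forwarded: list = field(default_factory=list)

    def handle(self, req):
        if req.code == "Access-Request":
            return ACCEPT          # not forwarded, just accepted
        self.forwarded.append(req)
        return ACCEPT              # assume the remote proxy acknowledges accounting


@dataclass
class LocalUsers:
    """Stand-in for the 'normal processing' AuthBy (e.g. a users file)."""
    users: dict                    # constructed sample credentials

    def handle(self, req):
        if req.code == "Accounting-Request":
            return ACCEPT
        return ACCEPT if self.users.get(req.user) == req.password else REJECT


def evaluate(chain, req, policy="ContinueAlways"):
    """Run the AuthBy clauses in configuration order under an AuthByPolicy.
    ContinueAlways: every clause runs, the last result wins.
    ContinueWhileIgnore (assumed default semantics): stop at the first
    clause that returns something other than IGNORE."""
    result = IGNORE
    for clause in chain:
        result = clause.handle(req)
        if policy == "ContinueWhileIgnore" and result != IGNORE:
            break
    return result


def run_scenario(proxy_first, policy="ContinueAlways"):
    """Evaluate a good login, a bad login and an accounting packet against
    the two possible clause orders. Returns the outcomes and what reached the proxy."""
    proxy = ProxyRadius()
    local = LocalUsers({"alice": "correct-horse"})     # constructed credentials
    chain = [proxy, local] if proxy_first else [local, proxy]
    return {
        "good": evaluate(chain, Request("Access-Request", "alice", "correct-horse"), policy),
        "bad": evaluate(chain, Request("Access-Request", "alice", "wrong-password"), policy),
        "acct": evaluate(chain, Request("Accounting-Request", "alice"), policy),
        "forwarded": [r.code for r in proxy.forwarded],
    }


if __name__ == "__main__":
    for policy in ("ContinueAlways", "ContinueWhileIgnore"):
        for proxy_first in (False, True):
            order = "proxy first" if proxy_first else "proxy last"
            print(f"{policy:20} {order:12} {run_scenario(proxy_first, policy)}")
```

With ContinueAlways and the proxy clause last (Wim's original order), a wrong password is still ACCEPTed because the proxy's unconditional ACCEPT is the final result; with the proxy clause first (Hugh's corrected order) the local clause decides and the bad login is REJECTed, while accounting is forwarded exactly once in both orders. The default policy does not help here: proxy first stops the chain at the proxy's ACCEPT, and proxy last never forwards accounting at all.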