Hi Neale -

On Sat, 07 Aug 1999, Neale Banks wrote:
> On Sat, 7 Aug 1999, Wim Biemolt wrote:
> 
> > I experienced some troubles with the suggested configuration. If you use
> > NoForwardAuthentication RADIUS Authentication-Requests are not forwarded
> > but ACCEPTED. I noticed that if the first AuthBy failed the user would be
> > granted access anyway because of the second AuthBy. Accounting was taken
> > care of exactly as I wanted. But this was not true for Authentication ;-)
> > Currently I am using <Handler> statements as discussed on this list to
> > make a copy of accounting information without granting everybody access.
> 
> Thanks for that - ACCEPTing everybody is definitely not what we want 8-O
> 

I realised after I sent this that I had put the clauses around the wrong way.
What I should have said was this:

<Realm foo.bar>
        # Force all clauses to be executed
        AuthByPolicy ContinueAlways
        # Set up a proxy for Accounting only
        <AuthBy RADIUS>
                Host ....
                Secret ....
                NoForwardAuthentication
        </AuthBy>
        # Do our normal processing
        <AuthBy ....>
                ......
        </AuthBy>
        # Log accounting to local file
        AcctLogFileName  filename
</Realm>

In this case the Accounting packets will be forwarded to the proxy and the
Authentication packets will be accepted. The following AuthBy will either
accept or reject normally.

> What's the trick to doing this with a <Handler>?

Realms are just special cases of Handlers. There is no difference other than
Realms look for an exact match on a realm and then stop processing, while all
Handlers are executed in configuration file sequence and can match on any
attribute(s).

<Realm foo.bar> is equivalent to <Handler Realm=foo.bar>

Note that you should not mix Realms and Handlers in the same configuration
(because of the conflicting continuation behaviour described above), so you
could also do something like this:

# Handler for Realm=foo.bar
<Handler Realm=foo.bar>
        # Do our normal processing
        <AuthBy ....>
                ......
        </AuthBy>
        # Log accounting to local file
        AcctLogFileName  filename
</Handler>

# Additional Handler for Accounting packets only
<Handler  Acct-Status-Type=/.+/>
        # Set up a proxy for accounting
        <AuthBy RADIUS>
                Host ....
                Secret ....
        </AuthBy>
</Handler>

In both cases above, two Accounting-Accept packets will be returned to the
Client NAS. And to answer Neale's other question about <AuthBy RADIUS> - the
retry behaviour can be modified with the "Retries" and "RetryTimeout"
parameters (Section 6.25 in the 2.14.1 manual).

hth

Hugh

 --
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
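The following is an added illustration, not Radiator code and not part of the
message above. It is a small Python model of the clause evaluation the thread
describes: under AuthByPolicy ContinueAlways every AuthBy runs and the reply
code is the verdict of the last clause (a modelling assumption taken from
Hugh's and Wim's descriptions), an <AuthBy RADIUS> with NoForwardAuthentication
forwards accounting and answers Access-Requests with ACCEPT, and <Handler>
clauses are tried in sequence with exact or /regex/ attribute matching. The
"AuthByUsers" class is a hypothetical stand-in for the elided "normal
processing" AuthBy, and the user name, password and packets are constructed
sample data. Running realm_example("proxy_last") reproduces the open-door
behaviour Wim saw; "proxy_first" and handler_example() show the two corrected
layouts.

```python
import re
from dataclasses import dataclass

ACCEPT, REJECT = "ACCEPT", "REJECT"

@dataclass
class Packet:
    code: str    # "Access-Request" or "Accounting-Request"
    attrs: dict  # RADIUS attributes, e.g. {"User-Name": "bob@foo.bar"}

    def realm(self):
        user = self.attrs.get("User-Name", "")
        return user.split("@", 1)[1] if "@" in user else ""

class AuthByRadius:
    """Model of <AuthBy RADIUS> with NoForwardAuthentication: accounting is
    forwarded to the proxy, Access-Requests are answered ACCEPT locally."""
    def __init__(self):
        self.forwarded = []  # what would have been sent to the remote proxy

    def handle(self, pkt):
        if pkt.code == "Accounting-Request":
            self.forwarded.append(pkt)
        return ACCEPT

class AuthByUsers:
    """Hypothetical stand-in for the 'normal processing' AuthBy: a local
    user table checked against User-Name / User-Password."""
    def __init__(self, users):
        self.users = users

    def handle(self, pkt):
        if pkt.code == "Accounting-Request":
            return ACCEPT
        ok = self.users.get(pkt.attrs.get("User-Name")) == pkt.attrs.get("User-Password")
        return ACCEPT if ok else REJECT

def run_clauses(authbys, pkt):
    """AuthByPolicy ContinueAlways: every clause runs; the reply is the verdict
    of the last clause (modelling assumption drawn from the thread)."""
    verdict = REJECT
    for clause in authbys:
        verdict = clause.handle(pkt)
    return verdict

@dataclass
class Handler:
    label: str
    match: dict   # attribute -> "value" (exact match) or "/regex/"
    authbys: list

    def matches(self, pkt):
        for attr, want in self.match.items():
            got = pkt.realm() if attr == "Realm" else pkt.attrs.get(attr)
            if got is None:
                return False
            if want.startswith("/") and want.endswith("/"):
                if not re.search(want[1:-1], got):
                    return False
            elif got != want:
                return False
        return True

def dispatch(handlers, pkt):
    """Handlers run in configuration-file order and every matching one handles
    the packet, so one accounting packet can yield several replies."""
    return [(h.label, run_clauses(h.authbys, pkt)) for h in handlers if h.matches(pkt)]

def realm_example(order):
    """<Realm foo.bar> with the proxy clause first ('proxy_first', Hugh's
    corrected order) or last ('proxy_last', the order Wim ran into)."""
    proxy, local = AuthByRadius(), AuthByUsers({"bob@foo.bar": "s3cret"})
    clauses = [proxy, local] if order == "proxy_first" else [local, proxy]
    bad = Packet("Access-Request", {"User-Name": "bob@foo.bar", "User-Password": "wrong"})
    good = Packet("Access-Request", {"User-Name": "bob@foo.bar", "User-Password": "s3cret"})
    acct = Packet("Accounting-Request", {"User-Name": "bob@foo.bar", "Acct-Status-Type": "Start"})
    return {"bad": run_clauses(clauses, bad), "good": run_clauses(clauses, good),
            "acct": run_clauses(clauses, acct), "forwarded": len(proxy.forwarded)}

def handler_example():
    """Two-Handler layout: normal processing for Realm=foo.bar plus an
    accounting-only Handler matching Acct-Status-Type=/.+/."""
    proxy = AuthByRadius()  # only accounting packets ever reach this clause
    handlers = [
        Handler("Realm=foo.bar", {"Realm": "foo.bar"}, [AuthByUsers({"bob@foo.bar": "s3cret"})]),
        Handler("Acct-Status-Type=/.+/", {"Acct-Status-Type": "/.+/"}, [proxy]),
    ]
    bad = Packet("Access-Request", {"User-Name": "bob@foo.bar", "User-Password": "wrong"})
    acct = Packet("Accounting-Request", {"User-Name": "bob@foo.bar", "Acct-Status-Type": "Stop"})
    return {"bad": dispatch(handlers, bad), "acct": dispatch(handlers, acct),
            "forwarded": len(proxy.forwarded)}
```

The point the model makes concrete: with ContinueAlways the clause that runs
last decides the reply, so a NoForwardAuthentication proxy placed after the
real authenticator turns every rejection into an ACCEPT, while the
accounting-only Handler never sees an Access-Request at all because that packet
carries no Acct-Status-Type.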
