Hello Nikos -

Several similar questions have come up recently, and my response has always
been this: why not set up a Handler clause to catch the illegal usernames and
reject them out of hand? The list in the Handler below will match on any
character other than "a-z", "A-Z", "0-9", "-", "_", "@". Obviously you would
alter the list to whatever makes sense in your environment.

Something like this:

<SessionDatabase INTERNAL>
        Identifier SDB_INTERNAL
</SessionDatabase>

<Handler User-Name = /[^a-zA-Z0-9_@-]/>
        SessionDatabase SDB_INTERNAL
        <AuthBy FILE>
                Filename  %D/users.reject
        </AuthBy>
</Handler>


The users.reject file would contain this:

DEFAULT Auth-Type = Reject


In conjunction with the above, you can use custom SQL queries in your
SQL session database and a NasType of Ping in your Client clauses. That way you
can control what gets written to the session database to make sure you always
write the same thing no matter how the username was entered, and you can use
strict simultaneous use checking without relying on what is recorded for the
username in the NAS.

hth

Hugh



On Thu, 20 Jul 2000, Nikos Aslanakis wrote:
> We have a problem regarding simultaneous logins.
> One of our users did the following:
> 
> Logged in once using his normal username, eg. "user"
> ..and then logged in successfully using the same username with additional
> trailing spaces: "user    ".
> 
> When radiator writes the accounting records to the SQL online database, it
> uses the original username, without the modifications made by the
> RewriteUsername commands. So it thinks that the username "user" is different
> from "user   " and lets the user login more than once.
> 
> Is there some solution to this problem? Can radiator write to the online
> database the final username, after all modifications?
> We cannot afford not to strip the leading & trailing spaces, as we will have
> tech support overload..
> 
> Of course, the same can happen if the user uses uppercase and lowercase
> letters in his username and if he uses realms.
> Here is the part of the conf file that does the RewriteUsername:
> 
> 
> 
> <Handler Realm=spark.net.gr,NAS-Port-Type=ISDN>
> #               Strip the realm
>         RewriteUsername         s/^([^@]+).*/$1/
> #               Remove spaces from username
>         RewriteUsername         s/\s+//g
> #               Translates all uppercase chars to lowercase
>         RewriteUsername        tr/[A-Z]/[a-z]/
> #               Remove char '(' from username (causes radiator to lock)
>         RewriteUsername         s/\(//g
> 
>         RejectHasReason
>         SessionDatabase         SESSQL
>         AuthByPolicy            ContinueWhileReject
> #       AcctLogFileName         /var/adm/radacct/RADIATOR/detail
> 
>         <AuthBy SQL>
>                 DBSource        dbi:mysql:regcod:xxx.xxx.xxx.xxx
>                 DBUsername      xxxxxx
>                 DBAuth              xxxxxx
>                 AuthSelect
>                 AccountingStopsOnly
>                 AccountingTable account%m%Y
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>                 AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
>         </AuthBy>
> 
> 
> Thanks in advance for any help.
> 
>         _____________________________
>         Nikos Aslanakis
>         SPARKnet S.A. - Systems Admin
>         Thessaloniki - Greece
>         tel.  +30 31 868080
>         http://www.spark.net.gr
>         mailto:[EMAIL PROTECTED]
> 
> 
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.


