Hello Tariq -
You might try something more restrictive in your Reject Handler:
#Handler to reject users with extra characters
<Handler User-Name=/[^a-zA-Z0-9-@._]/>
.....
The Handler above will match on any character that is not in the list, i.e. not
any of the following: "a-z", "A-Z", "0-9", "-", "@", ".", "_".
You should alter the list to reflect whatever characters are acceptable in
usernames in your situation.
This topic has also been discussed on the list, so check the archive site:
http://www.starport.net/~radiator
hth
Hugh
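As an added illustration (not part of Hugh's or Tariq's mail, and not Radiator's own code), the Python below emulates the negated character class Hugh suggests and the three RewriteUsername steps from Tariq's quoted <Realm>, using the same regexes as the config. It shows why the restrictive Handler matters: the raw names in Tariq's example stay distinct, while their rewritten forms collapse to one account.

```python
import re

# Added example (not Radiator code): emulate Hugh's reject Handler and Tariq's
# RewriteUsername chain in Python, using the same regexes as the config.

# Hugh's <Handler User-Name=/[^a-zA-Z0-9-@._]/>: any character outside this
# allow-list makes the Handler match (the '-' is escaped here so Python reads it
# as a literal hyphen, which is what Hugh's list intends).
REJECT_HANDLER = re.compile(r"[^a-zA-Z0-9\-@._]")

# Tariq's "tr/-.A-Za-z0-9_@//cd": the characters that survive step 1.
KEEP = re.compile(r"[-.A-Za-z0-9_@]")


def reject_handler_matches(user_name: str) -> bool:
    """True when the request would fall into the reject Handler."""
    return REJECT_HANDLER.search(user_name) is not None


def rewrite_username(user_name: str) -> str:
    """Apply the three RewriteUsername lines from the quoted <Realm> in order."""
    # 1. tr/-.A-Za-z0-9_@//cd : delete every character not in the set
    name = "".join(ch for ch in user_name if KEEP.fullmatch(ch))
    # 2. s/^([^@]+).*/$1/ : keep only what precedes the first '@'
    #    (no match when the name starts with '@', so the name is left alone,
    #    exactly as Perl's s/// behaves)
    name = re.sub(r"^([^@]+).*", r"\1", name)
    # 3. tr/[A-Z]/[a-z]/ : lowercase
    return name.lower()


def raw_vs_rewritten(user_names):
    """Count how many distinct raw User-Names a session database keyed on the
    raw attribute would see, versus how many distinct accounts remain after
    the Realm rewrite."""
    rewritten = {rewrite_username(u) for u in user_names}
    return len(set(user_names)), len(rewritten)


# Constructed sample: the three variants Tariq describes.
SAMPLE = ["bobsmith", " bobsmith", "\\bobsmith"]

if __name__ == "__main__":
    for u in SAMPLE:
        print(repr(u), "reject" if reject_handler_matches(u) else "pass",
              "->", repr(rewrite_username(u)))
    print("distinct raw vs rewritten:", raw_vs_rewritten(SAMPLE))
```

With Hugh's Handler in place, the two padded variants are caught before they reach the Realm; only the clean name passes through to be rewritten and authenticated.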
On Sat, 09 Sep 2000, Mohammad Tariq wrote:
>
> I'm using radiator 2.14.1 with LDAP 4.11. I have set the maxsession to
> one but there are users who are cheating by adding extra characters and are
> able to have multiple concurrent logins. For example, a user "bobsmith",
> " bobsmith" (with a leading space) and "\bobsmith" is able to have three
> concurrent logins while " bobsmith" and "\bobsmith" do not exist in the LDAP.
> Any help on how to prevent multiple logins will be highly appreciated.
> # Foreground
> # LogStdout
> LogDir /var/adm
> LogFile %L/radius.log
> DbDir /usr/local/etc
>
> Trace 3
>
> #
> <Client DEFAULT>
>     Secret xxxxx
>     DupInterval 2
> </Client>
>
> #Handler to reject users with extra characters
> <Handler User-Name=/\\x/>
>     <AuthBy FILE>
>         Filename %D/reject
>     </AuthBy>
> </Handler>
>
> <Realm xxxxxx>
>
>     RewriteUsername tr/-.A-Za-z0-9_@//cd
>     RewriteUsername s/^([^@]+).*/$1/
>     RewriteUsername tr/[A-Z]/[a-z]/
>     PasswordLogFileName %L/radpwd.log
>
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>
>         <AuthBy SQL>
>             DBSource dbi:mysql:database=xxxx;host=xxxxx
>             DBUsername radius
>             DBAuth xxxxx
>
>             Timeout 30
>             # don't identify, accounting only
>             AuthSelect
>             AccountingTable accounting
>             AcctColumnDef USERNAME,User-Name
>             AcctColumnDef TIME_STAMP,Timestamp,integer
>             AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>             AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>             AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>             AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>             AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>             AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>             AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>             AcctColumnDef ACCTCHARGE,Acct-Charge
>             AcctColumnDef NASIDENTIFIER,NAS-Identifier
>             AcctColumnDef NASPORT,NAS-Port, integer
>             AcctColumnDef DNIS,Called-Station-Id
>
>         </AuthBy>
>
>         <AuthBy LDAP2>
>             #DefaultSimultaneousUse 1
>             # Tell Radiator how to talk to the LDAP server
>             Host ldap-lh.arabcircle.net.sa
>             Port 389
>             AuthDN uid=radius,ou=xxx,o=xxx
>             AuthPassword xxxxx
>             BaseDN o=xxx
>
>             UsernameAttr uid
>             PasswordAttr userpassword
>             # Simultaneous-Use number
>         </AuthBy>
>
>
>         # These are the classic things to add to each users
>         # reply to allow a PPP dialup session. It may be
>         # different for your NAS. This will add some
>         # reply items to everyone's reply
>         DefaultReply Service-Type = Framed-User,\
>             Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.128,\
>             Framed-IP-Address = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 600,\
>             Framed-Compression = Van-Jacobson-TCP-IP,\
>             Session-Timeout = 1200
>     </AuthBy>
>     MaxSessions 1
>
>     # Log accounting to the detail file in LogDir
>     AcctLogFileName %L/detail
> </Realm>
>
> This is what I have in the reject file.
> DEFAULT Auth-Type = Reject
>
> Regards
> Tariq
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.