Hi Hugh,
Thanks for the suggestion, it got rid of my problem. Now I have a followup
question on the sql query itself -
- When I use the following query, the call gets accepted even if the
Calling-Station-Id is blacklisted:
AuthSelect select LOGIN from BLACKLIST \
where CLI <> '%{Calling-Station-Id}'
The query always finds the DEFAULT entry and accepts the call.
- If I use the following query (i.e. <> replaced by =), the call gets
rejected even if the number is not in the blacklist table:
AuthSelect select LOGIN from BLACKLIST \
where CLI = '%{Calling-Station-Id}'
When the CLI is not in the DB, the query fails with the message:
Fri Nov 10 11:07:33 2000: DEBUG: Handling with Radius::AuthSQL
Fri Nov 10 11:07:33 2000: DEBUG: Query is: select LOGIN from BLACKLIST where CLI = '207505640'
Fri Nov 10 11:07:33 2000: DEBUG: Radius::AuthSQL looks for match with lisa
Fri Nov 10 11:07:33 2000: DEBUG: Query is: select LOGIN from BLACKLIST where CLI = '207505640'
Fri Nov 10 11:07:33 2000: INFO: Access rejected for lisa: No such user
- How can I accomplish the following logic?
If the CLI entry exists in the DB - reject
If the CLI entry is not in the DB - accept
- Here are my DB entries:
cli       | login
----------+-------------------
207505640 | Auth-Type = Reject
DEFAULT   | Auth-Type = Accept
Thanks,
Lisa
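An added example, not code from this thread or from Radiator itself: it runs the two AuthSelect queries quoted above, plus a third candidate query for the "listed CLI rejects, anything else accepts" logic, against an in-memory SQLite copy of the two-row BLACKLIST table, so the fail-open behaviour of the `<>` form (the DEFAULT row matches every CLI) and the no-row "No such user" behaviour of the `=` form are visible side by side. It assumes that Radiator substitutes %{Calling-Station-Id} as a plain string and, for the third query, that only the first returned row is used; both are assumptions, not something this thread documents.

```python
"""Added example: reproduce the BLACKLIST lookups from the thread in SQLite."""
import sqlite3

# Constructed copy of the two-row BLACKLIST table shown in the message.
ROWS = [("207505640", "Auth-Type = Reject"), ("DEFAULT", "Auth-Type = Accept")]

# The two queries from the thread plus a candidate for the desired logic.
# The ? placeholder stands in for Radiator's %{Calling-Station-Id} substitution
# (assumed here to be inserted as a plain string).
QUERIES = {
    "not_equal": "SELECT login FROM blacklist WHERE cli <> ?",
    "equal": "SELECT login FROM blacklist WHERE cli = ?",
    # Match the exact CLI or the DEFAULT row, and sort the exact match first,
    # so a listed CLI yields its Reject line and an unlisted one falls back to
    # DEFAULT.  Assumes the server acts on the first row only.
    "exact_or_default": (
        "SELECT login FROM blacklist WHERE cli IN (?, 'DEFAULT') "
        "ORDER BY CASE WHEN cli = 'DEFAULT' THEN 1 ELSE 0 END LIMIT 1"
    ),
}


def make_db() -> sqlite3.Connection:
    """Build the in-memory table from the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE blacklist (cli TEXT, login TEXT)")
    con.executemany("INSERT INTO blacklist VALUES (?, ?)", ROWS)
    return con


def logins(con: sqlite3.Connection, query_name: str, cli: str) -> list:
    """LOGIN values returned for one query and one Calling-Station-Id.

    An empty list is the 'No such user' case from the debug log; more than one
    row means the check item the server picks depends on row order."""
    return [row[0] for row in con.execute(QUERIES[query_name], (cli,))]


def outcome_table(con: sqlite3.Connection) -> dict:
    """Map (query, cli) -> returned LOGIN values for a listed and an unlisted CLI."""
    return {(q, cli): logins(con, q, cli)
            for q in QUERIES for cli in ("207505640", "555000111")}


if __name__ == "__main__":
    for (query, cli), result in outcome_table(make_db()).items():
        print(f"{query:>16} {cli:>10}: {result}")
```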
> -----Original Message-----
> From: Hugh Irvine [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, November 09, 2000 9:53 PM
> To: Lisa Goulet
> Cc: [EMAIL PROTECTED]
> Subject: RE: (RADIATOR) AuthSelect spinning
>
>
> Hello Lisa -
>
>
>
> In any case, this configuration will not work for two reasons, first
> the order of the AuthBy clauses and second the blacklist SQL clause.
>
> You will need to do something like this:
>
> # check blacklist numbers
> <AuthBy SQL>
> Identifier CheckBlackList
> DBSource dbi:Pg:dbname=radmin;host=62.58.62.130
> DBUsername radmin
> DBAuth radmin
> AuthSelect select LOGIN from BLACKLIST \
> where CLI <> '%{Calling-Station-Id}'
> AuthColumnDef 0, GENERIC, check
> </AuthBy>
>
> <AuthBy RADMIN>
> Identifier CheckRADMIN
> # Change DBSource, DBUsername, DBAuth for your database
> # See the reference manual. You will also have to
> # change the one in <SessionDatabase SQL> below
> # so it's the same
> DBSource dbi:Pg:dbname=radmin;host=62.58.62.130
> DBUsername radmin
> DBAuth radmin
>
> # You can add to or change these if you want, but you
> # will probably want to change the database schema first
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef DNIS,Called-Station-Id
>
> # This updates the time and octets left
> # for this user
> AcctSQLStatement update RADUSERS set \
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
> OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
> OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where \
> USERNAME='%n'
>
> # These are the classic things to add to each user's
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Service-Type = Framed-User,\
> Ascend-Client-Primary-DNS = 62.58.62.132,\
> Framed-MTU = 1500
> </AuthBy>
>
> # Allocate addresses based on DNIS (Called-Station-ID)
> <AuthBy DYNADDRESS>
> Identifier AllocateIPAddress
> Allocator SQLAllocator
> PoolHint %{Called-Station-Id}
> </AuthBy>
>
> <Realm DEFAULT>
>
> RejectHasReason
> AuthByPolicy ContinueWhileAccept
>
> AuthBy CheckBlackList
> AuthBy CheckRADMIN
> AuthBy AllocateIPAddress
>
> </Realm>
>
>
> The contents of the LOGIN column in your BLACKLIST table should contain
> this:
>
> cli     | login
> --------+-------------------
> 9999999 | Auth-Type = Reject
> DEFAULT | Auth-Type = Accept
>
> The order of the AuthBy clauses is important because you must check
> the username and password *after* the blacklist, otherwise the
> blacklist DEFAULT will accept everything except the blacklist
> numbers, which is not what you want.
>
> hth
>
> Hugh
> --
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.