Hello Jaafar -
Please send me a copy of the configuration file that produced the trace.

thanks

Hugh

At 10:58 +0800 19/7/02, Jaafar Bin Sarim wrote:
>Hello Hugh,
>
>user test004 which is in the deny file still gets authenticated against
>the /etc/passwd.
>pls see attached for the logs.
>
>Pls advise.
>
>Thank you.
>
>
>Best Regards
>Jaafar Sarim
>SingNet
>
>On Fri, 19 Jul 2002, Hugh Irvine wrote:
>
>>
>> Hello Jaafar -
>>
>> You will need to use AuthBy GROUPs for the different AuthBy policies.
>>
>> # define AuthBy clauses
>>
>> <AuthBy UNIX>
>>         Identifier System
>>         Filename /etc/shadow
>> </AuthBy>
>>
>> <AuthBy SQL>
>>         Identifier CheckSQL
>>         DBSource dbi:Oracle:ahimsa
>>         DBUsername xxxxxx
>>         DBAuth xxxxxx
>>
>>         DBSource dbi:Oracle:parthenon
>>         DBUsername xxxxxx
>>         DBAuth xxxxxx
>>
>>         AuthSelect SELECT passwd FROM subscribers \
>>                 WHERE name = '%n' \
>>                 AND roam = 'T' \
>>                 AND status = 'T'
>>
>>         AuthColumnDef 0, Encrypted-Password, check
>>         AuthColumnDef 1, GENERIC, check
>>         AuthColumnDef 2, GENERIC, check
>>         AuthColumnDef 3, GENERIC, reply
>>         AuthColumnDef 4, GENERIC, reply
>>
>> </AuthBy>
>>
>> <AuthBy FILE>
>>         Identifier CheckDenyFile
>>         Filename %D/deny
>>         AcceptIfMissing
>>         NoDefault
>> </AuthBy>
>>
>> <AuthBy GROUP>
>>         Identifier CheckSystemThenSQL
>>         AuthByPolicy ContinueUntilAccept
>>         AuthBy System
>>         AuthBy CheckSQL
>> </AuthBy>
>>
>> <AuthBy GROUP>
>>         Identifier CheckUsers
>>         AuthByPolicy ContinueWhileAccept
>>         AuthBy CheckDenyFile
>>         AuthBy CheckSystemThenSQL
>>         AddToReply Service-Type = Framed-User, \
>>                 Framed-Protocol = PPP, \
>>                 Framed-IP-Netmask = 255.255.255.255
>> </AuthBy>
>>
>> # define Handlers
>>
>> <Handler Realm=/.*\.sg/>
>>         RewriteUsername s/^([^@]+).*/$1/
>>         AuthBy CheckUsers
>>         AcctLogFileName /radacct/%C/detail
>> </Handler>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> At 8:53 +0800 19/7/02, Jaafar Bin Sarim wrote:
>> >Hello Hugh
>> >
>> >I'm unable to establish a policy that I want to achieve as described
>> >below:
>> >
>> >1. user access if found in the deny file will be rejected and nothing
>> >   else.
>> >
>> >2. user access if not found in the deny file will be checked against the
>> >   /etc/passwd file
>> >   if not found in the /etc/passwd then check with the oracle database
>> >
>> >Here's my radius configuration:
>> >-----------------------------------------------------
>> >LogDir /var/log/radius/test
>> >DbDir /usr/local/etc/raddb
>> >AuthPort 2112
>> >AcctPort 2113
>> >
>> >Trace 4
>> >
>> ><Log FILE>
>> >        Filename %L/logfile
>> >        Trace 4
>> ></Log>
>> >
>> ><Client 165.21.81.35>
>> >        Secret xxxxxx
>> ></Client>
>> >
>> ><Client localhost>
>> >        Secret xxxxxx
>> ></Client>
>> >
>> ><Client 165.21.100.15>
>> >        Secret xxxxxx
>> ></Client>
>> >
>> ><Client 165.21.100.18>
>> >        Secret xxxxxx
>> ></Client>
>> >
>> ><AuthBy UNIX>
>> >        Identifier System
>> >        Filename /etc/shadow
>> ></AuthBy>
>> >
>> ><AuthBy SQL>
>> >        Identifier CheckSQL
>> >        DBSource dbi:Oracle:ahimsa
>> >        DBUsername xxxxxx
>> >        DBAuth xxxxxx
>> >
>> >        DBSource dbi:Oracle:parthenon
>> >        DBUsername xxxxxx
>> >        DBAuth xxxxxx
>> >
>> >        AuthSelect SELECT passwd FROM subscribers \
>> >                WHERE name = '%n' \
>> >                AND roam = 'T' \
>> >                AND status = 'T'
>> >
>> >        AuthColumnDef 0, Encrypted-Password, check
>> >        AuthColumnDef 1, GENERIC, check
>> >        AuthColumnDef 2, GENERIC, check
>> >        AuthColumnDef 3, GENERIC, reply
>> >        AuthColumnDef 4, GENERIC, reply
>> >
>> ></AuthBy>
>> >
>> >
>> ><Handler Realm=/.*\.sg/>
>> >        RewriteUsername s/^([^@]+).*/$1/
>> >        AuthByPolicy ContinueWhileReject
>> >        <AuthBy FILE>
>> >                Filename %D/deny
>> >        </AuthBy>
>> >        <AuthBy FILE>
>> >                Filename %D/users
>> >        </AuthBy>
>> >        AuthBy CheckSQL
>> >        AcctLogFileName /radacct/%C/detail
>> ></Handler>
>> >
>> >-------------------------------------------------------------
>> >
>> >Here's my deny file:
>> >--------------------------------
>> >jaafar  Auth-Type = Reject
>> >
>> >--------------------------------
>> >
>> >Here's my users file:
>> >------------------------------------------
>> >DEFAULT Auth-Type = System
>> >        Service-Type = Framed-User,
>> >        Framed-Protocol = PPP,
>> >        Framed-IP-Netmask = 255.255.255.255
>> >-------------------------------------------
>> >
>> >
>> >
>> >Thank you.
>> >
>> >
>> >Best Regards
>> >Jaafar Sarim
>> >SingNet
>> >
>> >===
>> >Archive at http://www.open.com.au/archives/radiator/
>> >Announcements on [EMAIL PROTECTED]
>> >To unsubscribe, email '[EMAIL PROTECTED]' with
>> >'unsubscribe radiator' in the body of the message.
>>
>> --
>>
>> NB: I am travelling this week, so there may be delays in our correspondence.
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
>> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
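As an added illustration (not code from the thread and not Radiator itself), the Python model below mimics the chaining in Hugh's suggested configuration above: an outer CheckUsers group with AuthByPolicy ContinueWhileAccept and an inner CheckSystemThenSQL group with ContinueUntilAccept. It assumes that AcceptIfMissing makes the deny-file check accept any user not listed in the file, and it stands in constructed sample users for %D/deny, /etc/shadow and the Oracle subscribers table.

```python
"""Model of the AuthBy GROUP policy chaining from Hugh's suggested config.

Added example: an abstract evaluator, not Radiator's implementation.
"""

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed sample data standing in for %D/deny, /etc/shadow and
# the subscribers table (names and passwords are made up).
DENY_FILE = {"jaafar", "test004"}                     # entries: Auth-Type = Reject
SYSTEM_USERS = {"alice": "pw-alice"}                  # /etc/shadow equivalent
SQL_SUBSCRIBERS = {                                   # subscribers rows
    "bob":   {"passwd": "pw-bob",   "roam": "T", "status": "T"},
    "carol": {"passwd": "pw-carol", "roam": "F", "status": "T"},
}


def check_deny_file(user, password):
    # Assumed AcceptIfMissing semantics: a user absent from the deny file is
    # accepted; a listed user carries Auth-Type = Reject and is rejected.
    return REJECT if user in DENY_FILE else ACCEPT


def check_system(user, password):
    # AuthBy UNIX against the shadow-file equivalent.
    return ACCEPT if SYSTEM_USERS.get(user) == password else REJECT


def check_sql(user, password):
    # AuthSelect ... WHERE name = '%n' AND roam = 'T' AND status = 'T',
    # then the passwd column is checked against the supplied password.
    row = SQL_SUBSCRIBERS.get(user)
    if row and row["roam"] == "T" and row["status"] == "T":
        return ACCEPT if row["passwd"] == password else REJECT
    return REJECT


def group(policy, members):
    """Return a callable that applies an AuthByPolicy over the member checks."""
    def run(user, password):
        result = REJECT
        for member in members:
            result = member(user, password)
            if policy == "ContinueWhileAccept" and result != ACCEPT:
                break   # first non-accept (the deny file) ends the chain
            if policy == "ContinueUntilAccept" and result == ACCEPT:
                break   # first accept (System or SQL) ends the chain
        return result
    return run


check_system_then_sql = group("ContinueUntilAccept", [check_system, check_sql])
check_users = group("ContinueWhileAccept", [check_deny_file, check_system_then_sql])


def authenticate(username, password):
    # Handler Realm=/.*\.sg/ with RewriteUsername s/^([^@]+).*/$1/: drop the realm.
    return check_users(username.split("@", 1)[0], password)
```

With ContinueWhileAccept the deny-file reject stops the chain; a chain run under ContinueWhileReject, as in the original Handler, keeps going on exactly that reject, so the deny entry alone does not end evaluation.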
