Hello Toomas -
This is not a bug really - it is more a configuration issue.
The problem that you show below is due to the fact that the AuthBy is looking for the username, and you are overriding it to look for something else. This leads to the AuthBy continuing to look for DEFAULT... .
The correct way to build a configuration file to do blacklist checking is to use cascaded AuthBy clauses.
Something like this:
# define AuthBy clauses
<AuthBy SQL>
    Identifier CheckMACAddress
    ......
</AuthBy>
<AuthBy FILE>
    Identifier CheckBlacklist
    Filename %D/blacklist
</AuthBy>
......
# define Realms or Handlers
<Realm ...>
    AuthByPolicy ContinueWhileAccept
    .....
    AuthBy CheckBlacklist
    .....
</Realm>
.....
The SQL table would contain something like this:
MACADDRESS         ACTION
nn.nn.nn.nn.nn.nn  Auth-Type = Reject
oo.oo.oo.oo.oo.oo  Auth-Type = Reject
.....
The file "blacklist" would contain this:
# blacklist
DEFAULT Auth-Type = CheckMACAddress
DEFAULT Auth-Type = Accept
This topic has been discussed on the list many times, so check the archive if you are interested.
www.open.com.au/archives/radiator
regards
Hugh
On Thursday, Dec 12, 2002, at 21:38 Australia/Melbourne, Toomas K�rner wrote:
Hi
When I have config like:
<Realm plah>
AuthByPolicy ContinueUntilReject
AuthBy Identifier_of_some_authby_that_gives_reject
<AuthBy SQL>
plahplah
</AuthBy>
</Realm plah>
This kind of conf results in a loop in Identifier_of_some_authby_that_gives_reject
and never goes to AuthBy SQL.
debug 4 of such config (it had other problems as well but it shouldn't have
gone to loop because MACADDRESS like '00-50-04-E8-B4-AF' was found).
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52061
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52062
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT52063
Thu Dec 12 09:18:48 2002: DEBUG: Radius::AuthSQL REJECT: Check item Service-Type expression '00-50-04-E8-B4-AF' does not match 'Login-User' in request
Thu Dec 12 09:18:48 2002: DEBUG: Query is: select MACADDRESS, REPLYMESSAGE from macblacklist where MACADDRESS like '00-50-04-E8-B4-AF' and ACTIVE = 'Yes'
Anyway, I think it would be a good idea to add a keyword RejectIfFound to
features for blacklist building purposes.
Rgds.
Toomas K�rner
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
