Hello Mike -


I am using the current Radiator 3.7.1 for testing.

Suggest you upgrade and see what happens.

regards

Hugh


On 27/11/2003, at 4:11 AM, Forbes Mike wrote:



What version did you test under? I am using it under 3.1. I also use a
handler not a realm. I am wondering if this is a version issue with
radiator. My continue until rejects works without the first authby file.
The first authby file is the file with the auth-type reject in it.


Mike

My config is this:

Note: I have commented and uncommented AuthBy GROUP out, I have stopped
and restarted radius with the init script. The trace 4 is below.
<Handler Realm=MODEMS,NAS-Port-Type=Virtual>
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                <AuthBy FILE>
                        Filename %D/reject_modem.users
                        AcceptIfMissing
                </AuthBy>
                <AuthBy FILE>
                        Filename %D/backbone_users
                </AuthBy>
                <AuthBy PAM>
                        Fork
                        Service radiusd
                </AuthBy>
        </AuthBy>
        AuthLog Backbone_Login_Failures
        # Log accounting to a detail file
        AcctLogFileName %L/modems_backbone_users.log
</Handler>


Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
Wed Nov 26 09:57:44 2003: DEBUG:  Deleting session for username, 192.168.x.x, 98
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for username
Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:


Now to simplify this even more I took out all the AuthBys except the file
with the reject in it. I was still able to log on, the debug is below




Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
Wed Nov 26 10:05:57 2003: DEBUG:  Deleting session for username, 192.168.x.x, 98
Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username

On Wed, 26 Nov 2003, Hugh Irvine wrote:


Hello Mike -


I have done some testing here (as has Mike) and neither of us has this
problem.

Here is my configuration file (which also works with
ContinueUntilReject):

<Realm DEFAULT>
         AuthByPolicy ContinueWhileAccept
         <AuthBy FILE>
                 Filename ./users.reject
                 AcceptIfMissing
         </AuthBy>
         <AuthBy FILE>
                 Filename ./users
         </AuthBy>
         <AuthBy FILE>
                 Filename ./users
         </AuthBy>
         # Log accounting to a detail file
         AcctLogFileName ./detail-%G
</Realm>


Here is the "users.reject" file:


username Auth-Type = Reject


And here is the trace 4:


perl radpwtst -user username -noacct
sending Access-Request...
Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 49663 ....
Code:       Access-Request
Identifier: 196
Authentic:  1234567890123456
Attributes:
         User-Name = "username"
         Service-Type = Framed-User
         NAS-IP-Address = 203.63.154.1
         NAS-Port = 1234
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         NAS-Port-Type = Async
         User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 26 18:17:01 2003: DEBUG:  Deleting session for username, 203.63.154.1, 1234
Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 49663 ....
Code:       Access-Reject
Identifier: 196
Authentic:  1234567890123456
Attributes:
         Reply-Message = "Request Denied"


I can only suggest you try setting up a simple test configuration to try it first.

Perhaps you are not editing the correct file(s) and/or you have not
restarted "radiusd"?

regards

Hugh


On 26/11/2003, at 5:39 AM, Forbes Mike wrote:



I get the following trace 4 with ContinueWhileAccept


Mike


Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username, 192.168.x.x, 9
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:


Code: Access-Accept


On Tue, 25 Nov 2003, Hugh Irvine wrote:



Hello Mike -


Thanks for your mail - how curious!

I wonder if you could try to change the configuration to:

AuthByPolicy ContinueWhileAccept

and see what happens.

I'll also forward your mail to Mike.

regards

Hugh


On 25/11/2003, at 5:56 AM, Forbes Mike wrote:



Hi Hugh,


It would seem the continue until reject is not functioning correctly in
this case. The debug shows the reject but continues on.


I tried the following:

        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                <AuthBy FILE>
                        Filename %D/reject_modem.users
                        AcceptIfMissing
                </AuthBy>

                <AuthBy FILE>
                        Filename %D/backbone_users
                </AuthBy>
                <AuthBy PAM>
                        Fork
                        Service radiusd
                </AuthBy>
        </AuthBy>
        AuthLog Modem_Login_Failures
        # Log accounting to a detail file
        AcctLogFileName %L/modem_pool_backbone_users.log


with the reject_modem.users containing username Auth-Type=Reject

The user can still get on.  The debug is below:
 Radiator 3.1
Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
Mon Nov 24 11:43:05 2003: DEBUG:  Deleting session for username, 192.168.x.x, 53
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username



On Sat, 13 Sep 2003, Hugh Irvine wrote:


Hello Mike -


Yes this is quite simple to achieve.

<Handler Realm=MODEMS>
         RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
         <AuthBy GROUP>
                 AuthByPolicy ContinueUntilReject

                 <AuthBy FILE>
                         Filename %D/reject.users
                         AcceptIfMissing
                 </AuthBy>

                 <AuthBy PAM>
                         Fork
                         Service radiusd
                 </AuthBy>

         </AuthBy>
         AuthLog Modem_Login_Failures
          AcctLogFileName %L/Modems.log
</Handler>


The file "%D/reject.users" would contain something like this:


# reject.users

username1 Auth-Type = Reject

username2 Auth-Type = Reject

.......


If you have any other questions, please contact me.


regards

Hugh


On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike wrote:



I have a request to block certain users access to our modem pool.


Users are first authenticated by kerb via PAM.  What I would like to do is
have radius then check to see if they are listed in a file and reject them
only if they are listed.  If they are not in the file they can logon.

I saw the username authtype example in the manual, is there a way to do
this in a file for a larger number?

Could you do the AuthByPolicy ContinueWhileReject and put this before my
authbypam below?

My handler is below.

Mike Forbes


<Handler Realm=MODEMS>
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                <AuthBy PAM>
                        Fork
                        Service radiusd
                </AuthBy>
        </AuthBy>
        AuthLog Modem_Login_Failures
        AcctLogFileName %L/Modems.log
</Handler>


=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
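The behaviour the thread argues about, as an added example rather than anything from Radiator or from the list: a small Python model of an AuthBy GROUP chain. The result names (ACCEPT, REJECT, REJECT_IMMEDIATE, IGNORE) and the AuthByPolicy names are Radiator's own and appear in the configs and trace 4 output above; how each policy reacts to each result is an assumption modelled on Hugh's 3.7.1 trace, where Auth-Type = Reject (REJECT_IMMEDIATE) ends the chain under both ContinueUntilReject and ContinueWhileAccept. The `reject_file` and `password_check` clauses, the user names and the passwords are constructed stand-ins for Mike's reject file and his AuthBy PAM. It goes beyond the thread in one respect: it also runs the chain under Radiator's default policy, ContinueWhileIgnore, to show why the AuthByPolicy line is not optional when a deny-list with AcceptIfMissing is the first clause.

```python
"""Model of how an AuthBy GROUP with AuthByPolicy chains its AuthBy clauses.

Added example, not Radiator code.  The result and policy names are the ones
Radiator uses in its configuration and trace 4 output; how each policy reacts
to each result is an ASSUMPTION drawn from Hugh's 3.7.1 trace in this thread,
not from the Radiator source.
"""
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Result(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    REJECT_IMMEDIATE = "REJECT_IMMEDIATE"   # what 'Auth-Type = Reject' produces
    IGNORE = "IGNORE"


# Each policy is a predicate: given the result of the AuthBy just run, does the
# group go on to the next one?  ContinueWhileX keeps going while each result is
# X; ContinueUntilX keeps going until a result is X.  (ASSUMPTION, see above.)
POLICIES: Dict[str, Callable[[Result], bool]] = {
    "ContinueWhileIgnore": lambda r: r is Result.IGNORE,       # Radiator's default
    "ContinueUntilIgnore": lambda r: r is not Result.IGNORE,
    "ContinueWhileAccept": lambda r: r is Result.ACCEPT,
    "ContinueUntilAccept": lambda r: r is not Result.ACCEPT,
    "ContinueWhileReject": lambda r: r is Result.REJECT,
    "ContinueUntilReject": lambda r: r is not Result.REJECT,
    "ContinueAlways":      lambda r: True,
}

AuthBy = Callable[[str, str], Result]


def run_group(policy: str, chain: List[AuthBy], user: str, password: str
              ) -> Tuple[Result, List[Result]]:
    """Run `chain` under `policy`; return (group result, results seen in order).

    REJECT_IMMEDIATE always ends the chain, which is what Hugh's trace shows
    for Auth-Type = Reject.  Otherwise the policy predicate decides whether to
    continue, and the result of the last AuthBy consulted is the group's result.
    """
    seen: List[Result] = []
    result = Result.IGNORE
    for authby in chain:
        result = authby(user, password)
        seen.append(result)
        if result is Result.REJECT_IMMEDIATE or not POLICIES[policy](result):
            break
    return result, seen


def reject_file(denied: Set[str]) -> AuthBy:
    """Stand-in for an AuthBy FILE of 'user Auth-Type = Reject' lines with AcceptIfMissing."""
    return lambda user, _pw: Result.REJECT_IMMEDIATE if user in denied else Result.ACCEPT


def password_check(creds: Dict[str, str]) -> AuthBy:
    """Stand-in for the AuthBy PAM (or users file) clause that actually checks the password."""
    return lambda user, pw: Result.ACCEPT if creds.get(user) == pw else Result.REJECT


# Constructed sample data: one denied user, one allowed user.
DENIED = {"mallory"}
CREDS = {"alice": "correct-horse", "mallory": "battery-staple"}
CHAIN = [reject_file(DENIED), password_check(CREDS)]


def outcome(policy: str, user: str, password: str) -> str:
    final, seen = run_group(policy, CHAIN, user, password)
    return f"{final.value} after {len(seen)} AuthBy clause(s)"


if __name__ == "__main__":
    for policy in ("ContinueUntilReject", "ContinueWhileAccept", "ContinueWhileIgnore"):
        print(policy)
        print("  alice, right password  :", outcome(policy, "alice", "correct-horse"))
        print("  alice, wrong password  :", outcome(policy, "alice", "nope"))
        print("  mallory, right password:", outcome(policy, "mallory", "battery-staple"))
```

Under the default policy the ACCEPT that AcceptIfMissing returns for an unlisted user ends the chain before PAM ever sees the password, so every unlisted user gets in with any password; under ContinueUntilReject or ContinueWhileAccept that ACCEPT is only a pass-through and PAM still decides. In both cases the check worth running after every change is the one Hugh suggests: radpwtst as a listed user, expecting Access-Reject, and as an unlisted user with a wrong password, also expecting Access-Reject.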



NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database
independence.
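Mike's traces and Hugh's differ in exactly one line: whether "Access accepted" or "Access rejected" follows the REJECT_IMMEDIATE. A request in which an AuthBy returned REJECT_IMMEDIATE and the handler still accepted is the pattern to look for after an upgrade, or in any trace 4 capture taken while testing a deny-list. Added example, not part of the thread or of Radiator: a Python checker that splits a trace 4 log into requests and flags that pattern. The sample lines are a subset of the ones quoted above, re-joined onto single lines where the mail client wrapped them; the regular expressions assume only the line formats visible in those traces.

```python
"""Flag trace 4 requests where an AuthBy returned REJECT_IMMEDIATE but the
handler still accepted.  Added example, not Radiator code; the line formats
matched below are ASSUMED from the traces quoted in this thread."""
import re
from typing import Dict, List, Optional

# Sample input: Mike's 3.1 trace followed by Hugh's 3.7.1 trace, as quoted in
# the thread, with mail-wrapped lines re-joined.
TRACE = """\
Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username
Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
"""

START = re.compile(r": DEBUG: Handling request with Handler '([^']*)'")
RESULT = re.compile(r": DEBUG: Radius::(\w+) (REJECT_IMMEDIATE|REJECT|ACCEPT|IGNORE)\b")
END = re.compile(r": (?:DEBUG|INFO): Access (accepted|rejected) for ([^\s:]+)")


def split_requests(trace: str) -> List[Dict]:
    """Group trace lines into requests: handler, per-AuthBy results, outcome, user."""
    requests: List[Dict] = []
    current: Optional[Dict] = None
    for line in trace.splitlines():
        m = START.search(line)
        if m:
            current = {"handler": m.group(1), "results": [], "outcome": None, "user": None}
            requests.append(current)
            continue
        if current is None:
            continue            # lines before the first request, or after an incomplete one
        m = RESULT.search(line)
        if m:
            current["results"].append((m.group(1), m.group(2)))   # (AuthBy module, result)
            continue
        m = END.search(line)
        if m:
            current["outcome"], current["user"] = m.group(1), m.group(2)
            current = None      # the accept/reject line closes the request
    return requests


def accepted_after_reject(trace: str) -> List[Dict]:
    """Requests that ended in Access-Accept although an AuthBy said REJECT_IMMEDIATE."""
    return [r for r in split_requests(trace)
            if r["outcome"] == "accepted"
            and any(res == "REJECT_IMMEDIATE" for _, res in r["results"])]


if __name__ == "__main__":
    for r in accepted_after_reject(TRACE):
        print(f"handler {r['handler']!r}: {r['user']} accepted after {r['results']}")
```

Run it over a trace 4 file taken while sending a listed user through radpwtst; an empty result is the expected state, and any hit names the handler whose AuthByPolicy needs looking at.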

