Hello Robb -
You would do something like the following:
SIMPLE.CFG
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 1.1.1.1>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<Client 2.2.2.2>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
<Client 3.3.3.3>
Identifier NetworkEquipment
Secret mysecret
DupInterval 0
</Client>
...
<AuthBy SYSTEM>
Identifier SystemAuthentication
</AuthBy>
<AuthBy FILE>
Identifier GroupAuthentication
Filename %D/users.group
</AuthBy>
<AuthBy INTERNAL>
Identifier RejectAuthAcceptAcct
AuthResult REJECT
AcctResult ACCEPT
</AuthBy>
<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
AuthByPolicy ContinueWhileAccept
AuthBy GroupAuthentication
AuthBy SystemAuthentication
</Handler>
<Handler>
AuthBy RejectAuthAcceptAcct
</Handler>
The contents of the file "users.group" would look like this:
# users.group
DEFAULT Auth-Type = SystemAuthentication, Group = netadm
BTW - there are a great many example configuration files in the "goodies"
directory of the Radiator distribution.
Hope that helps.
regards
Hugh
On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
> I am evaluating radiator and would like to set up authentication using linux
> username & passwords as well as another type of check to allow access. For
> instance check if the user is part of a particular group before having their
> login accepted. Specifically I want to limit networking equipment access to
> users in the netadm group. I am running this on fedora 12. Below is my
> simple.cfg for testing, everything else works fine but I am having trouble
> interpreting the documentation for tiered authentication. Thank you for your
> assistance.
>
> SIMPLE.CFG
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> # Use a lower trace level in production systems:
> Trace 4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Client DEFAULT>
> Secret mysecret
> </Client>
>
> <Realm>
> <AuthBy UNIX>
> Identifier System
> Filename /etc/shadow
> #Filename /etc/passwd
> GroupFilename /etc/group
> # Log accounting to a detail file
> AcctLogFileName /etc/radiator/radiator.log
> <ServerHTTP>
> Port 8100
> DefaultPrivilegeLevel 15
> </ServerHTTP>
> </Realm>
>
>
> Current output checking Linux /etc/passwd file, need to add group or some
> other type of identifier mechanism to the check.
>
> Tue Apr 3 15:28:12 2012: ERR: Could not resolve an address for Client
> Tue Apr 3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in
> simple.cfg line 65
> Tue Apr 3 15:28:13 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
> Tue Apr 3 15:28:13 2012: DEBUG: Finished reading configuration file
> 'simple.cfg'
> This Radiator license will expire on 2012-08-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact [email protected]
> Tue Apr 3 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1812
> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1813
> Tue Apr 3 15:28:13 2012: NOTICE: Server started: Radiator 4..9 on
> sec-l-adm02 (LOCKED)
> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 56193 ....
> Code: Access-Request
> Identifier: 64
> Authentic: <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
> Attributes:
> User-Name = "robert"
> User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
> NAS-Port-Id = "ttyS0"
> Service-Type = NAS-Prompt-User
> NAS-Port = 0
> NAS-IP-Address = 10.2.120.150
> Tue Apr 3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=',
> Identifier ''
> Tue Apr 3 15:28:34 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
> Tue Apr 3 15:28:34 2012: DEBUG: Handling with Radius::AuthUNIX: System
> Tue Apr 3 15:28:34 2012: DEBUG: Reading group file /etc/group
> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX looks for match with robert
> [robert]
> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert]
> Tue Apr 3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT,
> Tue Apr 3 15:28:34 2012: DEBUG: Access accepted for robert
> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
> *** Sending to 10.2.120.150 port 56193 ....
> Code: Access-Accept
> Identifier: 64
> Authentic: k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
> Attributes:
>
> Robb Pfrank
> Office +1 (312) 601-8647
> [email protected]
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
[email protected]
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
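The following is an added example, not Radiator's code and not part of Hugh's reply: a small Python model of how the Handler chain in the reply behaves, written to make the tiered logic visible. It models Handler selection by check items, AuthByPolicy ContinueWhileAccept (keep going while each AuthBy says ACCEPT, stop on the first other result), an AuthBy FILE whose DEFAULT entry carries the Auth-Type and Group check items from users.group, an AuthBy SYSTEM password check, and the catch-all AuthBy INTERNAL with AuthResult REJECT and AcctResult ACCEPT. The GROUPS table and SYSTEM_PASSWORDS store are constructed sample data standing in for /etc/group and the system password database; the salted SHA-256 stand-in is only so the model runs offline and is not how the OS or Radiator stores passwords. The reading that Auth-Type delegates to the AuthBy with that Identifier and that Group checks system group membership is my interpretation of the users.group line in the reply.

```python
"""Toy model of the Handler/AuthBy chain from the reply (not Radiator's code)."""
import hashlib
import hmac
from dataclasses import dataclass

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed stand-ins for /etc/group and the system password database.
GROUPS = {"netadm": {"robert", "alice"}, "users": {"robert", "bob", "alice"}}
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> str:
    # Stand-in for the real system password check; constructed for this model only.
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


SYSTEM_PASSWORDS = {name: _pw_hash(pw) for name, pw in
                    [("robert", "r0bert!"), ("bob", "b0b!"), ("alice", "al1ce!")]}


@dataclass
class Request:
    code: str        # "Access-Request" or "Accounting-Request"
    user: str
    password: str
    attrs: dict      # request attributes used as Handler check items


class AuthBySystem:
    """AuthBy SYSTEM: verify the password against the system password store."""
    def handle(self, req):
        if req.code != "Access-Request":
            return ACCEPT
        stored = SYSTEM_PASSWORDS.get(req.user)
        if stored is None:
            return REJECT
        return ACCEPT if hmac.compare_digest(stored, _pw_hash(req.password)) else REJECT


class AuthByFile:
    """AuthBy FILE: look the user up (falling back to DEFAULT) and apply check items."""
    def __init__(self, entries, registry):
        self.entries = entries      # {username: [(check_item, value), ...]}
        self.registry = registry    # Identifier -> AuthBy, for Auth-Type delegation

    def handle(self, req):
        if req.code != "Access-Request":
            return ACCEPT
        items = self.entries.get(req.user) or self.entries.get("DEFAULT")
        if items is None:
            return REJECT
        for item, value in items:           # every check item must pass
            if item == "Group" and req.user not in GROUPS.get(value, set()):
                return REJECT
            if item == "Auth-Type" and self.registry[value].handle(req) != ACCEPT:
                return REJECT
        return ACCEPT


class AuthByInternal:
    """AuthBy INTERNAL: fixed result per request type (AuthResult / AcctResult)."""
    def __init__(self, auth_result, acct_result):
        self.auth_result, self.acct_result = auth_result, acct_result

    def handle(self, req):
        return self.acct_result if req.code == "Accounting-Request" else self.auth_result


@dataclass
class Handler:
    check_items: dict    # attributes that must all match for this Handler to apply
    auth_bys: list

    def matches(self, req):
        return all(req.attrs.get(k) == v for k, v in self.check_items.items())

    def handle(self, req):
        # AuthByPolicy ContinueWhileAccept: continue while ACCEPT, stop on anything else.
        result = REJECT
        for auth_by in self.auth_bys:
            result = auth_by.handle(req)
            if result != ACCEPT:
                break
        return result


def build_server():
    """Mirror the Handler/AuthBy layout from the reply's SIMPLE.CFG."""
    system = AuthBySystem()
    registry = {"SystemAuthentication": system}
    group_file = AuthByFile(
        {"DEFAULT": [("Auth-Type", "SystemAuthentication"), ("Group", "netadm")]}, registry)
    reject_auth_accept_acct = AuthByInternal(REJECT, ACCEPT)
    return [
        Handler({"Client-Identifier": "NetworkEquipment", "Service-Type": "Login-User"},
                [group_file, system]),
        Handler({}, [reject_auth_accept_acct]),     # catch-all <Handler>
    ]


def dispatch(handlers, req):
    """First Handler whose check items match handles the request."""
    for handler in handlers:
        if handler.matches(req):
            return handler.handle(req)
    return REJECT


if __name__ == "__main__":
    nas = {"Client-Identifier": "NetworkEquipment", "Service-Type": "Login-User"}
    for user, pw in [("robert", "r0bert!"), ("bob", "b0b!"), ("alice", "wrong")]:
        print(user, dispatch(build_server(), Request("Access-Request", user, pw, nas)))
```

In the model, bob is rejected by the FILE stage even with a correct password because he is not in netadm, so the SYSTEM stage is never consulted; alice is in netadm but fails the password check. One caveat the thread itself shows: the packet dump in the original question carries Service-Type = NAS-Prompt-User, while the Handler in the reply matches Service-Type = Login-User, so in this model such a request falls through to the catch-all Handler and is rejected. The Handler check items have to match what the NAS actually sends.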