Hugh,

I attempted to use the config provided, but the handler is not picking my device 
up.  I have specified the specific IP address instead of DEFAULT; this did not 
seem to work either.


Thu Apr  5 09:09:57 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
Thu Apr  5 09:09:57 2012: DEBUG: Finished reading configuration file 
'simple.cfg'
This Radiator license will expire on 2012-08-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact [email protected]

Thu Apr  5 09:09:57 2012: DEBUG: Reading dictionary file './dictionary'
Thu Apr  5 09:09:57 2012: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Apr  5 09:09:57 2012: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Apr  5 09:09:57 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 
(LOCKED)
Thu Apr  5 09:10:31 2012: DEBUG: Packet dump:
*** Received from 10.2.120.150 port 36248 ....
Code:       Access-Request
Identifier: 185
Authentic:  M<18>A(<17>_H<194>B<159><196>?<247>,ag
Attributes:
        User-Name = "robert"
        User-Password = "<210>J<242>Q<241>c^O<30><185>sm2<194><253>
        NAS-Port-Id = "ttyS0"
        Service-Type = NAS-Prompt-User
        NAS-Port = 0
        NAS-IP-Address = 10.2.120.150

Thu Apr  5 09:10:31 2012: DEBUG: Handling request with Handler '', Identifier ''
Thu Apr  5 09:10:31 2012: DEBUG:  Deleting session for robert, 10.2.120.150, 0
Thu Apr  5 09:10:31 2012: DEBUG: Handling with AuthINTERNAL: 
RejectAuthAcceptAcct
Thu Apr  5 09:10:31 2012: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by 
AuthResult
Thu Apr  5 09:10:31 2012: INFO: Access rejected for robert: Fixed by AuthResult
Thu Apr  5 09:10:31 2012: DEBUG: Packet dump:
*** Sending to 10.2.120.150 port 36248 ....
Code:       Access-Reject
Identifier: 185
Authentic:  g<182>'A/jRt]5<30><240><160><27>O<170>
Attributes:
        Reply-Message = "Request Denied"




<Client 10.2.120.150>
        Identifier NetworkEquipment
        Secret  mysecret
        DupInterval 0
</Client>


<AuthBy SYSTEM>
        Identifier SystemAuthentication
</AuthBy>

<AuthBy FILE>
        Identifier GroupAuthentication
        Filename %D/users
</AuthBy>

<AuthBy INTERNAL>
        Identifier RejectAuthAcceptAcct
        AuthResult REJECT
        AcctResult ACCEPT
</AuthBy>

<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
        AuthByPolicy ContinueWhileAccept
        AuthBy GroupAuthentication
        AuthBy SystemAuthentication
</Handler>

<Handler>
        AuthBy RejectAuthAcceptAcct
</Handler>

<ServerHTTP>
        Port  8100
        DefaultPrivilegeLevel 15
</ServerHTTP>

Robb Pfrank
Office +1 (312) 601-8647
[email protected]



-----Original Message-----
From: Hugh Irvine [mailto:[email protected]] 
Sent: Tuesday, April 03, 2012 7:24 PM
To: Robb Pfrank
Cc: [email protected]
Subject: Re: [RADIATOR] evaluation - Checkby syntax


Hello Robb -

You would do something like the following:


SIMPLE.CFG
 
Foreground
LogStdout
LogDir          .
DbDir           .
# Use a lower trace level in production systems:
Trace           4
 
AuthPort        1645,1812
AcctPort        1646,1813
 
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with

<Client 1.1.1.1>
        Identifier NetworkEquipment
        Secret  mysecret
        DupInterval 0
</Client>
 
<Client 2.2.2.2>
        Identifier NetworkEquipment
        Secret  mysecret
        DupInterval 0
</Client>
 
<Client 3.3.3.3>
        Identifier NetworkEquipment
        Secret  mysecret
        DupInterval 0
</Client>
 
......

<AuthBy SYSTEM>
        Identifier SystemAuthentication
</AuthBy>

<AuthBy FILE>
        Identifier GroupAuthentication
        Filename %D/users.group
</AuthBy>

<AuthBy INTERNAL>
        Identifier RejectAuthAcceptAcct
        AuthResult REJECT
        AcctResult ACCEPT
</AuthBy>

<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
        AuthByPolicy ContinueWhileAccept
        AuthBy GroupAuthentication
        AuthBy SystemAuthentication
</Handler>

<Handler>
        AuthBy RejectAuthAcceptAcct
</Handler>


The contents of the file "users.group" would look like this:

# users.group

DEFAULT Auth-Type = SystemAuthentication, Group = netadm


BTW - there are a great many example configuration files in the "goodies" 
directory of the Radiator distribution.

Hope that helps.

regards

Hugh
        
 



On 4 Apr 2012, at 05:30, Robb Pfrank wrote:

> I am evaluating Radiator and would like to set up authentication using Linux 
> usernames & passwords as well as another type of check to allow access.  For 
> instance, check if the user is part of a particular group before having their 
> login accepted.  Specifically, I want to limit networking equipment access to 
> users in the netadm group; I am running this on Fedora 12.  Below is my 
> simple.cfg for testing; everything else works fine, but I am having trouble 
> interpreting the documentation for tiered authentication.  Thank you for your 
> assistance.
>  
>  
>  
> SIMPLE.CFG
>  
> Foreground
> LogStdout
> LogDir          .
> DbDir           .
> # Use a lower trace level in production systems:
> Trace           4
>  
> AuthPort        1645,1812
> AcctPort        1646,1813
>  
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>  
> <Client DEFAULT>
>         Secret  mysecret
> </Client>
>  
> <Realm>
>         <AuthBy UNIX>
>         Identifier System
>         Filename /etc/shadow
>         #Filename /etc/passwd
>         GroupFilename /etc/group
>         # Log accounting to a detail file
>         AcctLogFileName /etc/radiator/radiator.log
>         <ServerHTTP>
>                 Port  8100
>                 DefaultPrivilegeLevel 15
>         </ServerHTTP>
> </Realm>
>  
>  
> Current output checking the Linux /etc/passwd file; need to add a group or some 
> other type of identifier mechanism to the check.
>  
> Tue Apr  3 15:28:12 2012: ERR: Could not resolve an address for Client 
> Tue Apr  3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in simple.cfg line 65
> Tue Apr  3 15:28:13 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
> Tue Apr  3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
> This Radiator license will expire on 2012-08-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact [email protected]
> Tue Apr  3 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
> Tue Apr  3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Apr  3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1812
> Tue Apr  3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Apr  3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1813
> Tue Apr  3 15:28:13 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
> Tue Apr  3 15:28:34 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 56193 ....
> Code:       Access-Request
> Identifier: 64
> Authentic:  <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
> Attributes:
>         User-Name = "robert"
>         User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
>         NAS-Port-Id = "ttyS0"
>         Service-Type = NAS-Prompt-User
>         NAS-Port = 0
>         NAS-IP-Address = 10.2.120.150
> Tue Apr  3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=', Identifier ''
> Tue Apr  3 15:28:34 2012: DEBUG:  Deleting session for robert, 10.2.120.150, 0
> Tue Apr  3 15:28:34 2012: DEBUG: Handling with Radius::AuthUNIX: System
> Tue Apr  3 15:28:34 2012: DEBUG: Reading group file /etc/group
> Tue Apr  3 15:28:34 2012: DEBUG: Radius::AuthUNIX looks for match with robert [robert]
> Tue Apr  3 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert]
> Tue Apr  3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT, 
> Tue Apr  3 15:28:34 2012: DEBUG: Access accepted for robert
> Tue Apr  3 15:28:34 2012: DEBUG: Packet dump:
> *** Sending to 10.2.120.150 port 56193 ....
> Code:       Access-Accept
> Identifier: 64
> Authentic:  k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
> Attributes:
>  
>  
>  
>  
> Robb Pfrank
> Office +1 (312) 601-8647
> [email protected]
>  
>  
> 
> 
> 
> The contents of this message (including any attachment(s)) may be 
> privileged and confidential and is intended solely for the private use 
> of the intended recipient(s). If you are not the intended recipient or 
> have received this message in error, please notify the sender 
> immediately and delete the message. You should not disseminate, 
> distribute or copy this message without the permission of the author. This 
> message cannot in any way bind Headlands Technologies LLC or any affiliate to 
> any contract or other obligation.
> 
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
[email protected]

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
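What follows is an added example and not part of this thread or of Radiator itself: a small Python model of the two Radiator rules that both Hugh's suggested simple.cfg and Robb's trace depend on, Handler selection by check items and the AuthByPolicy ContinueWhileAccept chain. The Handler check items, AuthBy identifiers and the Access-Request attributes are taken from the messages above; the in-memory Client table, the netadm membership, the plaintext passwords, and the password placed in the request (the dump only shows the encrypted octets) are assumptions made for the example, as are all function names.

```python
"""Offline model of Radiator's Handler selection and AuthBy chaining.

Added example, not Radiator code.  Two rules from the Radiator reference
manual are encoded: Handlers are tried in configuration order and the first
whose check items all match handles the request (a bare <Handler> matches
everything); AuthByPolicy ContinueWhileAccept consults the AuthBy list in
order, stops at the first one that does not ACCEPT, and replies with the
result of the last AuthBy consulted.  Client-Identifier is the Identifier of
the <Client> clause matching the packet's source address.
"""

CLIENTS = {"10.2.120.150": "NetworkEquipment"}   # stand-in for <Client 10.2.120.150>
NETADM_MEMBERS = {"alice"}                        # constructed: netadm:x:1001:alice
PASSWORDS = {"robert": "hunter2", "alice": "s3cret"}  # constructed, plaintext

# The two Handlers from simple.cfg, in configuration order:
# (check items, AuthByPolicy, AuthBy identifiers).  ContinueWhileIgnore is
# Radiator's default policy when the Handler does not set one.
HANDLERS = [
    ("Client-Identifier = NetworkEquipment, Service-Type = Login-User",
     "ContinueWhileAccept", ["GroupAuthentication", "SystemAuthentication"]),
    ("", "ContinueWhileIgnore", ["RejectAuthAcceptAcct"]),
]


def parse_check_items(spec):
    """Turn 'A = x, B = y' into {'A': 'x', 'B': 'y'}.  Only '=' is modelled;
    Radiator's check items support more than plain equality."""
    items = {}
    for part in spec.split(","):
        if part.strip():
            name, value = (s.strip() for s in part.split("=", 1))
            items[name] = value
    return items


def select_handler(request, handlers=HANDLERS, clients=CLIENTS):
    """Return (spec, policy, authbys) of the first Handler whose check items
    all match, or None.  A real Radiator discards packets from addresses
    with no <Client> clause before it gets this far."""
    attrs = dict(request)
    attrs["Client-Identifier"] = clients.get(request["src"], "")
    for spec, policy, authbys in handlers:
        if all(attrs.get(k) == v for k, v in parse_check_items(spec).items()):
            return spec, policy, authbys
    return None


# AuthBy stand-ins; each returns ACCEPT, REJECT or IGNORE as Radiator does.
def group_authentication(req):      # AuthBy FILE, users.group: Group = netadm
    return "ACCEPT" if req["User-Name"] in NETADM_MEMBERS else "REJECT"

def system_authentication(req):     # AuthBy SYSTEM: password check
    ok = PASSWORDS.get(req["User-Name"]) == req["User-Password"]
    return "ACCEPT" if ok else "REJECT"

def reject_auth_accept_acct(req):   # AuthBy INTERNAL, AuthResult REJECT
    return "REJECT"

AUTHBYS = {
    "GroupAuthentication": group_authentication,
    "SystemAuthentication": system_authentication,
    "RejectAuthAcceptAcct": reject_auth_accept_acct,
}


def run_chain(policy, names, req):
    """Apply the AuthByPolicy; return (final result, AuthBys consulted)."""
    result, consulted = "IGNORE", []
    for name in names:
        result = AUTHBYS[name](req)
        consulted.append(name)
        if policy == "ContinueWhileAccept" and result != "ACCEPT":
            break
        if policy == "ContinueWhileIgnore" and result != "IGNORE":
            break
    return result, consulted


def authenticate(request):
    """Return (handler check items, result, AuthBys consulted)."""
    chosen = select_handler(request)
    if chosen is None:
        return None, "IGNORE", []
    spec, policy, authbys = chosen
    result, consulted = run_chain(policy, authbys, request)
    return spec, result, consulted


# Attributes copied from the Access-Request in the thread; the password is a
# constructed plaintext since the dump only shows the encrypted octets.
REQUEST_FROM_DUMP = {
    "src": "10.2.120.150", "User-Name": "robert", "User-Password": "hunter2",
    "NAS-Port-Id": "ttyS0", "Service-Type": "NAS-Prompt-User",
    "NAS-Port": "0", "NAS-IP-Address": "10.2.120.150",
}

if __name__ == "__main__":
    print(authenticate(REQUEST_FROM_DUMP))              # bare <Handler>, REJECT
    print(authenticate({**REQUEST_FROM_DUMP, "Service-Type": "Login-User"}))
```

Run as-is, the first line printed is ('', 'REJECT', ['RejectAuthAcceptAcct']), which is the path in the trace above: the request carries Service-Type = NAS-Prompt-User while the first Handler's check item asks for Login-User, so the bare Handler is the first match and AuthBy INTERNAL rejects. With Service-Type changed to Login-User the first Handler is selected and, because robert is not in the constructed netadm group, ContinueWhileAccept stops after GroupAuthentication without ever consulting SystemAuthentication.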



