On 04/05/2012 04:12 PM, Robb Pfrank wrote:

Hello Robb,

> I attempted to use the config provided but the handler is not picking my
> device up. I have specified the specific IP address instead of DEFAULT; this
> did not seem to work either.

Try this:

<Handler Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User>

instead of this:

<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>

Now it fails to match the Handler because Service-Type is different in the request than in the Handler's checklist.

Heikki

> Thu Apr 5 09:09:57 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
> Thu Apr 5 09:09:57 2012: DEBUG: Finished reading configuration file 'simple.cfg'
> This Radiator license will expire on 2012-08-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact [email protected]
>
> Thu Apr 5 09:09:57 2012: DEBUG: Reading dictionary file './dictionary'
> Thu Apr 5 09:09:57 2012: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Apr 5 09:09:57 2012: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Apr 5 09:09:57 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
> Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 36248 ....
> Code: Access-Request
> Identifier: 185
> Authentic: M<18>A(<17>_H<194>B<159><196>?<247>,ag
> Attributes:
>     User-Name = "robert"
>     User-Password = "<210>J<242>Q<241>c^O<30><185>sm2<194><253>
>     NAS-Port-Id = "ttyS0"
>     Service-Type = NAS-Prompt-User
>     NAS-Port = 0
>     NAS-IP-Address = 10.2.120.150
>
> Thu Apr 5 09:10:31 2012: DEBUG: Handling request with Handler '', Identifier ''
> Thu Apr 5 09:10:31 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
> Thu Apr 5 09:10:31 2012: DEBUG: Handling with AuthINTERNAL: RejectAuthAcceptAcct
> Thu Apr 5 09:10:31 2012: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by AuthResult
> Thu Apr 5 09:10:31 2012: INFO: Access rejected for robert: Fixed by AuthResult
> Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
> *** Sending to 10.2.120.150 port 36248 ....
> Code: Access-Reject
> Identifier: 185
> Authentic: g<182>'A/jRt]5<30><240><160><27>O<170>
> Attributes:
>     Reply-Message = "Request Denied"
>
>
> <Client 10.2.120.150>
>     Identifier NetworkEquipment
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <AuthBy SYSTEM>
>     Identifier SystemAuthentication
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier GroupAuthentication
>     Filename %D/users
> </AuthBy>
>
> <AuthBy INTERNAL>
>     Identifier RejectAuthAcceptAcct
>     AuthResult REJECT
>     AcctResult ACCEPT
> </AuthBy>
>
> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>     AuthByPolicy ContinueWhileAccept
>     AuthBy GroupAuthentication
>     AuthBy SystemAuthentication
> </Handler>
>
> <Handler>
>     AuthBy RejectAuthAcceptAcct
> </Handler>
>
> <ServerHTTP>
>     Port 8100
>     DefaultPrivilegeLevel 15
> </ServerHTTP>
>
> Robb Pfrank
> Office +1 (312) 601-8647
> [email protected]
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:[email protected]]
> Sent: Tuesday, April 03, 2012 7:24 PM
> To: Robb Pfrank
> Cc: [email protected]
> Subject: Re: [RADIATOR] evaluation - Checkby syntax
>
>
> Hello Robb -
>
> You would do something like the following:
>
>
> SIMPLE.CFG
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> # Use a lower trace level in production systems:
> Trace 4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
>
> <Client 1.1.1.1>
>     Identifier NetworkEquipment
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Client 2.2.2.2>
>     Identifier NetworkEquipment
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Client 3.3.3.3>
>     Identifier NetworkEquipment
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> ......
>
> <AuthBy SYSTEM>
>     Identifier SystemAuthentication
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier GroupAuthentication
>     Filename %D/users.group
> </AuthBy>
>
> <AuthBy INTERNAL>
>     Identifier RejectAuthAcceptAcct
>     AuthResult REJECT
>     AcctResult ACCEPT
> </AuthBy>
>
> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>     AuthByPolicy ContinueWhileAccept
>     AuthBy GroupAuthentication
>     AuthBy SystemAuthentication
> </Handler>
>
> <Handler>
>     AuthBy RejectAuthAcceptAcct
> </Handler>
>
>
> The contents of the file "users.group" would look like this:
>
> # users.group
>
> DEFAULT Auth-Type = SystemAuthentication, Group = netadm
>
>
> BTW - there are a great many example configuration files in the "goodies"
> directory of the Radiator distribution.
>
> Hope that helps.
>
> regards
>
> Hugh
>
>
> On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
>
>> I am evaluating Radiator and would like to set up authentication using Linux
>> usernames & passwords as well as another type of check to allow access. For
>> instance, check if the user is part of a particular group before having their
>> login accepted. Specifically I want to limit networking equipment access to
>> users in the netadm group. I am running this on Fedora 12. Below is my
>> simple.cfg for testing; everything else works fine but I am having trouble
>> interpreting the documentation for tiered authentication. Thank you for
>> your assistance.
>>
>> SIMPLE.CFG
>>
>> Foreground
>> LogStdout
>> LogDir .
>> DbDir .
>> # Use a lower trace level in production systems:
>> Trace 4
>>
>> AuthPort 1645,1812
>> AcctPort 1646,1813
>>
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client>
>>     Secret mysecret
>>     DupInterval 0
>> </Client>
>>
>> <Client DEFAULT>
>>     Secret mysecret
>> </Client>
>>
>> <Realm>
>>     <AuthBy UNIX>
>>         Identifier System
>>         Filename /etc/shadow
>>         #Filename /etc/passwd
>>         GroupFilename /etc/group
>>         # Log accounting to a detail file
>>         AcctLogFileName /etc/radiator/radiator.log
>>     <ServerHTTP>
>>         Port 8100
>>         DefaultPrivilegeLevel 15
>>     </ServerHTTP>
>> </Realm>
>>
>>
>> Current output checking the Linux /etc/passwd file; I need to add a group or some
>> other type of identifier mechanism to the check.
>>
>> Tue Apr 3 15:28:12 2012: ERR: Could not resolve an address for Client
>> Tue Apr 3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in simple.cfg line 65
>> Tue Apr 3 15:28:13 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
>> Tue Apr 3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>> This Radiator license will expire on 2012-08-01
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see http://www.open.com.au/ordering.html
>> To extend your license period, contact [email protected]
>> Tue Apr 3 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
>> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1645
>> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1812
>> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1813
>> Tue Apr 3 15:28:13 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
>> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
>> *** Received from 10.2.120.150 port 56193 ....
>> Code: Access-Request
>> Identifier: 64
>> Authentic: <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
>> Attributes:
>>     User-Name = "robert"
>>     User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
>>     NAS-Port-Id = "ttyS0"
>>     Service-Type = NAS-Prompt-User
>>     NAS-Port = 0
>>     NAS-IP-Address = 10.2.120.150
>> Tue Apr 3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=', Identifier ''
>> Tue Apr 3 15:28:34 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
>> Tue Apr 3 15:28:34 2012: DEBUG: Handling with Radius::AuthUNIX: System
>> Tue Apr 3 15:28:34 2012: DEBUG: Reading group file /etc/group
>> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX looks for match with robert [robert]
>> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert]
>> Tue Apr 3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT,
>> Tue Apr 3 15:28:34 2012: DEBUG: Access accepted for robert
>> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
>> *** Sending to 10.2.120.150 port 56193 ....
>> Code: Access-Accept
>> Identifier: 64
>> Authentic: k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
>> Attributes:
>>
>>
>> Robb Pfrank
>> Office +1 (312) 601-8647
>> [email protected]
>>
>>
>> The contents of this message (including any attachment(s)) may be
>> privileged and confidential and is intended solely for the private use
>> of the intended recipient(s). If you are not the intended recipient or
>> have received this message in error, please notify the sender
>> immediately and delete the message. You should not disseminate,
>> distribute or copy this message without the permission of the author. This
>> message cannot in any way bind Headlands Technologies LLC or any affiliate
>> to any contract or other obligation.
>>
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> [email protected]
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

--
Heikki Vatiainen <[email protected]>
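The behaviour the thread walks through, as an added Python model written for this page (it is not Radiator code and not a script from any of the posters): Radiator tries Handlers in configuration order and uses the first one whose check items all match the request, so a bare `<Handler>` with no check items is a catch-all; the chosen Handler then runs its AuthBy clauses under `AuthByPolicy ContinueWhileAccept`, stopping at the first one that does not return ACCEPT. The request attributes are taken from the packet dump quoted above. The group membership, the system password check and the `users.group` DEFAULT entry are modelled with inline dicts and small functions (assumptions standing in for `/etc/group`, `AuthBy SYSTEM` and `AuthBy FILE`); only the ContinueWhileAccept policy is modelled.

```python
"""Model of Radiator <Handler> selection and an AuthByPolicy ContinueWhileAccept
chain, built to reproduce the thread's failure (Service-Type = Login-User in the
Handler, NAS-Prompt-User in the request) and the fix. Added example, not
Radiator's implementation."""
from dataclasses import dataclass

# Attributes of the Access-Request in the quoted packet dump; Client-Identifier
# is what the matching <Client 10.2.120.150> clause (Identifier NetworkEquipment)
# attaches to the request.
REQUEST_FROM_THREAD = {
    "Client-Identifier": "NetworkEquipment",
    "User-Name": "robert",
    "NAS-Port-Id": "ttyS0",
    "Service-Type": "NAS-Prompt-User",
    "NAS-Port": "0",
    "NAS-IP-Address": "10.2.120.150",
}

# Constructed stand-ins (assumptions) for /etc/group and the OS password check.
UNIX_GROUPS = {"netadm": {"robert", "alice"}, "users": {"robert", "alice", "bob"}}
SYSTEM_PASSWORDS = {"robert": "s3cret", "alice": "pw", "bob": "hunter2"}


@dataclass
class Handler:
    checks: dict      # check items from the <Handler ...> line
    authbys: list     # AuthBy identifiers, in configuration order
    policy: str = "ContinueWhileAccept"


def parse_handler_line(line):
    """'<Handler A = x, B = y>' -> {'A': 'x', 'B': 'y'}; '<Handler>' -> {}."""
    body = line.strip()
    if not (body.startswith("<Handler") and body.endswith(">")):
        raise ValueError(f"not a Handler line: {line!r}")
    body = body[len("<Handler"):-1].strip()
    checks = {}
    for item in filter(None, (p.strip() for p in body.split(","))):
        name, _, value = item.partition("=")
        checks[name.strip()] = value.strip()
    return checks


def select_handler(handlers, request):
    """First Handler whose check items all equal the request's attributes wins.
    An empty check list matches everything, which is why <Handler> catches
    whatever the more specific Handlers fail to match."""
    for handler in handlers:
        if all(request.get(k) == v for k, v in handler.checks.items()):
            return handler
    return None


# --- AuthBy stand-ins -------------------------------------------------------
def auth_system(user, password, request):
    """AuthBy SYSTEM: password checked against the OS (dict here, assumption)."""
    return "ACCEPT" if SYSTEM_PASSWORDS.get(user) == password else "REJECT"


def auth_group(user, password, request):
    """AuthBy FILE with 'DEFAULT Auth-Type = SystemAuthentication, Group = netadm':
    the Group check item must pass, then Auth-Type hands the password check to
    the SystemAuthentication AuthBy (modelled, assumption)."""
    if user not in UNIX_GROUPS["netadm"]:
        return "REJECT"
    return auth_system(user, password, request)


def auth_internal_reject(user, password, request):
    """AuthBy INTERNAL with AuthResult REJECT: deny regardless of credentials."""
    return "REJECT"


AUTHBYS = {
    "GroupAuthentication": auth_group,
    "SystemAuthentication": auth_system,
    "RejectAuthAcceptAcct": auth_internal_reject,
}


def run_chain(handler, user, password, request):
    """ContinueWhileAccept: keep going while each AuthBy ACCEPTs; the last
    result stands, so one REJECT anywhere in the chain rejects the request."""
    if handler.policy != "ContinueWhileAccept":
        raise NotImplementedError("only ContinueWhileAccept is modelled here")
    result = "REJECT"
    for name in handler.authbys:
        result = AUTHBYS[name](user, password, request)
        if result != "ACCEPT":
            break
    return result


def decide(handler_lines, request, password):
    """Return (label of the Handler that matched, final result)."""
    handlers = [Handler(parse_handler_line(line), authbys) for line, authbys in handler_lines]
    chosen = select_handler(handlers, request)
    if chosen is None:
        return ("<none>", "REJECT")
    label = ", ".join(f"{k} = {v}" for k, v in chosen.checks.items()) or "(catch-all)"
    return (label, run_chain(chosen, request["User-Name"], password, request))


# The two Handler sets from the thread: the one that failed and Heikki's fix.
AS_POSTED = [
    ("<Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>",
     ["GroupAuthentication", "SystemAuthentication"]),
    ("<Handler>", ["RejectAuthAcceptAcct"]),
]
AS_FIXED = [
    ("<Handler Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User>",
     ["GroupAuthentication", "SystemAuthentication"]),
    ("<Handler>", ["RejectAuthAcceptAcct"]),
]

if __name__ == "__main__":
    print("as posted, robert:", decide(AS_POSTED, REQUEST_FROM_THREAD, "s3cret"))
    print("fixed, robert:    ", decide(AS_FIXED, REQUEST_FROM_THREAD, "s3cret"))
    print("fixed, bob:       ", decide(AS_FIXED, {**REQUEST_FROM_THREAD, "User-Name": "bob"}, "hunter2"))
```

With the Handler as posted, robert lands in the catch-all and is rejected even with the right password, which is exactly the `Handling request with Handler ''` line followed by `AuthBy INTERNAL result: REJECT` in the quoted log; the empty Handler name in that line is the quickest tell that no check item matched. With the fix, robert (in netadm, correct password) is accepted, while bob is rejected by the group check before any password is tried. Keeping the catch-all `<Handler>` with `AuthResult REJECT` after the specific one is the right shape: a NAS that sends some other Service-Type falls through to a deny rather than to an AuthBy that skips the group check.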
