Hello Robb -

No, this won't work.

Handlers only do matches. AuthBys do checks.

regards

Hugh


On 12 Apr 2012, at 02:29, Robb Pfrank wrote:

> Could I just add Group to the handler to require both the correct group,
> users, and the Unix password from /etc/shadow to match? I tried this out and
> got the below message.
>
>
> <Handler Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User, Group = users>
>     AuthByPolicy ContinueUntilReject
>     AuthBy GroupAuthentication
>     AuthBy SystemAuthentication
> </Handler>
>
> sec-l-adm02 radiator # /usr/local/bin/radiusd -config_file simple.cfg
> Wed Apr 11 12:23:39 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
> Wed Apr 11 12:23:39 2012: DEBUG: Finished reading configuration file 'simple.cfg'
> This Radiator license will expire on 2012-08-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact [email protected]
>
> Wed Apr 11 12:23:39 2012: DEBUG: Reading dictionary file './dictionary'
> Wed Apr 11 12:23:39 2012: DEBUG: Creating authentication port 0.0.0.0:1812
> Wed Apr 11 12:23:39 2012: DEBUG: Creating accounting port 0.0.0.0:1813
> Wed Apr 11 12:23:39 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
> Wed Apr 11 12:23:48 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 46200 ....
> Code:       Access-Request
> Identifier: 252
> Authentic:  p@<235><239><188><242><222><135>)|Q<213>hz<168><250>
> Attributes:
>     User-Name = "robert"
>     User-Password = d<225><215>YU<149><174>V<160><3><246>wI><142>F
>     NAS-Port-Id = "ttyS0"
>     Service-Type = NAS-Prompt-User
>     NAS-Port = 0
>     NAS-IP-Address = 10.2.120.150
>
> Can't locate object method "userIsInGroup" via package "Radius::Handler" at
> /usr/local/lib/perl5/site_perl/5.10.0/Radius/AuthGeneric.pm line 1707.
> ...caught at /usr/local/bin/radiusd line 5.
>
>
> Robb Pfrank
> Office +1 (312) 601-8647
> [email protected]
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:[email protected]]
> Sent: Thursday, April 05, 2012 6:58 PM
> To: Robb Pfrank
> Cc: [email protected] List
> Subject: Re: [RADIATOR] evaluation - Checkby syntax
>
>
> Hello Robb -
>
> As Heikki rightly says, you will need to alter the Handler definition to
> match what is actually in the incoming request.
>
> It is always essential to study the contents of the incoming requests with a
> trace 4 debug so you can see exactly what is happening.
>
> My example was just that - an example showing how I tend to structure
> Radiator configuration files.
>
> regards
>
> Hugh
>
>
> On 6 Apr 2012, at 02:46, Heikki Vatiainen wrote:
>
>> On 04/05/2012 04:12 PM, Robb Pfrank wrote:
>>
>> Hello Robb,
>>
>>> I attempted to use the config provided but the handler is not picking my
>>> device up. I have specified the specific IP address instead of DEFAULT;
>>> this did not seem to work either.
>>
>> Try this:
>>
>> <Handler Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User>
>>
>> instead of this:
>>
>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>>
>> Now it fails to match the Handler because Service-Type is different in
>> the request than in the Handler's checklist.
>>
>> Heikki
>>
>>
>>> Thu Apr 5 09:09:57 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
>>> Thu Apr 5 09:09:57 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>>> This Radiator license will expire on 2012-08-01
>>> This Radiator license will stop operating after 1000 requests
>>> To purchase an unlimited full source version of Radiator, see
>>> http://www.open.com.au/ordering.html
>>> To extend your license period, contact [email protected]
>>>
>>> Thu Apr 5 09:09:57 2012: DEBUG: Reading dictionary file './dictionary'
>>> Thu Apr 5 09:09:57 2012: DEBUG: Creating authentication port 0.0.0.0:1812
>>> Thu Apr 5 09:09:57 2012: DEBUG: Creating accounting port 0.0.0.0:1813
>>> Thu Apr 5 09:09:57 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
>>> Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
>>> *** Received from 10.2.120.150 port 36248 ....
>>> Code:       Access-Request
>>> Identifier: 185
>>> Authentic:  M<18>A(<17>_H<194>B<159><196>?<247>,ag
>>> Attributes:
>>>     User-Name = "robert"
>>>     User-Password = "<210>J<242>Q<241>c^O<30><185>sm2<194><253>
>>>     NAS-Port-Id = "ttyS0"
>>>     Service-Type = NAS-Prompt-User
>>>     NAS-Port = 0
>>>     NAS-IP-Address = 10.2.120.150
>>>
>>> Thu Apr 5 09:10:31 2012: DEBUG: Handling request with Handler '', Identifier ''
>>> Thu Apr 5 09:10:31 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
>>> Thu Apr 5 09:10:31 2012: DEBUG: Handling with AuthINTERNAL: RejectAuthAcceptAcct
>>> Thu Apr 5 09:10:31 2012: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by AuthResult
>>> Thu Apr 5 09:10:31 2012: INFO: Access rejected for robert: Fixed by AuthResult
>>> Thu Apr 5 09:10:31 2012: DEBUG: Packet dump:
>>> *** Sending to 10.2.120.150 port 36248 ....
>>> Code:       Access-Reject
>>> Identifier: 185
>>> Authentic:  g<182>'A/jRt]5<30><240><160><27>O<170>
>>> Attributes:
>>>     Reply-Message = "Request Denied"
>>>
>>>
>>>
>>> <Client 10.2.120.150>
>>>     Identifier NetworkEquipment
>>>     Secret mysecret
>>>     DupInterval 0
>>> </Client>
>>>
>>>
>>> <AuthBy SYSTEM>
>>>     Identifier SystemAuthentication
>>> </AuthBy>
>>>
>>> <AuthBy FILE>
>>>     Identifier GroupAuthentication
>>>     Filename %D/users
>>> </AuthBy>
>>>
>>> <AuthBy INTERNAL>
>>>     Identifier RejectAuthAcceptAcct
>>>     AuthResult REJECT
>>>     AcctResult ACCEPT
>>> </AuthBy>
>>>
>>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>>>     AuthByPolicy ContinueWhileAccept
>>>     AuthBy GroupAuthentication
>>>     AuthBy SystemAuthentication
>>> </Handler>
>>>
>>> <Handler>
>>>     AuthBy RejectAuthAcceptAcct
>>> </Handler>
>>>
>>> <ServerHTTP>
>>>     Port 8100
>>>     DefaultPrivilegeLevel 15
>>> </ServerHTTP>
>>>
>>> Robb Pfrank
>>> Office +1 (312) 601-8647
>>> [email protected]
>>>
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:[email protected]]
>>> Sent: Tuesday, April 03, 2012 7:24 PM
>>> To: Robb Pfrank
>>> Cc: [email protected]
>>> Subject: Re: [RADIATOR] evaluation - Checkby syntax
>>>
>>>
>>> Hello Robb -
>>>
>>> You would do something like the following:
>>>
>>>
>>> SIMPLE.CFG
>>>
>>> Foreground
>>> LogStdout
>>> LogDir .
>>> DbDir .
>>> # Use a lower trace level in production systems:
>>> Trace 4
>>>
>>> AuthPort 1645,1812
>>> AcctPort 1646,1813
>>>
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>>
>>> <Client 1.1.1.1>
>>>     Identifier NetworkEquipment
>>>     Secret mysecret
>>>     DupInterval 0
>>> </Client>
>>>
>>> <Client 2.2.2.2>
>>>     Identifier NetworkEquipment
>>>     Secret mysecret
>>>     DupInterval 0
>>> </Client>
>>>
>>> <Client 3.3.3.3>
>>>     Identifier NetworkEquipment
>>>     Secret mysecret
>>>     DupInterval 0
>>> </Client>
>>>
>>> ......
>>>
>>> <AuthBy SYSTEM>
>>>     Identifier SystemAuthentication
>>> </AuthBy>
>>>
>>> <AuthBy FILE>
>>>     Identifier GroupAuthentication
>>>     Filename %D/users.group
>>> </AuthBy>
>>>
>>> <AuthBy INTERNAL>
>>>     Identifier RejectAuthAcceptAcct
>>>     AuthResult REJECT
>>>     AcctResult ACCEPT
>>> </AuthBy>
>>>
>>> <Handler Client-Identifier = NetworkEquipment, Service-Type = Login-User>
>>>     AuthByPolicy ContinueWhileAccept
>>>     AuthBy GroupAuthentication
>>>     AuthBy SystemAuthentication
>>> </Handler>
>>>
>>> <Handler>
>>>     AuthBy RejectAuthAcceptAcct
>>> </Handler>
>>>
>>>
>>> The contents of the file "users.group" would look like this:
>>>
>>> # users.group
>>>
>>> DEFAULT Auth-Type = SystemAuthentication, Group = netadm
>>>
>>>
>>> BTW - there are a great many example configuration files in the "goodies"
>>> directory of the Radiator distribution.
>>>
>>> Hope that helps.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 4 Apr 2012, at 05:30, Robb Pfrank wrote:
>>>
>>>> I am evaluating Radiator and would like to set up authentication using
>>>> Linux usernames & passwords as well as another type of check to allow
>>>> access. For instance, check if the user is part of a particular group
>>>> before having their login accepted. Specifically I want to limit
>>>> networking equipment access to users in the netadm group; I am running
>>>> this on Fedora 12. Below is my simple.cfg for testing; everything else
>>>> works fine but I am having trouble interpreting the documentation for
>>>> tiered authentication. Thank you for your assistance.
>>>>
>>>>
>>>> SIMPLE.CFG
>>>>
>>>> Foreground
>>>> LogStdout
>>>> LogDir .
>>>> DbDir .
>>>> # Use a lower trace level in production systems:
>>>> Trace 4
>>>>
>>>> AuthPort 1645,1812
>>>> AcctPort 1646,1813
>>>>
>>>> # You will probably want to add other Clients to suit your site,
>>>> # one for each NAS you want to work with
>>>> <Client>
>>>>     Secret mysecret
>>>>     DupInterval 0
>>>> </Client>
>>>>
>>>> <Client DEFAULT>
>>>>     Secret mysecret
>>>> </Client>
>>>>
>>>> <Realm>
>>>>     <AuthBy UNIX>
>>>>         Identifier System
>>>>         Filename /etc/shadow
>>>>         #Filename /etc/passwd
>>>>         GroupFilename /etc/group
>>>>         # Log accounting to a detail file
>>>>         AcctLogFileName /etc/radiator/radiator.log
>>>>     <ServerHTTP>
>>>>         Port 8100
>>>>         DefaultPrivilegeLevel 15
>>>>     </ServerHTTP>
>>>> </Realm>
>>>>
>>>>
>>>> Current output checking the Linux /etc/passwd file; I need to add group or some
>>>> other type of identifier mechanism to the check.
>>>>
>>>> Tue Apr 3 15:28:12 2012: ERR: Could not resolve an address for Client
>>>> Tue Apr 3 15:28:12 2012: ERR: Unknown keyword 'AcctLogFileName' in simple.cfg line 65
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>>>> This Radiator license will expire on 2012-08-01
>>>> This Radiator license will stop operating after 1000 requests
>>>> To purchase an unlimited full source version of Radiator, see
>>>> http://www.open.com.au/ordering.html
>>>> To extend your license period, contact [email protected]
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Reading dictionary file './dictionary'
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1645
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Creating authentication port 0.0.0.0:1812
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1646
>>>> Tue Apr 3 15:28:13 2012: DEBUG: Creating accounting port 0.0.0.0:1813
>>>> Tue Apr 3 15:28:13 2012: NOTICE: Server started: Radiator 4.9 on sec-l-adm02 (LOCKED)
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
>>>> *** Received from 10.2.120.150 port 56193 ....
>>>> Code:       Access-Request
>>>> Identifier: 64
>>>> Authentic:  <131><19><159><26><141><164><247><161>`<143><202>G<202>mA<186>
>>>> Attributes:
>>>>     User-Name = "robert"
>>>>     User-Password = <226>D4<133>#y<153>=<251><186>r<136><14><8><143><147>
>>>>     NAS-Port-Id = "ttyS0"
>>>>     Service-Type = NAS-Prompt-User
>>>>     NAS-Port = 0
>>>>     NAS-IP-Address = 10.2.120.150
>>>>
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Handling request with Handler 'Realm=', Identifier ''
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Deleting session for robert, 10.2.120.150, 0
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Handling with Radius::AuthUNIX: System
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Reading group file /etc/group
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX looks for match with robert [robert]
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Radius::AuthUNIX ACCEPT: : robert [robert]
>>>> Tue Apr 3 15:28:34 2012: DEBUG: AuthBy UNIX result: ACCEPT,
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Access accepted for robert
>>>> Tue Apr 3 15:28:34 2012: DEBUG: Packet dump:
>>>> *** Sending to 10.2.120.150 port 56193 ....
>>>> Code:       Access-Accept
>>>> Identifier: 64
>>>> Authentic:  k<206><151><250>5<246>p=<23><141>.<197><167><244>Un
>>>> Attributes:
>>>>
>>>>
>>>>
>>>> Robb Pfrank
>>>> Office +1 (312) 601-8647
>>>> [email protected]
>>>>
>>>>
>>>> The contents of this message (including any attachment(s)) may be
>>>> privileged and confidential and is intended solely for the private
>>>> use of the intended recipient(s). If you are not the intended
>>>> recipient or have received this message in error, please notify the
>>>> sender immediately and delete the message. You should not
>>>> disseminate, distribute or copy this message without the permission of the
>>>> author. This message cannot in any way bind Headlands Technologies LLC or
>>>> any affiliate to any contract or other obligation.
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> [email protected]
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>> --
>>>
>>> Hugh Irvine
>>> [email protected]
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>>
>> --
>> Heikki Vatiainen <[email protected]>
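Putting the thread's advice together: below is a complete simple.cfg that does what Robb asked for, namely accept a login on the network equipment only when the Unix password is correct AND the user is in the netadm group. This is an added example; it is not a configuration posted by Hugh, Heikki or Robb and not a file from the Radiator distribution. It combines Hugh's structure (one Client per NAS, two AuthBys chained under a Handler, a catch-all Handler that rejects), Heikki's correction that the Handler must match Service-Type = NAS-Prompt-User because that is what the trace shows the device sending, and Hugh's final point that Group is an AuthBy check item and does not belong in a Handler. The client address 10.2.120.150 and the group name netadm are taken from the messages above; the secret placeholder, the file paths and the comments are assumptions made for this example.

```text
# simple.cfg (added example, see the note above for what is assumed)
Foreground
LogStdout
LogDir .
DbDir .
# Trace 4 logs every request and every AuthBy result; use a lower level in production.
Trace 4

AuthPort 1645,1812
AcctPort 1646,1813

# One Client per NAS. The Identifier is what the Handler below matches on.
# The shared secret is a placeholder; replace it before use.
<Client 10.2.120.150>
	Identifier NetworkEquipment
	Secret CHANGE-ME
	DupInterval 0
</Client>

# Verifies User-Password against the system account database.
<AuthBy SYSTEM>
	Identifier SystemAuthentication
</AuthBy>

# Applies the per-user check items from users.group. The Group check
# lives here, in an AuthBy, because only AuthBys evaluate check items.
<AuthBy FILE>
	Identifier GroupAuthentication
	Filename %D/users.group
</AuthBy>

# Catch-all result for anything no specific Handler claims: refuse the
# login but still accept accounting so the NAS does not keep retrying.
<AuthBy INTERNAL>
	Identifier RejectAuthAcceptAcct
	AuthResult REJECT
	AcctResult ACCEPT
</AuthBy>

# Handler check items are matched against attributes present in the
# request only. Service-Type is NAS-Prompt-User because that is the value
# in the packet dumps above (Login-User never matched). Adding
# "Group = netadm" here is what produced the userIsInGroup error.
<Handler Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User>
	# The policy is what turns the two AuthBys into an AND: the second
	# AuthBy only runs if the first accepted, and the reply is the result
	# of the last AuthBy that ran.
	AuthByPolicy ContinueWhileAccept
	AuthBy GroupAuthentication
	AuthBy SystemAuthentication
</Handler>

# Everything else (other clients, other Service-Types) is rejected.
<Handler>
	AuthBy RejectAuthAcceptAcct
</Handler>

# ---- second file: users.group, placed in DbDir (%D) ----
# Every user must be a member of netadm and is then authenticated by the
# AuthBy whose Identifier is named in Auth-Type.
DEFAULT Auth-Type = SystemAuthentication, Group = netadm
```

To check it, start radiusd with -config_file simple.cfg exactly as in the thread and send a login from the device. In the Trace 4 output the "Handling request with Handler ..." line should now name the NetworkEquipment Handler instead of the empty catch-all Handler '' seen in Robb's second trace, and each of the two AuthBys should log its own result before the Access-Accept or Access-Reject is sent. Note that no message in this thread shows the Group check item succeeding end to end with AuthBy SYSTEM; the one trace on this page that does read a group file is Robb's original AuthBy UNIX with GroupFilename /etc/group, so if the Group check does not behave as expected, swapping SystemAuthentication for that AuthBy UNIX clause (Filename /etc/shadow, GroupFilename /etc/group) is the alternative the page itself supports. The ServerHTTP clause from Robb's test config is deliberately left out here; it plays no part in the authentication path.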
