Re: Reject user without realm

2007-04-09 Thread Arran Cudbard-Bell
Marcos Roberto Greiner wrote:
 Hi,

 I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]).
 Basically, if a user uses [EMAIL PROTECTED], I want Radius to
 authenticate locally. If it's @provider2.com, 3.com, etc, on other
 servers listed in proxy.conf.

 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

 Thank you very much,

 Roberto

Ok, so you just want to Reject users who don't provide a realm?

Then you would need an entry in the users file like this

DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject

---
Arran
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reject user without realm

2007-04-09 Thread Kevin Bonner
On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

A username with no realm will match the NULL realm.  You can reject NULL 
realms with:

== users ==
DEFAULT Realm == NULL, Auth-Type := Reject
== users ==

 hints file. Added only the following entry:
 # The following entry is to be authenticated locally
 DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
 Hint = PPP,
 Service-Type = Framed-User,
 Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the 
same thing, as long as you don't add the nostrip option for the realm.

 rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
 User-Name = [EMAIL PROTECTED]
 User-Password = user
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   hints: Matched DEFAULT at 36
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = user, looking up realm NULL
 rlm_realm: No such realm NULL

This request matches the NULL realm, which should be impossible based on your 
configuration and the description of how the NULL realm works.  The User-Name 
has a realm in this request, so it should match the DEFAULT realm if it is 
defined.  Since the hints file matched at line 36 here, I assume you actually 
configured provider1.com instead of domain1.com in your hints file.

Is this assumption correct?  If not, what is in your hints file at line 36?

Kevin Bonner



Re: Reject user without realm

2007-04-09 Thread Roberto Greiner
Arran Cudbard-Bell wrote:
 Marcos Roberto Greiner wrote:
   
 Hi,

 I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]).
 Basically, if a user uses [EMAIL PROTECTED], I want Radius to
 authenticate locally. If it's @provider2.com, 3.com, etc, on other
 servers listed in proxy.conf.

 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

 Thank you very much,

 Roberto

 Ok, so you just want to Reject users who don't provide a realm?

 Then you would need an entry in the users file like this

 DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject
   
That didn't work. When the user adds the 'local' domain (provider1.com),
the hints file strips the domain for the checking against the database.
After that, the new entry in the users file will reject the user,
because there is no longer any domain in the login.

Roberto

-- 
  -
Marcos Roberto Greiner

   The optimists think we are living in the best of all worlds
The pessimists are afraid that this is true
   Murphy
  -



Re: Reject user without realm

2007-04-09 Thread Roberto Greiner
Kevin Bonner wrote:
 On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?
 

 A username with no realm will match the NULL realm.  You can reject NULL 
 realms with:

 == users ==
 DEFAULT Realm == NULL, Auth-Type := Reject
 == users ==

   
 hints file. Added only the following entry:
 # The following entry is to be authenticated locally
 DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
 Hint = PPP,
 Service-Type = Framed-User,
 Framed-Protocol = PPP
 

 A realm definition for domain1.com and a small users file entry should do the 
 same thing, as long as you don't add the nostrip option for the realm.
   
The problem here was that I couldn't find the proper entry to add to the
users file :-(
   
 rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
 User-Name = [EMAIL PROTECTED]
 User-Password = user
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   hints: Matched DEFAULT at 36
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = user, looking up realm NULL
 rlm_realm: No such realm NULL
 

 This request matches the NULL realm, which should be impossible based on your 
 configuration and the description of how the NULL realm works.  The User-Name 
 has a realm in this request, so it should match the DEFAULT realm if it is 
 defined.  Since the hints file matched at line 36 here, I assume you actually 
 configured provider1.com instead of domain1.com in your hints file.

 Is this assumption correct?  If not, what is in your hints file at line 36?

 Kevin Bonner
   
I mistyped domain1 and provider1. The entry at line 36 is provider1. I
wrote the hints file incorrectly in the explanation. It actually contains
provider1.

I tried to change the 'Strip-User-Name = Yes' to 'Strip-User-Name = NO'
in the hints file, but got the problem that I didn't know what would be
the correct entry in the users file. With the change, with the @provider1
domain, the server is replying properly, but without a domain, the server
didn't reply at all.

I then tried your suggestion of adding the 'DEFAULT Realm == NULL,
Auth-Type := Reject' entry. Same case as above. Without a domain, the
server simply didn't answer, not even with a reject.

BUT, looking at the debug output of Radius -X I found the missing piece. In the 
proxy.conf file, the NULL entry was commented. I removed the comments, pointed 
it to LOCAL, and the entry you suggested for the users file (DEFAULT Realm == 
NULL) kicked in. It's now working as desired.

Thank you for your help,

Marcos Roberto Greiner

-- 
  -
Marcos Roberto Greiner

   The optimists think we are living in the best of all worlds
The pessimists are afraid that this is true
   Murphy
  -

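Putting the thread's three pieces together as one configuration: Kevin's `DEFAULT Realm == NULL, Auth-Type := Reject` users-file entry, the NULL realm in proxy.conf pointing at LOCAL that Roberto found was commented out, and the locally handled provider1.com realm that strips the suffix itself so no hints-file Suffix/Strip-User-Name entry is needed. This is an added example in FreeRADIUS 1.x configuration syntax, not a file from the thread or from the FreeRADIUS distribution; the remote host names, the secrets and the `alice` entry are constructed placeholders.

```conf
# proxy.conf (FreeRADIUS 1.x syntax; added example, hosts and secrets are placeholders)

# A User-Name with no '@' is looked up under the NULL realm. If this block
# is commented out, rlm_realm logs "No such realm NULL", the Realm attribute
# is never set, and the users-file check below never fires. Pointing the
# NULL realm at LOCAL keeps the request on this server so the users file
# can reject it with a proper Access-Reject instead of silence.
realm NULL {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# The "home" realm: authenticated locally. The realm module strips the
# suffix from User-Name by default, so the local database sees the bare
# username. Do not add "nostrip" here, or that stripping stops.
realm provider1.com {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# Any other listed realm is proxied (placeholder host names and secret).
realm provider2.com {
	type		= radius
	authhost	= radius.provider2.example:1812
	accthost	= radius.provider2.example:1813
	secret		= CHANGE-ME-provider2
}

# users (raddb/users): DEFAULT entries are tried in file order and the first
# match ends processing unless it sets Fall-Through, so the reject entry must
# come before any other DEFAULT entry that could match a bare username.
DEFAULT	Realm == NULL, Auth-Type := Reject
	Reply-Message = "A realm (user@domain) is required"

# Local account for provider1.com, keyed by the stripped User-Name
# (constructed placeholder user and password).
alice	User-Password == "REPLACE-ME"
	Service-Type = Framed-User,
	Framed-Protocol = PPP
```

To check it, run the server with `radiusd -X` and send two requests with `radtest`, one as `alice` and one as `alice@provider1.com`: the bare name should now produce an Access-Reject carrying the Reply-Message, and the debug output should show rlm_realm finding the NULL realm rather than the "No such realm NULL" line quoted earlier in the thread, while the realm-qualified name is stripped and authenticated locally.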