Hey Mike,
Worked like a charm by following your suggestion.
Thanks again!! Great product, Great support!! Congratulations!!
Rgds,
On Tue, 8 Jun 1999, Mike McCauley wrote:
> Date: Tue, 8 Jun 1999 11:00:10 -0500
> From: Mike McCauley <[EMAIL PROTECTED]>
> To: Jose Roberto Bulcao <[EMAIL PROTECTED]>, Mike McCauley <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Time check item in Authby UNIX
>
> On Jun 7, 9:03pm, Jose Roberto Bulcao wrote:
> > Subject: Re: (RADIATOR) Time check item in Authby UNIX
> >
> > Hi Mike,
> >
> > It seems the specific clause is working ok, but the auth packet is
> > being caught by the last DEFAULT clause. Here you are (debug level 4):
>
> Yes, it's clear that your clause is correctly rejecting based on the Time, but
> they are being accepted by a more liberal DEFAULT that follows it.
>
> So this is not a problem with the Time check item, but rather with the design
> of the users file.
>
> What do you really want to have happen? If you want users in group admfin to be
> rejected unless they are within the time band, you should add this after your
> existing admfin DEFAULT user:
>
> DEFAULT Auth-Type = System, Group = admfin, Auth-Type=Reject
>
> Hope that helps.
>
> Cheers.
>
> >
> > Tks,
> >
> > Mon Jun 7 20:57:11 1999: DEBUG: Packet dump:
> > *** Received from 200.240.25.3 port 1645 ....
> > Code: Access-Request
> > Identifier: 160
> > Authentic: l&<226><221><184><11>U#<229><181>~B<217><146><7>#
> > Attributes:
> > NAS-IP-Address = 200.240.25.3
> > NAS-Port = 18
> > NAS-Port-Type = Virtual
> > User-Name = "carmem"
> > Calling-Station-Id = "200.240.25.17"
> > User-Password = "<191>D/>|<113>b3<127><19><153><211><220>P<175><135>"
> >
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Mon Jun 7 20:57:11 1999: DEBUG: Rewrote user name to carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthFILE
> > Mon Jun 7 20:57:11 1999: DEBUG: Reading users file /etc/radiator/users
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group poponly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group fwdonly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group fwdonly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group ftponly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group ftponly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT3
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group hponly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group hponly
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Time: not within an allowable Time range
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
> > Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX ACCEPT:
> > Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon Jun 7 20:57:11 1999: DEBUG: Access accepted for carmem
> > Mon Jun 7 20:57:12 1999: DEBUG: Packet dump:
> > *** Sending to 200.240.25.3 port 1645 ....
> > Code: Access-Accept
> > Identifier: 160
> > Authentic: l&<226><221><184><11>U#<229><181>~B<217><146><7>#
> > Attributes:
> > Framed-IP-Address = 255.255.255.254
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Framed-Routing = None
> > Framed-MTU = 1500
> > Framed-Compression = Van-Jacobson-TCP-IP
> >
> >
> >
> > On Tue, 8 Jun 1999, Mike McCauley wrote:
> >
> > > Date: Tue, 8 Jun 1999 08:53:24 -0500
> > > From: Mike McCauley <[EMAIL PROTECTED]>
> > > To: Jose Roberto Bulcao <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > > Subject: Re: (RADIATOR) Time check item in Authby UNIX
> > >
> > > Hello Jose,
> > >
> > > I have just tested your configuration and Time check item. Your configuration
> > > and users file look fine, and it worked OK for me, allowing access only
> > > between the times given.
> > >
> > > Can you send your log file, showing what happens when it should be applying the
> > > Time restriction?
> > >
> > > Cheers.
> > >
> > > On Jun 7, 9:42am, Jose Roberto Bulcao wrote:
> > > > Subject: (RADIATOR) Time check item in Authby UNIX
> > > >
> > > >
> > > > Does anybody know if there is a way to configure time based restriction
> > > > ("Time" check item) for users authenticated via Authby UNIX or SYSTEM?
> > > > Using Radiator v.2.13.1 with latest patches, OS platform is IBM AIX
> > > > v.4.1.5.
> > > > The user in question has its group set to "admfin". By looking at the log
> > > > (debug level of 5) Radiator seems to ignore "Time" check item,
> > > > authenticating and authorizing the user any time of day.
> > > >
> > > > TIA,
> > > >
> > > > Here is our radius.cfg file (no secrets and renamed some files, paths):
> > > >
> > > > # radius.cfg
> > > > #
> > > > # Configuration file for radius server
> > > > #
> > > > # Author: Mike McCauley ([EMAIL PROTECTED])
> > > > # Copyright (C) 1997 Open System Consultants
> > > > # $Id: radius2.cfg,v 1.4 1998/03/06 04:43:37 mikem Exp $
> > > > #
> > > > #Foreground
> > > > #LogStdout
> > > > #Trace 9
> > > > AuthPort 1645
> > > > AcctPort 1646
> > > > LogDir <**OMITTED**>
> > > > DbDir <**OMITTED**>
> > > > LogFile %L/<**OMITTED**>
> > > > DictionaryFile %D/dictionary
> > > >
> > > > <SessionDatabase DBM>
> > > > Filename %L/<**OMITTED**>
> > > > </SessionDatabase>
> > > >
> > > > <Client **OMITTED_NAS_NAME**>
> > > > Secret **OMITTED**
> > > > DefaultRealm **MYREALM**
> > > > </Client>
> > > >
> > > > <Realm DEFAULT>
> > > > RewriteUsername s/^([^@]+).*/$1/
> > > > AuthByPolicy ContinueWhileAccept
> > > > <AuthBy FILE>
> > > > Filename %D/MYUSERSFILE
> > > > </AuthBy>
> > > > MaxSessions 1
> > > > AcctLogFileName %L/%Y%m/detail-%d
> > > > </Realm>
> > > >
> > > > <Realm SoparatratarUNIXPW>
> > > > <AuthBy UNIX>
> > > > Identifier System
> > > > Filename %D/MYPASSWDFILE
> > > > GroupFilename %D/MYGROUPFILE
> > > > </AuthBy>
> > > > </Realm>
> > > >
> > > > #**** EOF radius.cfg ****
> > > >
> > > >
> > > > And here the relevant part of MYUSERSFILE:
> > > >
> > > > #**** BOF MYUSERSFILE ****
> > > >
> > > > DEFAULT Auth-Type = System, Group = poponly, Auth-Type = "Reject:Essa conta eh somente para E-mail"
> > > >
> > > > DEFAULT Auth-Type = System, Group = fwdonly, Auth-Type = Reject
> > > > Reply-Message = Esse eh POP
> > > >
> > > > DEFAULT Auth-Type = System, Group = ftponly, Auth-Type = Reject
> > > > Reply-Message = Esse eh POP
> > > >
> > > > DEFAULT Auth-Type = System, Group = hponly, Auth-Type = Reject
> > > > Reply-Message = "Acesso Proibido"
> > > >
> > > > #
> > > > # Here is the clause in question
> > > > #
> > > > DEFAULT Auth-Type = System, Group = admfin, Time = "Al1200-1800"
> > > > Service-Type = Login-User,
> > > > Reply-Message = "Conectado!"
> > > >
> > > > DEFAULT Auth-Type = System, Service-Type = Framed-User
> > > > Service-Type = Framed-User,
> > > > Framed-Protocol = PPP,
> > > > Framed-IP-Address = 255.255.255.254,
> > > > Framed-Routing = None,
> > > > Framed-MTU = 1500,
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > >
> > > > DEFAULT Auth-Type = System
> > > > Service-Type = Framed-User,
> > > > Framed-Protocol = PPP,
> > > > Framed-IP-Address = 255.255.255.254,
> > > > Framed-Routing = None,
> > > > Framed-MTU = 1500,
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > >
> > > >
> > > > #**** EOF MYUSERSFILE ****
> > > >
> > > > --------------------------------------
> > > > Jose Roberto Bulcao - RioLink Internet
> > > > Tel : (021) 577-8899
> > > > e-mail : [EMAIL PROTECTED]
> > > >
> > > >
> > > > ===
> > > > Archive at http://www.thesite.com.au/~radiator/
> > > > To unsubscribe, email '[EMAIL PROTECTED]' with
> > > > 'unsubscribe radiator' in the body of the message.
> > > >-- End of excerpt from Jose Roberto Bulcao
> > >
> > >
> > >
> > > --
> > > Mike McCauley [EMAIL PROTECTED]
> > > Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> > > 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> > > Phone +61 3 9598-0985 Fax +61 3 9598-0955
> > >
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > > Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> > > NT, Rhapsody
> > >
> >
> > --------------------------------------
> > Jose Roberto Bulcao - RioLink Internet
> > Tel : (021) 577-8899
> > e-mail : [EMAIL PROTECTED]
> >
> >
> >-- End of excerpt from Jose Roberto Bulcao
>
>
>
> --
> Mike McCauley [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody
>
--------------------------------------
Jose Roberto Bulcao - RioLink Internet
Tel : (021) 577-8899
e-mail : [EMAIL PROTECTED]
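
The fall-through diagnosed in this thread, as an added example (not part of the original messages and not Radiator's code): a simplified Python model of the users-file cascade, assuming a check-item mismatch moves on to the next DEFAULT entry and a fully matching entry ends the search. The function names, the constructed request and the handling of only the `Al` time form are assumptions of this sketch.

```python
import re

# Simplified model of the DEFAULT cascade visible in the debug log.
# Assumption: a mismatch falls through; a full match ends the search.

def in_time_band(spec, hhmm):
    """Only the 'Al' (every day) HHMM-HHMM form from the thread is handled."""
    m = re.fullmatch(r"Al(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError(f"unsupported Time spec: {spec}")
    return m.group(1) <= hhmm <= m.group(2)

def mismatch(checks, req):
    """Return the reason an entry does not match, or None if it matches."""
    if "Group" in checks and checks["Group"] not in req["groups"]:
        return f"not in Group {checks['Group']}"
    if "Time" in checks and not in_time_band(checks["Time"], req["time"]):
        return "not within an allowable Time range"
    if "Service-Type" in checks and checks["Service-Type"] != req.get("Service-Type", ""):
        return "Service-Type does not match"
    return None

def evaluate(entries, req):
    """Walk DEFAULT, DEFAULT1, ... and return (decision, entry name, trace)."""
    trace = []
    for i, (checks, reject) in enumerate(entries):
        name = "DEFAULT" + (str(i) if i else "")
        reason = mismatch(checks, req)
        if reason:
            trace.append(f"{name}: skip ({reason})")
            continue
        decision = "REJECT" if reject else "ACCEPT"
        trace.append(f"{name}: {decision}")
        return decision, name, trace
    return "REJECT", None, trace

# (check items, has Auth-Type = Reject), mirroring MYUSERSFILE.
ORIGINAL = [({"Group": g}, True) for g in ("poponly", "fwdonly", "ftponly", "hponly")]
ORIGINAL += [({"Group": "admfin", "Time": "Al1200-1800"}, False),
             ({"Service-Type": "Framed-User"}, False), ({}, False)]
# Fixed file: explicit Reject for admfin right after the time-banded entry.
FIXED = ORIGINAL[:5] + [({"Group": "admfin"}, True)] + ORIGINAL[5:]

# Constructed request matching the log: carmem (admfin) at 20:57, no Service-Type.
REQ = {"user": "carmem", "groups": {"admfin"}, "time": "2057"}

if __name__ == "__main__":
    for label, entries in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, *evaluate(entries, REQ)[2], sep="\n  ")
```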