Hello William -
On Wed, 24 May 2000, William Hernandez wrote:
> OK, in the users file "company.com" is really meant to be just
> that. I corrected "Password = System" to "Auth-type = UNIX".
>
> What I want to happen is the following:
> if the user is in the users file
> then if the entry has a password
> then use it for authentication
> else use UNIX (/etc/passwd)
> else use UNIX (/etc/passwd)
>
> I'm running under Linux, which saves passwords in /etc/shadow so
> I tried setting "Filename /etc/shadow", but the password log file
> seems to indicate that it's still using /etc/passwd because I see
> an "x" as the correct password.
>
The file that you sent (below) has "Filename /etc/passwd".
> Thanks in advance.
> William Hernandez
>
> ----- Original Message -----
> From: Hugh Irvine <[EMAIL PROTECTED]>
> To: William Hernandez <[EMAIL PROTECTED]>; Radiator
> <[EMAIL PROTECTED]>
> Sent: Tuesday, May 23, 2000 4:12 AM
> Subject: Re: (RADIATOR) Compatibility with Livingston
>
>
>
> Hello William -
>
> On Tue, 23 May 2000, William Hernandez wrote:
> > This is my radius.cfg file:
> >
> > # livingCompat.cfg
> > #
> > # This is a simple Radiator config file that allows you
> > # to continue using a bog standard Livingston or
> > # similar users file with Radiator, It implements the
> > # Auth-Type="System" check item by using AuthBy UNIX
> > #
> > # You will probably want to change the definitions of
> > # DbDir, LogDir and the Filename parameters
> > #
> > # Author: Mike McCauley ([EMAIL PROTECTED])
> > # Copyright (C) 1997 Open System Consultants
> > # $Id: livingCompat.cfg,v 1.3 1999/07/12 02:01:35 mikem Exp $
> > LogFile /var/log/radius.log
> > DictionaryFile %D/dictionary.ascend2
> > FingerProg /usr/bin/finger
> > SnmpgetProg /usr/bin/snmpget
> > RewriteUsername tr/[A-Z]/[a-z]/
> > LogStdout
> > Trace 4
> > PidFile /tmp/radiusd.pid
> > AuthPort 1812
> > AcctPort 1813
> > LogDir /var/log/radacct
> > DbDir /etc/raddb
> > LogFile /var/log/radius.log
> > DictionaryFile %D/dictionary.ascend2
> >
> > # This clause defines a single client to listen to
> > # You will probably want to change localhost and mysecret
> > # to suit your site.
> > <Client localhost>
> > Secret mysecret
> > </Client>
> >
> > <Client DEFAULT>
> > Secret mysecret
> > DupInterval 0
> > FramedGroupBaseAddress 10.0.0.1
> > FramedGroupBaseAddress 10.0.1.1
> > FramedGroupBaseAddress 10.0.2.1
> > FramedGroupMaxPortsPerClassC 20
> > </Client>
> >
> > # This clause means we will handle any realm that arrives
> > <Realm DEFAULT>
> > <AuthBy FILE>
> > Filename /etc/raddb/users
> > </AuthBy>
> > <AuthBy UNIX>
> > Identifier System
> > Filename /etc/passwd
> > </AuthBy>
> > # Log accounting to the detail file in LogDir
> > AcctLogFileName /var/log/detail.log
> > PasswordLogFileName /var/log/radius.log
> > ExcludeFromPasswordLog root
> > </Realm>
> >
> > # This clause defines an authorization method that will be used
> > # by any users in the database with Auth-Type="System". It will
> > # match the "Identifier System"
> > <AuthBy UNIX>
> > Identifier System
> > Filename /etc/passwd
> > </AuthBy>
> >
> > This is a typical entry in my users file:
> >
> > company.com Password = "System"
> >         User-Service = Framed-User,
> >         Framed-Protocol = PPP,
> >         Framed-Address = 111.111.11.111,
> >         Framed-Netmask = 255.255.255.255,
> >         Framed-Compression = Van-Jacobsen-TCP-IP,
> >         Ascend-Idle-Limit = 0
> >
> > I'm expecting authorization with the UNIX passwd file, if the
> > user is not in the users file.
> >
I would suggest something like this:

# This clause defines an AuthBy FILE with Identifier Check-FILE
<AuthBy FILE>
        Identifier Check-FILE
        Filename /etc/raddb/users
</AuthBy>

# This clause defines an authorization method that will be used
# by any users in the database with Auth-Type="System". It will
# match the "Identifier System"
<AuthBy UNIX>
        Identifier System
        Filename /etc/shadow
</AuthBy>

# This clause means we will handle any realm that arrives
<Realm DEFAULT>
        AuthByPolicy ContinueUntilAccept
        AuthBy Check-FILE
        AuthBy System
        # Log accounting to the detail file in LogDir
        AcctLogFileName /var/log/detail.log
        PasswordLogFileName /var/log/radius.log
        ExcludeFromPasswordLog root
</Realm>
As you mentioned, your users file would look something like this:

NB - the attributes listed below are *not* in the Radiator standard dictionary!

company.com Auth-Type = "System"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 111.111.11.111,
        Framed-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Ascend-Idle-Limit = 0

The Radiator dictionary defines these (note especially the spelling of
"Van-Jacobson-TCP-IP").

company.com Auth-Type = "System"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 111.111.11.111,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Ascend-Idle-Limit = 0

hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
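
The /etc/passwd versus /etc/shadow point from this thread, as an added example that is not part of the original messages and is not Radiator code: it reads the Filename of each AuthBy UNIX clause and reports entries in that file that carry no usable hash, which is what the "x" in the password log indicates. The file contents, the reduced config fragment and all function names are constructed for illustration.

```python
import re

# Constructed sample data (not taken from a real host).
FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "william:x:500:500::/home/william:/bin/bash\n",
    "/etc/shadow": "root:$1$CONSTRUCTED$notarealhash0000000000:11100:0:99999:7:::\n"
                   "william:$1$CONSTRUCTED$notarealhash1111111111:11100:0:99999:7:::\n",
}

# Config fragments reduced to the AuthBy UNIX clause shown in this thread.
ORIGINAL_CFG = """
<AuthBy UNIX>
    Identifier System
    Filename /etc/passwd
</AuthBy>
"""
SUGGESTED_CFG = ORIGINAL_CFG.replace("/etc/passwd", "/etc/shadow")

def unix_filenames(cfg):
    """Return the Filename of every <AuthBy UNIX> clause in a config text."""
    names = []
    for body in re.findall(r"<AuthBy\s+UNIX>(.*?)</AuthBy>", cfg, re.S):
        m = re.search(r"^\s*Filename\s+(\S+)", body, re.M)
        if m:
            names.append(m.group(1))
    return names

def classify(field):
    """Classify the second colon-separated field of a passwd/shadow line."""
    if field == "x":
        return "shadowed"      # real hash lives in the shadow file
    if field == "" or field[0] in "*!":
        return "unusable"      # empty or locked entry
    return "hash"

def audit(cfg, files):
    """For each AuthBy UNIX Filename, list users whose entry has no usable hash."""
    report = {}
    for name in unix_filenames(cfg):
        bad = []
        for line in files.get(name, "").splitlines():
            parts = line.split(":")
            if len(parts) > 1 and classify(parts[1]) != "hash":
                bad.append((parts[0], classify(parts[1])))
        report[name] = bad
    return report
```

/etc/shadow is normally readable only by root, so the account running the RADIUS server needs read access to it.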