I get the following trace 4 with ContinueWhileAccept

Mike

Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username, 192.168.x.x, 9
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
Code: Access-Accept

On Tue, 25 Nov 2003, Hugh Irvine wrote:

>
> Hello Mike -
>
> Thanks for your mail - how curious!
>
> I wonder if you could try to change the configuration to:
>
>     AuthByPolicy ContinueWhileAccept
>
> and see what happens.
>
> I'll also forward your mail to Mike.
>
> regards
>
> Hugh
>
>
> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
>
> >
> > Hi Hugh,
> >
> > It would seem the continue until reject is not functioning correctly in
> > this case. The debug shows the reject but continues on.
> >
> > I tried the following:
> >
> > RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> > <AuthBy GROUP>
> >     AuthByPolicy ContinueUntilReject
> >     <AuthBy FILE>
> >         Filename %D/reject_modem.users
> >         AcceptIfMissing
> >     </AuthBy>
> >
> >     <AuthBy FILE>
> >         Filename %D/backbone_users
> >     </AuthBy>
> >     <AuthBy PAM>
> >         Fork
> >         Service radiusd
> >     </AuthBy>
> > </AuthBy>
> > AuthLog Modem_Login_Failures
> > # Log accounting to a detail file
> > AcctLogFileName %L/modem_pool_backbone_users.log
> >
> >
> > with the reject_modem.users containing
> > username Auth-Type=Reject
> >
> > The user can still get on. The debug is below:
> > Radiator 3.1
> > Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> > Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username, 192.168.x.x, 53
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> > Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> > Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >
> >
> > On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> Yes this is quite simple to achieve.
> >>
> >> <Handler Realm=MODEMS>
> >>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>     <AuthBy GROUP>
> >>         AuthByPolicy ContinueUntilReject
> >>
> >>         <AuthBy FILE>
> >>             Filename %D/reject.users
> >>             AcceptIfMissing
> >>         </AuthBy>
> >>
> >>         <AuthBy PAM>
> >>             Fork
> >>             Service radiusd
> >>         </AuthBy>
> >>
> >>     </AuthBy>
> >>     AuthLog Modem_Login_Failures
> >>     AcctLogFileName %L/Modems.log
> >> </Handler>
> >>
> >>
> >> The file "%D/reject.users" would contain something like this:
> >>
> >> # reject.users
> >>
> >> username1 Auth-Type = Reject
> >>
> >> username2 Auth-Type = Reject
> >>
> >> .......
> >>
> >>
> >> If you have any other questions, please contact me.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike wrote:
> >>
> >>>
> >>> I have a request to block certain users access to our modem pool.
> >>>
> >>> Users are first authenticated by kerb via PAM. What I would like to do is
> >>> have radius then check to see if they are listed in a file and reject them
> >>> only if they are listed. If they are not in the file they can logon.
> >>>
> >>> I saw the username authtype example in the manual, is there a way to do
> >>> this in a file for a larger number?
> >>>
> >>> Could you do the AuthByPolicy ContinueWhileReject and put this before my
> >>> authbypam below?
> >>>
> >>> My handler is below.
> >>>
> >>> Mike Forbes
> >>>
> >>>
> >>> <Handler Realm=MODEMS>
> >>>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>     <AuthBy GROUP>
> >>>         AuthByPolicy ContinueUntilReject
> >>>         <AuthBy PAM>
> >>>             Fork
> >>>             Service radiusd
> >>>         </AuthBy>
> >>>     </AuthBy>
> >>>     AuthLog Modem_Login_Failures
> >>>     AcctLogFileName %L/Modems.log
> >>> </Handler>
> >>>
> >>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on [EMAIL PROTECTED]
> >>> To unsubscribe, email '[EMAIL PROTECTED]' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >>
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
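
Added example, not part of the original thread and not Radiator code: a Python check over trace 4 output in the format quoted above that flags any request where an AuthBy clause logged REJECT or REJECT_IMMEDIATE but the request still ended in "Access accepted". The sample log is constructed, the "Access rejected for" line shape is an assumption, and the function name is hypothetical; it also assumes one request's lines are not interleaved with another's.

```python
import re

# Line shape taken from the trace 4 output quoted in the thread:
#   "Tue Nov 25 11:36:11 2003: DEBUG: <message>"
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): \w+: (.*)$")
# Per-clause result, e.g. "Radius::AuthFILE REJECT_IMMEDIATE: <reason>"
CLAUSE = re.compile(r"^Radius::(\w+) (REJECT_IMMEDIATE|REJECT|ACCEPT):\s*(.*)$")
# Final verdict. "Access accepted for" appears in the thread; the "rejected"
# form is assumed by analogy and is only used to reset state.
FINAL = re.compile(r"^Access (accepted|rejected) for ([^:\s]+)")

# Constructed sample (user names and times invented for this example).
SAMPLE_LOG = """\
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for alice
Tue Nov 25 11:36:40 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:40 2003: INFO: Access rejected for bob: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:37:02 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:37:02 2003: DEBUG: Access accepted for carol
"""

def find_overridden_rejects(lines):
    """Return accepts that followed a clause-level reject in the same request."""
    findings, pending = [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line (e.g. packet dump body)
        ts, msg = m.groups()
        clause = CLAUSE.match(msg)
        if clause:
            module, result, reason = clause.groups()
            if result.startswith("REJECT"):
                pending.append((module, result, reason))
            continue
        final = FINAL.match(msg)
        if final:
            verdict, user = final.groups()
            if verdict == "accepted" and pending:
                findings.append({"time": ts, "user": user, "rejects": pending})
            pending = []  # the next request starts with no recorded rejects
    return findings

if __name__ == "__main__":
    for f in find_overridden_rejects(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['user']} accepted despite {f['rejects']}")
```

Run against a saved trace 4 log, any finding means a block-list clause rejected the user and a later clause in the same group still let them in.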
