Hugh,

The upgrade fixed the problem.

Mike

On Thu, 27 Nov 2003, Hugh Irvine wrote:

>
> Hello Mike -
>
> I am using the current Radiator 3.7.1 for testing.
>
> Suggest you upgrade and see what happens.
>
> regards
>
> Hugh
>
>
> On 27/11/2003, at 4:11 AM, Forbes Mike wrote:
>
> >
> > What version did you test under? I am using it under 3.1. I also use a
> > handler not a realm. I am wondering if this is a version issue with
> > radiator. My continue until rejects works without the first authby file.
> > The first authby file is the file with the auth-type reject in it.
> >
> > Mike
> >
> > My config is this:
> >
> > Note: I have commented and uncommented AuthBy GROUP out, I have stopped
> > and restarted radius with the init script. The trace 4 is below.
> >
> > <Handler Realm=MODEMS,NAS-Port-Type=Virtual>
> >     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >     <AuthBy GROUP>
> >         AuthByPolicy ContinueUntilReject
> >         <AuthBy FILE>
> >             Filename %D/reject_modem.users
> >             AcceptIfMissing
> >         </AuthBy>
> >         <AuthBy FILE>
> >             Filename %D/backbone_users
> >         </AuthBy>
> >         <AuthBy PAM>
> >             Fork
> >             Service radiusd
> >         </AuthBy>
> >     </AuthBy>
> >     AuthLog Backbone_Login_Failures
> >     # Log accounting to a detail file
> >     AcctLogFileName %L/modems_backbone_users.log
> > </Handler>
> >
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
> > Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
> > Wed Nov 26 09:57:44 2003: DEBUG: Deleting session for username, 192.168.x.x, 98
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
> > Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
> > Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
> > Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:
> >
> >
> > Now to simplify this even more I took out all the authby's except the file
> > with the reject in it. I was still able to log on, the debug is below
> >
> >
> > Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
> > Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
> > Wed Nov 26 10:05:57 2003: DEBUG: Deleting session for username, 192.168.x.xB, 98
> > Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
> > Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> > Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username
> >
> > On Wed, 26 Nov 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> I have done some testing here (as has Mike) and neither of us has this
> >> problem.
> >>
> >> Here is my configuration file (which also works with
> >> ContinueUntilReject):
> >>
> >> <Realm DEFAULT>
> >>     AuthByPolicy ContinueWhileAccept
> >>     <AuthBy FILE>
> >>         Filename ./users.reject
> >>         AcceptIfMissing
> >>     </AuthBy>
> >>     <AuthBy FILE>
> >>         Filename ./users
> >>     </AuthBy>
> >>     <AuthBy FILE>
> >>         Filename ./users
> >>     </AuthBy>
> >>     # Log accounting to a detail file
> >>     AcctLogFileName ./detail-%G
> >> </Realm>
> >>
> >>
> >> Here is the "users.reject" file:
> >>
> >> username Auth-Type = Reject
> >>
> >>
> >> And here is the trace 4:
> >>
> >> perl radpwtst -user username -noacct
> >> sending Access-Request...
> >> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> >> *** Received from 127.0.0.1 port 49663 ....
> >> Code:       Access-Request
> >> Identifier: 196
> >> Authentic:  1234567890123456
> >> Attributes:
> >>     User-Name = "username"
> >>     Service-Type = Framed-User
> >>     NAS-IP-Address = 203.63.154.1
> >>     NAS-Port = 1234
> >>     Called-Station-Id = "123456789"
> >>     Calling-Station-Id = "987654321"
> >>     NAS-Port-Type = Async
> >>     User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
> >>
> >> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
> >> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> >> Wed Nov 26 18:17:01 2003: DEBUG: Deleting session for username, 203.63.154.1, 1234
> >> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
> >> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with username
> >> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> >> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
> >> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> >> *** Sending to 127.0.0.1 port 49663 ....
> >> Code:       Access-Reject
> >> Identifier: 196
> >> Authentic:  1234567890123456
> >> Attributes:
> >>     Reply-Message = "Request Denied"
> >>
> >>
> >> I can only suggest you try setting up a simple test configuration to
> >> try it first.
> >>
> >> Perhaps you are not editing the correct file(s) and/or you have not
> >> restarted "radiusd"?
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
> >>
> >>>
> >>> I get the following trace 4 with ContinueWhileAccept
> >>>
> >>> Mike
> >>>
> >>>
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username, 192.168.x.x, 9
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
> >>> Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
> >>> Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
> >>>
> >>> Code:       Access-Accept
> >>>
> >>>
> >>> On Tue, 25 Nov 2003, Hugh Irvine wrote:
> >>>
> >>>>
> >>>> Hello Mike -
> >>>>
> >>>> Thanks for your mail - how curious!
> >>>>
> >>>> I wonder if you could try to change the configuration to:
> >>>>
> >>>>     AuthByPolicy ContinueWhileAccept
> >>>>
> >>>> and see what happens.
> >>>>
> >>>> I'll also forward your mail to Mike.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>>
> >>>> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
> >>>>
> >>>>>
> >>>>> Hi Hugh,
> >>>>>
> >>>>> It would seem the continue until reject is not functioning correctly in
> >>>>> this case. The debug shows the reject but continues on.
> >>>>>
> >>>>> I tried the following:
> >>>>>
> >>>>> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>>> <AuthBy GROUP>
> >>>>>     AuthByPolicy ContinueUntilReject
> >>>>>     <AuthBy FILE>
> >>>>>         Filename %D/reject_modem.users
> >>>>>         AcceptIfMissing
> >>>>>     </AuthBy>
> >>>>>
> >>>>>     <AuthBy FILE>
> >>>>>         Filename %D/backbone_users
> >>>>>     </AuthBy>
> >>>>>     <AuthBy PAM>
> >>>>>         Fork
> >>>>>         Service radiusd
> >>>>>     </AuthBy>
> >>>>> </AuthBy>
> >>>>> AuthLog Modem_Login_Failures
> >>>>> # Log accounting to a detail file
> >>>>> AcctLogFileName %L/modem_pool_backbone_users.log
> >>>>>
> >>>>>
> >>>>> with the reject_modem.users containing
> >>>>>
> >>>>> username Auth-Type=Reject
> >>>>>
> >>>>> The user can still get on. The debug is below:
> >>>>>
> >>>>> Radiator 3.1
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username, 192.168.x.x, 53
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> >>>>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >>>>>
> >>>>>
> >>>>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >>>>>
> >>>>>>
> >>>>>> Hello Mike -
> >>>>>>
> >>>>>> Yes this is quite simple to achieve.
> >>>>>>
> >>>>>> <Handler Realm=MODEMS>
> >>>>>>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>>>>     <AuthBy GROUP>
> >>>>>>         AuthByPolicy ContinueUntilReject
> >>>>>>
> >>>>>>         <AuthBy FILE>
> >>>>>>             Filename %D/reject.users
> >>>>>>             AcceptIfMissing
> >>>>>>         </AuthBy>
> >>>>>>
> >>>>>>         <AuthBy PAM>
> >>>>>>             Fork
> >>>>>>             Service radiusd
> >>>>>>         </AuthBy>
> >>>>>>
> >>>>>>     </AuthBy>
> >>>>>>     AuthLog Modem_Login_Failures
> >>>>>>     AcctLogFileName %L/Modems.log
> >>>>>> </Handler>
> >>>>>>
> >>>>>>
> >>>>>> The file "%D/reject.users" would contain something like this:
> >>>>>>
> >>>>>> # reject.users
> >>>>>>
> >>>>>> username1 Auth-Type = Reject
> >>>>>>
> >>>>>> username2 Auth-Type = Reject
> >>>>>>
> >>>>>> .......
> >>>>>>
> >>>>>>
> >>>>>> If you have any other questions, please contact me.
> >>>>>>
> >>>>>> regards
> >>>>>>
> >>>>>> Hugh
> >>>>>>
> >>>>>>
> >>>>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike wrote:
> >>>>>>
> >>>>>>>
> >>>>>>> I have a request to block certain users' access to our modem pool.
> >>>>>>>
> >>>>>>> Users are first authenticated by kerb via PAM. What I would like to do is
> >>>>>>> have radius then check to see if they are listed in a file and reject them
> >>>>>>> only if they are listed. If they are not in the file they can logon.
> >>>>>>>
> >>>>>>> I saw the username authtype example in the manual, is there a way to do
> >>>>>>> this in a file for a larger number?
> >>>>>>>
> >>>>>>> Could you do the AuthByPolicy ContinueWhileReject and put this before my
> >>>>>>> authbypam below?
> >>>>>>>
> >>>>>>> My handler is below.
> >>>>>>>
> >>>>>>> Mike Forbes
> >>>>>>>
> >>>>>>>
> >>>>>>> <Handler Realm=MODEMS>
> >>>>>>>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>>>>>     <AuthBy GROUP>
> >>>>>>>         AuthByPolicy ContinueUntilReject
> >>>>>>>         <AuthBy PAM>
> >>>>>>>             Fork
> >>>>>>>             Service radiusd
> >>>>>>>         </AuthBy>
> >>>>>>>     </AuthBy>
> >>>>>>>     AuthLog Modem_Login_Failures
> >>>>>>>     AcctLogFileName %L/Modems.log
> >>>>>>> </Handler>
> >>>>>>>
> >>>>>>>
> >>>>>>> ===
> >>>>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>>>> Announcements on [EMAIL PROTECTED]
> >>>>>>> To unsubscribe, email '[EMAIL PROTECTED]' with
> >>>>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> NB: have you included a copy of your configuration file (no secrets),
> >>>>>> together with a trace 4 debug showing what is happening?
> >>>>>>
> >>>>>> --
> >>>>>> Radiator: the most portable, flexible and configurable RADIUS server
> >>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>>>> -
> >>>>>> Nets: internetwork inventory and management - graphical, extensible,
> >>>>>> flexible with hardware, software, platform and database independence.
> >>>>>>
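The thread turns on how an AuthBy GROUP decides whether to consult the next AuthBy clause after each result, and on why a reject list needs AcceptIfMissing plus ContinueUntilReject rather than the ContinueWhileReject that was first asked about. The following is an added model of that decision logic for illustration; it is not Radiator's code and not part of any post above. The result names and the two-clause chain (reject file, then an authenticator) follow the trace 4 output and the configurations quoted in the thread; the policy semantics are modelled from the policy names, and the PAM service is replaced by a constructed in-memory password table.

```python
"""Model of how an AuthBy GROUP chain evaluates its AuthByPolicy.

Added illustration for the mailing-list thread; this is not Radiator's
implementation. Result names mirror the trace 4 lines in the thread; the
policy rules are modelled from the policy names. The PAM backend is a
constructed password table, not a real PAM call.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    # What the trace shows for a "username Auth-Type = Reject" line: the
    # rejection is final regardless of the surrounding AuthByPolicy.
    REJECT_IMMEDIATE = "REJECT_IMMEDIATE"


def auth_file(entries, accept_if_missing=False):
    """Build an AuthBy FILE-like checker.

    `entries` maps username -> password, or the string "Reject" for an
    Auth-Type = Reject line. With AcceptIfMissing an unlisted user is
    ACCEPTed (so a pure reject list does not block everyone else); without
    it an unlisted user is REJECTed, as for an ordinary users file.
    """
    def check(username, password):
        entry = entries.get(username)
        if entry is None:
            return Result.ACCEPT if accept_if_missing else Result.REJECT
        if entry == "Reject":
            return Result.REJECT_IMMEDIATE
        return Result.ACCEPT if entry == password else Result.REJECT
    return check


def continue_after(policy, result):
    """Does the group move on to the next AuthBy after `result`?"""
    if result is Result.REJECT_IMMEDIATE:
        return False  # an immediate reject always ends the chain
    if policy == "ContinueUntilReject":
        return result is not Result.REJECT
    if policy == "ContinueWhileAccept":
        return result is Result.ACCEPT
    if policy == "ContinueWhileReject":
        return result is Result.REJECT
    raise ValueError(f"unknown policy {policy!r}")


def auth_group(policy, checkers, username, password):
    """Run the chain and return every result produced, in order.

    The group's verdict is the last result; the length of the list shows
    how many AuthBy clauses were actually consulted before the chain stopped.
    """
    results = []
    for check in checkers:
        results.append(check(username, password))
        if not continue_after(policy, results[-1]):
            break
    return results


# Constructed sample data standing in for %D/reject.users and the PAM service.
REJECT_USERS = {"blocked": "Reject"}
PAM_PASSWORDS = {"alice": "s3cret", "blocked": "s3cret"}

CHAIN = [
    auth_file(REJECT_USERS, accept_if_missing=True),  # the reject list
    auth_file(PAM_PASSWORDS),                         # stands in for AuthBy PAM
]


def verdict(policy, username, password):
    """Group verdict as the string Radiator's trace would print."""
    results = auth_group(policy, CHAIN, username, password)
    return results[-1].value if results else Result.REJECT.value


if __name__ == "__main__":
    cases = (("alice", "s3cret"), ("alice", "wrong"), ("blocked", "s3cret"))
    for policy in ("ContinueUntilReject", "ContinueWhileAccept", "ContinueWhileReject"):
        for user, pw in cases:
            consulted = len(auth_group(policy, CHAIN, user, pw))
            print(f"{policy:20} {user:8} {pw:7} -> {verdict(policy, user, pw):17} "
                  f"({consulted} AuthBy consulted)")
```

Two things fall out of the model. Under ContinueUntilReject a listed user stops at REJECT_IMMEDIATE in the first clause and an unlisted user falls through to the password check, which is the behaviour Hugh's 3.7.1 trace shows. Under ContinueWhileReject, the policy Mike first asked about, the ACCEPT that AcceptIfMissing produces for an unlisted user ends the chain, so the password backend is never consulted and a wrong password is accepted; that is the misconfiguration a reviewer should look for when a reject list is placed ahead of the real authenticator.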
