On Jun 7,  9:03pm, Jose Roberto Bulcao wrote:
> Subject: Re: (RADIATOR) Time check item in Authby UNIX
>
> Hi Mike,
>
> It seems the specific clause is working ok, but the auth packet is
> being caught by the last DEFAULT clause. Here you are (debug level 4):

Yes, it's clear that your clause is correctly rejecting based on the Time, but
they are being accepted by a more liberal DEFAULT that follows it.

So this is not a problem with the Time check item, but rather with the design
of the users file.

What do you really want to have happen? If you want users in group admfin to be
rejected unless they are within the time band, you should add this after your
existing admfin DEFAULT user:

DEFAULT Auth-Type = System, Group = admfin, Auth-Type=Reject

Hope that helps.

Cheers.

>
> Tks,
>
> Mon Jun  7 20:57:11 1999: DEBUG: Packet dump:
> *** Received from 200.240.25.3 port 1645 ....
> Code:       Access-Request
> Identifier: 160
> Authentic:  l&<226><221><184><11>U#<229><181>~B<217><146><7>#
> Attributes:
>       NAS-IP-Address = 200.240.25.3
>       NAS-Port = 18
>       NAS-Port-Type = Virtual
>       User-Name = "carmem"
>       Calling-Station-Id = "200.240.25.17"
>       User-Password = "<191>D/>|<113>b3<127><19><153><211><220>P<175><135>"
>
> Mon Jun  7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Jun  7 20:57:11 1999: DEBUG: Rewrote user name to carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthFILE
> Mon Jun  7 20:57:11 1999: DEBUG: Reading users file /etc/radiator/users
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group poponly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group fwdonly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group fwdonly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group ftponly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group ftponly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT3
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group hponly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group hponly
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Time: not within an allowable Time range
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
> Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX ACCEPT:
> Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Jun  7 20:57:11 1999: DEBUG: Access accepted for carmem
> Mon Jun  7 20:57:12 1999: DEBUG: Packet dump:
> *** Sending to 200.240.25.3 port 1645 ....
> Code:       Access-Accept
> Identifier: 160
> Authentic:  l&<226><221><184><11>U#<229><181>~B<217><146><7>#
> Attributes:
>       Framed-IP-Address = 255.255.255.254
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Framed-Routing = None
>       Framed-MTU = 1500
>       Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
> On Tue, 8 Jun 1999, Mike McCauley wrote:
>
> > Date: Tue, 8 Jun 1999 08:53:24 -0500
> > From: Mike McCauley <[EMAIL PROTECTED]>
> > To: Jose Roberto Bulcao <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > Subject: Re: (RADIATOR) Time check item in Authby UNIX
> >
> > Hello Jose,
> >
> > I have just tested your configuration and Time check item. Your configuration
> > and users file looks fine, and it worked OK for me, allowing access only
> > between the times given.
> >
> > Can you send your log file, showing what happens when it should be applying the
> > Time restriction?
> >
> > Cheers.
> >
> > On Jun 7,  9:42am, Jose Roberto Bulcao wrote:
> > > Subject: (RADIATOR) Time check item in Authby UNIX
> > >
> > >
> > > Does anybody know if there is a way to configure time based restriction
> > > ("Time" check item) for users authenticated via Authby UNIX or SYSTEM?
> > > Using Radiator v.2.13.1 with latest patches, OS platform is IBM AIX
> > > v.4.1.5.
> > > The user in question has its group set to "admfin". By looking at the log
> > > (debug level of 5) Radiator seems to ignore "Time" check item,
> > > authenticating and authorizing the user any time of day.
> > >
> > > TIA,
> > >
> > > Here is our radius.cfg file (no secrets and renamed some files, paths):
> > >
> > > # radius.cfg
> > > #
> > > # Configuration file for radius server
> > > #
> > > # Author: Mike McCauley ([EMAIL PROTECTED])
> > > # Copyright (C) 1997 Open System Consultants
> > > # $Id: radius2.cfg,v 1.4 1998/03/06 04:43:37 mikem Exp $
> > > #
> > > #Foreground
> > > #LogStdout
> > > #Trace 9
> > > AuthPort  1645
> > > AcctPort  1646
> > > LogDir            <**OMITTED**>
> > > DbDir             <**OMITTED**>
> > > LogFile           %L/<**OMITTED**>
> > > DictionaryFile    %D/dictionary
> > >
> > > <SessionDatabase DBM>
> > >   Filename        %L/<**OMITTED**>
> > > </SessionDatabase>
> > >
> > > <Client **OMITTED_NAS_NAME**>
> > >   Secret **OMITTED**
> > >   DefaultRealm **MYREALM**
> > > </Client>
> > >
> > > <Realm DEFAULT>
> > >   RewriteUsername s/^([^@]+).*/$1/
> > >   AuthByPolicy ContinueWhileAccept
> > >   <AuthBy FILE>
> > >           Filename %D/MYUSERSFILE
> > >   </AuthBy>
> > >   MaxSessions 1
> > >   AcctLogFileName %L/%Y%m/detail-%d
> > > </Realm>
> > >
> > > <Realm SoparatratarUNIXPW>
> > >   <AuthBy UNIX>
> > >           Identifier System
> > >           Filename %D/MYPASSWDFILE
> > >           GroupFilename %D/MYGROUPFILE
> > >   </AuthBy>
> > > </Realm>
> > >
> > > #**** EOF radius.cfg ****
> > >
> > >
> > > And here the relevant part of MYUSERSFILE:
> > >
> > > #**** BOF MYUSERSFILE ****
> > >
> > > DEFAULT Auth-Type = System, Group = poponly, Auth-Type = "Reject:Essa conta eh somente para E-mail"
> > >
> > > DEFAULT Auth-Type = System, Group = fwdonly, Auth-Type = Reject
> > >   Reply-Message = Esse eh POP
> > >
> > > DEFAULT Auth-Type = System, Group = ftponly, Auth-Type = Reject
> > >   Reply-Message = Esse eh POP
> > >
> > > DEFAULT Auth-Type = System, Group = hponly, Auth-Type = Reject
> > >   Reply-Message = "Acesso Proibido"
> > >
> > > #
> > > # Here is the clause in question
> > > #
> > > DEFAULT Auth-Type = System, Group =  Time = "Al1200-1800"
> > >   Service-Type = Login-User,
> > >   Reply-Message = "Conectado!"
> > >
> > > DEFAULT   Auth-Type = System, Service-Type = Framed-User
> > >   Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address = 255.255.255.254,
> > >         Framed-Routing = None,
> > >         Framed-MTU = 1500,
> > >         Framed-Compression = Van-Jacobson-TCP-IP
> > >
> > > DEFAULT   Auth-Type = System
> > >   Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address = 255.255.255.254,
> > >         Framed-Routing = None,
> > >         Framed-MTU = 1500,
> > >         Framed-Compression = Van-Jacobson-TCP-IP
> > >
> > >
> > > #**** EOF MYUSERSFILE ****
> > >
> > > --------------------------------------
> > > Jose Roberto Bulcao - RioLink Internet
> > > Tel    : (021) 577-8899
> > > e-mail : [EMAIL PROTECTED]
> > >
> > >
> > > ===
> > > Archive at http://www.thesite.com.au/~radiator/
> > > To unsubscribe, email '[EMAIL PROTECTED]' with
> > > 'unsubscribe radiator' in the body of the message.
> > >-- End of excerpt from Jose Roberto Bulcao
> >
> >
> >
> > --
> > Mike McCauley                               [EMAIL PROTECTED]
> > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> > 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> > Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> > NT, Rhapsody
> >
>
> --------------------------------------
> Jose Roberto Bulcao - RioLink Internet
> Tel    : (021) 577-8899
> e-mail : [EMAIL PROTECTED]
>
>
>-- End of excerpt from Jose Roberto Bulcao



-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody
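
An audit script for the situation described in this reply, added here as an example (it is not from the original thread or from Radiator): it scans debug-level log lines for requests where a users-file entry rejected on the Time check item but a later DEFAULT entry accepted. The sample log is constructed from the lines quoted above; the function name and the choice of `Time:` as the policy-denial prefix are assumptions.

```python
import re

# Constructed sample: lines modelled on the debug log quoted in this thread,
# with the mail quoting removed and wrapped lines rejoined.
SAMPLE_LOG = """\
Mon Jun  7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun  7 20:57:11 1999: DEBUG: Access accepted for carmem
Mon Jun  7 21:02:40 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun  7 21:02:40 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Jun  7 21:02:40 1999: DEBUG: Radius::AuthFILE REJECT: User exampleuser is not in Group poponly
Mon Jun  7 21:02:40 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
Mon Jun  7 21:02:40 1999: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun  7 21:02:40 1999: DEBUG: Access accepted for exampleuser
"""

ENTRY = re.compile(r"DEBUG: Radius::AuthFILE looks for match with (\S+)")
REJECT = re.compile(r"DEBUG: Radius::AuthFILE REJECT: (.*)")
ACCEPT = re.compile(r"DEBUG: Radius::AuthFILE ACCEPT:")
DONE = re.compile(r"DEBUG: Access accepted for (\S+)")
# Assumption: rejects with these prefixes are policy denials, not plain non-matches.
POLICY_PREFIXES = ("Time:",)

def find_overridden_denials(log_text, prefixes=POLICY_PREFIXES):
    """Return (user, denying_entry, reason, accepting_entry) for each accepted
    request in which an earlier users-file entry rejected on a policy check item."""
    findings, entry, denials, accepted_by = [], None, [], None
    for line in log_text.splitlines():
        if "DEBUG: Handling request with Handler" in line:
            entry, denials, accepted_by = None, [], None   # new request starts
        elif m := ENTRY.search(line):
            entry = m.group(1)
        elif m := REJECT.search(line):
            if m.group(1).startswith(prefixes):
                denials.append((entry, m.group(1)))
        elif ACCEPT.search(line):
            accepted_by = entry
        elif m := DONE.search(line):
            findings += [(m.group(1), e, r, accepted_by) for e, r in denials]
    return findings

if __name__ == "__main__":
    for user, denied, reason, accepted in find_overridden_denials(SAMPLE_LOG):
        print(f"{user}: {denied} rejected ({reason}) but {accepted} accepted")
```

Group-membership and Service-Type mismatches are treated as ordinary non-matches and are not reported; only the request for carmem, where the Time reject was followed by an accept from a later entry, is flagged.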