Actually, I managed to get it working using your hints and a
user file. I just replaced the Auth-Type to point to the
identifier specified by the <AuthBy GROUP>:
In my "users" file:
DEFAULT Auth-Type = ANCI-SQLFallbackFILE
Ascend-Idle-Limit = 1800,
Ascend-Assign-IP-Pool = 0,
User-Service = Framed-User,
Framed-Protocol = PPP,
Ascend-Maximum-Call-Duration = 480,
Ascend-Client-Primary-DNS = 208.133.27.10,
Ascend-Client-Secondary-DNS = 216.152.26.168,
Ascend-Client-Assign-DNS = DNS-Assign-Yes,
Ascend-Shared-Profile-Enable = 0,
Ascend-Multicast-Client = 1,
Ascend-Multicast-Rate-Limit = 5
and in my radiusd.cfg:
<AuthBy GROUP>
Identifier ANCI-SQLFallbackFILE
AuthByPolicy ContinueWhileIgnore
AuthBy ANCI-AuthSQLPasswd
AuthBy UNIX
</AuthBy>
This way I could set default attributes and fall back to a flat
file if the SQL database failed. Worked like a champ.
Thanks a ton for your assistance!
At 12:01 PM 4/30/01 +1000, Hugh Irvine wrote:
>
>Hello John -
>
>You would not use the "users" file.
>
>hth
>
>Hugh
>
>On Saturday 28 April 2001 14:11, John Coy wrote:
>> Hugh,
>>
>> In your example below, I'm unclear how I involve my "users"
>> file (which contains the DEFAULT entries I'd like to assign
>> authenticated users) -- that's why I have <AuthBy FILE>
>> and in that file, I have the Auth-Type pointing to the
>> appropriate authentication process.
>>
>> John
>>
>> At 12:15 PM 4/28/01 +1000, Hugh Irvine wrote:
>> >Hello John, Hello Dave -
>> >
>> >The problem you are seeing has to do with the the differences between
>> >multiple DEFAULT handling in a user file and multiple AuthBy clauses under
>> >the control of an AuthByPolicy.
>> >
>> >In the case of multiple DEFAULT entries, these are only consulted in the
>> > case of a Reject (or multiple Rejects), except when Fall-Through is used,
>> > in which case it will go on to the next in the case of an Accept. There
>> > is no provision for Ignore as you have discovered.
>> >
>> >The way to deal with Ignore is by using multiple AuthBy clauses under the
>> >control of an AuthByPolicy ContinueWhileIgnore. In your case, you could
>> >replace your AuthBy FILE, with an AuthBy GROUP:
>> >
>> ><Realm DEFAULT>
>> > RewriteUsername tr/A-Z/a-z/
>> > AuthByPolicy ContinueWhileIgnore
>> >
>> > AuthBy AuthANCIUsers
>> ></Realm>
>> >
>> ><AuthBy GROUP>
>> > Identifier AuthANCIUsers
>> > AuthByPolicy ContinueWhileIgnore
>> > AuthBy AuthSQLPasswd
>> > AuthBy UNIX
>> ></AuthBy>
>> >
>> ><AuthBy SQL>
>> > Identifier AuthSQLPasswd
>> >
>> > DBSource dbi:Oracle:starship
>> > DBUsername uname
>> > DBAuth password
>> >
>> > AuthSelect SELECT password, checkattr, replyattr \
>> > FROM passwd \
>> > WHERE username = LOWER('%n')
>> >
>> > AuthColumnDef 0, Encrypted-Password, check
>> > AuthColumnDef 1, GENERIC, check
>> > AuthColumnDef 2, GENERIC, reply
>> >
>> > AddToReplyIfNotExist Ascend-Maximum-Channels = 1
>> >
>> > AccountingTable
>> ></AuthBy>
>> >
>> ><AuthBy UNIX>
>> > Identifier UNIX
>> > Filename /usr/local/etc/shadow
>> > GroupFilename /usr/local/etc/group
>> >
>> > AddToReplyIfNotExist Ascend-Maximum-Channels = 1
>> ></Authby>
>> >
>> >
>> >hth
>> >
>> >Hugh
>> >
>> >On Saturday 28 April 2001 03:04, John Coy wrote:
>> >> It's my understanding that Fall-Through = yes is the default
>> >> setting. However, I did try it and it still did not work.
>> >>
>> >> Thank you for your reply, however. I'm certain that I'm
>> >> doing something wrong, but I know eventually I'll figure
>> >> it out or someone will nudge me in the right direction.
>> >>
>> >> John
>> >>
>> >> At 01:02 PM 4/27/01 -0400, you wrote:
>> >> >I'm not a whiz at using DEFAULT, but you might benefit from:
>> >> >
>> >> >13.2.6 Fall-Through
>> >> >This attribute is not actually returned to the NAS. Its presence causes
>> >> >Radiator to continue looking for a match with the next DEFAULT user
>> >> > name.
>> >> >
>> >> > Fall-Through = yes
>> >> >
>> >> >http://www.open.com.au/radiator/ref.html#pgfId=330995
>> >> >
>> >> >Dave
>> >> >
>> >> > > -----Original Message-----
>> >> > > From: John Coy [mailto:[EMAIL PROTECTED]]
>> >> > > Sent: Friday, April 27, 2001 11:31 AM
>> >> > > To: [EMAIL PROTECTED]
>> >> > > Subject: Re: (RADIATOR) best technique to fallback to flat file if
>> >> > > DB server not available
>> >> > >
>> >> > >
>> >> > > I know it's wierd to reply to my own message, but I found
>> >> > > something in the RADIATOR archives:
>> >> > >
>> >> > > [ From Mike McCauley ]
>> >> > > 2. Chain a second authentication method after SQL, so that if
>> >> > > SQL fails (and
>> >> > > says IGNORE), it will then auth from (say) a local flat file:
>> >> > >
>> >> > > <Realm whatever>
>> >> > > AuthByPolicy ContinueWhileIgnore
>> >> > > <AuthBy SQL>
>> >> > > # whatever
>> >> > > </AuthBy>
>> >> > > # If SQL fails, auth from flat file:
>> >> > > <AuthBy FILE>
>> >> > > Filename whatever
>> >> > > </AuthBy>
>> >> > > </Realm>
>> >> > >
>> >> > > However, this technique doesn't work if you have an arrangement
>> >> > > similar to this one -- here, my default realm is authenticated
>> >> > > using <Authby FILE>. Inside that file, I make references to
>> >> > > several authentication methods, including <AuthBy SQL> and
>> >> > > <AuthBy UNIX>. However, since the <AuthBy SQL> fails, it
>> >> > > never gets to move on to the second DEFAULT. Not sure if this
>> >> > > is intended to be this way, or if my config is just so messed
>> >> > > up... anyhow, if there's a way to get it to move on to the next
>> >> > > DEFAULT entry that's what I'd like to do....
>> >> > >
>> >> > > My radiusd.cfg (excerpts):
>> >> > >
>> >> > > -- radiusd.cfg --
>> >> > > <Realm DEFAULT>
>> >> > > RewriteUsername tr/A-Z/a-z/
>> >> > > AuthByPolicy ContinueWhileIgnore
>> >> > >
>> >> > > AuthBy AuthANCIUsers
>> >> > > </Realm>
>> >> > >
>> >> > > <AuthBy FILE>
>> >> > > Identifier AuthANCIUsers
>> >> > > Filename %D/users
>> >> > > </AuthBy>
>> >> > >
>> >> > > <AuthBy SQL>
>> >> > > Identifier AuthSQLPasswd
>> >> > >
>> >> > > DBSource dbi:Oracle:starship
>> >> > > DBUsername uname
>> >> > > DBAuth password
>> >> > >
>> >> > > AuthSelect SELECT password, checkattr, replyattr \
>> >> > > FROM passwd \
>> >> > > WHERE username = LOWER('%n')
>> >> > >
>> >> > > AuthColumnDef 0, Encrypted-Password, check
>> >> > > AuthColumnDef 1, GENERIC, check
>> >> > > AuthColumnDef 2, GENERIC, reply
>> >> > >
>> >> > > AddToReplyIfNotExist Ascend-Maximum-Channels = 1
>> >> > >
>> >> > > AccountingTable
>> >> > > </AuthBy>
>> >> > >
>> >> > > <AuthBy UNIX>
>> >> > > Identifier UNIX
>> >> > > Filename /usr/local/etc/shadow
>> >> > > GroupFilename /usr/local/etc/group
>> >> > >
>> >> > > AddToReplyIfNotExist Ascend-Maximum-Channels = 1
>> >> > > </Authby>
>> >> > > -- end radiusd.cfg --
>> >> > >
>> >> > > Then, inside the "users" file, you have a DEFAULT entry:
>> >> > >
>> >> > > -- users --
>> >> > > DEFAULT Auth-Type = AuthSQLPasswd
>> >> > > Ascend-Idle-Limit = 1800,
>> >> > > Ascend-Assign-IP-Pool = 0,
>> >> > > User-Service = Framed-User,
>> >> > > Framed-Protocol = PPP,
>> >> > > Ascend-Maximum-Call-Duration = 480,
>> >> > > Ascend-Client-Primary-DNS = 208.133.27.10,
>> >> > > Ascend-Client-Secondary-DNS = 216.152.26.168,
>> >> > > Ascend-Client-Assign-DNS = DNS-Assign-Yes,
>> >> > > Ascend-Shared-Profile-Enable = 0,
>> >> > > Ascend-Multicast-Client = 1,
>> >> > > Ascend-Multicast-Rate-Limit = 5
>> >> > >
>> >> > > DEFAULT Auth-Type = UNIX
>> >> > > Ascend-Idle-Limit = 1800,
>> >> > > Ascend-Assign-IP-Pool = 0,
>> >> > > User-Service = Framed-User,
>> >> > > Framed-Protocol = PPP,
>> >> > > Ascend-Maximum-Call-Duration = 480,
>> >> > > Ascend-Client-Primary-DNS = 208.133.27.10,
>> >> > > Ascend-Client-Secondary-DNS = 216.152.26.168,
>> >> > > Ascend-Client-Assign-DNS = DNS-Assign-Yes,
>> >> > > Ascend-Shared-Profile-Enable = 0,
>> >> > > Ascend-Multicast-Client = 1,
>> >> > > Ascend-Multicast-Rate-Limit = 5
>> >> > > -- end users --
>> >> > >
>> >> > > At 09:02 PM 4/26/01 -0500, you wrote:
>> >> > > >What's the best technique to have Radiator fall back to
>> >> > >
>> >> > > authentication
>> >> > >
>> >> > > >via flat file (UNIX-style auth for example) instead of SQL
>> >> > >
>> >> > > database if the
>> >> > >
>> >> > > >SQL database isn't available.
>> >> > > >
>> >> > > >I tried using two DEFAULT entries in my users file, one which did
>> >> > > > SQL auth, the other which did UNIX auth but that didn't work.
>> >> > >
>> >> > > Instead, it
>> >> > >
>> >> > > >fails to connect to the DB server and won't move on to the flat
>> >> > > > file.
>> >> > > >
>> >> > > >Hints, tips welcome.
>> >> > > >
>> >> > > >John
>> >> > > >
>> >> > > >
>> >> > > >===
>> >> > > >Archive at http://www.starport.net/~radiator/
>> >> > > >Announcements on [EMAIL PROTECTED]
>> >> > > >To unsubscribe, email '[EMAIL PROTECTED]' with
>> >> > > >'unsubscribe radiator' in the body of the message.
>> >> > >
>> >> > > ===
>> >> > > Archive at http://www.starport.net/~radiator/
>> >> > > Announcements on [EMAIL PROTECTED]
>> >> > > To unsubscribe, email '[EMAIL PROTECTED]' with
>> >> > > 'unsubscribe radiator' in the body of the message.
>> >>
>> >> ===
>> >> Archive at http://www.starport.net/~radiator/
>> >> Announcements on [EMAIL PROTECTED]
>> >> To unsubscribe, email '[EMAIL PROTECTED]' with
>> >> 'unsubscribe radiator' in the body of the message.
>> >
>> >--
>> >Radiator: the most portable, flexible and configurable RADIUS server
>> >anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> >-
>> >Nets: internetwork inventory and management - graphical, extensible,
>> >flexible with hardware, software, platform and database independence.
>> >
>> >===
>> >Archive at http://www.starport.net/~radiator/
>> >Announcements on [EMAIL PROTECTED]
>> >To unsubscribe, email '[EMAIL PROTECTED]' with
>> >'unsubscribe radiator' in the body of the message.
>>
>> ===
>> Archive at http://www.starport.net/~radiator/
>> Announcements on [EMAIL PROTECTED]
>> To unsubscribe, email '[EMAIL PROTECTED]' with
>> 'unsubscribe radiator' in the body of the message.
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
>
>===
>Archive at http://www.starport.net/~radiator/
>Announcements on [EMAIL PROTECTED]
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.
>
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
