Hello Mike -
I have done some testing here (as has Mike) and neither of us has this problem.
Here is my configuration file (which also works with ContinueUntilReject):
<Realm DEFAULT>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                Filename ./users.reject
                AcceptIfMissing
        </AuthBy>
        <AuthBy FILE>
                Filename ./users
        </AuthBy>
        <AuthBy FILE>
                Filename ./users
        </AuthBy>
        # Log accounting to a detail file
        AcctLogFileName ./detail-%G
</Realm>
Here is the "users.reject" file:
username Auth-Type = Reject
And here is the trace 4:
perl radpwtst -user username -noacct
sending Access-Request...
Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 49663 ....
Code: Access-Request
Identifier: 196
Authentic: 1234567890123456
Attributes:
User-Name = "username"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 26 18:17:01 2003: DEBUG: Deleting session for username, 203.63.154.1, 1234
Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 49663 ....
Code: Access-Reject
Identifier: 196
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
I can only suggest you try setting up a simple test configuration to try it first.
Perhaps you are not editing the correct file(s) and/or you have not restarted "radiusd"?
regards
Hugh
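The thread turns on whether a REJECT_IMMEDIATE from the first AuthBy FILE actually stops the AuthBy GROUP, which is only visible in a trace 4 log. As an added example (not from this thread or from Radiator), the following Python check parses trace-4 lines, groups them per request at each "Handling request with Handler" line, and flags any request that was accepted after an AuthBy returned REJECT_IMMEDIATE. The sample log is constructed from the shapes of the two traces above.

```python
import re

# One Radiator trace-4 line: "<timestamp>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ [\d:]+ \d{4}): (?P<level>\w+): (?P<msg>.*)$")


def parse_trace(text):
    """Split a trace-4 log into per-request message lists.
    A new request starts at each 'Handling request with Handler' line."""
    requests, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # packet-dump attribute lines carry no timestamp
        msg = m.group("msg")
        if msg.startswith("Handling request with Handler"):
            current = []
            requests.append(current)
        elif current is not None:
            current.append(msg)
    return requests


def find_bypassed_rejects(text):
    """Return (request_index, reject_message) for every request in which an
    AuthBy returned REJECT_IMMEDIATE but the request was still accepted."""
    findings = []
    for i, msgs in enumerate(parse_trace(text)):
        reject = next((m for m in msgs if "REJECT_IMMEDIATE" in m), None)
        accepted = any(m.startswith("Access accepted") for m in msgs)
        if reject and accepted:
            findings.append((i, reject))
    return findings


# Constructed sample: request 0 honours the reject (as in Hugh's trace),
# request 1 reaches the reject yet is still accepted (as in Mike's trace).
SAMPLE = """\
Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS'
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
"""

if __name__ == "__main__":
    for idx, why in find_bypassed_rejects(SAMPLE):
        print(f"request {idx}: accepted despite '{why}'")
```

Run it over a real trace 4 file after changing the AuthByPolicy and restarting radiusd; an empty result means the reject file is being enforced.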
On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
I get the following trace 4 with ContinueWhileAccept
Mike
Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username, 192.168.x.x, 9
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
Code: Access-Accept
On Tue, 25 Nov 2003, Hugh Irvine wrote:
Hello Mike -
Thanks for your mail - how curious!
I wonder if you could try to change the configuration to:
AuthByPolicy ContinueWhileAccept
and see what happens.
I'll also forward your mail to Mike.
regards
Hugh
On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
Hi Hugh,
It would seem the continue until reject is not functioning correctly in
this case. The debug shows the reject but continues on.
I tried the following:
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
<AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy FILE>
                Filename %D/reject_modem.users
                AcceptIfMissing
        </AuthBy>
        <AuthBy FILE>
                Filename %D/backbone_users
        </AuthBy>
        <AuthBy PAM>
                Fork
                Service radiusd
        </AuthBy>
</AuthBy>
AuthLog Modem_Login_Failures
# Log accounting to a detail file
AcctLogFileName %L/modem_pool_backbone_users.log
with the reject_modem.users containing username Auth-Type=Reject
The user can still get on. The debug is below:
Radiator 3.1
Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username, 192.168.x.x, 53
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
On Sat, 13 Sep 2003, Hugh Irvine wrote:
Hello Mike -
Yes, this is quite simple to achieve.
<Handler Realm=MODEMS>
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                <AuthBy FILE>
                        Filename %D/reject.users
                        AcceptIfMissing
                </AuthBy>
                <AuthBy PAM>
                        Fork
                        Service radiusd
                </AuthBy>
        </AuthBy>
        AuthLog Modem_Login_Failures
        AcctLogFileName %L/Modems.log
</Handler>
The file "%D/reject.users" would contain something like this:
# reject.users
username1 Auth-Type = Reject
username2 Auth-Type = Reject
.......
If you have any other questions, please contact me.
regards
Hugh
On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike wrote:
I have a request to block certain users access to our modem pool.
Users are first authenticated by kerb via PAM. What I would like to do is
have radius then check to see if they are listed in a file and reject them
only if they are listed. If they are not in the file they can logon.
I saw the username authtype example in the manual, is there a way to do
this in a file for a larger number?
Could you do the AuthByPolicy ContinueWhileReject and put this before my
authbypam below?
My handler is below.
Mike Forbes
<Handler Realm=MODEMS>
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                <AuthBy PAM>
                        Fork
                        Service radiusd
                </AuthBy>
        </AuthBy>
        AuthLog Modem_Login_Failures
        AcctLogFileName %L/Modems.log
</Handler>
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.