What version did you test under? I am using it under 3.1. I also use a handler not a realm. I am wondering if this is a version issue with radiator. My continue until rejects works without the first authby file. The first authby file is the file with the auth-type reject in it.
Mike

My config is this:

Note: I have commented and uncommented AuthBy GROUP out, I have stopped and restarted radius with the init script. The trace 4 is below.

<Handler Realm=MODEMS,NAS-Port-Type=Virtual>
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy FILE>
            Filename %D/reject_modem.users
            AcceptIfMissing
        </AuthBy>
        <AuthBy FILE>
            Filename %D/backbone_users
        </AuthBy>
        <AuthBy PAM>
            Fork
            Service radiusd
        </AuthBy>
    </AuthBy>
    AuthLog Backbone_Login_Failures
    # Log accounting to a detail file
    AcctLogFileName %L/modems_backbone_users.log
</Handler>

Wed Nov 26 09:57:44 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 09:57:44 2003: DEBUG: Rewrote user name to username
Wed Nov 26 09:57:44 2003: DEBUG: Deleting session for username, 192.168.x.x, 98
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
Wed Nov 26 09:57:44 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for usernameB
Wed Nov 26 09:57:44 2003: DEBUG: Packet dump:

Now to simplify this even more I took out all the authby's except the file with the reject in it.
I was still able to log on, the debug is below

Wed Nov 26 10:05:57 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Virtual'
Wed Nov 26 10:05:57 2003: DEBUG: Rewrote user name to username
Wed Nov 26 10:05:57 2003: DEBUG: Deleting session for username, 192.168.x.xB, 98
Wed Nov 26 10:05:57 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE looks for match with username
Wed Nov 26 10:05:57 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 10:05:57 2003: DEBUG: Access accepted for username

On Wed, 26 Nov 2003, Hugh Irvine wrote:

>
> Hello Mike -
>
> I have done some testing here (as has Mike) and neither of us has this problem.
>
> Here is my configuration file (which also works with ContinueUntilReject):
>
> <Realm DEFAULT>
>     AuthByPolicy ContinueWhileAccept
>     <AuthBy FILE>
>         Filename ./users.reject
>         AcceptIfMissing
>     </AuthBy>
>     <AuthBy FILE>
>         Filename ./users
>     </AuthBy>
>     <AuthBy FILE>
>         Filename ./users
>     </AuthBy>
>     # Log accounting to a detail file
>     AcctLogFileName ./detail-%G
> </Realm>
>
> Here is the "users.reject" file:
>
> username Auth-Type = Reject
>
> And here is the trace 4:
>
> perl radpwtst -user username -noacct
> sending Access-Request...
> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 49663 ....
> Code: Access-Request
> Identifier: 196
> Authentic: 1234567890123456
> Attributes:
>     User-Name = "username"
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Port = 1234
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-Port-Type = Async
>     User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Wed Nov 26 18:17:01 2003: DEBUG: Rewrote user name to username
> Wed Nov 26 18:17:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Nov 26 18:17:01 2003: DEBUG: Deleting session for username, 203.63.154.1, 1234
> Wed Nov 26 18:17:01 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE looks for match with username
> Wed Nov 26 18:17:01 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 18:17:01 2003: INFO: Access rejected for username: Rejected explicitly by Auth-Type=Reject
> Wed Nov 26 18:17:01 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 49663 ....
> Code: Access-Reject
> Identifier: 196
> Authentic: 1234567890123456
> Attributes:
>     Reply-Message = "Request Denied"
>
> I can only suggest you try setting up a simple test configuration to try it first.
>
> Perhaps you are not editing the correct file(s) and/or you have not restarted "radiusd"?
>
> regards
>
> Hugh
>
>
> On 26/11/2003, at 5:39 AM, Forbes Mike wrote:
>
> >
> > I get the following trace 4 with ContinueWhileAccept
> >
> > Mike
> >
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling request with Handler 'Realm=MODEMS,NAS-Port-Type=Async,NAS-IP-Address=192.168.x.x'
> > Tue Nov 25 11:36:11 2003: DEBUG: Rewrote user name to username
> > Tue Nov 25 11:36:11 2003: DEBUG: Deleting session for username, 192.168.x.x, 9
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthGROUP
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with Radius::AuthFILE:
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE looks for match with username
> > Tue Nov 25 11:36:11 2003: DEBUG: Radius::AuthFILE ACCEPT:
> > Tue Nov 25 11:36:11 2003: DEBUG: Handling with PAM service radiusd
> > Tue Nov 25 11:36:11 2003: DEBUG: PAM is asking for 1: 'Password'
> > Tue Nov 25 11:36:11 2003: DEBUG: Access accepted for username
> > Tue Nov 25 11:36:11 2003: DEBUG: Packet dump:
> >
> > Code: Access-Accept
> >
> >
> > On Tue, 25 Nov 2003, Hugh Irvine wrote:
> >
> >>
> >> Hello Mike -
> >>
> >> Thanks for your mail - how curious!
> >>
> >> I wonder if you could try to change the configuration to:
> >>
> >>     AuthByPolicy ContinueWhileAccept
> >>
> >> and see what happens.
> >>
> >> I'll also forward your mail to Mike.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 25/11/2003, at 5:56 AM, Forbes Mike wrote:
> >>
> >>>
> >>> Hi Hugh,
> >>>
> >>> It would seem the continue until reject is not functioning correctly in this case. The debug shows the reject but continues on.
> >>>
> >>> I tried the following:
> >>>
> >>>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>     <AuthBy GROUP>
> >>>         AuthByPolicy ContinueUntilReject
> >>>         <AuthBy FILE>
> >>>             Filename %D/reject_modem.users
> >>>             AcceptIfMissing
> >>>         </AuthBy>
> >>>
> >>>         <AuthBy FILE>
> >>>             Filename %D/backbone_users
> >>>         </AuthBy>
> >>>         <AuthBy PAM>
> >>>             Fork
> >>>             Service radiusd
> >>>         </AuthBy>
> >>>     </AuthBy>
> >>>     AuthLog Modem_Login_Failures
> >>>     # Log accounting to a detail file
> >>>     AcctLogFileName %L/modem_pool_backbone_users.log
> >>>
> >>> with the reject_modem.users containing
> >>>
> >>>     username Auth-Type=Reject
> >>>
> >>> The user can still get on. The debug is below:
> >>> Radiator 3.1
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Rewrote user name to username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Deleting session for username, 192.168.x.x, 53
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthGROUP
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with Radius::AuthFILE:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE looks for match with username
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Radius::AuthFILE ACCEPT:
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Handling with PAM service radiusd
> >>> Mon Nov 24 11:43:05 2003: DEBUG: PAM is asking for 1: 'Password'
> >>> Mon Nov 24 11:43:05 2003: DEBUG: Access accepted for username
> >>>
> >>>
> >>> On Sat, 13 Sep 2003, Hugh Irvine wrote:
> >>>
> >>>>
> >>>> Hello Mike -
> >>>>
> >>>> Yes this is quite simple to achieve.
> >>>>
> >>>> <Handler Realm=MODEMS>
> >>>>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>>     <AuthBy GROUP>
> >>>>         AuthByPolicy ContinueUntilReject
> >>>>
> >>>>         <AuthBy FILE>
> >>>>             Filename %D/reject.users
> >>>>             AcceptIfMissing
> >>>>         </AuthBy>
> >>>>
> >>>>         <AuthBy PAM>
> >>>>             Fork
> >>>>             Service radiusd
> >>>>         </AuthBy>
> >>>>
> >>>>     </AuthBy>
> >>>>     AuthLog Modem_Login_Failures
> >>>>     AcctLogFileName %L/Modems.log
> >>>> </Handler>
> >>>>
> >>>>
> >>>> The file "%D/reject.users" would contain something like this:
> >>>>
> >>>> # reject.users
> >>>>
> >>>> username1 Auth-Type = Reject
> >>>>
> >>>> username2 Auth-Type = Reject
> >>>>
> >>>> .......
> >>>>
> >>>>
> >>>> If you have any other questions, please contact me.
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>>
> >>>> On Saturday, Sep 13, 2003, at 06:56 Australia/Melbourne, Forbes Mike wrote:
> >>>>
> >>>>>
> >>>>> I have a request to block certain users access to our modem pool.
> >>>>>
> >>>>> Users are first authenticated by kerb via PAM. What I would like to do is have radius then check to see if they are listed in a file and reject them only if they are listed. If they are not in the file they can logon.
> >>>>>
> >>>>> I saw the username authtype example in the manual, is there a way to do this in a file for a larger number?
> >>>>>
> >>>>> Could you do the AuthByPolicy ContinueWhileReject and put this before my authbypam below?
> >>>>>
> >>>>> My handler is below.
> >>>>>
> >>>>> Mike Forbes
> >>>>>
> >>>>>
> >>>>> <Handler Realm=MODEMS>
> >>>>>     RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> >>>>>     <AuthBy GROUP>
> >>>>>         AuthByPolicy ContinueUntilReject
> >>>>>         <AuthBy PAM>
> >>>>>             Fork
> >>>>>             Service radiusd
> >>>>>         </AuthBy>
> >>>>>     </AuthBy>
> >>>>>     AuthLog Modem_Login_Failures
> >>>>>     AcctLogFileName %L/Modems.log
> >>>>> </Handler>
> >>>>>
> >>>>>
> >>>>> ===
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on [EMAIL PROTECTED]
> >>>>> To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>
> >>>> NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
> >>>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
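
A check for the symptom shown in the traces in this thread (REJECT_IMMEDIATE from the reject file, then "Access accepted" for the same user), as an added example that is not part of the original messages or of Radiator. It assumes the trace 4 line format quoted in the thread; the function name `find_overridden_rejects`, the users alice and bob and the addresses are constructed.

```python
import re

# Line shapes follow the trace 4 output quoted in the thread.
TS = r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (?:DEBUG|INFO): "
NEW_REQUEST = re.compile(TS + r"Deleting session for (?P<user>[^,]+),")
LOOKUP = re.compile(TS + r"Radius::AuthFILE looks for match with (?P<user>\S+)")
REJECT = re.compile(TS + r"Radius::AuthFILE REJECT_IMMEDIATE: (?P<why>.*)")
REJECTED = re.compile(TS + r"Access rejected for (?P<user>[^:\s]+)")
ACCEPTED = re.compile(TS + r"Access accepted for (?P<user>\S+)")


def find_overridden_rejects(lines):
    """Return (timestamp, user, reason) for every request in which AuthBy FILE
    logged REJECT_IMMEDIATE but the request still ended in an accept."""
    findings, pending, last_lookup = [], {}, None
    for line in lines:
        line = line.strip()
        if m := NEW_REQUEST.match(line):
            pending.pop(m["user"], None)       # each request starts clean
            last_lookup = None
        elif m := LOOKUP.match(line):
            last_lookup = m["user"]
        elif (m := REJECT.match(line)) and last_lookup:
            pending[last_lookup] = m["why"]    # deny-list hit for this user
        elif m := REJECTED.match(line):
            pending.pop(m["user"], None)       # the reject was honoured
        elif (m := ACCEPTED.match(line)) and m["user"] in pending:
            findings.append((m["ts"], m["user"], pending.pop(m["user"])))
    return findings


# Constructed sample (hypothetical users alice and bob, documentation addresses).
SAMPLE = """\
Wed Nov 26 09:57:44 2003: DEBUG: Deleting session for alice, 192.0.2.10, 98
Wed Nov 26 09:57:44 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE looks for match with alice
Wed Nov 26 09:57:44 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 09:57:44 2003: DEBUG: Handling with PAM service radiusd
Wed Nov 26 09:57:44 2003: DEBUG: Access accepted for alice
Wed Nov 26 09:58:02 2003: DEBUG: Deleting session for bob, 192.0.2.10, 99
Wed Nov 26 09:58:02 2003: DEBUG: Radius::AuthFILE looks for match with bob
Wed Nov 26 09:58:02 2003: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE: Rejected explicitly by Auth-Type=Reject
Wed Nov 26 09:58:02 2003: INFO: Access rejected for bob: Rejected explicitly by Auth-Type=Reject
""".splitlines()

if __name__ == "__main__":
    for ts, user, why in find_overridden_rejects(SAMPLE):
        print(f"{ts}: {user} accepted despite deny-list reject ({why})")
```

Run against a trace 4 log after any change to the handler, an empty result means every reject from the deny-list file ended in an Access-Reject.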