Re: how to deny access based on realm
Hi Chris,

Thanks for the tip. Good call, I didn't have a DEFAULT realm. I added one, and if it matches, it seems Realm is set to DEFAULT rather than whatever the realm was. This is probably not a problem.

If I have realms I explicitly need to reject, I'll add a separate entry for each to proxy.conf, then add a line to users to catch it like I had below. That appears to work.

Another plan would be to use DEFAULT to catch illegal realms. This would require an entry for each "good" realm in proxy.conf so it won't match DEFAULT. It seems strange to fill up proxy.conf with local realms, but I guess that behavior can be configured whichever way makes life easier for the operators. Are there any guidelines I should be aware of for how or whether to use proxy.conf for local realms?

Dave

Chris Parker wrote:
> At 01:51 PM 6/13/2003 -0500, Dave Mason wrote:
> > Hi, I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:
> >
> > ---
> > DEFAULT Realm == "badrealm.com", Auth-Type := Reject
> >         Reply-Message = "This realm is not supported."
> >
> > DEFAULT Auth-Type := EAP
>
> I'm going to take a stab in the dark and guess that you don't have a DEFAULT realm configured. I would suggest you add a DEFAULT realm entry to process it locally. The Realm attribute is not added unless it matches a realm (and *everything* not otherwise defined will match DEFAULT).
>
> Alternatively, you could define 'badrealm' in your config in lieu of a DEFAULT entry if you didn't want to create the DEFAULT for other reasons.
>
> -Chris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
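The two plans from Dave's reply, written out as a pair of config fragments. This is an added example, not configuration posted in the thread: the realm name badrealm.com is the one from Dave's post, the file layout is FreeRADIUS 1.x-era proxy.conf realm blocks and users-file entries, and the comments explain the behaviour Chris described (rlm_realm only adds the Realm attribute when the suffix matches a configured realm, and an unmatched suffix falls into the DEFAULT realm, whose name "DEFAULT" is what Realm is then set to).

```text
#
# proxy.conf (FreeRADIUS 1.x realm-block syntax) -- added example.
# Every realm listed here with authhost/accthost = LOCAL is authenticated
# by this server.  A suffix that matches none of the named realms falls
# into "DEFAULT", and rlm_realm then sets Realm = "DEFAULT", not the
# suffix from the User-Name.
#

# Plan A: name the realm you want to reject so rlm_realm sets
# Realm = "badrealm.com" and the users file can match on it.
realm badrealm.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

# Catch-all for every suffix not listed above.  Without this block an
# unknown suffix leaves Realm unset and "Realm == ..." checks never match.
realm DEFAULT {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

#
# users -- added example.  rlm_files tries entries top to bottom and stops
# at the first one whose check items all match (Fall-Through defaults to
# No), so the Reject entry must come before the generic EAP entry.
#

# Plan A: reject a realm that is explicitly defined in proxy.conf.
DEFAULT Realm == "badrealm.com", Auth-Type := Reject
        Reply-Message = "This realm is not supported."

# Plan B (alternative): define each *good* realm LOCAL in proxy.conf and
# reject whatever fell into the DEFAULT realm instead.  Uncomment these
# two lines and drop the badrealm.com block above if you go this way.
#DEFAULT Realm == "DEFAULT", Auth-Type := Reject
#        Reply-Message = "This realm is not supported."

# Everything that got this far is authenticated with EAP.
DEFAULT Auth-Type := EAP
```

Two practical checks: in debug output (radiusd -X) a realm that is now defined shows up as rlm_realm finding it rather than the "No such realm badrealm.com" line in Dave's trace, and the users match should report the line number of the Reject entry rather than the EAP entry. The Group == "disabled" idiom Dave asks about is a separate mechanism: that check item is supplied by rlm_unix and tests membership in a system group from /etc/group, so it is not a way to group realms.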
Re: how to deny access based on realm
At 01:51 PM 6/13/2003 -0500, Dave Mason wrote:
> Hi, I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:
>
> ---
> DEFAULT Realm == "badrealm.com", Auth-Type := Reject
>         Reply-Message = "This realm is not supported."
>
> DEFAULT Auth-Type := EAP

I'm going to take a stab in the dark and guess that you don't have a DEFAULT realm configured. I would suggest you add a DEFAULT realm entry to process it locally. The Realm attribute is not added unless it matches a realm (and *everything* not otherwise defined will match DEFAULT).

Alternatively, you could define 'badrealm' in your config in lieu of a DEFAULT entry if you didn't want to create the DEFAULT for other reasons.

-Chris

--
Chris Parker
Director, Engineering
StarNet Inc. - WX *is* Wireless!
http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
how to deny access based on realm
Hi,

I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:

---
DEFAULT Realm == "badrealm.com", Auth-Type := Reject
        Reply-Message = "This realm is not supported."

DEFAULT Auth-Type := EAP

However when I send Access-Request for "[EMAIL PROTECTED]" it gets past this line and starts the auth process. Am I missing something? I turn on eap in the authorize section. Maybe I don't really need the DEFAULT Auth-Type := EAP line but it makes life simple. I'll add the trace below.

Also, it may be preferable to define a group of bad realms somewhere, rather than list them all separately here. I saw the example that looks like this:

DEFAULT Group == "disabled", Auth-Type := Reject

Where do you define the group?

Here's the trace:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=53, length=85
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        User-Name = "[EMAIL PROTECTED]"
        Message-Authenticator = 0x09d10d402d5ad1c98c60e4081f729884
        EAP-Message = 0x020100180165617075736572407472616e7361742e636f6d
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: Looking up realm badrealm.com for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm badrealm.com
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 194      <--- this is the DEFAULT Auth-Type := EAP
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: processing type sim
  rlm_eap_sim: Issuing EAP-Request/SIM/Start for [EMAIL PROTECTED]
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 53 to 127.0.0.1:32768
        EAP-Message = 0x01020014120a0f02000200010a01
        Message-Authenticator = 0x
        State = "state1"
Finished request 0

Regards,
Dave