Re: Allowing user from one realm but not another

2010-02-13 Thread Gary Gatten 
Assuming there are not duplicate names, can't you jus rewrite his auth request 
so its always the realm you want? Billy.* = Billy.beg



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: freeradius-users@lists.freeradius.org 
 
Sent: Sat Feb 13 09:52:33 2010
Subject: Allowing user from one realm but not another 



Heres my issue and no idea exactly how to do this.

Trying to figure it out is making me more confused.

 

1st I use the usersfile for authentation 

 

I have three different realms users can login with

 

For examples they are (foo.net, bar.net, beg.net)

 

When users login from one of the realms from my two upstream providers they 
login as one of these realms

Then freeradius will strip the realm and auth the user

 

My delima is I have some users that abused a certain realm usage and I want to 
restrict them to another realm for login and deny the others

 

Say bi...@foo.net has abused the foo.net realm now I need him solely on the 
beg.net and disallowing the other two realms. In other words reject him before 
if he trys to use the old realm again. In other words I want to allow only 
billy to use this one new realm and be rejected if he trys another realm.

 

This has to take place I figure in preproxy, cause my users file is 
authenticated minus the realm in proxy..

 

But as I said I have no idea on what to do to set this up..

 

I would not mind adding usernames to a file to be prechecked at preproxy and if 
user is and he is not using realm specified reject him , just not sure what to 
do or how..

 

Jeff

 









"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A 
Yes that would work not not sure how to implement this.  I have been trying to 
find a written example of someone who has done this

On the search engines but all I have accomplished is making myself confused

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:11 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

 

Assuming there are not duplicate names, can't you jus rewrite his auth request 
so its always the realm you want? Billy.* = Billy.beg

 

  _  

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: freeradius-users@lists.freeradius.org 
 
Sent: Sat Feb 13 09:52:33 2010
Subject: Allowing user from one realm but not another 

Heres my issue and no idea exactly how to do this.

Trying to figure it out is making me more confused.

 

1st I use the usersfile for authentation 

 

I have three different realms users can login with

 

For examples they are (foo.net, bar.net, beg.net)

 

When users login from one of the realms from my two upstream providers they 
login as one of these realms

Then freeradius will strip the realm and auth the user

 

My delima is I have some users that abused a certain realm usage and I want to 
restrict them to another realm for login and deny the others

 

Say bi...@foo.net has abused the foo.net realm now I need him solely on the 
beg.net and disallowing the other two realms. In other words reject him before 
if he trys to use the old realm again. In other words I want to allow only 
billy to use this one new realm and be rejected if he trys another realm.

 

This has to take place I figure in preproxy, cause my users file is 
authenticated minus the realm in proxy..

 

But as I said I have no idea on what to do to set this up..

 

I would not mind adding usernames to a file to be prechecked at preproxy and if 
user is and he is not using realm specified reject him , just not sure what to 
do or how..

 

Jeff

 

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system." 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing user from one realm but not another

2010-02-13 Thread Gary Gatten 
LOL, easy to do with FR. I was just getting the hang of it when I was pulled 
off to another project.

Check out the operators and unlang. Maybe there are some examples within the 
users file with similar replacement operations.



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: 'FreeRadius users mailing list'  
Sent: Sat Feb 13 10:17:42 2010
Subject: RE: Allowing user from one realm but not another 



Yes that would work not not sure how to implement this.  I have been trying to 
find a written example of someone who has done this

On the search engines but all I have accomplished is making myself confused

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:11 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

 

Assuming there are not duplicate names, can't you jus rewrite his auth request 
so its always the realm you want? Billy.* = Billy.beg

 



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: freeradius-users@lists.freeradius.org 
 
Sent: Sat Feb 13 09:52:33 2010
Subject: Allowing user from one realm but not another 

Heres my issue and no idea exactly how to do this.

Trying to figure it out is making me more confused.

 

1st I use the usersfile for authentation 

 

I have three different realms users can login with

 

For examples they are (foo.net, bar.net, beg.net)

 

When users login from one of the realms from my two upstream providers they 
login as one of these realms

Then freeradius will strip the realm and auth the user

 

My delima is I have some users that abused a certain realm usage and I want to 
restrict them to another realm for login and deny the others

 

Say bi...@foo.net has abused the foo.net realm now I need him solely on the 
beg.net and disallowing the other two realms. In other words reject him before 
if he trys to use the old realm again. In other words I want to allow only 
billy to use this one new realm and be rejected if he trys another realm.

 

This has to take place I figure in preproxy, cause my users file is 
authenticated minus the realm in proxy..

 

But as I said I have no idea on what to do to set this up..

 

I would not mind adding usernames to a file to be prechecked at preproxy and if 
user is and he is not using realm specified reject him , just not sure what to 
do or how..

 

Jeff

 

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system." 









"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A 
So far no luck, but I will keep looking.

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:32 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

 

LOL, easy to do with FR. I was just getting the hang of it when I was pulled 
off to another project.

Check out the operators and unlang. Maybe there are some examples within the 
users file with similar replacement operations.

 

  _  

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: 'FreeRadius users mailing list'  
Sent: Sat Feb 13 10:17:42 2010
Subject: RE: Allowing user from one realm but not another 

Yes that would work not not sure how to implement this.  I have been trying to 
find a written example of someone who has done this

On the search engines but all I have accomplished is making myself confused

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:11 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

 

Assuming there are not duplicate names, can't you jus rewrite his auth request 
so its always the realm you want? Billy.* = Billy.beg

 

  _  

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: freeradius-users@lists.freeradius.org 
 
Sent: Sat Feb 13 09:52:33 2010
Subject: Allowing user from one realm but not another 

Heres my issue and no idea exactly how to do this.

Trying to figure it out is making me more confused.

 

1st I use the usersfile for authentation 

 

I have three different realms users can login with

 

For examples they are (foo.net, bar.net, beg.net)

 

When users login from one of the realms from my two upstream providers they 
login as one of these realms

Then freeradius will strip the realm and auth the user

 

My delima is I have some users that abused a certain realm usage and I want to 
restrict them to another realm for login and deny the others

 

Say bi...@foo.net has abused the foo.net realm now I need him solely on the 
beg.net and disallowing the other two realms. In other words reject him before 
if he trys to use the old realm again. In other words I want to allow only 
billy to use this one new realm and be rejected if he trys another realm.

 

This has to take place I figure in preproxy, cause my users file is 
authenticated minus the realm in proxy..

 

But as I said I have no idea on what to do to set this up..

 

I would not mind adding usernames to a file to be prechecked at preproxy and if 
user is and he is not using realm specified reject him , just not sure what to 
do or how..

 

Jeff

 

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system." 

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system." 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A 
Ok,  from what I see that won’t work..

 

If I rewrite a username in preproxy

Ie(bi...@foo.net) to bi...@beg.net then in proxy username is authed cause 
radius only looks at username with stripped realm

I need to watch for billy to login and if he uses any other realm besides 
bi...@beg.net then reject him before he even gets to the

Being authed by server, cause my server strips realm off and only sees the 
username

 

Rewriting the realm on the auth request for this user would allow him login no 
matter what

 

I think best approach would be to watch for any username named billy and if his 
realm does not match realm he is allowed from then

Reject access before he is sent for authentation and the realm has been 
stripped as it is suppose to be

 

Maybe I am wrong here do not know, but here is why I am trying to do this.

 

 

Jeff

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Jeff A
Sent: Saturday, February 13, 2010 1:54 PM
To: 'FreeRadius users mailing list'
Subject: RE: Allowing user from one realm but not another

 

So far no luck, but I will keep looking.

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:32 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

 

LOL, easy to do with FR. I was just getting the hang of it when I was pulled 
off to another project.

Check out the operators and unlang. Maybe there are some examples within the 
users file with similar replacement operations.

 

  _  

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: 'FreeRadius users mailing list'  
Sent: Sat Feb 13 10:17:42 2010
Subject: RE: Allowing user from one realm but not another 

Yes that would work not not sure how to implement this.  I have been trying to 
find a written example of someone who has done this

On the search engines but all I have accomplished is making myself confused

 

 

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:11 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

 

Assuming there are not duplicate names, can't you jus rewrite his auth request 
so its always the realm you want? Billy.* = Billy.beg

 

  _  

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 
To: freeradius-users@lists.freeradius.org 
 
Sent: Sat Feb 13 09:52:33 2010
Subject: Allowing user from one realm but not another 

Heres my issue and no idea exactly how to do this.

Trying to figure it out is making me more confused.

 

1st I use the usersfile for authentation 

 

I have three different realms users can login with

 

For examples they are (foo.net, bar.net, beg.net)

 

When users login from one of the realms from my two upstream providers they 
login as one of these realms

Then freeradius will strip the realm and auth the user

 

My delima is I have some users that abused a certain realm usage and I want to 
restrict them to another realm for login and deny the others

 

Say bi...@foo.net has abused the foo.net realm now I need him solely on the 
beg.net and disallowing the other two realms. In other words reject him before 
if he trys to use the old realm again. In other words I want to allow only 
billy to use this one new realm and be rejected if he trys another realm.

 

This has to take place I figure in preproxy, cause my users file is 
authenticated minus the realm in proxy..

 

But as I said I have no idea on what to do to set this up..

 

I would not mind adding usernames to a file to be prechecked at preproxy and if 
user is and he is not using realm specified reject him , just not sure what to 
do or how..

 

Jeff

 

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system." 

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email

Re: Allowing user from one realm but not another

2010-02-13 Thread Alan DeKok 
Jeff A wrote:
> I have three different realms users can login with
> 
> For examples they are (foo.net, bar.net, beg.net)

  Are all users valid on all realms?  If so, why?

> Say bi...@foo.net  has abused the foo.net realm
> now I need him solely on the beg.net and disallowing the other two
> realms. In other words reject him before if he trys to use the old realm
> again. In other words I want to allow only billy to use this one new
> realm and be rejected if he trys another realm.

  Then you need a rule specifically for that user.

> This has to take place I figure in preproxy, cause my users file is
> authenticated minus the realm in proxy..

  You can still access the "Realm" attribute in the "users" file:

bob Realm != "foo.net", Auth-Type := Reject

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A 
Because I was never sure how to keep em off the other realm.
They should all be stuck on realm I put em on

-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Sunday, February 14, 2010 2:43 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

Jeff A wrote:
> I have three different realms users can login with
> 
> For examples they are (foo.net, bar.net, beg.net)

  Are all users valid on all realms?  If so, why?

> Say bi...@foo.net <mailto:bi...@foo.net> has abused the foo.net realm
> now I need him solely on the beg.net and disallowing the other two
> realms. In other words reject him before if he trys to use the old realm
> again. In other words I want to allow only billy to use this one new
> realm and be rejected if he trys another realm.

  Then you need a rule specifically for that user.

> This has to take place I figure in preproxy, cause my users file is
> authenticated minus the realm in proxy..

  You can still access the "Realm" attribute in the "users" file:

bob Realm != "foo.net", Auth-Type := Reject

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing user from one realm but not another

2010-02-14 Thread Fajar A. Nugraha 
On Sun, Feb 14, 2010 at 6:18 PM, Jeff A  wrote:
> Because I was never sure how to keep em off the other realm.
> They should all be stuck on realm I put em on

I assume you want it for all users, instead of just one user?
It'd be a lot easier if you don't strip the realm. Any particular
reason why you do that?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A 
I strip the realm off cause backend billing that creates the users file is
rodopi, and
All users from that have no realm just the username


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, February 14, 2010 6:32 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

On Sun, Feb 14, 2010 at 6:18 PM, Jeff A  wrote:
> Because I was never sure how to keep em off the other realm.
> They should all be stuck on realm I put em on

I assume you want it for all users, instead of just one user?
It'd be a lot easier if you don't strip the realm. Any particular
reason why you do that?

-- 
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing user from one realm but not another

2010-02-14 Thread Fajar A. Nugraha 
On Sun, Feb 14, 2010 at 8:23 PM, Jeff A  wrote:
> I strip the realm off cause backend billing that creates the users file is
> rodopi, and

So how would you know which user is supposed to be in which realm if
the backend doesn't supply that?
If it were me, I'd modify the billing program to create users with
realm. Also, I'd use database backend to store users.

But hey, ultimately it's your choice. If you're fine with editing user
file then Alan's example should work.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A 
Your idea is best.
I think I will modify, but for a work around till I get a chance to get
everything turned around.
I will use Alan's example..

My question is this
Can his example contain more than one realm to reject between the quotes?

bob Realm != "foo.net", Auth-Type := Reject

Jeff




-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, February 14, 2010 9:04 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

On Sun, Feb 14, 2010 at 8:23 PM, Jeff A  wrote:
> I strip the realm off cause backend billing that creates the users file is
> rodopi, and

So how would you know which user is supposed to be in which realm if
the backend doesn't supply that?
If it were me, I'd modify the billing program to create users with
realm. Also, I'd use database backend to store users.

But hey, ultimately it's your choice. If you're fine with editing user
file then Alan's example should work.

-- 
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing user from one realm but not another

2010-02-14 Thread Chris 

On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

> Your idea is best.
> I think I will modify, but for a work around till I get a chance to get
> everything turned around.
> I will use Alan's example..
> 
> My question is this
> Can his example contain more than one realm to reject between the quotes?
> 
> bob   Realm != "foo.net", Auth-Type := Reject
> 

That's not the realm you're rejecting, but the one you're accepting, rejecting 
access if the username is "bob" and the realm is not equal to "foo.net."
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A 

Having problems getting access reject to work, seems like no matter what I
try it lets this test user on in every realm

I am using cistron compat to accommodate my userfile inputted by rodopi

dialuptest  Password = "secret"
Framed-Protocol = PPP,
Service-Type = Framed-User,
Session-Timeout = 14400,
Ascend-Data-Filter = "ip in forward tcp est",
Ascend-Data-Filter = "ip in forward dstip 0.0.0.0/24",
Ascend-Data-Filter = "ip in drop tcp dstport = 25",
Ascend-Data-Filter = "ip in forward",
Port-Limit = 1,
Realm = "foo.net", Auth-Type = Reject

I have tried adding the ! and : symbol in the above line (makes no
difference)
Still can login on all three realms

Also have tried the realm item as a check item, quote, and no options with
same results
If a check item its placed on same line as username etc but still no go as
below example

dialuptest  Password = "secret" Realm = "foo.net", Auth-Type =
Reject


Jeff


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Chris
Sent: Sunday, February 14, 2010 12:33 PM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another


On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

> Your idea is best.
> I think I will modify, but for a work around till I get a chance to get
> everything turned around.
> I will use Alan's example..
> 
> My question is this
> Can his example contain more than one realm to reject between the quotes?
> 
> bob   Realm != "foo.net", Auth-Type := Reject
> 

That's not the realm you're rejecting, but the one you're accepting,
rejecting access if the username is "bob" and the realm is not equal to
"foo.net."
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing user from one realm but not another

2010-02-15 Thread Alan DeKok 
Jeff A wrote:
> I am using cistron compat to accommodate my userfile inputted by rodopi

  I'd really suggest using the FreeRADIUS features.  Ask rodopi to fix
their product.

> I have tried adding the ! and : symbol in the above line (makes no
> difference)

  Uh... "I tried random things and they didn't work".

  That's not the way to solve the problem.  See "man users" for
*documentation* on how it works.

> Also have tried the realm item as a check item, quote, and no options with
> same results
> If a check item its placed on same line as username etc but still no go as
> below example
> 
> dialuptestPassword = "secret" Realm = "foo.net", Auth-Type =
> Reject

  That is wrong on a number of points.

  I think you're really not clear on how the "users" file works.  Read
the documentation for it, and then go back and read my earlier message.
 The line above does NOT match my message.  Therefore, it's wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-15 Thread Jeff A 
Ok, I figured I goofed something up. Been looking at this so long, I am
making big mistakes.


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Monday, February 15, 2010 3:15 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

Jeff A wrote:
> I am using cistron compat to accommodate my userfile inputted by rodopi

  I'd really suggest using the FreeRADIUS features.  Ask rodopi to fix
their product.

> I have tried adding the ! and : symbol in the above line (makes no
> difference)

  Uh... "I tried random things and they didn't work".

  That's not the way to solve the problem.  See "man users" for
*documentation* on how it works.

> Also have tried the realm item as a check item, quote, and no options with
> same results
> If a check item its placed on same line as username etc but still no go as
> below example
> 
> dialuptestPassword = "secret" Realm = "foo.net", Auth-Type =
> Reject

  That is wrong on a number of points.

  I think you're really not clear on how the "users" file works.  Read
the documentation for it, and then go back and read my earlier message.
 The line above does NOT match my message.  Therefore, it's wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Allowing user from one realm but not another

2010-02-15 Thread Jeff A 
Ok good news I got it to work..New day less tired and man what an idiot I
was.

I have a question though.

Freeradius can look at more than one user file, what is the syntax to allow
this to read another, and where do I place the entry for it

I am wanting to do this so I can convert to complete realm names for the
users, but since so many users with different realms
The process is going to take awhile, so I need for the program to see both
entries so there will be a match till the process is completed
I I would place them in the same file then they would be overwritten

Thanks
And
Thanks so much for the help on the realm issue

Jeff


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Monday, February 15, 2010 3:15 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

Jeff A wrote:
> I am using cistron compat to accommodate my userfile inputted by rodopi

  I'd really suggest using the FreeRADIUS features.  Ask rodopi to fix
their product.

> I have tried adding the ! and : symbol in the above line (makes no
> difference)

  Uh... "I tried random things and they didn't work".

  That's not the way to solve the problem.  See "man users" for
*documentation* on how it works.

> Also have tried the realm item as a check item, quote, and no options with
> same results
> If a check item its placed on same line as username etc but still no go as
> below example
> 
> dialuptestPassword = "secret" Realm = "foo.net", Auth-Type =
> Reject

  That is wrong on a number of points.

  I think you're really not clear on how the "users" file works.  Read
the documentation for it, and then go back and read my earlier message.
 The line above does NOT match my message.  Therefore, it's wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Allowing user from one realm but not another

2010-02-15 Thread Alan DeKok 
Jeff A wrote:
> Freeradius can look at more than one user file, what is the syntax to allow
> this to read another, and where do I place the entry for it

$ man users

  And also see the documentation at the top of the "users" file.

  Look for "include".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html