Re: (RADIATOR) Time check item in Authby UNIX
Hey Mike,

Worked like a charm by following your suggestion.

Thanks again!! Great product, Great support!! Congratulations!!

Rgds,

On Tue, 8 Jun 1999, Mike McCauley wrote:

> Date: Tue, 8 Jun 1999 11:00:10 -0500
> From: Mike McCauley <[EMAIL PROTECTED]>
> To: Jose Roberto Bulcao <[EMAIL PROTECTED]>, Mike McCauley <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Time check item in Authby UNIX
>
> On Jun 7, 9:03pm, Jose Roberto Bulcao wrote:
> > Subject: Re: (RADIATOR) Time check item in Authby UNIX
> >
> > Hi Mike,
> >
> > It seems the specific clause is working ok, but the auth packet is
> > being caught by the last DEFAULT clause. Here you are (debug level 4):
>
> Yes, it's clear that your clause is correctly rejecting based on the Time, but
> they are being accepted by a more liberal DEFAULT that follows it.
>
> So this is not a problem with the Time check item, but rather with the design
> of the users file.
>
> What do you really want to have happen? If you want users in group admfin to be
> rejected unless they are within the time band, you should add this after your
> existing admfin DEFAULT user:
>
> DEFAULT Auth-Type = System, Group = admfin, Auth-Type=Reject
>
> Hope that helps.
>
> Cheers.
Re: (RADIATOR) Time check item in Authby UNIX
Hi Mike,

It seems the specific clause is working ok, but the auth packet is being caught by the last DEFAULT clause. Here you are (debug level 4):

Tks,

Mon Jun 7 20:57:11 1999: DEBUG: Packet dump:
*** Received from 200.240.25.3 port 1645
Code: Access-Request
Identifier: 160
Authentic: l&<226><221><184><11>U#<229><181>~B<217><146><7>#
Attributes:
    NAS-IP-Address = 200.240.25.3
    NAS-Port = 18
    NAS-Port-Type = Virtual
    User-Name = "carmem"
    Calling-Station-Id = "200.240.25.17"
    User-Password = "<191>D/>|<113>b3<127><19><153><211><220>P<175><135>"

Mon Jun 7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun 7 20:57:11 1999: DEBUG: Rewrote user name to carmem
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthFILE
Mon Jun 7 20:57:11 1999: DEBUG: Reading users file /etc/radiator/users
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group poponly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group fwdonly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group fwdonly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group ftponly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group ftponly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT3
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group hponly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group hponly
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Time: not within an allowable Time range
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 7 20:57:11 1999: DEBUG: Access accepted for carmem
Mon Jun 7 20:57:12 1999: DEBUG: Packet dump:
*** Sending to 200.240.25.3 port 1645
Code: Access-Accept
Identifier: 160
Authentic: l&<226><221><184><11>U#<229><181>~B<217><146><7>#
Attributes:
    Framed-IP-Address = 255.255.255.254
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Routing = None
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP

On Tue, 8 Jun 1999, Mike McCauley wrote:

> Date: Tue, 8 Jun 1999 08:53:24 -0500
> From: Mike McCauley <[EMAIL PROTECTED]>
> To: Jose Roberto Bulcao <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Time check item in Authby UNIX
>
> Hello Jose,
>
> I have just tested your configuration and Time check item. Your configuration
> and users fi
(RADIATOR) Time check item in Authby UNIX
Does anybody know if there is a way to configure time based restriction ("Time" check item) for users authenticated via Authby UNIX or SYSTEM?

Using Radiator v.2.13.1 with latest patches, OS platform is IBM AIX v.4.1.5. The user in question has its group set to "admfin". By looking at the log (debug level of 5) Radiator seems to ignore "Time" check item, authenticating and authorizing the user any time of day.

TIA,

Here is our radius.cfg file (no secrets and renamed some files, paths):

# radius.cfg
#
# Configuration file for radius server
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 1997 Open System Consultants
# $Id: radius2.cfg,v 1.4 1998/03/06 04:43:37 mikem Exp $
#
#Foreground
#LogStdout
#Trace 9
AuthPort 1645
AcctPort 1646
LogDir <**OMITTED**>
DbDir <**OMITTED**>
LogFile %L/<**OMITTED**>
DictionaryFile %D/dictionary
Filename %L/<**OMITTED**>
Secret **OMITTED**
DefaultRealm **MYREALM**
RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueWhileAccept
Filename %D/MYUSERSFILE
MaxSessions 1
AcctLogFileName %L/%Y%m/detail-%d
Identifier System
Filename %D/MYPASSWDFILE
GroupFilename %D/MYGROUPFILE
# EOF radius.cfg

And here the relevant part of MYUSERSFILE:

# BOF MYUSERSFILE
DEFAULT Auth-Type = System, Group = poponly, Auth-Type = "Reject:Essa conta eh somente para E-mail"

DEFAULT Auth-Type = System, Group = fwdonly, Auth-Type = Reject
    Reply-Message = Esse eh POP

DEFAULT Auth-Type = System, Group = ftponly, Auth-Type = Reject
    Reply-Message = Esse eh POP

DEFAULT Auth-Type = System, Group = hponly, Auth-Type = Reject
    Reply-Message = "Acesso Proibido"

#
# Here is the clause in question
#
DEFAULT Auth-Type = System, Group = admfin, Time = "Al1200-1800"
    Service-Type = Login-User,
    Reply-Message = "Conectado!"

DEFAULT Auth-Type = System, Service-Type = Framed-User
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Auth-Type = System
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
# EOF MYUSERSFILE

--
Jose Roberto Bulcao - RioLink Internet
Tel: (021) 577-8899
e-mail : [EMAIL PROTECTED]

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
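The fall-through discussed in this thread, as an added example that is not part of the original posts and is not Radiator code: a simplified Python model of the DEFAULT entries in MYUSERSFILE, evaluated before and after the suggested reject entry. The entry dictionaries, the function names and the evaluation rule (a failed check item moves on to the next DEFAULT; password checking is not modelled) are assumptions made for illustration.

```python
import re
from datetime import time

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed model of the DEFAULT entries in MYUSERSFILE (check items only).
USERS_FILE = [
    {"Group": "poponly", "Reject": True},
    {"Group": "fwdonly", "Reject": True},
    {"Group": "ftponly", "Reject": True},
    {"Group": "hponly", "Reject": True},
    {"Group": "admfin", "Time": "Al1200-1800"},   # the clause in question
    {"Service-Type": "Framed-User"},
    {},                                           # final catch-all DEFAULT
]
# Same file with the suggested reject entry added after the admfin clause.
FIXED_FILE = USERS_FILE[:5] + [{"Group": "admfin", "Reject": True}] + USERS_FILE[5:]

def in_time_band(spec, now):
    """Handle only the form used in the thread: 'Al' (every day) + HHMM-HHMM."""
    m = re.fullmatch(r"Al(\d{2})(\d{2})-(\d{2})(\d{2})", spec)
    if not m:
        raise ValueError(f"unsupported Time spec: {spec!r}")
    h1, m1, h2, m2 = map(int, m.groups())
    return time(h1, m1) <= now <= time(h2, m2)  # inclusive ends are an assumption

def evaluate(entries, groups, now, service_type=None):
    """Try each DEFAULT in file order; return (result, index of deciding entry).
    Assumed model: a failed check item moves on to the next entry, and the
    first entry whose check items all match decides the outcome."""
    for index, entry in enumerate(entries):
        if "Group" in entry and entry["Group"] not in groups:
            continue
        if "Time" in entry and not in_time_band(entry["Time"], now):
            continue
        if "Service-Type" in entry and entry["Service-Type"] != service_type:
            continue
        return (REJECT if entry.get("Reject") else ACCEPT), index
    return REJECT, None

def accepted_hours(entries, groups):
    """Audit helper: hours (sampled at hh:30) at which the user is accepted."""
    return [h for h in range(24)
            if evaluate(entries, groups, time(h, 30))[0] == ACCEPT]

if __name__ == "__main__":
    evening = time(20, 57)  # time of the request in the debug log
    print(evaluate(USERS_FILE, {"admfin"}, evening))   # accepted by the catch-all
    print(evaluate(FIXED_FILE, {"admfin"}, evening))   # rejected by the new entry
    print(accepted_hours(FIXED_FILE, {"admfin"}))
```

Running `accepted_hours` over every group that is meant to be time-limited is a quick way to check that no later, more liberal entry re-admits those users outside their band.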
Re: (RADIATOR) Strangeness with CISCO nas'
Do this in general configuration mode on the Cisco

Do,

conf terminal
radius-server host auth-port 1812 acct-port 1813

On Fri, 26 Mar 1999, Stephen Ollis wrote:

> Date: Fri, 26 Mar 1999 14:16:42 +1100
> From: Stephen Ollis <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Strangeness with CISCO nas'
>
> This had me and another engineer absolutely confused..
>
> Why is the source port on the CISCO always 1645 and 1646 when
> I'm using 1812 and 1813??
>
>
> radius.cfg has ...
>
> #
> # Authport - where do we listen for AUTHENTICATION (per RFC2138)
> #
> AuthPort 1812
>
> #
> # Acctport - where do we listen for ACCOUNTING (per RFC2138)
> #
> AcctPort 1813
> -
> logfile shows (for CISCO nas)...
> -
> Fri Mar 26 14:11:41 1999: DEBUG: Packet dump:
> *** Received from x.x.x.x port 1646
> Code: Accounting-Request
> Identifier: 79
> Authentic: [}<216>i<187><25>/5<132><130><253>'<150><2>Y<160>
> Attributes:
>     NAS-IP-Address = x.x.x.x
>     NAS-Port = 1311440901
>     NAS-Port-Type = Async
>     User-Name = "notlikely"
>     Called-Station-Id = "x"
>     Acct-Status-Type = Start
>     Acct-Authentic = RADIUS
>     Service-Type = Framed-User
>     Acct-Session-Id = "000142B8"
>     Framed-Protocol = PPP
>     Acct-Delay-Time = 0
> -
> logfile shows (for NORTEL nas)...
> -
> Fri Mar 26 14:13:21 1999: DEBUG: Packet dump:
> *** Received from 202.10.4.131 port 1049
> Code: Accounting-Request
> Identifier: 167
> Authentic:
> <215><247>6P6<168><158><184><154><8>(<147><181><189><26><141>
> Attributes:
>     Acct-Status-Type = Modem-Start
>     Acct-Delay-Time = 1
>     Acct-Session-Id = "8b080a74"
>     NAS-Port = 11
>     NAS-Port-Type = Async
>     Calling-Station-Id = "296695426"
>     Called-Station-Id = "x"
>     NAS-IP-Address = x.x.x.x
>
> --
> Stephen Ollis <[EMAIL PROTECTED]> Ph: +61 2 9911 1606(BH)
> Team Leader, Server Systems - Network Engineering +61 2 9911 1555(FAX)
> AT&T EasyLink Services, Lvl 8, 15 Orion Rd, Lane Cove, NSW 2066
> Australia
> "Service to others is the rent you pay for room here on Earth" - M. Ali

--
Jose Roberto Bulcao - RioLink Internet
Tel: (021) 577-8899
e-mail : [EMAIL PROTECTED]