Re: (RADIATOR) Time check item in Authby UNIX

1999-06-07 Thread Jose Roberto Bulcao


Hey Mike,

Worked like a charm by following your suggestion.
Thanks again!! Great product, Great support!! Congratulations!!

Rgds,


On Tue, 8 Jun 1999, Mike McCauley wrote:

> Date: Tue, 8 Jun 1999 11:00:10 -0500
> From: Mike McCauley <[EMAIL PROTECTED]>
> To: Jose Roberto Bulcao <[EMAIL PROTECTED]>,
>  Mike McCauley <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Time check item in Authby UNIX
> 
> On Jun 7,  9:03pm, Jose Roberto Bulcao wrote:
> > Subject: Re: (RADIATOR) Time check item in Authby UNIX
> >
> > Hi Mike,
> >
> > It seems the specific clause is working ok, but the auth packet is
> > being caught by the last DEFAULT clause. Here you are (debug level 4):
> 
> Yes, it's clear that your clause is correctly rejecting based on the Time, but
> they are being accepted by a more liberal DEFAULT that follows it.
> 
> So this is not a problem with the Time check item, but rather with the design
> of the users file.
> 
> What do you really want to have happen? If you want users in group admfin to be
> rejected unless they are within the time band, you should add this after your
> existing admfin DEFAULT user:
> 
> DEFAULT   Auth-Type = System, Group = admfin, Auth-Type=Reject
> 
> Hope that helps.
> 
> Cheers.
> 

Re: (RADIATOR) Time check item in Authby UNIX

1999-06-07 Thread Jose Roberto Bulcao


Hi Mike,

It seems the specific clause is working ok, but the auth packet is
being caught by the last DEFAULT clause. Here you are (debug level 4):

Tks,

Mon Jun  7 20:57:11 1999: DEBUG: Packet dump:
*** Received from 200.240.25.3 port 1645 
Code:   Access-Request
Identifier: 160
Authentic:  l&<226><221><184><11>U#<229><181>~B<217><146><7>#
Attributes:
NAS-IP-Address = 200.240.25.3
NAS-Port = 18
NAS-Port-Type = Virtual
User-Name = "carmem"
Calling-Station-Id = "200.240.25.17"
User-Password = "<191>D/>|<113>b3<127><19><153><211><220>P<175><135>"

Mon Jun  7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun  7 20:57:11 1999: DEBUG: Rewrote user name to carmem
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthFILE
Mon Jun  7 20:57:11 1999: DEBUG: Reading users file /etc/radiator/users
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group poponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group fwdonly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group fwdonly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group ftponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group ftponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT3
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group hponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group hponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Time: not within an allowable Time range
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
Mon Jun  7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthUNIX ACCEPT: 
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT: 
Mon Jun  7 20:57:11 1999: DEBUG: Access accepted for carmem
Mon Jun  7 20:57:12 1999: DEBUG: Packet dump:
*** Sending to 200.240.25.3 port 1645 
Code:   Access-Accept
Identifier: 160
Authentic:  l&<226><221><184><11>U#<229><181>~B<217><146><7>#
Attributes:
Framed-IP-Address = 255.255.255.254
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP



On Tue, 8 Jun 1999, Mike McCauley wrote:

> Date: Tue, 8 Jun 1999 08:53:24 -0500
> From: Mike McCauley <[EMAIL PROTECTED]>
> To: Jose Roberto Bulcao <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Time check item in Authby UNIX
> 
> Hello Jose,
> 
> I have just tested your configuration and Time check item. Your configuration
> and users fi
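
An added example, not part of the original messages and not Radiator code: a small Python audit of the trace format shown above that reports requests where one users-file entry rejected on the Time check item but a later DEFAULT still accepted. The function names are hypothetical, and the second request in the sample (user "maria") is constructed.

```python
import re

# Trace abridged from the debug output in this thread (wrapped lines re-joined);
# the second request (user "maria") is constructed for contrast.
SAMPLE = """\
Mon Jun  7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
Mon Jun  7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun  7 20:57:11 1999: DEBUG: Access accepted for carmem
Mon Jun  7 20:58:02 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun  7 20:58:02 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
Mon Jun  7 20:58:02 1999: DEBUG: Radius::AuthFILE REJECT: User maria is not in Group admfin
Mon Jun  7 20:58:02 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
Mon Jun  7 20:58:02 1999: DEBUG: Access accepted for maria
"""

START = "DEBUG: Handling request with Handler"
LOOK = re.compile(r"DEBUG: Radius::AuthFILE looks for match with (\S+)")
REJECT = re.compile(r"DEBUG: Radius::AuthFILE REJECT: (.*)")
ACCEPTED = re.compile(r"DEBUG: Access accepted for (\S+)")

def trace_requests(lines):
    """Yield one dict per accepted request: user, accepting entry, earlier rejects."""
    entry, rejects = None, []
    for line in lines:
        if START in line:                      # a new request begins
            entry, rejects = None, []
        elif m := LOOK.search(line):           # users-file entry now being tried
            entry = m.group(1)
        elif m := REJECT.search(line):         # that entry rejected; keep the reason
            rejects.append((entry, m.group(1).strip()))
        elif m := ACCEPTED.search(line):       # final outcome for the request
            yield {"user": m.group(1), "accepted_by": entry, "rejects": rejects}
            entry, rejects = None, []

def restriction_bypasses(lines, marker="Time:"):
    """Accepted requests where an earlier entry had rejected on `marker`."""
    hits = []
    for req in trace_requests(lines):
        blocked = [e for e, reason in req["rejects"] if reason.startswith(marker)]
        if blocked:
            hits.append((req["user"], blocked[0], req["accepted_by"]))
    return hits
```

Run over the sample, `restriction_bypasses(SAMPLE.splitlines())` reports carmem as rejected by DEFAULT4 on Time and then accepted by DEFAULT6, while the group-only reject for maria is not flagged.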

(RADIATOR) Time check item in Authby UNIX

1999-06-07 Thread Jose Roberto Bulcao



Does anybody know if there is a way to configure time based restriction
("Time" check item) for users authenticated via Authby UNIX or SYSTEM?
Using Radiator v.2.13.1 with latest patches, OS platform is IBM AIX
v.4.1.5.
The user in question has its group set to "admfin". By looking at the log
(debug level of 5) Radiator seems to ignore "Time" check item,
authenticating and authorizing the user any time of day.

TIA,

Here is our radius.cfg file (no secrets and renamed some files, paths):

# radius.cfg
#
# Configuration file for radius server
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 1997 Open System Consultants
# $Id: radius2.cfg,v 1.4 1998/03/06 04:43:37 mikem Exp $
#
#Foreground
#LogStdout
#Trace 9
AuthPort 1645
AcctPort 1646
LogDir  <**OMITTED**>
DbDir   <**OMITTED**>
LogFile %L/<**OMITTED**>
DictionaryFile  %D/dictionary


Filename %L/<**OMITTED**>



Secret **OMITTED**
DefaultRealm **MYREALM**
   


RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueWhileAccept

Filename %D/MYUSERSFILE

MaxSessions 1
AcctLogFileName %L/%Y%m/detail-%d




Identifier System
Filename %D/MYPASSWDFILE
GroupFilename %D/MYGROUPFILE



# EOF radius.cfg 


And here the relevant part of MYUSERSFILE:

# BOF MYUSERSFILE

DEFAULT Auth-Type = System, Group = poponly, Auth-Type = "Reject:Essa conta eh somente para E-mail"

DEFAULT Auth-Type = System, Group = fwdonly, Auth-Type = Reject
        Reply-Message = Esse eh POP

DEFAULT Auth-Type = System, Group = ftponly, Auth-Type = Reject
        Reply-Message = Esse eh POP

DEFAULT Auth-Type = System, Group = hponly, Auth-Type = Reject
        Reply-Message = "Acesso Proibido"

#
# Here is the clause in question
#
DEFAULT Auth-Type = System, Group = admfin, Time = "Al1200-1800"
        Service-Type = Login-User,
        Reply-Message = "Conectado!"

DEFAULT Auth-Type = System, Service-Type = Framed-User
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP


# EOF MYUSERSFILE

--
Jose Roberto Bulcao - RioLink Internet
Tel: (021) 577-8899
e-mail : [EMAIL PROTECTED]


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Strangeness with CISCO nas'

1999-03-26 Thread Jose Roberto Bulcao


Do this in general configuration mode on the Cisco:

conf terminal
radius-server host  auth-port 1812 acct-port 1813


On Fri, 26 Mar 1999, Stephen Ollis wrote:

> Date: Fri, 26 Mar 1999 14:16:42 +1100
> From: Stephen Ollis <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Strangeness with CISCO nas'
> 
> This had me and another engineer absolutely confused..
> 
> Why is the source port on the CISCO always 1645 and 1646 when
> I'm using 1812 and 1813??
> 
> 
> radius.cfg has ...
> 
> #
> # Authport - where do we listen for AUTHENTICATION (per RFC2138)
> #
> AuthPort 1812 
> 
> #
> # Acctport - where do we listen for ACCOUNTING (per RFC2138)
> #
> AcctPort 1813
> -
> logfile shows (for CISCO nas)...
> -
> Fri Mar 26 14:11:41 1999: DEBUG: Packet dump:
> *** Received from x.x.x.x port 1646 
> Code:   Accounting-Request
> Identifier: 79
> Authentic:  [}<216>i<187><25>/5<132><130><253>'<150><2>Y<160>
> Attributes:
> NAS-IP-Address = x.x.x.x
> NAS-Port = 1311440901
> NAS-Port-Type = Async
> User-Name = "notlikely"
> Called-Station-Id = "x"
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Service-Type = Framed-User
> Acct-Session-Id = "000142B8"
> Framed-Protocol = PPP
> Acct-Delay-Time = 0
> -
> logfile shows (for NORTEL nas)...
> -
> Fri Mar 26 14:13:21 1999: DEBUG: Packet dump:
> *** Received from 202.10.4.131 port 1049 
> Code:   Accounting-Request
> Identifier: 167
> Authentic:
> <215><247>6P6<168><158><184><154><8>(<147><181><189><26><141>
> Attributes:
> Acct-Status-Type = Modem-Start
> Acct-Delay-Time = 1
> Acct-Session-Id = "8b080a74"
> NAS-Port = 11
> NAS-Port-Type = Async
> Calling-Station-Id = "296695426"
> Called-Station-Id = "x"
> NAS-IP-Address = x.x.x.x
> 
> --
> Stephen Ollis <[EMAIL PROTECTED]>   Ph: +61 2 9911 1606(BH)  
> Team Leader, Server Systems - Network Engineering  +61 2 9911 1555(FAX)
> AT&T EasyLink Services, Lvl 8, 15 Orion Rd, Lane Cove, NSW 2066
> Australia
> "Service to others is the rent you pay for room here on Earth" - M. Ali
>  
> 

--
Jose Roberto Bulcao - RioLink Internet
Tel: (021) 577-8899
e-mail : [EMAIL PROTECTED]

