RE: (RADIATOR) Users Blacklists

2002-10-16 Thread Rolando Riley

Just as a feedback:

  I did several tests and found out that Idle-Timeout didn't work
though Session-Timeout did work.  NAS type Hyper  3 COMM .

thanks for the hint.



cheers,

R. Riley



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
Sent: Tuesday, October 15, 2002 9:11 AM
To: Rolando Riley
CC: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Users Blacklists



Hello Rolando -

You can add both Session-Timeout and Idle-Timeout in the AuthBy GROUP:

<AuthBy GROUP>
    Identifier DoAuthentication
    .
    AddToReply Session-Timeout = 10800, \
        Idle-Timeout = 3600
</AuthBy>

Note that the actual disconnection is performed by the NAS, which must
support these attributes.

regards

Hugh



 

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) Users Blacklists

2002-10-15 Thread Rolando Riley


Sorry to skip that one  =((  . Hugh .. one last question: on which of those
AuthBy should I add the line:
   AddToReply Session-Timeout = 10800


to have a user disconnected after a 3 hour session?


Hugh...  Does Radiator have an idle timeout?  I wish to disconnect a
connection that has been idling for 1 hour.


cheers,


R. Riley





-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 12:12 AM
To: Rolando Riley
Subject: Re: (RADIATOR) Users Blacklists



Hello Rolando -

Thanks for sending the files.

You have incorrectly specified AuthColumnDef instead of
AcctColumnDef in your AuthBy SQL clause for accounting.

regards

Hugh


On Tuesday, October 15, 2002, at 07:10 AM, Rolando Riley wrote:

 Hugh:
   The configuration is not giving me any error but it is not
 Logging
 anything on the ACCOUNTING table.


 I am attaching my radius.cfg (radius.txt) and a trace debug 4 of the
 radius.
 What could be wrong?


 cheers,


 R. Riley


 -----Original Message-----
 From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, September 28, 2002 7:55 PM
 To: Rolando Riley
 CC: [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 You should do something like this:

 # define AuthBy clauses

 <AuthBy SQL>
     Identifier DoSQLAccounting
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect
     AccountingTable ACCOUNTING
     AcctColumnDef .
     ..
 </AuthBy>

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AuthColumnDef 0, GENERIC, check
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename %D/Check-Users
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>

 <AuthBy GROUP>
     Identifier DoAuthentication
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
 </AuthBy>

 # define Realms

 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueAlways
     AuthBy DoSQLAccounting
     AuthBy DoAuthentication
     AcctLogFileName %L/detailu
 </Realm>


 regards

 Hugh


 On Saturday, September 28, 2002, at 07:45 AM, Rolando Riley wrote:

 Hi Hugh:

  Sometime ago I posted this email but I am getting tired of
 processing
 big flat logs for reports.  What should I have to add to my cfg to
 have the
 ACCOUNTING going to the ACCOUNTING table and hence use radcgi and
 radwho for
 reports?

 regards,

 Rolando


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
 Sent: Wednesday, June 12, 2002 6:14 PM
 To: Rolando Riley; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 You are close, but not quite there.

 Here is what to do:

 # Check-Users file
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT Auth-Type = VE_blacklist

 DEFAULT Auth-Type = Accept


 Your BLACKLIST SQL table should contain this:

 USERNAME     REJECT

 someuser     Auth-Type = Reject: This user is on the BLACKLIST

 anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AuthColumnDef 0, GENERIC, check
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename %D/Check-Users
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>


 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
     AcctLogFileName %L/detailu
 </Realm>


 Please let me know how you get on.

 regards

 Hugh


 On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
 Hi Hugh:

 Well this time I want to configure a users blacklist and what I want
 to
 do
 is simple:
 1) Everytime I have a request this list (BLACKLIST

Re: (RADIATOR) Users Blacklists

2002-10-15 Thread Hugh Irvine


Hello Rolando -

You can add both Session-Timeout and Idle-Timeout in the AuthBy GROUP:

<AuthBy GROUP>
    Identifier DoAuthentication
    .
    AddToReply Session-Timeout = 10800, \
        Idle-Timeout = 3600
</AuthBy>

Note that the actual disconnection is performed by the NAS, which must 
support these attributes.

regards

Hugh


On Tuesday, October 15, 2002, at 11:59 PM, Rolando Riley wrote:


 Sorry to skip that one  =((  . Hugh .. one last question: on which of
 those AuthBy should I add the line:
    AddToReply Session-Timeout = 10800


 to have a user disconnected after a 3 hour session?


 Hugh...  Does Radiator have an idle timeout?  I wish to disconnect a
 connection that has been idling for 1 hour.


 cheers,


 R. Riley





 -----Original Message-----
 From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 15, 2002 12:12 AM
 To: Rolando Riley
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 Thanks for sending the files.

 You have incorrectly specified AuthColumnDef instead of
 AcctColumnDef in your AuthBy SQL clause for accounting.

 regards

 Hugh


 On Tuesday, October 15, 2002, at 07:10 AM, Rolando Riley wrote:

 Hugh:
   The configuration is not giving me any error but it is not
 Logging
 anything on the ACCOUNTING table.


 I am attaching my radius.cfg (radius.txt) and a trace debug 4 of the
 radius.
 What could be wrong?


 cheers,


 R. Riley


 -----Original Message-----
 From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, September 28, 2002 7:55 PM
 To: Rolando Riley
 CC: [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 You should do something like this:

 # define AuthBy clauses

 <AuthBy SQL>
     Identifier DoSQLAccounting
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect
     AccountingTable ACCOUNTING
     AcctColumnDef .
     ..
 </AuthBy>

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AuthColumnDef 0, GENERIC, check
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename %D/Check-Users
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>

 <AuthBy GROUP>
     Identifier DoAuthentication
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
 </AuthBy>

 # define Realms

 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueAlways
     AuthBy DoSQLAccounting
     AuthBy DoAuthentication
     AcctLogFileName %L/detailu
 </Realm>


 regards

 Hugh


 On Saturday, September 28, 2002, at 07:45 AM, Rolando Riley wrote:

 Hi Hugh:

  Sometime ago I posted this email but I am getting tired of
 processing
 big flat logs for reports.  What should I have to add to my cfg to
 have the
 ACCOUNTING going to the ACCOUNTING table and hence use radcgi and
 radwho for
 reports?

 regards,

 Rolando


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
 Sent: Wednesday, June 12, 2002 6:14 PM
 To: Rolando Riley; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 You are close, but not quite there.

 Here is what to do:

 # Check-Users file
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT Auth-Type = VE_blacklist

 DEFAULT Auth-Type = Accept


 Your BLACKLIST SQL table should contain this:

 USERNAME     REJECT

 someuser     Auth-Type = Reject: This user is on the BLACKLIST

 anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AuthColumnDef 0, GENERIC, check
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename %D/Check-Users
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>


 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1

Re: (RADIATOR) Users Blacklists

2002-09-28 Thread Hugh Irvine


Hello Rolando -

You should do something like this:

# define AuthBy clauses

<AuthBy SQL>
    Identifier DoSQLAccounting
    DBSource ..
    DBUsername ..
    DBAuth ..
    AuthSelect
    AccountingTable ACCOUNTING
    AcctColumnDef .
    ..
</AuthBy>

<AuthBy SQL>
    Identifier VE_blacklist
    DBSource ..
    DBUsername ..
    DBAuth ..
    AuthSelect select REJECT from BLACKLIST \
        where USERNAME='%n'
    AuthColumnDef 0, GENERIC, check
    AccountingTable
</AuthBy>

<AuthBy FILE>
    Identifier CheckUSERS
    Filename %D/Check-Users
</AuthBy>

<AuthBy LDAP2>
    Identifier CheckLDAP
    Host ..
    AuthDN ..
    AuthPassword ..
    BaseDN ..
    UsernameAttr uid
    PasswordAttr userPassword
</AuthBy>

<AuthBy GROUP>
    Identifier DoAuthentication
    AuthByPolicy ContinueWhileAccept
    AuthBy CheckUSERS
    AuthBy CheckLDAP
</AuthBy>

# define Realms

<Realm>
    UsernameCharset a-zA-Z0-9\._@-
    MaxSessions 1
    RewriteUsername tr/A-Z/a-z/
    AuthByPolicy ContinueAlways
    AuthBy DoSQLAccounting
    AuthBy DoAuthentication
    AcctLogFileName %L/detailu
</Realm>


regards

Hugh


On Saturday, September 28, 2002, at 07:45 AM, Rolando Riley wrote:

 Hi Hugh:

  Sometime ago I posted this email but I am getting tired of 
 processing
 big flat logs for reports.  What should I have to add to my cfg to 
 have the
 ACCOUNTING going to the ACCOUNTING table and hence use radcgi and 
 radwho for
 reports?

 regards,

 Rolando


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
 Sent: Wednesday, June 12, 2002 6:14 PM
 To: Rolando Riley; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 You are close, but not quite there.

 Here is what to do:

 # Check-Users file
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT Auth-Type = VE_blacklist

 DEFAULT Auth-Type = Accept


 Your BLACKLIST SQL table should contain this:

 USERNAME     REJECT

 someuser     Auth-Type = Reject: This user is on the BLACKLIST

 anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AuthColumnDef 0, GENERIC, check
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename %D/Check-Users
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>


 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
     AcctLogFileName %L/detailu
 </Realm>


 Please let me know how you get on.

 regards

 Hugh


 On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
 Hi Hugh:

  Well this time I want to configure a users blacklist and what I want 
 to
 do
 is simple:
  1) Everytime I have a request this list (BLACKLIST) will be checked. 
 If
 the user is found the request is Rejected.
 NO further queries should be performed after the user is
 rejected.
  2) If the  user isn't found then the authentication should be done
 against
 LDAP uid and userPassword attributes.

  I have searched the mailing lists and have found something very 
 similar
 that was done against calling stations id.  For some reason the 
 user,
 although it is being found on the BLACKLIST, radiator continue the
 searching and auth process over LDAP.  What could I have been doing 
 wrong?





 Here is the output of Check-Users file
 -
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT  Auth-Type = VE_blacklist



 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename  %D/Check-Users
 #   NoDefaultIfFound
     AcceptIfMissing
 </AuthBy>

 <AuthBy LDAP2>
     Identifier

RE: (RADIATOR) Users Blacklists

2002-09-27 Thread Rolando Riley

Hi Hugh:

 Sometime ago I posted this email but I am getting tired of processing
big flat logs for reports.  What should I have to add to my cfg to have the
ACCOUNTING going to the ACCOUNTING table and hence use radcgi and radwho for
reports?

regards,

Rolando


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
Sent: Wednesday, June 12, 2002 6:14 PM
To: Rolando Riley; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Users Blacklists



Hello Rolando -

You are close, but not quite there.

Here is what to do:

# Check-Users file
# DEFAULT entry to check the BLACKLIST table

DEFAULT Auth-Type = VE_blacklist

DEFAULT Auth-Type = Accept


Your BLACKLIST SQL table should contain this:

USERNAME     REJECT

someuser     Auth-Type = Reject: This user is on the BLACKLIST

anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


Here is a snippet of my radius.cfg

--

<AuthBy SQL>
    Identifier VE_blacklist
    DBSource ..
    DBUsername ..
    DBAuth ..
    AuthSelect select REJECT from BLACKLIST \
        where USERNAME='%n'
    AuthColumnDef 0, GENERIC, check
    AccountingTable
</AuthBy>

<AuthBy FILE>
    Identifier CheckUSERS
    Filename %D/Check-Users
</AuthBy>

<AuthBy LDAP2>
    Identifier CheckLDAP
    Host ..
    AuthDN ..
    AuthPassword ..
    BaseDN ..
    UsernameAttr uid
    PasswordAttr userPassword
</AuthBy>


<Realm>
    UsernameCharset a-zA-Z0-9\._@-
    MaxSessions 1
    RewriteUsername tr/A-Z/a-z/
    AuthByPolicy ContinueWhileAccept
    AuthBy CheckUSERS
    AuthBy CheckLDAP
    AcctLogFileName %L/detailu
</Realm>


Please let me know how you get on.

regards

Hugh


On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
 Hi Hugh:

   Well this time I want to configure a users blacklist and what I want to
 do is simple:
   1) Every time I have a request this list (BLACKLIST) will be checked. If
 the user is found the request is Rejected.
 NO further queries should be performed after the user is
 rejected.
   2) If the  user isn't found then the authentication should be done
 against LDAP uid and userPassword attributes.

   I have searched the mailing lists and have found something very similar
 that was done against calling stations id.  For some reason, although the
 user is being found on the BLACKLIST, Radiator continues the
 searching and auth process over LDAP.  What could I have been doing wrong?





 Here is the output of Check-Users file
 -
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT   Auth-Type = VE_blacklist



 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename   %D/Check-Users
 #   NoDefaultIfFound
     AcceptIfMissing
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>


 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
     AcctLogFileName %L/detailu
 </Realm>

 --


 Here is a trace debug 4 of a test:


 -
 Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
 Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
 Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
 Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL: VE_blacklist
 Wed Jun 12 04:57:24 2002: DEBUG: Query is: select REJECT from BLACKLIST where USERNAME='rriley'
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with rriley
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
 Wed Jun 12 04:57:24 2002: DEBUG: Query is: select REJECT from BLACKLIST where USERNAME='DEFAULT'
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
 Wed Jun 12 04:57:24 2002: DEBUG: Handling

Re: (RADIATOR) Users Blacklists

2002-06-13 Thread Hugh Irvine


Hello Wilco -

No I don't think that what you show below will work.

You need the AuthColumnDef so that Radiator will do all the right things 
internally to reject the request and so on.

regards

Hugh


On Thu, 13 Jun 2002 17:45, wilco heinneman wrote:
 Hi *,


 Also close, but not quite there ;-)

 All of this are only my thoughts, but you Hugh are the expert.


 In the select statement of Hugh, you should forget about the quotes
 around REJECT:

 AuthSelect select REJECT from BLACKLIST \
 where USERNAME='%n'


 or do it like Rolando and leave the quotes:

 AuthSelect select REJECT: This user is on the BLACKLIST from \
BLACKLIST where USERNAME='%n'

 Then you need only one column in the table BLACKLIST:

 USERNAME
 someuser
 anotheruser



 If all of this is right, I could make a check I need:

 AuthSelect select REJECT: You should choose channel one from \
 RADONLINE_CHANNEL1 where count(*) < 10


 This should do the following :
 You cannot get Authorized on other Channels if the amount of users on
 Channel 1 is less than 10.

 Hugh Irvine wrote:
  Hello Rolando -
 
  You are close, but not quite there.
 
  Here is what to do:
 
  # Check-Users file
  # DEFAULT entry to check the BLACKLIST table

  DEFAULT Auth-Type = VE_blacklist

  DEFAULT Auth-Type = Accept


  Your BLACKLIST SQL table should contain this:

  USERNAME     REJECT

  someuser     Auth-Type = Reject: This user is on the BLACKLIST

  anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


  Here is a snippet of my radius.cfg

  --

  <AuthBy SQL>
      Identifier VE_blacklist
      DBSource ..
      DBUsername ..
      DBAuth ..
      AuthSelect select REJECT from BLACKLIST \
          where USERNAME='%n'
      AuthColumnDef 0, GENERIC, check
      AccountingTable
  </AuthBy>

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



RE: (RADIATOR) Users Blacklists

2002-06-13 Thread Rolando Riley

Looking good so far !!! .  Just one observation though;

AuthSelect select "REJECT" from BLACKLIST \
   where USERNAME='%n'

I had to remove the double quotes on REJECT  to make it work like this:

AuthSelect select REJECT from BLACKLIST \
   where USERNAME='%n'

What happened is that MySQL used REJECT as a constant and not as a field.
Hence that query returned
just  REJECT, giving the error Bad attribute=value pair



cheers,

R. Riley




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
Sent: Wednesday, June 12, 2002 6:14 PM
To: Rolando Riley; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Users Blacklists



Hello Rolando -

You are close, but not quite there.

Here is what to do:

# Check-Users file
# DEFAULT entry to check the BLACKLIST table

DEFAULT Auth-Type = VE_blacklist

DEFAULT Auth-Type = Accept


Your BLACKLIST SQL table should contain this:

USERNAME     REJECT

someuser     Auth-Type = Reject: This user is on the BLACKLIST

anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


Here is a snippet of my radius.cfg

--

<AuthBy SQL>
    Identifier VE_blacklist
    DBSource ..
    DBUsername ..
    DBAuth ..
    AuthSelect select REJECT from BLACKLIST \
        where USERNAME='%n'
    AuthColumnDef 0, GENERIC, check
    AccountingTable
</AuthBy>

<AuthBy FILE>
    Identifier CheckUSERS
    Filename %D/Check-Users
</AuthBy>

<AuthBy LDAP2>
    Identifier CheckLDAP
    Host ..
    AuthDN ..
    AuthPassword ..
    BaseDN ..
    UsernameAttr uid
    PasswordAttr userPassword
</AuthBy>


<Realm>
    UsernameCharset a-zA-Z0-9\._@-
    MaxSessions 1
    RewriteUsername tr/A-Z/a-z/
    AuthByPolicy ContinueWhileAccept
    AuthBy CheckUSERS
    AuthBy CheckLDAP
    AcctLogFileName %L/detailu
</Realm>


Please let me know how you get on.

regards

Hugh


On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
 Hi Hugh:

   Well this time I want to configure a users blacklist and what I want to
 do is simple:
   1) Every time I have a request this list (BLACKLIST) will be checked. If
 the user is found the request is Rejected.
 NO further queries should be performed after the user is
 rejected.
   2) If the  user isn't found then the authentication should be done
 against LDAP uid and userPassword attributes.

   I have searched the mailing lists and have found something very similar
 that was done against calling stations id.  For some reason, although the
 user is being found on the BLACKLIST, Radiator continues the
 searching and auth process over LDAP.  What could I have been doing wrong?





 Here is the output of Check-Users file
 -
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT   Auth-Type = VE_blacklist



 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename   %D/Check-Users
 #   NoDefaultIfFound
     AcceptIfMissing
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>


 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
     AcctLogFileName %L/detailu
 </Realm>

 --


 Here is a trace debug 4 of a test:


 -
 Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
 ACCTSE SSIONID, FRAMEDIPADDRESS from RADONLINE where
 USERNAME='rriley'
 Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE:
CheckUSERS
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with
 rriley
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with
 DEFAULT
 Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
 Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL:
 VE_blacklist Wed Jun 12 04:57:24 2002: DEBUG: Query is: select REJECT
 from BLACKLIST where USERNAME='rriley'
 Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL looks for match with
 rriley Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthSQL REJECT: Bad
 Password Wed
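
The quoting behaviour Rolando reports in the message above, as an added MySQL example that is not part of the original thread: under the default sql_mode a double-quoted token in the select list is a string constant, not a column name. The table follows the BLACKLIST layout described in the thread; the column types and sizes are assumptions.

```sql
-- Constructed sample table; column types and sizes are assumptions.
CREATE TABLE BLACKLIST (
    USERNAME VARCHAR(64)  NOT NULL PRIMARY KEY,
    REJECT   VARCHAR(255) NOT NULL
);

INSERT INTO BLACKLIST (USERNAME, REJECT) VALUES
    ('someuser',    'Auth-Type = Reject: This user is on the BLACKLIST'),
    ('anotheruser', 'Auth-Type = Reject: This user is on the BLACKLIST');

-- Default sql_mode: "REJECT" is a string constant, so for a listed user the
-- query yields the bare word REJECT rather than the stored check item. This
-- is the form Rolando reports as ending in "Bad attribute=value pair".
SELECT "REJECT" FROM BLACKLIST WHERE USERNAME = 'someuser';

-- Unquoted: REJECT resolves to the column, so the stored
-- "Auth-Type = Reject: ..." text is what the AuthSelect query hands back.
SELECT REJECT FROM BLACKLIST WHERE USERNAME = 'someuser';

-- Backticks always delimit an identifier in MySQL, whatever the sql_mode.
SELECT `REJECT` FROM BLACKLIST WHERE USERNAME = 'someuser';

-- With ANSI_QUOTES enabled, double quotes delimit identifiers instead, so
-- the same text that produced a constant above now reads the column.
SET SESSION sql_mode = 'ANSI_QUOTES';
SELECT "REJECT" FROM BLACKLIST WHERE USERNAME = 'someuser';

-- A user who is not on the list matches no row in any of these forms.
SELECT REJECT FROM BLACKLIST WHERE USERNAME = 'notlisted';
```

Because the meaning of double quotes depends on the server's sql_mode, the unquoted or backtick form keeps the AuthSelect query independent of that setting.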

Re: (RADIATOR) Users Blacklists

2002-06-13 Thread Hugh Irvine


Hi Rolando -

Sorry about that - I just cut and pasted your original text and I missed the 
quotes - my apologies.

regards

Hugh


On Fri, 14 Jun 2002 07:53, Rolando Riley wrote:
 Looking good so far !!! .  Just one observation though;

 AuthSelect select "REJECT" from BLACKLIST \
    where USERNAME='%n'

 I had to remove the double quotes on REJECT  to make it work like this:

 AuthSelect select REJECT from BLACKLIST \
    where USERNAME='%n'

 What happened is that MySQL used REJECT as a constant and not as a field.
 Hence that query returned
 just  REJECT, giving the error Bad attribute=value pair



 cheers,

 R. Riley




 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Hugh Irvine
 Sent: Wednesday, June 12, 2002 6:14 PM
 To: Rolando Riley; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Users Blacklists



 Hello Rolando -

 You are close, but not quite there.

 Here is what to do:

 # Check-Users file
 # DEFAULT entry to check the BLACKLIST table

 DEFAULT Auth-Type = VE_blacklist

 DEFAULT Auth-Type = Accept


 Your BLACKLIST SQL table should contain this:

 USERNAME     REJECT

 someuser     Auth-Type = Reject: This user is on the BLACKLIST

 anotheruser  Auth-Type = Reject: This user is on the BLACKLIST


 Here is a snippet of my radius.cfg

 --

 <AuthBy SQL>
     Identifier VE_blacklist
     DBSource ..
     DBUsername ..
     DBAuth ..
     AuthSelect select REJECT from BLACKLIST \
         where USERNAME='%n'
     AuthColumnDef 0, GENERIC, check
     AccountingTable
 </AuthBy>

 <AuthBy FILE>
     Identifier CheckUSERS
     Filename %D/Check-Users
 </AuthBy>

 <AuthBy LDAP2>
     Identifier CheckLDAP
     Host ..
     AuthDN ..
     AuthPassword ..
     BaseDN ..
     UsernameAttr uid
     PasswordAttr userPassword
 </AuthBy>


 <Realm>
     UsernameCharset a-zA-Z0-9\._@-
     MaxSessions 1
     RewriteUsername tr/A-Z/a-z/
     AuthByPolicy ContinueWhileAccept
     AuthBy CheckUSERS
     AuthBy CheckLDAP
     AcctLogFileName %L/detailu
 </Realm>


 Please let me know how you get on.

 regards

 Hugh

 On Thu, 13 Jun 2002 04:52, Rolando Riley wrote:
  Hi Hugh:
 
  Well this time I want to configure a users blacklist and what I want to

 do

  is simple:
  1) Everytime I have a request this list (BLACKLIST) will be checked. If
  the user is found the request is Rejected.
  NO further queries should be performed after the user is
  rejected.
  2) If the  user isn't found then the authentication should be done

 against

  LDAP uid and userPassword attributes.
 
  I have searched the mailing lists and have found something very similar
  that was done against calling stations id.  For some reason the user,
  although it is being found on the BLACKLIST, radiator continue the
  searching and auth process over LDAP.  What could I have been doing
  wrong?
 
 
 
 
 
  Here is the output of Check-Users file
  -
  # DEFAULT entry to check the BLACKLIST table

  DEFAULT Auth-Type = VE_blacklist



  Here is a snippet of my radius.cfg

  --

  <AuthBy SQL>
      Identifier VE_blacklist
      DBSource ..
      DBUsername ..
      DBAuth ..
      AuthSelect select REJECT from BLACKLIST \
          where USERNAME='%n'
      AccountingTable
  </AuthBy>

  <AuthBy FILE>
      Identifier CheckUSERS
      Filename %D/Check-Users
  #   NoDefaultIfFound
      AcceptIfMissing
  </AuthBy>

  <AuthBy LDAP2>
      Identifier CheckLDAP
      Host ..
      AuthDN ..
      AuthPassword ..
      BaseDN ..
      UsernameAttr uid
      PasswordAttr userPassword
  </AuthBy>


  <Realm>
      UsernameCharset a-zA-Z0-9\._@-
      MaxSessions 1
      RewriteUsername tr/A-Z/a-z/
      AuthByPolicy ContinueWhileAccept
      AuthBy CheckUSERS
      AuthBy CheckLDAP
      AcctLogFileName %L/detailu
  </Realm>
 
  --
 
 
  Here is a trace debug 4 of a test:
 
 
  -
  Wed Jun 12 04:57:24 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='rriley'
  Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthFILE: CheckUSERS
  Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with rriley
  Wed Jun 12 04:57:24 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
  Wed Jun 12 04:57:24 2002: DEBUG: Handling with Radius::AuthSQL
  Wed Jun 12 04