Allowing user from one realm but not another
Heres my issue and no idea exactly how to do this. Trying to figure it out is making me more confused. 1st I use the usersfile for authentation I have three different realms users can login with For examples they are (foo.net, bar.net, beg.net) When users login from one of the realms from my two upstream providers they login as one of these realms Then freeradius will strip the realm and auth the user My delima is I have some users that abused a certain realm usage and I want to restrict them to another realm for login and deny the others Say billy@foo.net has abused the foo.net realm now I need him solely on the beg.net and disallowing the other two realms. In other words reject him before if he trys to use the old realm again. In other words I want to allow only billy to use this one new realm and be rejected if he trys another realm. This has to take place I figure in preproxy, cause my users file is authenticated minus the realm in proxy.. But as I said I have no idea on what to do to set this up.. I would not mind adding usernames to a file to be prechecked at preproxy and if user is and he is not using realm specified reject him , just not sure what to do or how.. Jeff
Jeff A wrote:
I have three different realms users can login with
For examples they are (foo.net, bar.net, beg.net)
Are all users valid on all realms? If so, why?
Say billy@foo.net <mailto:billy@foo.net> has abused the foo.net realm now I need him solely on the beg.net and disallowing the other two realms. In other words reject him before if he trys to use the old realm again. In other words I want to allow only billy to use this one new realm and be rejected if he trys another realm.
Then you need a rule specifically for that user.
This has to take place I figure in preproxy, cause my users file is authenticated minus the realm in proxy..
You can still access the "Realm" attribute in the "users" file: bob Realm != "foo.net", Auth-Type := Reject Alan DeKok.
Because I was never sure how to keep em off the other realm. They should all be stuck on realm I put em on -----Original Message----- From: freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Sunday, February 14, 2010 2:43 AM To: FreeRadius users mailing list Subject: Re: Allowing user from one realm but not another Jeff A wrote:
I have three different realms users can login with
For examples they are (foo.net, bar.net, beg.net)
Are all users valid on all realms? If so, why?
Say billy@foo.net <mailto:billy@foo.net> has abused the foo.net realm now I need him solely on the beg.net and disallowing the other two realms. In other words reject him before if he trys to use the old realm again. In other words I want to allow only billy to use this one new realm and be rejected if he trys another realm.
Then you need a rule specifically for that user.
This has to take place I figure in preproxy, cause my users file is authenticated minus the realm in proxy..
You can still access the "Realm" attribute in the "users" file: bob Realm != "foo.net", Auth-Type := Reject Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sun, Feb 14, 2010 at 6:18 PM, Jeff A <jeffa@globalco.net> wrote:
Because I was never sure how to keep em off the other realm. They should all be stuck on realm I put em on
I assume you want it for all users, instead of just one user? It'd be a lot easier if you don't strip the realm. Any particular reason why you do that? -- Fajar
I strip the realm off cause backend billing that creates the users file is rodopi, and All users from that have no realm just the username -----Original Message----- From: freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org] On Behalf Of Fajar A. Nugraha Sent: Sunday, February 14, 2010 6:32 AM To: FreeRadius users mailing list Subject: Re: Allowing user from one realm but not another On Sun, Feb 14, 2010 at 6:18 PM, Jeff A <jeffa@globalco.net> wrote:
Because I was never sure how to keep em off the other realm. They should all be stuck on realm I put em on
I assume you want it for all users, instead of just one user? It'd be a lot easier if you don't strip the realm. Any particular reason why you do that? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sun, Feb 14, 2010 at 8:23 PM, Jeff A <jeffa@globalco.net> wrote:
I strip the realm off cause backend billing that creates the users file is rodopi, and
So how would you know which user is supposed to be in which realm if the backend doesn't supply that? If it were me, I'd modify the billing program to create users with realm. Also, I'd use database backend to store users. But hey, ultimately it's your choice. If you're fine with editing user file then Alan's example should work. -- Fajar
Your idea is best. I think I will modify, but for a work around till I get a chance to get everything turned around. I will use Alan's example.. My question is this Can his example contain more than one realm to reject between the quotes? bob Realm != "foo.net", Auth-Type := Reject Jeff -----Original Message----- From: freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org] On Behalf Of Fajar A. Nugraha Sent: Sunday, February 14, 2010 9:04 AM To: FreeRadius users mailing list Subject: Re: Allowing user from one realm but not another On Sun, Feb 14, 2010 at 8:23 PM, Jeff A <jeffa@globalco.net> wrote:
I strip the realm off cause backend billing that creates the users file is rodopi, and
So how would you know which user is supposed to be in which realm if the backend doesn't supply that? If it were me, I'd modify the billing program to create users with realm. Also, I'd use database backend to store users. But hey, ultimately it's your choice. If you're fine with editing user file then Alan's example should work. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 14, 2010, at 6:11 AM, Jeff A wrote:
Your idea is best. I think I will modify, but for a work around till I get a chance to get everything turned around. I will use Alan's example..
My question is this Can his example contain more than one realm to reject between the quotes?
bob Realm != "foo.net", Auth-Type := Reject
That's not the realm you're rejecting, but the one you're accepting, rejecting access if the username is "bob" and the realm is not equal to "foo.net."
Having problems getting access reject to work, seems like no matter what I try it lets this test user on in every realm I am using cistron compat to accommodate my userfile inputted by rodopi dialuptest Password = "secret" Framed-Protocol = PPP, Service-Type = Framed-User, Session-Timeout = 14400, Ascend-Data-Filter = "ip in forward tcp est", Ascend-Data-Filter = "ip in forward dstip 0.0.0.0/24", Ascend-Data-Filter = "ip in drop tcp dstport = 25", Ascend-Data-Filter = "ip in forward", Port-Limit = 1, Realm = "foo.net", Auth-Type = Reject I have tried adding the ! and : symbol in the above line (makes no difference) Still can login on all three realms Also have tried the realm item as a check item, quote, and no options with same results If a check item its placed on same line as username etc but still no go as below example dialuptest Password = "secret" Realm = "foo.net", Auth-Type = Reject Jeff -----Original Message----- From: freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org] On Behalf Of Chris Sent: Sunday, February 14, 2010 12:33 PM To: FreeRadius users mailing list Subject: Re: Allowing user from one realm but not another On Feb 14, 2010, at 6:11 AM, Jeff A wrote:
Your idea is best. I think I will modify, but for a work around till I get a chance to get everything turned around. I will use Alan's example..
My question is this Can his example contain more than one realm to reject between the quotes?
bob Realm != "foo.net", Auth-Type := Reject
That's not the realm you're rejecting, but the one you're accepting, rejecting access if the username is "bob" and the realm is not equal to "foo.net." - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jeff A wrote:
I am using cistron compat to accommodate my userfile inputted by rodopi
I'd really suggest using the FreeRADIUS features. Ask rodopi to fix their product.
I have tried adding the ! and : symbol in the above line (makes no difference)
Uh... "I tried random things and they didn't work". That's not the way to solve the problem. See "man users" for *documentation* on how it works.
Also have tried the realm item as a check item, quote, and no options with same results If a check item its placed on same line as username etc but still no go as below example
dialuptest Password = "secret" Realm = "foo.net", Auth-Type = Reject
That is wrong on a number of points. I think you're really not clear on how the "users" file works. Read the documentation for it, and then go back and read my earlier message. The line above does NOT match my message. Therefore, it's wrong. Alan DeKok.
Ok, I figured I goofed something up. Been looking at this so long, I am making big mistakes. -----Original Message----- From: freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, February 15, 2010 3:15 AM To: FreeRadius users mailing list Subject: Re: Allowing user from one realm but not another Jeff A wrote:
I am using cistron compat to accommodate my userfile inputted by rodopi
I'd really suggest using the FreeRADIUS features. Ask rodopi to fix their product.
I have tried adding the ! and : symbol in the above line (makes no difference)
Uh... "I tried random things and they didn't work". That's not the way to solve the problem. See "man users" for *documentation* on how it works.
Also have tried the realm item as a check item, quote, and no options with same results If a check item its placed on same line as username etc but still no go as below example
dialuptest Password = "secret" Realm = "foo.net", Auth-Type = Reject
That is wrong on a number of points. I think you're really not clear on how the "users" file works. Read the documentation for it, and then go back and read my earlier message. The line above does NOT match my message. Therefore, it's wrong. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok good news I got it to work..New day less tired and man what an idiot I was. I have a question though. Freeradius can look at more than one user file, what is the syntax to allow this to read another, and where do I place the entry for it I am wanting to do this so I can convert to complete realm names for the users, but since so many users with different realms The process is going to take awhile, so I need for the program to see both entries so there will be a match till the process is completed I I would place them in the same file then they would be overwritten Thanks And Thanks so much for the help on the realm issue Jeff -----Original Message----- From: freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, February 15, 2010 3:15 AM To: FreeRadius users mailing list Subject: Re: Allowing user from one realm but not another Jeff A wrote:
I am using cistron compat to accommodate my userfile inputted by rodopi
I'd really suggest using the FreeRADIUS features. Ask rodopi to fix their product.
I have tried adding the ! and : symbol in the above line (makes no difference)
Uh... "I tried random things and they didn't work". That's not the way to solve the problem. See "man users" for *documentation* on how it works.
Also have tried the realm item as a check item, quote, and no options with same results If a check item its placed on same line as username etc but still no go as below example
dialuptest Password = "secret" Realm = "foo.net", Auth-Type = Reject
That is wrong on a number of points. I think you're really not clear on how the "users" file works. Read the documentation for it, and then go back and read my earlier message. The line above does NOT match my message. Therefore, it's wrong. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Chris -
Fajar A. Nugraha -
Jeff A