Re: using radius user file to deny access

Terry Manderson (terrym@peg.apc.org)
Fri, 8 Nov 1996 11:02:37 +1000 (EST)

At 02:45 PM 11/7/96 -0500, John Driscoll wrote:
>Hi all;
>
>We're running radius on a linux server (runs great - please no flames!).
>Presently we're using the default 'UNIX' user to have radius authenticate
>against the /etc/passwd file. Is there a clever way to add someone to the
>radius USER file such that they would be denied dial-up PPP access thru the
>PM but still have a valid userid/password in /etc/passwd? I'd like to have
>it so that if they tried to dial in they would get some sort of 'access
>denied' message.
>

If you still wish to keep the default entry in the users file, but still
want some people in your /etc/passwd to be denied access, I'd grab a version
of radiusd that supports shell checking, so that if the person you want to
deny access via radius has a shell that is NOT in /etc/shells they are given
the NAK :-)

So basically:

  cp /bin/bash /bin/norad
  chmod 755 /bin/norad etc etc
  don't put /bin/norad in /etc/shells
  change the user's shell (who is not to have radius access) to /bin/norad

And bingo.. they get the denied message.
To give them access is just a matter of changing their shell.. :-)

It is a hack.. but thems the breaks :-0

Terry

--
____________________________________________________________________
Terry Manderson        PO Box 3220, SBBC 4101  Phone +61 7 3259 6259
System Administrator      QLD, AUSTRALIA       Fax   +61 7 3255 0555
Pegasus Networks       http://www.peg.apc.org    terrym@peg.apc.org
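
The shell check described in the message above, as an added example that is not part of the original post and not taken from any radiusd source: it reports which passwd accounts would be refused because their login shell is missing from the shells file. The function names, the ACCEPT/REJECT/UNKNOWN labels, the empty-shell handling and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd entries against a shells file, the same
# comparison a shell-checking radiusd is described as making.

# shell_allowed SHELLS_FILE SHELL -> exit 0 if SHELL is listed.
# Comment lines are skipped; the match is on the whole line, exactly.
shell_allowed() {
    grep -v '^[[:space:]]*#' "$1" | grep -Fxq -- "$2"
}

# radius_verdict PASSWD_FILE SHELLS_FILE USER -> ACCEPT, REJECT or UNKNOWN
radius_verdict() {
    login_shell=$(awk -F: -v u="$3" '
        $1 == u { print $7; found = 1; exit }
        END     { if (!found) exit 1 }' "$1") || { echo UNKNOWN; return 0; }
    # Assumption: an empty shell field means /bin/sh (passwd convention).
    [ -n "$login_shell" ] || login_shell=/bin/sh
    if shell_allowed "$2" "$login_shell"; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

# denied_users PASSWD_FILE SHELLS_FILE -> one user name per line
denied_users() {
    for u in $(awk -F: '{ print $1 }' "$1"); do
        if [ "$(radius_verdict "$1" "$2" "$u")" = REJECT ]; then
            echo "$u"
        fi
    done
}

# Constructed sample files (not real accounts).
demo_dir=$(mktemp -d)
cat > "$demo_dir/shells" <<'EOF'
# constructed sample of /etc/shells; /bin/norad is deliberately absent
/bin/sh
/bin/bash
EOF
cat > "$demo_dir/passwd" <<'EOF'
alice:x:1001:100:Dial-up user:/home/alice:/bin/bash
bob:x:1002:100:Shell only, no PPP:/home/bob:/bin/norad
carol:x:1003:100:Empty shell field:/home/carol:
EOF

denied_users "$demo_dir/passwd" "$demo_dir/shells"   # prints: bob
```

Other services that consult /etc/shells, such as ftpd and chsh, will also treat an account with an unlisted shell as restricted, so run the audit before and after changing a user's shell.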