(RADIATOR) Strange behaving authentication ?

Hugh Irvine hugh at open.com.au
Thu Jun 14 03:44:50 CDT 2001


Hello Patrik -

On Thursday 14 June 2001 17:55, Patrik Forsberg wrote:
> Hi..
>
> I've got a .. minor problem.
> I have three different ways a user could get authenticated.
> 1st is a "users" file for special cases, like static ip-addresses and so
> on.
> 2nd is a deny user file where I put users that ain't supposed to get in.
> 3rd is UNIX based authentication.
>
> I've ripped out the non-interesting parts of the config file.
> ## Configuration file ##
>
>         # If accept continue.. we could get rejected later..
>         AuthByPolicy ContinueWhileAccept
>
>         <AuthBy DBFILE>
>                 Filename %D/db/test <-- Changed to make sure there was
> nothing wrong with my "real" users file.
>                 AcceptIfMissing
>         </AuthBy>
>
>         <AuthBy DBFILE>
>                 Filename %D/db/denied_users
>                 AcceptIfMissing
>         </AuthBy>
>
>         <AuthBy UNIX>
>                 Identifier System
>                 Filename /etc/master.passwd
>         </AuthBy>
>
> ## END ##
>
> ## Trace Level 5 from the logfile ##
>
> *** Received from 212.37.0.171 port 2178 ....
>
> Packet length = 90
> 01 85 00 5a 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 06 64 65 6d 6f 06 06 00 00 00 02
> 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b 31 32
> 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33
> 32 31 3d 06 00 00 00 00 02 12 47 3c 34 b3 8d fd
> 05 6a f2 12 1a 3a 98 dd 11 5f
> Code:       Access-Request
> Identifier: 133
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "demo"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "G<4<179><141><253><5>j<242><18><26>:<152><221><17>_"
>
> Thu Jun 14 09:50:13 2001: DEBUG: Rewrote user name to demo
> Thu Jun 14 09:50:13 2001: DEBUG: Handling request with Handler
> 'Realm=dataphone.se'
> Thu Jun 14 09:50:13 2001: DEBUG: Rewrote user name to demo
> Thu Jun 14 09:50:13 2001: DEBUG: Rewrote user name to demo
> Thu Jun 14 09:50:13 2001: DEBUG:  Deleting session for demo,
> 203.63.154.1, 1234
> Thu Jun 14 09:50:13 2001: DEBUG: Handling with Radius::AuthDBFILE
> Thu Jun 14 09:50:13 2001: DEBUG: Radius::AuthDBFILE looks for match with
> demo
> Thu Jun 14 09:50:13 2001: DEBUG: Radius::AuthDBFILE REJECT: Check item
> Framed-Protocol expression 'PPP' does not match '' in request
> Thu Jun 14 09:50:13 2001: DEBUG: Radius::AuthDBFILE looks for match with
> DEFAULT
> Thu Jun 14 09:50:13 2001: DEBUG: Handling with Radius::AuthUNIX
> Thu Jun 14 09:50:13 2001: DEBUG: Radius::AuthUNIX looks for match with
> demo
> Thu Jun 14 09:50:13 2001: DEBUG: Radius::AuthDBFILE REJECT: No such user
> Thu Jun 14 09:50:13 2001: INFO: Access rejected for demo: No such user
> Thu Jun 14 09:50:13 2001: DEBUG: Packet dump:
> *** Sending to 212.37.0.171 port 2178 ....
>
> Packet length = 34
> 03 85 00 22 f9 75 ee 1f f3 4c 5e 32 b9 c5 c3 6b
> 00 bb 85 00 12 0e 4e 6f 20 73 75 63 68 20 75 73
> 65 72
> Code:       Access-Reject
> Identifier: 133
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "No such user"
>
> ## END ##
>
> ## Users file ##
>
> demo            User-Password = "test1",
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP
>
> DEFAULT         Auth-Type = System,
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP,
>                 Framed-Compression = None,
>                 Framed-IP-Address = 255.255.255.254,
>                 Framed-IP-Netmask = 255.255.255.255
>
> ## END
>
> What I can't understand is what the
> " Check item Framed-Protocol expression 'PPP' does not match '' in
> request "
> error message is about?
>
> The test has been done with radpwtst and the user/password have been
> checked and are correct.
>

The problem here is the format of your users file - the first line must not 
have a comma (,) at the end. It should look like this:

## Users file ##

demo            User-Password = "test1"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

DEFAULT         Auth-Type = System
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-Compression = None,
                Framed-IP-Address = 255.255.255.254,
                Framed-IP-Netmask = 255.255.255.255

## END

The first line specifies the check items, and if you have a comma at the end 
of the first line, all subsequent lines are taken to be check items, not 
reply items.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
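As an added illustration (my own code, not Radiator's and not part of the thread), here is a small Python model of the users-file rule Hugh describes: a trailing comma keeps the parser reading check items on the next line, so the misconfigured entry turns `Framed-Protocol = PPP` into a check item that the request cannot satisfy. The continuation rule, the simplified equality-only matching and the `evaluate` helper are my assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field

# One "Attr = value" pair, optionally quoted, separated by commas.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*("[^"]*"|[^,]*?)\s*(?:,|$)')

@dataclass
class Entry:
    name: str
    check: dict = field(default_factory=dict)   # must match the request
    reply: dict = field(default_factory=dict)   # returned in Access-Accept

def parse_items(text):
    return {k: v.strip('"') for k, v in ITEM_RE.findall(text)}

def parse_users(text):
    """Assumed rule: the username line holds check items; while a line ends
    with a comma the next indented line is still check items, otherwise
    indented lines are reply items (the pitfall in the thread)."""
    entries, in_check = [], False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append(Entry(parts[0], parse_items(rest)))
            in_check = rest.rstrip().endswith(",")
        else:
            target = entries[-1].check if in_check else entries[-1].reply
            target.update(parse_items(raw))
            in_check = in_check and raw.rstrip().endswith(",")
    return entries

def check_request(entry, request):
    """Return the first failing check item, or None if the entry matches.
    Simplification: plain string equality; Auth-Type only picks the backend."""
    for attr, want in entry.check.items():
        if attr == "Auth-Type":
            continue
        got = request.get(attr, "")
        if got != want:
            return f"Check item {attr} expression '{want}' does not match '{got}' in request"
    return None

# Constructed sample: the entry from the thread, broken and corrected.
BROKEN = 'demo            User-Password = "test1",\n' \
         '                Service-Type = Framed-User,\n' \
         '                Framed-Protocol = PPP\n'
FIXED = BROKEN.replace('"test1",', '"test1"')
REQUEST = {"User-Name": "demo", "User-Password": "test1", "Service-Type": "Framed-User"}

def evaluate(users_text):
    entry = parse_users(users_text)[0]
    return check_request(entry, REQUEST), sorted(entry.reply)
```

Running `evaluate(BROKEN)` reproduces the reject reason from the trace with no reply items at all, while `evaluate(FIXED)` matches and yields `Service-Type` and `Framed-Protocol` as reply items.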

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

