(RADIATOR) Cisco switch (Catalyst 2950)!!! / Mysql ERR!!!
Hugh Irvine
hugh at open.com.au
Thu May 5 18:05:44 CDT 2005
Hello Jhonny -
Your configuration file contains this:
#for the APs
<Handler Client-Identifier = ap>
<AuthBy SQL>
DBSource dbi:mysql:radius:localhost
DBUsername dbuser
DBAuth Ultrasecret
AuthSelect select SECRET from RADCLIENTLIST where NASIDENTIFIER=%0
</AuthBy>
AcctLogFileName %L/apacc-%m.detail
</Handler>
which is clearly wrong.
See section 6.29 in the Radiator 3.12 reference manual for details on
how to configure the AuthBy SQL clause ("doc/ref.html").
regards
Hugh
On 5 May 2005, at 18:48, Jhonny Freire de Oliveira wrote:
>
> Hi,
>
> I’m trying to authenticate a Cisco switch (Catalyst 2950) on my radius
> server (Radiator), unfortunately where other clients authenticate with
> no trouble at all, this one fails...
>
> As you can see, in the debugging that I provide, Radiator behaves in
> two different ways for the same User-Name, is this a known issue? Is
> there any work around?
>
> I also would like to know why I keep on getting the Mysql Error that
> appears on the debugging.
>
> -> debug from Cisco Catalyst 2950
>
> Wed May 4 18:03:57 2005: DEBUG: Packet dump:
> *** Received from 192.168.1.10 port 1812 ....
> Code: Access-Request
> Identifier: 10
> Authentic: <246>'<29>J<241>`Bc1<20>P/<191><254><215>}
> Attributes:
> NAS-IP-Address = 192.168.1.10
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "teste at teste.net"
> Calling-Station-Id = "192.168.1.120"
> User-Password = " xxxxxxxxxxxxxxxxxxxxxxxx"
>
> Wed May 4 18:03:57 2005: DEBUG: Handling request with Handler
> 'Client-Identifier = ap'
> Wed May 4 18:03:57 2005: DEBUG: Deleting session for
> teste at teste.net, 192.168.1.10, 1
> Wed May 4 18:03:57 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='192.168.1.10' and NASPORT=01':
> Wed May 4 18:03:57 2005: DEBUG: Handling with Radius::AuthSQL
> Wed May 4 18:03:57 2005: DEBUG: Handling with Radius::AuthSQL:
> Wed May 4 18:03:57 2005: DEBUG: Query is: 'select SECRET from
> RADCLIENTLIST where NASIDENTIFIER='teste at teste.net'':
> Wed May 4 18:03:57 2005: DEBUG: Radius::AuthSQL looks for match with
> teste at teste.net
> Wed May 4 18:03:57 2005: DEBUG: Query is: 'select SECRET from
> RADCLIENTLIST where NASIDENTIFIER='DEFAULT'':
> Wed May 4 18:03:57 2005: DEBUG: AuthBy SQL result: REJECT, No such
> user
> Wed May 4 18:03:57 2005: INFO: Access rejected for teste at teste.net:
> No such user
> Wed May 4 18:03:57 2005: DEBUG: Packet dump:
> *** Sending to 192.168.1.10 port 1812 ....
> Code: Access-Reject
> Identifier: 10
> Authentic: <246>'<29>J<241>`Bc1<20>P/<191><254><215>}
> Attributes:
> Reply-Message = "Request Denied"
>
> -> debug from some other client
>
> Wed May 4 18:03:30 2005: DEBUG: Packet dump:
> *** Received from 10.100.29.11 port 32769 ....
> Code: Access-Request
> Identifier: 87
> Authentic:
> <141><213><222><255><145>)<169><172>p<237>T<244><15>n<207><171>
> Attributes:
> User-Name = "teste at teste.net"
> User-Password = "xxxxxxxxxxxxxxxxxxxxxxxx"
> Service-Type = Login-User
> NAS-IP-Address = 192.168.1.3
>
> Wed May 4 18:03:30 2005: DEBUG: Handling request with Handler
> 'Realm=/teste\.net/'
> Wed May 4 18:03:30 2005: DEBUG: Deleting session for
> teste at teste.net, 192.168.1.3,
> Wed May 4 18:03:30 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='192.168.1.3' and NASPORT=0':
> Wed May 4 18:03:30 2005: ERR: do failed for 'delete from RADONLINE
> where NASIDENTIFIER='192.168.1.3' and NASPORT=0': MySQL server has
> gone away
> Wed May 4 18:03:30 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Wed May 4 18:03:30 2005: INFO: Connecting to 192.168.1.2, port 389
> Wed May 4 18:03:30 2005: INFO: Attempting to bind to LDAP server
> 192.168.1.2:389
> Wed May 4 18:03:30 2005: DEBUG: LDAP got result for CN=Para teste da
> AD!,CN=Users,DC=teste,DC=net
> Wed May 4 18:03:30 2005: DEBUG: Radius::AuthLDAP2 looks for match
> with teste at teste.net
> Wed May 4 18:03:30 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed May 4 18:03:30 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Wed May 4 18:03:30 2005: DEBUG: Access accepted for teste at teste.net
> Wed May 4 18:03:30 2005: DEBUG: Packet dump:
> *** Sending to 10.100.29.11 port 32769 ....
> Code: Access-Accept
> Identifier: 87
> Authentic:
> <141><213><222><255><145>)<169><172>p<237>T<244><15>n<207><171>
> Attributes:
>
>
> -> radius.cfg
>
> AuthPort 1812
> AcctPort 1813
> LogDir /var/log/radius
> DbDir /etc/radiator
> DictionaryFile %D/dictionary
> PidFile /var/run/radiusd.pid
>
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 4
>
> # You can put client details in a database table
> # and get their details from there with something like this:
> <ClientListSQL>
> DBSource dbi:mysql:radius:localhost
> DBUsername dbuser
> DBAuth Ultrasecret
>
> # for APs accounting, IDENTIFIER added
> GetClientQuery select NASIDENTIFIER,SECRET,IGNOREACCTSIGNATURE,DUPINTERVAL,DEFAULTREALM,\
>     NASTYPE,SNMPCOMMUNITY,LIVINGSTONOFFS,LIVINGSTONHOLE,\
>     FRAMEDGROUPBASEADDRESS,FRAMEDGROUPMAXPORTSPERCLASSC,REWRITEUSERNAME,\
>     NOIGNOREDUPLICATES,PREHANDLERHOOK,IDENTIFIER from RADCLIENTLIST
>
> # If RefreshPeriod is set to non-zero, it specifies the period in seconds
> # that the client list will be refreshed by rereading the database.
> # Each RefreshPeriod the previous client list is cleared and a new list
> # of clients read from the database.
> # The same effect can be got by signalling the process with SIGHUP
> #RefreshPeriod 600
> </ClientListSQL>
>
> <SessionDatabase SQL>
> DBSource dbi:mysql:radius:localhost
> DBUsername dbuser
> DBAuth Ultrasecret
> </SessionDatabase>
>
> <AuthLog SQL>
> DBSource dbi:mysql:radius:localhost
> DBUsername dbuser
> DBAuth Ultrasecret
>
> LogSuccess 1
> LogFailure 1
> </AuthLog>
>
> #<StatsLog SQL>
> # DBSource dbi:mysql:radius:localhost
> # DBUsername dbuser
> # DBAuth Ultrasecret
> #</StatsLog>
>
> #<Log SQL>
> # DBSource dbi:mysql:radius:localhost
> # DBUsername dbuser
> # DBAuth Ultrasecret
> #</Log>
>
> # APs through wlccp
> <Handler User-Name=/^(some|teste)$/>
> <AuthBy SQL>
> DBSource dbi:mysql:radius:localhost
> DBUsername dbuser
> DBAuth Ultrasecret
>
> EAPType LEAP
>
> # You may want to tailor these for your ACCOUNTING table
> # You can add your own columns to store whatever you like
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>
> # You can arrange to log accounting to a file if the
> # SQL insert fails with AcctFailedLogFileName
> # That way you could recover from a broken SQL
> # server
> AcctFailedLogFileName %D/missedaccounting
>
> # Alternatively, you can arrange to save failed SQL accounting insert
> # queries to a text file with SQLRecoveryFile
> SQLRecoveryFile %L/missedaccounting
>
> </AuthBy>
>
> # Log accounting to a detail file
> AcctLogFileName %L/wlsm-%m.detail
>
> </Handler>
>
> #for the APs
> <Handler Client-Identifier = ap>
> <AuthBy SQL>
> DBSource dbi:mysql:radius:localhost
> DBUsername dbuser
> DBAuth Ultrasecret
>
> AuthSelect select SECRET from RADCLIENTLIST where NASIDENTIFIER=%0
>
> </AuthBy>
>
> AcctLogFileName %L/apacc-%m.detail
>
> </Handler>
>
> #For AD users
> <Handler Realm=/teste\.net/>
> <AuthBy LDAP2>
> Host 192.168.1.2
> Port 389
>
> Version 3
>
> AuthDN cn=NIC,ou=adm,dc=teste,dc=net
> AuthPassword Verysecret
> BaseDN dc=teste,dc=net
> EAPType TTLS
> ServerChecksPassword
> UsernameAttr userPrincipalName
> AuthAttrDef logonHours,MS-Login-Hours,check
>
> EAPTLS_CAFile /usr/share/doc/Radiator-Locked-3.12/certificates/demoCA/cacert.pem
>
> EAPTLS_CertificateFile /usr/share/doc/Radiator-Locked-3.12/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile /usr/share/doc/Radiator-Locked-3.12/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 0
>
> </AuthBy>
>
> AcctLogFileName %L/%R-%m.detail
>
> </Handler>
>
>
> -> Catalyst 2590 configuration
>
> Current configuration :
> !
> version 12.1
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname Switch
> !
> aaa new-model
> aaa authentication login VTYRAD group radius enable
> enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
> enable password 7 XXXXXXXXXXXXXXXXXXX
> !
> ip subnet-zero
> !
> vtp domain somedomain
> vtp mode transparent
> !
> spanning-tree mode pvst
> no spanning-tree optimize bpdu transmission
> spanning-tree extend system-id
> !
> !
> !
> !
> vlan 2
> !
> vlan 504
> name XXXXXXXXXX
> !
> interface FastEthernet0/1
> switchport access vlan 504
> spanning-tree portfast
> !
> interface FastEthernet0/2
> !.......
> !.......
> !
> interface Vlan1
> no ip address
> no ip route-cache
> shutdown
> !
> interface Vlan504
> ip address 192.168.1.10 255.255.255.0
> no ip route-cache
> !
> ip default-gateway 192.168.1.1
> ip http server
> radius-server host 192.168.1.200 auth-port 1812 acct-port 1813 key XXXXXXXXXXXXXXXXX
> radius-server retransmit 3
> !
> line con 0
> line vty 0 4
> login authentication VTYRAD
> line vty 5 15
> !
> !
> end
>
> Regards,
> --
> ____________________________________________________________________
> Jhonny Freire Oliveira
> Núcleo de Informática e Comunicações da UL
> joliveira at nic.ul.pt
> Reitoria da UL, Alameda da Universidade
> Tel: +351 210113447
> Campo Grande – 1649-004 Lisboa, Portugal
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
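Added example, not part of this thread and not Radiator's own code: a small Python triage script for a trace 4 log of the shape quoted above. It groups the trace into one record per received packet and reports the two things visible in Jhonny's log: a handler whose AuthBy SQL runs its AuthSelect against the client table (RADCLIENTLIST) with the User-Name substituted for %0, which is why the SQL lookup returns "No such user", and the "MySQL server has gone away" error from a dropped database connection. The line formats are assumed from the quoted trace; the embedded sample is constructed in that shape (the archive prints the address as "teste at teste.net", a real trace has the "@").

```python
"""Triage helper for Radiator trace 4 output (added example, not Radiator code).

It groups the trace into one record per received request and reports an
AuthBy SQL whose AuthSelect queries the client table RADCLIENTLIST with the
User-Name in place of %0, and a dropped MySQL connection.
"""
import re
import sys

# Line shapes assumed from the trace 4 output quoted in the thread.
RECEIVED_RE = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
USERNAME_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
HANDLER_RE = re.compile(r"Handling request with Handler '(.*)'$")
QUERY_RE = re.compile(r"Query is: '(.*)':?$")
RESULT_RE = re.compile(r"AuthBy (\S+) result: (\w+)")
ERR_RE = re.compile(r": ERR: (.*)$")
# An AuthSelect that reads the client table, keyed by whatever %0 expanded to.
CLIENT_TABLE_RE = re.compile(
    r"select\s+\S+\s+from\s+RADCLIENTLIST\s+where\s+NASIDENTIFIER='([^']*)'",
    re.IGNORECASE,
)

# Constructed sample in the shape of the trace quoted in the thread.
SAMPLE_TRACE = """\
Wed May  4 18:03:57 2005: DEBUG: Packet dump:
*** Received from 192.168.1.10 port 1812 ....
Code:       Access-Request
Identifier: 10
Attributes:
        User-Name = "teste@teste.net"
        NAS-IP-Address = 192.168.1.10
Wed May  4 18:03:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = ap'
Wed May  4 18:03:57 2005: DEBUG: Query is: 'select SECRET from RADCLIENTLIST where NASIDENTIFIER='teste@teste.net'':
Wed May  4 18:03:57 2005: DEBUG: Query is: 'select SECRET from RADCLIENTLIST where NASIDENTIFIER='DEFAULT'':
Wed May  4 18:03:57 2005: DEBUG: AuthBy SQL result: REJECT, No such user
Wed May  4 18:03:57 2005: DEBUG: Packet dump:
*** Sending to 192.168.1.10 port 1812 ....
Code:       Access-Reject
Wed May  4 18:03:30 2005: DEBUG: Packet dump:
*** Received from 10.100.29.11 port 32769 ....
Code:       Access-Request
Identifier: 87
Attributes:
        User-Name = "teste@teste.net"
        NAS-IP-Address = 192.168.1.3
Wed May  4 18:03:30 2005: DEBUG: Handling request with Handler 'Realm=/teste\\.net/'
Wed May  4 18:03:30 2005: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='192.168.1.3' and NASPORT=0': MySQL server has gone away
Wed May  4 18:03:30 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
"""


def parse_requests(trace):
    """Split a trace into one dict per '*** Received from' packet."""
    requests = []
    current = None
    for line in trace.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            current = {"client": m.group(1), "port": int(m.group(2)), "user": None,
                       "handler": None, "queries": [], "results": [], "errors": []}
            requests.append(current)
            continue
        if current is None:
            continue  # startup chatter before the first packet
        m = USERNAME_RE.match(line)
        if m and current["user"] is None:
            current["user"] = m.group(1)
            continue
        m = HANDLER_RE.search(line)
        if m:
            current["handler"] = m.group(1)
            continue
        m = QUERY_RE.search(line)
        if m:
            current["queries"].append(m.group(1))
            continue
        m = RESULT_RE.search(line)
        if m:
            current["results"].append((m.group(1), m.group(2)))
            continue
        m = ERR_RE.search(line)
        if m:
            current["errors"].append(m.group(1))
    return requests


def analyze(trace):
    """Return (client, handler, message) findings for the problems above."""
    findings = []
    for req in parse_requests(trace):
        for query in req["queries"]:
            m = CLIENT_TABLE_RE.search(query)
            if m and req["user"] is not None and m.group(1) == req["user"]:
                verdicts = ", ".join(f"{a}={r}" for a, r in req["results"])
                findings.append((req["client"], req["handler"],
                                 "AuthSelect queries the client table RADCLIENTLIST with "
                                 f"the User-Name in place of %0 (results: {verdicts}); "
                                 "AuthSelect should select the user's password from the "
                                 "user table"))
                break
        for err in req["errors"]:
            if "MySQL server has gone away" in err:
                findings.append((req["client"], req["handler"],
                                 "MySQL connection was dropped: " + err))
    return findings


def main(argv):
    # Usage: python triage.py [tracefile]; without an argument the sample is used.
    trace = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TRACE
    for client, handler, message in analyze(trace):
        print(f"{client} [{handler}]: {message}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real trace 4 file (e.g. the output of `radiusd -trace 4`) to get one line per affected request, naming the client that sent it and the handler that processed it, which is what you need to know before touching the AuthBy clause.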