(RADIATOR) Problems with additional test after an AuthRADIUS

Stefan.Gruendel at mlp-ag.com
Wed Dec 19 17:58:03 CST 2001


Hello,

we are using a one-time password generator which has a RADIUS
interface. This one is hosted at an outsourcing provider, so I
want to maintain local profiles for the different user types.

I proxy the authentication request to the OTP RADIUS server and
add an additional stage for the profiles as outlined in the
examples (see the attached config, user and profile files).

The problem is that after the successful RADIUS proxy authentication
the request returns with an Access-Accept but no further
processing of the profiles is done
(please have a look at the trace at the end).

Without the RADIUS proxying everything works fine with the
profiles, so what is my mistake?

Do you have any ideas?


Thanks in advance
Stefan Gründel


---------------------------------------------------------------
Stefan Gründel                       stefan.gruendel at mlp-ag.com
IT Security
MLP Login GmbH                   Tel.: +49 / (0)6221 / 308-2378
Forum 7                          Fax.: +49 / (0)6221 / 308-1621
69126 Heidelberg


Radiator Configuration:
-----------------------
Foreground
LogStdout

Trace 4

# Set this to the directory where your logfile and details file are to go
LogDir /var/log/radius

# PID File in /var/run
PidFile /var/run/radiusd.pid

# Set this to the database directory. It should contain these files:
# users           The user database
# dictionary      The dictionary for your NAS
DbDir /usr/local/etc/raddb

AuthPort 1645
AcctPort 1646

<Client localhost>
    Secret mysecret
    DupInterval 0
    Identifier RAS
</Client>

#----------------------
# RADIUS_PROXY
#----------------------
<AuthBy RADIUS>
    Identifier RADIUS_PROXY
    <Host y.y.y.y>
        Secret xxxxxxxx
    </Host>
</AuthBy>

#----------------------
# LOCAL_PROFILE
#----------------------
<AuthBy GROUP>
    Identifier LOCAL_PROFILE
    AuthByPolicy ContinueWhileAccept
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy FILE>
        Filename /usr/local/etc/raddb/dynamic_users
    </AuthBy>
    <AuthBy FILE>
        Filename /usr/local/etc/raddb/profiles
        # Remove the pseudo-attribute Profile from the reply
        StripFromReply Profile
    </AuthBy>
</AuthBy>

#----------------------
# Handler
#----------------------
<Handler Request-Type = Accounting-Request>
    # local accounting to a file
    AcctLogFileName /var/log/radius/detail
</Handler>

<Handler>
    AuthByPolicy ContinueWhileAccept
    RewriteUsername s/^(.*)/$1\@MLP/
    AuthBy RADIUS_PROXY
    AuthBy LOCAL_PROFILE
</Handler>

-------------------------------------------------------------
File profiles:
--------------
DEFAULT Reply:Profile = RAS-Login
        Service-Type       = Framed-User,
        Framed-Protocol    = PPP,
        Filter-Id          = RAS-Login


Userfile:
---------
sgruende  Client-Identifier = RAS
          Profile         = RAS-Login

-------------------------------------------------------------

linux:/usr/local/etc/raddb # radpwtst -s localhost -secret mysecret -nostart -nostop -trace -user sgruende -password 59894217

gives:

Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32843 ....
Code:       Access-Request
Identifier: 178
Authentic:  1234567890123456
Attributes:
        User-Name = "sgruende"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<204><178>g<148><155>n5<193><188>8<9><160><216>}x<153>"

Thu Dec 20 00:52:14 2001: DEBUG: Check if Handler Request-Type =
Accounting-Request should be used to handle this request
Thu Dec 20 00:52:14 2001: DEBUG: Check if Handler  should be used to handle this
 request
Thu Dec 20 00:52:14 2001: DEBUG: Handling request with Handler ''
Thu Dec 20 00:52:14 2001: DEBUG: Rewrote user name to sgruende@MLP
Thu Dec 20 00:52:14 2001: DEBUG:  Deleting session for sgruende, 203.63.154.1,
1234
Thu Dec 20 00:52:14 2001: DEBUG: Handling with Radius::AuthRADIUS
Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
*** Sending to 10.96.177.6 port 1645 ....
Code:       Access-Request
Identifier: 1
Authentic:  1234567890123456
Attributes:
        User-Name = "sgruende@MLP"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password =
"<167><173><207>C<242><179>@<153><182>(S<164><215>U<214>-"

Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
*** Received from 10.96.177.6 port 1645 ....
Code:       Access-Accept
Identifier: 1
Authentic:  <176>;<164><227>8/<203><174><149><176><13><146>C<195><146><152>
Attributes:
        Framed-Protocol = PPP
        Filter-Id = "std.in"
        Framed-MTU = 1500
        Reply-Message = "geschafft"
        Session-Timeout = 900
        Framed-IP-Address = 255.255.255.254
        Service-Type = Framed-User

Thu Dec 20 00:52:14 2001: DEBUG: Received reply in AuthRADIUS for req 1 from
10.96.177.6:1645
Thu Dec 20 00:52:14 2001: DEBUG: Access accepted for sgruende@MLP
Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32843 ....
Code:       Access-Accept
Identifier: 178
Authentic:  1234567890123456
Attributes:
        Framed-Protocol = PPP
        Filter-Id = "std.in"
        Framed-MTU = 1500
        Reply-Message = "geschafft"
        Session-Timeout = 900
        Framed-IP-Address = 255.255.255.254
        Service-Type = Framed-User



===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
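The trace above shows the security-relevant symptom directly: the Access-Accept sent back to the NAS carries the outsourced OTP server's Filter-Id ("std.in"), not the locally mandated "RAS-Login" from the profiles file, so the authorization the NAS enforces comes from the provider rather than from local policy. The following script is an added example, not code from the original post or from Radiator; it parses Trace 4 packet dumps in the format shown above and the `profiles` file, and reports which local reply attributes are missing from, or carry a different value in, the final reply to the NAS. The embedded trace is a constructed excerpt of the post's trace (two packet dumps), and the NAS address `127.0.0.1:32843` is taken from it; the helper names are this example's own.

```python
"""Check a Radiator Trace 4 log: does the Access-Accept sent to the NAS
carry the reply attributes the local profile was supposed to add?

Added example, not part of the original post or of Radiator.
"""
import re

# Constructed excerpt of the post's trace: the proxy reply and the reply
# forwarded to the NAS (radpwtst on 127.0.0.1:32843).
TRACE = """\
Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
*** Received from 10.96.177.6 port 1645 ....
Code:       Access-Accept
Identifier: 1
Attributes:
        Framed-Protocol = PPP
        Filter-Id = "std.in"
        Framed-MTU = 1500
        Reply-Message = "geschafft"
        Session-Timeout = 900
        Framed-IP-Address = 255.255.255.254
        Service-Type = Framed-User

Thu Dec 20 00:52:14 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32843 ....
Code:       Access-Accept
Identifier: 178
Attributes:
        Framed-Protocol = PPP
        Filter-Id = "std.in"
        Framed-MTU = 1500
        Reply-Message = "geschafft"
        Session-Timeout = 900
        Framed-IP-Address = 255.255.255.254
        Service-Type = Framed-User
"""

# The `profiles` file from the post: check items on the first line of an
# entry, comma-separated reply items on the indented continuation lines.
PROFILES = """\
DEFAULT Reply:Profile = RAS-Login
        Service-Type       = Framed-User,
        Framed-Protocol    = PPP,
        Filter-Id          = RAS-Login
"""

DUMP_RE = re.compile(r"\*\*\* (Received from|Sending to) (\S+) port (\d+)")
# Attribute lines are indented: `<name> = <value>`, value optionally quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_dumps(trace):
    """Split a Trace 4 log into packet dumps.

    Each dump is a dict with direction, peer ("ip:port"), code and an
    ordered list of (attribute, value) pairs; repeated attributes are kept.
    """
    dumps, cur = [], None
    for line in trace.splitlines():
        m = DUMP_RE.match(line)
        if m:
            cur = {"direction": m.group(1),
                   "peer": f"{m.group(2)}:{m.group(3)}",
                   "code": None, "attrs": []}
            dumps.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
            continue
        a = ATTR_RE.match(line)
        if a:
            cur["attrs"].append((a.group(1), a.group(2)))
    return dumps


def profile_reply_items(profiles_text, name="DEFAULT"):
    """Return the reply items (continuation lines) of one users-file entry."""
    items, in_entry = [], False
    for line in profiles_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_entry = bool(line.strip()) and line.split()[0] == name
            continue
        if in_entry:
            for item in line.rstrip(",").split(","):
                k, _, v = item.partition("=")
                if k.strip():
                    items.append((k.strip(), v.strip().strip('"')))
    return items


def check_reply(trace, profiles_text, nas_peer="127.0.0.1:32843"):
    """Compare the Access-Accept sent to the NAS with the local profile.

    Returns (missing, conflicting): profile attributes absent from the
    reply, and those present only with a different value than required.
    """
    reply = next((d for d in parse_dumps(trace)
                  if d["direction"] == "Sending to" and d["peer"] == nas_peer
                  and d["code"] == "Access-Accept"), None)
    if reply is None:
        raise ValueError("no Access-Accept to the NAS found in trace")
    present = {}
    for k, v in reply["attrs"]:
        present.setdefault(k, set()).add(v)
    missing, conflicting = {}, {}
    for k, v in profile_reply_items(profiles_text):
        if k not in present:
            missing[k] = v
        elif v not in present[k]:
            conflicting[k] = {"want": v, "got": sorted(present[k])}
    return missing, conflicting


if __name__ == "__main__":
    missing, conflicting = check_reply(TRACE, PROFILES)
    for k, v in missing.items():
        print(f"MISSING   {k}: local profile requires {v}")
    for k, d in conflicting.items():
        print(f"CONFLICT  {k}: reply carries {d['got']}, local profile requires {d['want']}")
```

Run against the post's trace, the check flags Filter-Id: the reply carries the provider's "std.in" while the local profile requires "RAS-Login", which is exactly the profile stage that never ran. The same check can be pointed at a production Trace 4 log to confirm that locally owned authorization attributes survive proxying before a NAS acts on them.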