(RADIATOR) Mysql ENCRYPTEDPASSWORD problem
Separovic, Jason
jseparov at uecomm.com.au
Wed Jul 18 00:34:51 CDT 2001
I set up Radiator using a Postgresql database with crypt_md5 password
encryption. Everything worked fine.
Then, because of Postgres's lack of redundancy features, I decided to move
to a Mysql database. I changed nothing (except the DB params).
Now it doesn't work.
The ENCRYPTEDPASSWORD stored in the Mysql database is not accepted against a
request using that password.
When I change the AuthSelect Statement to
AuthSelect select PASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='%U'
everything works fine.
Here is Mysql Table :
+----------+----------+------------------------------------+-----------+-----------+
| USERNAME | PASSWORD | ENCRYPTEDPASSWORD                  | CHECKATTR | REPLYATTR |
+----------+----------+------------------------------------+-----------+-----------+
| user     | password | $1$63f6a87c$GF5oBm1XkNbPzuhKn4DFi1 | NULL      | NULL      |
+----------+----------+------------------------------------+-----------+-----------+
Here is my radius.cfg file :
=================================================================
# radius configuration file
Foreground yes
LogStdout yes
Trace 5
LogDir /opt/radiator/log
DbDir /opt/radiator/radiusdb
DictionaryFile /opt/radiator/dictionary
AuthPort 1812
AcctPort 1813
BindAddress 192.168.0.10
# You can put client details in a database table
# and get their details from there with something like this:
<ClientListSQL>
DBSource dbi:mysql:radiusdb
DBUsername root
DBAuth password
</ClientListSQL>
# This will authenticate users from SUBSCRIBERS
<Handler Realm=Enterasys>
<AuthBy SQL>
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:radiusdb
DBUsername root
DBAuth password
RejectEmptyPassword
AuthSelect select ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='%U'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, check
AuthColumnDef 2, GENERIC, reply
</AuthBy>
</Handler>
==================================================================
Here is the MD5 script (compliments of Mickey)
==================================================================
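#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5;

# Command-line arguments arrive in @ARGV; @_ is empty at file scope.
print md5($ARGV[0]) . "\n";

# Return the MD5-crypt ($1$) hash of a password under a random hex salt.
sub md5 {
    my $Password = $_[0];
    # unix_md5_crypt uses at most the first 8 characters of the salt.
    my $Salt = sprintf("%4.4x%4.4x", rand(10000000), rand(10000000));
    my $MD5Password = unix_md5_crypt($Password, $Salt);
    return $MD5Password;
}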
==================================================================
A log using ENCRYPTEDPASSWORD :
==================================================================
Wed Jul 18 14:08:24 2001: INFO: Server started: Radiator 2.17.1 on radius
Wed Jul 18 14:08:37 2001: DEBUG: Packet dump:
*** Received from 192.168.0.17 port 1963 ....
Packet length = 56
01 4a 00 38 35 ca 3b 58 b1 96 17 04 ed 22 b3 70
e9 6e 0f 9c 01 06 75 73 65 72 02 12 f7 0a 21 4d
2f 27 b7 d2 3f 9d 00 ef 30 13 d8 b6 06 06 00 00
00 08 04 06 cb 5e 80 66
Code: Access-Request
Identifier: 74
Authentic: 5<202>;X<177><150><23><4><237>"<179>p<233>n<15><156>
Attributes:
User-Name = "user"
User-Password = "<247><10>!M/'<183><210>?<157><0><239>0<19><216><182>"
Service-Type = Authenticate-Only
NAS-IP-Address = 203.94.128.102
Wed Jul 18 14:08:37 2001: DEBUG: Check if Handler Realm=Enterasys should be used to handle this request
Wed Jul 18 14:08:37 2001: DEBUG: Handling request with Handler 'Realm=Enterasys'
Wed Jul 18 14:08:37 2001: DEBUG: Deleting session for user, 203.94.128.102,
Wed Jul 18 14:08:37 2001: DEBUG: Handling with Radius::AuthSQL
Wed Jul 18 14:08:37 2001: DEBUG: Handling with Radius::AuthSQL
Wed Jul 18 14:08:37 2001: DEBUG: Query is: select ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='user'
Wed Jul 18 14:08:37 2001: DEBUG: Radius::AuthSQL looks for match with user at Enterasys
Wed Jul 18 14:08:37 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password
Wed Jul 18 14:08:37 2001: DEBUG: Query is: select ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='DEFAULT'
Wed Jul 18 14:08:37 2001: INFO: Access rejected for user at Enterasys: Bad Password
Wed Jul 18 14:08:37 2001: DEBUG: Packet dump:
*** Sending to 192.168.0.17 port 1963 ....
Code: Access-Reject
Identifier: 74
Authentic: 5<202>;X<177><150><23><4><237>"<179>p<233>n<15><156>
Attributes:
Reply-Message = "Request Denied"
==================================================================
A log using PASSWORD :
==================================================================
Wed Jul 18 14:09:22 2001: INFO: Server started: Radiator 2.17.1 on radius
Wed Jul 18 14:09:28 2001: DEBUG: Packet dump:
*** Received from 192.168.0.17 port 1970 ....
Packet length = 56
01 4b 00 38 7f 4c 95 aa 9b 38 11 76 77 e4 4d 02
13 50 49 4e 01 06 75 73 65 72 02 12 ad 93 aa 13
0e 22 97 ba 44 06 12 33 c6 58 df d1 06 06 00 00
00 08 04 06 cb 5e 80 66
Code: Access-Request
Identifier: 75
Authentic: <127>L<149><170><155>8<17>vw<228>M<2><19>PIN
Attributes:
User-Name = "user"
User-Password = "<173><147><170><19><14>"<151><186>D<6><18>3<198>X<223><209>"
Service-Type = Authenticate-Only
NAS-IP-Address = 203.94.128.102
Wed Jul 18 14:09:28 2001: DEBUG: Check if Handler Realm=Enterasys should be used to handle this request
Wed Jul 18 14:09:28 2001: DEBUG: Handling request with Handler 'Realm=Enterasys'
Wed Jul 18 14:09:28 2001: DEBUG: Deleting session for user, 203.94.128.102,
Wed Jul 18 14:09:28 2001: DEBUG: Handling with Radius::AuthSQL
Wed Jul 18 14:09:28 2001: DEBUG: Handling with Radius::AuthSQL
Wed Jul 18 14:09:28 2001: DEBUG: Query is: select PASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='user'
Wed Jul 18 14:09:28 2001: DEBUG: Radius::AuthSQL looks for match with user at Enterasys
Wed Jul 18 14:09:28 2001: DEBUG: Radius::AuthSQL ACCEPT:
Wed Jul 18 14:09:28 2001: DEBUG: Access accepted for user at Enterasys
Wed Jul 18 14:09:28 2001: DEBUG: Packet dump:
*** Sending to 192.168.0.17 port 1970 ....
Code: Access-Accept
Identifier: 75
Authentic: <127>L<149><170><155>8<17>vw<228>M<2><19>PIN
Attributes:
==================================================================
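Added example, not part of the original post and not Radiator code: a standalone Python reimplementation of the MD5-crypt ($1$) scheme that unix_md5_crypt produces, used to test which candidate plaintext a stored ENCRYPTEDPASSWORD value corresponds to, independent of Radiator and the database. The function names are assumptions of this example; the empty string is a useful candidate because a generator that never receives its argument hashes an empty password.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$), the scheme unix_md5_crypt() implements."""
    salt = salt[:8]                          # only 8 salt characters are used
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    ctx.update(alt * (n // 16) + alt[:n % 16])
    while n:                                 # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):                    # fixed 1000-round stretching
        h = hashlib.md5(password if r & 1 else final)
        if r % 3:
            h.update(salt)
        if r % 7:
            h.update(password)
        h.update(final if r & 1 else password)
        final = h.digest()
    out = ""                                 # crypt's own base-64 byte order
    for i, j, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[i] << 16 | final[j] << 8 | final[k]
        out += "".join(ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def matching_plaintext(stored: str, candidates):
    """Return the candidate whose MD5-crypt hash equals `stored`, else None."""
    parts = stored.split("$")                # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1" or len(parts[3]) != 22:
        raise ValueError("not an MD5-crypt ($1$) hash: %r" % stored)
    for plain in candidates:
        computed = md5_crypt(plain.encode(), parts[2].encode())
        if hmac.compare_digest(computed, stored):
            return plain
    return None

if __name__ == "__main__":
    # ENCRYPTEDPASSWORD value from the table in the post; candidates are assumptions.
    stored = "$1$63f6a87c$GF5oBm1XkNbPzuhKn4DFi1"
    print(repr(matching_plaintext(stored, ["password", ""])))
```

A result of None means the stored value was produced from some other input (or was altered on the way into the table), which places the fault in hash generation or storage rather than in the AuthSelect query.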