(RADIATOR) Mysql Authentication Failing

Hugh Irvine hugh at open.com.au
Fri Jun 8 23:44:56 CDT 2001


Hello Roger -

>
> I was able to get radiator installed and tested using the simple.cfg
> configuration against the fred user.
>

Good.

> I am having problems testing authentication against a mysql database.
> Debug from the radius server looks as if it is losing the password entered
> from the radpwtst program.  It does look like it is able to get the
> encrypted password from the mysql database.  Is the radpwtst not a good
> test to use against an encrypted password entry from the mysql database?
> The 'AuthSql: Reject' debug message from the server seems to lead to a
> password comparison mismatch.
>
> What am I doing wrong?
>
> I have included the following:
> 1) Radius config file
> 2) radpwtst command output
> 3) radiusd server debug
> 4) mysql select output showing user account entry
>

Thanks for providing this very complete problem description.

See below for my comments.

>
> <Realm DEFAULT>
>      #PasswordLogFileName %L/password/log.%Y%m%d
>      <AuthBy SQL>
>          DBSource        dbi:mysql:auth
>          DBUsername      xxxxx
>          DBAuth          xxxxx
>
>          AuthSelect select password, checkattr, replyattr \
>            from subscriber where username='%U'
>
>          AuthColumnDef 0, Encypted-Password, check
>          #EncryptedPassword
>      </AuthBy>
> </Realm>
>

The configuration file is incorrect. The AuthColumnDef should indicate to 
Radiator what SQL response value and what radius attribute should be compared.

As you can see from the packet dump below, the radius attribute containing 
the password is called "User-Password", hence you should use this:

          AuthColumnDef 0, User-Password, check

In addition, if this is an encrypted password you will also need this:

          EncryptedPassword

Alternatively, the passwords in the database can have the standard prefixes 
on the strings to indicate what form of encryption they are using ({crypt}, 
$1$, {SHA}, {MD5},...). See section 13.1.2 in the Radiator 2.18.2 manual.

> ../radiusd -config_file ../etc/axiom.cfg
> Fri Jun  8 22:45:22 2001: INFO: Server started: Radiator 2.18.1 on elm
> Fri Jun  8 22:46:10 2001: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33799 ....
> Code:       Access-Request
> Identifier: 220
> Authentic:  1234567890123456
> Attributes:
>          User-Name = "testuser"
>          Service-Type = Framed-User
>          NAS-IP-Address = 203.63.154.1
>          NAS-Port = 1234
>          Called-Station-Id = "123456789"
>          Calling-Station-Id = "987654321"
>          NAS-Port-Type = Async
>          User-Password =
> "<141><238>,<217><198>(<4><246><188>8<9><160><216>}x<153>"
>

hth

Hugh
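
Added example, not part of the original message and not Radiator's own code: why User-Password looks scrambled in the packet dump (RFC 2865 section 5.2 obfuscation with the shared secret and the request authenticator), and how the recovered password can then be checked against a prefixed hash from the database. The shared secret, the password and the base64 digest encoding behind `{SHA}` and `{MD5}` are assumptions; `{crypt}` and `$1$` are left out.

```python
import base64
import hashlib
import hmac

# Constructed sample values, except AUTHENTICATOR, which is the
# "Authentic:" field shown in the packet dump above.
SECRET = b"mysecret"                 # assumed shared secret
AUTHENTICATOR = b"1234567890123456"
PASSWORD = b"testpass"               # constructed password for testuser

def hide_password(password, secret, authenticator):
    """Client side: obfuscate User-Password as in RFC 2865 section 5.2."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Server side: undo the obfuscation to get the password as typed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def make_stored(password, scheme="SHA"):
    """Build a prefixed database value (assumed base64 digest encoding)."""
    algo = {"SHA": "sha1", "MD5": "md5"}[scheme]
    digest = hashlib.new(algo, password).digest()
    return "{%s}" % scheme + base64.b64encode(digest).decode()

def check_stored(cleartext, stored):
    """Hash the recovered password the way the stored prefix says."""
    for scheme in ("SHA", "MD5"):
        if stored.startswith("{%s}" % scheme):
            return hmac.compare_digest(make_stored(cleartext, scheme), stored)
    return False   # unknown or missing prefix: reject rather than guess

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("on the wire:", hidden.hex())
    typed = recover_password(hidden, SECRET, AUTHENTICATOR)
    print("accepted:", check_stored(typed, make_stored(PASSWORD)))
```

This works only for PAP-style requests, where the server can recover the typed password; CHAP needs the cleartext password on the server side, so a hashed database column cannot satisfy it.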
