(RADIATOR) Mysql Authentication Failing
Roger Hedrick
Roger.Hedrick at voyager.net
Sat Jun 9 08:06:32 CDT 2001
Ok...I made the changes and simplified the configuration by removing the
query to return the checkattr and replyattr. It is still not authenticating.
One more piece of information...the encrypted password it is retrieving from
the mysql database was loaded from the /etc/shadow file on a solaris box.
Here is the config file:
Foreground
LogStdout
Trace 4
LogDir /usr/local/radius/log/
DbDir /usr/local/radius/etc/
LogFile %L/log_%Y-%m
<Client DEFAULT>
    Secret mysecret
    DupInterval 0
</Client>
#<SessionDatabase NULL>
#    Identifier nulldb
#</SessionDatabase>
<Realm DEFAULT>
    #PasswordLogFileName %L/password/log.%Y%m%d
    <AuthBy SQL>
        DBSource dbi:mysql:auth
        DBUsername radius
        DBAuth b at nANa5
        AuthSelect select password from subscriber where username='%U'
        AuthColumnDef 0, User-Password, check
        EncryptedPassword
    </AuthBy>
</Realm>
Here is the radius server debug:
./radiusd -config_file ../etc/veroom.cfg
Sat Jun 9 09:09:35 2001: INFO: Server started: Radiator 2.18.1 on elm
Sat Jun 9 09:09:49 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33923 ....
Code: Access-Request
Identifier: 154
Authentic: 1234567890123456
Attributes:
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<141><238>,<217><198>(<4><246><188>8<9><160><216>}x<153>"
Sat Jun 9 09:09:49 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Sat Jun 9 09:09:49 2001: DEBUG: Deleting session for testuser,
203.63.154.1, 1234
Sat Jun 9 09:09:49 2001: DEBUG: Handling with Radius::AuthSQL
Sat Jun 9 09:09:49 2001: DEBUG: Handling with Radius::AuthSQL
Sat Jun 9 09:09:49 2001: DEBUG: Query is: select password from subscriber
where username='testuser'
Sat Jun 9 09:09:49 2001: DEBUG: Radius::AuthSQL looks for match with testuser
Sat Jun 9 09:09:49 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password
Sat Jun 9 09:09:49 2001: DEBUG: Query is: select password from subscriber
where username='DEFAULT'
Sat Jun 9 09:09:49 2001: INFO: Access rejected for testuser: Bad Password
Sat Jun 9 09:09:49 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33923 ....
Code: Access-Reject
Identifier: 154
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Sat Jun 9 09:09:49 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33923 ....
Code: Accounting-Request
Identifier: 155
Authentic: %<143><17>^J7/<205>a<30><199><165>d:<250>+
Attributes:
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Sat Jun 9 09:09:49 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Sat Jun 9 09:09:49 2001: DEBUG: Adding session for testuser,
203.63.154.1, 1234
Sat Jun 9 09:09:49 2001: DEBUG: Handling with Radius::AuthSQL
Sat Jun 9 09:09:49 2001: DEBUG: Handling accounting with Radius::AuthSQL
Sat Jun 9 09:09:49 2001: DEBUG: Accounting accepted
Sat Jun 9 09:09:49 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33923 ....
Code: Accounting-Response
Identifier: 155
Authentic: %<143><17>^J7/<205>a<30><199><165>d:<250>+
Attributes:
Sat Jun 9 09:09:49 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33923 ....
Code: Accounting-Request
Identifier: 156
Authentic: <142><0><142>V<218><14>.sP<196><26><11><161><210><229><157>
Attributes:
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Sat Jun 9 09:09:50 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Sat Jun 9 09:09:50 2001: DEBUG: Deleting session for testuser,
203.63.154.1, 1234
Sat Jun 9 09:09:50 2001: DEBUG: Handling with Radius::AuthSQL
Sat Jun 9 09:09:50 2001: DEBUG: Handling accounting with Radius::AuthSQL
Sat Jun 9 09:09:50 2001: DEBUG: Accounting accepted
Sat Jun 9 09:09:50 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33923 ....
Code: Accounting-Response
Identifier: 156
Authentic: <142><0><142>V<218><14>.sP<196><26><11><161><210><229><157>
Attributes:
Seems like there is still a problem with the password comparison.
Please help...I am not getting out of the gates on this one.
Roger
At 02:44 PM 6/9/01 +1000, you wrote:
>Hello Roger -
>
> >
> > I was able to get radiator installed and tested using the simple.cfg
> > configuration
> > against the fred user.
> >
>
>Good.
>
> > I am having problems testing authentication against a mysql database.
> > Debug from the radius server looks as if it is losing the password entered
> > from the radpwtst program. It does look like it is able to get the
> > encrypted password from the mysql database. Is the radpwtst not a good
> > test to use against
> > an encrypted password entry from the mysql database? The 'AuthSql: Reject'
> > debug message from the server seems to lead to a password comparison
> > mismatch.
> >
> > What am I doing wrong?
> >
> > I have included the following:
> > 1) Radius config file
> > 2) radpwtst command output
> > 3) radiusd server debug
> > 4) mysql select output showing user account entry
> >
>
>Thanks for providing this very complete problem description.
>
>See below for my comments.
>
> >
> > <Realm DEFAULT>
> > #PasswordLogFileName %L/password/log.%Y%m%d
> > <AuthBy SQL>
> > DBSource dbi:mysql:auth
> > DBUsername xxxxx
> > DBAuth xxxxx
> >
> > AuthSelect select password, checkattr, replyattr \
> > from subscriber where username='%U'
> >
> > AuthColumnDef 0, Encypted-Password, check
> > #EncryptedPassword
> > </AuthBy>
> > </Realm>
> >
>
>The configuration file is incorrect. The AuthColumnDef should indicate to
>Radiator what SQL response value and what radius attribute should be compared.
>
>As you can see from the packet dump below, the radius attribute containing
>the password is called "User-Password", hence you should use this:
>
> AuthColumnDef 0, User-Password, check
>
>In addition, if this is an encrypted password you will also need this:
>
> EncryptedPassword
>
>Alternatively, the passwords in the database can have the standard prefixes
>on the strings to indicate what form of encryption they are using ({crypt},
>$1$, {SHA}, {MD5},...). See section 13.1.2 in the Radiator 2.18.2 manual.
>
> > ../radiusd -config_file ../etc/axiom.cfg
> > Fri Jun 8 22:45:22 2001: INFO: Server started: Radiator 2.18.1 on elm
> > Fri Jun 8 22:46:10 2001: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 33799 ....
> > Code: Access-Request
> > Identifier: 220
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "testuser"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password =
> > "<141><238>,<217><198>(<4><246><188>8<9><160><216>}x<153>"
> >
>
>hth
>
>Hugh
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
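
A check for the stored-password formats named in the reply above, as an added example that is not part of the original thread and is not Radiator's code: it classifies the value the AuthSelect query returns and compares a candidate password against it, flagging rows (trailing whitespace, truncated or locked entries) that can never match. The function names, the sample rows and the base64 encoding assumed for {SHA} are assumptions.

```python
import base64, hashlib, hmac, re

try:                        # crypt(3) binding; absent from Python 3.13+ and Windows
    import crypt as _crypt
except ImportError:
    _crypt = None

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                            # classic crypt
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")  # MD5-crypt

def classify(stored):
    """Name the format of the value AuthSelect returned in column 0."""
    if stored != stored.strip():
        return "whitespace-padded"   # e.g. a newline kept by the import script
    if stored in ("", "NP", "*LK*"):
        return "locked-or-empty"     # Solaris shadow markers, never a real hash
    for prefix in ("{crypt}", "{SHA}", "{MD5}"):
        if stored.startswith(prefix):
            return prefix
    if MD5_RE.match(stored):
        return "$1$"
    if DES_RE.match(stored):
        return "des-crypt"
    return "unknown"                 # plaintext, truncated column, other scheme

def sha_entry(password):
    """Build a {SHA} entry: base64 of the raw SHA-1 digest (assumed encoding)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def check(password, stored):
    """True/False when the comparison can be made here, otherwise None."""
    kind = classify(stored)
    if kind == "{SHA}":
        return hmac.compare_digest(sha_entry(password), stored)
    if kind in ("des-crypt", "$1$", "{crypt}") and _crypt is not None:
        body = stored[len("{crypt}"):] if kind == "{crypt}" else stored
        try:
            result = _crypt.crypt(password, body)   # salt is read from the hash
        except OSError:
            return None                             # scheme disabled in this libc
        return result is not None and hmac.compare_digest(result, body)
    return None

# Constructed sample rows (username, password column); not taken from the post.
ROWS = [("a", "abJnggxhB/yWI"), ("b", "abJnggxhB/yWI\n"), ("c", "abJnggxhB/y"),
        ("d", "*LK*"), ("e", sha_entry("fred"))]

if __name__ == "__main__":
    for user, stored in ROWS:
        print(user, classify(stored), check("fred", stored))
```

A row reported as whitespace-padded, unknown or locked-or-empty is worth fixing in the database before looking at the server configuration.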