(RADIATOR) Mysql Authentication Failing

Roger Hedrick Roger.Hedrick at myaxiom.net
Sat Jun 9 08:19:00 CDT 2001


Ok...It definitely has something to do with the fact that the mysql
database is using encrypted password.  If I change the password in the
mysql database to be a clear text password...and change the configuration
file it auth's correctly.  It definitely has something to do with the
comparison of the clear text password coming from radpwtst against the
encrypted password retrieved from the database.

Do NAS servers generally send the passwords as clear text or encrypted?

I would hope there is some way to make the NAS server send encrypted password.

Is radpwtst a valid test compared to an actual NAS request?

I just hope that I don't get it working using radpwtst and then find out I
have to work the password problem all over again because of the way
Livingston gear makes requests.

I feel I am close but still missing something.  Help...

Roger

At 02:44 PM 6/9/01 +1000, you wrote:

>Hello Roger -
>
> >
> > I was able to get radiator installed and tested using the simple.cfg
> > configuration
> > against the fred user.
> >
>
>Good.
>
> > I am having problems testing authentication against a mysql database.
> > Debug from the radius server looks as if it is losing the password entered
> > from the radpwtst program.  It does look like it is able to get the
> > encrypted password from the mysql database.  Is the radpwtst not a good
> > test to use against
> > an encrypted password entry from the mysql database?  The 'AuthSql: Reject'
> > debug message from the server seems to lead to a password comparison
> > mismatch.
> >
> > What am I doing wrong?
> >
> > I have included the following:
> > 1) Radius config file
> > 2) radpwtst command output
> > 3) radiusd server debug
> > 4) mysql select output showing user account entry
> >
>
>Thanks for providing this very complete problem description.
>
>See below for my comments.
>
> >
> > <Realm DEFAULT>
> >      #PasswordLogFileName %L/password/log.%Y%m%d
> >      <AuthBy SQL>
> >          DBSource        dbi:mysql:auth
> >          DBUsername      xxxxx
> >          DBAuth          xxxxx
> >
> >          AuthSelect select password, checkattr, replyattr \
> >            from subscriber where username='%U'
> >
> >          AuthColumnDef 0, Encypted-Password, check
> >          #EncryptedPassword
> >      </AuthBy>
> > </Realm>
> >
>
>The configuration file is incorrect. The AuthColumnDef should indicate to
>Radiator what SQL response value and what radius attribute should be compared.
>
>As you can see from the packet dump below, the radius attribute containing
>the password is called "User-Password", hence you should use this:
>
>           AuthColumnDef 0, User-Password, check
>
>In addition, if this is an encrypted password you will also need this:
>
>           EncryptedPassword
>
>Alternatively, the passwords in the database can have the standard prefixes
>on the strings to indicate what form of encryption they are using ({crypt},
>$1$, {SHA}, {MD5},...). See section 13.1.2 in the Radiator 2.18.2 manual.
>
> > ../radiusd -config_file ../etc/axiom.cfg
> > Fri Jun  8 22:45:22 2001: INFO: Server started: Radiator 2.18.1 on elm
> > Fri Jun  8 22:46:10 2001: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 33799 ....
> > Code:       Access-Request
> > Identifier: 220
> > Authentic:  1234567890123456
> > Attributes:
> >          User-Name = "testuser"
> >          Service-Type = Framed-User
> >          NAS-IP-Address = 203.63.154.1
> >          NAS-Port = 1234
> >          Called-Station-Id = "123456789"
> >          Calling-Station-Id = "987654321"
> >          NAS-Port-Type = Async
> >          User-Password =
> > "<141><238>,<217><198>(<4><246><188>8<9><160><216>}x<153>"
> >
>
>hth
>
>Hugh
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on radiator-announce at open.com.au
>To unsubscribe, email 'majordomo at open.com.au' with
>'unsubscribe radiator' in the body of the message.
