(RADIATOR) Continuous looping of Radiator after config change

Young, Tim Tim.Young at compuware.com
Mon Feb 18 17:20:05 CST 2002


Hello All.

Been several years since I've had to post anything here but here is my
issue.

We are upgrading from 2.13 to 2.19. I had copied over the radius.cfg file
from the one machine to the next.

When attempting to authenticate from a test server that works just fine on
the 2.13 machine, I get this in the log file:

---Begin Log Excerpt----------------------------
Mon Feb 18 14:43:42 2002: DEBUG: Handling request with Handler 'Realm=vpn.compuware.com'
Mon Feb 18 14:43:42 2002: DEBUG:  Deleting session for u43007, 10.255.255.5, 1645
Mon Feb 18 14:43:42 2002: DEBUG: Handling with Radius::AuthSQL
Mon Feb 18 14:43:42 2002: DEBUG: Handling with Radius::AuthSQL:
Mon Feb 18 14:43:42 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='u43007 at vpn.compuware.com'

Mon Feb 18 14:43:42 2002: DEBUG: Radius::AuthSQL looks for match with u43007 at vpn.compuware.com
Mon Feb 18 14:43:42 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='DEFAULT'

Mon Feb 18 14:43:42 2002: INFO: Access rejected for u43007 at vpn.compuware.com: No such user
---End Log Excerpt------------------------------

It is failing because the realm has been appended to the username. In the
config file which I have attached below, I am using the '%n' substitution
and it works Ok in 2.13. I figured that there was some change between 2.13
and 2.19 and I was correct. I attempted to use '%u' instead and the
resulting logfile entry looks like this:

---Begin Log Excerpt----------------------------
Mon Feb 18 14:51:52 2002: DEBUG: Handling request with Handler 'Realm=vpn.compuware.com'
Mon Feb 18 14:51:52 2002: DEBUG:  Deleting session for u33357, 10.255.255.5, 1645
Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthSQL
Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthSQL:
Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='u33357'

Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with u33357 at vpn.compuware.com
Mon Feb 18 14:51:52 2002: ERR: Attribute number 79 is not defined in your dictionary
Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with u33357 at vpn.compuware.com
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='u33357'

Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT
Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with u33357 at vpn.compuware.com
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='u33357'

Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with u33357 at vpn.compuware.com
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='u33357'

Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with DEFAULT2
Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with u33357 at vpn.compuware.com
Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type = Login-User, Auth-Type = System'  from serauser where serauser='u33357'
---End Log Excerpt------------------------------

And it continues to throw these messages up until I kill the process.

Here is the config file (less secrets) that I use on the 2.13 install. I
would appreciate any help or direction anybody can give.

Regards,

Tim Young
Internet Security Analyst
Compuware Corporation

---Begin radius.cfg------------------------------

# radius.cfg
#
# This is a very simple radius.cfg that you can use to get started.
# only the most important parameters are set here. The full set
# of parameters can be seen in radius.cfg in the top of the distribution tree.
#
# As it stands, it will authenticate a single client and a 
# single realm from a flat file
# database, and save the accounting info to a single details file.
#
# Author: Mike McCauley (mikem at open.com.au)
# Copyright (C) 1997 Open System Consultants
# $Id: radius.cfg,v 1.2 1998/03/01 11:54:16 mikem Exp $

# Set this to the directory where your logfile and details file are to go
LogDir /var/log/radius
#LogFile	%L/logfile.%C.%Y%m%d
LogFile	%L/logfile.%Y%m%d
# Set this to the database directory. It should contain these files:
# users           The user database
# dictionary      The dictionary for your NAS
DbDir /usr/local/etc/raddb
PidFile 	/usr/local/etc/radiusd.pid
#Trace 4
Trace 4
AuthPort	1645
AcctPort	1646

<Client localhost>
	Secret mysecret
	DupInterval 0
</Client>

# This clause defines a single client to listen to
# Thebox.compuware.com - answers PAL requests
<Client 1.2.3.4>
	Secret   blah1
	DefaultRealm compuware.com
</Client>

# Replacement for thebox
<Client 5.6.7.8>
	Secret blah2
	DefaultRealm compuware.com
</Client>

#Client config for boris (Shiva VPN server)
#<Client boris.eco.compuware.com>
#	Secret blah3
#	DefaultRealm vpn.eco.compuware.com
#</Client>

# Client config for tkt2ride
<Client tkt2ride.compuware.com>
	Secret blah4
	DefaultRealm vpn2.compuware.com
	IgnoreAcctSignature
</Client>

# Client config for ammut 
<Client ammut.compuware.com>
	Secret blah5
	DefaultRealm vpn3.compuware.com
	IgnoreAcctSignature
</Client>

# Client config for natasha
<Client natasha.compuware.com>
	Secret blah6
	DefaultRealm vpn.compuware.com
</Client>

<Client rocky.nl.compuware.com>
	Secret blah7
	DefaultRealm vpn.nl.compuware.com
</Client>

<Realm vpn.eco.compuware.com>
#	<AuthBy FILE>
#		Filename %D/VPN_User
#		Nocache
#		DynamicCheck Group
#	</AuthBy>
	AuthByPolicy ContinueWhileAccept
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
			from serauser where serauser='%n'
		EncryptedPassword
	</AuthBy>
	<AuthBy SQL>
#		DynamicCheck Group
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select seragroup from seragroup where serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
		AuthColumnDef 0, Shiva-VPN-Group, check
	</AuthBy>
	AcctLogFileName %L/Boris.%Y%m%d
</Realm>

<Realm vpn.compuware.com>
#	<AuthBy FILE>
#		Filename %D/VPN_User
#		Nocache
#		DynamicCheck Group
#	</AuthBy>
	AuthByPolicy ContinueWhileAccept
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
			from serauser where serauser='%u'
		EncryptedPassword
	</AuthBy>
	<AuthBy SQL>
#		DynamicCheck Group
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select seragroup from seragroup where serauser='%u' and seragroup = '%{Shiva-VPN-Group}'
		AuthColumnDef 0, Shiva-VPN-Group, check
	</AuthBy>
	AcctLogFileName %L/Natasha.%Y%m%d
</Realm>

#Realm setup for tkt2ride
<Realm vpn2.compuware.com>
	AuthByPolicy ContinueWhileAccept
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
			from serauser where serauser='%n'
		EncryptedPassword
	</AuthBy>
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select seragroup from seragroup where serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
		AuthColumnDef 0, Shiva-VPN-Group, check
	</AuthBy>
	AcctLogFileName %L/tkt2ride.%Y%m%d
</Realm>



#Realm setup for ammut
<Realm vpn3.compuware.com>
	AuthByPolicy ContinueWhileAccept
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
			from serauser where serauser='%n'
		EncryptedPassword
	</AuthBy>
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select seragroup from seragroup where serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
		AuthColumnDef 0, Shiva-VPN-Group, check
	</AuthBy>
	AcctLogFileName %L/ammut.%Y%m%d
</Realm>

<Realm vpn.nl.compuware.com>
#	<AuthBy FILE>
#		Filename %D/VPN_User
#		Nocache
#		DynamicCheck Group
#	</AuthBy>
	AuthByPolicy ContinueWhileAccept
	<AuthBy SQL>
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select password, 'Service-Type = Login-User, Auth-Type = System'  \
			from serauser where serauser='%n'
		EncryptedPassword
	</AuthBy>
	<AuthBy SQL>
#		DynamicCheck Group
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select seragroup from seragroup where serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
		AuthColumnDef 0, Shiva-VPN-Group, check
	</AuthBy>
	AcctLogFileName %L/Rocky.%Y%m%d
</Realm>

<Realm compuware.com>
	RewriteUsername s/^([^@]+).*/$1/
#	PasswordLogFileName %L/Worldcom.pass
	AuthByPolicy ContinueWhileAccept
	<AuthBy FILE>
		Filename %D/Worldcom_User
	</AuthBy>
	<AuthBy SQL>
		DynamicReply Service-Type
		DBSource dbi:mysql:serauser
		DBUsername radius
		DBAuth blah 
		AuthSelect select password from serauser where serauser='%n'
		EncryptedPassword
#		AddToReply Service-Type = %{Service-Type}
		AddToReply Idle-Timeout = 1800, Service-Type=%{Service-Type}
	</AuthBy>
#	RewriteUsername s/^(.*)/$1 at compuware.com/
	AcctLogFileName %L/Worldcom.%Y%m%d
</Realm>

# This clause defines a single realm to handle
#<Realm DEFAULT>
#	<AuthBy FILE>
#		# The filename defaults to %D/users
#	</AuthBy>
#	# Log accounting to the detail file in LogDir
#	AcctLogFileName	%L/detail
#</Realm>

# The following is a dummy realm for holding authby Unix

<Realm thisisnotarealrealmbutjustaholder>
	<AuthBy UNIX>
		Identifier System
		Filename	%D/passwd
		GroupFilename	%D/group
		DynamicCheck Group
	</AuthBy>
</Realm>
---End radius.cfg-----------------------------------
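
An added example, not part of the original post and not Radiator code: a Python check for the pattern visible in the second log excerpt, where the lookup name advances through DEFAULT, DEFAULT1, DEFAULT2 while the logged query keeps selecting the same user. The function names, the threshold, the user alice and the realm vpn.example.com are assumptions made for the example, and the traces are constructed.

```python
import re

# One trace entry: "Mon Feb 18 14:51:52 2002: DEBUG: message"
ENTRY = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}: [A-Z]+: ?(.*)$")
LOOKUP = re.compile(r"Radius::AuthSQL looks for match with (\S+)")
DEFAULT_NAME = re.compile(r"^DEFAULT\d*$")

def entries(lines):
    """Return log messages, folding mail-wrapped continuation lines back in."""
    out = []
    for raw in lines:
        m = ENTRY.match(raw.strip())
        if m:
            out.append(m.group(1).strip())
        elif raw.strip() and out:
            out[-1] += " " + raw.strip()
    return out

def scan(lines, threshold=3):
    """Return one summary per request; 'looping' marks repeated stale fallbacks."""
    requests, last_query = [], ""
    for msg in entries(lines):
        if msg.startswith("Handling request with Handler"):
            requests.append({"handler": msg.split("Handler", 1)[1].strip(),
                             "default_lookups": 0, "stale_queries": 0})
            last_query = ""
        elif msg.startswith("Query is:"):
            last_query = msg
        elif requests and (m := LOOKUP.search(msg)) and DEFAULT_NAME.match(m.group(1)):
            req = requests[-1]
            req["default_lookups"] += 1
            # The query logged just before a DEFAULTn lookup should select DEFAULTn.
            if f"'{m.group(1)}'" not in last_query:
                req["stale_queries"] += 1
    return [dict(r, looping=r["stale_queries"] >= threshold) for r in requests]

# Constructed traces (user "alice" and realm vpn.example.com are made up).
TS = "Mon Feb 18 14:51:52 2002: DEBUG: "
def sample(pairs):
    out = [TS + "Handling request with Handler 'Realm=vpn.example.com'"]
    for queried, looked_up in pairs:
        out += [TS + f"Query is: select password from serauser where serauser='{queried}'",
                "", TS + "Radius::AuthSQL looks for match with", looked_up]
    return out

STUCK = sample([("alice", "alice@vpn.example.com"), ("alice", "DEFAULT"),
                ("alice", "DEFAULT1"), ("alice", "DEFAULT2")])
NORMAL = sample([("alice@vpn.example.com", "alice@vpn.example.com"), ("DEFAULT", "DEFAULT")])

if __name__ == "__main__": print(scan(STUCK), scan(NORMAL), sep="\n")
```

Run against a Trace 4 log file with `scan(open(path))`; a request whose `stale_queries` keeps climbing is the one to kill and investigate.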