(RADIATOR) Continous looping of Radiator after config change
Hugh Irvine
hugh at open.com.au
Tue Feb 19 01:33:23 CST 2002
Hello Tim -
Thanks for sending the configuration file and the debug.
I am afraid I don't quite understand what the configuration file is meant to
be doing - can you please give me some details on how it is supposed to work?
Specifically - what is the AuthSelect statement meant to do?
thanks
Hugh
On Tue, 19 Feb 2002 10:20, Young, Tim wrote:
> Hello All.
>
> Been several years since I've had to post anything hear but here is my
> issue.
>
> We are upgrading from 2.13 to 2.19. I had copied over the radius.cfg file
> from the one machine to the next.
>
> When attempting to authenticate from a test server that works just fine on
> the 2.13 machine, I get this in the log file:
>
> ---Begin Log Excerpt----------------------------
> Mon Feb 18 14:43:42 2002: DEBUG: Handling request with Handler
> 'Realm=vpn.compuware.com'
> Mon Feb 18 14:43:42 2002: DEBUG: Deleting session for u43007,
> 10.255.255.5, 1645
> Mon Feb 18 14:43:42 2002: DEBUG: Handling with Radius::AuthSQL
> Mon Feb 18 14:43:42 2002: DEBUG: Handling with Radius::AuthSQL:
> Mon Feb 18 14:43:42 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where
> serauser='u43007 at vpn.compuware.com'
>
> Mon Feb 18 14:43:42 2002: DEBUG: Radius::AuthSQL looks for match with
> u43007 at vpn.compuware.com
> Mon Feb 18 14:43:42 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where serauser='DEFAULT'
>
> Mon Feb 18 14:43:42 2002: INFO: Access rejected for
> u43007 at vpn.compuware.com: No such user
> ---End Log Excerpt------------------------------
>
> It is failing because the realm has been appended to the username. In the
> config file which I have attached below, I am using the '%n' substitution
> and it works Ok in 2.13. I figured that there was some change between 2.13
> and 2.19 and I was correct. I attempted to use '%u' instead and the
> resulting logfile entry looks like this:
>
> ---Begin Log Excerpt----------------------------
> Mon Feb 18 14:51:52 2002: DEBUG: Handling request with Handler
> 'Realm=vpn.compuware.com'
> Mon Feb 18 14:51:52 2002: DEBUG: Deleting session for u33357,
> 10.255.255.5, 1645
> Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthSQL
> Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthSQL:
> Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where serauser='u33357'
>
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with
> u33357 at vpn.compuware.com
> Mon Feb 18 14:51:52 2002: ERR: Attribute number 79 is not defined in your
> dictionary
> Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with
> u33357 at vpn.compuware.com
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
> Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where serauser='u33357'
>
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT
> Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with
> u33357 at vpn.compuware.com
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
> Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where serauser='u33357'
>
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT1
> Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with
> u33357 at vpn.compuware.com
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
> Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where serauser='u33357'
>
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT2
> Mon Feb 18 14:51:52 2002: DEBUG: Handling with Radius::AuthUNIX: System
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthUNIX looks for match with
> u33357 at vpn.compuware.com
> Mon Feb 18 14:51:52 2002: DEBUG: Radius::AuthSQL REJECT: No such user
> Mon Feb 18 14:51:52 2002: DEBUG: Query is: select password, 'Service-Type =
> Login-User, Auth-Type = System' from serauser where serauser='u33357'
> ---End Log Excerpt------------------------------
>
> And it continues to throw these messages up until I kill the process.
>
> Here is the config file (less secrets) that I use on the 2.13 install. I
> would appreciate any help or direction anybody can give.
>
> Regards,
>
> Tim Young
> Internet Security Analyst
> Compuware Corporation
>
> ---Begin radius.cfg------------------------------
>
> # radius.cfg
> #
> # This is a very simple radius.cfg that you can use to get started.
> # only the most important parameters are set here. The full set
> # of parameters can be seen in radius.cfg in the top of the distribution
> tree.
> #
> # As it stands, it will authenticate a single client and a
> # single realm from a flat file
> # database, and save the accounting info to a single details file.
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 1997 Open System Consultants
> # $Id: radius.cfg,v 1.2 1998/03/01 11:54:16 mikem Exp $
>
> # Set this to the directory where your logfile and details file are to go
> LogDir /var/log/radius
> #LogFile %L/logfile.%C.%Y%m%d
> LogFile %L/logfile.%Y%m%d
> # Set this to the database directory. It should contain these files:
> # users The user database
> # dictionary The dictionary for your NAS
> DbDir /usr/local/etc/raddb
> PidFile /usr/local/etc/radiusd.pid
> #Trace 4
> Trace 4
> AuthPort 1645
> AcctPort 1646
>
> <Client localhost>
> Secret mysecret
> DupInterval 0
> </Client>
>
> # This clause defines a single client to listen to
> # Thebox.compuware.com - answers PAL requests
> <Client 1.2.3.4>
> Secret blah1
> DefaultRealm compuware.com
> </Client>
>
> # Replacement for thebox
> <Client 5.6.7.8>
> Secret blah2
> DefaultRealm compuware.com
> </Client>
>
> #Client config for boris (Shiva VPN server)
> #<Client boris.eco.compuware.com>
> # Secret blah3
> # DefaultRealm vpn.eco.compuware.com
> #</Client>
>
> # Client config for tkt2ride
> <Client tkt2ride.compuware.com>
> Secret blah4
> DefaultRealm vpn2.compuware.com
> IgnoreAcctSignature
> </Client>
>
> # Client config for ammut
> <Client ammut.compuware.com>
> Secret blah5
> DefaultRealm vpn3.compuware.com
> IgnoreAcctSignature
> </Client>
>
> # Client config for natasha
> <Client natasha.compuware.com>
> Secret blah6
> DefaultRealm vpn.compuware.com
> </Client>
>
> <Client rocky.nl.compuware.com>
> Secret blah7
> DefaultRealm vpn.nl.compuware.com
> </Client>
>
> <Realm vpn.eco.compuware.com>
> # <AuthBy FILE>
> # Filename %D/VPN_User
> # Nocache
> # DynamicCheck Group
> # </AuthBy>
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password, 'Service-Type = Login-User,
> Auth-Type = System' \
> from serauser where serauser='%n'
> EncryptedPassword
> </AuthBy>
> <AuthBy SQL>
> # DynamicCheck Group
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select seragroup from seragroup where
> serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
> AuthColumnDef 0, Shiva-VPN-Group, check
> </AuthBy>
> AcctLogFileName %L/Boris.%Y%m%d
> </Realm>
>
> <Realm vpn.compuware.com>
> # <AuthBy FILE>
> # Filename %D/VPN_User
> # Nocache
> # DynamicCheck Group
> # </AuthBy>
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password, 'Service-Type = Login-User,
> Auth-Type = System' \
> from serauser where serauser='%u'
> EncryptedPassword
> </AuthBy>
> <AuthBy SQL>
> # DynamicCheck Group
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select seragroup from seragroup where
> serauser='%u' and seragroup = '%{Shiva-VPN-Group}'
> AuthColumnDef 0, Shiva-VPN-Group, check
> </AuthBy>
> AcctLogFileName %L/Natasha.%Y%m%d
> </Realm>
>
> #Realm setup for tkt2ride
> <Realm vpn2.compuware.com>
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password, 'Service-Type = Login-User,
> Auth-Type = System' \
> from serauser where serauser='%n'
> EncryptedPassword
> </AuthBy>
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select seragroup from seragroup where
> serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
> AuthColumnDef 0, Shiva-VPN-Group, check
> </AuthBy>
> AcctLogFileName %L/tkt2ride.%Y%m%d
> </Realm>
>
>
>
> #Realm setup for ammut
> <Realm vpn3.compuware.com>
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password, 'Service-Type = Login-User,
> Auth-Type = System' \
> from serauser where serauser='%n'
> EncryptedPassword
> </AuthBy>
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select seragroup from seragroup where
> serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
> AuthColumnDef 0, Shiva-VPN-Group, check
> </AuthBy>
> AcctLogFileName %L/ammut.%Y%m%d
> </Realm>
>
> <Realm vpn.nl.compuware.com>
> # <AuthBy FILE>
> # Filename %D/VPN_User
> # Nocache
> # DynamicCheck Group
> # </AuthBy>
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password, 'Service-Type = Login-User,
> Auth-Type = System' \
> from serauser where serauser='%n'
> EncryptedPassword
> </AuthBy>
> <AuthBy SQL>
> # DynamicCheck Group
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select seragroup from seragroup where
> serauser='%n' and seragroup = '%{Shiva-VPN-Group}'
> AuthColumnDef 0, Shiva-VPN-Group, check
> </AuthBy>
> AcctLogFileName %L/Rocky.%Y%m%d
> </Realm>
>
> <Realm compuware.com>
> RewriteUsername s/^([^@]+).*/$1/
> # PasswordLogFileName %L/Worldcom.pass
> AuthByPolicy ContinueWhileAccept
> <AuthBy FILE>
> Filename %D/Worldcom_User
> </AuthBy>
> <AuthBy SQL>
> DynamicReply Service-Type
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password from serauser where serauser='%n'
> EncryptedPassword
> # AddToReply Service-Type = %{Service-Type}
> AddToReply Idle-Timeout = 1800, Service-Type=%{Service-Type}
> </AuthBy>
> # RewriteUsername s/^(.*)/$1 at compuware.com/
> AcctLogFileName %L/Worldcom.%Y%m%d
> </Realm>
>
> # This clause defines a single realm to handle
> #<Realm DEFAULT>
> # <AuthBy FILE>
> # # The filename defaults to %D/users
> # </AuthBy>
> # # Log accounting to the detail file in LogDir
> # AcctLogFileName %L/detail
> #</Realm>
>
> # The following is a dummy realm for holding authby Unix
>
> <Realm thisisnotarealrealmbutjustaholder>
> <AuthBy UNIX>
> Identifier System
> Filename %D/passwd
> GroupFilename %D/group
> DynamicCheck Group
> </AuthBy>
> </Realm>
> ---End radius.cfg-----------------------------------
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list