Reply: Re: Reply: Re: (RADIATOR) Radiator - Probs with Authby SQL
Hugh Irvine
hugh at open.com.au
Fri Jul 12 17:39:07 CDT 2002
Hello Christian -
You are correct in your analysis below - what you describe is indeed how the
SQL interface operates.
The reason that the Cisco is complaining is because there is no "Service-Type
= Framed-User" in the reply - Ciscos are very picky about this.
An alternative approach for common reply attributes is to simply use an
AddToReply, like this:
<AuthBy SQL>
    ......
    AddToReply Service-Type = Framed-User, \
               Framed-Protocol = PPP, \
               Framed-IP-Address = .....
</AuthBy>
I am still curious to understand why your configuration file is not working.
regards
Hugh
On Fri, 12 Jul 2002 20:00, Christian Rautscher wrote:
> Hello Hugh,
>
> >Thanks for sending the DB record - which looks OK, so I am surprised that we
> >do not see the reply attributes that you have specified. Actually - I have
> >just noticed that you have a trailing comma ',' in the replyattr field, which
> >is probably confusing the parser.
>
> I did as you told me, but the result is still the same. Furthermore I
> tried with "Backslash" too, but still the same result.
> It's strange, and the debug on the Cisco Router tells me that there is
> "no appropriate authorization type for user", and in the Radiator log
> the Attribs still don't appear. Hmmm....Hugh, btw would it be possible
> to send me an easy "SQLExample for mysql" maybe for Framed-User
> authentication (radius.cfg and simple table SUBSCRIBERS?)
> (goodies I already checked without any success)
>
> Btw, I think that the problem must be somewhere in the following 3
> lines:
> QUERY:
> AuthSelect select password, checkattr, replyattr from SUBSCRIBERS
> where USERNAME='%U'
>
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, reply
>
> In my opinion the first (1) row defines the "rule" for the
> authentication, right? Using User/Pass check,
> and if that is right Radiator checks the Service-Type. (row 2)
> And then, e.g., if there is a Dialin-Connection and in the DB the
> user account shows "Service-Type = Framed-user"
> Radiator replies with the values of the next column (row 3). In my case there is
> the Framed protocol and the
> IP address, which I wish to assign automatically to the client.
>
> Maybe there exists another way out?
> What do you think?
>
> Thank you again for help Hugh.
> Christian
>
>
>
> Hello Christian -
>
> Thanks for sending the DB record - which looks OK, so I am surprised that we
> do not see the reply attributes that you have specified. Actually - I have
> just noticed that you have a trailing comma ',' in the replyattr field, which
> is probably confusing the parser.
>
> Please remove it and send me the results.
>
> regards
>
> Hugh
>
> On Thu, 11 Jul 2002 18:35, Christian Rautscher wrote:
> > Hi Hugh,
> > thank you for your quick response.
> >
> > >Could you please send me a couple of user definitions from your database, so I
> > >can see the contents of the various fields?
> >
> > What I did was to create a simple standard MySQL DB with the table
> > SUBSCRIBERS, where I defined
> > 4 different test accounts. Table columns are the following:
> >
> > USERNAME | PASSWORD | ENCRYPTED PASSWORD | CHECKATTR | REPLYATTR | TIMELEFT
> > test | test | NULL | Service-Type = Framed-User | Framed-Protocol = PPP, Framed-IP-Address= x.x.x.x, | NULL
> >
> > And in the table RADCLIENTLIST I defined only my NAS (IP) with the Radius
> > Key (Secret). Nothing else.
> >
> > I hope that the things I sent you can help you.
> > Thank you again and regards,
> > Christian
> >
> >
> >
> >
> >
> >
> > Hugh Irvine <hugh at open.com.au>@open.com.au on 11.07.2002 09:28:54
> >
> > Please reply to hugh at open.com.au
> >
> > Sent by: owner-radiator at open.com.au
> >
> >
> > To: "Christian Rautscher" <Christian.Rautscher at run.bz.it>,
> > radiator at open.com.au
> > Cc: (Bcc: Christian Rautscher/RUN/RAIFF)
> >
> > Subject: Re: (RADIATOR) Radiator - Probs with Authby SQL
> >
> >
> >
> > Ciao Christian -
> >
> >
> > thanks
> >
> > Hugh
> >
> > On Thu, 11 Jul 2002 00:27, Christian Rautscher wrote:
> > > Hi there,
> > >
> > > I'm actually testing Radiator 3.1 DEMO Version for different kinds
> > > of AccessAuthentications for different Services on Cisco Routers.
> > > When I tested Radiator by a "flat-file" Authentication everything
> > > went well.
> > > Actually I am using Mysql as DB and it works fine
> > > for Login and Administrative Services, but only the Dial-IN connections
> > > with PPP don't work. The Debug on my Cisco-Router tells me Authorization
> > > errors.
> > >
> > > ( I am sure that the Cisco Config is fine, 'coz it works with
> > > Radiator-Flat-File-Authentication)
> > >
> > > My Radiator config looks like this:
> > > ---------------------------------------------------------------------------
> > > <ClientListSQL>
> > > DBSource dbi:mysql:radius
> > > DBUsername [snip]
> > > DBAuth [snip]
> > > </ClientListSQL>
> > >
> > > <Realm DEFAULT>
> > > <AuthBy SQL>
> > > DBSource dbi:mysql:radius
> > > DBUsername [snip]
> > > DBAuth [snip]
> > >
> > > AuthSelect select password, checkattr, replyattr from SUBSCRIBERS
> > > where USERNAME='%U'
> > >
> > > AuthColumnDef 0, User-Password, check
> > > AuthColumnDef 1, GENERIC, check
> > > AuthColumnDef 2, GENERIC, reply
> > > ---------------------------------------------------------------------------
> > >
> > > The Radiator Log "trace 5" looks like this. The User Authentication seems
> > > to be going well, but after that
> > > in the Section of "Reply-Attributes" the log abruptly ends without any
> > > reason.
> > >
> > > I'd like to thank you in advance for your help, and if anyone needs
> > > any other
> > > information, please don't hesitate to contact me.
> > > Thank you and kind regards,
> > > Chris
> > >
> > >
> > > ----------------------------
> > > Log-File Radiator (trace5)
> > >
> > > Code: Access-Request
> > > Identifier: 131
> > > Authentic: <185><152>Mw&<156><132><27>h;<179><160>c6<233>9
> > > Attributes:
> > > NAS-IP-Address = [snip]
> > > NAS-Port = 74
> > > NAS-Port-Type = Async
> > > User-Name = "test"
> > > Called-Station-Id = "[snip]"
> > > Calling-Station-Id = "[snip]"
> > > User-Password = "[snip]"
> > > Service-Type = Framed-User
> > > Framed-Protocol = PPP
> > >
> > > Wed Jul 10 15:51:36 2002: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT'
> > > Wed Jul 10 15:51:36 2002: DEBUG: Deleting session for test,
> > > IP-ADDRESS[snip], 74
> > > Wed Jul 10 15:51:36 2002: DEBUG: Handling with Radius::AuthSQL
> > > Wed Jul 10 15:51:36 2002: DEBUG: Handling with Radius::AuthSQL:
> > > Wed Jul 10 15:51:36 2002: DEBUG: Query is: select password, checkattr,
> > > replyattr from SUBSCRIBERS where USERNAME='test'
> > >
> > > Wed Jul 10 15:51:36 2002: DEBUG: Radius::AuthSQL looks for match with
> > > bcomtest
> > > Wed Jul 10 15:51:36 2002: DEBUG: Radius::AuthSQL ACCEPT:
> > > Wed Jul 10 15:51:36 2002: DEBUG: Access accepted for test
> > > Wed Jul 10 15:51:36 2002: DEBUG: Packet dump:
> > > *** Sending to IP[snip] port 1645 ....
> > >
> > > Packet length = 20
> > > 02 83 00 14 9a 9e 5d 4b 4f 70 91 b2 73 7f f1 dc
> > > a1 6e 2b 7b
> > > Code: Access-Accept
> > > Identifier: 131
> > > Authentic: <185><152>Mw&<156><132><27>h;<179><160>c6<233>9
> > > Attributes:
> > >
> > >
> > >
> > >
> > > ===
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
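
Added example, not part of the original messages and not Radiator code: a Python check over the checkattr/replyattr strings stored in SUBSCRIBERS that flags the two issues raised in this thread, the trailing comma Hugh suspected and a reply that lacks Service-Type = Framed-User. The sample rows, the function names and the placeholder address are constructed, and splitting on commas outside double quotes is an assumption about the column format, not Radiator's own parser.

```python
import re

# Constructed sample rows (username, checkattr, replyattr), modelled on the
# SUBSCRIBERS record quoted in the thread; 192.0.2.10 is a placeholder address.
ROWS = [
    ("test", "Service-Type = Framed-User",
     "Framed-Protocol = PPP, Framed-IP-Address= 192.0.2.10,"),
    ("test2", "Service-Type = Framed-User",
     "Service-Type = Framed-User, Framed-Protocol = PPP"),
]

def split_attrs(text):
    """Split on commas that are outside double quotes; NULL/empty gives []."""
    if not text or not text.strip():
        return []
    return [s.strip() for s in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', text)]

def parse_attrs(text, column):
    """Return ({name: value}, [problems]) for one attribute column."""
    attrs, problems = {}, []
    for item in split_attrs(text):
        m = re.fullmatch(r'([A-Za-z0-9-]+)\s*=\s*(.+)', item)
        if not item:
            problems.append(f"{column}: empty item (stray or trailing comma)")
        elif not m:
            problems.append(f"{column}: not in 'Name = value' form: {item!r}")
        else:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs, problems

def lint_row(checkattr, replyattr):
    """List the problems found in one user's check and reply columns."""
    check, problems = parse_attrs(checkattr, "checkattr")
    reply, reply_problems = parse_attrs(replyattr, "replyattr")
    problems += reply_problems
    # Assumption: no AddToReply supplies Service-Type for this AuthBy clause.
    framed = check.get("Service-Type") == "Framed-User"
    if framed and reply.get("Service-Type") != "Framed-User":
        problems.append("replyattr: no Service-Type = Framed-User for a framed user")
    return problems

def lint_all(rows):
    return {user: lint_row(check, reply) for user, check, reply in rows}

if __name__ == "__main__":
    print(lint_all(ROWS))
```

If Service-Type is supplied by an AddToReply in the AuthBy clause, as suggested at the top of this message, the last check can be dropped.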