(RADIATOR) Endless-Loop when wrong passwd and AuthBySQL

Peter Gruber Peter.Gruber at uni-klu.ac.at
Thu Apr 17 07:27:34 CDT 2003


Hi all,

I use the AuthBySQL to authenticate via an Oracle-Database. When the passwd is correct, everything works fine. When the password is incorrect, the radiator goes into an endless-loop (see the trace 4 - output) and can just be "-9" killed. During this loop, it is not possible to authenticate even with the correct password - the radiusd seems to be completely confused.

I use the Radiator 3.5 (Demo) on a debian-box.

Did anybody have the same problem or know what could be the reason for that behaviour?


Best regards and THX ahead,
Peter


This is the output of the Trace 4:
*** Received from x.y.z.z port 1645 ....
Code:       Access-Request
Identifier: 54
Authentic:  <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
Attributes:
        Framed-Protocol = PPP
        Username = "wedu at xxx"
        CHAP-Password = xxx
        NAS-Port = 1
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-IP-Address = x.y.z.z

Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Apr 17 13:43:04 2003: DEBUG:  Deleting session for wedu at xxx, x.y.z.z, 1
Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL: 
Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  adsl_auth WHERE username = 'wedu'

Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with wedu at xxx
Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  adsl_auth WHERE username = 'wedu'

Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  adsl_auth WHERE username = 'wedu'

Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  adsl_auth WHERE username = 'wedu'

Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT2
Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  adsl_auth WHERE username = 'wedu'

Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT3
Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  adsl_auth WHERE username = 'wedu'

and so on...



This is the (partial) radius.cfg:
Trace 4

Foreground
AuthPort 1812
AcctPort 1813
DictionaryFile /usr/local/etc/dictionary
DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
LogDir /var/log/radius
LogFile /var/log/radius/radius.log

<Client DEFAULT>
        Secret  testsecret
        DupInterval 2
</Client>


<Realm DEFAULT>
    PasswordLogFileName /var/log/radius/password.log
    AcctLogFileName /var/log/radius/acct.log

    <AuthBy SQL>
        DBSource        dbi:Oracle:xxx
        DBUsername      xxx
        DBAuth          xxx

        AuthSelect SELECT passwd, \
                          servicetype, \
                          framedprotocol,\
                          ip_address,\
                          framedipnetmask,\
                          ciscoavpair \
                   FROM  xxxxx \
                   WHERE username = '%w'

        AuthColumnDef 0,User-Password, check
        AuthColumnDef 1,Service-Type,reply
        AuthColumnDef 2,Framed-Protocol,reply
        AuthColumnDef 3,Framed-IP-Address,reply
        AuthColumnDef 4,Framed-IP-Netmask,reply
        AuthColumnDef 5,cisco-avpair,reply

        IgnoreAccounting
    </AuthBy>


    <AuthBy GROUP>
       AuthByPolicy All
       IgnoreAuthentication
    <AuthBy SQL>
         DBSource        dbi:Oracle:xxx
         DBUsername      xxx
         DBAuth          xxx
         AccountingStartsOnly
         IgnoreAuthentication
         AcctSQLStatement update /*+ USE_CONCAT */ xxx \
.
.
.                
    </AuthBy>

    <AuthBy SQL>
        DBSource        dbi:Oracle:xxx
        DBUsername      xxx
        DBAuth          xxx
        AccountingAlivesOnly
        AcctFailedLogFileName /var/log/radius/acctfail.log
        IgnoreAuthentication
        AcctSQLStatement insert into xxx
.
.
.                 
        AcctSQLStatement update /*+ USE_CONCAT */ xxx \
.
.
.                        
    </AuthBy>

    <AuthBy SQL>
         DBSource        dbi:Oracle:xxx
         DBUsername      xxx
         DBAuth          xxx
         AccountingStopsOnly
         AcctFailedLogFileName /var/log/radius/acctfail.log
         IgnoreAuthentication
         AcctSQLStatement insert into xxx
.                              
.
.
         AcctSQLStatement update /*+ USE_CONCAT */ xxx \
.
.
.                    
    </AuthBy>
    </AuthBy>
</Realm>
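
Added example (not part of the original post and not Radiator code): a Python check that scans Trace 4 output of the shape shown above and flags a request whose AuthSQL lookups walk through DEFAULT, DEFAULT1, DEFAULT2, ... while the logged query text never changes, which is the signature of the loop in this trace. The sample input is rebuilt from the trace lines in the post; the names find_default_loops and sample_trace and the threshold of 3 are assumptions of this example.

```python
import re

# Shape of the Trace 4 DEBUG lines shown in the post.
LINE = re.compile(r"^(?P<ts>.+? \d{4}): DEBUG: (?P<msg>.*)$")
LOOKUP = re.compile(r"^Radius::AuthSQL looks for match with (?P<name>.+)$")
DEFAULT_N = re.compile(r"^DEFAULT\d*$")

def find_default_loops(lines, threshold=3):
    """Flag requests with >= threshold DEFAULTn lookups that all ran one query."""
    findings, cur = [], None
    def close():
        if cur and cur["defaults"] >= threshold and len(cur["queries"]) == 1:
            findings.append({"first_seen": cur["ts"],
                             "default_lookups": cur["defaults"],
                             "last_name": cur["last"],
                             "query": next(iter(cur["queries"]))})

    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, wrapped query tails, packet dumps
        msg = m["msg"]
        if msg.startswith("Handling request with Handler"):
            close()  # a new request starts: judge the previous one
            cur = {"ts": m["ts"], "queries": set(), "defaults": 0, "last": None}
        elif cur is None:
            continue
        elif msg.startswith("Query is: "):
            cur["queries"].add(msg[len("Query is: "):].strip())
        else:
            lk = LOOKUP.match(msg)
            if lk and DEFAULT_N.match(lk["name"]):
                cur["defaults"] += 1
                cur["last"] = lk["name"]
    close()  # also judge the last request, even if the log is still growing
    return findings

# Sample input rebuilt from the trace in the post; sample_trace is a helper for this example.
TS = "Thu Apr 17 13:43:04 2003: DEBUG: "
QUERY = ("SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,"
         "ciscoavpair FROM  adsl_auth WHERE username = 'wedu'")

def sample_trace(names, query=QUERY):
    out = [TS + "Handling request with Handler 'Realm=DEFAULT'"]
    for name in names:
        out += [TS + "Query is: " + query,
                TS + "Radius::AuthSQL looks for match with " + name,
                TS + "Radius::AuthSQL REJECT: Bad Password"]
    return out
```

Because the last request is evaluated at end of input, the check also works on a partial copy of a log that is still being written while the server loops.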