(RADIATOR) Endless-Loop when wrong passwd and AuthBySQL
Hugh Irvine
hugh at open.com.au
Thu Apr 17 18:27:44 CDT 2003
Hello Peter -
Thanks for sending the log and the configuration file.
Radiator by default looks for DEFAULT, DEFAULT1, DEFAULT2, etc., but
you can turn this off by using NoDefault:
<AuthBy SQL>
....
NoDefault
....
</AuthBy>
regards
Hugh
On Thursday, Apr 17, 2003, at 22:27 Australia/Melbourne, Peter Gruber
wrote:
> Hi all,
>
> I use the AuthBySQL to authenticate via an Oracle-Database. When the
> passwd is correct, everything works fine. When the password is
> incorrect, the radiator goes into an endless-loop (see the trace 4 -
> output) and can just be "-9" killed. During this loop, it is not
> possible to authenticate even with the correct password - the radiusd
> seems to be completely confused.
>
> I use the Radiator 3.5 (Demo) on a debian-box.
>
> Did anybody have the same problem or know what could be the reason for
> that behaviour?
>
>
> Best regards and THX ahead,
> Peter
>
>
> This is the output of the Trace 4:
> *** Received from x.y.z.z port 1645 ....
> Code: Access-Request
> Identifier: 54
> Authentic: <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
> Attributes:
> Framed-Protocol = PPP
> Username = "wedu at xxx"
> CHAP-Password = xxx
> NAS-Port = 1
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> NAS-IP-Address = x.y.z.z
>
> Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Apr 17 13:43:04 2003: DEBUG: Deleting session for wedu at xxx,
> x.y.z.z, 1
> Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
> Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL:
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with
> wedu at xxx
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT1
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT2
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with
> DEFAULT3
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads
> l_auth WHERE username = 'wedu'
>
> and so on...
>
>
>
> This is the (partial) radius.cfg:
> Trace 4
>
> Foreground
> AuthPort 1812
> AcctPort 1813
> DictionaryFile /usr/local/etc/dictionary
> DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
> LogDir /var/log/radius
> LogFile /var/log/radius/radius.log
>
> <Client DEFAULT>
> Secret testsecret
> DupInterval 2
> </Client>
>
>
> <Realm DEFAULT>
> PasswordLogFileName /var/log/radius/password.log
> AcctLogFileName /var/log/radius/acct.log
>
> <AuthBy SQL>
> DBSource dbi:Oracle:xxx
> DBUsername xxx
> DBAuth xxx
>
> AuthSelect SELECT passwd, \
> servicetype, \
> framedprotocol,\
> ip_address,\
> framedipnetmask,\
> ciscoavpair \
> FROM xxxxx \
> WHERE username = '%w'
>
> AuthColumnDef 0,User-Password, check
> AuthColumnDef 1,Service-Type,reply
> AuthColumnDef 2,Framed-Protocol,reply
> AuthColumnDef 3,Framed-IP-Address,reply
> AuthColumnDef 4,Framed-IP-Netmask,reply
> AuthColumnDef 5,cisco-avpair,reply
>
> IgnoreAccounting
> </AuthBy>
>
>
> <AuthBy GROUP>
> AuthByPolicy All
> IgnoreAuthentication
> <AuthBy SQL>
> DBSource dbi:Oracle:xxx
> DBUsername xxx
> DBAuth xxx
> AccountingStartsOnly
> IgnoreAuthentication
> AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
> </AuthBy>
>
> <AuthBy SQL>
> DBSource dbi:Oracle:xxx
> DBUsername xxx
> DBAuth xxx
> AccountingAlivesOnly
> AcctFailedLogFileName /var/log/radius/acctfail.log
> IgnoreAuthentication
> AcctSQLStatement insert into xxx
> .
> .
> .
> AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
> </AuthBy>
>
> <AuthBy SQL>
> DBSource dbi:Oracle:xxx
> DBUsername xxx
> DBAuth xxx
> AccountingStopsOnly
> AcctFailedLogFileName /var/log/radius/acctfail.log
> IgnoreAuthentication
> AcctSQLStatement insert into xxx
> .
> .
> .
> AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
> </AuthBy>
> </AuthBy>
> </Realm>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
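
Added example (not part of the original thread and not Radiator code): a log check that flags any request whose Trace 4 output shows a run of DEFAULT, DEFAULT1, DEFAULT2, ... lookups like the one quoted above, so the condition is noticed before the server has to be killed. The threshold of 3, the helper names and the sample usernames are assumptions; the sample log is constructed in the format of the quoted trace.

```python
import re

# A record starts with a timestamp such as "Thu Apr 17 13:43:04 2003: ".
TS = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}: ")
LOOKUP = re.compile(r"looks for match with (\S+)")
DEFAULT_N = re.compile(r"^DEFAULT\d*$")          # DEFAULT, DEFAULT1, DEFAULT2, ...

def records(text):
    """Yield one string per log record, rejoining wrapped or '>'-quoted lines."""
    rec = None
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if TS.match(line):
            if rec is not None:
                yield rec
            rec = line
        elif rec is not None and line:
            rec += " " + line                      # continuation of a wrapped record
    if rec is not None:
        yield rec

def find_default_loops(text, threshold=3):
    """Return the requests that made more than `threshold` DEFAULTn lookups."""
    requests = []
    for rec in records(text):
        if "Handling request with Handler" in rec:
            requests.append({"user": None, "default_lookups": 0, "last": None})
            continue
        m = LOOKUP.search(rec)
        if not m or not requests:
            continue
        cur, name = requests[-1], m.group(1)
        if DEFAULT_N.match(name):
            cur["default_lookups"] += 1
            cur["last"] = name
        elif cur["user"] is None:
            cur["user"] = name                     # first non-DEFAULT lookup is the user
    return [r for r in requests if r["default_lookups"] > threshold]

# Constructed sample (not a real capture): one ordinary reject, one runaway request.
T = "Thu Apr 17 13:43:04 2003: DEBUG: "
def _req(user, defaults, quote=""):
    names = [user] + ["DEFAULT" + (str(i) if i else "") for i in range(defaults)]
    out = [quote + T + "Handling request with Handler 'Realm=DEFAULT'"]
    for n in names:
        out += [quote + T + "Radius::AuthSQL looks for match with", quote + n,
                quote + T + "Radius::AuthSQL REJECT: Bad Password"]
    return out

SAMPLE = "\n".join(_req("alice@example.test", 1) + _req("bob@example.test", 6, "> "))
```
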