(RADIATOR) Endless-Loop when wrong passwd and AuthBySQL

Hugh Irvine hugh at open.com.au
Thu Apr 17 18:27:44 CDT 2003


Hello Peter -

Thanks for sending the log and the configuration file.

Radiator by default looks for DEFAULT, DEFAULT1, DEFAULT2, etc., but 
you can turn this off by using NoDefault:

	<AuthBy SQL>
		....
		NoDefault
		....
	</AuthBy>

regards

Hugh


On Thursday, Apr 17, 2003, at 22:27 Australia/Melbourne, Peter Gruber 
wrote:

> Hi all,
>
> I use the AuthBySQL to authenticate via an Oracle-Database. When the 
> passwd is correct, everything works fine. When the password is 
> incorrect, the radiator goes into an endless-loop (see the trace 4 - 
> output) and can just be "-9" killed. During this loop, it is not 
> possible to authenticate even with the correct password - the radiusd 
> seems to be completely confused.
>
> I use the Radiator 3.5 (Demo) on a debian-box.
>
> Did anybody have the same problem or know what could be the reason for 
> that behaviour?
>
>
> Best regards and THX ahead,
> Peter
>
>
> This is the output of the Trace 4:
> *** Received from x.y.z.z port 1645 ....
> Code:       Access-Request
> Identifier: 54
> Authentic:  <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
> Attributes:
>         Framed-Protocol = PPP
>         Username = "wedu at xxx"
>         CHAP-Password = xxx
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         NAS-IP-Address = x.y.z.z
>
> Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Thu Apr 17 13:43:04 2003: DEBUG:  Deleting session for wedu at xxx, 
> x.y.z.z, 1
> Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
> Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL:
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, 
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with 
> wedu at xxx
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, 
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with 
> DEFAULT
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, 
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with 
> DEFAULT1
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, 
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with 
> DEFAULT2
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, 
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads
> l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with 
> DEFAULT3
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, 
> framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads
> l_auth WHERE username = 'wedu'
>
> and so on...
>
>
>
> This is the (partial) radius.cfg:
> Trace 4
>
> Foreground
> AuthPort 1812
> AcctPort 1813
> DictionaryFile /usr/local/etc/dictionary
> DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
> LogDir /var/log/radius
> LogFile /var/log/radius/radius.log
>
> <Client DEFAULT>
>         Secret  testsecret
>         DupInterval 2
> </Client>
>
>
> <Realm DEFAULT>
>     PasswordLogFileName /var/log/radius/password.log
>     AcctLogFileName /var/log/radius/acct.log
>
>     <AuthBy SQL>
>         DBSource        dbi:Oracle:xxx
>         DBUsername      xxx
>         DBAuth          xxx
>
>         AuthSelect SELECT passwd, \
>                           servicetype, \
>                           framedprotocol,\
>                           ip_address,\
>                           framedipnetmask,\
>                           ciscoavpair \
>                    FROM  xxxxx \
>                    WHERE username = '%w'
>
>         AuthColumnDef 0,User-Password, check
>         AuthColumnDef 1,Service-Type,reply
>         AuthColumnDef 2,Framed-Protocol,reply
>         AuthColumnDef 3,Framed-IP-Address,reply
>         AuthColumnDef 4,Framed-IP-Netmask,reply
>         AuthColumnDef 5,cisco-avpair,reply
>
>         IgnoreAccounting
>     </AuthBy>
>
>
>     <AuthBy GROUP>
>        AuthByPolicy All
>        IgnoreAuthentication
>     <AuthBy SQL>
>          DBSource        dbi:Oracle:xxx
>          DBUsername      xxx
>          DBAuth          xxx
>          AccountingStartsOnly
>          IgnoreAuthentication
>          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
>     </AuthBy>
>
>     <AuthBy SQL>
>         DBSource        dbi:Oracle:xxx
>         DBUsername      xxx
>         DBAuth          xxx
>         AccountingAlivesOnly
>         AcctFailedLogFileName /var/log/radius/acctfail.log
>         IgnoreAuthentication
>         AcctSQLStatement insert into xxx
> .
> .
> .
>         AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
>     </AuthBy>
>
>     <AuthBy SQL>
>          DBSource        dbi:Oracle:xxx
>          DBUsername      xxx
>          DBAuth          xxx
>          AccountingStopsOnly
>          AcctFailedLogFileName /var/log/radius/acctfail.log
>          IgnoreAuthentication
>          AcctSQLStatement insert into xxx
> .
> .
> .
>          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
>     </AuthBy>
>     </AuthBy>
> </Realm>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
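
To spot the fallback chain from the quoted trace in a Trace 4 log, the following added example (not part of the original thread and not Radiator code) counts the DEFAULT, DEFAULT1, ... lookups AuthSQL makes per request and reports requests whose chain reaches a threshold. The log lines are constructed from the trace above with wrapped lines rejoined; the function name, the threshold and the user names are assumptions.

```python
import re

# Patterns for the Trace 4 lines shown in the quoted log.
HANDLER = re.compile(r"DEBUG: Handling request with Handler")
LOOKUP = re.compile(r"DEBUG: Radius::AuthSQL looks for match with (.+?)\s*$")
DEFAULT_NAME = re.compile(r"DEFAULT(\d*)")


def default_fallback_runs(lines, threshold=3):
    """Return (user, highest DEFAULTn index, lookup count) for every request
    whose DEFAULT fallback chain made at least `threshold` lookups.
    `threshold` is an assumed tuning value, not a Radiator setting."""
    findings = []
    user, count, highest = None, 0, -1

    def flush():
        if count >= threshold:
            findings.append((user, highest, count))

    for line in lines:
        if HANDLER.search(line):      # next request begins: close the previous one
            flush()
            user, count, highest = None, 0, -1
            continue
        m = LOOKUP.search(line)
        if not m:
            continue
        d = DEFAULT_NAME.fullmatch(m.group(1))
        if d:                         # DEFAULT counts as index 0
            count += 1
            highest = max(highest, int(d.group(1) or 0))
        elif user is None:
            user = m.group(1)         # first lookup is the real user name
    flush()
    return findings


# Constructed sample, modelled on the trace in the post (wrapped lines rejoined).
TS = "Thu Apr 17 13:43:04 2003: DEBUG: "
SAMPLE = [TS + "Handling request with Handler 'Realm=DEFAULT'",
          TS + "Radius::AuthSQL looks for match with wedu@example",
          TS + "Radius::AuthSQL REJECT: Bad Password"]
for name in ("DEFAULT", "DEFAULT1", "DEFAULT2", "DEFAULT3"):
    SAMPLE += [TS + "Radius::AuthSQL looks for match with " + name,
               TS + "Radius::AuthSQL REJECT: Bad Password"]
SAMPLE += [TS + "Handling request with Handler 'Realm=DEFAULT'",
           TS + "Radius::AuthSQL looks for match with alice@example"]

if __name__ == "__main__":
    print(default_fallback_runs(SAMPLE))
```

With NoDefault set in the AuthBy SQL clause, the same log would show no DEFAULT lookups after the rejected user, so the function would return an empty list.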
