(RADIATOR) Endless-Loop when wrong passwd and AuthBySQL

Mike McCauley mikem at open.com.au
Tue Apr 22 02:23:46 CDT 2003


Hello Peter,

Hugh's earlier response concerning NoDefault is a good workaround to your 
problem, but...

Normally Radiator detects when it runs out of DEFAULT usernames and does not 
go into an endless loop like that.
Your symptoms make me think that your DBD-Oracle is not behaving correctly 
when it gets an empty result from your AuthSelect query.

What versions of DBD-Oracle and the Oracle client library are you using?
On what platform?

Cheers.



On Thu, 17 Apr 2003 10:27 pm, Peter Gruber wrote:
> Hi all,
>
> I use the AuthBySQL to authenticate via an Oracle-Database. When the passwd
> is correct, everything works fine. When the password is incorrect, the
> radiator goes into an endless-loop (see the trace 4 - output) and can just
> be "-9" killed. During this loop, it is not possible to authenticate even
> with the correct password - the radiusd seems to be completely confused.
>
> I use the Radiator 3.5 (Demo) on a debian-box.
>
> Did anybody have the same problem or know what could be the reason for that
> behaviour?
>
>
> Best regards and THX ahead,
> Peter
>
>
> This is the output of the Trace 4:
> *** Received from x.y.z.z port 1645 ....
> Code:       Access-Request
> Identifier: 54
> Authentic:  <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
> Attributes:
>         Framed-Protocol = PPP
>         Username = "wedu at xxx"
>         CHAP-Password = xxx
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         NAS-IP-Address = x.y.z.z
>
> Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Apr 17 13:43:04 2003: DEBUG:  Deleting session for wedu at xxx, x.y.z.z, 1
> Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
> Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL:
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with wedu at xxx
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT2
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
>
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT3
> Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
>
> and so on...
>
>
>
> This is the (partial) radius.cfg:
> Trace 4
>
> Foreground
> AuthPort 1812
> AcctPort 1813
> DictionaryFile /usr/local/etc/dictionary
> DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
> LogDir /var/log/radius
> LogFile /var/log/radius/radius.log
>
> <Client DEFAULT>
>         Secret  testsecret
>         DupInterval 2
> </Client>
>
>
> <Realm DEFAULT>
>     PasswordLogFileName /var/log/radius/password.log
>     AcctLogFileName /var/log/radius/acct.log
>
>     <AuthBy SQL>
>         DBSource        dbi:Oracle:xxx
>         DBUsername      xxx
>         DBAuth          xxx
>
>         AuthSelect SELECT passwd, \
>                           servicetype, \
>                           framedprotocol,\
>                           ip_address,\
>                           framedipnetmask,\
>                           ciscoavpair \
>                    FROM  xxxxx \
>                    WHERE username = '%w'
>
>         AuthColumnDef 0,User-Password, check
>         AuthColumnDef 1,Service-Type,reply
>         AuthColumnDef 2,Framed-Protocol,reply
>         AuthColumnDef 3,Framed-IP-Address,reply
>         AuthColumnDef 4,Framed-IP-Netmask,reply
>         AuthColumnDef 5,cisco-avpair,reply
>
>         IgnoreAccounting
>     </AuthBy>
>
>
>     <AuthBy GROUP>
>        AuthByPolicy All
>        IgnoreAuthentication
>     <AuthBy SQL>
>          DBSource        dbi:Oracle:xxx
>          DBUsername      xxx
>          DBAuth          xxx
>          AccountingStartsOnly
>          IgnoreAuthentication
>          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
>     </AuthBy>
>
>     <AuthBy SQL>
>         DBSource        dbi:Oracle:xxx
>         DBUsername      xxx
>         DBAuth          xxx
>         AccountingAlivesOnly
>         AcctFailedLogFileName /var/log/radius/acctfail.log
>         IgnoreAuthentication
>         AcctSQLStatement insert into xxx
> .
> .
> .
>         AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
>     </AuthBy>
>
>     <AuthBy SQL>
>          DBSource        dbi:Oracle:xxx
>          DBUsername      xxx
>          DBAuth          xxx
>          AccountingStopsOnly
>          AcctFailedLogFileName /var/log/radius/acctfail.log
>          IgnoreAuthentication
>          AcctSQLStatement insert into xxx
> .
> .
> .
>          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> .
> .
> .
>     </AuthBy>
>     </AuthBy>
> </Realm>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
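
A detection sketch for the symptom in the quoted trace, added here as an example (it is not part of the original messages and not Radiator code): it scans Trace 4 output, one log entry per line, for a single request that keeps advancing through DEFAULT, DEFAULT1, DEFAULT2 and so on, and notes whether the logged query stayed identical throughout. The function names, the `max_defaults` threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# One Radiator DEBUG entry per line, e.g. "Thu Apr 17 13:43:04 2003: DEBUG: ..."
ENTRY = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}: DEBUG: +(.*)$")
LOOKUP = re.compile(r"^Radius::AuthSQL looks for match with (\S+)")
DEFAULT_N = re.compile(r"^DEFAULT\d*$")

def find_default_loops(lines, max_defaults=3):
    """Flag requests that walk more than max_defaults DEFAULTn lookups."""
    findings, req, last_sql = [], None, None

    def close(r):
        if r and len(r["defaults"]) > max_defaults:
            # One distinct SQL text across all lookups: the query never
            # changed while the looked-up name advanced, as in the trace.
            r["static_query"] = len(r["queries"]) == 1
            findings.append(r)

    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Handling request with Handler"):
            close(req)  # a new request starts; evaluate the previous one
            req, last_sql = {"user": None, "defaults": [], "queries": set()}, None
        elif req is None:
            continue
        elif msg.startswith("Query is: "):
            last_sql = msg[len("Query is: "):]
        elif (hit := LOOKUP.match(msg)):
            name = hit.group(1)
            if DEFAULT_N.match(name):
                req["defaults"].append(name)
                req["queries"].add(last_sql)
            elif req["user"] is None:
                req["user"] = name
    close(req)
    return findings

def sample(names):
    """Constructed trace lines (user and table names are placeholders)."""
    ts = "Thu Apr 17 13:43:04 2003: DEBUG: "
    out = [ts + "Handling request with Handler 'Realm=DEFAULT'"]
    for n in names:
        out += [ts + "Query is: SELECT passwd FROM users WHERE username = 'alice'",
                ts + "Radius::AuthSQL looks for match with " + n,
                ts + "Radius::AuthSQL REJECT: Bad Password"]
    return out

LOOPING = sample(["alice", "DEFAULT"] + ["DEFAULT%d" % i for i in range(1, 40)])
NORMAL = sample(["alice", "DEFAULT"])
```

Run against a live log file, a non-empty result means one Access-Request is holding the server in the DEFAULTn walk; the entries must be one per line, not rewrapped as in a mail quote.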
