Antw: Re: (RADIATOR) Enless-Loop when wrong passwd and AuthBySQL

Mike McCauley mikem at open.com.au
Wed Apr 23 03:52:26 CDT 2003


Hello Peter,

On Wed, 23 Apr 2003 06:05 pm, Peter Gruber wrote:
> Hello Mike,
>
> thank you for your reply.
> I use
>  * Debian-Linux
>  * libdbd-oracle-perl 1.12-2
>  * libclntsh.so.9.0
>  * oracle 9.2.0

Hmm, we have not tested here with such recent versions of DBD-Oracle.

>
> But the workaround with "NoDefault" works fine.
> Do you think the "NoDefault" causes any impacts?

No, unless you need to use the DEFAULT user fallbacks.

Cheers.

>
> Cheers,
> Peter
>
> >>> Mike McCauley <mikem at open.com.au> 22.04.2003 09:23:46 >>>
>
> Hello Peter,
>
> Hugh's earlier response concerning NoDefault is a good workaround to your
> problem, but...
>
> Normally Radiator detects when it runs out of DEFAULT usernames and does
> not go into an endless loop like that.
> Your symptoms make me think that your DBD-Oracle is not behaving correctly
> when it gets an empty result from your AuthSelect query.
>
> What versions of DBD-Oracle and the Oracle client library are you using?
> On what platform?
>
> Cheers.
>
> On Thu, 17 Apr 2003 10:27 pm, Peter Gruber wrote:
> > Hi all,
> >
> > I use the AuthBySQL to authenticate via an Oracle-Database. When the
> > passwd is correct, everything works fine. When the password is incorrect,
> > the radiator goes into an endless-loop (see the trace 4 - output) and can
> > just be "-9" killed. During this loop, it is not possible to authenticate
> > even with the correct password - the radiusd seems to be completely
> > confused.
> >
> > I use the Radiator 3.5 (Demo) on a debian-box.
> >
> > Did anybody have the same problem or know what could be the reason for
> > that behaviour?
> >
> >
> > Best regards and THX ahead,
> > Peter
> >
> >
> > This is the output of the Trace 4:
> > *** Received from x.y.z.z port 1645 ....
> > Code:       Access-Request
> > Identifier: 54
> > Authentic:  <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
> > Attributes:
> >         Framed-Protocol = PPP
> >         Username = "wedu at xxx"
> >         CHAP-Password = xxx
> >         NAS-Port = 1
> >         NAS-Port-Type = Virtual
> >         Service-Type = Framed-User
> >         NAS-IP-Address = x.y.z.z
> >
> > Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Thu Apr 17 13:43:04 2003: DEBUG:  Deleting session for wedu at xxx, x.y.z.z, 1
> > Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
> > Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL:
> > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
> >
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with wedu at xxx
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
> >
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
> >
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
> >
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT2
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
> >
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT3
> > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth WHERE username = 'wedu'
> >
> > and so on...
> >
> >
> >
> > This is the (partial) radius.cfg:
> > Trace 4
> >
> > Foreground
> > AuthPort 1812
> > AcctPort 1813
> > DictionaryFile /usr/local/etc/dictionary
> > DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
> > LogDir /var/log/radius
> > LogFile /var/log/radius/radius.log
> >
> > <Client DEFAULT>
> >         Secret  testsecret
> >         DupInterval 2
> > </Client>
> >
> >
> > <Realm DEFAULT>
> >     PasswordLogFileName /var/log/radius/password.log
> >     AcctLogFileName /var/log/radius/acct.log
> >
> >     <AuthBy SQL>
> >         DBSource        dbi:Oracle:xxx
> >         DBUsername      xxx
> >         DBAuth          xxx
> >
> >         AuthSelect SELECT passwd, \
> >                           servicetype, \
> >                           framedprotocol,\
> >                           ip_address,\
> >                           framedipnetmask,\
> >                           ciscoavpair \
> >                    FROM  xxxxx \
> >                    WHERE username = '%w'
> >
> >         AuthColumnDef 0,User-Password, check
> >         AuthColumnDef 1,Service-Type,reply
> >         AuthColumnDef 2,Framed-Protocol,reply
> >         AuthColumnDef 3,Framed-IP-Address,reply
> >         AuthColumnDef 4,Framed-IP-Netmask,reply
> >         AuthColumnDef 5,cisco-avpair,reply
> >
> >         IgnoreAccounting
> >     </AuthBy>
> >
> >
> >     <AuthBy GROUP>
> >        AuthByPolicy All
> >        IgnoreAuthentication
> >     <AuthBy SQL>
> >          DBSource        dbi:Oracle:xxx
> >          DBUsername      xxx
> >          DBAuth          xxx
> >          AccountingStartsOnly
> >          IgnoreAuthentication
> >          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> > .
> > .
> > .
> >     </AuthBy>
> >
> >     <AuthBy SQL>
> >         DBSource        dbi:Oracle:xxx
> >         DBUsername      xxx
> >         DBAuth          xxx
> >         AccountingAlivesOnly
> >         AcctFailedLogFileName /var/log/radius/acctfail.log
> >         IgnoreAuthentication
> >         AcctSQLStatement insert into xxx
> > .
> > .
> > .
> >         AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> > .
> > .
> > .
> >     </AuthBy>
> >
> >     <AuthBy SQL>
> >          DBSource        dbi:Oracle:xxx
> >          DBUsername      xxx
> >          DBAuth          xxx
> >          AccountingStopsOnly
> >          AcctFailedLogFileName /var/log/radius/acctfail.log
> >          IgnoreAuthentication
> >          AcctSQLStatement insert into xxx
> > .
> > .
> > .
> >          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> > .
> > .
> > .
> >     </AuthBy>
> >     </AuthBy>
> > </Realm>
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
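
Added example, not part of the original mail and not Radiator code: a small Python check that scans Trace 4 output for the runaway DEFAULT, DEFAULT1, DEFAULT2, ... fallback chain reported in this thread, since one wrong password was enough to stall authentication for every user. The function name, the threshold of two DEFAULT lookups and the sample trace are assumptions; set the threshold to the number of DEFAULTn users actually defined.

```python
import re

# Patterns follow the Trace 4 lines quoted in the thread. \s+ between words
# tolerates logs that were re-wrapped by a mail client or pager.
REQUEST_START = re.compile(r"Handling\s+request\s+with\s+Handler")
LOOKUP = re.compile(r"Radius::AuthSQL\s+looks\s+for\s+match\s+with\s+(\S+)")
DEFAULT_NAME = re.compile(r"DEFAULT\d*")


def find_default_runaway(trace_text, max_defaults=2):
    """Return one finding per request whose DEFAULT fallback chain is longer
    than max_defaults (hypothetical threshold, tune per deployment)."""
    findings = []
    # Everything after each "Handling request" marker belongs to one request.
    for chunk in REQUEST_START.split(trace_text)[1:]:
        names = LOOKUP.findall(chunk)
        if not names:
            continue
        defaults = [n for n in names if DEFAULT_NAME.fullmatch(n)]
        if len(defaults) > max_defaults:
            findings.append({
                "user": names[0],               # first name tried is the real user
                "default_lookups": len(defaults),
                "last": defaults[-1],           # how deep the chain had got
            })
    return findings


def _constructed_request(user, default_count):
    """Build a constructed trace for one rejected request (sample data only)."""
    ts = "Thu Apr 17 13:43:04 2003: DEBUG: "
    out = [ts + "Handling request with Handler 'Realm=DEFAULT'",
           ts + "Radius::AuthSQL looks for match with " + user,
           ts + "Radius::AuthSQL REJECT: Bad Password"]
    for i in range(default_count):
        name = "DEFAULT" + (str(i) if i else "")
        out.append(ts + "Radius::AuthSQL looks for match with " + name)
        out.append(ts + "Radius::AuthSQL REJECT: Bad Password")
    return "\n".join(out) + "\n"


# Constructed sample: one normal reject, then one runaway chain.
SAMPLE_TRACE = (_constructed_request("alice@example.net", 1)
                + _constructed_request("wedu@example.net", 6))

if __name__ == "__main__":
    for finding in find_default_runaway(SAMPLE_TRACE):
        print("runaway DEFAULT fallback:", finding)
```
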
