Antw: Re: (RADIATOR) Endless-Loop when wrong passwd and AuthBySQL

Bon sy bon at bunny.cs.qc.edu
Wed Apr 23 07:36:10 CDT 2003


Hi Mike and Peter,

	We also use the same DBD-Oracle version on Redhat 8.0 3.2-7
Kernel 2.4.18 running Oracle 9.2.0 and it works fine. The only difference
is that we use the Redhat distribution instead of the Debian distribution. Also,
we write our own SQL auth and acct statements to fit our homemade schema.

	I assume your Oracle system is up and running already. But you may
want to keep in mind that Oracle only offers official support for the Redhat
distribution (and previously SUSE as well). Although the Linux distribution
should not matter, we did have a nightmare installing
Oracle on a "non official" distribution. This is due to the way that Oracle
wrote their Java-based installer. And we ended up using the so-called
official distribution (for support) or else metalink will not even offer
help.

	Hope this info about our experience can shed some light on
your problem.

Bon


On Wed, 23 Apr 2003, Mike McCauley wrote:

> Hello Peter,
> 
> On Wed, 23 Apr 2003 06:05 pm, Peter Gruber wrote:
> > Hello Mike,
> >
> > thank you for your reply.
> > I use
> >  * Debian-Linux
> >  * libdbd-oracle-perl 1.12-2
> >  * libclntsh.so.9.0
> >  * oracle 9.2.0
> 
> Hmm, we have not tested here with such recent versions of DBD-Oracle.
> 
> >
> > But the workaround with "NoDefault" works fine.
> > Do you think the "NoDefault" causes any impacts?
> 
> No, unless you need to use the DEFAULT user fallbacks.
> 
> Cheers.
> 
> >
> > Cheers,
> > Peter
> >
> > >>> Mike McCauley <mikem at open.com.au> 22.04.2003 09:23:46 >>>
> >
> > Hello Peter,
> >
> > Hugh's earlier response concerning NoDefault is a good workaround to your
> > problem, but...
> >
> > Normally Radiator detects when it runs out of DEFAULT usernames and does
> > not go into an endless loop like that.
> > Your symptoms make me think that your DBD-Oracle is not behaving correctly
> > when it gets an empty result from your AuthSelect query.
> >
> > What versions of DBD-Oracle and the Oracle client library are you using?
> > On what platform?
> >
> > Cheers.
> >
> > On Thu, 17 Apr 2003 10:27 pm, Peter Gruber wrote:
> > > Hi all,
> > >
> > > I use the AuthBySQL to authenticate via an Oracle-Database. When the
> > > passwd is correct, everything works fine. When the password is incorrect,
> > > the radiator goes into an endless-loop (see the trace 4 - output) and can
> > > just be "-9" killed. During this loop, it is not possible to authenticate
> > > even with the correct password - the radiusd seems to be completely
> > > confused.
> > >
> > > I use the Radiator 3.5 (Demo) on a debian-box.
> > >
> > > Did anybody have the same problem or know what could be the reason for
> > > that behaviour?
> > >
> > >
> > > Best regards and THX ahead,
> > > Peter
> > >
> > >
> > > This is the output of the Trace 4:
> > > *** Received from x.y.z.z port 1645 ....
> > > Code:       Access-Request
> > > Identifier: 54
> > > Authentic:  <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
> > > Attributes:
> > >         Framed-Protocol = PPP
> > >         Username = "wedu at xxx"
> > >         CHAP-Password = xxx
> > >         NAS-Port = 1
> > >         NAS-Port-Type = Virtual
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = x.y.z.z
> > >
> > > Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > Thu Apr 17 13:43:04 2003: DEBUG:  Deleting session for wedu at xxx, x.y.z.z, 1
> > > Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
> > > Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL:
> > > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
> > > framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM  ads l_auth
> > > WHERE username = 'wedu'
> > >
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with wedu at xxx
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd,
> > > servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM
> > > ads l_auth WHERE username = 'wedu'
> > >
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd,
> > > servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM
> > > ads l_auth WHERE username = 'wedu'
> > >
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd,
> > > servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM
> > > ads l_auth WHERE username = 'wedu'
> > >
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT2
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd,
> > > servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM
> > > ads l_auth WHERE username = 'wedu'
> > >
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT3
> > > Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
> > > Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd,
> > > servicetype, framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM
> > > ads l_auth WHERE username = 'wedu'
> > >
> > > and so on...
> > >
> > >
> > >
> > > This is the (partial) radius.cfg:
> > > Trace 4
> > >
> > > Foreground
> > > AuthPort 1812
> > > AcctPort 1813
> > > DictionaryFile /usr/local/etc/dictionary
> > > DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
> > > LogDir /var/log/radius
> > > LogFile /var/log/radius/radius.log
> > >
> > > <Client DEFAULT>
> > >         Secret  testsecret
> > >         DupInterval 2
> > > </Client>
> > >
> > >
> > > <Realm DEFAULT>
> > >     PasswordLogFileName /var/log/radius/password.log
> > >     AcctLogFileName /var/log/radius/acct.log
> > >
> > >     <AuthBy SQL>
> > >         DBSource        dbi:Oracle:xxx
> > >         DBUsername      xxx
> > >         DBAuth          xxx
> > >
> > >         AuthSelect SELECT passwd, \
> > >                           servicetype, \
> > >                           framedprotocol,\
> > >                           ip_address,\
> > >                           framedipnetmask,\
> > >                           ciscoavpair \
> > >                    FROM  xxxxx \
> > >                    WHERE username = '%w'
> > >
> > >         AuthColumnDef 0,User-Password, check
> > >         AuthColumnDef 1,Service-Type,reply
> > >         AuthColumnDef 2,Framed-Protocol,reply
> > >         AuthColumnDef 3,Framed-IP-Address,reply
> > >         AuthColumnDef 4,Framed-IP-Netmask,reply
> > >         AuthColumnDef 5,cisco-avpair,reply
> > >
> > >         IgnoreAccounting
> > >     </AuthBy>
> > >
> > >
> > >     <AuthBy GROUP>
> > >        AuthByPolicy All
> > >        IgnoreAuthentication
> > >     <AuthBy SQL>
> > >          DBSource        dbi:Oracle:xxx
> > >          DBUsername      xxx
> > >          DBAuth          xxx
> > >          AccountingStartsOnly
> > >          IgnoreAuthentication
> > >          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> > > .
> > > .
> > > .
> > >     </AuthBy>
> > >
> > >     <AuthBy SQL>
> > >         DBSource        dbi:Oracle:xxx
> > >         DBUsername      xxx
> > >         DBAuth          xxx
> > >         AccountingAlivesOnly
> > >         AcctFailedLogFileName /var/log/radius/acctfail.log
> > >         IgnoreAuthentication
> > >         AcctSQLStatement insert into xxx
> > > .
> > > .
> > > .
> > >         AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> > > .
> > > .
> > > .
> > >     </AuthBy>
> > >
> > >     <AuthBy SQL>
> > >          DBSource        dbi:Oracle:xxx
> > >          DBUsername      xxx
> > >          DBAuth          xxx
> > >          AccountingStopsOnly
> > >          AcctFailedLogFileName /var/log/radius/acctfail.log
> > >          IgnoreAuthentication
> > >          AcctSQLStatement insert into xxx
> > > .
> > > .
> > > .
> > >          AcctSQLStatement update /*+ USE_CONCAT */ xxx \
> > > .
> > > .
> > > .
> > >     </AuthBy>
> > >     </AuthBy>
> > > </Realm>
> > > ===
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> 
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
> 
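
An added example, not from the thread and not Radiator code: a small Python checker that scans Trace 4 output for the symptom in the quoted trace, one request walking DEFAULT, DEFAULT1, DEFAULT2, ... without stopping. The function name, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```python
import re

# Two events in Radiator Trace 4 output: a new request, and a user-name lookup.
EVENT = re.compile(
    r"(?P<start>Handling request with Handler)"
    r"|(?P<module>Radius::\w+) looks for match with (?P<name>\S+)"
)
DEFAULT_N = re.compile(r"DEFAULT(\d*)")


def find_default_loops(trace_text, max_index=3):
    """Return one record per request whose DEFAULTn index went above max_index."""
    requests = []
    for ev in EVENT.finditer(trace_text):
        if ev["start"] or not requests:
            requests.append({"user": None, "module": None, "highest_default": -1})
            if ev["start"]:
                continue
        req = requests[-1]
        fallback = DEFAULT_N.fullmatch(ev["name"])
        if fallback is None:
            # The first lookup of a request carries the real user name.
            req["user"] = req["user"] or ev["name"]
            continue
        # "DEFAULT" alone counts as index 0, "DEFAULT7" as index 7.
        req["module"] = ev["module"]
        req["highest_default"] = max(req["highest_default"], int(fallback[1] or 0))
    return [r for r in requests if r["highest_default"] > max_index]


# Constructed sample (not real log data), modelled on the trace format above.
TS = "Thu Apr 17 13:43:04 2003: DEBUG: "
SAMPLE_TRACE = "\n".join(
    [TS + "Handling request with Handler 'Realm=DEFAULT'",
     TS + "Radius::AuthSQL looks for match with alice@example.test",
     TS + "Radius::AuthSQL REJECT: Bad Password"]
    # Runaway request: DEFAULT, DEFAULT1, ... DEFAULT5
    + [TS + f"Radius::AuthSQL looks for match with DEFAULT{n or ''}" for n in range(6)]
    # Healthy request: one DEFAULT lookup, then the search stops.
    + [TS + "Handling request with Handler 'Realm=DEFAULT'",
       TS + "Radius::AuthSQL looks for match with bob@example.test",
       TS + "Radius::AuthSQL looks for match with DEFAULT"]
)

if __name__ == "__main__":
    for hit in find_default_loops(SAMPLE_TRACE):
        print("possible DEFAULT fallback loop:", hit)
```

Set `max_index` above the highest DEFAULTn user actually configured, so legitimate fallbacks are not flagged.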
