(RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19
Matthew Trout
MatthewTrout at businessserve.co.uk
Thu Jan 16 06:04:52 CST 2003
I'm currently having some nasty problems going from Radiator 2.19 to 3.5;
most things work, but I have a configuration hack that we need that's
suddenly stopped working.
Our FRIACO dialup products are locked to a single CLI, so no username and
password should be needed. Wherein lies the problem - ensuring they have the
correct CLI (which means AcceptIfMissing isn't suitable, so far as I can
see) but getting auth to succeed with no password. Previously, I used a
PostSearchHook in the AuthBy clause to set the EAP_MESSAGE attribute, which
then meant Radiator assumed the password had already been authenticated.
However, this doesn't seem to work under 3.5 and I've spent an entire day
trawling through the source trying to figure it out without success.
Following are my config files, and an extract from the logfile for both versions.
--- Configuration
AuthByPolicy ContinueUntilAccept
<AuthBy LDAP2>
***** elided; simple user search for roaming FRIACO users
(internal only, no customers) *****
</AuthBy>
<AuthBy LDAP2>
NoDefault
HoldServerConnection
Host **********
AuthDN **********
AuthPassword **********
BaseDN ou=customers, ou=people, dc=bsve.net, o=internet
PasswordAttr friacopassword
AuthAttrDef FRIACO-todr, Time, check
SearchFilter (&(objectclass=friacouser)(csid=0%{Calling-Station-Id})(!(suspended=yes)))
PostSearchHook sub { $_[2]->addAttrByNum($Radius::Radius::EAP_MESSAGE,1); }
AddToReply Service-Type = Framed-User, \
Framed-Protocol = PPP, \
Framed-IP-Address = 255.255.255.254, \
Framed-IP-Netmask = 255.255.255.255, \
Framed-Routing = None, \
Framed-Compression = Van-Jacobsen-TCP-IP, \
Framed-MTU = 1500, \
Session-Timeout = 7200
</AuthBy>
--- Logfile excerpts (trace 5, command radpwtst -s localhost -user blah -password blah -calling_station_id 1524848611)
With 2.19, I get -
Code: Access-Request
Identifier: 51
Authentic: 1234567890123456
Attributes:
User-Name = "blah"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "1524848611"
NAS-Port-Type = Async
User-Password = "<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>"
Wed Jan 15 12:30:51 2003: DEBUG: Check if Handler Client-Identifier = BT-FRIACO-Radius should be used to handle this request
Wed Jan 15 12:30:51 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 12:30:51 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthGROUP
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with *********
Wed Jan 15 12:30:51 2003: DEBUG: No entries for blah found in LDAP database
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with *********
Wed Jan 15 12:30:51 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet
Wed Jan 15 12:30:51 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
Wed Jan 15 12:30:51 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 12:30:51 2003: DEBUG: Handling with EAP
Wed Jan 15 12:30:51 2003: DEBUG: EAP code 49, ,
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jan 15 12:30:51 2003: DEBUG: Access accepted for blah
Wed Jan 15 12:30:51 2003: DEBUG: Packet dump:
With 3.5, I get -
Code: Access-Request
Identifier: 31
Authentic: 1234567890123456
Attributes:
User-Name = "blah"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "1524848611"
NAS-Port-Type = Async
User-Password = "<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>"
Wed Jan 15 09:40:31 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 09:40:31 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthGROUP
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 09:40:31 2003: DEBUG: No entries for blah found in LDAP database
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 09:40:31 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet
Wed Jan 15 09:40:31 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
Wed Jan 15 09:40:31 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
Wed Jan 15 09:40:31 2003: INFO: Access rejected for blah: Bad Encrypted password
Wed Jan 15 09:40:31 2003: DEBUG: Packet dump:
- Matt S Trout
Internet Systems Developer
Business Serve plc
E-mail : matthewtrout at businessserve.co.uk
Tel : 0870 759 2041
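The two traces in the post differ only in what follows the "no password attribute found" line: 2.19 goes on to "Handling with EAP" and an ACCEPT, 3.5 rejects. Since the hook's whole purpose is an accept with no password checked, an operator running it will want to see exactly which accepts rest on Calling-Station-Id alone. The following is an added example, not part of the post and not Radiator's own code: a small Python audit of trace-5 output that re-joins lines a mail client has wrapped (the embedded samples are deliberately left wrapped, as in the post), follows each request from its "Handling request with Handler" line to its accept or reject, and lists the accepts that happened with no password to check. The line shapes are taken from the excerpts above; the names TRACE_219, TRACE_35, unwrap, audit_trace and unauthenticated_accepts are mine.

```python
import re
from dataclasses import dataclass

# Two trace-5 excerpts reproduced from the post (abbreviated), kept with the
# line wrapping the mail client introduced so the parser has to re-join them.
TRACE_219 = r"""
Code: Access-Request
User-Password =
"<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>"
Wed Jan 15 12:30:51 2003: DEBUG: Handling request with Handler
'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 12:30:51 2003: DEBUG: No entries for blah found in LDAP database
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 12:30:51 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
Wed Jan 15 12:30:51 2003: ERR: There was no password attribute found for
blah. Check your LDAP database.
Wed Jan 15 12:30:51 2003: DEBUG: Handling with EAP
Wed Jan 15 12:30:51 2003: DEBUG: EAP code 49, ,
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jan 15 12:30:51 2003: DEBUG: Access accepted for blah
"""

TRACE_35 = r"""
Wed Jan 15 09:40:31 2003: DEBUG: Handling request with Handler
'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 09:40:31 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
Wed Jan 15 09:40:31 2003: ERR: There was no password attribute found for
blah. Check your LDAP database.
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
password
Wed Jan 15 09:40:31 2003: INFO: Access rejected for blah: Bad Encrypted
password
"""

# "Wed Jan 15 12:30:51 2003: DEBUG: <message>"
TS_RE = re.compile(
    r'^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}: (?P<level>\w+): (?P<msg>.*)$')


@dataclass
class RequestOutcome:
    user: str
    outcome: str                 # 'accept' or 'reject'
    reason: str                  # reject reason, '' on accept
    password_attr_missing: bool  # LDAP entry carried no PasswordAttr value
    eap_path_taken: bool         # 'Handling with EAP' seen (the hook's effect)


def unwrap(text):
    """Re-join lines wrapped in transit: a line with no timestamp prefix is
    a continuation of the line before it."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += ' ' + line
    return lines


def audit_trace(text):
    """Walk one Radiator trace and return the outcome of every request."""
    results, cur = [], None
    for line in unwrap(text):
        m = TS_RE.match(line)
        if not m:
            continue  # packet dump lines and other non-log text
        msg = m.group('msg')
        if msg.startswith('Handling request with Handler'):
            cur = {'missing': False, 'eap': False}  # a new request begins
            continue
        if cur is None:
            continue
        if 'no password attribute found' in msg:
            cur['missing'] = True
        elif msg == 'Handling with EAP':
            cur['eap'] = True
        elif (acc := re.match(r'Access accepted for (\S+)', msg)):
            results.append(RequestOutcome(acc.group(1), 'accept', '',
                                          cur['missing'], cur['eap']))
            cur = None
        elif (rej := re.match(r'Access rejected for (\S+): (.*)', msg)):
            results.append(RequestOutcome(rej.group(1), 'reject', rej.group(2),
                                          cur['missing'], cur['eap']))
            cur = None
    return results


def unauthenticated_accepts(text):
    """Accepts issued although no password could be checked: expected for the
    CLI-locked products in the post, worth a look anywhere else."""
    return [r for r in audit_trace(text)
            if r.outcome == 'accept' and r.password_attr_missing]


if __name__ == '__main__':
    for version, trace in (('2.19', TRACE_219), ('3.5', TRACE_35)):
        for r in audit_trace(trace):
            print(f'{version}: {r.user} {r.outcome} {r.reason} '
                  f'no-password={r.password_attr_missing} eap={r.eap_path_taken}')
```

Run stand-alone it prints one line per request: the 2.19 trace yields a single accept for blah with no password attribute and the EAP path taken, the 3.5 trace a reject with reason "Bad Encrypted password". Pointing audit_trace at a full trace-5 log (after unwrap, which is harmless on unwrapped input) gives the same per-request view over real traffic.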