(RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19

Ingvar Berg (EAB) Ingvar.Berg at era.ericsson.se
Thu Jan 16 06:44:24 CST 2003


Just don't specify any PasswordAttr, that will give you a warning at startup, but then it works just fine by checking only according to your SearchFilter.

/Ingvar

>  -----Original Message-----
> From: 	Matthew Trout [mailto:MatthewTrout at businessserve.co.uk] 
> Sent:	den 16 januari 2003 13:05
> To:	'radiator at open.com.au'
> Subject:	(RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19
> 
> I'm currently having some nasty problems going from Radiator 2.19 to 3.5; most things work, but I have a configuration hack that we need that's suddenly stopped working.
> 
> Our FRIACO dialup products are locked to a single CLI, so no username and password should be needed. Wherein lies the problem - ensuring they have the correct CLI (which means AcceptIfMissing isn't suitable, so far as I can see) but getting auth to succeed with no password. Previously, I used a PostSearchHook in the AuthBy clause to set the EAP_MESSAGE attribute, which then meant Radiator assumed the password had already been authenticated. However, this doesn't seem to work under 3.5 and I've spent an entire day trawling through the source trying to figure it out without success. Following are my config files, and an extract from the logfile for both versions.
> 
> --- Configuration 
>         AuthByPolicy ContinueUntilAccept 
> 
>         <AuthBy LDAP2> 
>                 ***** elided; simple user search for roaming FRIACO users (internal only, no customers) ***** 
>         </AuthBy> 
> 
>         <AuthBy LDAP2> 
>                 NoDefault 
>                 HoldServerConnection 
>                 Host            ********** 
>                 AuthDN          ********** 
>                 AuthPassword    ********** 
>                 BaseDN          ou=customers, ou=people, dc=bsve.net, o=internet 
>                 PasswordAttr    friacopassword 
>                 AuthAttrDef     FRIACO-todr, Time, check 
>                 SearchFilter (&(objectclass=friacouser)(csid=0%{Calling-Station-Id})(!(suspended=yes))) 
>                 PostSearchHook sub { $_[2]->addAttrByNum($Radius::Radius::EAP_MESSAGE,1); } 
>                 AddToReply Service-Type = Framed-User, \ 
>                         Framed-Protocol = PPP, \ 
>                         Framed-IP-Address = 255.255.255.254, \ 
>                         Framed-IP-Netmask = 255.255.255.255, \ 
>                         Framed-Routing = None, \ 
>                         Framed-Compression = Van-Jacobsen-TCP-IP, \ 
>                         Framed-MTU = 1500, \ 
>                         Session-Timeout = 7200 
>         </AuthBy> 
> 
> --- Logfile excerpts (trace 5, command radpwtst -s localhost -user blah -password blah -calling_station_id 1524848611) 
> 
> With 2.19, I get - 
> 
> Code:       Access-Request 
> Identifier: 51 
> Authentic:  1234567890123456 
> Attributes: 
>         User-Name = "blah" 
>         Service-Type = Framed-User 
>         NAS-IP-Address = 203.63.154.1 
>         NAS-Port = 1234 
>         Called-Station-Id = "123456789" 
>         Calling-Station-Id = "1524848611" 
>         NAS-Port-Type = Async 
>         User-Password = "<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>" 
> 
> Wed Jan 15 12:30:51 2003: DEBUG: Check if Handler Client-Identifier = BT-FRIACO-Radius should be used to handle this request
> 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius' 
> Wed Jan 15 12:30:51 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthGROUP 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with ********* 
> Wed Jan 15 12:30:51 2003: DEBUG: No entries for blah found in LDAP database 
> Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with ********* 
> Wed Jan 15 12:30:51 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet 
> Wed Jan 15 12:30:51 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400 
> Wed Jan 15 12:30:51 2003: ERR: There was no password attribute found for blah. Check your LDAP database. 
> Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with EAP 
> Wed Jan 15 12:30:51 2003: DEBUG: EAP code 49, , 
> Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 ACCEPT: 
> Wed Jan 15 12:30:51 2003: DEBUG: Access accepted for blah 
> Wed Jan 15 12:30:51 2003: DEBUG: Packet dump: 
> 
> With 3.5, I get - 
> 
> Code:       Access-Request 
> Identifier: 31 
> Authentic:  1234567890123456 
> Attributes: 
>         User-Name = "blah" 
>         Service-Type = Framed-User 
>         NAS-IP-Address = 203.63.154.1 
>         NAS-Port = 1234 
>         Called-Station-Id = "123456789" 
>         Calling-Station-Id = "1524848611" 
>         NAS-Port-Type = Async 
>         User-Password = "<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>" 
> 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius' 
> Wed Jan 15 09:40:31 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthGROUP 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 09:40:31 2003: DEBUG: No entries for blah found in LDAP database 
> Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 09:40:31 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet 
> Wed Jan 15 09:40:31 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400 
> Wed Jan 15 09:40:31 2003: ERR: There was no password attribute found for blah. Check your LDAP database. 
> Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password 
> Wed Jan 15 09:40:31 2003: INFO: Access rejected for blah: Bad Encrypted password 
> Wed Jan 15 09:40:31 2003: DEBUG: Packet dump: 
> 
> - Matt S Trout 
> Internet Systems Developer 
> Business Serve plc 
> E-mail : matthewtrout at businessserve.co.uk 
> Tel    : 0870 759 2041 
> 
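A worked model of the CLI-only lookup discussed in this thread, added here as an illustration (Python, not Radiator's own code): it builds the thread's SearchFilter from a NAS-supplied Calling-Station-Id with RFC 4515 escaping and a digits-only check, then evaluates the same filter's semantics over a constructed directory to show which entries an AuthBy LDAP2 with no PasswordAttr would accept on the strength of the search alone. The DIRECTORY entries are constructed sample data; Radiator's %{...} substitution and the FRIACO-todr time check are not modelled.

```python
import re

# Constructed sample of what the subtree under
# ou=customers, ou=people, dc=bsve.net, o=internet might hold (not real data).
DIRECTORY = [
    {"objectclass": "friacouser", "csid": "01524848611", "suspended": "no",
     "FRIACO-todr": "Al0000-2400"},
    {"objectclass": "friacouser", "csid": "01524848612", "suspended": "yes"},
    {"objectclass": "person", "csid": "01524848613"},
]

# RFC 4515 escaping for values embedded in an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(calling_station_id):
    """Produce the thread's SearchFilter for one NAS-supplied Calling-Station-Id.

    The CLI arrives from the NAS and is untrusted; for this product it must be a
    plain digit string, so anything else is refused before a directory query is
    built, and the value is escaped anyway as defence in depth.
    """
    if not re.fullmatch(r"[0-9]{1,20}", calling_station_id):
        raise ValueError("Calling-Station-Id must be a plain digit string")
    csid = ldap_filter_escape(calling_station_id)
    return "(&(objectclass=friacouser)(csid=0%s)(!(suspended=yes)))" % csid


def search(directory, calling_station_id):
    """Evaluate the filter's semantics over the constructed directory."""
    build_search_filter(calling_station_id)  # validates the CLI first
    want = "0" + calling_station_id          # the filter prefixes csid with 0
    return [e for e in directory
            if e.get("objectclass") == "friacouser"
            and e.get("csid") == want
            and e.get("suspended") != "yes"]


def decide(directory, calling_station_id):
    """Outcome with no PasswordAttr configured: the search result alone decides."""
    try:
        entries = search(directory, calling_station_id)
    except ValueError:
        return "REJECT"
    return "ACCEPT" if entries else "REJECT"
```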
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au