(RADIATOR) Radiator Not Getting Correct Attributes
Charles Alexander McCain
mccain at unixatlas.com
Mon May 19 13:43:49 CDT 2003
Hello,
I'm running Radiator with a Cisco 7200.
I'm having a problem with attributes.
For instance, a user has the attribute Administrative-User, and when he
authenticates with Radiator he doesn't get admin rights to the router.
I cannot seem to figure this one out. Another problem I am facing is
that users with the "Framed-User" attribute are also able to log on to the
router. I don't think this should be happening.
Any ideas?
Here is my config and output.
Thanks,
Al
Foreground
LogStdout
LogDir /usr/local/etc/
DbDir /usr/local/etc/
SnmpgetProg /usr/local/bin/snmpget
Trace 5
<Client DEFAULT>
Secret letMEin
DupInterval 0
</Client>
<SessionDatabase SQL>
DBSource dbi:mysql:radius
DBUsername radius
DBAuth xxxxxxxxxxx
Identifier SQLS
AddQuery insert into RADONLINE (USERNAME,\
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) \
values ('%n', '%N',\
%{NAS-Port}, '%{Acct-Session-Id}', '%o',\
'%{Framed-IP-Address}', '%{NAS-Port-Type}', \
'%{Service-Type}', '%c')
</SessionDatabase>
<ClientListSQL>
DBSource dbi:mysql:radius
DBUsername radius
DBAuth xxxxxxxxxxxx
</ClientListSQL>
<Realm DEFAULT>
<AuthBy UNIX>
Identifier System
Filename /etc/shadow
</AuthBy>
#<AuthBy PORTLIMITCHECK>
# DefaultSimultaneousUse 1
# Identifier checkport
# SessionLimit 1
#</AuthBy>
<AuthBy LDAP2>
#ServerChecksPassword
Identifier LDAP
Host 127.0.0.1
Port 389
AuthDN cn=Replicator, dc=xxxxxxxxxx, dc=net
AuthPassword xxxxxxxxxxxxx
BaseDN %0=%1,ou=people,dc=xxxxxxxxxx,dc=net
Scope base
UsernameAttr uid
PasswordAttr userPassword
HoldServerConnection
SearchFilter (&(gecos=active)(uid=%1))
AuthAttrDef gidNumber, gid-attr, request
</AuthBy>
<AuthBy SQL>
NoDefault
DefaultSimultaneousUse 1
Identifier CheckSQL
DBSource dbi:mysql:radius
DBUsername radius
DBAuth xxxxxxxxxxxx
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
</AuthBy>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/\s+//g
RewriteUsername tr/A-Z/a-z/
AuthByPolicy ContinueUntilAccept
AuthBy LDAP
AuthBy CheckSQL
AuthBy System
PostAuthHook file:"/usr/local/etc/postHook"
AcctLogFileName /usr/local/etc/detail
</Realm>
-------------------------------------------------------
Mon May 19 13:28:47 2003: DEBUG: Packet dump:
*** Received from 209.142.136.170 port 21646 ....
Packet length = 90
01 0b 00 5a 52 ae 23 7c 12 d0 da 81 dc 2d 57 96
39 d3 5b 77 01 06 64 65 76 31 02 12 c1 1e b0 5f
95 1e cd d8 75 c5 e2 ac 39 44 db 7b 1a 0c 00 00
00 09 02 06 74 74 79 32 05 06 00 00 00 02 3d 06
00 00 00 05 1f 10 32 30 39 2e 31 34 32 2e 31 33
36 2e 39 31 04 06 d1 8e 88 aa
Code: Access-Request
Identifier: 11
Authentic: R<174>#|<18><208><218><129><220>-W<150>9<211>[w
Attributes:
User-Name = "dev1"
User-Password = "<193><30><176>_<149><30><205><216>u<197><226><172>9D<219>{"
Cisco-NAS-Port = "tty2"
NAS-Port = 2
NAS-Port-Type = Virtual
Calling-Station-Id = "209.142.136.91"
NAS-IP-Address = 209.142.136.170
Mon May 19 13:28:47 2003: ERR: Error while rewriting username dev1: syntax error at (eval 29) line 2, at EOF
Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:47 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:47 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
Mon May 19 13:28:47 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthUNIX: System
Mon May 19 13:28:47 2003: DEBUG: Radius::AuthUNIX looks for match with dev1
Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Mon May 19 13:28:47 2003: INFO: Connecting to 127.0.0.1, port 389
Mon May 19 13:28:47 2003: INFO: Attempting to bind with cn=Replicator, dc=xxxxxxxxxx, dc=net, xxxxxxx (server 127.0.0.1:389)
Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Mon May 19 13:28:47 2003: DEBUG: Radius::AuthLDAP2 looks for match with dev1
Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL
Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL: CheckSQL
Mon May 19 13:28:47 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='dev1'
Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL looks for match with dev1
Mon May 19 13:28:47 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='dev1'
Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL ACCEPT:
Mon May 19 13:28:47 2003: DEBUG: Access accepted for dev1
Mon May 19 13:28:48 2003: DEBUG: Packet dump:
*** Sending to 209.142.136.170 port 21646 ....
Packet length = 20
02 0b 00 14 63 8d 28 50 aa 2d c1 7d 0a 41 87 ca
59 27 f3 76
Code: Access-Accept
Identifier: 11
Authentic: R<174>#|<18><208><218><129><220>-W<150>9<211>[w
Attributes:
Mon May 19 13:28:48 2003: DEBUG: Packet dump:
*** Received from 209.142.136.170 port 21646 ....
Packet length = 106
04 0c 00 6a e4 d9 c7 41 f9 08 b8 20 5d fd 66 55
8a 94 06 8c 2c 0a 30 30 30 30 30 30 36 42 2d 06
00 00 00 01 01 06 64 65 76 31 28 06 00 00 00 01
1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00 00
00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31 34
32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04 06
d1 8e 88 aa 29 06 00 00 00 00
Code: Accounting-Request
Identifier: 12
Authentic: <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
Attributes:
Acct-Session-Id = "0000006B"
Acct-Authentic = RADIUS
User-Name = "dev1"
Acct-Status-Type = Start
Cisco-NAS-Port = "tty2"
NAS-Port = 2
NAS-Port-Type = Virtual
Calling-Station-Id = "209.142.136.91"
Service-Type = NAS-Prompt-User
NAS-IP-Address = 209.142.136.170
Acct-Delay-Time = 0
Mon May 19 13:28:48 2003: ERR: Error while rewriting username dev1: syntax error at (eval 33) line 2, at EOF
Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:48 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:48 2003: DEBUG: SQLS Adding session for dev1, 209.142.136.170, 2
Mon May 19 13:28:48 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
Mon May 19 13:28:48 2003: DEBUG: do query is: insert into RADONLINE (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) values ('dev1', '209.142.136.170',2, '0000006B', 'Mon May 19 13:28:48 2003','', 'Virtual', 'NAS-Prompt-User', '209.142.136.170')
Mon May 19 13:28:48 2003: DEBUG: Handling with Radius::AuthUNIX: System
Mon May 19 13:28:48 2003: DEBUG: Accounting accepted
Mon May 19 13:28:48 2003: DEBUG: Packet dump:
*** Sending to 209.142.136.170 port 21646 ....
Packet length = 20
05 0c 00 14 be b5 0d 10 c8 82 55 f3 76 ee 7c e8
c1 11 6f 37
Code: Accounting-Response
Identifier: 12
Authentic: <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
Attributes:
Mon May 19 13:28:56 2003: DEBUG: Packet dump:
*** Received from 209.142.136.170 port 21646 ....
Packet length = 203
04 0d 00 cb 0a 6d 3a 6c 3b 44 a0 bf 84 54 8f 20
92 9c b4 a3 2c 0a 30 30 30 30 30 30 36 42 2d 06
00 00 00 01 31 06 00 00 00 01 c3 06 00 00 00 14
1a 23 00 00 00 09 01 1d 64 69 73 63 2d 63 61 75
73 65 2d 65 78 74 3d 54 53 20 55 73 65 72 20 45
78 69 74 c4 06 00 00 00 0a 1a 20 00 00 00 09 01
1a 63 6f 6e 6e 65 63 74 2d 70 72 6f 67 72 65 73
73 3d 43 61 6c 6c 20 55 70 c6 06 00 00 00 04 2e
06 00 00 00 08 01 06 64 65 76 31 28 06 00 00 00
02 1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00
00 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31
34 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04
06 d1 8e 88 aa 29 06 00 00 00 00
Code: Accounting-Request
Identifier: 13
Authentic: <10>m:l;D<160><191><132>T<143> <146><156><180><163>
Attributes:
Acct-Session-Id = "0000006B"
Acct-Authentic = RADIUS
Acct-Terminate-Cause = User-Request
Ascend-Disconnect-Cause = tsUserExit
cisco-avpair = "disc-cause-ext=TS User Exit"
Ascend-Connect-Progress = prCallUp
cisco-avpair = "connect-progress=Call Up"
Ascend-PreSession-Time = 4
Acct-Session-Time = 8
User-Name = "dev1"
Acct-Status-Type = Stop
Cisco-NAS-Port = "tty2"
NAS-Port = 2
NAS-Port-Type = Virtual
Calling-Station-Id = "209.142.136.91"
Service-Type = NAS-Prompt-User
NAS-IP-Address = 209.142.136.170
Acct-Delay-Time = 0
Mon May 19 13:28:56 2003: ERR: Error while rewriting username dev1: syntax error at (eval 37) line 2, at EOF
Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:56 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
Mon May 19 13:28:56 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
Mon May 19 13:28:56 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
Mon May 19 13:28:56 2003: DEBUG: Handling with Radius::AuthUNIX: System
Mon May 19 13:28:56 2003: DEBUG: Accounting accepted
Mon May 19 13:28:56 2003: DEBUG: Packet dump:
*** Sending to 209.142.136.170 port 21646 ....
Packet length = 20
05 0d 00 14 6a 4b 50 6f 8d 31 75 bd 84 52 7b 46
45 42 db bf
Code: Accounting-Response
Identifier: 13
Authentic: <10>m:l;D<160><191><132>T<143> <146><156><180><163>
Attributes:
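The Access-Accept in the trace above is 20 bytes long: a header and a Response Authenticator with no attributes at all, so the router received no Service-Type and fell back to its own default for the exec session. The Access-Request itself also carries no Service-Type; only the two Accounting-Requests say NAS-Prompt-User. That matches the trace of the SQL lookup, which selects only PASSWORD and therefore fetches nothing that could be returned as a reply attribute. The Python decoder below is an added example, not code from this post or from Radiator. It parses the three hex dumps copied from the trace, reports which Service-Type (if any) each carries, and shows what an Access-Accept carrying Service-Type = Administrative-User would look like and how its Response Authenticator is computed per RFC 2865. The shared secret it uses to build that reply is a constructed placeholder: the trace does not show which secret the NAS at 209.142.136.170 is actually using (the config defines a DEFAULT client and also loads clients from SQL), so the authenticator of the real reply is deliberately not checked here.

```python
"""Decode the RADIUS packets from the Radiator trace and look for Service-Type.
Added example, not code from the post or from Radiator.  The shared secret
used below is a constructed placeholder, not the NAS's real secret."""
import hashlib
import hmac
import struct

SERVICE_TYPE = 6
INTEGER_ATTRS = {5, 6, 40, 41, 45, 61}   # NAS-Port, Service-Type, Acct-Status-Type,
                                         # Acct-Delay-Time, Acct-Authentic, NAS-Port-Type
SERVICE_TYPE_NAMES = {1: "Login-User", 2: "Framed-User",
                      6: "Administrative-User", 7: "NAS-Prompt-User"}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request"}

# Hex dumps copied verbatim from the trace (identifiers 11 and 12).
ACCESS_REQUEST = bytes.fromhex("""
01 0b 00 5a 52 ae 23 7c 12 d0 da 81 dc 2d 57 96 39 d3 5b 77 01 06 64 65 76 31
02 12 c1 1e b0 5f 95 1e cd d8 75 c5 e2 ac 39 44 db 7b 1a 0c 00 00 00 09 02 06
74 74 79 32 05 06 00 00 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31 34 32 2e
31 33 36 2e 39 31 04 06 d1 8e 88 aa""")
ACCESS_ACCEPT = bytes.fromhex(
    "02 0b 00 14 63 8d 28 50 aa 2d c1 7d 0a 41 87 ca 59 27 f3 76")
ACCT_START = bytes.fromhex("""
04 0c 00 6a e4 d9 c7 41 f9 08 b8 20 5d fd 66 55 8a 94 06 8c 2c 0a 30 30 30 30
30 30 36 42 2d 06 00 00 00 01 01 06 64 65 76 31 28 06 00 00 00 01 1a 0c 00 00
00 09 02 06 74 74 79 32 05 06 00 00 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e
31 34 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04 06 d1 8e 88 aa 29 06 00 00
00 00""")


def decode(packet):
    """Parse one RADIUS packet into (code, id, authenticator, [(type, value), ...]).
    Length fields that disagree with the bytes received are rejected, as a server must."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d != %d bytes received" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        raw = packet[pos + 2:pos + alen]
        if atype in INTEGER_ATTRS:
            if len(raw) != 4:
                raise ValueError("integer attribute %d with %d-byte value" % (atype, len(raw)))
            value = struct.unpack("!I", raw)[0]
        elif atype == 4:                      # NAS-IP-Address
            value = ".".join(str(b) for b in raw)
        elif atype == 26:                     # Vendor-Specific: (vendor, vsa-type, vsa-data)
            value = (struct.unpack("!I", raw[:4])[0], raw[4], raw[6:4 + raw[5]])
        elif atype == 2:                      # User-Password is obfuscated; keep raw
            value = raw
        else:
            value = raw.decode("ascii", "replace")
        attrs.append((atype, value))
        pos += alen
    return code, ident, packet[4:20], attrs


def service_type(packet):
    """Service-Type value carried by the packet, or None when it carries none."""
    for atype, value in decode(packet)[3]:
        if atype == SERVICE_TYPE:
            return value
    return None


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def verify_response(response, request, secret):
    """True if `response` answers `request` and its authenticator matches `secret`."""
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def build_access_accept(request, secret, attrs):
    """Access-Accept for `request` carrying `attrs` given as (type, value-bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    auth = response_authenticator(2, request[1], request[4:20], body, secret)
    return struct.pack("!BBH", 2, request[1], 20 + len(body)) + auth + body


def admin_accept_for(request, secret):
    """The Accept the router would need: Service-Type = Administrative-User (6)."""
    return build_access_accept(request, secret, [(SERVICE_TYPE, struct.pack("!I", 6))])


if __name__ == "__main__":
    for pkt in (ACCESS_REQUEST, ACCESS_ACCEPT, ACCT_START):
        code, ident, _, attrs = decode(pkt)
        st = service_type(pkt)
        print(CODE_NAMES.get(code, code), "id", ident, "attrs", len(attrs),
              "Service-Type", SERVICE_TYPE_NAMES.get(st, st))
    fixed = admin_accept_for(ACCESS_REQUEST, b"example-secret")   # constructed secret
    print("Accept with Administrative-User:", fixed.hex(), verify_response(fixed, ACCESS_REQUEST, b"example-secret"))
```

Run stand-alone it prints one line per packet; the Access-Accept line reports zero attributes and no Service-Type, the Accounting-Request reports NAS-Prompt-User. The decoder refuses packets whose Length or attribute lengths do not fit the bytes received, which is the check a RADIUS server applies before trusting anything else in the datagram.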
===
Archive at http://www.open.com.au/archives/radiator/