(RADIATOR) Radiator Not Getting Correct Attributes
Hugh Irvine
hugh at open.com.au
Mon May 19 18:38:21 CDT 2003
Hello Al -
Thanks for sending the files.
Ciscos are very picky about the "Service-Type" reply attribute, which
in general *must* match the "Service-Type" attribute contained in the
access request. I notice in the trace there is no "Service-Type" reply
attribute at all, which is undoubtedly the problem. You will also use
reply attributes to indicate what a user is allowed to do, i.e. if it is
a Framed-User, what Framed-Protocol to use, what Framed-IP-Address to
use, etc.
For reference, radius is an "AAA" protocol, which stands for
"Authentication", "Authorisation" and "Accounting".
The "Access-Request" is used for "Authentication".
The "Access-Accept" that is sent back to the NAS is used for
"Authorisation".
And the "Accounting-Request" is used for "Accounting".
You will find a great deal of useful information regarding radius
configuration on the Cisco web site, and there has been lots of
discussion on this topic on the mailing list, so check the archive too:
www.open.com.au/archives/radiator
regards
Hugh
On Tuesday, May 20, 2003, at 04:43 Australia/Melbourne, Charles Alexander McCain wrote:
> Hello,
>
> I'm running radiator with a cisco 7200 .
> I'm having a problem with attributes.
> For instance , a user has the attribute Administrative-User and he
> authenticates with radiator , he doesn't get admin rights to the
> router.
> I cannot seem to figure this one out. Another problem i am facing, is
> that users with the "Framed-User" attribute are also able to log on to
> the
> router. i don't think this should be happening.
>
> Any ideas?
>
> Here is my config and output.
>
> Thanks,
> Al
>
> Foreground
> LogStdout
> LogDir /usr/local/etc/
> DbDir /usr/local/etc/
> SnmpgetProg /usr/local/bin/snmpget
> Trace 5
>
> <Client DEFAULT>
>
> Secret letMEin
> DupInterval 0
>
> </Client>
>
> <SessionDatabase SQL>
>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth xxxxxxxxxxx
> Identifier SQLS
>
> AddQuery insert into RADONLINE (USERNAME,\
> NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
> FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) \
> values ('%n', '%N',\
> %{NAS-Port}, '%{Acct-Session-Id}', '%o',\
> '%{Framed-IP-Address}', '%{NAS-Port-Type}', \
> '%{Service-Type}', '%c')
>
> </SessionDatabase>
>
>
> <ClientListSQL>
>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth xxxxxxxxxxxx
>
> </ClientListSQL>
> <Realm DEFAULT>
>
>
> <AuthBy UNIX>
>
> Identifier System
> Filename /etc/shadow
>
> </AuthBy>
>
> #<AuthBy PORTLIMITCHECK>
>
> # DefaultSimultaneousUse 1
> # Identifier checkport
> # SessionLimit 1
>
> #</AuthBy PORTLIMITCHECK>
>
>
> <AuthBy LDAP2>
> #ServerChecksPassword
> Identifier LDAP
> Host 127.0.0.1
> Port 389
> AuthDN cn=Replicator, dc=xxxxxxxxxx, dc=net
> AuthPassword xxxxxxxxxxxxx
> BaseDN %0=%1,ou=people,dc=xxxxxxxxxx,dc=net
> Scope base
> UsernameAttr uid
> PasswordAttr userPassword
> HoldServerConnection
> SearchFilter (&(gecos=active)(uid=%1))
> AuthAttrDef gidNumber, gid-attr, request
> </AuthBy>
>
> <AuthBy SQL>
> NoDefault
> DefaultSimultaneousUse 1
> Identifier CheckSQL
>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth xxxxxxxxxxxx
>
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>
> </AuthBy>
>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/\s+//g
> RewriteUsername tr/A-Z/a-z/
>
> AuthByPolicy ContinueUntilAccept
>
> AuthBy LDAP
> AuthBy CheckSQL
> AuthBy System
>
> PostAuthHook file:"/usr/local/etc/postHook"
> AcctLogFileName /usr/local/etc/detail
> </Realm>
>
> -------------------------------------------------------
>
> Mon May 19 13:28:47 2003: DEBUG: Packet dump:
> *** Received from 209.142.136.170 port 21646 ....
>
> Packet length = 90
> 01 0b 00 5a 52 ae 23 7c 12 d0 da 81 dc 2d 57 96
> 39 d3 5b 77 01 06 64 65 76 31 02 12 c1 1e b0 5f
> 95 1e cd d8 75 c5 e2 ac 39 44 db 7b 1a 0c 00 00
> 00 09 02 06 74 74 79 32 05 06 00 00 00 02 3d 06
> 00 00 00 05 1f 10 32 30 39 2e 31 34 32 2e 31 33
> 36 2e 39 31 04 06 d1 8e 88 aa
> Code: Access-Request
> Identifier: 11
> Authentic: R<174>#|<18><208><218><129><220>-W<150>9<211>[w
> Attributes:
> User-Name = "dev1"
> User-Password = "<193><30><176>_<149><30><205><216>u<197><226><172>9D<219>{"
> Cisco-NAS-Port = "tty2"
> NAS-Port = 2
> NAS-Port-Type = Virtual
> Calling-Station-Id = "209.142.136.91"
> NAS-IP-Address = 209.142.136.170
>
> Mon May 19 13:28:47 2003: ERR: Error while rewriting username dev1: syntax error at (eval 29) line 2, at EOF
>
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
> Mon May 19 13:28:47 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
>
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthUNIX: System
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthUNIX looks for match with dev1
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
> Mon May 19 13:28:47 2003: INFO: Connecting to 127.0.0.1, port 389
> Mon May 19 13:28:47 2003: INFO: Attempting to bind with cn=Replicator, dc=xxxxxxxxxx, dc=net, xxxxxxx (server 127.0.0.1:389)
> Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthLDAP2 looks for match with dev1
> Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL: CheckSQL
> Mon May 19 13:28:47 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='dev1'
>
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL looks for match with dev1
> Mon May 19 13:28:47 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='dev1'
>
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon May 19 13:28:47 2003: DEBUG: Access accepted for dev1
> Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> *** Sending to 209.142.136.170 port 21646 ....
>
> Packet length = 20
> 02 0b 00 14 63 8d 28 50 aa 2d c1 7d 0a 41 87 ca
> 59 27 f3 76
> Code: Access-Accept
> Identifier: 11
> Authentic:
> R<174>#|<18><208><218><129><220>-W<150>9<211>[w
> Attributes:
>
> Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> *** Received from 209.142.136.170 port 21646 ....
>
> Packet length = 106
> 04 0c 00 6a e4 d9 c7 41 f9 08 b8 20 5d fd 66 55
> 8a 94 06 8c 2c 0a 30 30 30 30 30 30 36 42 2d 06
> 00 00 00 01 01 06 64 65 76 31 28 06 00 00 00 01
> 1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00 00
> 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31 34
> 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04 06
> d1 8e 88 aa 29 06 00 00 00 00
> Code: Accounting-Request
> Identifier: 12
> Authentic: <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
> Attributes:
> Acct-Session-Id = "0000006B"
> Acct-Authentic = RADIUS
> User-Name = "dev1"
> Acct-Status-Type = Start
> Cisco-NAS-Port = "tty2"
> NAS-Port = 2
> NAS-Port-Type = Virtual
> Calling-Station-Id = "209.142.136.91"
> Service-Type = NAS-Prompt-User
> NAS-IP-Address = 209.142.136.170
> Acct-Delay-Time = 0
>
> Mon May 19 13:28:48 2003: ERR: Error while rewriting username dev1: syntax error at (eval 33) line 2, at EOF
>
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: SQLS Adding session for dev1, 209.142.136.170, 2
> Mon May 19 13:28:48 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
>
> Mon May 19 13:28:48 2003: DEBUG: do query is: insert into RADONLINE (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) values ('dev1', '209.142.136.170',2, '0000006B', 'Mon May 19 13:28:48 2003','', 'Virtual', 'NAS-Prompt-User', '209.142.136.170')
>
> Mon May 19 13:28:48 2003: DEBUG: Handling with Radius::AuthUNIX: System
> Mon May 19 13:28:48 2003: DEBUG: Accounting accepted
> Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> *** Sending to 209.142.136.170 port 21646 ....
>
> Packet length = 20
> 05 0c 00 14 be b5 0d 10 c8 82 55 f3 76 ee 7c e8
> c1 11 6f 37
> Code: Accounting-Response
> Identifier: 12
> Authentic: <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
> Attributes:
>
> Mon May 19 13:28:56 2003: DEBUG: Packet dump:
> *** Received from 209.142.136.170 port 21646 ....
>
> Packet length = 203
> 04 0d 00 cb 0a 6d 3a 6c 3b 44 a0 bf 84 54 8f 20
> 92 9c b4 a3 2c 0a 30 30 30 30 30 30 36 42 2d 06
> 00 00 00 01 31 06 00 00 00 01 c3 06 00 00 00 14
> 1a 23 00 00 00 09 01 1d 64 69 73 63 2d 63 61 75
> 73 65 2d 65 78 74 3d 54 53 20 55 73 65 72 20 45
> 78 69 74 c4 06 00 00 00 0a 1a 20 00 00 00 09 01
> 1a 63 6f 6e 6e 65 63 74 2d 70 72 6f 67 72 65 73
> 73 3d 43 61 6c 6c 20 55 70 c6 06 00 00 00 04 2e
> 06 00 00 00 08 01 06 64 65 76 31 28 06 00 00 00
> 02 1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00
> 00 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31
> 34 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04
> 06 d1 8e 88 aa 29 06 00 00 00 00
> Code: Accounting-Request
> Identifier: 13
> Authentic: <10>m:l;D<160><191><132>T<143> <146><156><180><163>
> Attributes:
> Acct-Session-Id = "0000006B"
> Acct-Authentic = RADIUS
> Acct-Terminate-Cause = User-Request
> Ascend-Disconnect-Cause = tsUserExit
> cisco-avpair = "disc-cause-ext=TS User Exit"
> Ascend-Connect-Progress = prCallUp
> cisco-avpair = "connect-progress=Call Up"
> Ascend-PreSession-Time = 4
> Acct-Session-Time = 8
> User-Name = "dev1"
> Acct-Status-Type = Stop
> Cisco-NAS-Port = "tty2"
> NAS-Port = 2
> NAS-Port-Type = Virtual
> Calling-Station-Id = "209.142.136.91"
> Service-Type = NAS-Prompt-User
> NAS-IP-Address = 209.142.136.170
> Acct-Delay-Time = 0
>
> Mon May 19 13:28:56 2003: ERR: Error while rewriting username dev1: syntax error at (eval 37) line 2, at EOF
>
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
> Mon May 19 13:28:56 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
>
> Mon May 19 13:28:56 2003: DEBUG: Handling with Radius::AuthUNIX: System
> Mon May 19 13:28:56 2003: DEBUG: Accounting accepted
> Mon May 19 13:28:56 2003: DEBUG: Packet dump:
> *** Sending to 209.142.136.170 port 21646 ....
>
> Packet length = 20
> 05 0d 00 14 6a 4b 50 6f 8d 31 75 bd 84 52 7b 46
> 45 42 db bf
> Code: Accounting-Response
> Identifier: 13
> Authentic: <10>m:l;D<160><191><132>T<143> <146><156><180><163>
> Attributes:
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
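As an added illustration of the point made in the reply above about the missing "Service-Type" reply attribute (this is example code written for this page, not part of the original post and not Radiator's own code): the script below decodes the Access-Request and the empty Access-Accept from the trace using the RFC 2865 wire format, flags an Access-Accept that carries no Service-Type or one that disagrees with the request, and builds a corrected Access-Accept that carries Service-Type = Administrative-User together with a properly computed Response Authenticator. The shared secret `b"<secret>"`, the helper names and the check rules are assumptions made here; the packet codes, attribute numbers and Service-Type values are the ones defined in RFC 2865.

```python
import hashlib
import hmac
import struct
from typing import Any, Dict, List, Optional, Tuple

# Constructed input: the Access-Request and the (empty) Access-Accept hex dumps
# copied from the trace in the post.
REQUEST_HEX = (
    "01 0b 00 5a 52 ae 23 7c 12 d0 da 81 dc 2d 57 96"
    " 39 d3 5b 77 01 06 64 65 76 31 02 12 c1 1e b0 5f"
    " 95 1e cd d8 75 c5 e2 ac 39 44 db 7b 1a 0c 00 00"
    " 00 09 02 06 74 74 79 32 05 06 00 00 00 02 3d 06"
    " 00 00 00 05 1f 10 32 30 39 2e 31 34 32 2e 31 33"
    " 36 2e 39 31 04 06 d1 8e 88 aa"
)
ACCEPT_HEX = "02 0b 00 14 63 8d 28 50 aa 2d c1 7d 0a 41 87 ca 59 27 f3 76"

# RFC 2865 packet codes, attribute numbers and Service-Type values used here.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol",
              8: "Framed-IP-Address", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User",
                 7: "NAS-Prompt-User"}
INTEGER_ATTRS = {5, 6, 7, 61}
SERVICE_TYPE, ADMINISTRATIVE_USER, FRAMED_USER = 6, 6, 2


def parse_packet(raw: bytes) -> Dict[str, Any]:
    """Decode a RADIUS header and its attribute list, rejecting malformed lengths."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    attrs: List[Tuple[str, Any]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError(f"bad attribute header at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + alen]
        if atype in INTEGER_ATTRS and len(value) == 4:
            decoded: Any = struct.unpack("!I", value)[0]
        elif atype == 4 and len(value) == 4:              # NAS-IP-Address
            decoded = ".".join(str(b) for b in value)
        elif atype == 26 and len(value) >= 6:             # Vendor-Specific
            vendor = struct.unpack("!I", value[:4])[0]
            decoded = (vendor, value[4], value[6:4 + value[5]])
        else:
            decoded = value                               # strings stay as bytes
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), decoded))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}


def first(attrs: List[Tuple[str, Any]], name: str) -> Optional[Any]:
    """Return the first value of the named attribute, or None if it is absent."""
    return next((v for n, v in attrs if n == name), None)


def check_reply_authorisation(request: Dict[str, Any], reply: Dict[str, Any]) -> List[str]:
    """Apply the rule from the reply above: an Access-Accept needs a Service-Type,
    and it must agree with the request's Service-Type when the request has one.
    Returns the problems found; an empty list means the reply looks right."""
    problems: List[str] = []
    if reply["code"] != "Access-Accept":
        return problems
    req_st = first(request["attrs"], "Service-Type")
    rep_st = first(reply["attrs"], "Service-Type")
    if rep_st is None:
        problems.append("Access-Accept carries no Service-Type reply attribute")
    elif req_st is not None and req_st != rep_st:
        problems.append(f"reply Service-Type {SERVICE_TYPES.get(rep_st, rep_st)} "
                        f"differs from request {SERVICE_TYPES.get(req_st, req_st)}")
    if rep_st == FRAMED_USER and first(reply["attrs"], "Framed-Protocol") is None:
        problems.append("Framed-User accept without a Framed-Protocol")
    return problems


def build_accept(request_raw: bytes, service_type: int, secret: bytes,
                 extra_attrs: Tuple[Tuple[int, bytes], ...] = ()) -> bytes:
    """Build an Access-Accept answering request_raw that carries Service-Type plus
    any extra (type, value) attributes, with the RFC 2865 Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = ((SERVICE_TYPE, struct.pack("!I", service_type)),) + tuple(extra_attrs)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, request_raw[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request_raw[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(request_raw: bytes, reply_raw: bytes, secret: bytes) -> bool:
    """Check a reply's Response Authenticator against the request it answers."""
    expected = hashlib.md5(reply_raw[:4] + request_raw[4:20] + reply_raw[20:] + secret).digest()
    return hmac.compare_digest(expected, reply_raw[4:20])


if __name__ == "__main__":
    req_raw, acc_raw = bytes.fromhex(REQUEST_HEX), bytes.fromhex(ACCEPT_HEX)
    req, acc = parse_packet(req_raw), parse_packet(acc_raw)
    print(req["code"], req["attrs"])
    print(acc["code"], acc["attrs"], check_reply_authorisation(req, acc))
    fixed = build_accept(req_raw, ADMINISTRATIVE_USER, b"<secret>")  # assumed secret
    print(parse_packet(fixed)["attrs"], check_reply_authorisation(req, parse_packet(fixed)))
```

Run against the trace, the Access-Request decodes to User-Name "dev1", NAS-Port 2, NAS-Port-Type 5 (Virtual), the Cisco vendor attribute "tty2" and NAS-IP-Address 209.142.136.170, while the Access-Accept decodes to no attributes at all, which is exactly what the check reports. The check for a Framed-User accept without Framed-Protocol is an assumption added here as an instance of the more general point in the reply that the accept carries the authorisation the NAS acts on.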