(RADIATOR) Radiator Not Getting Correct Attributes

Hugh Irvine hugh at open.com.au
Mon May 19 18:38:21 CDT 2003


Hello Al -

Thanks for sending the files.

Ciscos are very picky about the "Service-Type" reply attribute, which 
in general *must* match the "Service-Type" attribute contained in the 
Access-Request. I notice in the trace there is no "Service-Type" reply 
attribute at all, which is undoubtedly the problem. You will also use 
reply attributes to indicate what a user is allowed to do, i.e. if it is 
a Framed-User, what Framed-Protocol to use, what Framed-IP-Address to 
use, etc.

For reference, radius is a "AAA" protocol, which stands for 
"Authentication", "Authorisation" and "Accounting".

The "Access-Request" is used for "Authentication".

The "Access-Accept" that is sent back to the NAS is used for 
"Authorisation".

And the "Accounting-Request" is used for "Accounting".

You will find a great deal of useful information regarding radius 
configuration on the Cisco web site, and there has been lots of 
discussion on this topic on the mailing list, so check the archive too:

	www.open.com.au/archives/radiator

regards

Hugh


On Tuesday, May 20, 2003, at 04:43 Australia/Melbourne, Charles 
Alexander McCain wrote:

> Hello,
>
> I'm running radiator with a cisco 7200.
> I'm having a problem with attributes.
> For instance, when a user who has the attribute Administrative-User
> authenticates with radiator, he doesn't get admin rights to the
> router.
> I cannot seem to figure this one out. Another problem I am facing is
> that users with the "Framed-User" attribute are also able to log on to
> the router. I don't think this should be happening.
>
> Any ideas?
>
> Here is my config and output.
>
> Thanks,
> Al
>
> Foreground
> LogStdout
> LogDir		/usr/local/etc/
> DbDir		/usr/local/etc/
> SnmpgetProg /usr/local/bin/snmpget
> Trace 5
>
> <Client DEFAULT>
>
> 	Secret letMEin
> 	DupInterval 0
>
> </Client>
>
> <SessionDatabase SQL>
>
> 	DBSource dbi:mysql:radius
> 	DBUsername radius
> 	DBAuth xxxxxxxxxxx
> 	Identifier SQLS
>
> 		AddQuery insert into RADONLINE (USERNAME,\
> 		NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
> 		FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) \
> 		values ('%n', '%N',\
> 		%{NAS-Port}, '%{Acct-Session-Id}', '%o',\
> 		'%{Framed-IP-Address}', '%{NAS-Port-Type}', \
> 		'%{Service-Type}', '%c')
>
> </SessionDatabase>
>
>
> <ClientListSQL>
>
> 	DBSource	dbi:mysql:radius
>         DBUsername	radius
> 	DBAuth		xxxxxxxxxxxx
>
> </ClientListSQL>
> <Realm DEFAULT>
>
>
> <AuthBy UNIX>
>
>         Identifier System
>         Filename /etc/shadow
>
> </AuthBy>
>
> #<AuthBy PORTLIMITCHECK>
>
> #	DefaultSimultaneousUse 1
> #	Identifier checkport
> #        SessionLimit 1
>
> #</AuthBy PORTLIMITCHECK>
>
>
> <AuthBy LDAP2>
> 		#ServerChecksPassword
>                 Identifier LDAP
>                 Host    127.0.0.1
>                 Port    389
> 		AuthDN  cn=Replicator, dc=xxxxxxxxxx, dc=net
>                 AuthPassword    xxxxxxxxxxxxx
>                 BaseDN  %0=%1,ou=people,dc=xxxxxxxxxx,dc=net
>                 Scope   base
>                 UsernameAttr    uid
>                 PasswordAttr    userPassword
>                 HoldServerConnection
>                 SearchFilter (&(gecos=active)(uid=%1))
>                 AuthAttrDef gidNumber, gid-attr, request
> </AuthBy>
>
> <AuthBy SQL>
>       	NoDefault
>         DefaultSimultaneousUse 1
>         Identifier CheckSQL
>
>         DBSource        dbi:mysql:radius
>         DBUsername      radius
>         DBAuth          xxxxxxxxxxxx
>
>                 AccountingTable ACCOUNTING
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>
> </AuthBy>
>
> 	RewriteUsername 	s/^([^@]+).*/$1/
> 	RewriteUsername         s/\s+//g
> 	RewriteUsername         tr/A-Z/a-z/
>
> AuthByPolicy	ContinueUntilAccept
>
> 	AuthBy LDAP
> 	AuthBy CheckSQL
> 	AuthBy System
>
>  	PostAuthHook file:"/usr/local/etc/postHook"
>         AcctLogFileName /usr/local/etc/detail
> </Realm>
>
> -------------------------------------------------------
>
> Mon May 19 13:28:47 2003: DEBUG: Packet dump:
> *** Received from 209.142.136.170 port 21646 ....
>
>  Packet length = 90
>  01 0b 00 5a 52 ae 23 7c 12 d0 da 81 dc 2d 57 96
>  39 d3 5b 77 01 06 64 65 76 31 02 12 c1 1e b0 5f
>  95 1e cd d8 75 c5 e2 ac 39 44 db 7b 1a 0c 00 00
>  00 09 02 06 74 74 79 32 05 06 00 00 00 02 3d 06
>  00 00 00 05 1f 10 32 30 39 2e 31 34 32 2e 31 33
>  36 2e 39 31 04 06 d1 8e 88 aa
>  Code:       Access-Request
>  Identifier: 11
>  Authentic:  R<174>#|<18><208><218><129><220>-W<150>9<211>[w
>  Attributes:
>          User-Name = "dev1"
>          User-Password = "<193><30><176>_<149><30><205><216>u<197><226><172>9D<219>{"
>          Cisco-NAS-Port = "tty2"
>          NAS-Port = 2
>          NAS-Port-Type = Virtual
>          Calling-Station-Id = "209.142.136.91"
>          NAS-IP-Address = 209.142.136.170
>
> Mon May 19 13:28:47 2003: ERR: Error while rewriting username dev1: syntax error at (eval 29) line 2, at EOF
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:47 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
> Mon May 19 13:28:47 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthUNIX: System
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthUNIX looks for match with dev1
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
> Mon May 19 13:28:47 2003: INFO: Connecting to 127.0.0.1, port 389
> Mon May 19 13:28:47 2003: INFO: Attempting to bind with cn=Replicator, dc=xxxxxxxxxx, dc=net, xxxxxxx (server 127.0.0.1:389)
> Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthLDAP2 looks for match with dev1
> Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL
> Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL: CheckSQL
> Mon May 19 13:28:47 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='dev1'
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL looks for match with dev1
> Mon May 19 13:28:47 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='dev1'
> Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon May 19 13:28:47 2003: DEBUG: Access accepted for dev1
> Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> *** Sending to 209.142.136.170 port 21646 ....
>
>  Packet length = 20
>  02 0b 00 14 63 8d 28 50 aa 2d c1 7d 0a 41 87 ca
>  59 27 f3 76
>  Code:       Access-Accept
>  Identifier: 11
>  Authentic:  R<174>#|<18><208><218><129><220>-W<150>9<211>[w
>  Attributes:
>
> Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> *** Received from 209.142.136.170 port 21646 ....
>
>  Packet length = 106
>  04 0c 00 6a e4 d9 c7 41 f9 08 b8 20 5d fd 66 55
>  8a 94 06 8c 2c 0a 30 30 30 30 30 30 36 42 2d 06
>  00 00 00 01 01 06 64 65 76 31 28 06 00 00 00 01
>  1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00 00
>  00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31 34
>  32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04 06
>  d1 8e 88 aa 29 06 00 00 00 00
>  Code:       Accounting-Request
>  Identifier: 12
>  Authentic:  <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
>  Attributes:
>          Acct-Session-Id = "0000006B"
>          Acct-Authentic = RADIUS
>          User-Name = "dev1"
>          Acct-Status-Type = Start
>          Cisco-NAS-Port = "tty2"
>          NAS-Port = 2
>          NAS-Port-Type = Virtual
>          Calling-Station-Id = "209.142.136.91"
>          Service-Type = NAS-Prompt-User
>          NAS-IP-Address = 209.142.136.170
>          Acct-Delay-Time = 0
>
> Mon May 19 13:28:48 2003: ERR: Error while rewriting username dev1: syntax error at (eval 33) line 2, at EOF
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:48 2003: DEBUG: SQLS Adding session for dev1, 209.142.136.170, 2
> Mon May 19 13:28:48 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
> Mon May 19 13:28:48 2003: DEBUG: do query is: insert into RADONLINE (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) values ('dev1', '209.142.136.170',2, '0000006B', 'Mon May 19 13:28:48 2003','', 'Virtual', 'NAS-Prompt-User', '209.142.136.170')
> Mon May 19 13:28:48 2003: DEBUG: Handling with Radius::AuthUNIX: System
> Mon May 19 13:28:48 2003: DEBUG: Accounting accepted
> Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> *** Sending to 209.142.136.170 port 21646 ....
>
>  Packet length = 20
>  05 0c 00 14 be b5 0d 10 c8 82 55 f3 76 ee 7c e8
>  c1 11 6f 37
>  Code:       Accounting-Response
>  Identifier: 12
>  Authentic:  <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
>  Attributes:
>
> Mon May 19 13:28:56 2003: DEBUG: Packet dump:
> *** Received from 209.142.136.170 port 21646 ....
>
>  Packet length = 203
>  04 0d 00 cb 0a 6d 3a 6c 3b 44 a0 bf 84 54 8f 20
>  92 9c b4 a3 2c 0a 30 30 30 30 30 30 36 42 2d 06
>  00 00 00 01 31 06 00 00 00 01 c3 06 00 00 00 14
>  1a 23 00 00 00 09 01 1d 64 69 73 63 2d 63 61 75
>  73 65 2d 65 78 74 3d 54 53 20 55 73 65 72 20 45
>  78 69 74 c4 06 00 00 00 0a 1a 20 00 00 00 09 01
>  1a 63 6f 6e 6e 65 63 74 2d 70 72 6f 67 72 65 73
>  73 3d 43 61 6c 6c 20 55 70 c6 06 00 00 00 04 2e
>  06 00 00 00 08 01 06 64 65 76 31 28 06 00 00 00
>  02 1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00
>  00 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31
>  34 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04
>  06 d1 8e 88 aa 29 06 00 00 00 00
>  Code:       Accounting-Request
>  Identifier: 13
>  Authentic:  <10>m:l;D<160><191><132>T<143> <146><156><180><163>
>  Attributes:
>          Acct-Session-Id = "0000006B"
>          Acct-Authentic = RADIUS
>          Acct-Terminate-Cause = User-Request
>          Ascend-Disconnect-Cause = tsUserExit
>          cisco-avpair = "disc-cause-ext=TS User Exit"
>          Ascend-Connect-Progress = prCallUp
>          cisco-avpair = "connect-progress=Call Up"
>          Ascend-PreSession-Time = 4
>          Acct-Session-Time = 8
>          User-Name = "dev1"
>          Acct-Status-Type = Stop
>          Cisco-NAS-Port = "tty2"
>          NAS-Port = 2
>          NAS-Port-Type = Virtual
>          Calling-Station-Id = "209.142.136.91"
>          Service-Type = NAS-Prompt-User
>          NAS-IP-Address = 209.142.136.170
>          Acct-Delay-Time = 0
>
> Mon May 19 13:28:56 2003: ERR: Error while rewriting username dev1: syntax error at (eval 37) line 2, at EOF
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> Mon May 19 13:28:56 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
> Mon May 19 13:28:56 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
> Mon May 19 13:28:56 2003: DEBUG: Handling with Radius::AuthUNIX: System
> Mon May 19 13:28:56 2003: DEBUG: Accounting accepted
> Mon May 19 13:28:56 2003: DEBUG: Packet dump:
> *** Sending to 209.142.136.170 port 21646 ....
>
>  Packet length = 20
>  05 0d 00 14 6a 4b 50 6f 8d 31 75 bd 84 52 7b 46
>  45 42 db bf
>  Code:       Accounting-Response
>  Identifier: 13
>  Authentic:  <10>m:l;D<160><191><132>T<143> <146><156><180><163>
>  Attributes:

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
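Decoding the three packets in the trace quoted above confirms the point about reply attributes: the Access-Accept carries no attributes at all, while the Accounting Start that follows records the session as NAS-Prompt-User. The parser and reply check below are an added example for this archive page, not Radiator code or anything posted in the thread; attribute type numbers and Service-Type values are taken from RFC 2865, and the hex dumps are copied from the trace.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request", 5: "Accounting-Response"}
# RFC 2865 Service-Type values relevant to the thread, and the two attribute type numbers used below.
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
USER_NAME, SERVICE_TYPE = 1, 6


def parse_radius(hexdump: str) -> dict:
    """Parse one RADIUS packet: 20-byte header, then type/length/value attributes."""
    data = bytes.fromhex(hexdump)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:  # malformed TLV: never read past the packet
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}


def attribute(pkt: dict, atype: int):
    """Value of the first attribute of type `atype`, or None if the packet lacks it."""
    return next((value for t, value in pkt["attrs"] if t == atype), None)


def service_type(pkt: dict):
    """Service-Type name carried by the packet, or None when the attribute is absent."""
    raw = attribute(pkt, SERVICE_TYPE)
    return None if raw is None else SERVICE_TYPES.get(struct.unpack("!I", raw)[0], "unknown")


def check_reply(request: dict, reply: dict) -> list:
    """List the reply problems the message above describes: empty accept, missing or mismatched Service-Type."""
    problems = []
    if reply["id"] != request["id"]:
        problems.append("identifier does not match the request")
    if not reply["attrs"]:
        problems.append("Access-Accept carries no reply attributes")
    req_st, rep_st = service_type(request), service_type(reply)
    if rep_st is None:
        problems.append("no Service-Type reply attribute")
    elif req_st is not None and req_st != rep_st:
        problems.append(f"Service-Type {rep_st} does not match request {req_st}")
    return problems


# Hex dumps copied from the Radiator trace in the quoted message (spacing removed).
ACCESS_REQUEST = ("010b005a52ae237c12d0da81dc2d579639d35b770106646576310212c11eb05f"
                  "951ecdd875c5e2ac3944db7b1a0c000000090206747479320506000000023d06"
                  "000000051f103230392e3134322e3133362e39310406d18e88aa")
ACCESS_ACCEPT = "020b0014638d2850aa2dc17d0a4187ca5927f376"
ACCT_START = ("040c006ae4d9c741f908b8205dfd66558a94068c2c0a30303030303036422d06"
              "000000010106646576312806000000011a0c0000000902067474793205060000"
              "00023d06000000051f103230392e3134322e3133362e39310606000000070406"
              "d18e88aa290600000000")
```

For the trace packets, check_reply(parse_radius(ACCESS_REQUEST), parse_radius(ACCESS_ACCEPT)) reports both the empty accept and the missing Service-Type, and service_type(parse_radius(ACCT_START)) returns "NAS-Prompt-User".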

