(RADIATOR) Radiator Not Getting Correct Attributes

Charles Alexander McCain mccain at unixatlas.com
Tue May 20 08:55:36 CDT 2003


Hugh, 

Thank you !

- Al




On Tue, 20 May 2003, Hugh Irvine wrote:

> 
> Hello Al -
> 
> Thanks for sending the files.
> 
> Ciscos are very picky about the "Service-Type" reply attribute, which 
> in general *must* match the "Service-Type" attribute contained in the 
> access request. I notice in the trace there is no "Service-Type" reply 
> attribute at all, which is undoubtedly the problem. You will also use 
> reply attributes to indicate what a user is allowed to do, i.e. if it is 
> a Framed-User, what Framed-Protocol to use, what Framed-IP-Address to 
> use, etc.
> 
> For reference, radius is an "AAA" protocol, which stands for 
> "Authentication", "Authorisation" and "Accounting".
> 
> The "Access-Request" is used for "Authentication".
> 
> The "Access-Accept" that is sent back to the NAS is used for 
> "Authorisation".
> 
> And the "Accounting-Request" is used for "Accounting".
> 
> You will find a great deal of useful information regarding radius 
> configuration on the Cisco web site, and there has been lots of 
> discussion on this topic on the mailing list, so check the archive too:
> 
> 	www.open.com.au/archives/radiator
> 
> regards
> 
> Hugh
> 
> 
> On Tuesday, May 20, 2003, at 04:43 Australia/Melbourne, Charles 
> Alexander McCain wrote:
> 
> > Hello,
> >
> > I'm running Radiator with a Cisco 7200.
> > I'm having a problem with attributes.
> > For instance, a user has the attribute Administrative-User and
> > authenticates with Radiator, but he doesn't get admin rights to the
> > router.
> > I cannot seem to figure this one out. Another problem I am facing is
> > that users with the "Framed-User" attribute are also able to log on to
> > the router. I don't think this should be happening.
> >
> > Any ideas?
> >
> > Here is my config and output.
> >
> > Thanks,
> > Al
> >
> > Foreground
> > LogStdout
> > LogDir		/usr/local/etc/
> > DbDir		/usr/local/etc/
> > SnmpgetProg	/usr/local/bin/snmpget
> > Trace 5
> >
> > <Client DEFAULT>
> > 	Secret letMEin
> > 	DupInterval 0
> > </Client>
> >
> > <SessionDatabase SQL>
> > 	DBSource dbi:mysql:radius
> > 	DBUsername radius
> > 	DBAuth xxxxxxxxxxx
> > 	Identifier SQLS
> >
> > 	AddQuery insert into RADONLINE (USERNAME,\
> > 		NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
> > 		FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) \
> > 		values ('%n', '%N',\
> > 		%{NAS-Port}, '%{Acct-Session-Id}', '%o',\
> > 		'%{Framed-IP-Address}', '%{NAS-Port-Type}', \
> > 		'%{Service-Type}', '%c')
> > </SessionDatabase>
> >
> > <ClientListSQL>
> > 	DBSource	dbi:mysql:radius
> > 	DBUsername	radius
> > 	DBAuth		xxxxxxxxxxxx
> > </ClientListSQL>
> >
> > <Realm DEFAULT>
> >
> > 	<AuthBy UNIX>
> > 		Identifier System
> > 		Filename /etc/shadow
> > 	</AuthBy>
> >
> > 	#<AuthBy PORTLIMITCHECK>
> > 	#	DefaultSimultaneousUse 1
> > 	#	Identifier checkport
> > 	#	SessionLimit 1
> > 	#</AuthBy PORTLIMITCHECK>
> >
> > 	<AuthBy LDAP2>
> > 		#ServerChecksPassword
> > 		Identifier LDAP
> > 		Host	127.0.0.1
> > 		Port	389
> > 		AuthDN	cn=Replicator, dc=xxxxxxxxxx, dc=net
> > 		AuthPassword	xxxxxxxxxxxxx
> > 		BaseDN	%0=%1,ou=people,dc=xxxxxxxxxx,dc=net
> > 		Scope	base
> > 		UsernameAttr	uid
> > 		PasswordAttr	userPassword
> > 		HoldServerConnection
> > 		SearchFilter (&(gecos=active)(uid=%1))
> > 		AuthAttrDef gidNumber, gid-attr, request
> > 	</AuthBy>
> >
> > 	<AuthBy SQL>
> > 		NoDefault
> > 		DefaultSimultaneousUse 1
> > 		Identifier CheckSQL
> >
> > 		DBSource	dbi:mysql:radius
> > 		DBUsername	radius
> > 		DBAuth		xxxxxxxxxxxx
> >
> > 		AccountingTable ACCOUNTING
> > 		AcctColumnDef	USERNAME,User-Name
> > 		AcctColumnDef	TIME_STAMP,Timestamp,integer
> > 		AcctColumnDef	ACCTSTATUSTYPE,Acct-Status-Type
> > 		AcctColumnDef	ACCTDELAYTIME,Acct-Delay-Time,integer
> > 		AcctColumnDef	ACCTINPUTOCTETS,Acct-Input-Octets,integer
> > 		AcctColumnDef	ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> > 		AcctColumnDef	ACCTSESSIONID,Acct-Session-Id
> > 		AcctColumnDef	ACCTSESSIONTIME,Acct-Session-Time,integer
> > 		AcctColumnDef	ACCTTERMINATECAUSE,Acct-Terminate-Cause
> > 		AcctColumnDef	NASIDENTIFIER,NAS-Identifier
> > 		AcctColumnDef	NASPORT,NAS-Port,integer
> > 		AcctColumnDef	FRAMEDIPADDRESS,Framed-IP-Address
> > 	</AuthBy>
> >
> > 	RewriteUsername	s/^([^@]+).*/$1/
> > 	RewriteUsername	s/\s+//g
> > 	RewriteUsername	tr/A-Z/a-z/
> >
> > 	AuthByPolicy	ContinueUntilAccept
> >
> > 	AuthBy LDAP
> > 	AuthBy CheckSQL
> > 	AuthBy System
> >
> > 	PostAuthHook file:"/usr/local/etc/postHook"
> > 	AcctLogFileName /usr/local/etc/detail
> > </Realm>
> >
> > -------------------------------------------------------
> >
> > Mon May 19 13:28:47 2003: DEBUG: Packet dump:
> > *** Received from 209.142.136.170 port 21646 ....
> >
> > Packet length = 90
> > 01 0b 00 5a 52 ae 23 7c 12 d0 da 81 dc 2d 57 96
> > 39 d3 5b 77 01 06 64 65 76 31 02 12 c1 1e b0 5f
> > 95 1e cd d8 75 c5 e2 ac 39 44 db 7b 1a 0c 00 00
> > 00 09 02 06 74 74 79 32 05 06 00 00 00 02 3d 06
> > 00 00 00 05 1f 10 32 30 39 2e 31 34 32 2e 31 33
> > 36 2e 39 31 04 06 d1 8e 88 aa
> > Code:       Access-Request
> > Identifier: 11
> > Authentic:  R<174>#|<18><208><218><129><220>-W<150>9<211>[w
> > Attributes:
> >         User-Name = "dev1"
> >         User-Password = "<193><30><176>_<149><30><205><216>u<197><226><172>9D<219>{"
> >         Cisco-NAS-Port = "tty2"
> >         NAS-Port = 2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "209.142.136.91"
> >         NAS-IP-Address = 209.142.136.170
> >
> > Mon May 19 13:28:47 2003: ERR: Error while rewriting username dev1: syntax error at (eval 29) line 2, at EOF
> >
> > Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:47 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:47 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:47 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
> > Mon May 19 13:28:47 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
> >
> > Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthUNIX: System
> > Mon May 19 13:28:47 2003: DEBUG: Radius::AuthUNIX looks for match with dev1
> > Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
> > Mon May 19 13:28:47 2003: INFO: Connecting to 127.0.0.1, port 389
> > Mon May 19 13:28:47 2003: INFO: Attempting to bind with cn=Replicator, dc=xxxxxxxxxx, dc=net, xxxxxxx (server 127.0.0.1:389)
> > Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> > Mon May 19 13:28:47 2003: DEBUG: Radius::AuthLDAP2 looks for match with dev1
> > Mon May 19 13:28:47 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
> > Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL
> > Mon May 19 13:28:47 2003: DEBUG: Handling with Radius::AuthSQL: CheckSQL
> > Mon May 19 13:28:47 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='dev1'
> >
> > Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL looks for match with dev1
> > Mon May 19 13:28:47 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='dev1'
> >
> > Mon May 19 13:28:47 2003: DEBUG: Radius::AuthSQL ACCEPT:
> > Mon May 19 13:28:47 2003: DEBUG: Access accepted for dev1
> > Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> > *** Sending to 209.142.136.170 port 21646 ....
> >
> > Packet length = 20
> > 02 0b 00 14 63 8d 28 50 aa 2d c1 7d 0a 41 87 ca
> > 59 27 f3 76
> > Code:       Access-Accept
> > Identifier: 11
> > Authentic:  R<174>#|<18><208><218><129><220>-W<150>9<211>[w
> > Attributes:
> >
> > Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> > *** Received from 209.142.136.170 port 21646 ....
> >
> > Packet length = 106
> > 04 0c 00 6a e4 d9 c7 41 f9 08 b8 20 5d fd 66 55
> > 8a 94 06 8c 2c 0a 30 30 30 30 30 30 36 42 2d 06
> > 00 00 00 01 01 06 64 65 76 31 28 06 00 00 00 01
> > 1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00 00
> > 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31 34
> > 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04 06
> > d1 8e 88 aa 29 06 00 00 00 00
> > Code:       Accounting-Request
> > Identifier: 12
> > Authentic:  <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
> > Attributes:
> >         Acct-Session-Id = "0000006B"
> >         Acct-Authentic = RADIUS
> >         User-Name = "dev1"
> >         Acct-Status-Type = Start
> >         Cisco-NAS-Port = "tty2"
> >         NAS-Port = 2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "209.142.136.91"
> >         Service-Type = NAS-Prompt-User
> >         NAS-IP-Address = 209.142.136.170
> >         Acct-Delay-Time = 0
> >
> > Mon May 19 13:28:48 2003: ERR: Error while rewriting username dev1: syntax error at (eval 33) line 2, at EOF
> >
> > Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:48 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:48 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:48 2003: DEBUG: SQLS Adding session for dev1, 209.142.136.170, 2
> > Mon May 19 13:28:48 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
> >
> > Mon May 19 13:28:48 2003: DEBUG: do query is: insert into RADONLINE (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) values ('dev1', '209.142.136.170',2, '0000006B', 'Mon May 19 13:28:48 2003','', 'Virtual', 'NAS-Prompt-User', '209.142.136.170')
> >
> > Mon May 19 13:28:48 2003: DEBUG: Handling with Radius::AuthUNIX: System
> > Mon May 19 13:28:48 2003: DEBUG: Accounting accepted
> > Mon May 19 13:28:48 2003: DEBUG: Packet dump:
> > *** Sending to 209.142.136.170 port 21646 ....
> >
> > Packet length = 20
> > 05 0c 00 14 be b5 0d 10 c8 82 55 f3 76 ee 7c e8
> > c1 11 6f 37
> > Code:       Accounting-Response
> > Identifier: 12
> > Authentic:  <228><217><199>A<249><8><184> ]<253>fU<138><148><6><140>
> > Attributes:
> >
> > Mon May 19 13:28:56 2003: DEBUG: Packet dump:
> > *** Received from 209.142.136.170 port 21646 ....
> >
> > Packet length = 203
> > 04 0d 00 cb 0a 6d 3a 6c 3b 44 a0 bf 84 54 8f 20
> > 92 9c b4 a3 2c 0a 30 30 30 30 30 30 36 42 2d 06
> > 00 00 00 01 31 06 00 00 00 01 c3 06 00 00 00 14
> > 1a 23 00 00 00 09 01 1d 64 69 73 63 2d 63 61 75
> > 73 65 2d 65 78 74 3d 54 53 20 55 73 65 72 20 45
> > 78 69 74 c4 06 00 00 00 0a 1a 20 00 00 00 09 01
> > 1a 63 6f 6e 6e 65 63 74 2d 70 72 6f 67 72 65 73
> > 73 3d 43 61 6c 6c 20 55 70 c6 06 00 00 00 04 2e
> > 06 00 00 00 08 01 06 64 65 76 31 28 06 00 00 00
> > 02 1a 0c 00 00 00 09 02 06 74 74 79 32 05 06 00
> > 00 00 02 3d 06 00 00 00 05 1f 10 32 30 39 2e 31
> > 34 32 2e 31 33 36 2e 39 31 06 06 00 00 00 07 04
> > 06 d1 8e 88 aa 29 06 00 00 00 00
> > Code:       Accounting-Request
> > Identifier: 13
> > Authentic:  <10>m:l;D<160><191><132>T<143> <146><156><180><163>
> > Attributes:
> >         Acct-Session-Id = "0000006B"
> >         Acct-Authentic = RADIUS
> >         Acct-Terminate-Cause = User-Request
> >         Ascend-Disconnect-Cause = tsUserExit
> >         cisco-avpair = "disc-cause-ext=TS User Exit"
> >         Ascend-Connect-Progress = prCallUp
> >         cisco-avpair = "connect-progress=Call Up"
> >         Ascend-PreSession-Time = 4
> >         Acct-Session-Time = 8
> >         User-Name = "dev1"
> >         Acct-Status-Type = Stop
> >         Cisco-NAS-Port = "tty2"
> >         NAS-Port = 2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "209.142.136.91"
> >         Service-Type = NAS-Prompt-User
> >         NAS-IP-Address = 209.142.136.170
> >         Acct-Delay-Time = 0
> >
> > Mon May 19 13:28:56 2003: ERR: Error while rewriting username dev1: syntax error at (eval 37) line 2, at EOF
> >
> > Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:56 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:56 2003: DEBUG: Rewrote user name to dev1
> > Mon May 19 13:28:56 2003: DEBUG: SQLS Deleting session for dev1, 209.142.136.170, 2
> > Mon May 19 13:28:56 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='209.142.136.170' and NASPORT=2
> >
> > Mon May 19 13:28:56 2003: DEBUG: Handling with Radius::AuthUNIX: System
> > Mon May 19 13:28:56 2003: DEBUG: Accounting accepted
> > Mon May 19 13:28:56 2003: DEBUG: Packet dump:
> > *** Sending to 209.142.136.170 port 21646 ....
> >
> > Packet length = 20
> > 05 0d 00 14 6a 4b 50 6f 8d 31 75 bd 84 52 7b 46
> > 45 42 db bf
> > Code:       Accounting-Response
> > Identifier: 13
> > Authentic:  <10>m:l;D<160><191><132>T<143> <146><156><180><163>
> > Attributes:
> >
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> 
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 
> 
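As an added illustration of Hugh's diagnosis (this is not code from the thread, nor Radiator's own code), the Python below parses the Access-Request and the empty Access-Accept from the trace, flags the Accept for carrying no Service-Type reply attribute, and builds what an Accept that actually authorises the session looks like, with its Response Authenticator computed as RFC 2865 specifies. It assumes the DEFAULT client secret letMEin from the posted config is the one in use for this NAS (ClientListSQL may supply a different one), and uses Service-Type = Administrative-User only as an illustration of the admin case Al describes.

```python
import hashlib
# RFC 2865 layout: code(1) id(1) length(2) authenticator(16), then attributes
# as type(1) length(1) value, where length counts its own two header bytes.
CODES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request",
         5: "Accounting-Response"}
SERVICE_TYPE = 6  # attribute number of Service-Type
SERVICE_TYPES = {2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}

def parse_packet(raw):
    """Return (code name, identifier, [(attribute type, value bytes), ...])."""
    if len(raw) < 20 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("length field does not match %d bytes on the wire" % len(raw))
    code, ident, length = raw[0], raw[1], len(raw)
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, str(code)), ident, attrs

def service_type(raw):
    """Name of the packet's Service-Type, or None when the attribute is absent."""
    for atype, value in parse_packet(raw)[2]:
        if atype == SERVICE_TYPE:
            return SERVICE_TYPES.get(int.from_bytes(value, "big"), "unknown")
    return None

def audit_accept(raw):
    """Flag an Access-Accept that grants access without saying what kind."""
    code, ident, _ = parse_packet(raw)
    if code == "Access-Accept" and service_type(raw) is None:
        return "Access-Accept id %d carries no Service-Type reply attribute" % ident
    return "ok"

def build_access_accept(request, secret, service_type_value):
    """Access-Accept answering `request` with one Service-Type reply attribute;
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = bytes([SERVICE_TYPE, 6]) + service_type_value.to_bytes(4, "big")
    header = bytes([2, request[1]]) + (20 + len(attrs)).to_bytes(2, "big")
    auth = hashlib.md5(header + request[4:20] + attrs + secret.encode()).digest()
    return header + auth + attrs

def verify_response_authenticator(request, response, secret):
    """True when the reply's authenticator matches the request and shared secret."""
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode())
    return response[4:20] == digest.digest()

# Packets re-typed from the hex dumps in the trace above, one string per dump line.
ACCESS_REQUEST = bytes.fromhex(
    "010b005a52ae237c12d0da81dc2d5796" "39d35b770106646576310212c11eb05f"
    "951ecdd875c5e2ac3944db7b1a0c0000" "00090206747479320506000000023d06"
    "000000051f103230392e3134322e3133" "362e39310406d18e88aa")
ACCESS_ACCEPT = bytes.fromhex("020b0014638d2850aa2dc17d0a4187ca" "5927f376")
```

Note that the Access-Request in the trace carries no Service-Type either, so the NAS fell back to its own default and the Start record shows NAS-Prompt-User, which is why both Administrative-User and Framed-User accounts ended up at the router prompt.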