(RADIATOR) Question in <AuthBy EXTERNAL>
Hugh Irvine
hugh at open.com.au
Wed Oct 1 21:23:41 CDT 2003
Hello Man Meng Fei -
I suspect that Radiator is not able to run the external command.
What happens when you run the following in a MS-DOS window:
C:\Perl\bin\testcommand.pl
There is probably something wrong with either the path or the contents
of the file.
regards
Hugh
On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei
wrote:
> Hi
> Currently i am using a sample configuration (external.cfg) and perl
> script (testcommand.pl) which can be retrieved from goodies directory
> to
> understand the implementation of <AuthBy EXTERNAL>.
> But after i executed it, i can't get the expected test result. I got No
> Reply at Radius client. I hope someone can help me to make this <AuthBy
> EXTERNAL> sample working.
>
> Lastly i attached Radius Configration file which i used for the testing
> and Radius Server and Radius Client's output result
>
> Man Meng Fei
>
>
>
> ----------radius.cfg-----------
> # external.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # EXTERNAL authentication.
> #
> # There is an example external program called testcommand.pl
> # in the goodies directory, whichthe example below uses. It
> # will accept the request if the username is "fred" otherwise reject
> # it.
> #
> # So if you run Radiator with this config file, then do
> # radpwtst -noacct -trace -user fred
> # you will see something like:
> # sending Access-Request...
> # OK
> # Code: Access-Accept
> # Identifier: 109
> # Authentic: <12>_B<215><2>=<149><140>kBM<130><221><10>.S
> # Attributes:
> # Reply-Message = "you are fred"
> #
> #
> # And if you do:
> # radpwtst -noacct -trace -user someoneelse
> # you will see something like:
> # sending Access-Request...
> # Rejected
> # Code: Access-Reject
> # Identifier: 70
> # Authentic: <165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
> # Attributes:
> # Reply-Message = "you are NOT fred, you are 'someoneelse'"
> # Reply-Message = "Request Denied"
>
>
> #
> # You should consider this file to be a starting point only
> # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
>
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
>
> Trace 4
>
> # You will probably want to change this to suit your site.
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> <AuthBy EXTERNAL>
> # For NT, you might want something like this
> Command C:\Perl\bin\testcommand.pl
>
> # For Unix, maybe something like this
> # #Command ./goodies/testcommand.pl
>
> # This will cause the User-Password
> # to be decrypted before being passed to the
> # external program
> DecryptPassword
>
> # You migFrom owner-radiator at open.com.au Wed Oct 1 21:26:49 2003
Received: (from majordomo at localhost)
by server1.open.com.au (8.11.6/8.11.0) id h922QnB08044
for radiatorzz-list; Wed, 1 Oct 2003 21:26:49 -0500
X-Authentication-Warning: server1.open.com.au: majordomo set sender to owner-radiator at open.com.au using -f
Received: from irvine.com.au (qmailr at hughirvine.gw.connect.com.au [203.63.47.196] (may be forged))
by server1.open.com.au (8.11.6/8.11.0) with SMTP id h922Qm708041
for <radiator at open.com.au>; Wed, 1 Oct 2003 21:26:48 -0500
Received: (qmail 3062 invoked from network); 2 Oct 2003 02:26:40 -0000
Received: from pc-00011.irvine.com.au (HELO open.com.au) (10.1.1.11)
by toast.irvine.com.au (10.1.1.254) with ESMTP; 02 Oct 2003 02:26:40 -0000
Date: Thu, 2 Oct 2003 12:26:40 +1000
Subject: Re: (RADIATOR) NULL usernames in Radius Packets
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
Cc: <radiator at open.com.au>
To: "Mahesh Neelakanta" <Mahesh at ifxcorp.com>
From: Hugh Irvine <hugh at open.com.au>
In-Reply-To: <1B749324CBF05545A8B05B92CC0EDFCE041859 at mailsrv.ifxcorp.com>
Message-Id: <DB5E3074-F47F-11D7-A0BD-000393CFE1CA at open.com.au>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: owner-radiator at open.com.au
Precedence: bulk
List-Id: <radiator.list-id.open.com.au>
Hello Mahesh -
Yes it does look like the NAS has been trying to send this accounting
for a long time.
What does the trace 4 debug from Radiator show? Perhaps your
configuration file is not processing the request and it is simply being
being ignored and retried forever.
regards
Hugh
On Thursday, Oct 2, 2003, at 02:20 Australia/Melbourne, Mahesh
Neelakanta wrote:
> Elias and Hugh,
> Thanks for your responses. We had though about this but what we are
> getting is a Start Accounting packet (captured from radstock):
>
> NAS-IP-Address Len 6 XX.XX.XX.XX
> NAS-Port-Id Len 6 111
> NAS-Port-Type Len 6 Async
> Acct-Status-Type Len 6 Start
> Acct-Delay-Time Len 6 75841
> Acct-Session-Id Len 12 "432625102*"
> Acct-Authentic Len 6 Local
> Idle-Timeout Len 6 0
> Ascend-Modem-PortNo Len 6 21
> Ascend-Modem-SlotNo Len 6 7
> Ascend-Modem-ShelfNo Len 6 1
> Calling-Station-Id Len 12 "2122859024"
> Called-Station-Id Len 6 "1111"
>
> What is strange is the "Acct-Autentic" (Local?) and the
> "Acct-Delay-Time" (over 21 hours). We believe this is definitely a
> local
> RAS issue but are not sure what it could be. It's almost as if the RAS
> has a HUGE backlog of old accounting which it is trying to re-send but
> only sends a portion of the full information.
>
> We did set "acct-drop-stop-on-auth-fail = no" to no avail.
>
> mahesh
>
> -----Original Message-----
> From: Elias [mailto:elias at tmnet.com.my]
> Sent: Tuesday, September 30, 2003 11:10 PM
> To: Mahesh Neelakanta
> Cc: Hugh Irvine
> Subject: Re: (RADIATOR) NULL usernames in Radius Packets
>
>
> ***********************
> Your mail has been scanned by TMnet VirusWall.
> ***********************
>
>
> Hi Mahesh,
>
> We've had the same thing happen to us before. Its actually a
> configuration
> on the tnt boxes. If I remember correctly it will send an Stop
> accounting
> packet with a blank username if the line gets dropped prematurely
> (before a
> proper connection gets established).
>
>
> - Elias -
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Mahesh Neelakanta" <Mahesh at ifxcorp.com>
> Cc: <radiator at open.com.au>
> Sent: Wednesday, October 01, 2003 6:41 AM
> Subject: Re: (RADIATOR) NULL usernames in Radius Packets
>
>
>> ***********************
>> Your mail has been scanned by TMnet VirusWall.
>> ***********************
>>
>>
>>
>> Hello Mahesh -
>>
>> Unless you are using a RewriteUsername, Radiator does not do anything
>> with the username. I suspect that the NAS is sending an empty
> username,
>> but without seeing a copy of your configuration file (no secrets) and
> a
>> trace 4 debug from Radiator showing what is happening it is not
>> possible to say any more.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Wednesday, Oct 1, 2003, at 07:02 Australia/Melbourne, Mahesh
>> Neelakanta wrote:
>>
>>> Hello,
>>> We are seeing the following error in radiator.log:
>>>
>>> Tue Sep 30 16:56:20 2003: ERR: do failed for 'insert into RADONLINE
>>> (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIMESTAMP,
>>> FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,CALLERID,CLIENTPORTDNIS)
>>> values ('', 'XX.XX.XX.XX', 01071,'432626086', to_date('30 09 2003
>>> 16:56:20', 'DD MM YYYY HH24:MI:SS'), '','Async',
>>> '','2126823450','5000')': ORA-01400: cannot insert NULL into
>>> ("RADIUS"."RADONLINE"."USERNAME") (DBD ERROR: OCIStmtExecute)
>>>
>>> From what we can tell, the RAS XX.XX.XX.XX is sending us start or
> stop
>>> packets with no username. Is there something in the configuration
> (on
>>> the radiator side or the ras, which is a lucent tnt) which could
> cause
>>> this. My guess is that it is a RAS issue but we are not sure
> what/why
>>> this is occuring.
>>>
>>> mahesh
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
ht prefer use this to tell AuthBy EXTERNAL
> # to get the result from the first line of the
> # output. The permitted values are ACCEPT, REJECT
> # IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
> # its the only way to get it to work.
> # We recommend you use this method
> ResultInOutput
> </AuthBy>
> </Realm>
>
>
>
>
>
> -------Radius Server Output--------------------------
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
> Thu Oct 2 01:16:58 2003: DEBUG: Finished reading configuration file
> 'C:\Program
> Files\Radiator\radius.cfg'
> This Radiator license will expire on 2004-02-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact admin at open.com.au
>
> Thu Oct 2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program
> Files/Radia
> tor/dictionary'
> Thu Oct 2 01:16:58 2003: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Thu Oct 2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> Thu Oct 2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man
> (EVALUATIO
> N)
> Thu Oct 2 01:18:52 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3006 ....
> Code: Access-Request
> Identifier: 67
> Authentic: 1234567890123456
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Thu Oct 2 01:18:52 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Oct 2 01:18:52 2003: DEBUG: Deleting session for mikem,
> 203.63.154.1, 1234
> Thu Oct 2 01:18:52 2003: DEBUG: Running command:
> C:\Perl\bin\testcommand.pl
> Thu Oct 2 01:25:09 2003: ERR: ResultInOutput is enabled, but the first
> line of from the E
> XTRNAL command is an unknown result code
> Thu Oct 2 01:25:09 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3006 ....
> Code: Accounting-Request
> Identifier: 68
> Authentic: <30>Z<190><154>(<20><153><30><10>c<24><237><243><176>V<236>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
>
> Thu Oct 2 01:25:09 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Oct 2 01:25:09 2003: DEBUG: Adding session for mikem,
> 203.63.154.1, 1234
> Thu Oct 2 01:25:09 2003: DEBUG: Running command:
> C:\Perl\bin\testcommand.pl
>
>
> -------Radius Client Output--------------------------
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\Documents and Settings\man\Desktop>perl c:\perl\bin\radpwtst -user
> mikem -password fred
>
> sending Access-Request...
> No reply
> sending Accounting-Request Start...
> No reply
> sending Accounting-Request Stop...
> No reply
>
> C:\Documents and Settings\man\Desktop>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list