(RADIATOR) some questions

Matteo Jurman matteoj at libero.it
Thu Sep 18 10:40:34 CDT 2003 

Hi everyone,
and thanks in advice for any kind of help;
I have few questions, I'm using mysql auth on a server where both Radius and
MySql servers runs;

I have to grant permission to a single user (or a user who belong to a GROUP
of users) to access on a single machine (or on a machine who belong to a
GROUP of machin, but this is ininfluent).
I have 3 main tables (users, groupofusers, links) and a link table
(user2groupofuser, aka u2gu)...
when a user requests authorization and access account on a specific machine,
the server has to check if that user belongs to a group or if he's 'alone'
(not linked to any group) and according to the answer, grants the access
with these (single user) or those (group user) attributes... so, the way is
this:

after the user has provided his username and pwd (from table "user"), the
server looks in the table "links"; if there it is found a direct link
between the machine and the user, the radiator goes ahead and grant access
on the machine to the user;
if the direct link is not found, it looks in the table "groupofuser" to
check if the user belongs to a group and from there then looks in the table
"links" to check the link between the group and the machine and (obviously)
grant him access...

after this 'little' (I'm really sorry, I'm very very VERBOSE) summary, here
come the answers:

1) I suppose the query in the AuthSelect clause is not correct at 100%...
followin' my speech, may someone correct it?
2) How can I force the radiator to 'read' (the AuthBy clause) the attributes
that I want, from the fields that I indicate him in the query? (in the log,
user "einstein" have all those attribute modified to %1111111111111111, but
they are shown in wrong format)

I have included at EOF, of course, radius.cfg and a trace5 of the log plus
an attachment of a graphical rapresentation of the tables I have to use...

thank you,



MaTTeo JuRMaN
matteoj at libero.it
http://www.matteo-ale.org/


----- radius.cfg --------------------------------
AuthPort 5001
AcctPort 5002

DbDir  c:/Programmi/Radiator

Foreground
LogStdout
LogDir  c:/Programmi/Radiator/LOG

# Complete log file
LogFile  %L/%Y%m%d-%H%M.log

Trace   5

<ClientListSQL>
DBSource dbi:mysql:radius
DBUsername   radius
DBAuth
</ClientListSQL>


<Client DEFAULT>
 Secret mysecret
 DupInterval 0
</Client>

<Realm DEFAULT>
 <Log SQL>
 DBSource dbi:mysql:radius
 DBUsername   radius
 DBAuth
 Trace 4
 Table RADLOG
 </Log>

 <AuthBy SQL>

 AuthColumnDef 0, User-Password, check
 AuthColumnDef 1, GENERIC, reply
 AuthColumnDef 2, GENERIC, reply

 DBSource dbi:mysql:radius
 DBUsername   radius

 AccountingTable DGILINKS

 AuthSelect select distinct password,cameramask,userrights from dgiusers,
dgilinks, dgiu2gu where username = %0 and (dgiusers.id = dgilinks.user_id or
((dgiusers.id = dgiu2gu.user_id) and (dgilinks.usersgroup_id =
dgiu2gu.usersgroup_id)))

 </AuthBy>
</Realm>

----- default.log --------------------------------
Thu Sep 18 14:50:22 2003: DEBUG: Adding Clients from SQL database
Thu Sep 18 14:50:22 2003: DEBUG: Query is: 'select
 NASIDENTIFIER,
 SECRET,
 IGNOREACCTSIGNATURE,
 DUPINTERVAL,
 DEFAULTREALM,
 NASTYPE,
 SNMPCOMMUNITY,
 LIVINGSTONOFFS,
 LIVINGSTONHOLE,
 FRAMEDGROUPBASEADDRESS,
 FRAMEDGROUPMAXPORTSPERCLASSC,
 REWRITEUSERNAME,
 NOIGNOREDUPLICATES,
 PREHANDLERHOOK from RADCLIENTLIST':

Thu Sep 18 14:50:23 2003: DEBUG: Finished reading configuration file
'C:\programmi\Radiator\radius.cfg'
Thu Sep 18 14:50:23 2003: DEBUG: Reading dictionary file
'c:/Programmi/Radiator/dictionary'
Thu Sep 18 14:50:23 2003: DEBUG: Creating authentication port 0.0.0.0:5001
Thu Sep 18 14:50:23 2003: DEBUG: Creating accounting port 0.0.0.0:5002
Thu Sep 18 14:50:23 2003: NOTICE: Server started: Radiator 3.6 on
pcdevelop-mj
Thu Sep 18 14:50:28 2003: DEBUG: Packet dump:
*** Received from 192.168.2.89 port 1032 ....

Packet length = 60
01 a4 00 3c 00 00 32 fc 00 00 61 8c 00 00 67 bb
00 00 0c 2d 06 06 00 00 00 0c 01 0a 65 69 6e 73
74 65 69 6e 02 12 4e 43 a4 c4 63 ab cb d5 2e 99
2e ea 18 29 04 53 05 06 00 00 00 00
Code:       Access-Request
Identifier: 164
Authentic:  <0><0>2<252><0><0>a<140><0><0>g<187><0><0><12>-
Attributes:
 Service-Type = Digieye-User
 User-Name = "einstein"
 User-Password = "NC<164><196>c<171><203><213>.<153>.<234><24>)<4>S"
 NAS-Port = 0

Thu Sep 18 14:50:28 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Sep 18 14:50:28 2003: DEBUG:  Deleting session for einstein,
192.168.2.89, 0
Thu Sep 18 14:50:28 2003: DEBUG: Handling with Radius::AuthSQL
Thu Sep 18 14:50:28 2003: DEBUG: Handling with Radius::AuthSQL:
Thu Sep 18 14:50:28 2003: DEBUG: Query is: 'select distinct
password,cameramask,userrights from dgiusers, dgilinks, dgiu2gu where
username = 'einstein' and dgiusers.id = dgilinks.user_id':

Thu Sep 18 14:50:29 2003: ERR: Bad attribute=value pair: %0000000000000000
Thu Sep 18 14:50:29 2003: ERR: Bad attribute=value pair: %1100001000001100
Thu Sep 18 14:50:29 2003: DEBUG: Radius::AuthSQL looks for match with
einstein
Thu Sep 18 14:50:29 2003: DEBUG: Radius::AuthSQL ACCEPT:
Thu Sep 18 14:50:29 2003: DEBUG: Access accepted for einstein
Thu Sep 18 14:50:29 2003: DEBUG: Packet dump:
*** Sending to 192.168.2.89 port 1032 ....

Packet length = 20
02 a4 00 14 3c 42 c0 27 74 c9 0d 73 27 a3 29 60
6b 1b dd 8e
Code:       Access-Accept
Identifier: 164
Authentic:  <0><0>2<252><0><0>a<140><0><0>g<187><0><0><12>-
Attributes:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: links.jpg
Type: image/jpeg
Size: 53902 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20030918/39fec499/attachment.jpg>

More information about the radiator mailing list