(RADIATOR) User authentication problem
Hugh Irvine
hugh at open.com.au
Thu Jul 29 06:09:21 CDT 2004
Hello Peter -
This is quite strange.
Could you please try using just the default AuthSelect? And send me the
debug trace.
And could you also send me a copy of the database table structure and a
copy of this user record?
thanks and regards
Hugh
On 29 Jul 2004, at 20:54, Peter Lindeman wrote:
> Hugh Irvine wrote:
>
>> The debug output does not appear to correspond with what you show for
>> the configuration.
>> Could I please see your complete configuration file and a more
>> complete trace 4 debug from startup?
>> In general if the PASSWORD is NULL anything will be accepted.
>> BTW - have you restarted Radiator since changing the configuration
>> file?
>
> Hmm, I perhaps have gotten the wrong part from the log. I now clear
> the log and use the config as we want to use it. I have attached both
> the log and our configuration to this message.
>
> The password used for the accepted session is definitely not the
> correct one. In fact I can choose whatever password on the client and
> it is accepted.
>
> Thanks
>
> --
>
> Peter Lindeman
> TPA traffic & parking automation bv
> # radius.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration as required.
> #
> # This example will authenticate from a standard users file in
> # DbDir/users and log accounting to LogDir/detail.
> #
> # It will accept requests from any client and try to handle request
> # for any realm.
> #
> # You should consider this file to be a starting point only
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>
> #Foreground
> #LogStdout
> LogDir /var/log/radius
> #LogFile %d-%Y-radius.log
>
> # Look in /etc/radiator for username database
> DbDir /etc/radiator
>
> # Dictionary file is in /etc/dictionary
> DictionaryFile /etc/radiator/dictionary
>
> # need the old Ascend non-vendor-specific attributes too
> #DictionaryFile %D/dictionary,%D/dictionary.ascend
>
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 4
>
>
> # Listen for authentication requests on port 1812 as per RFC
> # 2138
> AuthPort 1812
>
> # Listen for accounting requests on port 1813 as
> # per RFC 2139
> AcctPort 1813
>
> BindAddress 192.168.3.4
>
> # Run as user
> #User radiator
>
> # Run as group
> #Group radiator
>
> <AddressAllocator SQL>
> # This name allows us to refer to it from inside
> # an AuthBy DYNADDRESS
> Identifier myallocator
>
> # For mysql, use something like this
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth radiator
>
> # If SessionTimeout is set by a previous AuthBy
> # then that is used as the expiry time. Otherwise
> # DefaultLeasePeriod (in seconds) is used.
> # Defaults to 1 day
> #DefaultLeasePeriod 86400
>
> # How often we check the database for expired leases
> # leases can expire if an accounting stop is lost
> # or if the session goes longer than the lease
> # we originally asked for. Defaults to 1 day.
> #LeaseReclaimInterval 86400
>
> # Define the pools that are to be in our database
> # defining pools here will make AddressAllocator SQL
> # ensure that all the addresses are present in the database
> # at startup. You dont have to define pools here. If you dont,
> # AddressAllocator SQL will just use whatever addresses
> # it finds in the RADPOOL table.
> # Address ranges can be either in the form of lower and
> # upper addresses in a class C block, eg
> # Range 192.1.1.10 192.1.1.20
> # or a CIDR block eg
> # Range 192.1.2.0/24
> #
> <AddressPool pool1>
> Subnetmask 255.255.255.0
> Range 10.2.0.9 10.2.0.100
> DNSServer 192.168.3.4
> </AddressPool>
> <AddressPool pool2>
> Subnetmask 255.255.255.0
> Range 10.2.0.101 10.2.0.254
> DNSServer 192.168.3.4
> </AddressPool>
>
>
> # AddressAllocatorSQL supports DBI bind variables for improved SQL database performance.
> # You can specify any query with ?, marking the place where variables are to be bound,
> # and then specify the variables to be bound with
> # xxxBindVar parameters. The bind variables (marked by the ?s) will be replaced in the
> # order of the xxxBindVar parameters.
> # marking the place where variables are to be bound
> # Here are example queries using Bind Variables for improved performance
> # The following queries work exactly the same as the default queries
> # but (on some databases) will work much faster
> # Caution: not all databases support Bind Variables. See the documentation for
> # your database's Perl DBD module for more details
> # You do not need to do this if your database is going fast enough: it does not work
> # with all databases. The examples below work with Oracle.
> #FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOLHINT=? and STATE=0 order by TIME_STAMP
> #FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where STATIONID='%{Calling-Station-Id}' or (STATIONID='' and STATE = 0) limit 1
> FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where (STATIONID='%{Calling-Station-Id}' AND POOLHINT='%{Reply:PoolHint}') OR (STATIONID='' AND STATE = 0 AND POOLHINT='%{Reply:PoolHint}') order by STATIONID desc limit 1;
> #FindQueryBindVar %0
> AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=?,EXPIRY=?, USERNAME=?, STATIONID=? where YIADDR=? and TIME_STAMP =?
> AllocateQueryBindVar %0
> AllocateQueryBindVar %1
> AllocateQueryBindVar %2
> AllocateQueryBindVar %{Calling-Station-Id}
> AllocateQueryBindVar %3
> AllocateQueryBindVar %4
> #DeallocateQuery update RADPOOL set STATE=0, TIME_STAMP=? where YIADDR=?
> #DeallocateQueryBindVar %t
> #DeallocateQueryBindVar %0
> #CheckPoolQuery select STATE from RADPOOL where YIADDR=?
> #CheckPoolQueryBindVar %0
> #AddAddressQuery insert into RADPOOL (STATE, TIME_STAMP,POOLHINT, YIADDR, SUBNETMASK, DNSSERVER, STATIONID) values (0, ?, ?, ?, ?, ?, %{Calling-Station-Id})
> #AddAddressQuery insert into RADPOOL (STATE, TIME_STAMP,POOLHINT, YIADDR, SUBNETMASK, DNSSERVER) values (0, ?, ?, ?, ?, ?)
> #AddAddressQueryBindVar %t
> #AddAddressQueryBindVar %0
> #AddAddressQueryBindVar %1
> #AddAddressQueryBindVar %2
> #AddAddressQueryBindVar %3
> # Empty reclaim query so it will *not* be executed
> ReclaimQuery
> #ReclaimQuery update RADPOOL set STATE=0 where STATE!=0 and EXPIRY < ?
> #ReclaimQueryBindVar %0
> </AddressAllocator>
>
> # We put client details in a database table
> <ClientListSQL>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth radiator
> </ClientListSQL>
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret xxxxxxxxxxxxxx
> DupInterval 0
> </Client>
>
>
> # This will authenticate users from SUBSCRIBERS
> <Realm DEFAULT>
> AuthByPolicy ContinueWhileAccept
>
> #<AuthBy FILE>
> # Filename %D/users
> #</AuthBy>
> <AuthBy SQL>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth radiator
>
>
> # You may want to tailor these for your ACCOUNTING table
> # You can add your own columns to store whatever you like
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef CALLINGSTATIONID, Calling-Station-Id
>
> # Alternatively, you can arrange to save failed SQL accounting insert queries to a text
> # file with SQLRecoveryFile
> SQLRecoveryFile /var/log/radius/missedaccounting
>
>
> AuthSelect select PASSWORD,POOLHINT from SUBSCRIBERS where BINARY USERNAME=%0
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, PoolHint, reply
>
> </AuthBy>
>
>
> <AuthBy DYNADDRESS>
> # This refers to the AddressAllocator
> # defined below. It tells us to use that allocator
> # to get an address. Instead of this, you can
> # put the <AddressAllocator xxx> clause directly
> # in here
> AddressAllocator myallocator
>
> # This specifies how to form the pool hint, that
> # the allocator uses to specify which pool
> # to allocate an address from. The default
> # is %{Reply:PoolHint}, ie a pseudo
> # attribute in the current reply,
> # presumably set by an earlier
> # AuthBy, but it could be for example
> # the NAS IP address or similar, or a hardwired
> # string.
> #PoolHint %{Reply:PoolHint}
> #PoolHint %1
>
> # These parameters tell us how to set reply
> # attributes from the result of the allocation.
> # The left hand side of each pair is
> # the "name" of the data item. The right hand
> # side is the Radius attribute name to use
> # in the reply. The valid data item names are:
> # yiaddr - The allocated address
> # subnetmask - The subnet mask to use
> # dnsserver - the IP address of the DNS server
> # The default mappings are:
> #MapAttribute yiaddr, Framed-IP-Address
> #MapAttribute subnetmask, Framed-IP-Netmask
>
> MapAttribute dnsserver, Primary-Dns-Server
>
> # The AuthBy FILE above sets the pseudo reply attribute
> # PoolHint as the clue to the address allocator
> # need to strip it out at the end of processing
> StripFromReply PoolHint, Framed-IP-Netmask
> </AuthBy>
> </Realm>
>
>
>
> #<Realm DEFAULT>
> # <AuthBy FILE>
> # Filename %D/users
> # </AuthBy>
> # # Log accounting to a detail file
> # AcctLogFileName %L/detail
> #</Realm>
>
>
> <Monitor>
> Username peter
> Password radarpw
> </Monitor>
>
>
> Thu Jul 29 12:52:57 2004: ERR: Attribute number 14 (vendor 10923) is not defined in your dictionary
> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
> *** Received from 10.2.0.2 port 40019 ....
> Code: Access-Request
> Identifier: 243
> Authentic: <135>H"3#&~<10>A<162><25><151><16>p<216>%
> Attributes:
> User-Name = "vodafone"
> User-Password = "]<18><153><1><132>\a<30><248><194><10><151>y<30>2~"
> NAS-IP-Address = 10.2.0.2
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Calling-Station-Id = "31646331589"
> Called-Station-Id = "gprs.xtrac.nl"
> NAS-Identifier = "gprs.xtrac.nl"
>
> Thu Jul 29 12:52:57 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Jul 29 12:52:57 2004: DEBUG: Deleting session for vodafone, 10.2.0.2,
> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthSQL
> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthSQL:
> Thu Jul 29 12:52:57 2004: DEBUG: Query is: 'select PASSWORD,POOLHINT from SUBSCRIBERS where BINARY USERNAME='vodafone'':
>
> Thu Jul 29 12:52:57 2004: DEBUG: Radius::AuthSQL looks for match with vodafone
> Thu Jul 29 12:52:57 2004: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthDYNADDRESS
> Thu Jul 29 12:52:57 2004: DEBUG: Query is: 'select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where (STATIONID='31646331589' AND POOLHINT='pool1') OR (STATIONID='' AND STATE = 0 AND POOLHINT='pool1') order by STATIONID desc limit 1;':
>
> Thu Jul 29 12:52:57 2004: DEBUG: do query is: 'update RADPOOL set STATE=1,TIME_STAMP=?,EXPIRY=?, USERNAME=?, STATIONID=? where YIADDR=? and TIME_STAMP =?': 1091098377 1091184777 vodafone 31646331589 10.2.0.9 1091098342
>
> Thu Jul 29 12:52:57 2004: DEBUG: Access accepted for vodafone
> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
> *** Sending to 10.2.0.2 port 40019 ....
> Code: Access-Accept
> Identifier: 243
> Authentic: <135>H"3#&~<10>A<162><25><151><16>p<216>%
> Attributes:
> Primary-Dns-Server = 192.168.3.4
> Framed-IP-Address = 10.2.0.9
>
> Thu Jul 29 12:52:57 2004: ERR: Attribute number 14 (vendor 10923) is not defined in your dictionary
> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
> *** Received from 10.2.0.2 port 40120 ....
> Code: Accounting-Request
> Identifier: 252
> Authentic: <142>C<23><237><202><128><245>K<133><181><240><244><143><!<189>
> Attributes:
> Acct-Status-Type = Start
> Acct-Session-Id = "00000000013456"
> User-Name = "vodafone"
> NAS-IP-Address = 10.2.0.2
> Service-Type = Framed-User
> Acct-Authentic = RADIUS
> Framed-Protocol = PPP
> Calling-Station-Id = "31646331589"
> Called-Station-Id = "gprs.xtrac.nl"
> NAS-Identifier = "gprs.xtrac.nl"
> Framed-IP-Address = 10.2.0.9
>
> Thu Jul 29 12:52:57 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Jul 29 12:52:57 2004: DEBUG: Adding session for vodafone, 10.2.0.2,
> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthSQL
> Thu Jul 29 12:52:57 2004: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Jul 29 12:52:57 2004: DEBUG: do query is: 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,CALLINGSTATIONID,FRAMEDIPADDRESS,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('00000000013456','Start','31646331589','10.2.0.9','gprs.xtrac.nl',1091098377,'vodafone')':
>
> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthDYNADDRESS
> Thu Jul 29 12:52:57 2004: DEBUG: Accounting accepted
> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
> *** Sending to 10.2.0.2 port 40120 ....
> Code: Accounting-Response
> Identifier: 252
> Authentic: <142>C<23><237><202><128><245>K<133><181><240><244><143><!<189>
> Attributes:
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
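Hugh's remark that a NULL PASSWORD accepts anything is the thing to check before looking further at the configuration. As an added example (not from the thread, and not Radiator's own Perl code), this stdlib Python model runs the AuthSelect lookup above against constructed SUBSCRIBERS rows: the lenient rule under which a NULL check value matches any supplied password, a strict rule that rejects NULL or empty values, and the audit query that lists such rows.

```python
import hmac
import sqlite3

# Constructed SUBSCRIBERS rows (not real data), shaped for the thread's AuthSelect:
#   select PASSWORD,POOLHINT from SUBSCRIBERS where BINARY USERNAME=%0
# SQLite has no BINARY keyword, but its default text comparison is already case-sensitive.
SAMPLE_ROWS = [
    ("vodafone", None,     "pool1"),   # NULL check value: the case Hugh describes
    ("alice",    "s3cret", "pool1"),
    ("bob",      "",       "pool2"),   # empty string is the other weak case worth flagging
]


def build_db():
    """In-memory table populated with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.execute("create table SUBSCRIBERS (USERNAME text, PASSWORD text, POOLHINT text)")
    db.executemany("insert into SUBSCRIBERS values (?, ?, ?)", SAMPLE_ROWS)
    return db


def auth_select(db, username):
    """The AuthSelect lookup, with the username passed as a bind variable."""
    return db.execute("select PASSWORD, POOLHINT from SUBSCRIBERS where USERNAME = ?",
                      (username,)).fetchone()


def lenient_check(db, username, supplied):
    """Models the behaviour described in the thread: a NULL check value matches anything."""
    row = auth_select(db, username)
    if row is None:
        return False                     # unknown user
    stored, _poolhint = row
    return stored is None or stored == supplied


def strict_check(db, username, supplied):
    """Hardened rule: a NULL or empty stored password can never authenticate."""
    row = auth_select(db, username)
    if row is None or not row[0]:
        return False
    return hmac.compare_digest(row[0].encode(), supplied.encode())


def weak_password_rows(db):
    """Audit query a practitioner can run against SUBSCRIBERS before going live."""
    rows = db.execute("select USERNAME from SUBSCRIBERS "
                      "where PASSWORD is null or PASSWORD = '' order by rowid")
    return [username for (username,) in rows]
```

Run the audit query against the real table (with MySQL's `BINARY` where case-sensitivity matters) and fix or constrain any row it returns; the "vodafone" accept in the trace is exactly what the lenient rule produces for a NULL row.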