(RADIATOR) User authentication problem
Peter Lindeman
peter.lindeman at tpa-nl.com
Thu Jul 29 10:13:55 CDT 2004
Hugh Irvine wrote:
It is really strange. I had a mobile PCMCIA card with which this
occurred. I had to return this card this afternoon to the owner, and with
our own GPRS modems we cannot reproduce this problem. I therefore first
have to get hold of this card again.
With this card I already tried to authenticate with the default
AuthSelect and it gave me the same result.
This is how our table looks:
mysql> SHOW FIELDS FROM SUBSCRIBERS;
+----------+-------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| USERNAME | varchar(50) |      | PRI |         |       |
| PASSWORD | varchar(50) |      |     |         |       |
| POOLHINT | varchar(15) |      |     |         |       |
+----------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
>
> Hello Peter -
>
> This is quite strange.
>
> Could you please try using just the default AuthSelect? And send me the
> debug trace.
>
> And could you also send me a copy of the database table structure and a
> copy of this user record?
>
> thanks and regards
>
> Hugh
>
>
> On 29 Jul 2004, at 20:54, Peter Lindeman wrote:
>
>> Hugh Irvine wrote:
>>
>>> The debug output does not appear to correspond with what you show
>>> for the configuration.
>>> Could I please see your complete configuration file and a more
>>> complete trace 4 debug from startup?
>>> In general if the PASSWORD is NULL anything will be accepted.
>>> BTW - have you restarted Radiator since changing the configuration
>>> file?
>>
>>
>> Hmm, I perhaps have taken the wrong part from the log. I have now cleared
>> the log and used the config as we want to use it. I have attached both
>> the log and our configuration to this message.
>>
>> The password used for the accepted session is definitely not the
>> correct one. In fact I can choose whatever password on the client and
>> it is accepted.
>>
>> Thanks
>>
>> --
>> Peter Lindeman
>> TPA traffic & parking automation bv
>> # radius.cfg
>> #
>> # Example Radiator configuration file.
>> # This very simple file will allow you to get started with
>> # a simple system. You can then add and change features.
>> # We suggest you start simple, prove to yourself that it
>> # works and then develop a more complicated configuration as required.
>> #
>> # This configuration authenticates users from the SUBSCRIBERS SQL
>> # table, allocates addresses from the RADPOOL table and logs
>> # accounting to the ACCOUNTING table.
>> #
>> # It will accept requests from any client and try to handle requests
>> # for any realm.
>> #
>> # You should consider this file to be a starting point only
>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>
>> #Foreground
>> #LogStdout
>> LogDir /var/log/radius
>> #LogFile %d-%Y-radius.log
>>
>> # Look in /etc/radiator for username database
>> DbDir /etc/radiator
>>
>> # Dictionary file is in /etc/radiator
>> DictionaryFile /etc/radiator/dictionary
>>
>> # need the old Ascend non-vendor-specific attributes too
>> #DictionaryFile %D/dictionary,%D/dictionary.ascend
>>
>> # Use a low trace level in production systems. Increase
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>> Trace 4
>>
>>
>> # Listen for authentication requests on port 1812 as per RFC
>> # 2138
>> AuthPort 1812
>>
>> # Listen for accounting requests on port 1813 as
>> # per RFC 2139
>> AcctPort 1813
>>
>> BindAddress 192.168.3.4
>>
>> # Run as user
>> #User radiator
>>
>> # Run as group
>> #Group radiator
>>
>> <AddressAllocator SQL>
>> # This name allows us to refer to it from inside
>> # an AuthBy DYNADDRESS
>> Identifier myallocator
>>
>> # For mysql, use something like this
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth radiator
>>
>> # If SessionTimeout is set by a previous AuthBy
>> # then that is used as the expiry time. Otherwise
>> # DefaultLeasePeriod (in seconds) is used.
>> # Defaults to 1 day
>> #DefaultLeasePeriod 86400
>>
>> # How often we check the database for expired leases
>> # leases can expire if an accounting stop is lost
>> # or if the session goes longer than the lease
>> # we originally asked for. Defaults to 1 day.
>> #LeaseReclaimInterval 86400
>>
>> # Define the pools that are to be in our database
>> # defining pools here will make AddressAllocator SQL
>> # ensure that all the addresses are present in the database
>> # at startup. You dont have to define pools here. If you dont,
>> # AddressAllocator SQL will just use whatever addresses
>> # it finds in the RADPOOL table.
>> # Address ranges can be either in the form of lower and
>> # upper addresses in a class C block, eg
>> # Range 192.1.1.10 192.1.1.20
>> # or a CIDR block eg
>> # Range 192.1.2.0/24
>> #
>> <AddressPool pool1>
>> Subnetmask 255.255.255.0
>> Range 10.2.0.9 10.2.0.100
>> DNSServer 192.168.3.4
>> </AddressPool>
>> <AddressPool pool2>
>> Subnetmask 255.255.255.0
>> Range 10.2.0.101 10.2.0.254
>> DNSServer 192.168.3.4
>> </AddressPool>
>>
>>
>> # AddressAllocator SQL supports DBI bind variables for improved SQL
>> # database performance. You can specify any query with ?, marking the
>> # place where variables are to be bound, and then specify the variables
>> # to be bound with xxxBindVar parameters. The bind variables (marked by
>> # the ?s) will be replaced in the order of the xxxBindVar parameters.
>> # Here are example queries using bind variables for improved performance.
>> # The following queries work exactly the same as the default queries
>> # but (on some databases) will work much faster.
>> # Caution: not all databases support bind variables. See the
>> # documentation for your database's Perl DBD module for details.
>> # You do not need to do this if your database is going fast enough:
>> # it does not work with all databases. The examples below work with Oracle.
>> #FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOLHINT=? and STATE=0 order by TIME_STAMP
>> #FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where STATIONID='%{Calling-Station-Id}' or (STATIONID='' and STATE = 0) limit 1
>> # Note: in the active query below, Calling-Station-Id and the PoolHint
>> # reply attribute are interpolated into the SQL text rather than bound
>> # with FindQueryBindVar.
>> FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where (STATIONID='%{Calling-Station-Id}' AND POOLHINT='%{Reply:PoolHint}') OR (STATIONID='' AND STATE = 0 AND POOLHINT='%{Reply:PoolHint}') order by STATIONID desc limit 1;
>> #FindQueryBindVar %0
>> AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=?,EXPIRY=?, USERNAME=?, STATIONID=? where YIADDR=? and TIME_STAMP =?
>> AllocateQueryBindVar %0
>> AllocateQueryBindVar %1
>> AllocateQueryBindVar %2
>> AllocateQueryBindVar %{Calling-Station-Id}
>> AllocateQueryBindVar %3
>> AllocateQueryBindVar %4
>> #DeallocateQuery update RADPOOL set STATE=0, TIME_STAMP=? where YIADDR=?
>> #DeallocateQueryBindVar %t
>> #DeallocateQueryBindVar %0
>> #CheckPoolQuery select STATE from RADPOOL where YIADDR=?
>> #CheckPoolQueryBindVar %0
>> #AddAddressQuery insert into RADPOOL (STATE, TIME_STAMP,POOLHINT, YIADDR, SUBNETMASK, DNSSERVER, STATIONID) values (0, ?, ?, ?, ?, ?, %{Calling-Station-Id})
>> #AddAddressQuery insert into RADPOOL (STATE, TIME_STAMP,POOLHINT, YIADDR, SUBNETMASK, DNSSERVER) values (0, ?, ?, ?, ?, ?)
>> #AddAddressQueryBindVar %t
>> #AddAddressQueryBindVar %0
>> #AddAddressQueryBindVar %1
>> #AddAddressQueryBindVar %2
>> #AddAddressQueryBindVar %3
>> # Empty reclaim query so it will *not* be executed
>> ReclaimQuery
>> #ReclaimQuery update RADPOOL set STATE=0 where STATE!=0 and EXPIRY < ?
>> #ReclaimQueryBindVar %0
>> </AddressAllocator>
>>
>> # We put client details in a database table
>> <ClientListSQL>
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth radiator
>> </ClientListSQL>
>>
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client DEFAULT>
>> Secret xxxxxxxxxxxxxx
>> DupInterval 0
>> </Client>
>>
>>
>> # This will authenticate users from SUBSCRIBERS
>> <Realm DEFAULT>
>> AuthByPolicy ContinueWhileAccept
>>
>> #<AuthBy FILE>
>> # Filename %D/users
>> #</AuthBy>
>> <AuthBy SQL>
>> DBSource dbi:mysql:radius
>> DBUsername radius
>> DBAuth radiator
>>
>>
>> # You may want to tailor these for your ACCOUNTING table
>> # You can add your own columns to store whatever you like
>> AccountingTable ACCOUNTING
>> AcctColumnDef USERNAME,User-Name
>> AcctColumnDef TIME_STAMP,Timestamp,integer
>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>> AcctColumnDef CALLINGSTATIONID, Calling-Station-Id
>>
>> # Alternatively, you can arrange to save failed SQL accounting insert
>> # queries to a text file with SQLRecoveryFile
>> SQLRecoveryFile /var/log/radius/missedaccounting
>>
>>
>> AuthSelect select PASSWORD,POOLHINT from SUBSCRIBERS where BINARY USERNAME=%0
>> AuthColumnDef 0, User-Password, check
>> AuthColumnDef 1, PoolHint, reply
>>
>> </AuthBy>
>>
>>
>> <AuthBy DYNADDRESS>
>> # This refers to the AddressAllocator
>> # defined above. It says to use that allocator
>> # to get an address. Instead of this, you can
>> # put the <AddressAllocator xxx> clause directly
>> # in here
>> AddressAllocator myallocator
>>
>> # This specifies how to form the pool hint, that
>> # the allocator uses to specify which pool
>> # to allocate an address from. The default
>> # is %{Reply:PoolHint}, ie a pseudo
>> # attribute in the current reply,
>> # presumably set by an earlier
>> # AuthBy, but it could be for example
>> # the NAS IP address or similar, or a hardwired
>> # string.
>> #PoolHint %{Reply:PoolHint}
>> #PoolHint %1
>>
>> # These parameters tell us how to set reply
>> # attributes from the result of the allocation.
>> # The left hand side of each pair is
>> # the "name" of the data item. The right hand
>> # side is the Radius attribute name to use
>> # in the reply. The valid data item names are:
>> # yiaddr - The allocated address
>> # subnetmask - The subnet mask to use
>> # dnsserver - the IP address of the DNS server
>> # The default mappings are:
>> #MapAttribute yiaddr, Framed-IP-Address
>> #MapAttribute subnetmask, Framed-IP-Netmask
>>
>> MapAttribute dnsserver, Primary-Dns-Server
>>
>> # The AuthBy SQL above sets the pseudo reply attribute
>> # PoolHint as the clue to the address allocator;
>> # it needs to be stripped out at the end of processing
>> StripFromReply PoolHint, Framed-IP-Netmask
>> </AuthBy>
>> </Realm>
>>
>>
>>
>> #<Realm DEFAULT>
>> # <AuthBy FILE>
>> # Filename %D/users
>> # </AuthBy>
>> # # Log accounting to a detail file
>> # AcctLogFileName %L/detail
>> #</Realm>
>>
>>
>> <Monitor>
>> Username peter
>> Password radarpw
>> </Monitor>
>>
>>
>> Thu Jul 29 12:52:57 2004: ERR: Attribute number 14 (vendor 10923) is
>> not defined in your dictionary
>> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
>> *** Received from 10.2.0.2 port 40019 ....
>> Code: Access-Request
>> Identifier: 243
>> Authentic: <135>H"3#&~<10>A<162><25><151><16>p<216>%
>> Attributes:
>> User-Name = "vodafone"
>> User-Password = "]<18><153><1><132>\a<30><248><194><10><151>y<30>2~"
>> NAS-IP-Address = 10.2.0.2
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Calling-Station-Id = "31646331589"
>> Called-Station-Id = "gprs.xtrac.nl"
>> NAS-Identifier = "gprs.xtrac.nl"
>>
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Thu Jul 29 12:52:57 2004: DEBUG: Deleting session for vodafone,
>> 10.2.0.2,
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthSQL
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthSQL:
>> Thu Jul 29 12:52:57 2004: DEBUG: Query is: 'select PASSWORD,POOLHINT
>> from SUBSCRIBERS where BINARY USERNAME='vodafone'':
>>
>> Thu Jul 29 12:52:57 2004: DEBUG: Radius::AuthSQL looks for match with
>> vodafone
>> Thu Jul 29 12:52:57 2004: DEBUG: Radius::AuthSQL ACCEPT:
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthDYNADDRESS
>> Thu Jul 29 12:52:57 2004: DEBUG: Query is: 'select TIME_STAMP,
>> YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where
>> (STATIONID='31646331589' AND POOLHINT='pool1') OR (STATIONID='' AND
>> STATE = 0 AND POOLHINT='pool1') order by STATIONID desc limit 1;':
>>
>> Thu Jul 29 12:52:57 2004: DEBUG: do query is: 'update RADPOOL set
>> STATE=1,TIME_STAMP=?,EXPIRY=?, USERNAME=?, STATIONID=? where YIADDR=?
>> and TIME_STAMP =?': 1091098377 1091184777 vodafone 31646331589
>> 10.2.0.9 1091098342
>>
>> Thu Jul 29 12:52:57 2004: DEBUG: Access accepted for vodafone
>> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
>> *** Sending to 10.2.0.2 port 40019 ....
>> Code: Access-Accept
>> Identifier: 243
>> Authentic: <135>H"3#&~<10>A<162><25><151><16>p<216>%
>> Attributes:
>> Primary-Dns-Server = 192.168.3.4
>> Framed-IP-Address = 10.2.0.9
>>
>> Thu Jul 29 12:52:57 2004: ERR: Attribute number 14 (vendor 10923) is
>> not defined in your dictionary
>> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
>> *** Received from 10.2.0.2 port 40120 ....
>> Code: Accounting-Request
>> Identifier: 252
>> Authentic:
>> <142>C<23><237><202><128><245>K<133><181><240><244><143><!<189>
>> Attributes:
>> Acct-Status-Type = Start
>> Acct-Session-Id = "00000000013456"
>> User-Name = "vodafone"
>> NAS-IP-Address = 10.2.0.2
>> Service-Type = Framed-User
>> Acct-Authentic = RADIUS
>> Framed-Protocol = PPP
>> Calling-Station-Id = "31646331589"
>> Called-Station-Id = "gprs.xtrac.nl"
>> NAS-Identifier = "gprs.xtrac.nl"
>> Framed-IP-Address = 10.2.0.9
>>
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Thu Jul 29 12:52:57 2004: DEBUG: Adding session for vodafone, 10.2.0.2,
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthSQL
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling accounting with
>> Radius::AuthSQL
>> Thu Jul 29 12:52:57 2004: DEBUG: do query is: 'insert into ACCOUNTING
>> (ACCTSESSIONID,ACCTSTATUSTYPE,CALLINGSTATIONID,FRAMEDIPADDRESS,NASIDENT
>> IFIER,TIME_STAMP,USERNAME) values
>> ('00000000013456','Start','31646331589','10.2.0.9','gprs.xtrac.nl',1091
>> 098377,'vodafone')':
>>
>> Thu Jul 29 12:52:57 2004: DEBUG: Handling with Radius::AuthDYNADDRESS
>> Thu Jul 29 12:52:57 2004: DEBUG: Accounting accepted
>> Thu Jul 29 12:52:57 2004: DEBUG: Packet dump:
>> *** Sending to 10.2.0.2 port 40120 ....
>> Code: Accounting-Response
>> Identifier: 252
>> Authentic:
>> <142>C<23><237><202><128><245>K<133><181><240><244><143><!<189>
>> Attributes:
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
--
Peter Lindeman
TPA traffic & parking automation bv
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
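Added example, not code from the thread or from Radiator: the point under discussion is that the AuthSelect above returns PASSWORD as the check column, and Hugh's note is that a NULL PASSWORD means anything is accepted. The script below models that rule against an in-memory SQLite copy of the SUBSCRIBERS table shown in the thread, puts a stricter check beside it that refuses NULL or empty stored passwords, and includes the audit query a practitioner would run first. The row contents (including a NULL password for "vodafone") are constructed for the demonstration and are an assumption, not a finding; the thread does not settle what the real cause was, nor how Radiator treats an empty string as opposed to SQL NULL. Python is used here simply because it runs with no dependencies.

```python
"""Model of the NULL-password check from the Radiator thread (added example).

Not Radiator's code. Reproduces the behaviour Hugh describes ("if the
PASSWORD is NULL anything will be accepted") against a constructed copy of
the SUBSCRIBERS table, and shows a stricter check beside it.
"""
import hmac
import sqlite3
from typing import List, Optional, Tuple

# Constructed rows for SUBSCRIBERS (USERNAME, PASSWORD, POOLHINT).
# The NULL password for 'vodafone' is an assumption made for the demo.
SAMPLE_ROWS = [
    ("alice", "correct horse", "pool1"),
    ("vodafone", None, "pool1"),   # NULL PASSWORD: lenient check accepts anything
    ("bob", "", "pool2"),          # empty-string PASSWORD: also not a real credential
]


def build_db() -> sqlite3.Connection:
    """In-memory SUBSCRIBERS table with the schema from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SUBSCRIBERS ("
        " USERNAME VARCHAR(50) PRIMARY KEY,"
        " PASSWORD VARCHAR(50),"
        " POOLHINT VARCHAR(15))"
    )
    conn.executemany("INSERT INTO SUBSCRIBERS VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def auth_select(conn: sqlite3.Connection, username: str) -> Optional[Tuple[Optional[str], str]]:
    """Bound-parameter form of the posted AuthSelect.

    Radiator substitutes %0 with the quoted User-Name; here the driver binds
    it. SQLite compares TEXT case-sensitively by default, which is what the
    BINARY keyword achieves in the MySQL query.
    """
    return conn.execute(
        "SELECT PASSWORD, POOLHINT FROM SUBSCRIBERS WHERE USERNAME = ?",
        (username,),
    ).fetchone()


def check_lenient(conn: sqlite3.Connection, username: str, supplied: str) -> Tuple[bool, Optional[str]]:
    """The rule Hugh states: no stored password (SQL NULL) means no check item,
    so any supplied password is accepted. Returns (accepted, pool hint)."""
    row = auth_select(conn, username)
    if row is None:
        return False, None
    stored, poolhint = row
    if stored is None:
        return True, poolhint
    return hmac.compare_digest(stored.encode(), supplied.encode()), poolhint


def check_strict(conn: sqlite3.Connection, username: str, supplied: str) -> Tuple[bool, Optional[str]]:
    """Hardened variant: a NULL or empty stored password is treated as a
    misconfigured account and rejected rather than waved through."""
    row = auth_select(conn, username)
    if row is None:
        return False, None
    stored, poolhint = row
    if not stored or not supplied:
        return False, None
    if hmac.compare_digest(stored.encode(), supplied.encode()):
        return True, poolhint
    return False, None


def audit_unchecked_accounts(conn: sqlite3.Connection) -> List[str]:
    """Accounts whose PASSWORD column is NULL or empty: run this before
    blaming the NAS when a RADIUS server accepts arbitrary passwords."""
    return [
        r[0]
        for r in conn.execute(
            "SELECT USERNAME FROM SUBSCRIBERS"
            " WHERE PASSWORD IS NULL OR PASSWORD = '' ORDER BY USERNAME"
        )
    ]


if __name__ == "__main__":
    db = build_db()
    print("lenient vodafone/anything:", check_lenient(db, "vodafone", "anything"))
    print("strict  vodafone/anything:", check_strict(db, "vodafone", "anything"))
    print("accounts with no real password:", audit_unchecked_accounts(db))
```

The audit query is the same SELECT you would run against the real MySQL table; the strict check is one policy choice (reject rather than accept) and is not a description of how Radiator itself behaves on an empty string.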