(RADIATOR) Radiator doesn't reject on reject. ;-)
Terry Simons
galimore at mac.com
Mon Jun 14 17:16:10 CDT 2004
Hi Hugh,
I have tested this in a non-EAP environment to see if that was the
problem.
Things are broken in the "simpler" case too.
Here's the configuration for my simpler handler:
# Test realm for authorization purposes.
<Handler Realm=/authorization.utah.edu/>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
            AcceptIfMissing
            Filename %D/users-authorization
        </AuthBy>
        <AuthBy FILE>
            Filename %D/users-authentication
        </AuthBy>
    </AuthBy>
</Handler>
And here's the log file for the simpler case:
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 55718 ....
Code: Access-Request
Identifier: 212
Authentic: 1234567890123456
Attributes:
User-Name = "bob0 at authorization.utah.edu"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
".<228>:z5<246><22><8><213><177><221>6<239><0><30>J"
Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler
'Realm=/authorization.utah.edu/'
Mon Jun 14 16:16:02 2004: DEBUG: Deleting session for
bob0 at authorization.utah.edu, 127.0.0.1, 1234
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match with
bob0 at authorization.utah.edu
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match with
bob0 at authorization.utah.edu
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for
bob0 at authorization.utah.edu
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 55718 ....
Code: Access-Accept
Identifier: 212
Authentic: 1234567890123456
Attributes:
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 55718 ....
Code: Accounting-Request
Identifier: 213
Authentic: <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
Attributes:
User-Name = "bob0 at authorization.utah.edu"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler
'Realm=/authorization.utah.edu/'
Mon Jun 14 16:16:02 2004: DEBUG: Adding session for
bob0 at authorization.utah.edu, 127.0.0.1, 1234
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 55718 ....
Code: Accounting-Response
Identifier: 213
Authentic: <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
Attributes:
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 55718 ....
Code: Accounting-Request
Identifier: 214
Authentic: <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
Attributes:
User-Name = "bob0 at authorization.utah.edu"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler
'Realm=/authorization.utah.edu/'
Mon Jun 14 16:16:02 2004: DEBUG: Deleting session for
bob0 at authorization.utah.edu, 127.0.0.1, 1234
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 55718 ....
Code: Accounting-Response
Identifier: 214
Authentic: <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
Attributes:
As you can see, although I get a reject on the first AuthBy, the second
AuthBy is also executed. I think this at least rules out EAP as the
culprit.
I don't know how to make this any simpler for the test I am trying to
perform... any suggestions?
My %D/users-authorization:
bob0 at authorization.utah.edu User-Password = "invalid!"
My %D/users-authentication:
bob0 at authorization.utah.edu User-Password = "thebuilder"
My radpwtst line:
/opt/uofu/perl-5.8.0/bin/perl ./radpwtst -user
bob0 at authorization.utah.edu -password thebuilder -nas_ip_address
127.0.0.1 -s 127.0.0.1 -secret mysecret -auth_port 1812 -acct_port 1813
Is this enough information to categorize the behavior as a bug?
Let me know if I can help further.
- Terry
On Jun 12, 2004, at 1:45 AM, Hugh Irvine wrote:
>
> Hi Terry -
>
> This does look curious, however I would have thought the "AuthByPolicy
> ContinueWhileAccept" more appropriate in this case.
>
> I would be inclined to do a more simple test with a single Handler and
> just use radpwtst before moving on to a more complex configuration.
>
> regards
>
> Hugh
>
>
> On 12 Jun 2004, at 04:18, Terry Simons wrote:
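The check the trace above invites, as an added example that is not part of the original post or of Radiator: a Python scan of a Radiator DEBUG trace that reports every request in which an AuthBy logged REJECT and the request still ended in "Access accepted". The sample lines are constructed from the post's trace with the mail line wraps joined; the second request, the function name and the assumption that each request's lines are contiguous (as they are in the post) are assumptions of this example.

```python
import re

# Constructed sample: the first request is the post's trace with mail line
# wraps joined; the second (alice) is a constructed request with no reject.
SAMPLE_LOG = """\
Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 'Realm=/authorization.utah.edu/'
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for bob0 at authorization.utah.edu
Mon Jun 14 16:16:09 2004: DEBUG: Handling request with Handler 'Realm=/authorization.utah.edu/'
Mon Jun 14 16:16:09 2004: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 14 16:16:09 2004: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 14 16:16:09 2004: DEBUG: Access accepted for alice at authorization.utah.edu
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}): \w+: (?P<msg>.*)$")
VERDICT = re.compile(r"^Radius::(?P<module>\w+) (?P<result>[A-Z]+):\s*(?P<reason>.*)$")
NEW_REQUEST = "Handling request with Handler "
ACCEPTED = "Access accepted for "

def find_accepts_after_reject(log_text):
    """Return one finding per request accepted despite an AuthBy REJECT."""
    findings, verdicts, handler = [], [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # attribute lines of a packet dump carry no timestamp
        msg = m["msg"]
        v = VERDICT.match(msg)
        if msg.startswith(NEW_REQUEST):
            handler = msg[len(NEW_REQUEST):]
            verdicts = []  # a new request starts here
        elif v:
            verdicts.append((v["module"], v["result"], v["reason"]))
        elif msg.startswith(ACCEPTED):
            if any(result == "REJECT" for _, result, _ in verdicts):
                findings.append({"time": m["ts"], "handler": handler,
                                 "user": msg[len(ACCEPTED):],
                                 "verdicts": verdicts})
            verdicts = []
    return findings

if __name__ == "__main__":
    for f in find_accepts_after_reject(SAMPLE_LOG):
        print(f["time"], f["user"], f["handler"], f["verdicts"])
```

A reject followed by an accept is expected under policies that deliberately continue past a reject, so findings are only meaningful for handlers meant to stop at the first reject.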