(RADIATOR) Radiator doesn't reject on reject. ;-)

Hugh Irvine hugh at open.com.au
Tue Jun 15 10:36:14 CDT 2004


Hi Terry -

I wonder if you could do something for me (I'm on the road at the 
moment).

Try the same test without the "AcceptIfMissing" to see if that works 
correctly.

If so, add a second user to your first users file like this:

DEFAULT Auth-Type = Accept

and also add "NoDefaultIfFound" to the AuthBy clause.

At this stage I am guessing that there is something strange happening 
with AcceptIfMissing.

thanks

Hugh


On 15 Jun 2004, at 00:16, Terry Simons wrote:

> Hi Hugh,
>
> I have tested this in a non-EAP environment to see if that was the 
> problem.
>
> Things are broken in the "simpler" case too.
>
> Here's the configuration for my simpler handler:
>
> # Test realm for authorization purposes.
> <Handler Realm=/authorization.utah.edu/>
>    <AuthBy GROUP>
>                 AuthByPolicy ContinueWhileAccept
>                 <AuthBy FILE>
>                         AcceptIfMissing
>                         Filename %D/users-authorization
>                 </AuthBy>
>
>                 <AuthBy FILE>
>                         Filename %D/users-authentication
>                 </AuthBy>
>     </AuthBy>
> </Handler>
>
> And here's the log file for the simpler case:
>
> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 55718 ....
> Code:       Access-Request
> Identifier: 212
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "bob0 at authorization.utah.edu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = ".<228>:z5<246><22><8><213><177><221>6<239><0><30>J"
>
> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
> 'Realm=/authorization.utah.edu/'
> Mon Jun 14 16:16:02 2004: DEBUG:  Deleting session for 
> bob0 at authorization.utah.edu, 127.0.0.1, 1234
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match with 
> bob0 at authorization.utah.edu
> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match with 
> bob0 at authorization.utah.edu
> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for 
> bob0 at authorization.utah.edu
> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 55718 ....
> Code:       Access-Accept
> Identifier: 212
> Authentic:  1234567890123456
> Attributes:
>
> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 55718 ....
> Code:       Accounting-Request
> Identifier: 213
> Authentic:  <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
> Attributes:
>         User-Name = "bob0 at authorization.utah.edu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>
> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
> 'Realm=/authorization.utah.edu/'
> Mon Jun 14 16:16:02 2004: DEBUG:  Adding session for 
> bob0 at authorization.utah.edu, 127.0.0.1, 1234
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 55718 ....
> Code:       Accounting-Response
> Identifier: 213
> Authentic:  <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
> Attributes:
>
> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 55718 ....
> Code:       Accounting-Request
> Identifier: 214
> Authentic:  <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
> Attributes:
>         User-Name = "bob0 at authorization.utah.edu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 20000
>         Acct-Output-Octets = 30000
>
> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
> 'Realm=/authorization.utah.edu/'
> Mon Jun 14 16:16:02 2004: DEBUG:  Deleting session for 
> bob0 at authorization.utah.edu, 127.0.0.1, 1234
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 55718 ....
> Code:       Accounting-Response
> Identifier: 214
> Authentic:  <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
> Attributes:
>
>
> As you can see, although I get a reject on the first AuthBy, the 
> second AuthBy is also executed.  I think this at least rules out EAP 
> as the culprit.
>
> I don't know how to make this any simpler for the test I am trying to 
> perform... any suggestions?
>
> My %D/users-authorization:
>
> bob0 at authorization.utah.edu     User-Password = "invalid!"
>
>
> My %D/users-authentication:
>
> bob0 at authorization.utah.edu     User-Password = "thebuilder"
>
> My radpwtst line:
>
> /opt/uofu/perl-5.8.0/bin/perl ./radpwtst -user 
> bob0 at authorization.utah.edu -password thebuilder -nas_ip_address 
> 127.0.0.1 -s 127.0.0.1 -secret mysecret -auth_port 1812 -acct_port 
> 1813
>
>
> Is this enough information to categorize the behavior as a bug?
>
> Let me know if I can help further.
>
> - Terry
>
>
> On Jun 12, 2004, at 1:45 AM, Hugh Irvine wrote:
>
>>
>> Hi Terry -
>>
>> This does look curious, however I would have thought the 
>> "AuthByPolicy ContinueWhileAccept" more appropriate in this case.
>>
>> I would be inclined to do a more simple test with a single Handler 
>> and just use radpwtst before moving on to a more complex 
>> configuration.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 12 Jun 2004, at 04:18, Terry Simons wrote:
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
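The request in the quoted trace is exactly the pattern a log check can pick out: an Access-Request for which one AuthBy logged REJECT and the Handler still sent Access-Accept. The Python below is an added example, not Radiator's or Open System Consultants' code. It infers the trace 4 line format from the quoted log, models "AuthByPolicy ContinueWhileAccept" as "stop at the first verdict that is not ACCEPT" (the semantics the thread expects; an assumption, not Radiator's implementation), and runs over an abridged copy of Terry's trace with the archive's "at" restored to "@" and the password removed.

```python
# Flag Radiator trace 4 exchanges where an AuthBy logged REJECT but the
# request still ended in Access-Accept (the symptom reported in the thread).
# Added example; the log line formats are inferred from the quoted trace.
import re
from dataclasses import dataclass, field

# Abridged copy of the quoted trace ("at" restored to "@", password removed).
SAMPLE_LOG = """\
*** Received from 127.0.0.1 port 55718 ....
Code:       Access-Request
Identifier: 212
Attributes:
        User-Name = "bob0@authorization.utah.edu"
        User-Password = "<removed>"
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for bob0@authorization.utah.edu
*** Sending to 127.0.0.1 port 55718 ....
Code:       Access-Accept
Identifier: 212
Attributes:
*** Received from 127.0.0.1 port 55718 ....
Code:       Accounting-Request
Identifier: 213
Attributes:
        User-Name = "bob0@authorization.utah.edu"
        Acct-Status-Type = Start
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
*** Sending to 127.0.0.1 port 55718 ....
Code:       Accounting-Response
Identifier: 213
Attributes:
"""

CODE = re.compile(r"^Code:\s+(\S+)")
IDENT = re.compile(r"^Identifier:\s+(\d+)")
USER = re.compile(r'^User-Name = "([^"]*)"')
# Per-module verdict lines, e.g. "Radius::AuthFILE REJECT: Bad Password".
RESULT = re.compile(r"DEBUG: (Radius::\w+) (ACCEPT|REJECT|IGNORE|CHALLENGE)\b")


@dataclass
class Exchange:
    request_code: str = ""
    identifier: str = ""
    user: str = ""
    results: list = field(default_factory=list)  # (module, verdict) in log order
    response_code: str = ""

    @property
    def suspicious(self) -> bool:
        """An Access-Request that was accepted although some AuthBy rejected."""
        return (self.request_code == "Access-Request"
                and self.response_code == "Access-Accept"
                and any(v == "REJECT" for _, v in self.results))


def parse_exchanges(log_text: str) -> list:
    """Split a trace 4 log into request/response exchanges."""
    exchanges, current, phase = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("*** Received from"):
            current, phase = Exchange(), "request"
            continue
        if current is None:
            continue
        if line.startswith("*** Sending to"):
            phase = "response"
            continue
        if m := CODE.match(line):
            if phase == "request":
                current.request_code = m.group(1)
            else:  # the response Code: line closes the exchange
                current.response_code = m.group(1)
                exchanges.append(current)
                current = None
        elif m := IDENT.match(line):
            current.identifier = m.group(1)
        elif m := USER.match(line):
            current.user = m.group(1)
        elif m := RESULT.search(line):
            current.results.append((m.group(1), m.group(2)))
    return exchanges


def continue_while_accept_stop(results: list) -> int:
    """Index of the AuthBy at which a ContinueWhileAccept group is expected to
    stop: the first verdict that is not ACCEPT (assumed semantics, not
    Radiator's implementation). Returns len(results) if none should stop it."""
    for i, (_, verdict) in enumerate(results):
        if verdict != "ACCEPT":
            return i
    return len(results)


def find_anomalies(log_text: str) -> list:
    """Identifiers of suspicious exchanges, printing the evidence for each."""
    flagged = []
    for ex in parse_exchanges(log_text):
        if ex.suspicious:
            extra = ex.results[continue_while_accept_stop(ex.results) + 1:]
            print(f"id {ex.identifier} user {ex.user}: verdicts {ex.results}; "
                  f"{len(extra)} AuthBy ran after the first non-ACCEPT verdict")
            flagged.append(ex.identifier)
    return flagged


if __name__ == "__main__":
    find_anomalies(SAMPLE_LOG)
```

Run against the quoted trace it reports request 212 (user bob0, verdicts REJECT then ACCEPT, one AuthBy run past the expected stop) and leaves the two accounting exchanges alone, which is a quick way to confirm whether a change such as dropping AcceptIfMissing or adding NoDefaultIfFound actually makes the symptom go away.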