(RADIATOR) Radiator doesn't reject on reject. ;-)

Terry Simons galimore at mac.com
Tue Jun 15 11:34:00 CDT 2004


Hi Hugh,

That fixed it for the flat file case, so it seems you may be correct 
about AcceptIfMissing.

Thanks!

- Terry

On Jun 15, 2004, at 9:36 AM, Hugh Irvine wrote:

>
> Hi Terry -
>
> I wonder if you could do something for me (I'm on the road at the 
> moment).
>
> Try the same test without the "AcceptIfMissing" to see if that works 
> correctly.
>
> If so, add a second user to your first users file like this:
>
> DEFAULT Auth-Type = Accept
>
> and also add "NoDefaultIfFound" to the AuthBy clause.
>
> At this stage I am guessing that there is something strange happening 
> with AcceptIfMissing.
>
> thanks
>
> Hugh
>
>
> On 15 Jun 2004, at 00:16, Terry Simons wrote:
>
>> Hi Hugh,
>>
>> I have tested this in a non-EAP environment to see if that was the 
>> problem.
>>
>> Things are broken in the "simpler" case too.
>>
>> Here's the configuration for my simpler handler:
>>
>> # Test realm for authorization purposes.
>> <Handler Realm=/authorization.utah.edu/>
>>     <AuthBy GROUP>
>>         AuthByPolicy ContinueWhileAccept
>>         <AuthBy FILE>
>>             AcceptIfMissing
>>             Filename %D/users-authorization
>>         </AuthBy>
>>
>>         <AuthBy FILE>
>>             Filename %D/users-authentication
>>         </AuthBy>
>>     </AuthBy>
>> </Handler>
>>
>> And here's the log file for the simpler case:
>>
>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 55718 ....
>> Code:       Access-Request
>> Identifier: 212
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "bob0 at authorization.utah.edu"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 127.0.0.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password = 
>> ".<228>:z5<246><22><8><213><177><221>6<239><0><30>J"
>>
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
>> 'Realm=/authorization.utah.edu/'
>> Mon Jun 14 16:16:02 2004: DEBUG:  Deleting session for 
>> bob0 at authorization.utah.edu, 127.0.0.1, 1234
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match 
>> with bob0 at authorization.utah.edu
>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match 
>> with bob0 at authorization.utah.edu
>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
>> Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for 
>> bob0 at authorization.utah.edu
>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 55718 ....
>> Code:       Access-Accept
>> Identifier: 212
>> Authentic:  1234567890123456
>> Attributes:
>>
>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 55718 ....
>> Code:       Accounting-Request
>> Identifier: 213
>> Authentic:  <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
>> Attributes:
>>         User-Name = "bob0 at authorization.utah.edu"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 127.0.0.1
>>         NAS-Port = 1234
>>         NAS-Port-Type = Async
>>         Acct-Session-Id = "00001234"
>>         Acct-Status-Type = Start
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         Acct-Delay-Time = 0
>>
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
>> 'Realm=/authorization.utah.edu/'
>> Mon Jun 14 16:16:02 2004: DEBUG:  Adding session for 
>> bob0 at authorization.utah.edu, 127.0.0.1, 1234
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>> Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 55718 ....
>> Code:       Accounting-Response
>> Identifier: 213
>> Authentic:  <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
>> Attributes:
>>
>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 55718 ....
>> Code:       Accounting-Request
>> Identifier: 214
>> Authentic:  <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
>> Attributes:
>>         User-Name = "bob0 at authorization.utah.edu"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 127.0.0.1
>>         NAS-Port = 1234
>>         NAS-Port-Type = Async
>>         Acct-Session-Id = "00001234"
>>         Acct-Status-Type = Stop
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         Acct-Delay-Time = 0
>>         Acct-Session-Time = 1000
>>         Acct-Input-Octets = 20000
>>         Acct-Output-Octets = 30000
>>
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
>> 'Realm=/authorization.utah.edu/'
>> Mon Jun 14 16:16:02 2004: DEBUG:  Deleting session for 
>> bob0 at authorization.utah.edu, 127.0.0.1, 1234
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>> Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 55718 ....
>> Code:       Accounting-Response
>> Identifier: 214
>> Authentic:  <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
>> Attributes:
>>
>>
>> As you can see, although I get a reject on the first AuthBy, the 
>> second AuthBy is also executed.  I think this at least rules out EAP 
>> as the culprit.
>>
>> I don't know how to make this any simpler for the test I am trying 
>> to perform... any suggestions?
>>
>> My %D/users-authorization:
>>
>> bob0 at authorization.utah.edu     User-Password = "invalid!"
>>
>>
>> My %D/users-authentication:
>>
>> bob0 at authorization.utah.edu     User-Password = "thebuilder"
>>
>> My radpwtst line:
>>
>> /opt/uofu/perl-5.8.0/bin/perl ./radpwtst -user bob0 at authorization.utah.edu \
>>     -password thebuilder -nas_ip_address 127.0.0.1 -s 127.0.0.1 \
>>     -secret mysecret -auth_port 1812 -acct_port 1813
>>
>>
>> Is this enough information to categorize the behavior as a bug?
>>
>> Let me know if I can help further.
>>
>> - Terry
>>
>>
>> On Jun 12, 2004, at 1:45 AM, Hugh Irvine wrote:
>>
>>>
>>> Hi Terry -
>>>
>>> This does look curious, however I would have thought the 
>>> "AuthByPolicy ContinueWhileAccept" more appropriate in this case.
>>>
>>> I would be inclined to do a more simple test with a single Handler 
>>> and just use radpwtst before moving on to a more complex 
>>> configuration.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 12 Jun 2004, at 04:18, Terry Simons wrote:
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
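The trace above shows the security-relevant pattern in this thread: the first AuthBy FILE (the authorization file) logs REJECT: Bad Password, the second AuthBy FILE is run anyway, and the Handler sends Access-Accept. Whatever the cause turns out to be, the group has failed open, because a rejection from the gating file did not decide the reply. The script below is an added example, not code from the thread or from Radiator: it models what AuthByPolicy ContinueWhileAccept should produce for the two posted users files, then scans a trace for Access-Requests whose reply contradicts the AuthBy results logged for them. Assumptions are marked in the comments: the ContinueWhileAccept and AcceptIfMissing semantics are my reading of the option names and the manual, the trace excerpt is constructed from the posted log with the archive's " at " munging restored to "@", and the users files are reduced to user-to-password maps.

```python
"""Model the posted AuthBy GROUP and check a Radiator trace for
Access-Requests that were accepted after an AuthBy returned REJECT."""
import re
from typing import Callable, Dict, List

# Constructed excerpt of the trace in the post (only the lines a checker needs).
SAMPLE_TRACE = """\
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 55718 ....
Code:       Access-Request
Identifier: 212
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for bob0@authorization.utah.edu
Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 55718 ....
Code:       Access-Accept
Identifier: 212
"""

# The two users files from the post, reduced to user -> User-Password check item.
USERS_AUTHORIZATION = {"bob0@authorization.utah.edu": "invalid!"}
USERS_AUTHENTICATION = {"bob0@authorization.utah.edu": "thebuilder"}

RESULT_RE = re.compile(r"Radius::Auth\w+ (ACCEPT|REJECT|IGNORE|CHALLENGE)\b")
CODE_RE = re.compile(r"^Code:\s+(\S+)")
ID_RE = re.compile(r"^Identifier:\s+(\d+)")
EXPECTED_REPLY = {"ACCEPT": "Access-Accept", "REJECT": "Access-Reject",
                  "CHALLENGE": "Access-Challenge"}


def continue_while_accept(authbys: List[Callable[[], str]]) -> str:
    """Model of AuthByPolicy ContinueWhileAccept (assumption: run each AuthBy
    in turn, stop at the first non-ACCEPT and return it).  An empty group
    fails closed; that default is mine, not documented."""
    result = "REJECT"
    for authby in authbys:
        result = authby()
        if result != "ACCEPT":
            break
    return result


def authby_file(users: Dict[str, str], username: str, password: str,
                accept_if_missing: bool = False) -> Callable[[], str]:
    """Model of one AuthBy FILE (assumption: a missing user is REJECT unless
    AcceptIfMissing is set; a present user with a wrong password is REJECT
    either way)."""
    def run() -> str:
        if username not in users:
            return "ACCEPT" if accept_if_missing else "REJECT"
        return "ACCEPT" if users[username] == password else "REJECT"
    return run


def expected_group_result(username: str, password: str) -> str:
    """What the posted Handler should return for one Access-Request."""
    return continue_while_accept([
        authby_file(USERS_AUTHORIZATION, username, password, accept_if_missing=True),
        authby_file(USERS_AUTHENTICATION, username, password),
    ])


def parse_exchanges(trace: str) -> List[dict]:
    """Pair each received packet with the AuthBy results logged for it and
    with the reply that was sent."""
    exchanges, cur, phase = [], None, None
    for line in trace.splitlines():
        if line.startswith("*** Received from"):
            cur = {"id": None, "request": None, "results": [], "reply": None}
            phase = "request"
        elif line.startswith("*** Sending to"):
            phase = "reply"
        elif cur is None:
            continue
        elif (m := CODE_RE.match(line)):
            if phase == "request":
                cur["request"] = m.group(1)
            else:
                cur["reply"] = m.group(1)
                exchanges.append(cur)
                cur = None
        elif (m := ID_RE.match(line)) and phase == "request":
            cur["id"] = int(m.group(1))
        elif (m := RESULT_RE.search(line)) and phase == "request":
            cur["results"].append(m.group(1))
    return exchanges


def find_fail_open(trace: str) -> List[tuple]:
    """Access-Requests whose reply contradicts ContinueWhileAccept applied to
    the AuthBy results actually logged for them."""
    findings = []
    for ex in parse_exchanges(trace):
        if ex["request"] != "Access-Request":
            continue
        modelled = continue_while_accept([lambda r=r: r for r in ex["results"]])
        expected = EXPECTED_REPLY.get(modelled)
        if expected is not None and ex["reply"] != expected:
            findings.append((ex["id"], ex["results"], ex["reply"], expected))
    return findings


if __name__ == "__main__":
    print("modelled:", expected_group_result("bob0@authorization.utah.edu", "thebuilder"))
    for ident, results, sent, expected in find_fail_open(SAMPLE_TRACE):
        print(f"id {ident}: AuthBy results {results}, sent {sent}, expected {expected}")
```

For the posted test (bob0 present in both files, password "thebuilder") the model returns REJECT, since the authorization file holds "invalid!" for that user and AcceptIfMissing only applies to a user who is absent; the checker flags Identifier 212 because the server sent Access-Accept after logging that REJECT. Run it over a full trace 4 log rather than this excerpt; any finding means an AuthBy rejection did not gate the reply, which is worth treating as a misconfiguration until it is explained.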

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.