(RADIATOR) Radiator doesn't reject on reject. ;-)

Hugh Irvine hugh at open.com.au
Wed Jun 16 06:55:35 CDT 2004


Hi Terry -

I'm going to be on a plane for the next 20 hours or so - if I don't get 
back to you on Friday please remind me about this.

regards

Hugh


On 15 Jun 2004, at 18:34, Terry Simons wrote:

> Hi Hugh,
>
> That fixed it for the flat file case, so it seems you may be correct 
> about AcceptIfMissing.
>
> Thanks!
>
> - Terry
>
> On Jun 15, 2004, at 9:36 AM, Hugh Irvine wrote:
>
>>
>> Hi Terry -
>>
>> I wonder if you could do something for me (I'm on the road at the 
>> moment).
>>
>> Try the same test without the "AcceptIfMissing" to see if that works 
>> correctly.
>>
>> If so, add a second user to your first users file like this:
>>
>> DEFAULT Auth-Type = Accept
>>
>> and also add "NoDefaultIfFound" to the AuthBy clause.
>>
>> At this stage I am guessing that there is something strange happening 
>> with AcceptIfMissing.
>>
>> thanks
>>
>> Hugh
>>
>>
>> On 15 Jun 2004, at 00:16, Terry Simons wrote:
>>
>>> Hi Hugh,
>>>
>>> I have tested this in a non-EAP environment to see if that was the 
>>> problem.
>>>
>>> Things are broken in the "simpler" case too.
>>>
>>> Here's the configuration for my simpler handler:
>>>
>>> # Test realm for authorization purposes.
>>> <Handler Realm=/authorization.utah.edu/>
>>>    <AuthBy GROUP>
>>>                 AuthByPolicy ContinueWhileAccept
>>>                 <AuthBy FILE>
>>>                         AcceptIfMissing
>>>                         Filename %D/users-authorization
>>>                 </AuthBy>
>>>
>>>                 <AuthBy FILE>
>>>                         Filename %D/users-authentication
>>>                 </AuthBy>
>>>     </AuthBy>
>>> </Handler>
>>>
>>> And here's the log file for the simpler case:
>>>
>>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 55718 ....
>>> Code:       Access-Request
>>> Identifier: 212
>>> Authentic:  1234567890123456
>>> Attributes:
>>>         User-Name = "bob0 at authorization.utah.edu"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 127.0.0.1
>>>         NAS-Port = 1234
>>>         Called-Station-Id = "123456789"
>>>         Calling-Station-Id = "987654321"
>>>         NAS-Port-Type = Async
>>>         User-Password = 
>>> ".<228>:z5<246><22><8><213><177><221>6<239><0><30>J"
>>>
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
>>> 'Realm=/authorization.utah.edu/'
>>> Mon Jun 14 16:16:02 2004: DEBUG:  Deleting session for 
>>> bob0 at authorization.utah.edu, 127.0.0.1, 1234
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with bob0 at authorization.utah.edu
>>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE REJECT: Bad 
>>> Password
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with bob0 at authorization.utah.edu
>>> Mon Jun 14 16:16:02 2004: DEBUG: Radius::AuthFILE ACCEPT:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Access accepted for 
>>> bob0 at authorization.utah.edu
>>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 55718 ....
>>> Code:       Access-Accept
>>> Identifier: 212
>>> Authentic:  1234567890123456
>>> Attributes:
>>>
>>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 55718 ....
>>> Code:       Accounting-Request
>>> Identifier: 213
>>> Authentic:  <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
>>> Attributes:
>>>         User-Name = "bob0 at authorization.utah.edu"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 127.0.0.1
>>>         NAS-Port = 1234
>>>         NAS-Port-Type = Async
>>>         Acct-Session-Id = "00001234"
>>>         Acct-Status-Type = Start
>>>         Called-Station-Id = "123456789"
>>>         Calling-Station-Id = "987654321"
>>>         Acct-Delay-Time = 0
>>>
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
>>> 'Realm=/authorization.utah.edu/'
>>> Mon Jun 14 16:16:02 2004: DEBUG:  Adding session for 
>>> bob0 at authorization.utah.edu, 127.0.0.1, 1234
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
>>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 55718 ....
>>> Code:       Accounting-Response
>>> Identifier: 213
>>> Authentic:  <135><10><225>&<189><16>@V<166><222><211>!D><13><213>
>>> Attributes:
>>>
>>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 55718 ....
>>> Code:       Accounting-Request
>>> Identifier: 214
>>> Authentic:  <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
>>> Attributes:
>>>         User-Name = "bob0 at authorization.utah.edu"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 127.0.0.1
>>>         NAS-Port = 1234
>>>         NAS-Port-Type = Async
>>>         Acct-Session-Id = "00001234"
>>>         Acct-Status-Type = Stop
>>>         Called-Station-Id = "123456789"
>>>         Calling-Station-Id = "987654321"
>>>         Acct-Delay-Time = 0
>>>         Acct-Session-Time = 1000
>>>         Acct-Input-Octets = 20000
>>>         Acct-Output-Octets = 30000
>>>
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling request with Handler 
>>> 'Realm=/authorization.utah.edu/'
>>> Mon Jun 14 16:16:02 2004: DEBUG:  Deleting session for 
>>> bob0 at authorization.utah.edu, 127.0.0.1, 1234
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthGROUP
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Jun 14 16:16:02 2004: DEBUG: Accounting accepted
>>> Mon Jun 14 16:16:02 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 55718 ....
>>> Code:       Accounting-Response
>>> Identifier: 214
>>> Authentic:  <152>6\<240>}<182><<1>%S<166><224>{<201><30>k
>>> Attributes:
>>>
>>>
>>> As you can see, although I get a reject on the first AuthBy, the 
>>> second AuthBy is also executed.  I think this at least rules out EAP 
>>> as the culprit.
>>>
>>> I don't know how to make this any simpler for the test I am trying 
>>> to perform... any suggestions?
>>>
>>> My %D/users-authorization:
>>>
>>> bob0 at authorization.utah.edu     User-Password = "invalid!"
>>>
>>>
>>> My %D/users-authentication:
>>>
>>> bob0 at authorization.utah.edu     User-Password = "thebuilder"
>>>
>>> My radpwtst line:
>>>
>>> /opt/uofu/perl-5.8.0/bin/perl ./radpwtst -user 
>>> bob0 at authorization.utah.edu -password thebuilder -nas_ip_address 
>>> 127.0.0.1 -s 127.0.0.1 -secret mysecret -auth_port 1812 -acct_port 
>>> 1813
>>>
>>>
>>> Is this enough information to categorize the behavior as a bug?
>>>
>>> Let me know if I can help further.
>>>
>>> - Terry
>>>
>>>
>>> On Jun 12, 2004, at 1:45 AM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hi Terry -
>>>>
>>>> This does look curious, however I would have thought the 
>>>> "AuthByPolicy ContinueWhileAccept" more appropriate in this case.
>>>>
>>>> I would be inclined to do a more simple test with a single Handler 
>>>> and just use radpwtst before moving on to a more complex 
>>>> configuration.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 12 Jun 2004, at 04:18, Terry Simons wrote:
>>>
>>>
>>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
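As an added example (not Radiator's own code), here is a small model of the AuthBy GROUP chain from Terry's configuration, assuming the documented meanings of ContinueWhileAccept (stop at the first result that is not Accept) and AcceptIfMissing (accept a user who is absent from that file); it produces the REJECT the thread expected for bob0, whereas the trace above shows the second AuthBy FILE still being consulted. User names use '@' where the list archive shows ' at '.

```python
# Added example, not Radiator code: a minimal model of an AuthBy GROUP
# running two AuthBy FILE clauses under AuthByPolicy ContinueWhileAccept.
ACCEPT, REJECT = "ACCEPT", "REJECT"

def parse_users_file(text):
    """Parse flat-file lines of the form  user    User-Password = "pw"."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(" ")
        attr, _, value = rest.strip().partition("=")
        if attr.strip() == "User-Password":
            users[user] = value.strip().strip('"')
    return users

def auth_file(users, user, password, accept_if_missing=False):
    """AuthBy FILE: an unknown user is rejected unless AcceptIfMissing is
    set; a known user must present exactly the stored password."""
    if user not in users:
        return ACCEPT if accept_if_missing else REJECT
    return ACCEPT if users[user] == password else REJECT

def auth_group_continue_while_accept(authbys, user, password):
    """ContinueWhileAccept: consult each AuthBy in order and stop at the
    first result that is not ACCEPT; that result is the group's verdict.
    An empty chain fails closed. Returns (verdict, [(name, result), ...])."""
    result, trail = REJECT, []
    for name, users, accept_if_missing in authbys:
        result = auth_file(users, user, password, accept_if_missing)
        trail.append((name, result))
        if result != ACCEPT:
            break
    return result, trail

# Constructed copies of the two users files quoted in the thread.
AUTHZ = parse_users_file('bob0@authorization.utah.edu     User-Password = "invalid!"')
AUTHN = parse_users_file('bob0@authorization.utah.edu     User-Password = "thebuilder"')
CHAIN = [("users-authorization", AUTHZ, True),   # AcceptIfMissing set
         ("users-authentication", AUTHN, False)]

if __name__ == "__main__":
    # bob0 is present in users-authorization with a different password, so the
    # first AuthBy rejects and the chain must stop there.
    print(auth_group_continue_while_accept(CHAIN, "bob0@authorization.utah.edu", "thebuilder"))
```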

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au