(RADIATOR) Re: (Radiator)User can login successfully even with wrong password
ScottXiao
scottxiao at antlabs.com
Fri Oct 29 20:55:56 CDT 2004
Hello Mike McCauley,
Thanks! Sorry that I might have sent the wrong part of the config file. Here is the complete config file, please advise what could be my wrong configuration, thanks!!
Rgds
Scott
#Foreground
LogStdout
LogDir /var/log/radius
#DbDir /etc/radiator
DbDir /usr/src/802/radiator/Radiator-3.9
AuthPort 1812
AcctPort 1813
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret pass
DupInterval 0
</Client>
<Client 192.168.1.1>
Secret xxxxx
DupInterval 0
</Client>
# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
# Windows XP when configured for a workgroup might send tunnelled user names
# in the format COMPUTERNAME\username (eg BAKER\mikem). This
# will strip the computer name leaving just the user name
RewriteUsername s/(.*)\\(.*)/$2/
# <AuthBy FILE>
# Filename %D/users
#
# # This tells the PEAP client what types of inner EAP requests
# # we will honour
# EAPType MSCHAP-V2
# </AuthBy>
# This hook fixes the problem with some implementations of PEAP, where the
# accounting requests have the User-Name of anonymous, instead of the real
# user's name. After authenticating the inner TTLS request, the
# PostAuthHook caches the _real_ user name in an SQL table,
# The PreProcessingHook replaces the 'anonymous' user name in
#<Realm DEFAULT>
AuthByPolicy ContinueWhileAccept
<AuthBy SQL>
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource aa:bb:cc
DBUsername usern
DBAuth password
AcctColumnDef USERNAME,User-Name
AcctColumnDef PASSWORD,User-Password
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
# EAPType MSCHAP-V2
# EAPType PEAP,MSCHAP-V2
EAPType MSCHAP-V2
# Only one session per user at a time
DefaultSimultaneousUse 1
# Let the user in if they have any time left, set
# the Session-timeout to the time left
AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
AuthColumnDef 0,User-Password,check
AuthColumnDef 1,Session-Timeout,reply
# Adjust the time left when they log out
AccountingStopsOnly
AcctSQLStatement update SUBSCRIBERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time} where USERNAME='%n'
</AuthBy>
#<AuthBy FILE>
# Filename defuser
# </AuthBy>
#</Realm>
</Handler>
<Handler>
# <AuthBy FILE>
# <AuthBy SQL>
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
#EAPType PEAP
<AuthBy SQL>
DBSource a:b:c
DBUsername ddd
DBAuth eeeee
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
# EAPType PEAP
# EAPType MSCHAP-V2,PEAP
EAPType PEAP,MSCHAP-V2
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
# #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAFile %D/certificates/UTN.pem
# EAPTLS_CAFile %D/certificates/VerisignRootCA.pem
EAPTLS_CAFile %D/certificates/verisignca.pem
# EAPTLS_CAFile %D/certificates/ezxcess.antlabs.com.pem
#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAFile %D/certificates/demoCA/cacert-thawte.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the server's certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
#EAPTLS_CertificateFile %D/certificates/ezxcess.antlabs.com.pem
EAPTLS_CertificateFile %D/certificates/radius.antlabs.com.pem
#EAPTLS_CertificateFile /etc/radiator/certificates/ezxcess.antlabs.com.pem
EAPTLS_CertificateType PEM
#EAPTLS_CertificateType CRT
# EAPTLS_PrivateKeyFile is the name of the file containing
# the server's private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#EAPTLS_PrivateKeyFile %D/certificates/1.key
EAPTLS_PrivateKeyFile %D/certificates/2.pem
# EAPTLS_PrivateKeyFile %D/certificates/3.pem
#EAPTLS_PrivateKeyPassword whatever
EAPTLS_PrivateKeyPassword passsss
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
EAPTLS_PEAPVersion 1
AuthSelect select TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
AuthColumnDef 0,Session-Timeout,reply
# Adjust the time left to "0" when they log out, in order to force the user to register again on USR terminal
# AuthSelect update SUBSCRIBERS set TIMELEFT='0' USERNAME='%n'
AccountingStopsOnly
AcctSQLStatement update SUBSCRIBERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time} where USERNAME='%n'
# Only one session per user at a time
DefaultSimultaneousUse 1
</AuthBy>
# This hook fixes the problem with some implementations of PEAP, where the
# accounting requests have the User-Name of anonymous, instead of the real
# user's name. After authenticating the inner TTLS request, the
# PostAuthHook caches the _real_ user name in an SQL table,
# The PreProcessingHook replaces the 'anonymous' user name in
# accounting requests with the
# real user name that was previously cached for the NAS and NAS-Port.
# You can see the correct real User-Name logged in the AcctLogFileName
# Must be used in conjunction with PostAuthHook above
# PreProcessingHook file:"goodies/eap_anon_hook.pl"
</Handler>
Best regards,
======= At 2004-10-29, 13:21:53 you wrote: =======
>Hello Scott,
>
>I don't think you have sent the right part of the config file that corresponds
>to the log you sent:
>
>The config file you sent says:
>
>AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where USERNAME=%0 and
>TIMELEFT > 0
>
>but Radiator is executing:
>
>select TIMELEFT from SUBSCRIBERS where USERNAME='kt' and TIMELEFT > 0
>
>(ie no PASSWORD is being fetched)
>
>so it must be that Radiator is using a different config file, or a different
>part of the config file.
>
>Anyway, the reason why your password is not being checked is that your config
>is not fetching a password from the SUBSCRIBERS table.
>
>Cheers.
>
>
>On Friday 29 October 2004 15:09, ScottXiao wrote:
>> Hello Mike,
>> As you mentioned, here is the debug file and configuration of the
>> authentication part. It seems it only checks if the user name exists and
>> timeleft > 0 and then lets the user get in, even if the password is wrong. What do I
>> need to modify to resolve this problem? Thanks!! Scott
>>
>>
>>
>> Fri Oct 29 12:48:48 2004: DEBUG: Packet dump:
>> *** Received from 219.238.x.y port 27163 ....
>> Code: Access-Request
>> Identifier: 118
>> Authentic: <201>42)3<134>0N;CW<9>}<196><237>w
>> Attributes:
>> User-Name = "kt"
>> User-Password = "|r{<148><145><8><142>"#G<223><174>|&<244><220>"
>> NAS-IP-Address = 219.238.255.85
>> NAS-Port = 0
>> Service-Type = Authenticate-Only
>> Framed-IP-Address = 192.168.123.7
>> Calling-Station-Id = "00:0C:F1:07:27:DD"
>> NAS-Identifier = "Ezxcess108"
>> NAS-Port-Type = Virtual
>>
>> Fri Oct 29 12:48:48 2004: DEBUG: Handling request with Handler ''
>> Fri Oct 29 12:48:48 2004: DEBUG: Deleting session for kt, 219.238.x.y, 0
>> Fri Oct 29 12:48:48 2004: DEBUG: Handling with Radius::AuthSQL
>> Fri Oct 29 12:48:48 2004: DEBUG: Handling with Radius::AuthSQL:
>> Fri Oct 29 12:48:48 2004: DEBUG: Query is: 'select TIMELEFT from
>> SUBSCRIBERS where USERNAME='kt' and TIMELEFT > 0':
>>
>> Fri Oct 29 12:48:48 2004: DEBUG: Radius::AuthSQL looks for match with kt
>> Fri Oct 29 12:48:48 2004: DEBUG: Radius::AuthSQL ACCEPT:
>> Fri Oct 29 12:48:48 2004: DEBUG: Access accepted for kt
>> Fri Oct 29 12:48:48 2004: DEBUG: Packet dump:
>> *** Sending to 219.238.255.85 port 27163 ....
>> Code: Access-Accept
>> Identifier: 118
>> Authentic: <201>42)3<134>0N;CW<9>}<196><237>w
>> Attributes:
>> Session-Timeout = 124586
>>
>> Fri Oct 29 12:48:48 2004: DEBUG: Packet dump:
>>
>>
>>
>>
>> # Adjust DBSource, DBUsername, DBAuth to suit your DB
>> # DBSource dbi:mysql:radius
>> # DBUsername mikem
>> # DBAuth fred
>>
>> # Only one session per user at a time
>> DefaultSimultaneousUse 1
>> # Let the user in if they have any time left, set
>> # the Session-timeout to the time left
>> AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
>> AuthColumnDef 0,User-Password,check
>> AuthColumnDef 1,Session-Timeout,reply
>>
>> # Adjust the time left when they log out
>> AccountingStopsOnly
>> AcctSQLStatement update SUBSCRIBERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time} where USERNAME='%n'
>>
>>
>> </AuthBy>
>> #<AuthBy FILE>
>>
>>
>> Best regards,
>>
>> ScottXiao
>> scottxiao at antlabs.com
>> 2004-10-29
>
>--
>Mike McCauley mikem at open.com.au
>Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
>9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
>Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP etc on Unix, Windows, MacOS etc.
>.
= = = = = = = = = = = = = = = = = = = =
ScottXiao
scottxiao at antlabs.com
2004-10-30
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
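Mike's diagnosis above, that an AuthBy SQL clause whose AuthSelect fetches no password column accepts any password, can be checked mechanically before a config goes live. The Python below is an added example, not part of this thread or of Radiator itself: it walks the <Handler>/<AuthBy SQL> structure of a config and flags clauses whose AuthColumnDef entries contain no 'check' item, so the query result only feeds reply items. SAMPLE_CONFIG is a constructed excerpt modelled on the two clauses in Scott's config; clauses with no AuthColumnDef at all are left alone (assumption: Radiator's default column layout, password in the first column, then applies).

```python
import re
# Constructed excerpt modelled on the two AuthBy SQL clauses in Scott's config.
SAMPLE_CONFIG = """
<Handler TunnelledByPEAP=1>
    <AuthBy SQL>
        AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,Session-Timeout,reply
    </AuthBy>
</Handler>
<Handler>
    <AuthBy SQL>
        AuthSelect select TIMELEFT from SUBSCRIBERS where USERNAME=%0 and TIMELEFT > 0
        AuthColumnDef 0,Session-Timeout,reply
    </AuthBy>
</Handler>
"""

_TAG = re.compile(r"^<(/?)(\w+)\s*([^>]*)>$")   # <Handler x>, <AuthBy SQL>, </AuthBy>

def parse_authby_sql(text):
    """Per <AuthBy SQL>: enclosing Handler arg ('' = default handler), AuthSelect, column defs."""
    clauses, handler, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # skip blanks and comments
            continue
        m = _TAG.match(line)
        if m:
            closing, tag, arg = m.group(1) == "/", m.group(2), m.group(3).strip()
            if tag == "Handler":
                handler = None if closing else arg
            elif tag == "AuthBy":
                cur = None
                if not closing and arg.upper() == "SQL":
                    cur = {"handler": handler, "select": None, "columns": []}
                    clauses.append(cur)              # filled in as its lines are read
        elif cur is not None:
            key, _, value = line.partition(" ")
            if key == "AuthSelect":
                cur["select"] = value.strip()
            elif key == "AuthColumnDef":              # "n,Attribute,check|reply|request"
                col, attr, kind = ([p.strip() for p in value.split(",")] + [""] * 3)[:3]
                cur["columns"].append((col, attr, kind.lower()))
    return clauses

def fail_open_clauses(text):
    """Handlers whose AuthBy SQL defines columns but marks none of them as a check item."""
    return [c["handler"] for c in parse_authby_sql(text)
            if c["columns"] and not any(kind == "check" for _, _, kind in c["columns"])]
```

Run against the sample it reports only the default handler (logged as Handler '' in Scott's trace), which is exactly the clause that served the Access-Accept for user kt.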