(RADIATOR) radiator not padding out short password fields

Mike McCauley mikem at open.com.au
Wed Sep 1 05:33:32 CDT 2004


Hello Tariq,

Thanks for the sample packets and keys.

I have tested them against the latest Radiator 3.9 and also 3.5, and both 
versions work fine with these short passwords. I think you have to look 
elsewhere for the solution.

Cheers.

On Wednesday 01 September 2004 19:22, Tariq Rashid wrote:
> as requested... here are two exchanges ... the first one to a server which
> seems to work fine from the problem stinger, and the second to the live
> radius server which exhibits the problem:
>
> ps - the client password (shared secret) and the username login password
> (stored in ldap) is fine too as it works when the request is sent from the
> same stinger to other servers (eg test lab radius servers, same
> configuration) or to different code (eg freeradius, old livingston derived
> code).
>
> i can supply the secret keys and passwords to mike if required - but i know
> they are correct - and freeradius will output the decoded password in its
> logs - even with the suspected short password fields...
>
>
> this one works:....
>
> *** Received from 217.206.246.231 port 9123 ....
>
> Packet length = 74
> 01 9e 00 4a 1f b1 ef 71 3c 81 d3 9d 3d c7 14 76
> 74 ad c6 bc 01 1b 61 64 73 6c 32 34 40 6c 6c 75
> 2e 65 61 73 79 6e 65 74 2e 63 6f 2e 75 6b 00 02
> 09 31 1d e6 33 84 fc 24 04 06 d9 ce f6 e7 05 06
> 00 00 00 00 3d 06 00 00 00 05
> Code:       Access-Request
> Identifier: 158
> Authentic:  <31><177><239>q<<129><211><157>=<199><20>vt<173><198><188>
> Attributes:
>         User-Name = "adsl24 at llu.easynet.co.uk"
>         Password = "1<29><230>3<132><252>$"
>         NAS-Identifier = "217.206.246.231"
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>
> Tue Aug 31 10:53:21 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Tue Aug 31 10:53:21 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Tue Aug 31 10:53:21 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Tue Aug 31 10:53:21 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Tue Aug 31 10:53:21 2004: DEBUG: Handling request with Handler
> 'Realm=llu.easynet.co.uk'
> Tue Aug 31 10:53:21 2004: DEBUG: SDB1 Deleting session for
> adsl24 at llu.easynet.co.uk, 217.206.246.231, 0
> Tue Aug 31 10:53:21 2004: DEBUG: do query is: 'delete from RADONLINE where
> NASIDENTIFIER='217.206.246.231' and ACCTSESSIONID=''':
>
> Tue Aug 31 10:53:21 2004: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT,
> ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='ad
> sl24 at llu.easynet.co.uk'':
>
> Tue Aug 31 10:53:21 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap-dial
> Tue Aug 31 10:53:21 2004: INFO: Connecting to 127.0.0.1, port 389
> Tue Aug 31 10:53:21 2004: INFO: Attempting to bind to LDAP server
> 127.0.0.1:389)
> Tue Aug 31 10:53:21 2004: DEBUG: LDAP got result for
> uid=adsl24 at llu.easynet.co.uk,ou=users,domain=llu.easynet.co.uk,vip=easynet-
>u k,o=easyne
> t.net
> Tue Aug 31 10:53:21 2004: DEBUG: LDAP got ipAddr: 195.172.200.249
> Tue Aug 31 10:53:21 2004: DEBUG: LDAP got ipNetmask: 255.255.255.248
> Tue Aug 31 10:53:21 2004: DEBUG: LDAP got protocol: PPP
> Tue Aug 31 10:53:21 2004: DEBUG: LDAP got userPassword: adsl24
> Tue Aug 31 10:53:21 2004: DEBUG: LDAP got services: pstn isdn dial
> Tue Aug 31 10:53:21 2004: ERR: Bad attribute=value pair: pstn,isdn,dial
> Tue Aug 31 10:53:21 2004: DEBUG: POST Search Hook -- Start Processing
> Tue Aug 31 10:53:21 2004: DEBUG: Time of Day Restriction Check
> Tue Aug 31 10:53:21 2004: DEBUG: No time checking done or required
> Tue Aug 31 10:53:21 2004: ERR: ************ post search hook test
> ********** 1
> Tue Aug 31 10:53:21 2004: ERR: ************ post search hook test
> ********** 2
> Tue Aug 31 10:53:21 2004: ERR: ************ post search hook stringer ip in
> range - NOT found!  **********
> Tue Aug 31 10:53:21 2004: DEBUG: Timeout -1
> Tue Aug 31 10:53:21 2004: DEBUG: Radius::AuthLDAP2 looks for match with
> adsl24 at llu.easynet.co.uk
> Tue Aug 31 10:53:21 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Tue Aug 31 10:53:21 2004: DEBUG: Access accepted for
> adsl24 at llu.easynet.co.uk
> Tue Aug 31 10:53:21 2004: DEBUG: Packet dump:
> *** Sending to 217.206.246.231 port 9123 ....
>
> Packet length = 44
> 02 9e 00 2c 39 27 9a 75 5a 0d ee f6 d2 e3 1d d6
> 19 a8 ea be 08 06 c3 ac c8 f9 09 06 ff ff ff f8
> 07 06 00 00 00 01 06 06 00 00 00 02
> Code:       Access-Accept
> Identifier: 158
> Authentic:  <31><177><239>q<<129><211><157>=<199><20>vt<173><198><188>
> Attributes:
>         Framed-Address = 195.172.200.249
>         Framed-Netmask = 255.255.255.248
>         Framed-Protocol = PPP
>         User-Service = Framed-User
>
>
>
> and here is one that doesn't work....  same lucent stinger ... but the
> issue is on the live radius servers...
>
>
> *** Received from 217.206.246.231 port 9123 ....
>
> Packet length = 74
> 01 12 00 4a 7c 4a 29 74 d1 d9 66 7d ec 45 73 b3
> 19 a2 4d 68 01 1b 61 64 73 6c 32 34 40 6c 6c 75
> 2e 65 61 73 79 6e 65 74 2e 63 6f 2e 75 6b 00 02
> 09 d7 32 b7 00 de 85 2e 04 06 d9 ce f6 e7 05 06
> 00 00 00 00 3d 06 00 00 00 05
> Code:       Access-Request
> Identifier: 18
> Authentic:  |J)t<209><217>f}<236>Es<179><25><162>Mh
> Attributes:
>         User-Name = "adsl24 at llu.easynet.co.uk"
>         Password = "<215>2<183><0><222><133>."
>         NAS-Identifier = "217.206.246.231"
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>
> Wed Sep  1 10:15:36 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Wed Sep  1 10:15:36 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Wed Sep  1 10:15:36 2004: DEBUG: Rewrote user name to
> adsl24 at llu.easynet.co.uk
> Wed Sep  1 10:15:36 2004: DEBUG: Handling request with Handler
> 'Realm=llu.easynet.co.uk'
> Wed Sep  1 10:15:36 2004: DEBUG: SDB1 Deleting session for
> adsl24 at llu.easynet.co.uk, 217.206.246.231, 0
> Wed Sep  1 10:15:36 2004: DEBUG: do query is: delete from RADONLINE where
> NASIDENTIFIER='217.206.246.231' and ACCTSESSIONID=''
>
> Wed Sep  1 10:15:36 2004: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
> ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USE
> RNAME='adsl24 at llu.easynet.co.uk'
>
> Wed Sep  1 10:15:36 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap-dial
> Wed Sep  1 10:15:36 2004: INFO: Connecting to 212.135.1.207, port 389
> Wed Sep  1 10:15:36 2004: INFO: Attempting to bind with
> cn=radiusd,ou=accounts,company=EasynetUK,o=easynet.net, h3lld4p (server 2
> 12.135.1.207:389)
> Wed Sep  1 10:15:36 2004: DEBUG: LDAP got result for
> uid=adsl24 at llu.easynet.co.uk,ou=users,domain=llu.easynet.co.uk,vip=easynet-
>u k,o=easynet.net
> Wed Sep  1 10:15:36 2004: DEBUG: LDAP got ipAddr: 195.172.200.249
> Wed Sep  1 10:15:36 2004: DEBUG: LDAP got ipNetmask: 255.255.255.248
> Wed Sep  1 10:15:36 2004: DEBUG: LDAP got protocol: PPP
> Wed Sep  1 10:15:36 2004: DEBUG: LDAP got userPassword: adsl24
> Wed Sep  1 10:15:36 2004: DEBUG: LDAP got services: pstn isdn dial
> Wed Sep  1 10:15:36 2004: ERR: Bad attribute=value pair: pstn,isdn,dial
> Wed Sep  1 10:15:36 2004: DEBUG: POST Search Hook -- Start Processing
> Wed Sep  1 10:15:37 2004: DEBUG: Time of Day Restriction Check
> Wed Sep  1 10:15:37 2004: DEBUG: No time checking done or required
> Wed Sep  1 10:15:37 2004: DEBUG: Timeout -1
> Wed Sep  1 10:15:37 2004: DEBUG: Radius::AuthLDAP2 looks for match with
> adsl24 at llu.easynet.co.uk
> Wed Sep  1 10:15:37 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Wed Sep  1 10:15:37 2004: INFO: Connecting to 212.135.1.207, port 389
> Wed Sep  1 10:15:37 2004: INFO: Attempting to bind with
> cn=radiusd,ou=accounts,company=EasynetUK,o=easynet.net, h3lld4p (server 2
> 12.135.1.207:389)
> Wed Sep  1 10:15:37 2004: DEBUG: No entries for DEFAULT found in LDAP
> database
> Wed Sep  1 10:15:37 2004: INFO: Access rejected for
> adsl24 at llu.easynet.co.uk: Bad Password
> Wed Sep  1 10:15:37 2004: DEBUG: Packet dump:
> *** Sending to 217.206.246.231 port 9123 ....
>
> Packet length = 36
> 03 12 00 24 d3 1c f4 48 f2 bb 45 51 79 37 75 54
> 2f de 45 7f 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 18
> Authentic:  |J)t<209><217>f}<236>Es<179><25><162>Mh
> Attributes:
>         Reply-Message = "Request Denied"
>
>
>
> and if you know about lucent stingers... here is the debug output for that
> machine...
>
> EXTERNAL-AUTH written
> RADIF: _radiusReinit: reinitializing.
> RADIF:_radiusReinit: clearing extended retry counters
> RADIF: radiusServerReinit: reinitializing.
> RADIF: radius type Auth ID = 14
> RADIF 09:15:28> _radiusRequest: id 14, user name <20:route-Chertsey_STN-1>
> RADIF: _radiusReq: socket 14 len 76 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 14 <20:route-Chertsey_STN-1>, starting timer (50 sec)
> RADIF: radius type Auth ID = 15
> RADIF 09:15:28> _radiusRequest: id 15, user name <18:pools-Chertsey_STN>
> RADIF: _radiusReq: socket 14 len 74 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 15 <18:pools-Chertsey_STN>, starting timer (50 sec)
> RADIF: radius type Auth ID = 16
> RADIF 09:15:28> _radiusRequest: id 16, user name
> <23:permconn-Chertsey_STN-1>
> RADIF: _radiusReq: challenge len = <0>
> RADIF: _radiusReq: socket 14 len 81 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 16 <23:permconn-Chertsey_STN-1>, starting timer (50
> sec)
> RADIF: radius type Auth ID = 17
> RADIF 09:15:28> _radiusRequest: id 17, user name
> <22:frdlink-Chertsey_STN-1> RADIF: _radiusReq: challenge len = <0>
> RADIF: _radiusReq: socket 14 len 80 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 17 <22:frdlink-Chertsey_STN-1>, starting timer (50
> sec) <cs0.lscher>_receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=81920330 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 81920330
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833b30f0 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833b30f0
> RADIF: _radiusAcctReinit: reinitializing.
> _radiusAcctReinit: profile index = 0 timeractive = 0, host-1 0
> RADIF: _radiusAcctReinit: reinitializing.
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833ac600 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833ac600
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833a9cc0 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833a9cc0
>
> <cs0.lscher>radauth adsl24 at llu.easynet.co.uk adsl24
> RADIF: radius type Auth ID = 18
> RADIF: authenticating <24:adsl24 at llu.easynet.co.uk> with PAP
> RADIF 09:15:36> _radiusRequest: id 18, user name
> <24:adsl24 at llu.easynet.co.uk>
> RADIF: _radiusReq: socket 14 len 74 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 18 <24:adsl24 at llu.easynet.co.uk>, starting timer (50
> sec)
> ...radauth request queued, awaiting response
> <cs0.lscher>_receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833a9660 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833a9660
>
>
> then....
>
>
> RADIF 09:16:17> Timeout: retry #1 of 3, id 15 <pools-Chertsey_STN>
> RADIF 09:16:17> _radiusRequest: id 15, user name <18:pools-Chertsey_STN>
> RADIF: _radiusReq: socket 14 len 74 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 15 <18:pools-Chertsey_STN>, starting timer (50 sec)
> RADIF 09:16:17> Timeout: retry #1 of 3, id 17 <frdlink-Chertsey_STN-1>
> RADIF 09:16:17> _radiusRequest: id 17, user name
> <22:frdlink-Chertsey_STN-1> RADIF: _radiusReq: challenge len = <0>
> RADIF: _radiusReq: socket 14 len 80 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 17 <22:frdlink-Chertsey_STN-1>, starting timer (50
> sec) RADIF 09:16:17> Timeout: retry #1 of 3, id 16
> <permconn-Chertsey_STN-1> RADIF 09:16:17> _radiusRequest: id 16, user name
> <23:permconn-Chertsey_STN-1>
> RADIF: _radiusReq: challenge len = <0>
> RADIF: _radiusReq: socket 14 len 81 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 16 <23:permconn-Chertsey_STN-1>, starting timer (50
> sec)
> RADIF 09:16:17> Timeout: retry #1 of 3, id 14 <route-Chertsey_STN-1>
> RADIF 09:16:17> _radiusRequest: id 14, user name <20:route-Chertsey_STN-1>
> RADIF: _radiusReq: socket 14 len 76 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 14 <20:route-Chertsey_STN-1>, starting timer (50 sec)
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833ad790 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833ad790
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833c1550 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833c1550
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833ac600 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833ac600
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=833b0e10 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 833b0e10
> RADIF 09:16:26> Timeout: retry #1 of 3, id 18 <adsl24 at llu.easynet.co.uk>
> RADIF 09:16:26> _radiusRequest: id 18, user name
> <24:adsl24 at llu.easynet.co.uk>
> RADIF: _radiusReq: socket 14 len 74 ipaddr 212.135.1.110 port 65534->1645
> RADIF:_radiusReq: id 18 <24:adsl24 at llu.easynet.co.uk>, starting timer (50
> sec)
> _receivedResponse :1, addrPoolAcked : 0
> RADIF: _radCallback: buf=83368950 from 212.135.1.110 1645
> RADIF: _radCallback, bad authenticator for buffer 83368950
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
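
For readers following the thread: in both quoted Access-Request dumps the User-Password attribute has length 9, so it carries 7 bytes of hidden password rather than the 16-byte multiple that RFC 2865 section 5.2 specifies. The sketch below is an added example, not Radiator's code and not code from either poster; it parses the first quoted packet, reports the short field, and shows an un-hiding routine that accepts a short final block. The function names are hypothetical, and the shared secret is not on the page, so `unhide_password` takes one from the caller.

```python
import hashlib

# Access-Request bytes copied from the "this one works" dump quoted above.
PACKET = bytes.fromhex("".join("""
01 9e 00 4a 1f b1 ef 71 3c 81 d3 9d 3d c7 14 76
74 ad c6 bc 01 1b 61 64 73 6c 32 34 40 6c 6c 75
2e 65 61 73 79 6e 65 74 2e 63 6f 2e 75 6b 00 02
09 31 1d e6 33 84 fc 24 04 06 d9 ce f6 e7 05 06
00 00 00 00 3d 06 00 00 00 05
""".split()))

USER_PASSWORD = 2  # attribute type from RFC 2865

def parse_packet(raw):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = int.from_bytes(raw[2:4], "big")
    if not 20 <= length <= len(raw):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return raw[0], raw[1], raw[4:20], attrs

def password_field_issue(value):
    """Return None for a 16..128 byte value in whole 16-byte blocks."""
    if 16 <= len(value) <= 128 and len(value) % 16 == 0:
        return None
    return "User-Password is %d bytes, not a multiple of 16" % len(value)

def unhide_password(value, secret, authenticator):
    """RFC 2865 section 5.2 un-hiding that tolerates a short last block."""
    plain, prev = b"", authenticator
    for i in range(0, len(value), 16):
        block = value[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ p for c, p in zip(block, pad))  # zip stops early
        prev = block
    return plain.rstrip(b"\x00")

if __name__ == "__main__":
    code, ident, auth, attrs = parse_packet(PACKET)
    for atype, value in attrs:
        if atype == USER_PASSWORD:
            print(ident, value.hex(), password_field_issue(value))
```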