(RADIATOR) Password not being checked.
Mike McCauley
mikem at open.com.au
Fri Feb 18 20:57:39 CST 2005
Hello Jason,
I think the problem is in your FilterAndAccounting AuthBy.
You have specified an AuthSelect query that gets a PASSWORD, IDLETIME,
MAXLOGTIME, but you only have AuthColumnDef entries for fields 1 and 2
(IDLETIME, MAXLOGTIME) not the password. Therefore there is no Password check
item being set up.
You will need to add a line like:
AuthColumnDef 0,Password,check
Cheers.
On Saturday 19 February 2005 10:43, Jason Haltom wrote:
> I am new to this product, and have been using it for less than a month
> now.
>
> When we were evaluating we had no problems, so we purchased a license
> and after installing the licensed version and running the latest patches
> (2005-2-17) we have problems with the password not being checked for one
> of our <AuthBy SQL> statements. (more notes and details at the bottom
> of email.)
>
> Our current cfg file is:
> #------------------------------------------------------------------------------------------------
> # Radiator configuration file.
> # Produced by /radconfig.pl Wed Jan 26 14:31:13 2005
> #REMOTE_USER: , REMOTE_ADDR: 10.0.0.10
>
> DbDir .
> DictionaryFile %L/dictionary
> Foreground
> LogDir /Program Files/Radiator
> LogStdout
> RewriteUsername tr/[A-Z]/[a-z]/
> RewriteUsername s/\s+//g
> RewriteUsername s/idk-//
> RewriteUsername s/pop.net/kansasi.net/
> Trace 3
>
> <AuthBy SQL>
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME, User-Name
> AcctColumnDef TIME_STAMP Timestamp, timestamp
> AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time, integer
> AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
> AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
> AcctColumnDef ACCTSESSIONID, Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time, integer
> AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER, NAS-IP-Address
> AcctColumnDef NASPORT, NAS-Port, integer
> AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
> AcctColumnDef CONNECTINFO, Connect-Info
> AcctColumnDef CALLERID, Calling-Station-Id
> AcctColumnDef CALLEDID, Called-Station-Id
> AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
> DBAuth ideatek
> DBSource dbi:mysql:radius
> DBUsername root
> FailureBackoffTime 30
> Identifier accounting
> Timeout 30
> </AuthBy>
>
> <AuthBy SQL>
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME, User-Name
> AcctColumnDef TIME_STAMP Timestamp, timestamp
> AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time, integer
> AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
> AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
> AcctColumnDef ACCTSESSIONID, Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time, integer
> AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER, NAS-IP-Address
> AcctColumnDef NASPORT, NAS-Port, integer
> AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
> AcctColumnDef CONNECTINFO, Connect-Info
> AcctColumnDef CALLERID, Calling-Station-Id
> AcctColumnDef CALLEDID, Called-Station-Id
> AuthSelect select PASSWORD, IDLETIME, MAXLOGTIME from SUBSCRIBERS where USERNAME='%n'
> AuthColumnDef 1, Idle-Timeout, reply
> AuthColumnDef 2, Session-Timeout, reply
> DBAuth ideatek
> DBSource dbi:mysql:radius
> DBUsername root
> FailureBackoffTime 30
> Identifier FilterAndAccounting
> Timeout 30
> </AuthBy>
>
> <Client 10.0.0.6>
> Description Portmaster
> DupInterval 2
> FramedGroupBaseAddress 10.0.0.100
> NasType Portmaster3
> Secret {removed}
> </Client>
>
> <Client 10.0.0.7>
> Description Portmaster
> DupInterval 2
> FramedGroupBaseAddress 10.0.0.150
> NasType Portmaster3
> Secret {removed}
> </Client>
>
> <Realm ideateksystems.com>
> AuthBy accounting
> AuthByPolicy ContinueWhileIgnore
> Description ideateksystems.com realm
> FramedGroup 0
> MaxSessions 5
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <Realm kansasi.net>
> AuthBy FilterAndAccounting
> AuthByPolicy ContinueWhileIgnore
> Description kansasi.net realm
> FramedGroup 0
> MaxSessions 1
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <Realm burrtonks.net>
> AccountingHandled
> AuthBy FilterAndAccounting
> AuthByPolicy ContinueWhileIgnore
> Description burrtonks.net realm
> FramedGroup 0
> MaxSessions 1
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <Realm buhlerks.net>
> AuthBy FilterAndAccounting
> AuthByPolicy ContinueWhileIgnore
> Description buhlerks.net realm
> FramedGroup 0
> MaxSessions 1
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <Realm havenks.net>
> AuthBy FilterAndAccounting
> AuthByPolicy ContinueWhileIgnore
> Description havenks.net realm
> FramedGroup 0
> MaxSessions 1
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <Realm hesstonks.net>
> AuthBy FilterAndAccounting
> AuthByPolicy ContinueWhileIgnore
> Description hesstonks.net realm
> FramedGroup 0
> MaxSessions 1
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <Realm inmanks.net>
> AuthBy FilterAndAccounting
> AuthByPolicy ContinueWhileIgnore
> Description inmanks.net realm
> FramedGroup 0
> MaxSessions 1
> RejectHasReason
> SessionDatabase sessionDB
> </Realm>
>
> <SessionDatabase SQL>
> AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CONNECTINFO, CALLERID, CALLEDID) values ('%u', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}', '%{Connect-Info}', '%{Calling-Station-Id}', '%{Called-Station-Id}')
> ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
> CountNasSessionsQuery select ACCTSESSIONID from RADONLINE where NASIDENTIFIER='%N'
> CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='%u'
> DBAuth ideatek
> DBSource dbi:mysql:radius
> DBUsername root
> DeleteQuery delete from RADONLINE where NASIDENTIFIER='%N' and NASPORT=0%{NAS-Port}
> Description The session Database
> FailureBackoffTime 30
> Identifier sessionDB
> Timeout 30
> </SessionDatabase>
> #======================================================================
>
> Anyone who is processed by the “AuthBy FilterAndAccounting” section is
> able to login regardless of the password they use. If someone is
> processed by the “AuthBy accounting” section their password is checked
> and everything works as it should. The “AuthBy accounting” section is
> only used for our own employees where we do not need to limit them on
> anything. Where “AuthBy FilterAndAccounting” is used by our customers
> and we need to limit them on some stuff.
>
> I set the logging to debug level and nothing of use was shown there, it
> appeared as if everything was ok. I am thinking this has to do with the
> patch.
> If anyone can help me out on this it would be great.
>
> Thanks,
> Jason
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
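
Added example (not part of the original message and not Radiator's own code): a small Python audit that scans a Radiator configuration for <AuthBy SQL> clauses that define AuthColumnDef entries but map no column to a password check item, which is the condition diagnosed in this thread. The sample configuration is constructed from the clauses quoted above, and the set of attribute names treated as password check items is an assumption of this example.

```python
import re

# Constructed sample: the two <AuthBy SQL> clauses from this thread, trimmed to the relevant lines.
SAMPLE_CFG = """\
<AuthBy SQL>
    AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
    Identifier accounting
</AuthBy>
<AuthBy SQL>
    AuthSelect select PASSWORD, IDLETIME, MAXLOGTIME from SUBSCRIBERS where USERNAME='%n'
    AuthColumnDef 1, Idle-Timeout, reply
    AuthColumnDef 2, Session-Timeout, reply
    Identifier FilterAndAccounting
</AuthBy>
"""

# Assumption of this example: attribute names that count as a password check item.
PASSWORD_ATTRS = {"password", "user-password", "encrypted-password"}

BLOCK_RE = re.compile(r"<AuthBy\s+SQL>(.*?)</AuthBy>", re.S | re.I)
COLDEF_RE = re.compile(r"^\s*AuthColumnDef\s+(\d+)\s*,\s*([^,\s]+)\s*,\s*(\w+)", re.M | re.I)
IDENT_RE = re.compile(r"^\s*Identifier\s+(\S+)", re.M | re.I)

def audit_authby_sql(cfg_text):
    """Return [(identifier, password_checked, reason)] for every <AuthBy SQL> clause."""
    results = []
    for n, block in enumerate(BLOCK_RE.findall(cfg_text)):
        m = IDENT_RE.search(block)
        ident = m.group(1) if m else f"<unnamed #{n}>"
        coldefs = COLDEF_RE.findall(block)  # commented-out lines do not match
        checks = [int(c) for c, a, k in coldefs if a.lower() in PASSWORD_ATTRS and k.lower() == "check"]
        if not coldefs:
            # As with the working 'accounting' clause: no AuthColumnDef, column 0 is the password.
            verdict = (ident, True, "no AuthColumnDef, default password column applies")
        elif checks:
            verdict = (ident, True, f"password check mapped from column {checks[0]}")
        else:
            verdict = (ident, False, "AuthColumnDef present but no password check item")
        results.append(verdict)
    return results

def unchecked_clauses(cfg_text):
    """Identifiers of clauses that would accept any password."""
    return [ident for ident, ok, _ in audit_authby_sql(cfg_text) if not ok]

if __name__ == "__main__":
    for ident, ok, reason in audit_authby_sql(SAMPLE_CFG):
        print(f"{'OK  ' if ok else 'FAIL'} {ident}: {reason}")
```

Run against the live configuration file before deployment; any FAIL line names a clause whose realms authenticate users without comparing the password.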