(RADIATOR) Password not being checked.

Mike McCauley mikem at open.com.au
Fri Feb 18 20:57:39 CST 2005


Hello Jason,

I think the problem is in your FilterAndAccounting AuthBy.
You have specified an AuthSelect query that gets a PASSWORD, IDLETIME, 
MAXLOGTIME, but you only have AuthColumnDef entries for fields 1 and 2 
(IDLETIME, MAXLOGTIME) not the password. Therefore there is no Password check 
item being set up.

You will need to add a line like:
	AuthColumnDef 0,Password,check

Cheers.


On Saturday 19 February 2005 10:43, Jason Haltom wrote:
> I am new to this product, and have been using it for less than a month
> now.
>
> When we were evaluating we had no problems, so we purchased a license
> and after installing the licensed version and running the latest patches
> (2005-2-17) we have problems with the password not being checked for one
> of our <AuthBy SQL> statements.  (more notes and details at the bottom
> of email.)
>
> Our current cfg file is:
> #------------------------------------------------------------------------------------------------
> # Radiator configuration file.
> # Produced by /radconfig.pl Wed Jan 26 14:31:13 2005
> #REMOTE_USER: , REMOTE_ADDR: 10.0.0.10
>
> DbDir .
> DictionaryFile %L/dictionary
> Foreground
> LogDir /Program Files/Radiator
> LogStdout
> RewriteUsername tr/[A-Z]/[a-z]/
> RewriteUsername s/\s+//g
> RewriteUsername s/idk-//
> RewriteUsername s/pop.net/kansasi.net/
> Trace 3
>
> <AuthBy SQL>
>   AccountingTable ACCOUNTING
>   AcctColumnDef USERNAME, User-Name
>   AcctColumnDef TIME_STAMP Timestamp, timestamp
>   AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
>   AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time, integer
>   AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
>   AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
>   AcctColumnDef ACCTSESSIONID, Acct-Session-Id
>   AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time, integer
>   AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause
>   AcctColumnDef NASIDENTIFIER, NAS-IP-Address
>   AcctColumnDef NASPORT, NAS-Port, integer
>   AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
>   AcctColumnDef CONNECTINFO, Connect-Info
>   AcctColumnDef CALLERID, Calling-Station-Id
>   AcctColumnDef CALLEDID, Called-Station-Id
>   AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
>   DBAuth ideatek
>   DBSource dbi:mysql:radius
>   DBUsername root
>   FailureBackoffTime 30
>   Identifier accounting
>   Timeout 30
> </AuthBy>
>
> <AuthBy SQL>
>   AccountingTable ACCOUNTING
>   AcctColumnDef USERNAME, User-Name
>   AcctColumnDef TIME_STAMP Timestamp, timestamp
>   AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
>   AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time, integer
>   AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
>   AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
>   AcctColumnDef ACCTSESSIONID, Acct-Session-Id
>   AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time, integer
>   AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause
>   AcctColumnDef NASIDENTIFIER, NAS-IP-Address
>   AcctColumnDef NASPORT, NAS-Port, integer
>   AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
>   AcctColumnDef CONNECTINFO, Connect-Info
>   AcctColumnDef CALLERID, Calling-Station-Id
>   AcctColumnDef CALLEDID, Called-Station-Id
>   AuthSelect select PASSWORD, IDLETIME, MAXLOGTIME from SUBSCRIBERS where USERNAME='%n'
>   AuthColumnDef 1, Idle-Timeout, reply
>   AuthColumnDef 2, Session-Timeout, reply
>   DBAuth ideatek
>   DBSource dbi:mysql:radius
>   DBUsername root
>   FailureBackoffTime 30
>   Identifier FilterAndAccounting
>   Timeout 30
> </AuthBy>
>
> <Client 10.0.0.6>
>   Description Portmaster
>   DupInterval 2
>   FramedGroupBaseAddress 10.0.0.100
>   NasType Portmaster3
>   Secret {removed}
> </Client>
>
> <Client 10.0.0.7>
>   Description Portmaster
>   DupInterval 2
>   FramedGroupBaseAddress 10.0.0.150
>   NasType Portmaster3
>   Secret {removed}
> </Client>
>
> <Realm ideateksystems.com>
>   AuthBy accounting
>   AuthByPolicy ContinueWhileIgnore
>   Description ideateksystems.com realm
>   FramedGroup 0
>   MaxSessions 5
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <Realm kansasi.net>
>   AuthBy FilterAndAccounting
>   AuthByPolicy ContinueWhileIgnore
>   Description kansasi.net realm
>   FramedGroup 0
>   MaxSessions 1
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <Realm burrtonks.net>
>   AccountingHandled
>   AuthBy FilterAndAccounting
>   AuthByPolicy ContinueWhileIgnore
>   Description burrtonks.net realm
>   FramedGroup 0
>   MaxSessions 1
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <Realm buhlerks.net>
>   AuthBy FilterAndAccounting
>   AuthByPolicy ContinueWhileIgnore
>   Description buhlerks.net realm
>   FramedGroup 0
>   MaxSessions 1
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <Realm havenks.net>
>   AuthBy FilterAndAccounting
>   AuthByPolicy ContinueWhileIgnore
>   Description havenks.net realm
>   FramedGroup 0
>   MaxSessions 1
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <Realm hesstonks.net>
>   AuthBy FilterAndAccounting
>   AuthByPolicy ContinueWhileIgnore
>   Description hesstonks.net realm
>   FramedGroup 0
>   MaxSessions 1
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <Realm inmanks.net>
>   AuthBy FilterAndAccounting
>   AuthByPolicy ContinueWhileIgnore
>   Description inmanks.net realm
>   FramedGroup 0
>   MaxSessions 1
>   RejectHasReason
>   SessionDatabase sessionDB
> </Realm>
>
> <SessionDatabase SQL>
>   AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, CONNECTINFO, CALLERID, CALLEDID) values ('%u', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}', '%{Connect-Info}', '%{Calling-Station-Id}', '%{Called-Station-Id}')
>   ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
>   CountNasSessionsQuery select ACCTSESSIONID from RADONLINE where NASIDENTIFIER='%N'
>   CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='%u'
>   DBAuth ideatek
>   DBSource dbi:mysql:radius
>   DBUsername root
>   DeleteQuery delete from RADONLINE where NASIDENTIFIER='%N' and NASPORT=0%{NAS-Port}
>   Description The session Database
>   FailureBackoffTime 30
>   Identifier sessionDB
>   Timeout 30
> </SessionDatabase>
> #======================================================================
>
> Anyone who is processed by the “AuthBy FilterAndAccounting” section is
> able to login regardless of the password they use.  If someone is
> processed by the “AuthBy accounting” section their password is checked
> and everything works as it should.  The “AuthBy accounting” section is
> only used for our own employees where we do not need to limit them on
> anything.  Where  “AuthBy FilterAndAccounting” is used by our customers
> and we need to limit them on some stuff.
>
> I set the logging to debug level and nothing of use was shown there, it
> appeared as if everything was ok.  I am thinking this has to do with the
> patch.
> If anyone can help me out on this it would be great.
>
> Thanks,
> Jason

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
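
Added example, not part of the original message and not Radiator code: a small Python check that scans a configuration for `<AuthBy SQL>` clauses that define `AuthColumnDef` entries but map no column to a password check item, which is the condition diagnosed in this thread. The function name, the sample text and the set of password attribute names are assumptions made for the illustration.

```python
import re

# Constructed sample, modelled on the two AuthBy SQL clauses quoted in this thread.
SAMPLE_CFG = """\
<AuthBy SQL>
  AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
  Identifier accounting
</AuthBy>
<AuthBy SQL>
  AuthSelect select PASSWORD, IDLETIME, MAXLOGTIME from SUBSCRIBERS where USERNAME='%n'
  AuthColumnDef 1, Idle-Timeout, reply
  AuthColumnDef 2, Session-Timeout, reply
  Identifier FilterAndAccounting
</AuthBy>
"""

# Assumption: check items with these names are what cause a password comparison.
PASSWORD_ITEMS = {"password", "encrypted-password"}

def find_unchecked_authby(cfg_text, password_items=PASSWORD_ITEMS):
    """Return the Identifier of each <AuthBy SQL> clause that has AuthColumnDef
    entries but none of the form <column>,<password item>,check."""
    flagged = []
    for m in re.finditer(r"<AuthBy\s+SQL>(.*?)</AuthBy>", cfg_text, re.S | re.I):
        ident, coldefs = "(no Identifier)", []
        for line in m.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            keyword, value = (line.split(None, 1) + [""])[:2]
            if keyword == "Identifier":
                ident = value.strip()
            elif keyword == "AuthColumnDef":
                # Format used in this thread: column,attribute,type
                parts = [p.strip().lower() for p in value.split(",")]
                if len(parts) >= 3:
                    coldefs.append((parts[1], parts[2]))
        # A clause with no AuthColumnDef at all is skipped: in this thread the
        # "accounting" clause has none and its password is checked.
        if not coldefs:
            continue
        if not any(a in password_items and t == "check" for a, t in coldefs):
            flagged.append(ident)
    return flagged

if __name__ == "__main__":
    print(find_unchecked_authby(SAMPLE_CFG))
```

Run against the sample, only the `FilterAndAccounting` clause is reported; adding `AuthColumnDef 0,Password,check` to it clears the finding.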
