(RADIATOR) NULL passwords in Radmin
Mike McCauley
mikem at open.com.au
Fri Jun 17 08:19:58 CDT 2005
Hello Nacho,
AuthBy RADMIN and AuthBy SQL behave differently to each other.
With AuthBy RADMIN, a NULL password in the database will only match an empty
password string entered by the user.
With AuthBy SQL , a NULL password in the database will match any password
string entered by the user.
Cheers.
On Thursday 16 June 2005 17:49, Nacho Paredes wrote:
> Hi again,
>
> First of all, excuse my dumbness, but I'm not able to make it work. In
> desperation I've done the following:
>
> The config file:
> ==========================================================================
> <AuthBy RADMIN>
> Identifier RadminAuth
> # Change DBSource, DBUsername, DBAuth for your database
> # See the reference manual. You will also have to
> # change the one in <SessionDatabse SQL> below
> # so its the same
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxx
>
> # Never look up the DEFAULT user
> NoDefault
>
> AuthSelect select PASS_WORD from RADUSERS where USERNAME=%0
> UserAttrQuery
>
> # You can add to or change these if you want, but you
> # will probably want to change the database schema first
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef DNIS,Called-Station-Id
> # AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
>
> </AuthBy>
>
> <Handler>
> AuthBy RadminAuth
> </Handler>
> ===========================================================================
>= ===========
>
> The test (user TEST has a NULL password in the DB):
> radpwtst -s 127.0.0.1 -secret xxxx -noacct -user TEST -password asdf
> sending Access-Request...
> Rejected: Request Denied
>
> The log:
> ===========================================================================
>= ============
>
>
> Code: Access-Request
> Identifier: 32
> Authentic: 1234567890123456
> Attributes:
> User-Name = "TEST"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "|<242>t<178><140>tSDKKU<132><144><239><198>I"
>
> Thu Jun 16 09:57:47 2005: DEBUG: Handling request with Handler ''
> Thu Jun 16 09:57:47 2005: DEBUG: Deleting session for TEST, 203.63.154.1,
> 1234
> Thu Jun 16 09:57:47 2005: DEBUG: Handling with Radius::AuthRADMIN
> Thu Jun 16 09:57:47 2005: DEBUG: Handling with Radius::AuthRADMIN:
> RadminAuth
> Thu Jun 16 09:57:47 2005: DEBUG: Query is: 'select PASS_WORD from RADUSERS
> where USERNAME='TEST'':
> Thu Jun 16 09:57:47 2005: DEBUG: Radius::AuthRADMIN looks for match with
> TEST
> Thu Jun 16 09:57:47 2005: DEBUG: do query is: 'update RADUSERS set
> BADLOGINS=BADLOGINS+1 where USERNAME='TEST'':
> Thu Jun 16 09:57:47 2005: DEBUG: AuthBy RADMIN result: REJECT, Bad Password
> Thu Jun 16 09:57:47 2005: INFO: Access rejected for TEST: Bad Password
> Thu Jun 16 09:57:47 2005: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1025 ....
> Code: Access-Reject
> Identifier: 32
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
> ===========================================================================
>= ====
> Now the authselect query is doing the same as in <AuthBy SQL>, I've even
> taken out the UserAttrQuery, but still doesn't work.
>
> I really need this working, so any help will be appreciated.
>
> Thanks again.
>
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: domingo, 12 de junio de 2005 1:39
> > To: Nacho Paredes
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) NULL passwords in Radmin
> >
> >
> > Hello Nacho -
> >
> > As you can see in the debug the default AuthSelect for Radmin
> > does much more than just check the password.
> >
> > Hence when you define the query in an AuthBy SQL it works correctly.
> >
> > regards
> >
> > Hugh
> >
> > On 12 Jun 2005, at 01:04, Nacho Paredes wrote:
> > > Hi Hugh,
> > >
> > > That's what I thought, but...
> > >
> > > I've defined an user TEST with no password nor check or reply items
> > > through Radmin.
> > >
> > > And with this config:
> > > ================================================================
> > > <AuthBy RADMIN>
> > > Identifier RadminAuth
> > > DBSource dbi:mysql:radmin:localhost
> > > DBUsername radmin
> > > DBAuth xxxxx
> > > </AuthBy>
> > >
> > > <Handler>
> > > AuthBy RadminAuth
> > > </Handler
> >
> > ======================================================================
> >
> > > ====
> > > And for this test, since the user has a NULL password, should be
> > > accepted:
> > > $ radpwtst -s 127.0.0.1 -secret xxxxx -noacct -user TEST -password
> > > asdf
> > >
> > > I got this log:
> >
> > ======================================================================
> >
> > > ====
> > > *** Received from 127.0.0.1 port 1094 ....
> > > Code: Access-Request
> > > Identifier: 251
> > > Authentic: 1234567890123456
> > > Attributes:
> > > User-Name = "test"
> > > Service-Type = Framed-User
> > > NAS-IP-Address = 203.63.154.1
> > > NAS-Identifier = "203.63.154.1"
> > > NAS-Port = 1234
> > > Called-Station-Id = "123456789"
> > > Calling-Station-Id = "987654321"
> > > NAS-Port-Type = Async
> > > User-Password =
> >
> > "|<242>t<178><140>tSDKKU<132><144><239><198>I"
> >
> > > Sat Jun 11 16:58:26 2005: DEBUG: Handling request with Handler ''
> > > Sat Jun 11 16:58:26 2005: DEBUG: Deleting session for test,
> > > 203.63.154.1,
> > > 1234
> > > Sat Jun 11 16:58:26 2005: DEBUG: Handling with
> >
> > Radius::AuthRADMIN Sat
> >
> > > Jun 11 16:58:26 2005: DEBUG: Handling with Radius::AuthRADMIN:
> > > RadminAuth
> > > Sat Jun 11 16:58:26 2005: DEBUG: Query is: 'select PASS_WORD,
> > > STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
> >
> > VALIDFROM,
> >
> > > VALIDTO from RADUSERS where USERNAME='test'':
> > > Sat Jun 11 16:58:26 2005: DEBUG: Query is: 'select ATTR_ID,
> >
> > VENDOR_ID,
> >
> > > IVALUE, SVALUE, ITEM_TYPE from RADCONFIG where NAME='test' order by
> > > ITEM_TYPE':
> > > Sat Jun 11 16:58:26 2005: DEBUG: Radius::AuthRADMIN looks for match
> > > with test Sat Jun 11 16:58:26 2005: DEBUG: do query is: 'update
> > > RADUSERS set
> > > BADLOGINS=BADLOGINS+1 where USERNAME='test'':
> > > Sat Jun 11 16:58:26 2005: DEBUG: AuthBy RADMIN result: REJECT, Bad
> > > Password Sat Jun 11 16:58:26 2005: INFO: Access rejected
> >
> > for test: Bad
> >
> > > Password Sat Jun 11 16:58:26 2005: DEBUG: Packet dump:
> > > *** Sending to 127.0.0.1 port 1094 ....
> > > Code: Access-Reject
> > > Identifier: 251
> > > Authentic: 1234567890123456
> > > Attributes:
> > > Reply-Message = "Request Denied"
> >
> > ======================================================================
> >
> > > ======
> > > ========
> > > Now, I've changed the config to:
> > > =========================================================
> > > <AuthBy SQL>
> > > Identifier AuthSQL
> > > DBSource dbi:mysql:radmin:localhost
> > > DBUsername radmin
> > > DBAuth xxxxx
> > > AuthSelect select PASS_WORD from RADUSERS where
> > > USERNAME=%0
> > > </AuthBy>
> > >
> > > <Handler>
> > > # AuthBy RadminAuth
> > > AuthBy AuthSQL
> > > </Handler>
> >
> > ======================================================================
> >
> > > And for the same test:
> > > $ radpwtst -s 127.0.0.1 -secret xxxxx -noacct -user TEST -password
> > > asdf
> > >
> > > I got:
> >
> > ======================================================================
> >
> > > Code: Access-Request
> > > Identifier: 27
> > > Authentic: 1234567890123456
> > > Attributes:
> > > User-Name = "TEST"
> > > Service-Type = Framed-User
> > > NAS-IP-Address = 203.63.154.1
> > > NAS-Identifier = "203.63.154.1"
> > > NAS-Port = 1234
> > > Called-Station-Id = "123456789"
> > > Calling-Station-Id = "987654321"
> > > NAS-Port-Type = Async
> > > User-Password =
> >
> > "|<242>t<178><140>tSDKKU<132><144><239><198>I"
> >
> > > Sat Jun 11 17:15:57 2005: DEBUG: Handling request with Handler ''
> > > Sat Jun 11 17:15:57 2005: DEBUG: Deleting session for TEST,
> > > 203.63.154.1,
> > > 1234
> > > Sat Jun 11 17:15:57 2005: DEBUG: Handling with
> >
> > Radius::AuthSQL Sat Jun
> >
> > > 11 17:15:57 2005: DEBUG: Handling with Radius::AuthSQL:
> > > AuthSQL
> > > Sat Jun 11 17:15:57 2005: DEBUG: Query is: 'select PASS_WORD from
> > > RADUSERS where USERNAME='TEST'':
> > > Sat Jun 11 17:15:57 2005: DEBUG: Radius::AuthSQL looks for
> >
> > match with
> >
> > > TEST Sat Jun 11 17:15:57 2005: DEBUG: Radius::AuthSQL ACCEPT:
> > > Sat Jun 11 17:15:57 2005: DEBUG: AuthBy SQL result: ACCEPT,
> >
> > Sat Jun 11
> >
> > > 17:15:57 2005: DEBUG: Access accepted for TEST Sat Jun 11 17:15:57
> > > 2005: DEBUG: Packet dump:
> > > *** Sending to 127.0.0.1 port 1094 ....
> > > Code: Access-Accept
> > > Identifier: 27
> > > Authentic: 1234567890123456
> > > Attributes:
> >
> > =====================================================================
> >
> > > Any ideas why is this happening?
> > >
> > > Thanks on advance.
> > >
> > >> -----Original Message-----
> > >> From: owner-radiator at open.com.au
> > >> [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
> > >> Sent: sábado, 11 de junio de 2005 2:18
> > >> To: Nacho Paredes
> > >> Cc: radiator at open.com.au
> > >> Subject: Re: (RADIATOR) NULL passwords in Radmin
> > >>
> > >>
> > >> Hello Nacho -
> > >>
> > >> As the AuthBy RADMIN clause is based on the AuthBy SQL clause, I
> > >> would expect it to behave the same with NULL passwords.
> > >>
> > >> regards
> > >>
> > >> Hugh
> > >>
> > >> On 10 Jun 2005, at 20:37, Nacho Paredes wrote:
> > >>> Hi all,
> > >>>
> > >>> I've read in the <AuthBy SQL> that when a user has a NULL in the
> > >>> PASSWORD column, Radiator accepts any password the user
> > >>
> > >> provides. I've
> > >>
> > >>> tested it, and works fine, but I wonder if is it possible
> > >>
> > >> to have the
> > >>
> > >>> same feature in <AuthBy RADMIN> (I havent been able to
> >
> > reproduce it
> >
> > >>> with Radmin)
> > >>>
> > >>> Thanks on advance.
> > >>>
> > >>> Regards
> >
> > --------------------------------------------------------------------
> >
> > >>> Ignacio Paredes | email: iparedes at eurocomercial.es
> > >>> Eurocomercial I&C, S.A. | Tel: +34 98 5195703
> > >>> Ezcurdia, 194 - Gijon (AS) | Fax: +34 98 5132596
> >
> > --------------------------------------------------------------------
> >
> > >>> --
> > >>> Archive at http://www.open.com.au/archives/radiator/
> > >>> Announcements on radiator-announce at open.com.au To
> > >>
> > >> unsubscribe, email
> > >>
> > >>> 'majordomo at open.com.au' with 'unsubscribe radiator' in the
> > >>
> > >> body of the
> > >>
> > >>> message.
> > >>
> > >> NB:
> > >>
> > >> Have you read the reference manual ("doc/ref.html")?
> > >> Have you searched the mailing list archive
> >
> > (www.open.com.au/archives/
> >
> > >> radiator)?
> > >> Have you had a quick look on Google (www.google.com)?
> > >> Have you included a copy of your configuration file (no secrets),
> > >> together with a trace 4 debug showing what is happening?
> > >>
> > >> --
> > >> Radiator: the most portable, flexible and configurable
> >
> > RADIUS server
> >
> > >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > >> -
> > >> Nets: internetwork inventory and management - graphical,
> >
> > extensible,
> >
> > >> flexible with hardware, software, platform and database
> >
> > independence.
> >
> > >> -
> > >> CATool: Private Certificate Authority for Unix and
> >
> > Unix-like systems.
> >
> > >> --
> > >> Archive at http://www.open.com.au/archives/radiator/
> > >> Announcements on radiator-announce at open.com.au To
> >
> > unsubscribe, email
> >
> > >> 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of
> > >> the message.
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/ radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no
> > secrets), together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS
> > server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical,
> > extensible, flexible with hardware, software, platform and
> > database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list