(RADIATOR) NULL passwords in Radmin
Nacho Paredes
iparedes at eurocomercial.es
Sun Jun 19 10:52:28 CDT 2005
Thanks for your remark.
This was getting me mad.
Finally I've used this hook to solve it:
# This hook tries to simulate into <AuthBy Radmin> the default <AuthBy SQL> behaviour
# respect NULL passwords
# If a user has a NULL password in the Radmin Database we want to accept access
# whatever password he provides in the request
# The hook is called as a PreAuthHook in the <AuthBy Radmin> clause
# I ain't tested it so much, so handle with care :)
#
# Author: Ignacio Paredes (iparedes at gmail.com)
sub
{
    use DBI;
    my ($p, $rp, $handled, $reason) = @_;

    # Use yours
    my $dbsource   = 'dbi:mysql:radmin';
    my $dbusername = 'radmin';
    my $dbauth     = 'xxxxx';

    &main::log($main::LOG_DEBUG, "PreAuthHook");
    my $dbh = DBI->connect_cached($dbsource, $dbusername, $dbauth)
        || die "connect_cached failed: $DBI::errstr";

    if (${$p}->code() eq 'Access-Request') {
        my $username = ${$p}->getUserName();
        # quote() escapes the user-supplied name before it goes into the SQL text
        $username = $dbh->quote($username);
        my ($pass) = $dbh->selectrow_array(
            "select PASS_WORD from RADUSERS where USERNAME=$username");
        # $pass is undef for a NULL column (and when no row is returned)
        my $empty = !defined($pass) || $pass eq '';
        &main::log($main::LOG_DEBUG, "DB Pass: " . ($empty ? '' : $pass));
        if ($empty) {
            &main::log($main::LOG_DEBUG, "Nullifying pass");
            # Blank the decoded password so that AuthBy RADMIN sees an empty password
            ${$p}->{DecodedPassword} = '';
        }
    }
}
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: viernes, 17 de junio de 2005 15:20
> To: Nacho Paredes
> Cc: 'Hugh Irvine'; radiator at open.com.au
> Subject: Re: (RADIATOR) NULL passwords in Radmin
>
> Hello Nacho,
>
> AuthBy RADMIN and AuthBy SQL behave differently to each other.
>
> With AuthBy RADMIN, a NULL password in the database will only
> match an empty password string entered by the user.
>
> With AuthBy SQL , a NULL password in the database will match
> any password string entered by the user.
>
> Cheers.
>
> On Thursday 16 June 2005 17:49, Nacho Paredes wrote:
> > Hi again,
> >
> > First of all, excuse my dumbness, but I'm not able to make it work. In
> > desperation I've done the following:
> >
> > The config file:
> >
> > ==========================================================================
> > <AuthBy RADMIN>
> >     Identifier RadminAuth
> >     # Change DBSource, DBUsername, DBAuth for your database
> >     # See the reference manual. You will also have to
> >     # change the one in <SessionDatabse SQL> below
> >     # so its the same
> >     DBSource dbi:mysql:radmin:localhost
> >     DBUsername radmin
> >     DBAuth xxxxx
> >
> >     # Never look up the DEFAULT user
> >     NoDefault
> >
> >     AuthSelect select PASS_WORD from RADUSERS where USERNAME=%0
> >     UserAttrQuery
> >
> >     # You can add to or change these if you want, but you
> >     # will probably want to change the database schema first
> >     AccountingTable RADUSAGE
> >     AcctColumnDef USERNAME,User-Name
> >     AcctColumnDef TIME_STAMP,Timestamp,integer
> >     AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> >     AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> >     AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> >     AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> >     AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> >     AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> >     AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> >     AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> >     AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> >     AcctColumnDef NASIDENTIFIER,NAS-Identifier
> >     AcctColumnDef NASPORT,NAS-Port,integer
> >     AcctColumnDef DNIS,Called-Station-Id
> >     # AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
> >
> > </AuthBy>
> >
> > <Handler>
> >     AuthBy RadminAuth
> > </Handler>
> >
> > ==========================================================================
> >
> > The test (user TEST has a NULL password in the DB):
> > radpwtst -s 127.0.0.1 -secret xxxx -noacct -user TEST -password asdf
> > sending Access-Request...
> > Rejected: Request Denied
> >
> > The log:
> >
> > ==========================================================================
> >
> > Code: Access-Request
> > Identifier: 32
> > Authentic: 1234567890123456
> > Attributes:
> >     User-Name = "TEST"
> >     Service-Type = Framed-User
> >     NAS-IP-Address = 203.63.154.1
> >     NAS-Identifier = "203.63.154.1"
> >     NAS-Port = 1234
> >     Called-Station-Id = "123456789"
> >     Calling-Station-Id = "987654321"
> >     NAS-Port-Type = Async
> >     User-Password = "|<242>t<178><140>tSDKKU<132><144><239><198>I"
> >
> > Thu Jun 16 09:57:47 2005: DEBUG: Handling request with Handler ''
> > Thu Jun 16 09:57:47 2005: DEBUG: Deleting session for TEST, 203.63.154.1, 1234
> > Thu Jun 16 09:57:47 2005: DEBUG: Handling with Radius::AuthRADMIN
> > Thu Jun 16 09:57:47 2005: DEBUG: Handling with Radius::AuthRADMIN: RadminAuth
> > Thu Jun 16 09:57:47 2005: DEBUG: Query is: 'select PASS_WORD from RADUSERS where USERNAME='TEST'':
> > Thu Jun 16 09:57:47 2005: DEBUG: Radius::AuthRADMIN looks for match with TEST
> > Thu Jun 16 09:57:47 2005: DEBUG: do query is: 'update RADUSERS set BADLOGINS=BADLOGINS+1 where USERNAME='TEST'':
> > Thu Jun 16 09:57:47 2005: DEBUG: AuthBy RADMIN result: REJECT, Bad Password
> > Thu Jun 16 09:57:47 2005: INFO: Access rejected for TEST: Bad Password
> > Thu Jun 16 09:57:47 2005: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 1025 ....
> > Code: Access-Reject
> > Identifier: 32
> > Authentic: 1234567890123456
> > Attributes:
> >     Reply-Message = "Request Denied"
> >
> > ==========================================================================
> > Now the authselect query is doing the same as in <AuthBy SQL>, I've
> > even taken out the UserAttrQuery, but still doesn't work.
> >
> > I really need this working, so any help will be appreciated.
> >
> > Thanks again.
> >
> > > -----Original Message-----
> > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > Sent: domingo, 12 de junio de 2005 1:39
> > > To: Nacho Paredes
> > > Cc: radiator at open.com.au
> > > Subject: Re: (RADIATOR) NULL passwords in Radmin
> > >
> > >
> > > Hello Nacho -
> > >
> > > As you can see in the debug the default AuthSelect for Radmin does
> > > much more than just check the password.
> > >
> > > Hence when you define the query in an AuthBy SQL it works correctly.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On 12 Jun 2005, at 01:04, Nacho Paredes wrote:
> > > > Hi Hugh,
> > > >
> > > > That's what I thought, but...
> > > >
> > > > I've defined an user TEST with no password nor check or reply
> > > > items through Radmin.
> > > >
> > > > And with this config:
> > > > ================================================================
> > > > <AuthBy RADMIN>
> > > >     Identifier RadminAuth
> > > >     DBSource dbi:mysql:radmin:localhost
> > > >     DBUsername radmin
> > > >     DBAuth xxxxx
> > > > </AuthBy>
> > > >
> > > > <Handler>
> > > >     AuthBy RadminAuth
> > > > </Handler>
> > > > ================================================================
> > > > And for this test, since the user has a NULL password, should be
> > > > accepted:
> > > > $ radpwtst -s 127.0.0.1 -secret xxxxx -noacct -user TEST -password asdf
> > > >
> > > > I got this log:
> > > > ================================================================
> > > > *** Received from 127.0.0.1 port 1094 ....
> > > > Code: Access-Request
> > > > Identifier: 251
> > > > Authentic: 1234567890123456
> > > > Attributes:
> > > >     User-Name = "test"
> > > >     Service-Type = Framed-User
> > > >     NAS-IP-Address = 203.63.154.1
> > > >     NAS-Identifier = "203.63.154.1"
> > > >     NAS-Port = 1234
> > > >     Called-Station-Id = "123456789"
> > > >     Calling-Station-Id = "987654321"
> > > >     NAS-Port-Type = Async
> > > >     User-Password = "|<242>t<178><140>tSDKKU<132><144><239><198>I"
> > > >
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Handling request with Handler ''
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Deleting session for test, 203.63.154.1, 1234
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Handling with Radius::AuthRADMIN
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Handling with Radius::AuthRADMIN: RadminAuth
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='test'':
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, SVALUE, ITEM_TYPE from RADCONFIG where NAME='test' order by ITEM_TYPE':
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Radius::AuthRADMIN looks for match with test
> > > > Sat Jun 11 16:58:26 2005: DEBUG: do query is: 'update RADUSERS set BADLOGINS=BADLOGINS+1 where USERNAME='test'':
> > > > Sat Jun 11 16:58:26 2005: DEBUG: AuthBy RADMIN result: REJECT, Bad Password
> > > > Sat Jun 11 16:58:26 2005: INFO: Access rejected for test: Bad Password
> > > > Sat Jun 11 16:58:26 2005: DEBUG: Packet dump:
> > > > *** Sending to 127.0.0.1 port 1094 ....
> > > > Code: Access-Reject
> > > > Identifier: 251
> > > > Authentic: 1234567890123456
> > > > Attributes:
> > > >     Reply-Message = "Request Denied"
> > > > ================================================================
> > > > Now, I've changed the config to:
> > > > ================================================================
> > > > <AuthBy SQL>
> > > >     Identifier AuthSQL
> > > >     DBSource dbi:mysql:radmin:localhost
> > > >     DBUsername radmin
> > > >     DBAuth xxxxx
> > > >     AuthSelect select PASS_WORD from RADUSERS where USERNAME=%0
> > > > </AuthBy>
> > > >
> > > > <Handler>
> > > >     # AuthBy RadminAuth
> > > >     AuthBy AuthSQL
> > > > </Handler>
> > > > ================================================================
> > > > And for the same test:
> > > > $ radpwtst -s 127.0.0.1 -secret xxxxx -noacct -user TEST -password asdf
> > > >
> > > > I got:
> > > > ================================================================
> > > > Code: Access-Request
> > > > Identifier: 27
> > > > Authentic: 1234567890123456
> > > > Attributes:
> > > >     User-Name = "TEST"
> > > >     Service-Type = Framed-User
> > > >     NAS-IP-Address = 203.63.154.1
> > > >     NAS-Identifier = "203.63.154.1"
> > > >     NAS-Port = 1234
> > > >     Called-Station-Id = "123456789"
> > > >     Calling-Station-Id = "987654321"
> > > >     NAS-Port-Type = Async
> > > >     User-Password = "|<242>t<178><140>tSDKKU<132><144><239><198>I"
> > > >
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Handling request with Handler ''
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Deleting session for TEST, 203.63.154.1, 1234
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Handling with Radius::AuthSQL
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Handling with Radius::AuthSQL: AuthSQL
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Query is: 'select PASS_WORD from RADUSERS where USERNAME='TEST'':
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Radius::AuthSQL looks for match with TEST
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Radius::AuthSQL ACCEPT:
> > > > Sat Jun 11 17:15:57 2005: DEBUG: AuthBy SQL result: ACCEPT,
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Access accepted for TEST
> > > > Sat Jun 11 17:15:57 2005: DEBUG: Packet dump:
> > > > *** Sending to 127.0.0.1 port 1094 ....
> > > > Code: Access-Accept
> > > > Identifier: 27
> > > > Authentic: 1234567890123456
> > > > Attributes:
> > > > ================================================================
> > > > Any ideas why is this happening?
> > > >
> > > > Thanks on advance.
> > > >
> > > >> -----Original Message-----
> > > >> From: owner-radiator at open.com.au
> > > >> [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
> > > >> Sent: sábado, 11 de junio de 2005 2:18
> > > >> To: Nacho Paredes
> > > >> Cc: radiator at open.com.au
> > > >> Subject: Re: (RADIATOR) NULL passwords in Radmin
> > > >>
> > > >>
> > > >> Hello Nacho -
> > > >>
> > > >> As the AuthBy RADMIN clause is based on the AuthBy SQL clause, I
> > > >> would expect it to behave the same with NULL passwords.
> > > >>
> > > >> regards
> > > >>
> > > >> Hugh
> > > >>
> > > >> On 10 Jun 2005, at 20:37, Nacho Paredes wrote:
> > > >>> Hi all,
> > > >>>
> > > >>> I've read in the <AuthBy SQL> that when a user has a NULL in the
> > > >>> PASSWORD column, Radiator accepts any password the user provides. I've
> > > >>> tested it, and works fine, but I wonder if is it possible to have the
> > > >>> same feature in <AuthBy RADMIN> (I haven't been able to reproduce it
> > > >>> with Radmin)
> > > >>>
> > > >>> Thanks on advance.
> > > >>>
> > > >>> Regards
> > > >>> --------------------------------------------------------------------
> > > >>> Ignacio Paredes | email: iparedes at eurocomercial.es
> > > >>> Eurocomercial I&C, S.A. | Tel: +34 98 5195703
> > > >>> Ezcurdia, 194 - Gijon (AS) | Fax: +34 98 5132596
> > > >>> --------------------------------------------------------------------
> > > >>> --
> > > >>> Archive at http://www.open.com.au/archives/radiator/
> > > >>> Announcements on radiator-announce at open.com.au
> > > >>> To unsubscribe, email 'majordomo at open.com.au' with
> > > >>> 'unsubscribe radiator' in the body of the message.
> > > >>
> > > >> NB:
> > > >>
> > > >> Have you read the reference manual ("doc/ref.html")?
> > > >> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > > >> Have you had a quick look on Google (www.google.com)?
> > > >> Have you included a copy of your configuration file (no secrets),
> > > >> together with a trace 4 debug showing what is happening?
> > > >>
> > > >> --
> > > >> Radiator: the most portable, flexible and configurable RADIUS server
> > > >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > > >> -
> > > >> Nets: internetwork inventory and management - graphical, extensible,
> > > >> flexible with hardware, software, platform and database independence.
> > > >> -
> > > >> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Mike McCauley                       mikem at open.com.au
> Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474               Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
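
Added example (not part of the original post and not Radiator code): a small Python model of the three behaviours discussed in this thread, plus an audit query listing the accounts that accept any password once the hook is installed. Assumptions: SQLite stands in for the MySQL radmin database, plain string equality stands in for Radiator's real password check, and the function names and sample rows are hypothetical; the table and column names come from the thread's query.

```python
import sqlite3

# Constructed sample rows; table and column names follow the thread's query.
SAMPLE_USERS = [("TEST", None), ("alice", "s3cret"), ("blank", "")]

def make_db(rows=SAMPLE_USERS):
    """In-memory SQLite stand-in for the radmin MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE RADUSERS (USERNAME TEXT PRIMARY KEY, PASS_WORD TEXT)")
    db.executemany("INSERT INTO RADUSERS VALUES (?, ?)", rows)
    return db

def stored_password(db, username):
    """Return None for an unknown user, else a 1-tuple (which may hold None)."""
    return db.execute(
        "SELECT PASS_WORD FROM RADUSERS WHERE USERNAME = ?", (username,)
    ).fetchone()

def check(db, username, supplied, mode):
    """mode is 'radmin', 'sql' or 'radmin+hook' (the PreAuthHook from this post)."""
    row = stored_password(db, username)
    if row is None:
        return False  # unknown user: rejected in this model
    stored = row[0]
    if mode == "radmin+hook" and (stored is None or stored == ""):
        supplied = ""  # the hook blanks the decoded password
    if stored is None:
        # AuthBy SQL: NULL matches anything. AuthBy RADMIN: only an empty string.
        return True if mode == "sql" else supplied == ""
    return supplied == stored  # assumption: plain-text comparison

def accepts_any_password(db):
    """Audit: accounts that log in with any password once the hook is installed."""
    rows = db.execute(
        "SELECT USERNAME FROM RADUSERS "
        "WHERE PASS_WORD IS NULL OR PASS_WORD = '' ORDER BY USERNAME"
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    for mode in ("radmin", "sql", "radmin+hook"):
        print(mode, check(db, "TEST", "asdf", mode))
    print("accept any password:", accepts_any_password(db))
```

Running the audit query against the real RADUSERS table before enabling the hook shows which accounts it will open up, including those with an empty-string password, which the hook treats the same as NULL.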