(RADIATOR) Radmin setup question with Authentication

Hugh Irvine hugh at open.com.au
Wed May 4 20:45:07 CDT 2005


Hello Ryko -

The problem here is that you have created an endless loop in the 
configuration file by putting the "Identifier Network-Devices" in the 
AuthBy RADMIN clause which itself is inside the Handler. The 
"Auth-Type=Network-Devices" in the check item tells Radiator to execute 
the AuthBy clause with the same Identifier, so each time the AuthBy 
RADMIN clause executes, it then calls itself, and so on in an endless 
loop.

You should remove the "Identifier Network-Devices" from the AuthBy 
RADMIN clause.

regards

Hugh


On 4 May 2005, at 18:33, Prins, R. wrote:

>
>
> I try to implement user authorization with Radmin.
>
> In Radmin I have created a service profile called "Network-Devices".
> (Quotes aren't part of the configuration text anywhere)
>
> In Radmin I have created a check item Auth-Type="Network-Devices"
>
> In Radmin I have created a user with the service profile
> "Network-Devices".
>
> In Radiator I have created a Realm "radmin" using the default
> configuration from "goodies".
>
> In the Authby RADMIN clause I have added an identifier 
> "Network-Devices"
>
> It works very well without the Auth-Type set as a check item
>
> If I define the check item I get an endless loop in Radiator
>
> What did I do wrong?
>
> ------------------------------- Piece of radius.cfg
> # Handle everyone with RADMIN
> <Handler Realm=radmin>
> 	RewriteUsername s/^([^@]+).*/$1/
> 	<AuthBy RADMIN>
> 		Identifier Network-Devices
> 		# Change DBSource, DBUsername, DBAuth for your database
> 		# See the reference manual. You will also have to
> 		# change the one in <SessionDatabase SQL> below
> 		# so its the same
> 		DBSource	dbi:mysql:radmin:localhost
> 		DBUsername	radmin
> 		DBAuth		radminpw
>
> 		# Never look up the DEFAULT user
> 		NoDefault
>
> 		# You can add to or change these if you want, but you
> 		# will probably want to change the database schema first
> 		AccountingTable	RADUSAGE
> 		AcctColumnDef	USERNAME,User-Name
> 		AcctColumnDef	TIME_STAMP,Timestamp,integer
> 		AcctColumnDef	ACCTSTATUSTYPE,Acct-Status-Type,integer
> 		AcctColumnDef	ACCTDELAYTIME,Acct-Delay-Time,integer
> 		AcctColumnDef	ACCTINPUTOCTETS,Acct-Input-Octets,integer
> 		AcctColumnDef	ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> 		AcctColumnDef	ACCTSESSIONID,Acct-Session-Id
> 		AcctColumnDef	ACCTSESSIONTIME,Acct-Session-Time,integer
> 		AcctColumnDef	ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> 		AcctColumnDef	FRAMEDIPADDRESS,Framed-IP-Address
> 		AcctColumnDef	NASIDENTIFIER,NAS-IP-Address
> 		AcctColumnDef	NASIDENTIFIER,NAS-Identifier
> 		AcctColumnDef	NASPORT,NAS-Port,integer
> 		AcctColumnDef	DNIS,Called-Station-Id
> #		AcctColumnDef	CALLINGSTATIONID,Calling-Station-Id
>
> 		# This updates the time and octets left
> 		# for this user
> 		AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
> 		# These are the classic things to add to each users
> 		# reply to allow a PPP dialup session. It may be
> 		# different for your NAS. This will add some
> 		# reply items to everyone's reply
> 		AddToReply Framed-Protocol = PPP,\
>         		Framed-IP-Netmask = 255.255.255.255,\
>         		Framed-Routing = None,\
>         		Framed-MTU = 1500,\
> 			Framed-Compression = Van-Jacobson-TCP-IP
>
> 		# If you intend to use rcrypt reversible encryption
> 		# for passwords in your Radmin database, you must set
> 		# RcryptKey here to be the same secret key you
> 		# defined in your Radmin Site.pm, and also set
> 		# PasswordFormat in your Site.pm.
> 		# RcryptKey mysecret
>
> 		# If you intend to use Unix encryption in your database,
> 		# you will need to set EncryptedPassword here,
> 		# as well as setting PasswordFormat in your Site.pm
> 		# EncryptedPassword
>
> 		# You can change the max bad login count from the default
> 		# of 5 with something like
> 		# MaxBadLogins 10
> 	</AuthBy>
>
> 	# This clause logs all authentication successes and failures to the RADAUTHLOG table
> 	# Suitable for use with RAdmin version 1.6 or later
> 	<AuthLog SQL>
> 		# This database spec usually should be exactly the same
> 		# as in <AuthBy RADMIN> above
> 		DBSource	dbi:mysql:radmin:localhost
> 		DBUsername	radmin
> 		DBAuth		radminpw
>
> 		LogSuccess
> 		SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
> 		LogFailure
> 		FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
> 	</AuthLog>
>
> </Handler>
> ------------------------------- Piece of log file
> *** Received from 127.0.0.1 port 47990 ....
> Code:       Access-Request
> Identifier: 146
> Authentic:  1234567890123456
> Attributes:
> 	User-Name = "tnb at radmin"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = "<173><238>,<217><197>9<4><246><188>8<9><160><216>}x<153>"
>
> Tue May  3 17:31:11 2005: DEBUG: Rewrote user name to tnb at radmin
> Tue May  3 17:31:11 2005: DEBUG: Handling request with Handler 'Realm=radmin'
> Tue May  3 17:31:11 2005: DEBUG: Rewrote user name to tnb
> Tue May  3 17:31:11 2005: DEBUG:  Deleting session for tnb at radmin, 203.63.154.1, 1234
> Tue May  3 17:31:11 2005: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234':
>
> Tue May  3 17:31:11 2005: DEBUG: Handling with Radius::AuthRADMIN
> Tue May  3 17:31:11 2005: DEBUG: Handling with Radius::AuthRADMIN: Network-Devices
> Tue May  3 17:31:11 2005: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='tnb'':
>
> Tue May  3 17:31:11 2005: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, SVALUE, ITEM_TYPE from RADSTCONFIG where NAME='Network-Devices' order by ITEM_TYPE':
>
> Tue May  3 17:31:11 2005: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, SVALUE, ITEM_TYPE from RADCONFIG where NAME='tnb' order by ITEM_TYPE':
>
> Tue May  3 17:31:11 2005: DEBUG: Radius::AuthRADMIN looks for match with tnb
> Tue May  3 17:31:11 2005: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='tnb at radmin'':
>
> Tue May  3 17:31:11 2005: DEBUG: ValidFrom date converted to: 1114702620
> Tue May  3 17:31:11 2005: DEBUG: Expiration date converted to: 1146175200
> Tue May  3 17:31:11 2005: DEBUG: Handling with Radius::AuthRADMIN
> Tue May  3 17:31:11 2005: DEBUG: Handling with Radius::AuthRADMIN: Network-Devices
> Tue May  3 17:31:11 2005: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='tnb'':
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
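
An added example, not part of the original thread and not code from the Radiator project: a small Python check for the loop signature in the trace above, where the same AuthBy clause is entered again and again while a single request is being handled. The sample log lines are constructed after the thread's trace; the `Realm=example` request, the threshold of 3, and reading the text after the second colon as the clause's Identifier are assumptions.

```python
import re
from collections import Counter

# Entries look like "<timestamp>: DEBUG: <message>", as in the thread's trace.
HANDLER_RE = re.compile(r"DEBUG: Handling request with Handler '([^']*)'")
AUTHBY_RE = re.compile(r"DEBUG: Handling with (Radius::\w+(?:: \S+)?)\s*$")


def find_authby_loops(lines, threshold=3):
    """Return [(handler, authby, count)] for each AuthBy clause entered at
    least `threshold` times while one request was being handled.

    A Handler may legitimately chain two clauses of the same type, so the
    default threshold (an assumption) is 3 rather than 2.
    """
    findings = []
    handler, counts = None, Counter()

    def flush():
        # Record every clause that was re-entered too often in this request.
        for authby, n in counts.items():
            if n >= threshold:
                findings.append((handler, authby, n))

    for line in lines:
        m = HANDLER_RE.search(line)
        if m:  # a new request starts: close out the previous one
            flush()
            handler, counts = m.group(1), Counter()
            continue
        m = AUTHBY_RE.search(line)
        if m and handler is not None:
            counts[m.group(1)] += 1
    flush()
    return findings


# Constructed sample: four passes through the self-referencing clause,
# followed by a normal request that enters its AuthBy clause once.
TS = "Tue May  3 17:31:11 2005: DEBUG: "
ONE_PASS = [
    TS + "Handling with Radius::AuthRADMIN",
    TS + "Handling with Radius::AuthRADMIN: Network-Devices",
    TS + "Query is: 'select PASS_WORD from RADUSERS where USERNAME='tnb'':",
]
SAMPLE_LOG = (
    [TS + "Handling request with Handler 'Realm=radmin'"]
    + ONE_PASS * 4
    + [TS + "Handling request with Handler 'Realm=example'",
       TS + "Handling with Radius::AuthFILE"]
)

if __name__ == "__main__":
    for handler, authby, count in find_authby_loops(SAMPLE_LOG):
        print(f"possible AuthBy loop in Handler {handler}: {authby} x{count}")
```
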
