(RADIATOR) dumb question about "Radius::AuthFILE looks for match with []"

Andrew Fort afort at choqolat.org
Mon Jan 9 18:27:12 CST 2006


Okay so I have a dumb question, but I can't work this out.

I'm trying to test a very basic AuthFILE based <ServerTACACSPLUS> stanza.
I have a much more complex configuration, using {Auth,Acct}BySQL
working on other hosts.

I'm using the Radiator-3.13 included goodies/tacacsplusserver.cfg file
(ONLY change is the tacacs+ shared Key), and the included two users from
the demo users file, just in case I'm being extra dumb.  I've removed the
'tacacsgroup' reply attribute as it's not defined in the dictionary
(though it appears that internally added attributes don't need to be
defined in the dictionary?).

--users file--
tacuser1 User-Password=tacuser1
tacuser2 User-Password=tacuser2
--users file--

So, when I run the radiusd, and attempt to login from the Cisco using
'tacuser1' and 'tacuser1', I get this:

--log--
# /usr/local/bin/radiusd -config_file /tmp/tacacsplusserver.cfg
Tue Jan 10 11:19:19 2006: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Tue Jan 10 11:19:19 2006: DEBUG: Finished reading configuration file 
'/tmp/tacacsplusserver.cfg'
Tue Jan 10 11:19:19 2006: DEBUG: Reading dictionary file './dictionary'
Tue Jan 10 11:19:20 2006: NOTICE: Server started: Radiator 3.13 on box3.lab
Tue Jan 10 11:19:22 2006: DEBUG: New TacacsplusConnection created for 
192.168.1.34:62098
Tue Jan 10 11:19:22 2006: DEBUG: TacacsplusConnection request 192, 1, 1, 
0, 1803428813, 25
Tue Jan 10 11:19:22 2006: DEBUG: TacacsplusConnection Authentication 
START 1, 1, 1 for , tty2, 192.168.1.253
Tue Jan 10 11:19:22 2006: DEBUG: TacacsplusConnection Authentication 
REPLY 4, 0, Username: ,
Tue Jan 10 11:19:27 2006: DEBUG: TacacsplusConnection request 192, 1, 3, 
0, 1803428813, 13
Tue Jan 10 11:19:27 2006: DEBUG: TacacsplusConnection Authentication 
CONTINUE 0, tacuser1,
Tue Jan 10 11:19:27 2006: DEBUG: TacacsplusConnection Authentication 
REPLY 5, 1, Password: ,
Tue Jan 10 11:19:28 2006: DEBUG: TacacsplusConnection request 192, 1, 5, 
0, 1803428813, 13
Tue Jan 10 11:19:28 2006: DEBUG: TacacsplusConnection Authentication 
CONTINUE 0, tacuser1,
Tue Jan 10 11:19:28 2006: DEBUG: TACACSPLUS derived Radius request 
packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <243>J<217>F<210><0>)a<129>?;<154>n<220><131><25>
Attributes:
         NAS-IP-Address = 192.168.1.34
         NAS-Port-Id = "tty2"
         Calling-Station-Id = "192.168.1.253"
         Service-Type = Login-User
         NAS-Identifier = "TACACS"
         User-Name = "tacuser1"
         User-Password = tacuser1

Tue Jan 10 11:19:28 2006: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Jan 10 11:19:28 2006: DEBUG:  Deleting session for , 192.168.1.34,
Tue Jan 10 11:19:28 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Jan 10 11:19:28 2006: DEBUG: Radius::AuthFILE looks for match with  []
Tue Jan 10 11:19:28 2006: DEBUG: Radius::AuthFILE REJECT: No such user:  []
Tue Jan 10 11:19:28 2006: DEBUG: Reading users file ./users
Tue Jan 10 11:19:28 2006: DEBUG: AuthBy FILE result: REJECT, No such user
Tue Jan 10 11:19:28 2006: INFO: Access rejected for : No such user
Tue Jan 10 11:19:28 2006: DEBUG: TacacsplusConnection result Access-Reject
Tue Jan 10 11:19:28 2006: DEBUG: TacacsplusConnection Authentication 
REPLY 2, 0, ,
Tue Jan 10 11:19:28 2006: DEBUG: TacacsplusConnection disconnected from 
192.168.1.34:62098
Tue Jan 10 11:19:30 2006: DEBUG: New TacacsplusConnection created for 
192.168.1.34:11338
Tue Jan 10 11:19:30 2006: DEBUG: TacacsplusConnection request 192, 1, 1, 
0, 1102023088, 25
Tue Jan 10 11:19:30 2006: DEBUG: TacacsplusConnection Authentication 
START 1, 1, 1 for , tty2, 192.168.1.253
Tue Jan 10 11:19:30 2006: DEBUG: TacacsplusConnection Authentication 
REPLY 4, 0, Username: ,
Tue Jan 10 11:20:01 2006: DEBUG: TacacsplusConnection disconnected from 
192.168.1.34:11338
--log--

Note the line "Tue Jan 10 11:19:28 2006: DEBUG: Radius::AuthFILE looks 
for match with  []".

What's going wrong?  Why isn't AuthFILE seeing the username?

Using AuthTEST works fine.

Cheers,
Andrew
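
A diagnostic check for the symptom in the message above, added here as an example and not part of the original post or of Radiator: it scans a debug log and reports every AuthBy lookup whose name differs from the User-Name attribute in the packet dump that preceded it. The sample log is constructed from the lines quoted in the post, and the `NAME [ORIGINAL]` shape of the lookup line and the function name are assumptions taken from that log.

```python
import re

# Constructed sample, modelled on the debug log quoted in the post.
SAMPLE_LOG = """\
Tue Jan 10 11:19:28 2006: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Attributes:
        NAS-IP-Address = 192.168.1.34
        User-Name = "tacuser1"

Tue Jan 10 11:19:28 2006: DEBUG: Handling with Radius::AuthFILE:
Tue Jan 10 11:19:28 2006: DEBUG: Radius::AuthFILE looks for match with  []
Tue Jan 10 11:19:28 2006: DEBUG: Radius::AuthFILE REJECT: No such user:  []
Tue Jan 10 11:20:05 2006: DEBUG: TACACSPLUS derived Radius request packet dump:
Attributes:
        User-Name = "tacuser2"

Tue Jan 10 11:20:05 2006: DEBUG: Radius::AuthFILE looks for match with tacuser2 [tacuser2]
"""

# User-Name attribute as printed inside a packet dump.
USER_ATTR = re.compile(r'^\s*User-Name = "(?P<user>[^"]*)"\s*$')
# Assumed lookup line shape: "<timestamp>: DEBUG: Radius::AuthX looks for match with NAME [ORIGINAL]"
LOOKUP = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): DEBUG: '
    r'Radius::(?P<module>Auth\w+) looks for match with (?P<name>.*?) \[(?P<orig>.*)\]\s*$'
)


def find_lookup_mismatches(log_text):
    """Return one record per lookup whose name differs from the dumped User-Name."""
    findings = []
    request_user = None  # User-Name from the most recent packet dump
    for line in log_text.splitlines():
        attr = USER_ATTR.match(line)
        if attr:
            request_user = attr.group("user")
            continue
        lookup = LOOKUP.match(line)
        if lookup and request_user is not None:
            if lookup.group("name") != request_user:
                findings.append({
                    "timestamp": lookup.group("ts"),
                    "module": lookup.group("module"),
                    "request_user": request_user,
                    "lookup_user": lookup.group("name"),
                })
            request_user = None  # each dump pairs with one lookup
    return findings
```
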
