(RADIATOR) Authorization Problem
Uday K. MOORJANI
umoorjani at mediaserv.net
Thu Jun 1 13:02:34 CDT 2006
Hi Again,

I want to configure Radiator in such a way that it would recognize two different numbers, being two different types of accounts.

The problem is when I type anything as user and password it still authenticates with a positive answer.

The goal is to authenticate users from the "free" realm with any password and login, but the "forfait" realm should check for authentication.

On the Cisco AS5300, I configured the Group-Async corresponding to the number with: ppp authentication chap free, which is configured as: aaa authentication ppp free none. (I have a feeling that this config is not good.) With this config I can connect with any username and password as free and forfait, so I changed back the Group-Async related to the realm "free" to: ppp authentication chap ppp_auth_mth (which is the radius list).

Do you know how I can configure Radiator to accept any login and password from the called station id number xx60572624 and to check authentication credentials from the called station id xx68572624, and reject any other type of username and password that is not related to a realm? Because we have other realms as well, so we want to let the other realms work, but a user from another realm cannot access another realm but the realm he belongs to.

Now here is how I configured the Handler and the Realm:
<Handler Called-Station-Id=xx68572624,Realm=forfait>
    <AuthBy SQL>
        DBSource dbi:mysql:radius:sql3-x.x.net
        DBUsername root
        DBAuth xxxxxxx
        FailureBackoffTime 60
        AuthSelect select password,checkattr,replyattr from SUBSCRIBERS where username='%U' and status=1 and services like '%%forfait%%'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply
        # Strip the realm from the username
        RewriteUsername s/^([^@]+).*/$1/
        # By default they may use 128K (which uses up their plan twice as fast)
        DefaultSimultaneousUse 2
        # Return the default attributes (taken from the radfsp file)
        DefaultReply Port-Limit=2,Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0,Framed-MTU=1500,Framed-Routing=None,Idle-Timeout=720,Framed-Compression=Van-Jacobsen-TCP-IP
        # Accounting definition
        # -- Log to SQL (table ACCOUNTING)
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME,%U,formatted
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef TIME_STAMPHR,%o,formatted
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASIPADDRESS,NAS-IP-Address
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef NASPORTTYPE,NAS-Port-Type
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
        AcctColumnDef CALLEDSTATIONID,Called-Station-Id
        AcctColumnDef CONNECTINFO,Connect-Info
        AcctColumnDef CLIENTIPADDRESS,Client-IP-Address
        AcctColumnDef DISCONNECTCAUSE,Ascend-Disconnect-Cause
        AcctColumnDef SERVICE,'forfait',literal
        # --- with a backup as a flat file of SQL statements
        SQLRecoveryFile %L/acct-forfaits-sqlrecovery-213.188.x.33
        # --- and a backup of the failed requests so they can be replayed later
        AcctFailedLogFileName %L/acct-forfaits-213.188.x.33
    </AuthBy>
    SessionDatabase dialupsessiondb
    AcctLogFileName /var/log/radius/acct-forfaits-213-188-x-33.log
    # AuthLog AuthForfaits-NAS-MSV
    AuthLog LogAuthForfaitSQL
    <Log FILE>
        Filename /var/log/radius/debug-forfaits-213-188-x-33.log
        Trace 5
    </Log>
</Handler>
# ----------========[ AUTH NAS FREE xx60572624 ]===========---------
# umoorjani 30052006
<Handler Called-Station-Id=xx60572624,Realm=free>
    <AuthBy SQL>
        DBSource dbi:mysql:radius:sql3x.x.net
        DBUsername root
        DBAuth xxxxxxx
        FailureBackoffTime 60
        AuthSelect select password,checkattr,replyattr from SUBSCRIBERS where username='%U' and status=1 and services like '%%free%%'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply
        # Strip the realm from the username
        RewriteUsername s/^([^@]+).*/$1/
        # By default they may use 128K (which uses up their plan twice as fast)
        DefaultSimultaneousUse 4
        # Return the default attributes (taken from the radfsp file)
        DefaultReply Port-Limit=2,Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0,Framed-MTU=1500,Framed-Routing=None,Idle-Timeout=720,Framed-Compression=Van-Jacobsen-TCP-IP
        # Accounting definition
        # -- Log to SQL (table ACCOUNTING)
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME,%U,formatted
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef TIME_STAMPHR,%o,formatted
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASIPADDRESS,NAS-IP-Address
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef NASPORTTYPE,NAS-Port-Type
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
        AcctColumnDef CALLEDSTATIONID,Called-Station-Id
        AcctColumnDef CONNECTINFO,Connect-Info
        AcctColumnDef CLIENTIPADDRESS,Client-IP-Address
        AcctColumnDef DISCONNECTCAUSE,Ascend-Disconnect-Cause
        # Tag this handler's accounting rows with its own service name
        AcctColumnDef SERVICE,'free',literal
        # --- with a backup as a flat file of SQL statements
        SQLRecoveryFile %L/acct-free-sqlrecovery-213.188.x.33-nas-msv
        # --- and a backup of the failed requests so they can be replayed later
        AcctFailedLogFileName %L/acct-free-213.188.x.33-nas-msv
    </AuthBy>
    SessionDatabase dialupsessiondb
    AcctLogFileName /var/log/radius/acct-free-213-188-x-33.log
    # AuthLog AuthFree-NAS-MSV
    AuthLog LogAuthFreeSQL
    <Log FILE>
        Filename /var/log/radius/debug-free-213-188-x-33.log
        Trace 5
    </Log>
</Handler>
This is the response I get from Radiator using any login and password from any number:
Thu Jun 1 13:13:35 2006: DEBUG: Packet dump:
*** Received from 213.x.x.33 port 1645 ....
Code: Access-Request
Identifier: 41
Authentic: <147><248><182><3>?<127><200><29>h<202><174>?<139>"<160>R
Attributes:
NAS-IP-Address = 213.x.x.62
NAS-Port = 227
NAS-Port-Type = Async
User-Name = "qsdfqsdf"
Called-Station-Id = "xx68572624"
Calling-Station-Id = "590571015"
CHAP-Password =
<1><213>+<198><<131><26><133><130><170><235><209><213>nrP<238>
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "0000002F"
Thu Jun 1 13:13:35 2006: DEBUG: Handling request with Handler ''
Thu Jun 1 13:13:35 2006: DEBUG: dialupsessiondb Deleting session for
qsdfqsdf, 213.x.1x.62, 227
Thu Jun 1 13:13:35 2006: DEBUG: do query is: 'delete from
RADONLINEDIALUP where username = 'qsdfqsdf'':
Thu Jun 1 13:13:35 2006: DEBUG: Handling with Radius::AuthSQL
Thu Jun 1 13:13:35 2006: DEBUG: Handling with Radius::AuthSQL:
Thu Jun 1 13:13:35 2006: DEBUG: Query is: 'select '' as password, '' as
checkattr,'' as replyattr from SUBSCRIBERS limit 1':
Thu Jun 1 13:13:35 2006: DEBUG: Radius::AuthSQL looks for match with
qsdfqsdf
Thu Jun 1 13:13:35 2006: DEBUG: Query is: 'select nasidentifier,
nasport, acctsessionid, framedipaddress from RADONLINEDIALUP where
username='qsdfqsdf'':
Thu Jun 1 13:13:35 2006: DEBUG: Radius::AuthSQL ACCEPT:
Thu Jun 1 13:13:35 2006: DEBUG: Access accepted for qsdfqsdf
Thu Jun 1 13:13:35 2006: DEBUG: do query is: 'insert into RADAUTHLOG
(time_stamp, username, password, type, typemsg, reason, service,
time_stamphr, severity, clientipaddress, nasipaddress) VALUES
(1149182015, 'qsdfqsdf', '', 1, 'OK', NULL, 'free', 'Jun 1, 2006
13:13:35', 0,'213.x.x.33','213.x.x.62')':
Thu Jun 1 13:13:35 2006: DEBUG: Packet dump:
*** Sending to 213.x.160.33 port 1645 ....
Code: Access-Accept
Identifier: 41
Authentic: <147><248><182><3>?<127><200><29>h<202><174>?<139>"<160>R
Attributes:
--
Cordialement,
Sincerely Yours,
Uday K. MOORJANI
Systems Technician
-------------------
MEDIASERV.NET SARL
6,Tour Cécid
Place de la Rénovation
97110 POINTE A PITRE
GUADELOUPE (F.W.I)
-------------------
00(590)590571015
umoorjani at mediaserv.net
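One way to express the split the post asks for, as an added example rather than configuration taken from the post: Radiator tries Handlers in the order they appear in the file and uses the first one whose attribute checks all match, and a Handler with no checks matches every request, so an explicit reject Handler placed last keeps requests that match neither number/realm pair (no realm suffix, wrong realm for the dialled number, unknown number) from reaching a permissive default. The database host and credentials below are placeholders; the AuthBy ACCEPT and AuthBy REJECT clauses are standard Radiator modules.

```text
# Added example, not from the original post. Order matters: Radiator uses the
# first Handler whose checks all match; the bare <Handler> at the end catches
# everything else and must stay last.

# Free number: accept any username/password dialled in to xx60572624.
<Handler Called-Station-Id=xx60572624,Realm=free>
    <AuthBy ACCEPT>
        # Strip the @free suffix so accounting and session rows use the bare name
        RewriteUsername s/^([^@]+).*/$1/
    </AuthBy>
</Handler>

# Paid number: real credential check against SUBSCRIBERS.
<Handler Called-Station-Id=xx68572624,Realm=forfait>
    <AuthBy SQL>
        DBSource   dbi:mysql:radius:DBHOST_PLACEHOLDER
        DBUsername DBUSER_PLACEHOLDER
        DBAuth     DBPASS_PLACEHOLDER
        RewriteUsername s/^([^@]+).*/$1/
        # Only rows whose services column includes 'forfait' can authenticate here
        AuthSelect select password,checkattr,replyattr from SUBSCRIBERS where username='%U' and status=1 and services like '%%forfait%%'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply
    </AuthBy>
</Handler>

# Everything else: reject explicitly instead of falling through to a Handler
# that accepts, so a request carrying the wrong realm for its number, no
# realm at all, or an unknown Called-Station-Id gets an Access-Reject.
<Handler>
    <AuthBy REJECT>
    </AuthBy>
</Handler>
```

Because the Realm check is taken from the part of User-Name after the "@", a caller on the free number who logs in without a realm suffix (like the "qsdfqsdf" request in the dump above) does not match the first Handler and ends up in the reject Handler; drop the Realm=free check from that Handler if any username on the free number should be accepted.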