(RADIATOR) Authorization Problem
Hugh Irvine
hugh at open.com.au
Thu Jun 1 23:12:36 CDT 2006
Hello Uday -
The debug that you have sent shows that you are using the default
Handler, not either of the ones you show below.
Thu Jun 1 13:13:35 2006: DEBUG: Handling request with Handler ''
Thu Jun 1 13:13:35 2006: DEBUG: dialupsessiondb Deleting session for
qsdfqsdf, 213.x.1x.62, 227
Thu Jun 1 13:13:35 2006: DEBUG: do query is: 'delete from
RADONLINEDIALUP where username = 'qsdfqsdf'':
Thu Jun 1 13:13:35 2006: DEBUG: Handling with Radius::AuthSQL
Thu Jun 1 13:13:35 2006: DEBUG: Handling with Radius::AuthSQL:
Thu Jun 1 13:13:35 2006: DEBUG: Query is: 'select '' as password, ''
as checkattr,'' as replyattr from SUBSCRIBERS limit 1':
This is because there is no Realm suffix on your username.
You will either need to have the correct Realm suffix on the
usernames, or change the Handler definitions.
hope that helps
regards
Hugh
On 1 Jun 2006, at 11:02, Uday K. MOORJANI wrote:
> Hi Again,
>
> I want to configure radiator in such a way that it would recognize
> two different numbers, being two different types of accounts.
> The problem is when I type anything as user and password it still
> authenticates with a positive answer.
>
> The goal is to authenticate users from the "free" realm, with any
> password and login, but the "forfait" realm should check for
> authentication.
> On the cisco AS5300, I configured the Group-Async corresponding to
> the number, with a : ppp authentication chap free, which is
> configured as :
> aaa authentication ppp free none. (I have a feeling that this
> config is not good) With this config I can connect with any
> username and password as
> free and forfait so I changed back the Group-Async related to the
> realm "free" to : ppp authentication chap ppp_auth_mth (which is
> radius list).
>
> Do you know how I can configure radiator to accept any login and
> password from the called station id number xx60572624 and to check
> authentication credentials from the called station id xx68572624,
> and reject any other type of username and password that is not
> related to a realm ? Because we have
> other realms as well, so we want to let the other realms work, but
> a user from another realm cannot access another realm but the realm
> he belongs to.
>
> Now here is how I configured the Handler and the Realm :
>
> <Handler Called-Station-Id=xx68572624,Realm=forfait>
> <AuthBy SQL>
> DBSource dbi:mysql:radius:sql3-x.x.net
> DBUsername root
> DBAuth xxxxxxx
> FailureBackoffTime 60
> AuthSelect select password,checkattr,replyattr from SUBSCRIBERS where username='%U' and status=1 and services like '%%forfait%%'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, reply
> # Strip the realm from the username
> RewriteUsername s/^([^@]+).*/$1/
> # By default they may use 128K (this uses up their allowance twice as fast)
> DefaultSimultaneousUse 2
> # Return the default attributes (taken from the radfsp file)
> DefaultReply Port-Limit=2,Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0,Framed-MTU=1500,Framed-Routing=None,Idle-Timeout=720,Framed-Compression=Van-Jacobsen-TCP-IP
> # Accounting definition
> # -- Log to SQL (ACCOUNTING table)
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,%U,formatted
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef TIME_STAMPHR,%o,formatted
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIPADDRESS,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef NASPORTTYPE,NAS-Port-Type
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
> AcctColumnDef CALLEDSTATIONID,Called-Station-Id
> AcctColumnDef CONNECTINFO,Connect-Info
> AcctColumnDef CLIENTIPADDRESS,Client-IP-Address
> AcctColumnDef DISCONNECTCAUSE,Ascend-Disconnect-Cause
> AcctColumnDef SERVICE,'forfait',literal
>
> # --- with a backup in a flat file and as SQL queries
> SQLRecoveryFile %L/acct-forfaits-sqlrecovery-213.188.x.33
> # --- and a backup of the failed queries so they can be replayed later
> AcctFailedLogFileName %L/acct-forfaits-213.188.x.33
> </AuthBy>
> SessionDatabase dialupsessiondb
> AcctLogFileName /var/log/radius/acct-forfaits-213-188-x-33.log
> # AuthLog AuthForfaits-NAS-MSV
> AuthLog LogAuthForfaitSQL
> <Log FILE>
> Filename /var/log/radius/debug-forfaits-213-188-x-33.log
> Trace 5
> </Log>
> </Handler>
>
>
>
> # ----------========[ AUTH NAS FREE xx6072624 ]===========---------
> umoorjani 30052006
> <Handler Called-Station-Id=xx60572624,Realm=free>
> <AuthBy SQL>
> DBSource dbi:mysql:radius:sql3x.x.net
> DBUsername root
> DBAuth xxxxxxx
> FailureBackoffTime 60
> AuthSelect select password,checkattr,replyattr from
> SUBSCRIBERS where username='%U' and status=1 and services like '%%
> free%%'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, reply
> # On retire le realm du username
> RewriteUsername s/^([^@]+).*/$1/
> # Par defaut, ils peuvent faire du 128K (ca decompte leur
> forfait 2 fois plus vite)
> DefaultSimultaneousUse 4
> # On renvoie les attributs par defaut (repris du fichier de radfsp)
> DefaultReply Port-Limit=2,Service-Type=Framed-User,Framed-
> Protocol=PPP,Ascend-Assign-IP-Pool=0,Framed-MTU=1500,Framed-
> Routing=None,Idle-Timeout=720,Framed-Compression=Van-Jacobsen-TCP-IP
> # Definition de l'accounting
> # -- On logge en SQL (table ACCOUNTING)
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,%U,formatted
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef TIME_STAMPHR,%o,formatted
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIPADDRESS,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef NASPORTTYPE,NAS-Port-Type
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
> AcctColumnDef CALLEDSTATIONID,Called-Station-Id
> AcctColumnDef CONNECTINFO,Connect-Info
> AcctColumnDef CLIENTIPADDRESS,Client-IP-Address
> AcctColumnDef DISCONNECTCAUSE,Ascend-Disconnect-Cause
> AcctColumnDef SERVICE,'forfait',literal
>
> # --- avec une sauvegarde en fichier plat et en requete SQL
> SQLRecoveryFile %L/acct-free-sqlrecovery-213.188.x.33-nas-
> msv
> # --- et une sauvegarde des requetes echouees pour les rejouer
> apres
> AcctFailedLogFileName %L/acct-free-213.188.x.33-nas-msv
> </AuthBy>
> SessionDatabase dialupsessiondb
> AcctLogFileName /var/log/radius/acct-free-213-188-x-33.log
> # AuthLog AuthFree-NAS-MSV
> AuthLog LogAuthFreeSQL
> <Log FILE>
> Filename /var/log/radius/debug-free-213-188-x-33.log
> Trace 5
> </Log>
> </Handler>
>
>
> THIS IS THE RESPONSE I GET FROM RADIATOR USING ANY LOGIN AND
> PASSWORD FROM ANY NUMBER:
>
> Thu Jun 1 13:13:35 2006: DEBUG: Packet dump:
> *** Received from 213.x.x.33 port 1645 ....
> Code: Access-Request
> Identifier: 41
> Authentic: <147><248><182><3>?<127><200><29>h<202><174>?<139>"<160>R
> Attributes:
> NAS-IP-Address = 213.x.x.62
> NAS-Port = 227
> NAS-Port-Type = Async
> User-Name = "qsdfqsdf"
> Called-Station-Id = "xx68572624"
> Calling-Station-Id = "590571015"
> CHAP-Password = <1><213>
> +<198><<131><26><133><130><170><235><209><213>nrP<238>
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Acct-Session-Id = "0000002F"
>
> Thu Jun 1 13:13:35 2006: DEBUG: Handling request with Handler ''
> Thu Jun 1 13:13:35 2006: DEBUG: dialupsessiondb Deleting session
> for qsdfqsdf, 213.x.1x.62, 227
> Thu Jun 1 13:13:35 2006: DEBUG: do query is: 'delete from
> RADONLINEDIALUP where username = 'qsdfqsdf'':
>
> Thu Jun 1 13:13:35 2006: DEBUG: Handling with Radius::AuthSQL
> Thu Jun 1 13:13:35 2006: DEBUG: Handling with Radius::AuthSQL:
> Thu Jun 1 13:13:35 2006: DEBUG: Query is: 'select '' as password,
> '' as checkattr,'' as replyattr from SUBSCRIBERS limit 1':
>
> Thu Jun 1 13:13:35 2006: DEBUG: Radius::AuthSQL looks for match
> with qsdfqsdf
> Thu Jun 1 13:13:35 2006: DEBUG: Query is: 'select nasidentifier,
> nasport, acctsessionid, framedipaddress from RADONLINEDIALUP where
> username='qsdfqsdf'':
>
> Thu Jun 1 13:13:35 2006: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Jun 1 13:13:35 2006: DEBUG: Access accepted for qsdfqsdf
> Thu Jun 1 13:13:35 2006: DEBUG: do query is: 'insert into
> RADAUTHLOG (time_stamp, username, password, type, typemsg, reason,
> service, time_stamphr, severity, clientipaddress, nasipaddress)
> VALUES (1149182015, 'qsdfqsdf', '', 1, 'OK', NULL, 'free', 'Jun 1,
> 2006 13:13:35', 0,'213.x.x.33','213.x.x.62')':
>
> Thu Jun 1 13:13:35 2006: DEBUG: Packet dump:
> *** Sending to 213.x.160.33 port 1645 ....
> Code: Access-Accept
> Identifier: 41
> Authentic: <147><248><182><3>?<127><200><29>h<202><174>?<139>"<160>R
> Attributes:
>
> --
>
> Regards,
> Sincerely Yours,
>
> Uday K. MOORJANI
> Systems Technician
> -------------------
> MEDIASERV.NET SARL
> 6,Tour Cécid
> Place de la Rénovation
> 97110 POINTE A PITRE
> GUADELOUPE (F.W.I)
> -------------------
> 00(590)590571015
> umoorjani at mediaserv.net
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
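An added illustration of Hugh's diagnosis (a hand-written model, not Radiator's own code): Handlers are tried in configuration order, the first one whose check items all match wins, and a Handler with no check items is the catch-all, so a bare User-Name with no "@realm" suffix never satisfies Realm=forfait and lands in the default Handler. The block also models Hugh's second option, keying the Handlers on Called-Station-Id alone; the Handler names, the dict layout and the sample requests are assumptions of mine.

```python
# Added example, not Radiator's own code: a minimal model of Handler selection.
# Assumed behaviour: Handlers are tried in configuration order, the first one
# whose check items all match the request wins, and a Handler with no check
# items matches every request (the Handler '' seen in the debug log).
# The Realm check item is compared with the part of User-Name after '@'.

def realm_of(username):
    """Realm suffix of a User-Name ('' when the name carries no '@realm')."""
    _, sep, realm = username.partition("@")
    return realm if sep else ""

def handler_matches(check_items, request):
    """True when every check item equals the matching request attribute."""
    for attr, wanted in check_items.items():
        if attr == "Realm":
            actual = realm_of(request.get("User-Name", ""))
        else:
            actual = request.get(attr)
        if actual != wanted:
            return False
    return True

def select_handler(handlers, request):
    """Name of the first Handler whose check items match, or None."""
    for name, check_items in handlers:
        if handler_matches(check_items, request):
            return name
    return None

# The two Handlers from the quoted config plus the catch-all default Handler.
HANDLERS_WITH_REALM = [
    ("forfait", {"Called-Station-Id": "xx68572624", "Realm": "forfait"}),
    ("free", {"Called-Station-Id": "xx60572624", "Realm": "free"}),
    ("", {}),  # default Handler: no check items, so it matches anything
]

# Hugh's second option: key the Handlers on Called-Station-Id only, and give
# the catch-all an explicit name so unrelated requests are not silently accepted.
HANDLERS_BY_NUMBER = [
    ("forfait", {"Called-Station-Id": "xx68572624"}),
    ("free", {"Called-Station-Id": "xx60572624"}),
    ("reject-others", {}),
]

# Constructed requests using the attributes from the quoted packet dump.
REQ_BARE = {"User-Name": "qsdfqsdf", "Called-Station-Id": "xx68572624"}
REQ_REALM = {"User-Name": "qsdfqsdf@forfait", "Called-Station-Id": "xx68572624"}

if __name__ == "__main__":
    print(select_handler(HANDLERS_WITH_REALM, REQ_BARE))   # -> '' (default)
    print(select_handler(HANDLERS_WITH_REALM, REQ_REALM))  # -> 'forfait'
    print(select_handler(HANDLERS_BY_NUMBER, REQ_BARE))    # -> 'forfait'
```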