(RADIATOR) Airespace Mac-addr MySql problem

Michael Harlow Michael.Harlow at utas.edu.au
Tue May 29 21:32:10 CDT 2007


Hi,

I've been using Radiator for some years now, and perform both username and
mac address filtering. When I use a Cisco "stand-alone" access point, things
are just fine. Below is the Access Request, and MySQL lookup of my mac-addr
to validate my connection. After this (not shown) normal username/pass
against LDAP is performed. All is well.

However, when I try to use our new light-weight access points, through an
Airespace/Cisco controller (WiSM), there are problems. If I disable the
mac-addr checks, the LDAP authentication works just fine. It is when I add
the mac-addr check in that it is rejected. I have looked at log files at
high debug, and actual packet sniffs with Wireshark, and the MySQL requests
are identical, and return the same value. However, the logic within Radiator
fails the comparison and rejects the request. I've attached below debugs of
this as well.

Does anyone know what is going wrong?

Thanks, Michael.

(PS. I upgraded to Radiator 3.17.1, with no extra patches)

#######################

Valid/Successful mac-addr check from autonomous AP
This is the handler

<Handler User-Name=/[0-9a-f]{12}/,cisco-avpair="ssid=UANA-ITR-Testing">
        <AuthBy SQL>
                DBSource dbi:mysql:database=xxx;host=xxx
                DBUsername xxx
                DBAuth xxx
                PostAuthSelectHook
file:"/etc/radiator/mac_addr_case_change.pl"
                AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON
apUser.username=uanaclientlist.username WHERE apUser.accesspoint =
'UANA-ITR-Testing' AND macaddr = %0
        </AuthBy SQL>
</Handler>


Wed May 30 11:26:05 2007: DEBUG: Packet dump:
*** Received from 172.31.7.11 port 1645 ....

Packet length = 192
01 94 00 c0 4e c2 e7 be 5d 08 6b 0a b9 58 ea c0
64 c4 c9 0e 01 0e 30 30 31 39 64 32 64 36 36 61
37 32 02 12 95 2c cb 7b 3d 84 c1 2b c8 6b 62 2c
24 ef 22 d8 1e 13 30 30 2d 31 41 2d 33 30 2d 33
30 2d 42 33 2d 42 30 1f 13 30 30 2d 31 39 2d 44
32 2d 44 36 2d 36 41 2d 37 32 1a 1d 00 00 00 09
01 17 73 73 69 64 3d 55 41 4e 41 2d 49 54 52 2d
54 65 73 74 69 6e 67 1a 18 00 00 37 2a 02 12 55
4e 4b 4e 4f 57 4e 20 4c 4f 43 41 54 49 4f 4e 06
06 00 00 00 01 3d 06 00 00 00 13 1a 0b 00 00 00
09 02 05 36 32 39 05 06 00 00 02 75 04 06 ac 1f
07 0b 20 0e 73 62 2d 62 65 32 30 2d 34 2d 61 70
Code:       Access-Request
Identifier: 148
Authentic:  N<194><231><190>]<8>k<10><185>X<234><192>d<196><201><14>
Attributes:
        User-Name = "0019d2d66a72"
        User-Password = <149>,<203>{=<132><193>+<200>kb,$<239>"<216>
        Called-Station-Id = "00-1A-30-30-B3-B0"
        Calling-Station-Id = "00-19-D2-D6-6A-72"
        cisco-avpair = "ssid=UANA-ITR-Testing"
        WISPr-Location-Name = "UNKNOWN LOCATION"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-IEEE-802-11
        Cisco-NAS-Port = "629"
        NAS-Port = 629
        NAS-IP-Address = 172.31.7.11
        NAS-Identifier = "sb-be20-4-ap"

Wed May 30 11:26:05 2007: DEBUG: Handling request with Handler
'User-Name=/[0-9a-f]{12}/,cisco-avpair="ssid=UANA-ITR-Testing"'
Wed May 30 11:26:05 2007: DEBUG:  Deleting session for 0019d2d66a72,
172.31.7.11, 629
Wed May 30 11:26:05 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.7.11' and NASPORT=0629':
Wed May 30 11:26:05 2007: DEBUG: Handling with Radius::AuthSQL
Wed May 30 11:26:05 2007: DEBUG: Handling with Radius::AuthSQL:
Wed May 30 11:26:05 2007: DEBUG: Query is: 'SELECT macaddr FROM
uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE
apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = '0019d2d66a72'':
Wed May 30 11:26:05 2007: DEBUG: Radius::AuthSQL looks for match with
0019d2d66a72 [0019d2d66a72]
Wed May 30 11:26:05 2007: DEBUG: Radius::AuthSQL ACCEPT: : 0019d2d66a72
[0019d2d66a72]
Wed May 30 11:26:05 2007: DEBUG: AuthBy SQL result: ACCEPT,
Wed May 30 11:26:05 2007: DEBUG: Access accepted for 0019d2d66a72
Wed May 30 11:26:05 2007: DEBUG: Packet dump:
*** Sending to 172.31.7.11 port 1645 ....

Packet length = 20
02 94 00 14 40 c0 c4 0d 46 7d 61 7c 49 80 dc 36
17 9a 36 82
Code:       Access-Accept
Identifier: 148
Authentic:  N<194><231><190>]<8>k<10><185>X<234><192>d<196><201><14>
Attributes:


#########################################

This is a request from a lightweight access point controller:
The handler:

<Handler User-Name=/[0-9a-f]{12}/,Called-Station-Id=/:UANA-ITR-Testing$/>
        <AuthBy SQL>
                DBSource dbi:mysql:database=xxx;host=xxx
                DBUsername xxx
                DBAuth xxx
                PostAuthSelectHook
file:"/etc/radiator/mac_addr_case_change.pl"
                AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON
apUser.username=uanaclientlist.username WHERE apUser.accesspoint =
'UANA-ITR-Testing' AND macaddr = %0
        </AuthBy SQL>
</Handler>



Packet length = 172
01 63 00 ac 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 01 0e 30 30 31 39 64 32 64 36 36 61
37 32 1e 24 30 30 2d 31 61 2d 33 30 2d 33 30 2d
37 32 2d 63 30 3a 55 41 4e 41 2d 49 54 52 2d 54
65 73 74 69 6e 67 1f 13 30 30 2d 31 39 2d 64 32
2d 64 36 2d 36 61 2d 37 32 05 06 00 00 00 1d 04
06 ac 1f 03 02 20 08 57 69 73 6d 42 31 1a 0c 00
00 37 63 01 06 00 00 00 04 02 12 92 23 35 5b b6
9f ef 23 03 b7 4c 94 b2 f8 e4 0d 06 06 00 00 00
0a 0c 06 00 00 05 14 3d 06 00 00 00 13 40 06 00
00 00 0d 41 06 00 00 00 06 51 03 32
Code:       Access-Request
Identifier: 99
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
        User-Name = "0019d2d66a72"
        Called-Station-Id = "00-1a-30-30-72-c0:UANA-ITR-Testing"
        Calling-Station-Id = "00-19-d2-d6-6a-72"
        NAS-Port = 29
        NAS-IP-Address = 172.31.3.2
        NAS-Identifier = "WismB1"
        Airespace-WLAN-Id = 4
        User-Password = <146>#5[<182><159><239>#<3><183>L<148><178><248><228><13>
        Service-Type = Call-Check
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-IEEE-802-11
        Tunnel-Type = 0:VLAN
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 2

Wed May 30 12:05:09 2007: DEBUG: Handling request with Handler
'User-Name=/[0-9a-f]{12}/,Called-Station-Id=/:UANA-ITR-Testing$/'
Wed May 30 12:05:09 2007: DEBUG:  Deleting session for 0019d2d66a72,
172.31.3.2, 29
Wed May 30 12:05:09 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.3.2' and NASPORT=029':
Wed May 30 12:05:09 2007: DEBUG: Handling with Radius::AuthSQL
Wed May 30 12:05:09 2007: DEBUG: Handling with Radius::AuthSQL:
Wed May 30 12:05:09 2007: DEBUG: Query is: 'SELECT macaddr FROM
uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE
apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = '0019d2d66a72'':
Wed May 30 12:05:09 2007: DEBUG: Radius::AuthSQL looks for match with
0019d2d66a72 [0019d2d66a72]
Wed May 30 12:05:09 2007: DEBUG: Radius::AuthSQL REJECT: Bad Password:
0019d2d66a72 [0019d2d66a72]
Wed May 30 12:05:09 2007: DEBUG: Query is: 'SELECT macaddr FROM
uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE
apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = 'DEFAULT'':
Wed May 30 12:05:09 2007: DEBUG: AuthBy SQL result: REJECT, Bad Password
Wed May 30 12:05:09 2007: INFO: Access rejected for 0019d2d66a72: Bad
Password
Wed May 30 12:05:09 2007: DEBUG: Packet dump:
*** Sending to 172.31.3.2 port 32769 ....

Packet length = 36
03 63 00 24 65 83 c2 da c0 69 17 f0 50 98 dd 46
b1 9d 34 e9 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 99
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
        Reply-Message = "Request Denied"



############################################

Again, these are the two handlers, side by side for comparison.
The SQL statements are identical, and return the same value (from direct
calls of the SQL, and packet traces)


<Handler User-Name=/[0-9a-f]{12}/,cisco-avpair="ssid=UANA-ITR-Testing">
        <AuthBy SQL>
                DBSource
dbi:mysql:database=uanareplicateddev;host=mysql.its.utas.edu.au
                DBUsername radiator
                DBAuth r at d!at0r
                PostAuthSelectHook
file:"/etc/radiator/mac_addr_case_change.pl"
                AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON
apUser.username=uanaclientlist.username WHERE apUser.accesspoint =
'UANA-ITR-Testing' AND macaddr = %0
        </AuthBy SQL>
</Handler>


<Handler User-Name=/[0-9a-f]{12}/,Called-Station-Id=/:UANA-ITR-Testing$/>
        <AuthBy SQL>
                DBSource
dbi:mysql:database=uanareplicateddev;host=mysql.its.utas.edu.au
                DBUsername radiator
                DBAuth r at d!at0r
                PostAuthSelectHook
file:"/etc/radiator/mac_addr_case_change.pl"
                AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON
apUser.username=uanaclientlist.username WHERE apUser.accesspoint =
'UANA-ITR-Testing' AND macaddr = %0
        </AuthBy SQL>
</Handler>



--------------------------------------------
Michael Harlow                Private Bag 69
Network Engineer        Hobart Tasmania 7001
IT Resources                Ph  03 6226 1812
University of Tasmania      Mob 0438 26 1812
Michael.Harlow at utas.edu.au  Fx  03 6226 7171
--------------------------------------------
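Added example, not code from the post above or from Radiator: a decoder for the WiSM Access-Request hex dump quoted in the post, plus the RFC 2865 section 5.2 User-Password hiding so the effect of the framing it reveals can be tried out. The packet bytes are copied from the dump in the post; decoding them shows the Service-Type is Call-Check (the autonomous AP sent Login-User) and that the Request Authenticator is sixteen zero octets, which RFC 2865 requires to be unpredictable per request. The shared secret "testing123" and the second MAC "aabbccddeeff" used at the end are constructed for illustration; the real secret is not on the page, so the real User-Password from the dump is not recovered here.

```python
"""Decode the WiSM Access-Request quoted above and check its RADIUS framing.

Added example, not code from the original post or from Radiator.  The packet
bytes are copied from the hex dump in the post.  The shared secret and the
second MAC used at the end are constructed for illustration: the real secret
is not on the page, so the real User-Password cannot be recovered here.
"""
import hashlib
import re
import struct

# Hex dump of the WiSM Access-Request exactly as Radiator printed it (from the post).
WISM_DUMP = """
01 63 00 ac 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 01 0e 30 30 31 39 64 32 64 36 36 61
37 32 1e 24 30 30 2d 31 61 2d 33 30 2d 33 30 2d
37 32 2d 63 30 3a 55 41 4e 41 2d 49 54 52 2d 54
65 73 74 69 6e 67 1f 13 30 30 2d 31 39 2d 64 32
2d 64 36 2d 36 61 2d 37 32 05 06 00 00 00 1d 04
06 ac 1f 03 02 20 08 57 69 73 6d 42 31 1a 0c 00
00 37 63 01 06 00 00 00 04 02 12 92 23 35 5b b6
9f ef 23 03 b7 4c 94 b2 f8 e4 0d 06 06 00 00 00
0a 0c 06 00 00 05 14 3d 06 00 00 00 13 40 06 00
00 00 0d 41 06 00 00 00 06 51 03 32
"""

# Subset of the RFC 2865/2868 dictionary needed for this packet.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 12: "Framed-MTU",
              26: "Vendor-Specific", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
STRING_ATTRS = {1, 30, 31, 32, 81}
INTEGER_ATTRS = {5, 6, 12, 61}
TAGGED_ATTRS = {64, 65}          # RFC 2868: first octet is the tag
SERVICE_TYPES = {1: "Login-User", 10: "Call-Check"}


def parse_dump(dump):
    """Turn Radiator's spaced hex dump into raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", dump))


def parse_radius(pkt):
    """Return code, id, authenticator and a [(name, value)] list; reject bad framing."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):            # RFC 2865 3: Length must match the datagram
        raise ValueError(f"Length field {length} != {len(pkt)} octets received")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        raw = pkt[pos + 2:pos + alen]
        if atype in STRING_ATTRS:
            value = raw.decode("ascii")
        elif atype in INTEGER_ATTRS:
            value = struct.unpack("!I", raw)[0]
            value = SERVICE_TYPES.get(value, value) if atype == 6 else value
        elif atype in TAGGED_ATTRS:
            value = (raw[0], int.from_bytes(raw[1:], "big"))
        elif atype == 4:
            value = ".".join(str(b) for b in raw)
        elif atype == 26:                 # VSA: vendor id, vendor type, vendor length, data
            vendor, vtype, vlen = struct.unpack("!IBB", raw[:6])
            data = raw[6:4 + vlen]
            value = (vendor, vtype, int.from_bytes(data, "big") if len(data) == 4 else data)
        else:
            value = raw                   # User-Password stays opaque without the secret
        attrs.append((ATTR_NAMES.get(atype, atype), value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def authenticator_is_zero(authenticator):
    """RFC 2865 3 requires the Request Authenticator to be unpredictable per request."""
    return authenticator == bytes(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2 hiding: MD5(secret + previous block) XOR each 16-octet block."""
    padded = password + bytes(-len(password) % 16) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def recover_via_reused_pad(known_password, known_hidden, other_hidden):
    """With a constant Request Authenticator the first-block pad MD5(secret + RA) is the
    same in every request, so one known password exposes the first 16 octets of any other
    password hidden under the same secret, without knowing the secret at all."""
    pad = _xor(known_hidden[:16], known_password.ljust(16, b"\0"))
    return _xor(other_hidden[:16], pad).rstrip(b"\0")


if __name__ == "__main__":
    req = parse_radius(parse_dump(WISM_DUMP))
    print(f"code={req['code']} id={req['id']} "
          f"zero_authenticator={authenticator_is_zero(req['authenticator'])}")
    for name, value in req["attrs"]:
        print(f"  {name} = {value!r}")
    # Constructed secret and second MAC (assumptions, not values from the post).
    secret, ra = b"testing123", bytes(16)
    c1 = hide_password(secret, ra, b"0019d2d66a72")
    c2 = hide_password(secret, ra, b"aabbccddeeff")
    print("recovered from reused pad:", recover_via_reused_pad(b"0019d2d66a72", c1, c2))
```

Running it lists the same attributes Radiator printed (Called-Station-Id "00-1a-30-30-72-c0:UANA-ITR-Testing", Service-Type Call-Check, Airespace vendor 14179 attribute 1 = 4) and reports the zero authenticator. The last function is the reason that matters: under a fixed Request Authenticator the User-Password hiding degenerates to a fixed XOR pad per shared secret for the first block, so a MAC-as-password scheme leaks every station's MAC to anyone who can see the RADIUS traffic and knows one, independent of how strong the secret is.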
 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.