(RADIATOR) Airespace Mac-addr MySql problem

Hugh Irvine hugh at open.com.au
Thu May 31 00:24:10 CDT 2007


Hello Michael -

Can you please send me the shared secrets for the two cases?

The passwords in the two cases appear to be different.

You can also try testing with radpwtst to verify what is happening.

I see that you have defined an AuthSelect statement, but no
AuthColumnDefs - is this what you mean to do?

By default Radiator will use the results of the AuthSelect to check
the password against the first column, check items against the
second column and use the third column for reply attributes.

Can you also send us the results of the AuthSelect when it is run by
hand?

regards

Hugh
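An added example, not code from the original post or from Radiator, for the comparison Hugh is asking for. It parses the two Access-Request hex dumps Michael quotes below (autonomous AP, identifier 148, and WiSM controller, identifier 99) and recovers the User-Password each NAS sent, using the RFC 2865 section 5.2 scheme: the password is NUL-padded to 16-octet blocks and each block is XORed with MD5(shared secret || previous ciphertext block), the Request Authenticator serving as the "previous block" for the first one. That is why the shared secrets are needed to see what the two devices actually sent. The secrets are not on the page, so SECRET is an assumed value used only for the round-trip check; substitute the real ones to decode the quoted dumps. Two things the dumps themselves show and the code surfaces: the WiSM request carries an all-zero Request Authenticator, so its first keystream block is just MD5(secret) and the same password obfuscates to the same bytes on every request (RFC 2865 expects the authenticator to be unpredictable); and, as quoted, the WiSM dump is one octet longer than its Length field of 172 (the last line has 13 octets where 12 would complete the packet), which the parser reports instead of silently misreading the tail.

```python
# Added example (not from the original post or from Radiator): parse the two
# Access-Request dumps quoted below and recover User-Password per RFC 2865 5.2.
import hashlib
import struct

USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
SECRET = b"assumed-shared-secret"  # assumption: the real secrets are not on the page

# Hex copied from the dumps quoted below (autonomous AP id 148, WiSM id 99).
AUTONOMOUS_AP_HEX = """
01 94 00 c0 4e c2 e7 be 5d 08 6b 0a b9 58 ea c0
64 c4 c9 0e 01 0e 30 30 31 39 64 32 64 36 36 61
37 32 02 12 95 2c cb 7b 3d 84 c1 2b c8 6b 62 2c
24 ef 22 d8 1e 13 30 30 2d 31 41 2d 33 30 2d 33
30 2d 42 33 2d 42 30 1f 13 30 30 2d 31 39 2d 44
32 2d 44 36 2d 36 41 2d 37 32 1a 1d 00 00 00 09
01 17 73 73 69 64 3d 55 41 4e 41 2d 49 54 52 2d
54 65 73 74 69 6e 67 1a 18 00 00 37 2a 02 12 55
4e 4b 4e 4f 57 4e 20 4c 4f 43 41 54 49 4f 4e 06
06 00 00 00 01 3d 06 00 00 00 13 1a 0b 00 00 00
09 02 05 36 32 39 05 06 00 00 02 75 04 06 ac 1f
07 0b 20 0e 73 62 2d 62 65 32 30 2d 34 2d 61 70
"""
WISM_HEX = """
01 63 00 ac 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 01 0e 30 30 31 39 64 32 64 36 36 61
37 32 1e 24 30 30 2d 31 61 2d 33 30 2d 33 30 2d
37 32 2d 63 30 3a 55 41 4e 41 2d 49 54 52 2d 54
65 73 74 69 6e 67 1f 13 30 30 2d 31 39 2d 64 32
2d 64 36 2d 36 61 2d 37 32 05 06 00 00 00 1d 04
06 ac 1f 03 02 20 08 57 69 73 6d 42 31 1a 0c 00
00 37 63 01 06 00 00 00 04 02 12 92 23 35 5b b6
9f ef 23 03 b7 4c 94 b2 f8 e4 0d 06 06 00 00 00
0a 0c 06 00 00 05 14 3d 06 00 00 00 13 40 06 00
00 00 00 0d 41 06 00 00 00 06 51 03 32
"""

def pad_block(secret, prev):
    """Keystream block MD5(secret || previous block); the first 'previous block'
    is the Request Authenticator, so an all-zero one gives a constant MD5(secret)."""
    return hashlib.md5(secret + prev).digest()

def parse_packet(hex_dump, strict=True):
    """Return code, id, authenticator and (type, value) attributes.
    Inconsistencies are raised (strict) or returned under 'problems'."""
    data = bytes.fromhex("".join(hex_dump.split()))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length %d inconsistent with %d-byte dump" % (length, len(data)))
    problems, attrs, pos = [], [], 20
    if length != len(data):  # RFC 2865 section 3: octets past Length are padding
        problems.append("%d octet(s) beyond Length=%d" % (len(data) - length, length))
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            problems.append("malformed attribute at offset %d" % pos)
            break
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    if strict and problems:
        raise ValueError("; ".join(problems))
    return {"code": code, "id": ident, "authenticator": data[4:20],
            "attrs": attrs, "problems": problems}

def first_attr(pkt, typ):
    """Value of the first attribute of type typ, or None."""
    return next((v for t, v in pkt["attrs"] if t == typ), None)

def _chain(secret, authenticator, data, chain_on_output):
    """XOR chain of 5.2: encryption chains on its output, decryption on its input."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad_block(secret, prev)))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return bytes(out)

def encrypt_user_password(secret, authenticator, password):
    """What a NAS sends: NUL-pad to a multiple of 16 octets, then chain."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _chain(secret, authenticator, padded, True)

def decrypt_user_password(secret, authenticator, ciphertext):
    """Server-side inverse, NUL padding stripped."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    return _chain(secret, authenticator, ciphertext, False).rstrip(b"\x00")

def authenticator_is_zero(pkt):
    """True for the WiSM dump: equal passwords then yield equal ciphertext every request."""
    return pkt["authenticator"] == bytes(16)

if __name__ == "__main__":
    for name, dump in (("autonomous AP", AUTONOMOUS_AP_HEX), ("WiSM", WISM_HEX)):
        pkt = parse_packet(dump, strict=False)
        print(name, first_attr(pkt, SERVICE_TYPE).hex(), authenticator_is_zero(pkt), pkt["problems"],
              decrypt_user_password(SECRET, pkt["authenticator"], first_attr(pkt, USER_PASSWORD)))
```

Run as-is it prints the Service-Type of each request (0x01 Login-User from the autonomous AP, 0x0a Call-Check from the WiSM), whether the authenticator is zero, any dump inconsistencies, and the password decoded under the assumed secret. With the real secret for each NAS in place of SECRET, the two decoded values can be compared byte for byte against the macaddr column the AuthSelect returns, which is exactly the check Radiator is making when it logs "Bad Password".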


On 30 May 2007, at 12:32, Michael Harlow wrote:

>
> Hi,
>
> I've been using Radiator for some years now, and perform both username and
> mac address filtering. When I use a Cisco "stand-alone" access point, things
> are just fine. Below is the Access Request, and MySQL lookup of my mac-addr
> to validate my connection. After this (not shown) normal username/pass
> against LDAP is performed. All is well.
>
> However, when I try and use our new light-weight access points, through an
> Airespace/Cisco controller (WiSM), there are problems. If I disable the
> mac-addr checks, the LDAP authentication works just fine. It is when I add
> the mac-addr check in, that it is rejected. I have looked at log files at
> high debug, and actual packet sniffs with wireshark, and the MySQL requests
> are identical, and return the same value. However, the logic within Radiator
> fails the comparison and rejects the request. I've attached below debugs of
> this as well.
>
> Does anyone know what is going wrong?
>
> Thanks, Michael.
>
> (PS. I upgraded to Radiator 3.17.1, with no extra patches)
>
> #######################
>
> Valid/Successful mac-addr check from autonomous AP
> This is the handler
>
> <Handler User-Name=/[0-9a-f]{12}/,cisco-avpair="ssid=UANA-ITR-Testing">
>         <AuthBy SQL>
>                 DBSource dbi:mysql:database=xxx;host=xxx
>                 DBUsername xxx
>                 DBAuth xxx
>                 PostAuthSelectHook file:"/etc/radiator/mac_addr_case_change.pl"
>                 AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = %0
>         </AuthBy SQL>
> </Handler>
>
>
> Wed May 30 11:26:05 2007: DEBUG: Packet dump:
> *** Received from 172.31.7.11 port 1645 ....
>
> Packet length = 192
> 01 94 00 c0 4e c2 e7 be 5d 08 6b 0a b9 58 ea c0
> 64 c4 c9 0e 01 0e 30 30 31 39 64 32 64 36 36 61
> 37 32 02 12 95 2c cb 7b 3d 84 c1 2b c8 6b 62 2c
> 24 ef 22 d8 1e 13 30 30 2d 31 41 2d 33 30 2d 33
> 30 2d 42 33 2d 42 30 1f 13 30 30 2d 31 39 2d 44
> 32 2d 44 36 2d 36 41 2d 37 32 1a 1d 00 00 00 09
> 01 17 73 73 69 64 3d 55 41 4e 41 2d 49 54 52 2d
> 54 65 73 74 69 6e 67 1a 18 00 00 37 2a 02 12 55
> 4e 4b 4e 4f 57 4e 20 4c 4f 43 41 54 49 4f 4e 06
> 06 00 00 00 01 3d 06 00 00 00 13 1a 0b 00 00 00
> 09 02 05 36 32 39 05 06 00 00 02 75 04 06 ac 1f
> 07 0b 20 0e 73 62 2d 62 65 32 30 2d 34 2d 61 70
> Code:       Access-Request
> Identifier: 148
> Authentic:  N<194><231><190>]<8>k<10><185>X<234><192>d<196><201><14>
> Attributes:
>         User-Name = "0019d2d66a72"
>         User-Password = <149>,<203>{=<132><193>+<200>kb,$<239>"<216>
>         Called-Station-Id = "00-1A-30-30-B3-B0"
>         Calling-Station-Id = "00-19-D2-D6-6A-72"
>         cisco-avpair = "ssid=UANA-ITR-Testing"
>         WISPr-Location-Name = "UNKNOWN LOCATION"
>         Service-Type = Login-User
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Cisco-NAS-Port = "629"
>         NAS-Port = 629
>         NAS-IP-Address = 172.31.7.11
>         NAS-Identifier = "sb-be20-4-ap"
>
> Wed May 30 11:26:05 2007: DEBUG: Handling request with Handler 'User-Name=/[0-9a-f]{12}/,cisco-avpair="ssid=UANA-ITR-Testing"'
> Wed May 30 11:26:05 2007: DEBUG:  Deleting session for 0019d2d66a72, 172.31.7.11, 629
> Wed May 30 11:26:05 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.7.11' and NASPORT=0629':
> Wed May 30 11:26:05 2007: DEBUG: Handling with Radius::AuthSQL
> Wed May 30 11:26:05 2007: DEBUG: Handling with Radius::AuthSQL:
> Wed May 30 11:26:05 2007: DEBUG: Query is: 'SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = '0019d2d66a72'':
> Wed May 30 11:26:05 2007: DEBUG: Radius::AuthSQL looks for match with 0019d2d66a72 [0019d2d66a72]
> Wed May 30 11:26:05 2007: DEBUG: Radius::AuthSQL ACCEPT: : 0019d2d66a72 [0019d2d66a72]
> Wed May 30 11:26:05 2007: DEBUG: AuthBy SQL result: ACCEPT,
> Wed May 30 11:26:05 2007: DEBUG: Access accepted for 0019d2d66a72
> Wed May 30 11:26:05 2007: DEBUG: Packet dump:
> *** Sending to 172.31.7.11 port 1645 ....
>
> Packet length = 20
> 02 94 00 14 40 c0 c4 0d 46 7d 61 7c 49 80 dc 36
> 17 9a 36 82
> Code:       Access-Accept
> Identifier: 148
> Authentic:  N<194><231><190>]<8>k<10><185>X<234><192>d<196><201><14>
> Attributes:
>
>
> #########################################
>
> This is a request from a lightweight access point controller:
> The handler:
>
> <Handler User-Name=/[0-9a-f]{12}/,Called-Station-Id=/:UANA-ITR-Testing$/>
>         <AuthBy SQL>
>                 DBSource dbi:mysql:database=xxx;host=xxx
>                 DBUsername xxx
>                 DBAuth xxx
>                 PostAuthSelectHook file:"/etc/radiator/mac_addr_case_change.pl"
>                 AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = %0
>         </AuthBy SQL>
> </Handler>
>
>
>
> Packet length = 172
> 01 63 00 ac 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 01 0e 30 30 31 39 64 32 64 36 36 61
> 37 32 1e 24 30 30 2d 31 61 2d 33 30 2d 33 30 2d
> 37 32 2d 63 30 3a 55 41 4e 41 2d 49 54 52 2d 54
> 65 73 74 69 6e 67 1f 13 30 30 2d 31 39 2d 64 32
> 2d 64 36 2d 36 61 2d 37 32 05 06 00 00 00 1d 04
> 06 ac 1f 03 02 20 08 57 69 73 6d 42 31 1a 0c 00
> 00 37 63 01 06 00 00 00 04 02 12 92 23 35 5b b6
> 9f ef 23 03 b7 4c 94 b2 f8 e4 0d 06 06 00 00 00
> 0a 0c 06 00 00 05 14 3d 06 00 00 00 13 40 06 00
> 00 00 0d 41 06 00 00 00 06 51 03 32
> Code:       Access-Request
> Identifier: 99
> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Attributes:
>         User-Name = "0019d2d66a72"
>         Called-Station-Id = "00-1a-30-30-72-c0:UANA-ITR-Testing"
>         Calling-Station-Id = "00-19-d2-d6-6a-72"
>         NAS-Port = 29
>         NAS-IP-Address = 172.31.3.2
>         NAS-Identifier = "WismB1"
>         Airespace-WLAN-Id = 4
>         User-Password = <146>#5[<182><159><239>#<3><183>L<148><178><248><228><13>
>         Service-Type = Call-Check
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 2
>
> Wed May 30 12:05:09 2007: DEBUG: Handling request with Handler 'User-Name=/[0-9a-f]{12}/,Called-Station-Id=/:UANA-ITR-Testing$/'
> Wed May 30 12:05:09 2007: DEBUG:  Deleting session for 0019d2d66a72, 172.31.3.2, 29
> Wed May 30 12:05:09 2007: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='172.31.3.2' and NASPORT=029':
> Wed May 30 12:05:09 2007: DEBUG: Handling with Radius::AuthSQL
> Wed May 30 12:05:09 2007: DEBUG: Handling with Radius::AuthSQL:
> Wed May 30 12:05:09 2007: DEBUG: Query is: 'SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = '0019d2d66a72'':
> Wed May 30 12:05:09 2007: DEBUG: Radius::AuthSQL looks for match with 0019d2d66a72 [0019d2d66a72]
> Wed May 30 12:05:09 2007: DEBUG: Radius::AuthSQL REJECT: Bad Password: 0019d2d66a72 [0019d2d66a72]
> Wed May 30 12:05:09 2007: DEBUG: Query is: 'SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = 'DEFAULT'':
> Wed May 30 12:05:09 2007: DEBUG: AuthBy SQL result: REJECT, Bad Password
> Wed May 30 12:05:09 2007: INFO: Access rejected for 0019d2d66a72: Bad Password
> Wed May 30 12:05:09 2007: DEBUG: Packet dump:
> *** Sending to 172.31.3.2 port 32769 ....
>
> Packet length = 36
> 03 63 00 24 65 83 c2 da c0 69 17 f0 50 98 dd 46
> b1 9d 34 e9 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 99
> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Attributes:
>         Reply-Message = "Request Denied"
>
>
>
> ############################################
>
> Again, these are the two handlers, side by side for comparison.
> The SQL statements are identical, and return the same value (from direct
> calls of the SQL, and packet traces)
>
>
> <Handler User-Name=/[0-9a-f]{12}/,cisco-avpair="ssid=UANA-ITR-Testing">
>         <AuthBy SQL>
>                 DBSource dbi:mysql:database=uanareplicateddev;host=mysql.its.utas.edu.au
>                 DBUsername radiator
>                 DBAuth r at d!at0r
>                 PostAuthSelectHook file:"/etc/radiator/mac_addr_case_change.pl"
>                 AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = %0
>         </AuthBy SQL>
> </Handler>
>
>
> <Handler User-Name=/[0-9a-f]{12}/,Called-Station-Id=/:UANA-ITR-Testing$/>
>         <AuthBy SQL>
>                 DBSource dbi:mysql:database=uanareplicateddev;host=mysql.its.utas.edu.au
>                 DBUsername radiator
>                 DBAuth r at d!at0r
>                 PostAuthSelectHook file:"/etc/radiator/mac_addr_case_change.pl"
>                 AuthSelect SELECT macaddr FROM uanaclientlist JOIN apUser ON apUser.username=uanaclientlist.username WHERE apUser.accesspoint = 'UANA-ITR-Testing' AND macaddr = %0
>         </AuthBy SQL>
> </Handler>
>
>
>
> --------------------------------------------
> Michael Harlow                Private Bag 69
> Network Engineer        Hobart Tasmania 7001
> IT Resources                Ph  03 6226 1812
> University of Tasmania      Mob 0438 26 1812
> Michael.Harlow at utas.edu.au  Fx  03 6226 7171
> --------------------------------------------
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

