(RADIATOR) AuthenticateAttribute question
Markus Moeller
huaraz at moeller.plus.com
Tue Feb 5 17:39:21 CST 2008
Hugh,
Sorry, I had an error in my config, which is why the <AuthBy File> check for
My-Mac-Address didn't work.
But I also have the PAMAuthentication part, which is:
<AuthBy PAM>
Identifier PAMAuthentication
AuthenticateAttribute User-Mail
Service rad_mail
</AuthBy>
and I still get fred as the user to authenticate. I added a pam_syslog line
to pam to log the arguments and I get
Feb 5 23:29:48 testbox pam_syslog[15401]: [ID 518756 auth.debug] User: fred, Ruser: unknown, TTY: unknown/no tty, Service: rad_mail, Rhost: unknown
BTW I get the same when I use the test radius client.
# /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg -trace 5 -foreground -log_stdout
Tue Feb 5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
Tue Feb 5 22:56:28 2008: NOTICE: Reading clients file /etc/raddb/clients
Tue Feb 5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Tue Feb 5 22:56:29 2008: DEBUG: Finished reading configuration file '/etc/raddb/radius.cfg'
Tue Feb 5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/raddb/dictionary'
Tue Feb 5 22:56:29 2008: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Feb 5 22:56:29 2008: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Feb 5 22:56:29 2008: NOTICE: Server started: Radiator 4.0 on testbox
Tue Feb 5 22:56:47 2008: DEBUG: New TacacsplusConnection created for 192.168.10.1:11556
Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2170462350, 25
Tue Feb 5 22:56:47 2008: DEBUG: TacacsPlus request packet dump:
c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390ecb6a94
Tue Feb 5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
Tue Feb 5 22:56:47 2008: DEBUG: TacacsPlus request decrypted body:
0101010100050c01747479513831302e3132382e35352e3233
Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty18, 192.168.1.1
Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2170462350, 11
Tue Feb 5 22:56:51 2008: DEBUG: TacacsPlus request packet dump:
c0010300815ea08e0002000be41fbb70affee870f13cca
Tue Feb 5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
Tue Feb 5 22:56:51 2008: DEBUG: TacacsPlus request decrypted body:
00060000206d64656c6d61
Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, fred,
Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Tue Feb 5 22:56:53 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2170462350, 7
Tue Feb 5 22:56:53 2008: DEBUG: TacacsPlus request packet dump:
c0010500815fa08e00020007ce5cd6a44a36d9
Tue Feb 5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
Tue Feb 5 22:56:53 2008: DEBUG: TacacsPlus request decrypted body:
00021000004d6d
Tue Feb 5 22:56:53 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, mm,
Tue Feb 5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <29>Ix;?wb<170>s<254>(<240>G<237><203>u
Attributes:
NAS-IP-Address = 192.168.10.1
NAS-Port-Id = "tty18"
Calling-Station-Id = "192.168.1.1"
Service-Type = Login-User
Request-Protocol = TACACS+
User-Name = "fred"
User-Password = mm
Tue Feb 5 22:56:53 2008: DEBUG: Handling request with Handler ''
Tue Feb 5 22:56:53 2008: DEBUG: Deleting session for fred, 192.168.10.1,
Tue Feb 5 22:56:53 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthorisation
Tue Feb 5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
Tue Feb 5 22:56:53 2008: INFO: Attempting to bind to LDAP server 192.168.2.1:5636
Tue Feb 5 22:56:53 2008: DEBUG: LDAP got result for uid=fred,dc=test,dc=com
Tue Feb 5 22:56:53 2008: DEBUG: LDAP got mail: huaraz at moeller.plus.com
Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for match with fred [fred]
Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fred [fred]
Tue Feb 5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Feb 5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE: UserFilter
Tue Feb 5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with fred [fred]
Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fred [fred]
Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with DEFAULT [fred]
Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [fred]
Tue Feb 5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
Tue Feb 5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
Tue Feb 5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
Tue Feb 5 22:56:53 2008: DEBUG: Access accepted for fred
Tue Feb 5 22:56:53 2008: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: <29>Ix;?wb<170>s<254>(<240>G<237><203>u
Tue Feb 5 22:56:55 2008: DEBUG: TacacsplusConnection disconnected from 192.168.10.1:11559
Thank you
Markus
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, February 05, 2008 10:29 PM
Subject: Re: (RADIATOR) AuthenticateAttribute question
>
> Hello Markus -
>
> It would be most helpful to see a trace 4 debug showing what is
> happening.
>
> regards
>
> Hugh
>
>
> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
>
>> Hi
>>
>> I am trying to change the attribute used to authenticate a user/system. I have
>> the following setup, where my LDAP connection fills an attribute My-MAC-Address,
>> which is then checked against file entries. The problem I have is that I
>> still get the User-Name as the compare value, not My-MAC-Address. I did
>> include a PostAuthHook sub { print ${$_[0]}->get_attr('My-MAC-Address') ; }
>> and it has the correct MAC-Address.
>>
>> What could be the reason that I still compare the User-Name attribute?
>>
>> <AuthBy FILE>
>> Identifier MacFilter
>> AuthenticateAttribute My-MAC-Address
>> Filename %D/macs
>> </AuthBy>
>>
>> <Handler Device-Class=class1>
>> AddToRequestIfNotExist Request-Protocol=Radius
>> AuthByPolicy ContinueUntilReject
>> AuthBy LDAPMACAuthorisation
>> AuthBy MacFilter
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Handler>
>> <Handler>
>> AddToRequestIfNotExist Request-Protocol=Radius
>> AuthByPolicy ContinueUntilReject
>> AuthBy LDAPAuthorisation
>> AuthBy UserFilter
>> AuthBy PAMAuthentication
>> AuthLog LogAuthentication
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Handler>
>>
>> Thank you
>> Markus
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
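A decoder for the TACACS+ authentication exchange shown in the trace above (RFC 8907 header, authentication START and CONTINUE layouts), added here as an example; it is not part of the post and not Radiator code. The 12 header bytes are copied from the first "request packet dump" line in the trace; the plaintext bodies are constructed to match what the trace decoded (empty user in START, then "fred" and "mm" answered to the Username: and Password: prompts).

```python
"""Decode the TACACS+ authentication START/CONTINUE exchange from the Radiator trace."""
import struct

# Header copied from the trace's first packet dump. Only the body is obfuscated with
# the shared secret; the header is always sent in the clear, so it can be read as-is.
START_HEADER = bytes.fromhex("c0010100815ea08e00000019")


def parse_header(pkt: bytes) -> dict:
    """Return the fields Radiator logs as 'request version, type, seq_no, flags, session_id, length'."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def parse_authen_start(body: bytes) -> dict:
    """Authentication START body: 8 fixed bytes, then user, port, rem_addr, data."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    if off != len(body):  # length bytes must account for the whole body, or the packet is malformed
        raise ValueError("START body length does not match its length fields")
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode(), "data": data}


def parse_authen_continue(body: bytes) -> dict:
    """Authentication CONTINUE body: user_msg_len(2), data_len(2), flags(1), user_msg, data."""
    uml, dl, flags = struct.unpack("!HHB", body[:5])
    return {"flags": flags, "user_msg": body[5:5 + uml].decode(), "data": body[5 + uml:5 + uml + dl]}


# Constructed plaintext bodies (not the obfuscated ones from the trace) reproducing what it decoded:
# START with an empty user, port tty18 and rem_addr 192.168.1.1, then two CONTINUE replies.
START_BODY = struct.pack("!8B", 1, 1, 1, 1, 0, 5, 11, 0) + b"tty18" + b"192.168.1.1"
CONTINUE_USER = struct.pack("!HHB", 4, 0, 0) + b"fred"
CONTINUE_PASS = struct.pack("!HHB", 2, 0, 0) + b"mm"


def derive_radius_attrs(start: bytes, cont_user: bytes, cont_pass: bytes) -> dict:
    """Mirror how the trace maps the exchange onto the derived RADIUS Access-Request."""
    s = parse_authen_start(start)
    # An empty user in START means the server prompted for it; the CONTINUE reply supplies it.
    user = s["user"] or parse_authen_continue(cont_user)["user_msg"]
    return {"User-Name": user, "User-Password": parse_authen_continue(cont_pass)["user_msg"],
            "NAS-Port-Id": s["port"], "Calling-Station-Id": s["rem_addr"]}


if __name__ == "__main__":
    print(parse_header(START_HEADER))
    print(derive_radius_attrs(START_BODY, CONTINUE_USER, CONTINUE_PASS))
```

The derived User-Name is the string supplied in the CONTINUE reply, which is why every AuthBy in the trace, including AuthBy PAM, sees "fred" as the user.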