(RADIATOR) AuthenticateAttribute question

Hugh Irvine hugh at open.com.au
Wed Feb 6 03:47:57 CST 2008


Hello Markus -

Unfortunately the AuthBy PAM module does not currently support AuthenticateAttribute.

regards

Hugh


On 6 Feb 2008, at 10:39, Markus Moeller wrote:

> Hugh,
>
> Sorry, I had an error in my config, which is why the <AuthBy File> check for
> My-Mac-Address didn't work.
>
> But I also have the PAMAuthentication part, which is:
>
> <AuthBy PAM>
>        Identifier PAMAuthentication
>        AuthenticateAttribute User-Mail
>        Service rad_mail
> </AuthBy>
>
> and I still get fred as the user to authenticate. I added a pam_syslog line
> to pam to log the arguments, and I get:
> Feb  5 23:29:48 testbox pam_syslog[15401]: [ID 518756 auth.debug] User: fred, Ruser: unknown, TTY: unknown/no tty, Service: rad_mail, Rhost: unknown
>
> BTW I get the same when I use the test radius client.
>
> # /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg -trace 5 -foreground -log_stdout
> Tue Feb  5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
> Tue Feb  5 22:56:28 2008: NOTICE: Reading clients file /etc/raddb/clients
> Tue Feb  5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> Tue Feb  5 22:56:29 2008: DEBUG: Finished reading configuration file '/etc/raddb/radius.cfg'
> Tue Feb  5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/raddb/dictionary'
> Tue Feb  5 22:56:29 2008: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Feb  5 22:56:29 2008: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Feb  5 22:56:29 2008: NOTICE: Server started: Radiator 4.0 on testbox
> Tue Feb  5 22:56:47 2008: DEBUG: New TacacsplusConnection created for 192.168.10.1:11556
> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2170462350, 25
> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request packet dump: c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390ecb6a94
> Tue Feb  5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request decrypted body: 0101010100050c01747479513831302e3132382e35352e3233
> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty18, 192.168.1.1
> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2170462350, 11
> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request packet dump: c0010300815ea08e0002000be41fbb70affee870f13cca
> Tue Feb  5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request decrypted body: 00060000206d64656c6d61
> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, fred,
> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2170462350, 7
> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request packet dump: c0010500815fa08e00020007ce5cd6a44a36d9
> Tue Feb  5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request decrypted body: 00021000004d6d
> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, mm,
> Tue Feb  5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
> Attributes:
>        NAS-IP-Address = 192.168.10.1
>        NAS-Port-Id = "tty18"
>        Calling-Station-Id = "192.168.1.1"
>        Service-Type = Login-User
>        Request-Protocol = TACACS+
>        User-Name = "fred"
>        User-Password = mm
>
> Tue Feb  5 22:56:53 2008: DEBUG: Handling request with Handler ''
> Tue Feb  5 22:56:53 2008: DEBUG:  Deleting session for fred, 192.168.10.1,
> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthorisation
> Tue Feb  5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
> Tue Feb  5 22:56:53 2008: INFO: Attempting to bind to LDAP server 192.168.2.1:5636
> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got result for uid=fred,dc=test,dc=com
> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got mail: huaraz at moeller.plus.com
> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for match with fred [fred]
> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fred [fred]
> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE: UserFilter
> Tue Feb  5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with fred [fred]
> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fred [fred]
> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with DEFAULT [fred]
> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [fred]
> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Feb  5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
> Tue Feb  5 22:56:53 2008: DEBUG: Access accepted for fred
> Tue Feb  5 22:56:53 2008: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
> Tue Feb  5 22:56:55 2008: DEBUG: TacacsplusConnection disconnected from 192.168.10.1:11559
>
>
>
> Thank you
> Markus
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Tuesday, February 05, 2008 10:29 PM
> Subject: Re: (RADIATOR) AuthenticateAttribute question
>
>
>>
>> Hello Markus -
>>
>> It would be most helpful to see a trace 4 debug showing what is happening.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
>>
>>> Hi
>>>
>>> I am trying to change the attribute used to authenticate a user/system. I
>>> have the following setup, where my LDAP connection fills an attribute
>>> My-MAC-Address, which is then checked against file entries. The problem I
>>> have is that I still get the User-Name as the compare value, not
>>> My-MAC-Address. I did include a PostAuthHook
>>> sub { print ${$_[0]}->get_attr('My-MAC-Address'); }
>>> and it has the correct MAC address.
>>>
>>> What could be the reason that I still compare the User-Name attribute?
>>>
>>> <AuthBy FILE>
>>>         Identifier MacFilter
>>>         AuthenticateAttribute My-MAC-Address
>>>         Filename %D/macs
>>> </AuthBy>
>>>
>>> <Handler Device-Class=class1>
>>>         AddToRequestIfNotExist Request-Protocol=Radius
>>>         AuthByPolicy ContinueUntilReject
>>>         AuthBy LDAPMACAuthorisation
>>>         AuthBy MacFilter
>>>         # Log accounting to the detail file in LogDir
>>>         AcctLogFileName %L/detail
>>> </Handler>
>>> <Handler>
>>>         AddToRequestIfNotExist Request-Protocol=Radius
>>>         AuthByPolicy ContinueUntilReject
>>>         AuthBy LDAPAuthorisation
>>>         AuthBy UserFilter
>>>         AuthBy PAMAuthentication
>>>         AuthLog LogAuthentication
>>>         # Log accounting to the detail file in LogDir
>>>         AcctLogFileName %L/detail
>>> </Handler>
>>>
>>> Thank you
>>> Markus
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>




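The `TacacsplusConnection request 192, 1, 1, 0, 2170462350, 25` lines in Markus's trace are Radiator printing the six fields of the 12-byte TACACS+ packet header (version, type, seq_no, flags, session_id, length) that precedes each obfuscated body. As an added example, not code from this thread or from Radiator itself, the following Python parses that header out of the first packet dump in the trace, validates it the way a server should before touching the body, and regenerates the same debug line; the constant and key names are my own.

```python
# Added example, not code from the Radiator thread or from Radiator itself:
# decode the 12-byte TACACS+ header that Radiator's trace 5 prints as
# "TacacsplusConnection request <version>, <type>, <seq_no>, <flags>, <session_id>, <length>".
import struct

TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3   # TACACS+ packet types
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                            # header flag bit

# First "TacacsPlus request packet dump" in the thread's trace: the authentication START.
START_PACKET_HEX = ("c0010100815ea08e00000019"
                    "5732db16725f8c66746527dcea76f8c606ffdbd6390ecb6a94")


def parse_tacacs_header(hex_dump: str) -> dict:
    """Return the header fields and body of a hex packet dump.

    Raises ValueError if the dump is shorter than a header or the length
    field does not match the body actually present (check before parsing the body).
    """
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 12:
        raise ValueError("truncated TACACS+ header: %d bytes" % len(raw))
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    body = raw[12:]
    if len(body) != length:
        raise ValueError("length field says %d but %d body bytes present" % (length, len(body)))
    if ptype not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        raise ValueError("unknown TACACS+ packet type %d" % ptype)
    return {
        "version": version,              # 0xc0: major version 0xc, minor 0
        "type": ptype,
        "seq_no": seq_no,
        "from_client": seq_no % 2 == 1,  # clients send odd seq_no, servers answer with even
        "flags": flags,
        # with the flag bit clear the body is obfuscated with the shared key,
        # which is why the next trace line reads "Decrypting TacacsPlus request"
        "body_obfuscated": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "session_id": session_id,
        "length": length,
        "body": body,
    }


def radiator_request_line(hdr: dict) -> str:
    """Render the fields in the order Radiator's 'TacacsplusConnection request' line uses."""
    return "%d, %d, %d, %d, %d, %d" % (hdr["version"], hdr["type"], hdr["seq_no"],
                                       hdr["flags"], hdr["session_id"], hdr["length"])
```

Feeding the same dump through `parse_tacacs_header` and `radiator_request_line` reproduces `192, 1, 1, 0, 2170462350, 25` from the trace, and a dump whose length field disagrees with the bytes present is rejected instead of being decrypted.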
