(RADIATOR) AuthenticateAttribute question

Markus Moeller huaraz at moeller.plus.com
Wed Feb 6 17:52:15 CST 2008


OK I just copied AuthPAM.pm as AuthPAM2.pm and added 
        
        $user_name = $p->get_attr($self->{AuthenticateAttribute})
            if $self->{AuthenticateAttribute};

after 
        my $user_name = $p->getUserName;


which seems to work.

Thank you
Markus
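The two added lines make $user_name whatever the configured attribute holds, which is undef when the request does not carry that attribute at all (for example when the LDAP entry has no mail value to copy into User-Mail). The script below is an added example, not Radiator's code and not part of Markus's message: it models the same selection with a stand-in request object (FakeRequest, hypothetical, offering only the getUserName and get_attr calls the snippet uses, with get_attr assumed to return undef for a missing attribute) and turns the missing-attribute case into a reject instead of handing PAM an undefined user name. The sample requests are constructed from the trace further down (User-Name fred, mail huaraz at moeller.plus.com assumed to be mapped into User-Mail by the LDAP AuthBy).

```perl
#!/usr/bin/perl
# Added example, not Radiator code: choosing the name an AuthBy authenticates
# when AuthenticateAttribute is set, with a guard for the absent-attribute case.
use strict;
use warnings;

# Hypothetical stand-in for a Radiator request object. Only the two methods
# used by the AuthPAM2.pm change are modelled; get_attr returns undef when the
# attribute is not present (assumption, matching how the change behaves).
package FakeRequest;
sub new {
    my ($class, %attrs) = @_;
    return bless { attrs => {%attrs} }, $class;
}
sub get_attr    { my ($self, $name) = @_; return $self->{attrs}{$name}; }
sub getUserName { my ($self) = @_;        return $self->get_attr('User-Name'); }

package main;

# Returns the name to pass to the PAM service, or undef when
# AuthenticateAttribute is configured but the request does not carry it.
# The bare two-line change would leave $user_name undef here and call PAM
# with no user; this version refuses instead of silently falling back to
# User-Name, which is the very value the directive is meant to bypass.
sub authenticate_name {
    my ($self, $p) = @_;
    my $user_name = $p->getUserName;
    if ($self->{AuthenticateAttribute}) {
        $user_name = $p->get_attr($self->{AuthenticateAttribute});
        return undef unless defined $user_name && length $user_name;
    }
    return $user_name;
}

# AuthBy settings taken from the <AuthBy PAM> clause in the thread.
my $authby = { AuthenticateAttribute => 'User-Mail', Service => 'rad_mail' };

# Constructed requests: one where the LDAP AuthBy filled User-Mail, one where
# the directory entry had no mail attribute so nothing was added.
my $with_mail = FakeRequest->new(
    'User-Name' => 'fred',
    'User-Mail' => 'huaraz@moeller.plus.com',
);
my $without_mail = FakeRequest->new('User-Name' => 'fred');

for my $p ($with_mail, $without_mail) {
    my $name = authenticate_name($authby, $p);
    if (defined $name) {
        printf "PAM service %s would authenticate '%s'\n", $authby->{Service}, $name;
    } else {
        print "REJECT: request carries no User-Mail, nothing to authenticate\n";
    }
}
```

Run with plain perl; no Radiator installation is needed. The first request yields the mail address as the PAM user, the second is rejected. Whether a reject or a fallback to User-Name is the right policy depends on the deployment, but either should be an explicit decision rather than whatever PAM does with an undefined user.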

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Wednesday, February 06, 2008 9:47 AM
Subject: Re: (RADIATOR) AuthenticateAttribute question


> 
> Hello Markus -
> 
> Unfortunately the AuthBy PAM module does not currently support  
> AuthenticateAttribute.
> 
> regards
> 
> Hugh
> 
> 
> On 6 Feb 2008, at 10:39, Markus Moeller wrote:
> 
>> Hugh,
>>
>> Sorry, I had an error in my config, which is why the <AuthBy File> check for My-Mac-Address didn't work.
>>
>> But I also have the PAMAuthentication part, which is:
>>
>> <AuthBy PAM>
>>        Identifier PAMAuthentication
>>        AuthenticateAttribute User-Mail
>>        Service rad_mail
>> </AuthBy>
>>
>> and I still get fred as the user to authenticate. I added a pam_syslog line to pam to log the arguments and I get
>> Feb  5 23:29:48 testbox pam_syslog[15401]: [ID 518756 auth.debug] User: fred, Ruser: unknown, TTY: unknown/no tty, Service: rad_mail, Rhost: unknown
>>
>> BTW I get the same when I use the test radius client.
>>
>> # /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg -trace 5 -foreground -log_stdout
>> Tue Feb  5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
>> Tue Feb  5 22:56:28 2008: NOTICE: Reading clients file /etc/raddb/clients
>> Tue Feb  5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
>> Tue Feb  5 22:56:29 2008: DEBUG: Finished reading configuration file '/etc/raddb/radius.cfg'
>> Tue Feb  5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/raddb/dictionary'
>> Tue Feb  5 22:56:29 2008: DEBUG: Creating authentication port 0.0.0.0:1645
>> Tue Feb  5 22:56:29 2008: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Feb  5 22:56:29 2008: NOTICE: Server started: Radiator 4.0 on testbox
>> Tue Feb  5 22:56:47 2008: DEBUG: New TacacsplusConnection created for 192.168.10.1:11556
>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2170462350, 25
>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request packet dump: c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390ecb6a94
>> Tue Feb  5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request decrypted body: 0101010100050c01747479513831302e3132382e35352e3233
>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty18, 192.168.1.1
>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2170462350, 11
>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request packet dump: c0010300815ea08e0002000be41fbb70affee870f13cca
>> Tue Feb  5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request decrypted body: 00060000206d64656c6d61
>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, fred,
>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2170462350, 7
>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request packet dump: c0010500815fa08e00020007ce5cd6a44a36d9
>> Tue Feb  5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request decrypted body: 00021000004d6d
>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, mm,
>> Tue Feb  5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>> Attributes:
>>        NAS-IP-Address = 192.168.10.1
>>        NAS-Port-Id = "tty18"
>>        Calling-Station-Id = "192.168.1.1"
>>        Service-Type = Login-User
>>        Request-Protocol = TACACS+
>>        User-Name = "fred"
>>        User-Password = mm
>>
>> Tue Feb  5 22:56:53 2008: DEBUG: Handling request with Handler ''
>> Tue Feb  5 22:56:53 2008: DEBUG:  Deleting session for fred, 192.168.10.1,
>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthorisation
>> Tue Feb  5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
>> Tue Feb  5 22:56:53 2008: INFO: Attempting to bind to LDAP server 192.168.2.1:5636
>> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got result for uid=fred,dc=test,dc=com
>> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got mail: huaraz at moeller.plus.com
>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for match with fred [fred]
>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fred [fred]
>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE: UserFilter
>> Tue Feb  5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with fred [fred]
>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fred [fred]
>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with DEFAULT [fred]
>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [fred]
>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
>> Tue Feb  5 22:56:53 2008: DEBUG: Access accepted for fred
>> Tue Feb  5 22:56:53 2008: DEBUG: Packet dump:
>> *** Reply to TACACSPLUS request:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>> Tue Feb  5 22:56:55 2008: DEBUG: TacacsplusConnection disconnected from 192.168.10.1:11559
>>
>>
>>
>> Thank you
>> Markus
>>
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Tuesday, February 05, 2008 10:29 PM
>> Subject: Re: (RADIATOR) AuthenticateAttribute question
>>
>>
>>>
>>> Hello Markus -
>>>
>>> It would be most helpful to see a trace 4 debug showing what is happening.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
>>>
>>>> Hi
>>>>
>>>> I try to change the attribute used to authenticate a user/system. I have the following setup, where my LDAP connection fills an attribute My-MAC-Address, which is then checked against file entries. The problem I have is that I still get the User-Name as the compare value, not My-MAC-Address. I did include a PostAuthHook sub { print ${$_[0]}->get_attr('My-MAC-Address') ; } and it has the correct MAC-Address.
>>>>
>>>> What could be the reason that I still compare the User-Name attribute?
>>>>
>>>> <AuthBy FILE>
>>>>         Identifier MacFilter
>>>>         AuthenticateAttribute My-MAC-Address
>>>>         Filename %D/macs
>>>> </AuthBy>
>>>>
>>>> <Handler Device-Class=class1>
>>>>         AddToRequestIfNotExist Request-Protocol=Radius
>>>>         AuthByPolicy ContinueUntilReject
>>>>         AuthBy LDAPMACAuthorisation
>>>>         AuthBy MacFilter
>>>>         # Log accounting to the detail file in LogDir
>>>>         AcctLogFileName %L/detail
>>>> </Handler>
>>>> <Handler>
>>>>         AddToRequestIfNotExist Request-Protocol=Radius
>>>>         AuthByPolicy ContinueUntilReject
>>>>         AuthBy LDAPAuthorisation
>>>>         AuthBy UserFilter
>>>>         AuthBy PAMAuthentication
>>>>         AuthLog LogAuthentication
>>>>         # Log accounting to the detail file in LogDir
>>>>         AcctLogFileName %L/detail
>>>> </Handler>
>>>>
>>>> Thank you
>>>> Markus
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
> 
> 
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


