(RADIATOR) AuthenticateAttribute question
Hugh Irvine
hugh at open.com.au
Thu Feb 7 00:11:25 CST 2008
Hello Markus -
Your patch has now been added to the Radiator patches.
many thanks
regards
Hugh
On 7 Feb 2008, at 10:52, Markus Moeller wrote:
> OK I just copied AuthPAM.pm as AuthPAM2.pm and added
> $user_name = $p->get_attr($self->{AuthenticateAttribute})
> if $self->{AuthenticateAttribute};
>
> after my $user_name = $p->getUserName;
>
>
> which seems to work.
>
> Thank you
> Markus
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Wednesday, February 06, 2008 9:47 AM
> Subject: Re: (RADIATOR) AuthenticateAttribute question
>
>
>> Hello Markus -
>> Unfortunately the AuthBy PAM module does not currently support
>> AuthenticateAttribute.
>> regards
>> Hugh
>> On 6 Feb 2008, at 10:39, Markus Moeller wrote:
>>> Hugh,
>>>
>>> Sorry, I had an error in my config why the <AuthBy File> check
>>> for My-Mac-Address didn't work.
>>>
>>> But I have also the PAMAuthentication part which is:
>>>
>>> <AuthBy PAM>
>>> Identifier PAMAuthentication
>>> AuthenticateAttribute User-Mail
>>> Service rad_mail
>>> </AuthBy>
>>>
>>> and I still get fred as the user to authenticate. I added a
>>> pam_syslog line to pam to log the arguments and I get
>>> Feb 5 23:29:48 testbox pam_syslog[15401]: [ID 518756
>>> auth.debug] User: fred, Ruser: unknown, TTY: unknown/no tty,
>>> Service: rad_mail, Rhost: unknown
>>>
>>> BTW I get the same when I use the test radius client.
>>>
>>> # /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg
>>> - trace 5 -foreground -log_stdout
>>> Tue Feb 5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
>>> Tue Feb 5 22:56:28 2008: NOTICE: Reading clients file /etc/
>>> raddb/ clients
>>> Tue Feb 5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
>>> Tue Feb 5 22:56:29 2008: DEBUG: Finished reading configuration
>>> file '/etc/raddb/radius.cfg'
>>> Tue Feb 5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/
>>> raddb/dictionary'
>>> Tue Feb 5 22:56:29 2008: DEBUG: Creating authentication port
>>> 0.0.0.0:1645
>>> Tue Feb 5 22:56:29 2008: DEBUG: Creating accounting port
>>> 0.0.0.0:1646
>>> Tue Feb 5 22:56:29 2008: NOTICE: Server started: Radiator 4.0
>>> on testbox
>>> Tue Feb 5 22:56:47 2008: DEBUG: New TacacsplusConnection
>>> created for 192.168.10.1:11556
>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection request
>>> 192, 1, 1, 0, 2170462350, 25
>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsPlus request packet dump:
>>> c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390e
>>> cb 6a94
>>> Tue Feb 5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsPlus request decrypted
>>> body: 0101010100050c01747479513831302e3132382e35352e3233
>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection
>>> Authentication START 1, 1, 1 for , tty18, 192.168.1.1
>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection
>>> Authentication REPLY 4, 0, Username: ,
>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection request
>>> 192, 1, 3, 0, 2170462350, 11
>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsPlus request packet dump:
>>> c0010300815ea08e0002000be41fbb70affee870f13cca
>>> Tue Feb 5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsPlus request decrypted
>>> body: 00060000206d64656c6d61
>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection
>>> Authentication CONTINUE 0, fred,
>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection
>>> Authentication REPLY 5, 1, Password: ,
>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsplusConnection request
>>> 192, 1, 5, 0, 2170462350, 7
>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsPlus request packet dump:
>>> c0010500815fa08e00020007ce5cd6a44a36d9
>>> Tue Feb 5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsPlus request decrypted
>>> body: 00021000004d6d
>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsplusConnection
>>> Authentication CONTINUE 0, mm,
>>> Tue Feb 5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius
>>> request packet dump:
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>>> Attributes:
>>> NAS-IP-Address = 192.168.10.1
>>> NAS-Port-Id = "tty18"
>>> Calling-Station-Id = "192.168.1.1"
>>> Service-Type = Login-User
>>> Request-Protocol = TACACS+
>>> User-Name = "fred"
>>> User-Password = mm
>>>
>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling request with Handler ''
>>> Tue Feb 5 22:56:53 2008: DEBUG: Deleting session for fred,
>>> 192.168.10.1,
>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling with
>>> Radius::AuthLDAP2: LDAPAuthorisation
>>> Tue Feb 5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
>>> Tue Feb 5 22:56:53 2008: INFO: Attempting to bind to LDAP
>>> server 192.168.2.1:5636
>>> Tue Feb 5 22:56:53 2008: DEBUG: LDAP got result for
>>> uid=fred,dc=test,dc=com
>>> Tue Feb 5 22:56:53 2008: DEBUG: LDAP got mail:
>>> huaraz at moeller.plus.com
>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for
>>> match with fred [fred]
>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: :
>>> fred [fred]
>>> Tue Feb 5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE:
>>> UserFilter
>>> Tue Feb 5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for
>>> match with fred [fred]
>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No
>>> such user: fred [fred]
>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for
>>> match with DEFAULT [fred]
>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: :
>>> DEFAULT [fred]
>>> Tue Feb 5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
>>> Tue Feb 5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
>>> Tue Feb 5 22:56:53 2008: DEBUG: Access accepted for fred
>>> Tue Feb 5 22:56:53 2008: DEBUG: Packet dump:
>>> *** Reply to TACACSPLUS request:
>>> Code: Access-Accept
>>> Identifier: UNDEF
>>> Authentic: <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>>> Tue Feb 5 22:56:55 2008: DEBUG: TacacsplusConnection
>>> disconnected from 192.168.10.1:11559
>>>
>>>
>>>
>>> Thank you
>>> Markus
>>>
>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Tuesday, February 05, 2008 10:29 PM
>>> Subject: Re: (RADIATOR) AuthenticateAttribute question
>>>
>>>
>>>>
>>>> Hello Markus -
>>>>
>>>> It would be most helpful to see a trace 4 debug showing what is
>>>> happening.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I try to change the attribute to authenticate a user/system. I
>>>>> have the following setup where my LDAP connection fills an
>>>>> attribute My- MAC-Address, which then check against file
>>>>> entries. The problem I have is that I still get the User-Name
>>>>> as the compare value not My- MAC-Address. I did include a
>>>>> PostAuthHook sub { print ${$_[0]}-
>>>>> >get_attr('My-MAC-Address') ; } and it has the correct MAC-
>>>>> Address.
>>>>>
>>>>> What could be the reason that I still compare the User-Name
>>>>> attribute ?
>>>>>
>>>>> <AuthBy FILE>
>>>>> Identifier MacFilter
>>>>> AuthenticateAttribute My-MAC-Address
>>>>> Filename %D/macs
>>>>> </AuthBy>
>>>>>
>>>>> <Handler Device-Class=class1>
>>>>> AddToRequestIfNotExist Request-Protocol=Radius
>>>>> AuthByPolicy ContinueUntilReject
>>>>> AuthBy LDAPMACAuthorisation
>>>>> AuthBy MacFilter
>>>>> # Log accounting to the detail file in LogDir
>>>>> AcctLogFileName %L/detail
>>>>> </Handler>
>>>>> <Handler>
>>>>> AddToRequestIfNotExist Request-Protocol=Radius
>>>>> AuthByPolicy ContinueUntilReject
>>>>> AuthBy LDAPAuthorisation
>>>>> AuthBy UserFilter
>>>>> AuthBy PAMAuthentication
>>>>> AuthLog LogAuthentication
>>>>> # Log accounting to the detail file in LogDir
>>>>> AcctLogFileName %L/detail
>>>>> </Handler>
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/
>>>> archives/ radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>> server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical,
>>>> extensible,
>>>> flexible with hardware, software, platform and database
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>> systems.
>>>>
>>>>
>> NB:
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/
>> archives/ radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list