(RADIATOR) AuthenticateAttribute question

Hugh Irvine hugh at open.com.au
Thu Feb 7 00:11:25 CST 2008


Hello Markus -

Your patch has now been added to the Radiator patches.

many thanks

regards

Hugh


On 7 Feb 2008, at 10:52, Markus Moeller wrote:

> OK, I just copied AuthPAM.pm as AuthPAM2.pm and added
> $user_name = $p->get_attr($self->{AuthenticateAttribute})
>            if $self->{AuthenticateAttribute};
>
> after        my $user_name = $p->getUserName;
>
>
> which seems to work.
>
> Thank you
> Markus
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Wednesday, February 06, 2008 9:47 AM
> Subject: Re: (RADIATOR) AuthenticateAttribute question
>
>
>> Hello Markus -
>> Unfortunately the AuthBy PAM module does not currently support AuthenticateAttribute.
>> regards
>> Hugh
>> On 6 Feb 2008, at 10:39, Markus Moeller wrote:
>>> Hugh,
>>>
>>> Sorry, I had an error in my config, which is why the <AuthBy File> check for My-Mac-Address didn't work.
>>>
>>> But I also have the PAMAuthentication part, which is:
>>>
>>> <AuthBy PAM>
>>>        Identifier PAMAuthentication
>>>        AuthenticateAttribute User-Mail
>>>        Service rad_mail
>>> </AuthBy>
>>>
>>> and I still get fred as the user to authenticate. I added a pam_syslog line to pam to log the arguments and I get
>>> Feb  5 23:29:48 testbox pam_syslog[15401]: [ID 518756 auth.debug] User: fred, Ruser: unknown, TTY: unknown/no tty, Service: rad_mail, Rhost: unknown
>>>
>>> BTW I get the same when I use the test radius client.
>>>
>>> # /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg -trace 5 -foreground -log_stdout
>>> Tue Feb  5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
>>> Tue Feb  5 22:56:28 2008: NOTICE: Reading clients file /etc/raddb/clients
>>> Tue Feb  5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
>>> Tue Feb  5 22:56:29 2008: DEBUG: Finished reading configuration file '/etc/raddb/radius.cfg'
>>> Tue Feb  5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/raddb/dictionary'
>>> Tue Feb  5 22:56:29 2008: DEBUG: Creating authentication port 0.0.0.0:1645
>>> Tue Feb  5 22:56:29 2008: DEBUG: Creating accounting port 0.0.0.0:1646
>>> Tue Feb  5 22:56:29 2008: NOTICE: Server started: Radiator 4.0 on testbox
>>> Tue Feb  5 22:56:47 2008: DEBUG: New TacacsplusConnection created for 192.168.10.1:11556
>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2170462350, 25
>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request packet dump: c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390ecb6a94
>>> Tue Feb  5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request decrypted body: 0101010100050c01747479513831302e3132382e35352e3233
>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty18, 192.168.1.1
>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2170462350, 11
>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request packet dump: c0010300815ea08e0002000be41fbb70affee870f13cca
>>> Tue Feb  5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request decrypted body: 00060000206d64656c6d61
>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, fred,
>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2170462350, 7
>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request packet dump: c0010500815fa08e00020007ce5cd6a44a36d9
>>> Tue Feb  5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request decrypted body: 00021000004d6d
>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, mm,
>>> Tue Feb  5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
>>> Code:       Access-Request
>>> Identifier: UNDEF
>>> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>>> Attributes:
>>>        NAS-IP-Address = 192.168.10.1
>>>        NAS-Port-Id = "tty18"
>>>        Calling-Station-Id = "192.168.1.1"
>>>        Service-Type = Login-User
>>>        Request-Protocol = TACACS+
>>>        User-Name = "fred"
>>>        User-Password = mm
>>>
>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling request with Handler ''
>>> Tue Feb  5 22:56:53 2008: DEBUG:  Deleting session for fred, 192.168.10.1,
>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthorisation
>>> Tue Feb  5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
>>> Tue Feb  5 22:56:53 2008: INFO: Attempting to bind to LDAP server 192.168.2.1:5636
>>> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got result for uid=fred,dc=test,dc=com
>>> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got mail: huaraz at moeller.plus.com
>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for match with fred [fred]
>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fred [fred]
>>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE: UserFilter
>>> Tue Feb  5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with fred [fred]
>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fred [fred]
>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with DEFAULT [fred]
>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [fred]
>>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
>>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
>>> Tue Feb  5 22:56:53 2008: DEBUG: Access accepted for fred
>>> Tue Feb  5 22:56:53 2008: DEBUG: Packet dump:
>>> *** Reply to TACACSPLUS request:
>>> Code:       Access-Accept
>>> Identifier: UNDEF
>>> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>>> Tue Feb  5 22:56:55 2008: DEBUG: TacacsplusConnection disconnected from 192.168.10.1:11559
>>>
>>> Thank you
>>> Markus
>>>
>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Tuesday, February 05, 2008 10:29 PM
>>> Subject: Re: (RADIATOR) AuthenticateAttribute question
>>>
>>>
>>>>
>>>> Hello Markus -
>>>>
>>>> It would be most helpful to see a trace 4 debug showing what is happening.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I am trying to change the attribute used to authenticate a user/system. I have the following setup, where my LDAP connection fills an attribute My-MAC-Address, which is then checked against file entries. The problem I have is that I still get the User-Name as the compare value, not My-MAC-Address. I did include a PostAuthHook sub { print ${$_[0]}->get_attr('My-MAC-Address') ; } and it has the correct MAC-Address.
>>>>>
>>>>> What could be the reason that I still compare the User-Name attribute?
>>>>>
>>>>> <AuthBy FILE>
>>>>>         Identifier MacFilter
>>>>>         AuthenticateAttribute My-MAC-Address
>>>>>         Filename %D/macs
>>>>> </AuthBy>
>>>>>
>>>>> <Handler Device-Class=class1>
>>>>>         AddToRequestIfNotExist Request-Protocol=Radius
>>>>>         AuthByPolicy ContinueUntilReject
>>>>>         AuthBy LDAPMACAuthorisation
>>>>>         AuthBy MacFilter
>>>>>         # Log accounting to the detail file in LogDir
>>>>>         AcctLogFileName %L/detail
>>>>> </Handler>
>>>>> <Handler>
>>>>>         AddToRequestIfNotExist Request-Protocol=Radius
>>>>>         AuthByPolicy ContinueUntilReject
>>>>>         AuthBy LDAPAuthorisation
>>>>>         AuthBy UserFilter
>>>>>         AuthBy PAMAuthentication
>>>>>         AuthLog LogAuthentication
>>>>>         # Log accounting to the detail file in LogDir
>>>>>         AcctLogFileName %L/detail
>>>>> </Handler>
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>
>>>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>



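A configuration check in the spirit of this thread, added here as an example and not code from the list post or from Radiator itself: it parses the <AuthBy ...> blocks of a constructed radius.cfg fragment, works out which request attribute each module will really authenticate, and flags AuthenticateAttribute on an AuthBy PAM block, which Hugh says the stock Radiator 4.0 module did not support (so PAM sees User-Name, "fred", rather than User-Mail). The support table and the minimal "Key value" line syntax are assumptions taken from the thread, not from the Radiator reference manual.

```python
import re

# Per this thread (Radiator 4.0): AuthBy FILE honours AuthenticateAttribute while
# the stock AuthBy PAM ignores it (assumption from the thread, not the manual).
IGNORES_AUTHENTICATE_ATTRIBUTE = {"PAM"}
BLOCK_RE = re.compile(r"<AuthBy\s+(\w+)>(.*?)</AuthBy>", re.S | re.I)

def parse_authby_blocks(cfg_text):
    """Return [(MODULE, {param: value}), ...] for every <AuthBy ...> block."""
    blocks = []
    for match in BLOCK_RE.finditer(cfg_text):
        params = {}
        for line in match.group(2).splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            if line:
                parts = line.split(None, 1)       # "Key value..." (tabs or spaces)
                params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        blocks.append((match.group(1).upper(), params))
    return blocks

def effective_identity(module, params, request):
    """Value this module will actually authenticate for the given request."""
    attr = params.get("AuthenticateAttribute")
    if attr and module not in IGNORES_AUTHENTICATE_ATTRIBUTE:
        return request.get(attr)
    return request.get("User-Name")  # the getUserName fallback seen in the trace

def lint(cfg_text):
    """One warning per block whose AuthenticateAttribute is silently ignored."""
    warnings = []
    for module, params in parse_authby_blocks(cfg_text):
        if "AuthenticateAttribute" in params and module in IGNORES_AUTHENTICATE_ATTRIBUTE:
            warnings.append(f"{params.get('Identifier', '?')}: AuthBy {module} ignores "
                            f"AuthenticateAttribute {params['AuthenticateAttribute']}, "
                            "User-Name is authenticated instead")
    return warnings

# Constructed sample: the two AuthBy blocks from the thread and a made-up request.
SAMPLE_CFG = """<AuthBy FILE>
        Identifier MacFilter
        AuthenticateAttribute My-MAC-Address
        Filename %D/macs
</AuthBy>
<AuthBy PAM>
        Identifier PAMAuthentication
        AuthenticateAttribute User-Mail
</AuthBy>"""
SAMPLE_REQUEST = {"User-Name": "fred", "User-Mail": "fred@example.com", "My-MAC-Address": "00-11-22-33-44-55"}
```

Run lint() over the real radius.cfg before deploying a handler that relies on AuthenticateAttribute; a block that is flagged will authenticate User-Name exactly as the trace in this thread shows.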

