(RADIATOR) AuthenticateAttribute question
Markus Moeller
huaraz at moeller.plus.com
Fri Feb 8 14:40:24 CST 2008
Hugh,
I had another problem with AuthPAM.pm. The module expects that the PAM
prompt is "password", which wasn't the case for me. So I defined a
keyword PasswordPrompt in AuthGeneric and use it in AuthPAM.pm. Now I can use:
<AuthBy PAM>
Identifier PAMAuthentication
AuthenticateAttribute User-Mail
PasswordPrompt Code
Service rad_mail
</AuthBy>
Would it be possible to integrate this patch too?
Thank you
Markus
AuthGeneric.pm
%Radius::AuthGeneric::ConfigKeywords =
(
.
.
'PasswordPrompt' =>
['string',
'To allow authentication modules to adapt to different password prompts',
1],
);
sub initialize
{
.
.
$self->{PasswordPrompt} = 'password';
}
AuthPAM.pm
see attachment.
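The two changes described in this thread (taking the PAM user from AuthenticateAttribute instead of User-Name, as in the AuthPAM2.pm change quoted below, and answering the PAM prompt only when it matches a configurable PasswordPrompt) as one stand-alone Perl sketch. This is an added example, not Radiator's AuthPAM.pm and not the attached patch: it has no Authen::PAM dependency, so the request hash, the (retcode, answer) shape of the conversation callback, the case-insensitive substring prompt match and all sample values are assumptions. It also adds one check the quoted one-liner does not have: when AuthenticateAttribute is configured but the attribute is absent from the request, the request is refused rather than handed to PAM with an undefined user name.

```perl
#!/usr/bin/perl
# Added example, not Radiator code. Runs without Authen::PAM by simulating the
# conversation callback; the data structures are assumptions for illustration.
use strict;
use warnings;

# PAM message styles and success code, numbered as in Linux-PAM.
use constant PAM_SUCCESS         => 0;
use constant PAM_PROMPT_ECHO_OFF => 1;
use constant PAM_PROMPT_ECHO_ON  => 2;
use constant PAM_ERROR_MSG       => 3;
use constant PAM_TEXT_INFO       => 4;

# Decide which request attribute names the principal PAM should check.
# Returns ($name, undef) on success or (undef, $reason) when the request
# must be rejected. A configured AuthenticateAttribute that is missing from
# the request is a rejection: falling back to User-Name would silently
# authenticate a different identity than the one the config asked for.
sub resolve_auth_name {
    my ($config, $request) = @_;
    my $attr = $config->{AuthenticateAttribute};
    if (defined $attr && length $attr) {
        my $value = $request->{$attr};
        return (undef, "request has no $attr attribute")
            unless defined $value && length $value;
        return ($value, undef);
    }
    my $user = $request->{'User-Name'};
    return (undef, 'request has no User-Name')
        unless defined $user && length $user;
    return ($user, undef);
}

# Build a PAM conversation callback. PAM calls it with (style, message)
# pairs and expects (retcode, answer) pairs followed by a final retcode,
# which is the shape Authen::PAM uses (assumed here, not exercised against
# the real module). The password is released only for an echo-off prompt
# that contains PasswordPrompt (default "password"); the user name answers
# an echo-on prompt; info and error messages get an empty answer.
sub make_conv {
    my ($config, $name, $password) = @_;
    my $prompt = defined $config->{PasswordPrompt}
               ? $config->{PasswordPrompt} : 'password';
    return sub {
        my @res;
        while (@_) {
            my ($style, $msg) = (shift, shift);
            my $ans = '';
            if ($style == PAM_PROMPT_ECHO_OFF && $msg =~ /\Q$prompt\E/i) {
                $ans = $password;
            } elsif ($style == PAM_PROMPT_ECHO_ON) {
                $ans = $name;
            }
            push @res, (PAM_SUCCESS, $ans);
        }
        push @res, PAM_SUCCESS;
        return @res;
    };
}

# Constructed sample: the <AuthBy PAM> clause from the thread and a request
# like the trace shows once AuthLDAP2 has added User-Mail.
my %config  = (AuthenticateAttribute => 'User-Mail',
               PasswordPrompt        => 'Code',
               Service               => 'rad_mail');
my %request = ('User-Name' => 'fred',
               'User-Mail' => 'fred@example.com',   # constructed value
               'User-Password' => 'mm');

my ($name, $why) = resolve_auth_name(\%config, \%request);
die "REJECT: $why\n" unless defined $name;
print "PAM service $config{Service} will authenticate '$name'\n";

my $conv = make_conv(\%config, $name, $request{'User-Password'});

# A service whose prompt is "Code:" gets the password (answer is $res[1]).
my @res = $conv->(PAM_PROMPT_ECHO_OFF, 'Code: ', PAM_TEXT_INFO, 'welcome');
print "prompt 'Code: '    -> password released: ", ($res[1] eq 'mm' ? 'yes' : 'no'), "\n";

# The stock "Password:" prompt no longer matches this config, which is the
# mirror image of the problem the thread describes with the literal default.
@res = $conv->(PAM_PROMPT_ECHO_OFF, 'Password: ');
print "prompt 'Password: ' -> password released: ", ($res[1] eq 'mm' ? 'yes' : 'no'), "\n";

# Same config, request without User-Mail: refused, not quietly run as fred.
my ($n2, $why2) = resolve_auth_name(\%config, { 'User-Name' => 'fred' });
print "without User-Mail  -> ", (defined $n2 ? "auth as $n2" : "REJECT ($why2)"), "\n";
```

Run it with plain perl; it prints one line for each of the three cases. The trace quoted further down shows why the missing-attribute case matters: with the unpatched module every AuthBy in the handler still reported "fred" as the user being checked, even though the config named User-Mail.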
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Thursday, February 07, 2008 6:11 AM
Subject: Re: (RADIATOR) AuthenticateAttribute question
>
> Hello Markus -
>
> Your patch has now been added to the Radiator patches.
>
> many thanks
>
> regards
>
> Hugh
>
>
> On 7 Feb 2008, at 10:52, Markus Moeller wrote:
>
>> OK I just copied AuthPAM.pm as AuthPAM2.pm and added
>> $user_name = $p->get_attr($self->{AuthenticateAttribute})
>> if $self->{AuthenticateAttribute};
>>
>> after my $user_name = $p->getUserName;
>>
>>
>> which seems to work.
>>
>> Thank you
>> Markus
>>
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Wednesday, February 06, 2008 9:47 AM
>> Subject: Re: (RADIATOR) AuthenticateAttribute question
>>
>>
>>> Hello Markus -
>>> Unfortunately the AuthBy PAM module does not currently support
>>> AuthenticateAttribute.
>>> regards
>>> Hugh
>>> On 6 Feb 2008, at 10:39, Markus Moeller wrote:
>>>> Hugh,
>>>>
>>>> Sorry, I had an error in my config, which is why the <AuthBy File> check for
>>>> My-Mac-Address didn't work.
>>>>
>>>> But I also have the PAMAuthentication part, which is:
>>>>
>>>> <AuthBy PAM>
>>>> Identifier PAMAuthentication
>>>> AuthenticateAttribute User-Mail
>>>> Service rad_mail
>>>> </AuthBy>
>>>>
>>>> and I still get fred as the user to authenticate. I added a
>>>> pam_syslog line to pam to log the arguments and I get
>>>> Feb 5 23:29:48 testbox pam_syslog[15401]: [ID 518756 auth.debug]
>>>> User: fred, Ruser: unknown, TTY: unknown/no tty, Service: rad_mail,
>>>> Rhost: unknown
>>>>
>>>> BTW I get the same when I use the test radius client.
>>>>
>>>> # /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg -trace 5 -foreground -log_stdout
>>>> Tue Feb 5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
>>>> Tue Feb 5 22:56:28 2008: NOTICE: Reading clients file /etc/raddb/clients
>>>> Tue Feb 5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
>>>> Tue Feb 5 22:56:29 2008: DEBUG: Finished reading configuration file '/etc/raddb/radius.cfg'
>>>> Tue Feb 5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/raddb/dictionary'
>>>> Tue Feb 5 22:56:29 2008: DEBUG: Creating authentication port 0.0.0.0:1645
>>>> Tue Feb 5 22:56:29 2008: DEBUG: Creating accounting port 0.0.0.0:1646
>>>> Tue Feb 5 22:56:29 2008: NOTICE: Server started: Radiator 4.0 on testbox
>>>> Tue Feb 5 22:56:47 2008: DEBUG: New TacacsplusConnection created for 192.168.10.1:11556
>>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2170462350, 25
>>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsPlus request packet dump:
>>>> c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390ecb6a94
>>>> Tue Feb 5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
>>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsPlus request decrypted body:
>>>> 0101010100050c01747479513831302e3132382e35352e3233
>>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty18, 192.168.1.1
>>>> Tue Feb 5 22:56:47 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
>>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2170462350, 11
>>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsPlus request packet dump:
>>>> c0010300815ea08e0002000be41fbb70affee870f13cca
>>>> Tue Feb 5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
>>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsPlus request decrypted body:
>>>> 00060000206d64656c6d61
>>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, fred,
>>>> Tue Feb 5 22:56:51 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2170462350, 7
>>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsPlus request packet dump:
>>>> c0010500815fa08e00020007ce5cd6a44a36d9
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
>>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsPlus request decrypted body:
>>>> 00021000004d6d
>>>> Tue Feb 5 22:56:53 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, mm,
>>>> Tue Feb 5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
>>>> Code: Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>>>> Attributes:
>>>> NAS-IP-Address = 192.168.10.1
>>>> NAS-Port-Id = "tty18"
>>>> Calling-Station-Id = "192.168.1.1"
>>>> Service-Type = Login-User
>>>> Request-Protocol = TACACS+
>>>> User-Name = "fred"
>>>> User-Password = mm
>>>>
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling request with Handler ''
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Deleting session for fred, 192.168.10.1,
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthorisation
>>>> Tue Feb 5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
>>>> Tue Feb 5 22:56:53 2008: INFO: Attempting to bind to LDAP server 192.168.2.1:5636
>>>> Tue Feb 5 22:56:53 2008: DEBUG: LDAP got result for uid=fred,dc=test,dc=com
>>>> Tue Feb 5 22:56:53 2008: DEBUG: LDAP got mail: huaraz at moeller.plus.com
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for match with fred [fred]
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fred [fred]
>>>> Tue Feb 5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE: UserFilter
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with fred [fred]
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fred [fred]
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for match with DEFAULT [fred]
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [fred]
>>>> Tue Feb 5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
>>>> Tue Feb 5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Access accepted for fred
>>>> Tue Feb 5 22:56:53 2008: DEBUG: Packet dump:
>>>> *** Reply to TACACSPLUS request:
>>>> Code: Access-Accept
>>>> Identifier: UNDEF
>>>> Authentic: <29>Ix;?wb<170>s<254>(<240>G<237><203>u
>>>> Tue Feb 5 22:56:55 2008: DEBUG: TacacsplusConnection disconnected from 192.168.10.1:11559
>>>>
>>>>
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>>> Cc: <radiator at open.com.au>
>>>> Sent: Tuesday, February 05, 2008 10:29 PM
>>>> Subject: Re: (RADIATOR) AuthenticateAttribute question
>>>>
>>>>
>>>>>
>>>>> Hello Markus -
>>>>>
>>>>> It would be most helpful to see a trace 4 debug showing what is
>>>>> happening.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I am trying to change the attribute used to authenticate a user/system. I have
>>>>>> the following setup, where my LDAP connection fills an attribute My-MAC-Address,
>>>>>> which is then checked against file entries. The problem I have is that I still
>>>>>> get the User-Name as the compare value, not My-MAC-Address. I did include a
>>>>>> PostAuthHook sub { print ${$_[0]}->get_attr('My-MAC-Address') ; } and it has
>>>>>> the correct MAC-Address.
>>>>>>
>>>>>> What could be the reason that I still compare the User-Name attribute?
>>>>>>
>>>>>> <AuthBy FILE>
>>>>>> Identifier MacFilter
>>>>>> AuthenticateAttribute My-MAC-Address
>>>>>> Filename %D/macs
>>>>>> </AuthBy>
>>>>>>
>>>>>> <Handler Device-Class=class1>
>>>>>> AddToRequestIfNotExist Request-Protocol=Radius
>>>>>> AuthByPolicy ContinueUntilReject
>>>>>> AuthBy LDAPMACAuthorisation
>>>>>> AuthBy MacFilter
>>>>>> # Log accounting to the detail file in LogDir
>>>>>> AcctLogFileName %L/detail
>>>>>> </Handler>
>>>>>> <Handler>
>>>>>> AddToRequestIfNotExist Request-Protocol=Radius
>>>>>> AuthByPolicy ContinueUntilReject
>>>>>> AuthBy LDAPAuthorisation
>>>>>> AuthBy UserFilter
>>>>>> AuthBy PAMAuthentication
>>>>>> AuthLog LogAuthentication
>>>>>> # Log accounting to the detail file in LogDir
>>>>>> AcctLogFileName %L/detail
>>>>>> </Handler>
>>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>
>>>>>
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive (www.open.com.au/
>>>>> archives/ radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>> Have you checked the RadiusExpert wiki:
>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>
>>>>> --
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>> and DIAMETER translation agent.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>> flexible with hardware, software, platform and database independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>>
>>>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AuthPAM.pm
Type: application/octet-stream
Size: 8685 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080208/933da997/attachment.obj>