(RADIATOR) AuthenticateAttribute question

Mike McCauley mikem at open.com.au
Fri Feb 8 18:05:27 CST 2008


Hello Markus,

On Saturday 09 February 2008 06:40, Markus Moeller wrote:
> Hugh,
>
> I had another problem with AuthPAM.pm. The module expects that the PAM
> prompt is password, which wasn't in my case. So I defined in AuthGeneric a
> keyword PasswordPrompt and use it in AuthPAM.pm. Now I can use:
>
> <AuthBy PAM>
>         Identifier PAMAuthentication
>         AuthenticateAttribute User-Mail
>         PasswordPrompt Code
>         Service rad_mail
> </AuthBy>
>
> Would it be possible to integrate this patch too?

Added to the latest patch set.
Thanks for your contribution.

Cheers.

>
> Thank you
> Markus
>
> AuthGeneric.pm
>
> %Radius::AuthGeneric::ConfigKeywords =
> (
>   .
>  .
>
>  'PasswordPrompt'           =>
>  ['string',
>   'To allow authentication modules to adopt to different password prompts',
>   1],
>  );
>
>
> sub initialize
> {
>     .
>
>     $self->{PasswordPrompt} = 'password';
> }
>
> AuthPAM.pm
>
> see attachment.
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Thursday, February 07, 2008 6:11 AM
> Subject: Re: (RADIATOR) AuthenticateAttribute question
>
> > Hello Markus -
> >
> > Your patch has now been added to the Radiator patches.
> >
> > many thanks
> >
> > regards
> >
> > Hugh
> >
> > On 7 Feb 2008, at 10:52, Markus Moeller wrote:
> >> OK I just copied AuthPAM.pm as AuthPAM2.pm and added
> >> $user_name = $p->get_attr($self->{AuthenticateAttribute})
> >>            if $self->{AuthenticateAttribute};
> >>
> >> after        my $user_name = $p->getUserName;
> >>
> >>
> >> which seems to work.
> >>
> >> Thank you
> >> Markus
> >>
> >> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> >> To: "Markus Moeller" <huaraz at moeller.plus.com>
> >> Cc: <radiator at open.com.au>
> >> Sent: Wednesday, February 06, 2008 9:47 AM
> >> Subject: Re: (RADIATOR) AuthenticateAttribute question
> >>
> >>> Hello Markus -
> >>> Unfortunately the AuthBy PAM module does not currently support
> >>> AuthenticateAttribute.
> >>> regards
> >>> Hugh
> >>>
> >>> On 6 Feb 2008, at 10:39, Markus Moeller wrote:
> >>>> Hugh,
> >>>>
> >>>> Sorry, I had an error in my config, which is why the <AuthBy File> check
> >>>> for My-Mac-Address didn't work.
> >>>>
> >>>> But I also have the PAMAuthentication part, which is:
> >>>>
> >>>> <AuthBy PAM>
> >>>>        Identifier PAMAuthentication
> >>>>        AuthenticateAttribute User-Mail
> >>>>        Service rad_mail
> >>>> </AuthBy>
> >>>>
> >>>> and I still get fred as the user to authenticate. I added a
> >>>> pam_syslog line to pam to log the arguments and I get
> >>>> Feb  5 23:29:48 testbox pam_syslog[15401]: [ID 518756  auth.debug]
> >>>> User: fred, Ruser: unknown, TTY: unknown/no tty,  Service: rad_mail,
> >>>> Rhost: unknown
> >>>>
> >>>> BTW I get the same when I use the test radius client.
> >>>>
> >>>> # /usr/perl5/5.8.4/bin/radiusd -config_file /etc/raddb/radius.cfg  -
> >>>> trace 5 -foreground -log_stdout
> >>>> Tue Feb  5 22:56:28 2008: DEBUG: include /etc/raddb/readclients.pl|
> >>>> Tue Feb  5 22:56:28 2008: NOTICE: Reading clients file /etc/ raddb/
> >>>> clients
> >>>> Tue Feb  5 22:56:29 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> >>>> Tue Feb  5 22:56:29 2008: DEBUG: Finished reading configuration   file
> >>>> '/etc/raddb/radius.cfg'
> >>>> Tue Feb  5 22:56:29 2008: DEBUG: Reading dictionary file '/etc/
> >>>> raddb/dictionary'
> >>>> Tue Feb  5 22:56:29 2008: DEBUG: Creating authentication port
> >>>> 0.0.0.0:1645
> >>>> Tue Feb  5 22:56:29 2008: DEBUG: Creating accounting port 
> >>>> 0.0.0.0:1646 Tue Feb  5 22:56:29 2008: NOTICE: Server started:
> >>>> Radiator 4.0  on testbox
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: New TacacsplusConnection  created 
> >>>> for 192.168.10.1:11556
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection request  192, 
> >>>> 1, 1, 0, 2170462350, 25
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request packet dump:
> >>>> c0010100815ea08e000000195732db16725f8c66746527dcea76f8c606ffdbd6390e
> >>>> cb 6a94
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: Decrypting TacacsPlus request
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsPlus request decrypted  body:
> >>>> 0101010100050c01747479513831302e3132382e35352e3233
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection   Authentication
> >>>> START 1, 1, 1 for , tty18, 192.168.1.1
> >>>> Tue Feb  5 22:56:47 2008: DEBUG: TacacsplusConnection   Authentication
> >>>> REPLY 4, 0, Username: ,
> >>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection request  192, 
> >>>> 1, 3, 0, 2170462350, 11
> >>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request packet dump:
> >>>> c0010300815ea08e0002000be41fbb70affee870f13cca
> >>>> Tue Feb  5 22:56:51 2008: DEBUG: Decrypting TacacsPlus request
> >>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsPlus request decrypted  body:
> >>>> 00060000206d64656c6d61
> >>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection   Authentication
> >>>> CONTINUE 0, fred,
> >>>> Tue Feb  5 22:56:51 2008: DEBUG: TacacsplusConnection   Authentication
> >>>> REPLY 5, 1, Password: ,
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection request  192, 
> >>>> 1, 5, 0, 2170462350, 7
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request packet dump:
> >>>> c0010500815fa08e00020007ce5cd6a44a36d9
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Decrypting TacacsPlus request
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsPlus request decrypted  body:
> >>>> 00021000004d6d
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: TacacsplusConnection   Authentication
> >>>> CONTINUE 0, mm,
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: TACACSPLUS derived Radius  request
> >>>> packet dump:
> >>>> Code:       Access-Request
> >>>> Identifier: UNDEF
> >>>> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
> >>>> Attributes:
> >>>>        NAS-IP-Address = 192.168.10.1
> >>>>        NAS-Port-Id = "tty18"
> >>>>        Calling-Station-Id = "192.168.1.1"
> >>>>        Service-Type = Login-User
> >>>>        Request-Protocol = TACACS+
> >>>>        User-Name = "fred"
> >>>>        User-Password = mm
> >>>>
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling request with Handler ''
> >>>> Tue Feb  5 22:56:53 2008: DEBUG:  Deleting session for fred,
> >>>> 192.168.10.1,
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with  Radius::AuthLDAP2:
> >>>> LDAPAuthorisation
> >>>> Tue Feb  5 22:56:53 2008: INFO: Connecting to 192.168.2.1:5636
> >>>> Tue Feb  5 22:56:53 2008: INFO: Attempting to bind to LDAP  server
> >>>> 192.168.2.1:5636
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got result for
> >>>> uid=fred,dc=test,dc=com
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: LDAP got mail:
> >>>> huaraz at moeller.plus.com
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 looks for  match
> >>>> with fred [fred]
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: :  fred
> >>>> [fred]
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy LDAP2 result: ACCEPT,
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with Radius::AuthFILE:
> >>>> UserFilter
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Reading users file /etc/raddb/users
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for  match
> >>>> with fred [fred]
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE REJECT: No  such
> >>>> user: fred [fred]
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE looks for  match
> >>>> with DEFAULT [fred]
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Radius::AuthFILE ACCEPT: :  DEFAULT
> >>>> [fred]
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy FILE result: ACCEPT,
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Handling with PAM service rad_mail
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: AuthBy PAM result: ACCEPT,
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Access accepted for fred
> >>>> Tue Feb  5 22:56:53 2008: DEBUG: Packet dump:
> >>>> *** Reply to TACACSPLUS request:
> >>>> Code:       Access-Accept
> >>>> Identifier: UNDEF
> >>>> Authentic:  <29>Ix;?wb<170>s<254>(<240>G<237><203>u
> >>>> Tue Feb  5 22:56:55 2008: DEBUG: TacacsplusConnection  disconnected
> >>>> from 192.168.10.1:11559
> >>>>
> >>>>
> >>>>
> >>>> Thank you
> >>>> Markus
> >>>>
> >>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> >>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
> >>>> Cc: <radiator at open.com.au>
> >>>> Sent: Tuesday, February 05, 2008 10:29 PM
> >>>> Subject: Re: (RADIATOR) AuthenticateAttribute question
> >>>>
> >>>>> Hello Markus -
> >>>>>
> >>>>> It would be most helpful to see a trace 4 debug showing what is
> >>>>> happening.
> >>>>>
> >>>>> regards
> >>>>>
> >>>>> Hugh
> >>>>>
> >>>>> On 6 Feb 2008, at 08:33, Markus Moeller wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> I try to change the attribute to authenticate a user/system. I
> >>>>>> have the following setup where my LDAP connection fills an
> >>>>>> attribute My-MAC-Address, which is then checked against file entries.
> >>>>>> The problem I have is that I still get the User-Name as the
> >>>>>> compare value, not My-MAC-Address. I did include a PostAuthHook
> >>>>>> sub { print ${$_[0]}->get_attr('My-MAC-Address') ; } and it has the
> >>>>>> correct MAC-Address.
> >>>>>>
> >>>>>> What could be the reason that I still compare the User-Name
> >>>>>> attribute ?
> >>>>>>
> >>>>>> <AuthBy FILE>
> >>>>>>         Identifier MacFilter
> >>>>>>         AuthenticateAttribute My-MAC-Address
> >>>>>>         Filename %D/macs
> >>>>>> </AuthBy>
> >>>>>>
> >>>>>> <Handler Device-Class=class1>
> >>>>>>         AddToRequestIfNotExist Request-Protocol=Radius
> >>>>>>         AuthByPolicy ContinueUntilReject
> >>>>>>         AuthBy LDAPMACAuthorisation
> >>>>>>         AuthBy MacFilter
> >>>>>>         # Log accounting to the detail file in LogDir
> >>>>>>         AcctLogFileName %L/detail
> >>>>>> </Handler>
> >>>>>> <Handler>
> >>>>>>         AddToRequestIfNotExist Request-Protocol=Radius
> >>>>>>         AuthByPolicy ContinueUntilReject
> >>>>>>         AuthBy LDAPAuthorisation
> >>>>>>         AuthBy UserFilter
> >>>>>>         AuthBy PAMAuthentication
> >>>>>>         AuthLog LogAuthentication
> >>>>>>         # Log accounting to the detail file in LogDir
> >>>>>>         AcctLogFileName %L/detail
> >>>>>> </Handler>
> >>>>>>
> >>>>>> Thank you
> >>>>>> Markus
> >>>>>
> >>>>> NB:
> >>>>>
> >>>>> Have you read the reference manual ("doc/ref.html")?
> >>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> >>>>> Have you had a quick look on Google (www.google.com)?
> >>>>> Have you included a copy of your configuration file (no secrets),
> >>>>> together with a trace 4 debug showing what is happening?
> >>>>> Have you checked the RadiusExpert wiki:
> >>>>> http://www.open.com.au/wiki/index.php/Main_Page
> >>>>>
> >>>>> --
> >>>>> Radiator: the most portable, flexible and configurable RADIUS  server
> >>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>>>> Includes support for reliable RADIUS transport (RadSec),
> >>>>> and DIAMETER translation agent.
> >>>>> -
> >>>>> Nets: internetwork inventory and management - graphical,  extensible,
> >>>>> flexible with hardware, software, platform and database 
> >>>>> independence. -
> >>>>> CATool: Private Certificate Authority for Unix and Unix-like 
> >>>>> systems.
> >>>
> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
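As an added illustration of the AuthenticateAttribute and PasswordPrompt handling this thread describes (example code written for this page, not Radiator's own AuthPAM.pm or Markus's patch): the FakeRequest stand-in, the PAM numeric codes and the sample request are assumptions. It also adds the check a deployment wants, rejecting when the configured attribute is absent instead of handing PAM an undefined user name.

```perl
# Added example (not Radiator's code or the thread's patch): takes the PAM user
# from AuthenticateAttribute and answers only the PAM prompt matching
# PasswordPrompt; a missing attribute is a reject, never an undef user to PAM.
use strict;
use warnings;
# Stand-in for the Radiator request object (constructed for this example); the
# real object exposes get_attr() and getUserName() as used in the thread.
package FakeRequest;
sub new         { my ($class, %a) = @_; return bless {%a}, $class }
sub get_attr    { my ($self, $name) = @_; return $self->{$name} }
sub getUserName { return $_[0]->{'User-Name'} }
package main;
# Linux-PAM codes, spelled out so this runs without Authen::PAM installed.
use constant { PAM_PROMPT_ECHO_OFF => 1, PAM_PROMPT_ECHO_ON => 2,
               PAM_SUCCESS => 0, PAM_CONV_ERR => 19 };
# Identity PAM should authenticate; undef means the caller must REJECT.
sub select_auth_user {
    my ($conf, $p) = @_;
    my $user_name = $p->getUserName;
    if ($conf->{AuthenticateAttribute}) {
        $user_name = $p->get_attr($conf->{AuthenticateAttribute});
        return undef unless defined $user_name && length $user_name;
    }
    return $user_name;
}
# Authen::PAM-style conversation closure: gives the password only to a prompt
# whose text starts with PasswordPrompt (case-insensitive); any other prompt
# for input fails the conversation instead of receiving the secret.
sub make_conv {
    my ($prompt_cfg, $password) = @_;
    return sub {
        my @resp; my $rc = PAM_SUCCESS;
        while (@_) {
            my ($type, $msg) = (shift, shift);
            my $wants_input = $type == PAM_PROMPT_ECHO_OFF || $type == PAM_PROMPT_ECHO_ON;
            if    ($wants_input && $msg =~ /^\s*\Q$prompt_cfg\E/i) { push @resp, PAM_SUCCESS, $password }
            elsif ($wants_input) { push @resp, PAM_CONV_ERR, ''; $rc = PAM_CONV_ERR }
            else                 { push @resp, PAM_SUCCESS, '' }  # info text: no reply
        }
        return (@resp, $rc);
    };
}
# Constructed request for the thread's configuration (User-Mail, prompt "Code").
my $conf = { AuthenticateAttribute => 'User-Mail', PasswordPrompt => 'Code' };
my $req  = FakeRequest->new('User-Name' => 'fred', 'User-Mail' => 'fred@example.com', 'User-Password' => 'mm');
my $user = select_auth_user($conf, $req);
die "REJECT: request lacks $conf->{AuthenticateAttribute}\n" unless defined $user;
my $conv = make_conv($conf->{PasswordPrompt}, $req->get_attr('User-Password'));
printf "PAM user %s; 'Code:' rc=%d, 'Password:' rc=%d\n", $user,
       ($conv->(PAM_PROMPT_ECHO_OFF, 'Code: '))[-1], ($conv->(PAM_PROMPT_ECHO_OFF, 'Password: '))[-1];
```

The final conversation return code is what Authen::PAM inspects, so a prompt that does not match PasswordPrompt ends the exchange with PAM_CONV_ERR rather than a password sent to the wrong question.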
