[RADIATOR] pam_radius_auth and Radiator
Hugh Irvine
hugh at open.com.au
Mon Mar 1 23:37:41 CST 2010
Hello Chris -
Here is a simple test with the correct shared secret, then an incorrect shared secret:
Radiator-4.6 hugh$ perl radpwtst -auth_port 11645 -acct_port 11646 -user ctest -password ctest -noacct
sending Access-Request...
Tue Mar 2 16:27:04 2010: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 55303 ....
Code: Access-Request
Identifier: 34
Authentic: <202><196>w}<13><131><136><255>*Z<253><181><15>J<175><196>
Attributes:
User-Name = "ctest"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = <21>C<131><<224><167><231><128><231><255><27>F$UL
Tue Mar 2 16:27:04 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Mar 2 16:27:04 2010: DEBUG: Deleting session for ctest, 203.63.154.1, 1234
Tue Mar 2 16:27:04 2010: DEBUG: Handling with Radius::AuthFILE:
Tue Mar 2 16:27:04 2010: DEBUG: Radius::AuthFILE looks for match with ctest [ctest]
Tue Mar 2 16:27:04 2010: DEBUG: Radius::AuthFILE ACCEPT: : ctest [ctest]
Tue Mar 2 16:27:04 2010: DEBUG: AuthBy FILE result: ACCEPT,
Tue Mar 2 16:27:04 2010: DEBUG: Access accepted for ctest
Tue Mar 2 16:27:04 2010: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 55303 ....
Code: Access-Accept
Identifier: 34
Authentic: <239><156><129>D<233>-J<248><31><138>G7<136><150>|P
Attributes:
OK
Radiator-4.6 hugh$ perl radpwtst -auth_port 11645 -acct_port 11646 -user ctest -password ctest -noacct -secret blahblah
sending Access-Request...
Tue Mar 2 16:29:48 2010: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 56248 ....
Code: Access-Request
Identifier: 198
Authentic: <152>)<204>#kf<188><132><10>ypE<192>%<2><141>
Attributes:
User-Name = "ctest"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = c<209><211>Y<159><236><229>6<152><190>b<148><136><135><131><2>
Tue Mar 2 16:29:48 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Mar 2 16:29:48 2010: DEBUG: Deleting session for ctest, 203.63.154.1, 1234
Tue Mar 2 16:29:48 2010: DEBUG: Handling with Radius::AuthFILE:
Tue Mar 2 16:29:48 2010: DEBUG: Radius::AuthFILE looks for match with ctest [ctest]
Tue Mar 2 16:29:48 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: ctest [ctest]
Tue Mar 2 16:29:48 2010: DEBUG: AuthBy FILE result: REJECT, Bad Password
Tue Mar 2 16:29:48 2010: INFO: Access rejected for ctest: Bad Password
Tue Mar 2 16:29:48 2010: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 56248 ....
Code: Access-Reject
Identifier: 198
Authentic: <16>p<139><2>FJ<4>{FM<174>dD9<201>]
Attributes:
Reply-Message = "Request Denied"
Here is the configuration file:
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 5
AuthPort 11645
AcctPort 11646
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<Realm DEFAULT>
<AuthBy FILE>
Filename ./users.ctest
</AuthBy>
</Realm>
Here is the users file:
ctest Password = ctest
My conclusion is still that there is a problem with the shared secret.
regards
Hugh
On 2 Mar 2010, at 15:00, Chris Bland wrote:
> Hugh Irvine wrote:
>> Hello Chris -
>>
>> If the same test with the same username and the same password works for radpwtst, then the only difference is the shared secrets.
>>
>> Can you send me the contents of the user record and a trace 5 debug showing both tests?
>>
>> regards
>>
>> Hugh
>>
> Hugh,
>
> For testing I created a user ctest stored in a database. The sqlauth statement returns password 'ctest' in clear text.
>
> Mon Mar 1 22:40:46 2010: DEBUG: Finished reading configuration file '/usr/local/adm/etc/radius.cfg.test'
> Mon Mar 1 22:40:46 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Mon Mar 1 22:40:46 2010: DEBUG: Creating authentication port 0.0.0.0:5794
> Mon Mar 1 22:40:46 2010: DEBUG: Creating accounting port 0.0.0.0:5795
> Mon Mar 1 22:40:46 2010: NOTICE: Server started: Radiator 3.14 on rolemodel
> Mon Mar 1 22:43:23 2010: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 34369 ....
>
> ======================= radpwtst =======================
> Packet length = 105
> 01 bc 00 69 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 07 63 74 65 73 74 06 06 00 00 00
> 02 04 06 cb 3f 9a 01 20 0e 32 30 33 2e 36 33 2e
> 31 35 34 2e 31 05 06 00 00 04 d2 1e 0b 31 32 33
> 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
> 31 3d 06 00 00 00 00 02 12 d0 5c 24 cf f2 99 77
> 54 c4 14 0b 0e d3 47 80 dc
> Code: Access-Request
> Identifier: 188
> Authentic: 1234567890123456
> Attributes:
> User-Name = "ctest"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <208>\$<207><242><153>wT<196><20><11><14><211>G<128><220>
>
> Mon Mar 1 22:43:23 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Mar 1 22:43:23 2010: DEBUG: Deleting session for ctest, 203.63.154.1, 1234
> Mon Mar 1 22:43:23 2010: DEBUG: Handling with Radius::AuthSQL
> Mon Mar 1 22:43:23 2010: DEBUG: Handling with Radius::AuthSQL: LOCALDBAUTH
> Mon Mar 1 22:43:23 2010: DEBUG: Query is: 'select password from subscribers where username='ctest'':
> Mon Mar 1 22:43:23 2010: DEBUG: Radius::AuthSQL looks for match with ctest [ctest]
> Mon Mar 1 22:43:23 2010: DEBUG: Radius::AuthSQL ACCEPT: : ctest [ctest]
> Mon Mar 1 22:43:23 2010: DEBUG: AuthBy SQL result: ACCEPT,
> Mon Mar 1 22:43:23 2010: DEBUG: Access accepted for ctest
> Mon Mar 1 22:43:23 2010: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 34369 ....
>
> Packet length = 20
> 02 bc 00 14 fa df d1 fe 02 c7 ed 59 c6 b5 ff b7
> 60 9b 03 e8
> Code: Access-Accept
> Identifier: 188
> Authentic: 1234567890123456
> Attributes:
>
> Mon Mar 1 22:43:24 2010: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 34369 ....
>
> Packet length = 109
> 04 bd 00 6d 29 09 d9 7d 8a c3 3e 14 1d e6 55 82
> 6b d4 23 e1 01 07 63 74 65 73 74 06 06 00 00 00
> 02 04 06 cb 3f 9a 01 20 0e 32 30 33 2e 36 33 2e
> 31 35 34 2e 31 05 06 00 00 04 d2 3d 06 00 00 00
> 00 2c 0a 30 30 30 30 31 32 33 34 28 06 00 00 00
> 01 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39 38
> 37 36 35 34 33 32 31 29 06 00 00 00 00
> Code: Accounting-Request
> Identifier: 189
> Authentic: )<9><217>}<138><195>><20><29><230>U<130>k<212>#<225>
> Attributes:
> User-Name = "ctest"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
>
> Mon Mar 1 22:43:24 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Mar 1 22:43:24 2010: DEBUG: Adding session for ctest, 203.63.154.1, 1234
> Mon Mar 1 22:43:24 2010: DEBUG: Handling with Radius::AuthSQL
> Mon Mar 1 22:43:24 2010: DEBUG: Handling accounting with Radius::AuthSQL
> Mon Mar 1 22:43:24 2010: DEBUG: AuthBy SQL result: ACCEPT,
> Mon Mar 1 22:43:24 2010: DEBUG: Accounting accepted
> Mon Mar 1 22:43:24 2010: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 34369 ....
>
> Packet length = 20
> 05 bd 00 14 20 ad 65 94 3d 27 8e d4 b6 9e d7 42
> fa cb 28 f4
> Code: Accounting-Response
> Identifier: 189
> Authentic: )<9><217>}<138><195>><20><29><230>U<130>k<212>#<225>
> Attributes:
>
> Mon Mar 1 22:43:24 2010: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 34369 ....
>
> Packet length = 127
> 04 be 00 7f 8d 2e 7f 44 01 37 37 c4 1b fc 2a d3
> 66 44 b1 ec 01 07 63 74 65 73 74 06 06 00 00 00
> 02 04 06 cb 3f 9a 01 20 0e 32 30 33 2e 36 33 2e
> 31 35 34 2e 31 05 06 00 00 04 d2 3d 06 00 00 00
> 00 2c 0a 30 30 30 30 31 32 33 34 28 06 00 00 00
> 02 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39 38
> 37 36 35 34 33 32 31 29 06 00 00 00 00 2e 06 00
> 00 03 e8 2a 06 00 00 4e 20 2b 06 00 00 75 30
> Code: Accounting-Request
> Identifier: 190
> Authentic: <141>.<127>D<1>77<196><27><252>*<211>fD<177><236>
> Attributes:
> User-Name = "ctest"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
> Mon Mar 1 22:43:24 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Mar 1 22:43:24 2010: DEBUG: Deleting session for ctest, 203.63.154.1, 1234
> Mon Mar 1 22:43:24 2010: DEBUG: Handling with Radius::AuthSQL
> Mon Mar 1 22:43:24 2010: DEBUG: Handling accounting with Radius::AuthSQL
> Mon Mar 1 22:43:24 2010: DEBUG: AuthBy SQL result: ACCEPT,
> Mon Mar 1 22:43:24 2010: DEBUG: Accounting accepted
> Mon Mar 1 22:43:24 2010: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 34369 ....
>
> Packet length = 20
> 05 be 00 14 49 9e 05 a3 c8 63 c7 2e 59 e6 f8 d4
> c8 43 e9 de
> Code: Accounting-Response
> Identifier: 190
> Authentic: <141>.<127>D<1>77<196><27><252>*<211>fD<177><236>
> Attributes:
>
> ==================== pam_radius_auth ====================
>
> Mon Mar 1 22:44:15 2010: DEBUG: Packet dump:
> *** Received from 132.238.3.162 port 29573 ....
>
> Packet length = 94
> 01 32 00 5e ad d9 12 6a 40 14 e8 07 cf be 18 2b
> f8 4a c0 b0 01 07 63 74 65 73 74 02 12 d7 b4 01
> d6 c7 de 53 23 db 91 dd 4f 14 53 a7 53 04 06 84
> ee 03 ac 20 06 73 73 68 64 05 06 00 00 6f 84 3d
> 06 00 00 00 05 06 06 00 00 00 08 1f 13 65 6c 6c
> 73 77 6f 72 74 68 2e 66 64 75 2e 65 64 75
> Code: Access-Request
> Identifier: 50
> Authentic: <173><217><18>j@<20><232><7><207><190><24>+<248>J<192><176>
> Attributes:
> User-Name = "ctest"
> User-Password = <215><180><1><214><199><222>S#<219><145><221>O<20>S<167>S
> NAS-IP-Address = 132.238.3.162
> NAS-Identifier = "sshd"
> NAS-Port = 28548
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> Calling-Station-Id = "bancroft-usas-246t.fdu.edu"
>
> Mon Mar 1 22:44:15 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Mar 1 22:44:15 2010: DEBUG: Deleting session for ctest, 132.238.3.162, 28548
> Mon Mar 1 22:44:15 2010: DEBUG: Handling with Radius::AuthSQL
> Mon Mar 1 22:44:15 2010: DEBUG: Handling with Radius::AuthSQL: LOCALDBAUTH
> Mon Mar 1 22:44:15 2010: DEBUG: Query is: 'select password from subscribers where username='ctest'':
> Mon Mar 1 22:44:15 2010: DEBUG: Radius::AuthSQL looks for match with ctest [ctest]
> Mon Mar 1 22:44:15 2010: DEBUG: Radius::AuthSQL REJECT: Bad Password: ctest [ctest]
> Mon Mar 1 22:44:15 2010: DEBUG: Query is: 'select password from subscribers where username='DEFAULT'':
> Mon Mar 1 22:44:15 2010: DEBUG: AuthBy SQL result: REJECT, Bad Password
> Mon Mar 1 22:44:15 2010: INFO: Access rejected for ctest: Bad Password
> Mon Mar 1 22:44:15 2010: DEBUG: Packet dump:
> *** Sending to 132.238.3.162 port 29573 ....
>
> Packet length = 36
> 03 32 00 24 46 2a 7d 0b de 8d f6 7c d2 39 2f 22
> 9d a9 23 ca 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code: Access-Reject
> Identifier: 50
> Authentic: <173><217><18>j@<20><232><7><207><190><24>+<248>J<192><176>
> Attributes:
> Reply-Message = "Request Denied"
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
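The traces above all show the same pattern: a shared-secret mismatch is logged by the server as "Bad Password", not as a secret error, because RFC 2865 hides User-Password by XORing it with MD5(secret + Request Authenticator) and the server simply decodes with its own secret and compares. The following is an added worked example, not code from the post or from Radiator, that implements that hiding, the Response Authenticator, and the server's accept/reject decision. It parses the 105-byte radpwtst Access-Request copied from the quoted hex dump; the secrets "constructed-secret" and the stored password it uses for the round trip are constructed for the example (Chris's real secret is not on the page, so the page's own hidden password cannot be decoded here).

```python
"""Added example: RFC 2865 User-Password hiding, Response Authenticator, and
why a wrong shared secret surfaces as 'REJECT, Bad Password' in the server trace.
Not part of the mailing-list post or of Radiator."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

# The Access-Request radpwtst sent in the quoted trace (hex dump above,
# Identifier 188, Request Authenticator "1234567890123456").
RADPWTST_REQUEST = bytes.fromhex(
    "01bc006931323334353637383930313233343536010763746573740606000000"
    "020406cb3f9a01200e3230332e36332e3135342e310506000004d21e0b313233"
    "3435363738391f0b3938373635343332313d06000000000212d05c24cff29977"
    "54c4140b0ed34780dc"
)


def parse_packet(raw):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = raw[pos], raw[pos + 1]
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs


def encode_attribute(atype, value):
    """Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, XOR block i with MD5(secret + previous cipher block),
    where the 'previous block' for block 0 is the Request Authenticator."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped as servers do.
    With the wrong secret this returns pseudo-random bytes, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def server_decision(hidden, request_auth, server_secret, stored_password):
    """What an AuthBy does: decode with the server's secret and compare."""
    recovered = unhide_password(hidden, server_secret, request_auth)
    return "ACCEPT" if recovered == stored_password else "REJECT, Bad Password"


def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(raw, request_auth, secret):
    """Client-side check: this is where a secret mismatch becomes detectable."""
    header, got, attrs = raw[:4], raw[4:20], raw[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    code, ident, auth, attrs = parse_packet(RADPWTST_REQUEST)
    print("Identifier:", ident, "User-Name:", dict(attrs)[USER_NAME])
    # Constructed secrets for the demonstration (not the secrets from the post).
    good, wrong = b"constructed-secret", b"blahblah"
    hidden = hide_password(b"ctest", good, auth)
    print("same secret:     ", server_decision(hidden, auth, good, b"ctest"))
    print("different secret:", server_decision(hidden, auth, wrong, b"ctest"))
    reject = build_response(ACCESS_REJECT, 50,
                            encode_attribute(REPLY_MESSAGE, b"Request Denied"), auth, good)
    print("client verifies reject with same secret:", verify_response(reject, auth, good))
```

The server side has no way to tell a wrong secret from a wrong password on a plain Access-Request, which is why both the radpwtst run with `-secret blahblah` and the pam_radius_auth run log "Bad Password"; the mismatch only becomes visible on the client, where the Response Authenticator fails to verify. Adding a Message-Authenticator attribute (RFC 2869, HMAC-MD5 over the packet with the shared secret) lets the server reject such requests before password checking.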