[RADIATOR] pam_radius_auth and Radiator

Chris Bland chris at fdu.edu
Tue May 18 10:43:19 CDT 2010


*****************************Output using rewrite in client clause*******************************

Tue May 18 11:40:01 2010: DEBUG: Finished reading configuration file '/usr/local/adm/etc/radius.cfg.simple'
Tue May 18 11:40:01 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Tue May 18 11:40:01 2010: DEBUG: Creating authentication port 0.0.0.0:5794
Tue May 18 11:40:01 2010: DEBUG: Creating accounting port 0.0.0.0:5795
Tue May 18 11:40:01 2010: NOTICE: Server started: Radiator 3.14 on xxxx

Tue May 18 11:40:10 2010: DEBUG: Packet dump:
*** Received from 132.238.3.172 port 12824 ....

Packet length = 97
01 52 00 61 ab eb 18 ca 97 f9 62 83 f8 e6 e2 4e
01 97 e0 e3 01 09 74 65 73 74 64 64 67 02 12 d8
34 a4 c9 20 1e 31 dd bb 67 9a 02 9a 75 e3 d1 04
06 84 ee 03 ac 20 07 61 6c 70 68 61 05 06 00 00
2e 17 3d 06 00 00 00 05 06 06 00 00 00 08 1f 13
65 6c 6c 73 77 6f 72 74 68 2e 66 64 75 2e 65 64
75
Code:       Access-Request
Identifier: 82
Authentic:  <171><235><24><202><151><249>b<131><248><230><226>N<1><151><224><227>
Attributes:
    User-Name = "test"
    User-Password = <216>4<164><201> <30>1<221><187>g<154><2><154>u<227><209>
    NAS-IP-Address = 132.238.3.172
    NAS-Identifier = "alpha"
    NAS-Port = 11799
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "rolemodel.fdu.edu"

Tue May 18 11:40:10 2010: DEBUG: Rewrote user name to test
Tue May 18 11:40:10 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue May 18 11:40:10 2010: DEBUG:  Deleting session for test, 132.238.3.172, 11799
Tue May 18 11:40:10 2010: DEBUG: Handling with Radius::AuthFILE:
Tue May 18 11:40:10 2010: DEBUG: Reading users file ./users.alpha
Tue May 18 11:40:10 2010: DEBUG: Radius::AuthFILE looks for match with test [test]
Tue May 18 11:40:10 2010: DEBUG: Radius::AuthFILE ACCEPT: : test [test]
Tue May 18 11:40:10 2010: DEBUG: AuthBy FILE result: ACCEPT,
Tue May 18 11:40:10 2010: DEBUG: Access accepted for test
Tue May 18 11:40:10 2010: DEBUG: Packet dump:
*** Sending to 132.238.3.172 port 12824 ....

Packet length = 20
02 52 00 14 c4 05 96 01 8d 84 2e 74 80 79 85 e7
4a 7b 20 a2
Code:       Access-Accept
Identifier: 82
Authentic:  <171><235><24><202><151><249>b<131><248><230><226>N<1><151><224><227>
Attributes:

Tue May 18 11:40:18 2010: DEBUG: Packet dump:
*** Received from 132.238.3.172 port 12849 ....

Packet length = 105
01 54 00 69 e6 6f 36 00 fb 12 60 0f e2 75 6a f4
12 5d 42 9f 01 11 74 65 73 74 64 64 67 40 66 64
75 2e 65 64 75 02 12 3d 48 78 c9 7d 99 cd 0d c0
40 84 21 27 0e f9 74 04 06 84 ee 03 ac 20 07 61
6c 70 68 61 05 06 00 00 2e 30 3d 06 00 00 00 05
06 06 00 00 00 08 1f 13 65 6c 6c 73 77 6f 72 74
68 2e 66 64 75 2e 65 64 75
Code:       Access-Request
Identifier: 84
Authentic:  <230>o6<0><251><18>`<15><226>uj<244><18>]B<159>
Attributes:
    User-Name = "test at fdu.edu"
    User-Password = =Hx<201>}<153><205><13><192>@<132>!'<14><249>t
    NAS-IP-Address = 132.238.3.172
    NAS-Identifier = "alpha"
    NAS-Port = 11824
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "rolemodel.fdu.edu"

Tue May 18 11:40:18 2010: DEBUG: Rewrote user name to test
Tue May 18 11:40:18 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue May 18 11:40:18 2010: DEBUG:  Deleting session for test at fdu.edu, 132.238.3.172, 11824
Tue May 18 11:40:18 2010: DEBUG: Handling with Radius::AuthFILE:
Tue May 18 11:40:18 2010: DEBUG: Radius::AuthFILE looks for match with test [test at fdu.edu]
Tue May 18 11:40:18 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: test [test at fdu.edu]
Tue May 18 11:40:18 2010: DEBUG: AuthBy FILE result: REJECT, Bad Password
Tue May 18 11:40:18 2010: INFO: Access rejected for test: Bad Password
Tue May 18 11:40:18 2010: DEBUG: Packet dump:
*** Sending to 132.238.3.162 port 12849 ....

Packet length = 34
03 54 00 22 75 76 c8 b7 17 62 2e 1a cc 96 db cd
1e b9 a4 8a 12 0e 42 61 64 20 50 61 73 73 77 6f
72 64
Code:       Access-Reject
Identifier: 84
Authentic:  <230>o6<0><251><18>`<15><226>uj<244><18>]B<159>
Attributes:
    Reply-Message = "Bad Password"

*****************************Output with both user names in file********************************

Tue May 18 11:27:02 2010: DEBUG: Finished reading configuration file '/usr/local/adm/etc/radius.cfg.simple'
Tue May 18 11:27:02 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Tue May 18 11:27:02 2010: DEBUG: Creating authentication port 0.0.0.0:5794
Tue May 18 11:27:02 2010: DEBUG: Creating accounting port 0.0.0.0:5795
Tue May 18 11:27:02 2010: NOTICE: Server started: Radiator 3.14 on xxxxx

Tue May 18 11:27:35 2010: DEBUG: Packet dump:
*** Received from 132.238.3.162 port 12795 ....

Packet length = 97
01 aa 00 61 fa 00 cd 0f 34 0a c8 89 48 6b c6 3a
d4 24 22 71 01 09 74 65 73 74 64 64 67 02 12 39
b0 36 01 f1 1d 2a 39 23 e8 bf 22 ba 5c 4e a1 04
06 84 ee 03 ac 20 07 61 6c 70 68 61 05 06 00 00
2d fa 3d 06 00 00 00 05 06 06 00 00 00 08 1f 13
65 6c 6c 73 77 6f 72 74 68 2e 66 64 75 2e 65 64
75
Code:       Access-Request
Identifier: 170
Authentic:  <250><0><205><15>4<10><200><137>Hk<198>:<212>$"q
Attributes:
    User-Name = "test"
    User-Password = 9<176>6<1><241><29>*9#<232><191>"<186>\N<161>
    NAS-IP-Address = 132.238.3.162
    NAS-Identifier = "alpha"
    NAS-Port = 11770
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "rolemodel.fdu.edu"

Tue May 18 11:27:35 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue May 18 11:27:35 2010: DEBUG:  Deleting session for test, 132.238.3.162, 11770
Tue May 18 11:27:35 2010: DEBUG: Handling with Radius::AuthFILE:
Tue May 18 11:27:35 2010: DEBUG: Reading users file ./users.alpha
Tue May 18 11:27:35 2010: DEBUG: Radius::AuthFILE looks for match with test [test]
Tue May 18 11:27:35 2010: DEBUG: Radius::AuthFILE ACCEPT: : test [test]
Tue May 18 11:27:35 2010: DEBUG: AuthBy FILE result: ACCEPT,
Tue May 18 11:27:35 2010: DEBUG: Access accepted for test
Tue May 18 11:27:35 2010: DEBUG: Packet dump:
*** Sending to 132.238.3.162 port 12795 ....

Packet length = 20
02 aa 00 14 79 ca 35 0b f7 aa c9 63 8c a4 59 3d
36 4b 93 d0
Code:       Access-Accept
Identifier: 170
Authentic:  <250><0><205><15>4<10><200><137>Hk<198>:<212>$"q
Attributes:

Tue May 18 11:27:44 2010: DEBUG: Packet dump:
*** Received from 132.238.3.162 port 12820 ....

Packet length = 105
01 0e 00 69 85 3f b8 bf 63 ee 64 1d 5d ea bf 92
fa bf f8 c4 01 11 74 65 73 74 64 64 67 40 66 64
75 2e 65 64 75 02 12 1e b4 8e 74 0b 0e ac b1 c5
71 5e 1b f6 c7 09 1a 04 06 84 ee 03 ac 20 07 61
6c 70 68 61 05 06 00 00 2e 13 3d 06 00 00 00 05
06 06 00 00 00 08 1f 13 65 6c 6c 73 77 6f 72 74
68 2e 66 64 75 2e 65 64 75
Code:       Access-Request
Identifier: 14
Authentic:  <133>?<184><191>c<238>d<29>]<234><191><146><250><191><248><196>
Attributes:
    User-Name = "test at fdu.edu"
    User-Password = <30><180><142>t<11><14><172><177><197>q^<27><246><199><9><26>
    NAS-IP-Address = 132.238.3.162
    NAS-Identifier = "alpha"
    NAS-Port = 11795
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "rolemodel.fdu.edu"

Tue May 18 11:27:44 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue May 18 11:27:44 2010: DEBUG:  Deleting session for test at fdu.edu, 132.238.3.162, 11795
Tue May 18 11:27:44 2010: DEBUG: Handling with Radius::AuthFILE:
Tue May 18 11:27:44 2010: DEBUG: Radius::AuthFILE looks for match with test at fdu.edu [test at fdu.edu]
Tue May 18 11:27:44 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: test at fdu.edu [test at fdu.edu]
Tue May 18 11:27:44 2010: DEBUG: AuthBy FILE result: REJECT, Bad Password
Tue May 18 11:27:44 2010: INFO: Access rejected for test at fdu.edu: Bad Password
Tue May 18 11:27:44 2010: DEBUG: Packet dump:
*** Sending to 132.238.3.162 port 12820 ....

Packet length = 34
03 0e 00 22 a7 8f 55 e8 1b 01 2e 84 37 31 07 25
2c e0 25 20 12 0e 42 61 64 20 50 61 73 73 77 6f
72 64
Code:       Access-Reject
Identifier: 14
Authentic:  <133>?<184><191>c<238>d<29>]<234><191><146><250><191><248><196>
Attributes:
    Reply-Message = "Bad Password"



Hugh Irvine wrote:
> Hello Chris -
>
> This is very strange - can you please send me a trace 5 debug with the packet dumps so we can see what is happening?
>
> thanks and regards
>
> Hugh
>
>
> On 15 May 2010, at 10:22, Chris Bland wrote:
>
>   
>> Hugh,
>>
>> My users file looks like this
>> ctest Password = ctest
>> test Password = tuesday
>> test at fdu.edu Password = tuesday
>>
>> My config looks like this
>>
>> Foreground
>> #DefineGlobalVar Max 7200
>>
>> # Set up
>> LogStdout
>> LogDir        /var/log/radius-alpha
>> DbDir        .
>> PidFile     /var/log/radius-alpha/radiusd.pid
>> AuthPort    5794
>> AcctPort    5795
>> DictionaryFile /etc/radiator/dictionary
>>
>>
>> # Use a lower trace level in production systems:
>> Trace         4
>>
>> #
>> #***********************************************************************
>> # Authorized Clients
>> #***********************************************************************
>> #
>> <Client 132.238.3.162>
>>   Secret mysecret
>>   DupInterval 0
>> #    RewriteUsername s/^([^@]+).*/$1/
>> </Client>
>>
>> <Client DEFAULT>
>>   Secret    mysecret
>>   DupInterval 0
>> </Client>
>>
>> #
>> #***********************************************************************
>> # Log file for authentication requests
>> #***********************************************************************
>> #
>> <AuthLog FILE>
>>   Identifier LOCALFILE
>>   Filename %L/authlog.alpha
>>   LogSuccess 1
>>   LogFailure 1
>>   SuccessFormat %1:%U:%P:OK
>> </AuthLog FILE>
>> #
>> #***********************************************************************
>> # Default authentication for users
>> #***********************************************************************
>> #
>> <Realm DEFAULT>
>>   AuthByPolicy ContinueAlways
>>   <AuthBy FILE>
>>       Filename ./users.alpha
>>   </AuthBy>
>>   AuthLog LOCALFILE
>> RejectHasReason
>> </Realm>
>>
>>
>>
>> -Chris
>>
>> Hugh Irvine wrote:
>>     
>>> Hello Chris -
>>>
>>> I will need to see a copy of the configuration file together with the contents of the users file.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 15 May 2010, at 10:11, Chris Bland wrote:
>>>
>>>  
>>>       
>>>> Hi guys,
>>>>
>>>> I am using pam_radius-1.3.17 on a Fedora 11 box and Radiator 3.14 for development.  I am having password authentication issues for users at realm.  I started with the radius.cfg.simple.  It works fine with non-realm usernames.  I intend to ultimately have users authenticate with their email address.  I have tried two approaches and I keep getting
>>>>
>>>> Fri May 14 19:59:49 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: test [test at fdu.edu]
>>>> Fri May 14 19:59:49 2010: DEBUG: AuthBy FILE result: REJECT, Bad Password
>>>>
>>>> My first attempt was to put user at realm in my users file.  I get a Bad Password error.  I also tried putting a rewrite in the client clause to see if I could authenticate against the working user name.  I still get a Bad Password error.
>>>>
>>>> *************************Using rewrite******************************************
>>>>
>>>> <Client 132.238.3.162>
>>>>       Secret mysecret
>>>>       DupInterval 0
>>>>       RewriteUsername s/^([^@]+).*/$1/
>>>> </Client>
>>>>
>>>> Fri May 14 19:58:57 2010: DEBUG: Packet dump:
>>>> *** Received from 132.238.3.162 port 3878 ....
>>>> Code:       Access-Request
>>>> Identifier: 223
>>>> Authentic:  <147><229>%<171><31>Lm/<178><160><13><228><10><128><29>8
>>>> Attributes:
>>>>   User-Name = "test"
>>>>   User-Password = b5<161><164><238>!<174><7><146>+V<18>n<208><132><146>
>>>>   NAS-IP-Address = 132.238.3.162
>>>>   NAS-Identifier = "alpha"
>>>>   NAS-Port = 2853
>>>>   NAS-Port-Type = Virtual
>>>>   Service-Type = Authenticate-Only
>>>>   Calling-Station-Id = "rolemodel.fdu.edu"
>>>>
>>>> Fri May 14 19:58:57 2010: DEBUG: Rewrote user name to test
>>>> Fri May 14 19:58:57 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>> Fri May 14 19:58:57 2010: DEBUG:  Deleting session for test, 132.238.3.162, 2853
>>>> Fri May 14 19:58:57 2010: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri May 14 19:58:57 2010: DEBUG: Reading users file ./users.alpha
>>>> Fri May 14 19:58:57 2010: DEBUG: Radius::AuthFILE looks for match with test [test]
>>>> Fri May 14 19:58:57 2010: DEBUG: Radius::AuthFILE ACCEPT: : test [test]
>>>> Fri May 14 19:58:57 2010: DEBUG: AuthBy FILE result: ACCEPT,
>>>> Fri May 14 19:58:57 2010: DEBUG: Access accepted for test
>>>> Fri May 14 19:58:57 2010: DEBUG: Packet dump:
>>>> *** Sending to 132.238.3.162 port 3878 ....
>>>> Code:       Access-Accept
>>>> Identifier: 223
>>>> Authentic:  <147><229>%<171><31>Lm/<178><160><13><228><10><128><29>8
>>>> Attributes:
>>>>
>>>>
>>>> Fri May 14 19:59:49 2010: DEBUG: Packet dump:
>>>> *** Received from 132.238.3.162 port 3902 ....
>>>> Code:       Access-Request
>>>> Identifier: 8
>>>> Authentic:  a<178><R<9>7<208>r<130><148><8><144><6><165><222><27>
>>>> Attributes:
>>>>   User-Name = "test at fdu.edu"
>>>>   User-Password = <166>NE<171><242><155>H<216>")<7><255><185><137><176><249>
>>>>   NAS-IP-Address = 132.238.3.162
>>>>   NAS-Identifier = "alpha"
>>>>   NAS-Port = 2877
>>>>   NAS-Port-Type = Virtual
>>>>   Service-Type = Authenticate-Only
>>>>   Calling-Station-Id = "rolemodel.fdu.edu"
>>>>
>>>> Fri May 14 19:59:49 2010: DEBUG: Rewrote user name to test
>>>> Fri May 14 19:59:49 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>> Fri May 14 19:59:49 2010: DEBUG:  Deleting session for test at fdu.edu, 132.238.3.162, 2877
>>>> Fri May 14 19:59:49 2010: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri May 14 19:59:49 2010: DEBUG: Radius::AuthFILE looks for match with test [test at fdu.edu]
>>>> Fri May 14 19:59:49 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: test [test at fdu.edu]
>>>> Fri May 14 19:59:49 2010: DEBUG: AuthBy FILE result: REJECT, Bad Password
>>>> Fri May 14 19:59:49 2010: INFO: Access rejected for test: Bad Password
>>>> Fri May 14 19:59:49 2010: DEBUG: Packet dump:
>>>> *** Sending to 132.238.3.162 port 3902 ....
>>>> Code:       Access-Reject
>>>> Identifier: 8
>>>> Authentic:  a<178><R<9>7<208>r<130><148><8><144><6><165><222><27>
>>>> Attributes:
>>>>   Reply-Message = "Bad Password"
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ********************Removing rewrite and adding test at fdu.edu to users file****************
>>>>
>>>> Fri May 14 20:03:02 2010: DEBUG: Packet dump:
>>>> *** Received from 132.238.3.162 port 3920 ....
>>>> Code:       Access-Request
>>>> Identifier: 60
>>>> Authentic:  <226><191><25><189>pJ{<238>4<155><188><1><179><18>A<
>>>> Attributes:
>>>>   User-Name = "test"
>>>>   User-Password = 9O<23>Z<134><169><163><7>V<209><160>n<130><178>Fi
>>>>   NAS-IP-Address = 132.238.3.162
>>>>   NAS-Identifier = "alpha"
>>>>   NAS-Port = 2895
>>>>   NAS-Port-Type = Virtual
>>>>   Service-Type = Authenticate-Only
>>>>   Calling-Station-Id = "rolemodel.fdu.edu"
>>>>
>>>> Fri May 14 20:03:02 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>> Fri May 14 20:03:02 2010: DEBUG:  Deleting session for test, 132.238.3.162, 2895
>>>> Fri May 14 20:03:02 2010: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri May 14 20:03:02 2010: DEBUG: Reading users file ./users.alpha
>>>> Fri May 14 20:03:02 2010: DEBUG: Radius::AuthFILE looks for match with test [test]
>>>> Fri May 14 20:03:02 2010: DEBUG: Radius::AuthFILE ACCEPT: : test [test]
>>>> Fri May 14 20:03:02 2010: DEBUG: AuthBy FILE result: ACCEPT,
>>>> Fri May 14 20:03:02 2010: DEBUG: Access accepted for test
>>>> Fri May 14 20:03:02 2010: DEBUG: Packet dump:
>>>> *** Sending to 132.238.3.162 port 3920 ....
>>>> Code:       Access-Accept
>>>> Identifier: 60
>>>> Authentic:  <226><191><25><189>pJ{<238>4<155><188><1><179><18>A<
>>>> Attributes:
>>>>
>>>> Fri May 14 20:03:10 2010: DEBUG: Packet dump:
>>>> *** Received from 132.238.3.162 port 3945 ....
>>>> Code:       Access-Request
>>>> Identifier: 98
>>>> Authentic:  @B<215><195><202><136>aq<141><197><144><31><131><12><249><154>
>>>> Attributes:
>>>>   User-Name = "test at fdu.edu"
>>>>   User-Password = <17><134><222><212><30><16><185>FJu<210><223>EU<203><143>
>>>>   NAS-IP-Address = 132.238.3.162
>>>>   NAS-Identifier = "alpha"
>>>>   NAS-Port = 2920
>>>>   NAS-Port-Type = Virtual
>>>>   Service-Type = Authenticate-Only
>>>>   Calling-Station-Id = "rolemodel.fdu.edu"
>>>>
>>>> Fri May 14 20:03:10 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>> Fri May 14 20:03:10 2010: DEBUG:  Deleting session for test at fdu.edu, 132.238.3.162, 2920
>>>> Fri May 14 20:03:10 2010: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri May 14 20:03:10 2010: DEBUG: Radius::AuthFILE looks for match with test at fdu.edu [test at fdu.edu]
>>>> Fri May 14 20:03:10 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: test at fdu.edu [test at fdu.edu]
>>>> Fri May 14 20:03:10 2010: DEBUG: AuthBy FILE result: REJECT, Bad Password
>>>> Fri May 14 20:03:10 2010: INFO: Access rejected for test at fdu.edu: Bad Password
>>>> Fri May 14 20:03:10 2010: DEBUG: Packet dump:
>>>> *** Sending to 132.238.3.162 port 3945 ....
>>>> Code:       Access-Reject
>>>> Identifier: 98
>>>> Authentic:  @B<215><195><202><136>aq<141><197><144><31><131><12><249><154>
>>>> Attributes:
>>>>   Reply-Message = "Bad Password"
>>>>
>>>>
>>>> -Chris
>>>>
>>>
>>> NB: 
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
>>>
>>>  
>>>       
>   
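
An offline check of which password the PAM client actually put on the wire, as an added example (not code from this thread or from Radiator): it parses an Access-Request hex dump like those in the trace and reverses the RFC 2865 User-Password hiding with the shared secret. The dumps are constructed with fixed authenticators from the `mysecret` and `tuesday` values quoted in the thread, assuming the archive's "test at fdu.edu" stands for test@fdu.edu; all function names are illustrative.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute type numbers

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 hiding; used here only to build the constructed samples."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Undo the hiding, as the server does before comparing with its users file."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block  # the next key is derived from the previous ciphertext block
    return out.rstrip(b"\x00")

def parse_request(hex_dump):
    """Parse packet-dump hex bytes into (code, identifier, authenticator, attrs)."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20 or struct.unpack("!H", raw[2:4])[0] != len(raw):
        raise ValueError("truncated dump or wrong length field")
    attrs, pos, length = {}, 20, len(raw)
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(raw[pos], raw[pos + 2:pos + raw[pos + 1]])  # first instance wins
        pos += raw[pos + 1]
    return raw[0], raw[1], raw[4:20], attrs

def build_request(user, password, secret, auth, ident):
    """Constructed Access-Request (User-Name, User-Password only) as a hex string."""
    hidden = hide_password(password, secret, auth)
    body = bytes([USER_NAME, len(user) + 2]) + user + bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return (struct.pack("!BBH", 1, ident, 20 + len(body)) + auth + body).hex()

def sent_password(hex_dump, secret):
    """Return (User-Name, cleartext password) that the client put on the wire."""
    _, _, auth, attrs = parse_request(hex_dump)
    return attrs[USER_NAME], recover_password(attrs[USER_PASSWORD], secret, auth)

SECRET = b"mysecret"  # Secret from the <Client> clause quoted in the thread
DUMP_PLAIN = build_request(b"test", b"tuesday", SECRET, bytes(range(16)), 1)  # constructed
DUMP_REALM = build_request(b"test@fdu.edu", b"tuesday", SECRET, bytes(range(16, 32)), 2)  # constructed
```

Running `sent_password` on a real trace dump with the real shared secret shows whether the client sent the password that the users file expects or something else.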


