[RADIATOR] check-items in chained authby queries

Linuxchuck linuxchuck at n-force.com
Thu Feb 3 18:52:18 CST 2011


With the "called with 2 bind variables when 0 are needed" errors showing, I believe the initial problem I was experiencing has been solved, and a new, unrelated one has cropped up in it's place.

Let me provide a full unabridged version of my config file to avoid further confusion.  I am using global variables, which are set at the top of an initial config file, and applied later in an included config file.  

The only user entry in the SUBSCRIBERS table of the database is for a user named "testuser" who is a member of NetworkAccess15, and has an CHECKATTR entry of "AuthType=AuthHOTP" 
The only client entry in the _radclientlist table of the database is for a testing switch with a defined secret of "switchsecret", and the appropriate network address.
The only token entry in the hotpkeys table of the database is set up (and validated to work) with a HOTP token assigned to the user "testuser"


Here are the unmodified evaluation config files -

*******************************************
switch.cfg:

Foreground
LogStdout
LogDir          .
DbDir           .
# User a lower trace level in production systems:
Trace           4

DefineFormattedGlobalVar        GRPLst  NetworkAccess5 NetworkAccess7 NetworkAccess10 NetworkAccess15 MTJ_NetworkAccess5
DefineFormattedGlobalVar        secret  switchsecret
AuthPort        1645
AcctPort        1646

include base.config

*******************************************
base.config:

<ClientListSQL>
        DBSource        dbi:mysql:radius
        DBUsername      mikem
        DBAuth          fred
        GetClientQuery  select NASIDENTIFIER,'%{GlobalVar:secret}',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,\
                        NULL,NULL,NULL,NULL,NULL,NULL,NULL,ADDTOREPLY from _radclientlist
</ClientListSQL>

<AuthBy GROUP>
        Identifier      AuthSQLUSR
        <AuthBy SQL>
                DBSource        dbi:mysql:radius
                DBUsername      mikem
                DBAuth          fred
                GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
                AuthSelect      select PASSWORD, 'GroupList=%{GlobalVar:GRPLst}', CHECKATTR from SUBSCRIBERS where USERNAME=%0
                AuthColumnDef   0, Class, request
                AuthColumnDef   1, GENERIC, check
                AuthColumnDef   2, GENERIC, check
        </AuthBy>
</AuthBy GROUP>

<AuthBy GROUP>
        Identifier              AuthHOTP
        <AuthBy SQLHOTP>
                DBSource        dbi:mysql:radius
                DBUsername      mikem
                DBAuth          fred
                ResyncWindow    50
        </AuthBy>
</AuthBy GROUP>

<AuthBy GROUP>
        Identifier              AuthDIGIP
        <AuthBy SQLDIGIPASS>
                DBSource        dbi:mysql:radius
                DBUsername      mikem
                DBAuth          fred
                AuthSelect      select DP_DATA, DIGIPASS from _tbl_vascodp where USER_ID=%0
                UpdateQuery     update _tbl_vascodp set DP_DATA='%0' where DIGIPASS='%1'
        </AuthBy>
</AuthBy GROUP>

<Realm DEFAULT>
        AuthBy AuthSQLUSR
</Realm>

*********************************************

Attempts to log onto the switch still result in errors as shown in the debug log below.

Thanks,
Chuck


On 02/03/2011 06:01 PM, Linuxchuck wrote:
> Michael,
> 
> Ok, I gave it a shot, and got some completely different results.  Thanks for the suggestion.  The order of check items is certainly taken into account, which I should have thought of.  However, the error I am receiving is a little strange.  All I have done is changed the order of the two check items.  Now I am getting an error that looks to be more of a Perl error than a Radiator error.
> 
> Here is the debug log:
> 
> Thu Feb  3 17:45:45 2011: DEBUG: Packet dump:
> *** Received from 192.168.xxx.xxx port 1645 ....
> Code:       Access-Request
> Identifier: 47
> Authentic:  ****************************************
> Attributes:
>         User-Name = "testuser"
>         User-Password = ******************************************
>         NAS-Port = 1
>         NAS-Port-Id = "tty1"
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = "192.168.yyy.yyy"
>         NAS-IP-Address = 192.168.xxx.xxx
> 
> Thu Feb  3 17:45:45 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Thu Feb  3 17:45:45 2011: DEBUG:  Deleting session for testuser, 192.168.xxx.xxx, 1
> Thu Feb  3 17:45:45 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQLUSR
> Thu Feb  3 17:45:45 2011: DEBUG: Handling with Radius::AuthSQL:
> Thu Feb  3 17:45:45 2011: DEBUG: Handling with Radius::AuthSQL:
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'select PASSWORD, 'GroupList="group1 group2 group3 group4 group5"', 'AuthType=AuthHOTP' from SUBSCRIBERS where USERNAME='testuser'':
> Thu Feb  3 17:45:45 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group1'': testuser group1
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group1'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group1'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group2'': testuser group2
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group2'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group2'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group3'': testuser group3
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group3'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group3'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group4'': testuser group4
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group4'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group4'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group5'': testuser group5
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group5'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group5'': called with 2 bind variables when 0 are needed
> Thu Feb  3 17:45:45 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
> Thu Feb  3 17:45:45 2011: DEBUG: Query is: 'select PASSWORD, 'GroupList="group1 group2 group3 group4 group5"', 'AuthType=AuthHOTP' from SUBSCRIBERS where USERNAME='DEFAULT'':
> Thu Feb  3 17:45:45 2011: DEBUG: Radius::AuthGROUP:AuthSQLUSR  result: REJECT, User testuser is not in any group in GroupList
> Thu Feb  3 17:45:45 2011: DEBUG: AuthBy GROUP result: REJECT, User testuser is not in any group in GroupList
> Thu Feb  3 17:45:45 2011: INFO: Access rejected for testuser: User testuser is not in any group in GroupList
> 
> 
> If I cut-and-paste the query from the debug logs into a database query, it returns "group1" as the sole result, indicating that testuser is indeed a member.  However, it appears that Radiator does not agree.
> 
> Any further thoughts?  I appear to be getting closer to my goals, and appreciate your input.
> 
> Chuck
> 
> 
> On 02/03/2011 04:58 PM, Michael wrote:
>> ah ok, i see.  the  AuthSQL specifies "Auth-Type=AuthHOTP". Never done this type of setup before, but maybe the 'Auth-Type=AuthHOTP' in the sql query should be after the 'GroupList="Group1 Group2 Group3"??  Again, not sure, but I would think the 'check' is done in order.  it sounds like you want to do the group list check first before checking the AuthHOTP. I don't see any config in the AuthHOTP section though.
>>
>> Sorry, I'm reaching/guessing a little.
>>
>>
>> Michael
>>
>>
>> On 11-02-03 03:11 PM, Linuxchuck wrote:
>>> Hi Michael, Thanks for the response.
>>>
>>> Actually, it does hit the AuthHOTP section.  I should have put a little more emphasis on the fact that there is an "AuthType=AuthHOTP" for the user when it is looked up in the database.  I did mention that, but it was kind of jammed into the beginning, and was probably easy to miss.
>>>
>>> Here is the "slightly sanitized" debug output indicating AuthHOTP was indeed used:
>>>
>>> Thu Feb  3 13:54:57 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
>>> Thu Feb  3 13:54:57 2011: DEBUG:  Deleting session for testuser, 192.168.xxx.xxx, 1
>>> Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQL
>>> Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Thu Feb  3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, 'AuthType=AuthHOTP', 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='testuser'':
>>> Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
>>> Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthHOTP
>>> Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQLHOTP:
>>> Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP looks for match with testuser [testuser]
>>> Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP REJECT: User testuser is not in any group in GroupList: testuser [testuser]
>>> Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthHOTP  result: REJECT, User testuser is not in any group in GroupList
>>> Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
>>> Thu Feb  3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, 'AuthType=AuthHOTP', 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='DEFAULT'':
>>> Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthSQLUSR  result: REJECT, User testuser is not in any group in GroupList
>>> Thu Feb  3 13:54:57 2011: DEBUG: AuthBy GROUP result: REJECT, User testuser is not in any group in GroupList
>>> Thu Feb  3 13:54:57 2011: INFO: Access rejected for testuser: User testuser is not in any group in GroupList
>>>
>>> Thanks!
>>>
>>> On 02/03/2011 01:43 PM, Michael wrote:
>>>>
>>>> your "AuthBy GROUP AuthSQL" will not flow down into  the "AuthBy GROUP AuthHOTP".  I don't think the AuthHOTP will be used at all in this config.
>>>>
>>>> Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
>>>>> <AuthBy GROUP>
>>>>>           Identifier      AuthSQL
>>>>>           AuthByPolicy    ContinueWhileAccept
>>>>>           <AuthBy SQL>
>>>>>                   GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>>>>                   AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>>>>                   AuthColumnDef   0, Class, request
>>>>>                   AuthColumnDef   1, GENERIC, check
>>>>>                   AuthColumnDef   2, GENERIC, check
>>>>>           </AuthBy>
>>>>
>>>> # now call the AuthHOTP
>>>>      AuthBy AuthHOTP
>>>>
>>>>> </AuthBy GROUP>
>>>>
>>>>
>>>> Michael
>>>>
>>>>
>>>> On 11-02-03 02:34 PM, Linuxchuck wrote:
>>>>> Hello again,
>>>>>
>>>>> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided.  If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>>>>>
>>>>> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups.  I would like for the group check to occur prior to the HOTP check.
>>>>>
>>>>> Here is my config layout so far:
>>>>>
>>>>> FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>>>>>
>>>>> <AuthBy GROUP>
>>>>>           Identifier      AuthSQL
>>>>>           AuthByPolicy    ContinueWhileAccept
>>>>>           <AuthBy SQL>
>>>>>                   GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>>>>                   AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>>>>                   AuthColumnDef   0, Class, request
>>>>>                   AuthColumnDef   1, GENERIC, check
>>>>>                   AuthColumnDef   2, GENERIC, check
>>>>>           </AuthBy>
>>>>> </AuthBy GROUP>
>>>>>
>>>>> <AuthBy GROUP>
>>>>>           Identifier              AuthHOTP
>>>>>           <AuthBy SQLHOTP>
>>>>>                   ...
>>>>>           </AuthBy>
>>>>> </AuthBy GROUP>
>>>>>
>>>>> <Realm DEFAULT>
>>>>>           AuthBy AuthSQL
>>>>> </Realm>
>>>>>
>>>>> I don't see any evidence that the Authby SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>>>>>
>>>>> Is there a way to accomplish what I'm after?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Chuck
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>>>>
>>>
>>>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


More information about the radiator mailing list