[RADIATOR] check-items in chained authby queries
Linuxchuck
linuxchuck at n-force.com
Thu Feb 3 18:52:18 CST 2011
With the "called with 2 bind variables when 0 are needed" errors showing, I believe the initial problem I was experiencing has been solved, and a new, unrelated one has cropped up in it's place.
Let me provide a full unabridged version of my config file to avoid further confusion. I am using global variables, which are set at the top of an initial config file, and applied later in an included config file.
The only user entry in the SUBSCRIBERS table of the database is for a user named "testuser" who is a member of NetworkAccess15, and has an CHECKATTR entry of "AuthType=AuthHOTP"
The only client entry in the _radclientlist table of the database is for a testing switch with a defined secret of "switchsecret", and the appropriate network address.
The only token entry in the hotpkeys table of the database is set up (and validated to work) with a HOTP token assigned to the user "testuser"
Here are the unmodified evaluation config files -
*******************************************
switch.cfg:
Foreground
LogStdout
LogDir .
DbDir .
# User a lower trace level in production systems:
Trace 4
DefineFormattedGlobalVar GRPLst NetworkAccess5 NetworkAccess7 NetworkAccess10 NetworkAccess15 MTJ_NetworkAccess5
DefineFormattedGlobalVar secret switchsecret
AuthPort 1645
AcctPort 1646
include base.config
*******************************************
base.config:
<ClientListSQL>
DBSource dbi:mysql:radius
DBUsername mikem
DBAuth fred
GetClientQuery select NASIDENTIFIER,'%{GlobalVar:secret}',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,\
NULL,NULL,NULL,NULL,NULL,NULL,NULL,ADDTOREPLY from _radclientlist
</ClientListSQL>
<AuthBy GROUP>
Identifier AuthSQLUSR
<AuthBy SQL>
DBSource dbi:mysql:radius
DBUsername mikem
DBAuth fred
GroupMembershipQuery SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
AuthSelect select PASSWORD, 'GroupList=%{GlobalVar:GRPLst}', CHECKATTR from SUBSCRIBERS where USERNAME=%0
AuthColumnDef 0, Class, request
AuthColumnDef 1, GENERIC, check
AuthColumnDef 2, GENERIC, check
</AuthBy>
</AuthBy GROUP>
<AuthBy GROUP>
Identifier AuthHOTP
<AuthBy SQLHOTP>
DBSource dbi:mysql:radius
DBUsername mikem
DBAuth fred
ResyncWindow 50
</AuthBy>
</AuthBy GROUP>
<AuthBy GROUP>
Identifier AuthDIGIP
<AuthBy SQLDIGIPASS>
DBSource dbi:mysql:radius
DBUsername mikem
DBAuth fred
AuthSelect select DP_DATA, DIGIPASS from _tbl_vascodp where USER_ID=%0
UpdateQuery update _tbl_vascodp set DP_DATA='%0' where DIGIPASS='%1'
</AuthBy>
</AuthBy GROUP>
<Realm DEFAULT>
AuthBy AuthSQLUSR
</Realm>
*********************************************
Attempts to log onto the switch still result in errors as shown in the debug log below.
Thanks,
Chuck
On 02/03/2011 06:01 PM, Linuxchuck wrote:
> Michael,
>
> Ok, I gave it a shot, and got some completely different results. Thanks for the suggestion. The order of check items is certainly taken into account, which I should have thought of. However, the error I am receiving is a little strange. All I have done is changed the order of the two check items. Now I am getting an error that looks to be more of a Perl error than a Radiator error.
>
> Here is the debug log:
>
> Thu Feb 3 17:45:45 2011: DEBUG: Packet dump:
> *** Received from 192.168.xxx.xxx port 1645 ....
> Code: Access-Request
> Identifier: 47
> Authentic: ****************************************
> Attributes:
> User-Name = "testuser"
> User-Password = ******************************************
> NAS-Port = 1
> NAS-Port-Id = "tty1"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.yyy.yyy"
> NAS-IP-Address = 192.168.xxx.xxx
>
> Thu Feb 3 17:45:45 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Thu Feb 3 17:45:45 2011: DEBUG: Deleting session for testuser, 192.168.xxx.xxx, 1
> Thu Feb 3 17:45:45 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQLUSR
> Thu Feb 3 17:45:45 2011: DEBUG: Handling with Radius::AuthSQL:
> Thu Feb 3 17:45:45 2011: DEBUG: Handling with Radius::AuthSQL:
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'select PASSWORD, 'GroupList="group1 group2 group3 group4 group5"', 'AuthType=AuthHOTP' from SUBSCRIBERS where USERNAME='testuser'':
> Thu Feb 3 17:45:45 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group1'': testuser group1
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group1'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group1'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group2'': testuser group2
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group2'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group2'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group3'': testuser group3
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group3'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group3'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group4'': testuser group4
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group4'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group4'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group5'': testuser group5
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group5'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: ERR: Execute failed for 'SELECT groupname FROM v_usergroups WHERE username='testuser' AND groupname='group5'': called with 2 bind variables when 0 are needed
> Thu Feb 3 17:45:45 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
> Thu Feb 3 17:45:45 2011: DEBUG: Query is: 'select PASSWORD, 'GroupList="group1 group2 group3 group4 group5"', 'AuthType=AuthHOTP' from SUBSCRIBERS where USERNAME='DEFAULT'':
> Thu Feb 3 17:45:45 2011: DEBUG: Radius::AuthGROUP:AuthSQLUSR result: REJECT, User testuser is not in any group in GroupList
> Thu Feb 3 17:45:45 2011: DEBUG: AuthBy GROUP result: REJECT, User testuser is not in any group in GroupList
> Thu Feb 3 17:45:45 2011: INFO: Access rejected for testuser: User testuser is not in any group in GroupList
>
>
> If I cut-and-paste the query from the debug logs into a database query, it returns "group1" as the sole result, indicating that testuser is indeed a member. However, it appears that Radiator does not agree.
>
> Any further thoughts? I appear to be getting closer to my goals, and appreciate your input.
>
> Chuck
>
>
> On 02/03/2011 04:58 PM, Michael wrote:
>> ah ok, i see. the AuthSQL specifies "Auth-Type=AuthHOTP". Never done this type of setup before, but maybe the 'Auth-Type=AuthHOTP' in the sql query should be after the 'GroupList="Group1 Group2 Group3"?? Again, not sure, but I would think the 'check' is done in order. it sounds like you want to do the group list check first before checking the AuthHOTP. I don't see any config in the AuthHOTP section though.
>>
>> Sorry, I'm reaching/guessing a little.
>>
>>
>> Michael
>>
>>
>> On 11-02-03 03:11 PM, Linuxchuck wrote:
>>> Hi Michael, Thanks for the response.
>>>
>>> Actually, it does hit the AuthHOTP section. I should have put a little more emphasis on the fact that there is an "AuthType=AuthHOTP" for the user when it is looked up in the database. I did mention that, but it was kind of jammed into the beginning, and was probably easy to miss.
>>>
>>> Here is the "slightly sanitized" debug output indicating AuthHOTP was indeed used:
>>>
>>> Thu Feb 3 13:54:57 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
>>> Thu Feb 3 13:54:57 2011: DEBUG: Deleting session for testuser, 192.168.xxx.xxx, 1
>>> Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQL
>>> Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Thu Feb 3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, 'AuthType=AuthHOTP', 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='testuser'':
>>> Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
>>> Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthHOTP
>>> Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQLHOTP:
>>> Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP looks for match with testuser [testuser]
>>> Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
>>> Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP REJECT: User testuser is not in any group in GroupList: testuser [testuser]
>>> Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthHOTP result: REJECT, User testuser is not in any group in GroupList
>>> Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
>>> Thu Feb 3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, 'AuthType=AuthHOTP', 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='DEFAULT'':
>>> Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthSQLUSR result: REJECT, User testuser is not in any group in GroupList
>>> Thu Feb 3 13:54:57 2011: DEBUG: AuthBy GROUP result: REJECT, User testuser is not in any group in GroupList
>>> Thu Feb 3 13:54:57 2011: INFO: Access rejected for testuser: User testuser is not in any group in GroupList
>>>
>>> Thanks!
>>>
>>> On 02/03/2011 01:43 PM, Michael wrote:
>>>>
>>>> your "AuthBy GROUP AuthSQL" will not flow down into the "AuthBy GROUP AuthHOTP". I don't think the AuthHOTP will be used at all in this config.
>>>>
>>>> Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
>>>>> <AuthBy GROUP>
>>>>> Identifier AuthSQL
>>>>> AuthByPolicy ContinueWhileAccept
>>>>> <AuthBy SQL>
>>>>> GroupMembershipQuery SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>>>> AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>>>> AuthColumnDef 0, Class, request
>>>>> AuthColumnDef 1, GENERIC, check
>>>>> AuthColumnDef 2, GENERIC, check
>>>>> </AuthBy>
>>>>
>>>> # now call the AuthHOTP
>>>> AuthBy AuthHOTP
>>>>
>>>>> </AuthBy GROUP>
>>>>
>>>>
>>>> Michael
>>>>
>>>>
>>>> On 11-02-03 02:34 PM, Linuxchuck wrote:
>>>>> Hello again,
>>>>>
>>>>> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided. If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>>>>>
>>>>> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups. I would like for the group check to occur prior to the HOTP check.
>>>>>
>>>>> Here is my config layout so far:
>>>>>
>>>>> FYI: The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>>>>>
>>>>> <AuthBy GROUP>
>>>>> Identifier AuthSQL
>>>>> AuthByPolicy ContinueWhileAccept
>>>>> <AuthBy SQL>
>>>>> GroupMembershipQuery SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>>>> AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>>>> AuthColumnDef 0, Class, request
>>>>> AuthColumnDef 1, GENERIC, check
>>>>> AuthColumnDef 2, GENERIC, check
>>>>> </AuthBy>
>>>>> </AuthBy GROUP>
>>>>>
>>>>> <AuthBy GROUP>
>>>>> Identifier AuthHOTP
>>>>> <AuthBy SQLHOTP>
>>>>> ...
>>>>> </AuthBy>
>>>>> </AuthBy GROUP>
>>>>>
>>>>> <Realm DEFAULT>
>>>>> AuthBy AuthSQL
>>>>> </Realm>
>>>>>
>>>>> I don't see any evidence that the Authby SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>>>>>
>>>>> Is there a way to accomplish what I'm after?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Chuck
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>>>>
>>>
>>>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
More information about the radiator
mailing list