[RADIATOR] Problem with pam_radius

Christian Kratzer ck-lists at cksoft.de
Wed Mar 30 06:39:23 CDT 2011


Hi,

On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:

> Hi,
>
> My SQL connection is OK; for other reasons the connection between the SQL server and Radiator is not being used for 20 seconds, so the SQL server drops it.
>
> On the other hand, I have stated before that the secret is not the problem; the config of the secret at radius:

let me summarize:

1. The password in a radius request from pam_radius shows up garbled
     in the trace 4 log of your radius server.

2. The password in a radius request from radpwtst on the same server
     as above gets through fine in the trace 4 log of your radius server.

That means you have no problem in your radiator config and there is
nothing to fix on the radius server.

You need to look into why pam_radius is incorrectly encrypting the
password.  This is most certainly a secret issue.  Search for the
problem on the pam_radius side.

As a next step you might want to use tcpdump to capture the radius requests
from pam_radius and from radpwtst and compare them in wireshark.

You can have wireshark decode udp/1940 traffic as radius and you can
specify your specific secret so wireshark can decode the password.

This will allow you to verify if pam_radius is doing what it is supposed to.

Greetings
Christian



>
> <Client 10.0.124.53>
>        Secret laboratorio
>        Identifier BBDD_Labo
> </Client>
>
> The config at the server:
>
> 10.0.124.52:1940 laboratorio
>
>
> They are the same, and the password is correctly configured at the database, because I can test it from the radpwtst utility and it is OK. The config of the AuthBy SQL:
>
> <AuthBy SQL>
>        Identifier SERVERS
>        DBSource dbi:mysql:auth_oss:127.0.0.1:3306
>        DBUsername  root
>        DBAuth root
>        NoDefault
>        NoDefaultIfFound
>        Timeout 10
>        FailureBackoffTime 20
>        AuthSelect SELECT password FROM usuarios WHERE username='%{User-Name}'
>        AuthColumnDef 0, Password, check
>        AccountingTable
> </AuthBy>
>
>
>
>
> The radpwtst command is being sent from the server I'm also trying to connect to using pam_radius, and that is not the radius server.
>
> Any ideas?
>
> -----Original Message-----
> From: Christian Kratzer [mailto:ck-lists at cksoft.de]
> Sent: Wednesday, 30 March 2011 9:23
> To: Francisco Rodrigo Cortinas Maseda
> CC: radiator at open.com.au
> Subject: Re: [RADIATOR] Problem with pam_radius
>
> Hi,
>
> On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:
> <snipp/>
>> Tue Mar 22 09:19:00 2011: DEBUG: Handling request with Handler 'NAS-Identifier="sshd"'
>> Tue Mar 22 09:19:00 2011: DEBUG:  Deleting session for frcm, 127.0.0.1, 26576
>> Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* uVf<204><1>w<227>-<190>V..<15>
>> Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL
>> Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL: SERVERS
>> Tue Mar 22 09:19:00 2011: DEBUG: Query is: 'SELECT password FROM usuarios WHERE username='frcm'':
>> Tue Mar 22 09:19:00 2011: ERR: Execute failed for 'SELECT password FROM usuarios WHERE username='frcm'': Lost connection to MySQL server during query
>
> you have a problem with the connection to your sql server.
>
>
>> Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL looks for match with frcm [frcm]
>> Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* uVf<204><1>w<227>-<190>V..<15>
>
> this still looks a lot like a mismatched secret.
>
>> Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL REJECT: Bad Password: frcm [frcm]
>> Tue Mar 22 09:19:00 2011: DEBUG: AuthBy SQL result: REJECT, Bad Password
>> Tue Mar 22 09:19:00 2011: INFO: Access rejected for frcm: Bad Password
>> Tue Mar 22 09:19:00 2011: DEBUG: Packet dump:
>> *** Sending to 10.0.124.53 port 27601 ....
>> Code:       Access-Reject
>> Identifier: 108
>> Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
>> Attributes:
>>        Called-Station-Id = "<198>* uVf<204><1>w<227>-<190>V..<15>"
>>        Reply-Message = "Bad Password"
>>
>> If I use the radpwtst utility on the server where I am trying to authenticate from using pam_radius, the password is correctly decoded and shows up correctly in the trace 4.
>
> your secret is ok for the Client from 127.0.0.1 but mismatched for the Client clause that the server with pam_radius is using.
>
> Greetings
> Christian
>
> --
> Christian Kratzer                      CK Software GmbH
> Email:   ck at cksoft.de                  Wildberger Weg 24/2
> Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
> Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
> Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
>
> Before printing this e-mail, think carefully about whether it is necessary.
>
>
> --------------------------------------------------------------------------------
>
>
> This message is private and CONFIDENTIAL and it is intended exclusively for its addressee. If you receive this message in error, you should not disclose, copy, distribute this e-mail or use it in any other way. Please inform the sender and delete the message and attachments from your system.Internet e-mail neither guarantees the confidentiality nor the integrity or proper receipt of the messages sent. JAZZTEL does not assume any liability for those circumstances. If the addressee of this message does not consent to the use of Internet e-mail and message recording, please notify us immediately.Any views or opinions contained in this message are solely those of the author, and do not necessarily represent those of JAZZTEL, unless otherwise specifically stated and the sender is authorised to do so.
>
>
> --------------------------------------------------------------------------------
>

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer

