[RADIATOR] Strange username in radiator logs
Heikki Vatiainen
hvn at open.com.au
Tue Apr 17 02:18:10 CDT 2012
On 04/17/2012 09:47 AM, Arya, Manish Kumar wrote:
> We have configured ALU devices to authenticate against the Radiator
> server. I have added the vendor dictionary to the config and created the client list,
> but I see a mangled username in the RADIUS logs. Not sure why this is
> happening. Here is a snapshot of my config:
Please reply with your full configuration (no secrets or passwords
needed) and full log from Radiator including any startup messages. Also
include the vendor dictionary.
If the dictionary has been added correctly, then the NAS (ALU device?)
is doing something odd.
Heikki
> # ALU MSP Auth
> <AuthBy LDAP2>
> NoDefault
> Identifier alu_msp_user_auth
> Host 10.5.1.29
> Port 2389
> Timeout 60
> AuthDN uid=radius,ou=appusers,dc=xxxx,dc=net
> AuthPassword xxxxx
> BaseDN o=colt,ou=customers,dc=xxxx,dc=net
> Scope subtree
> SearchFilter (&(colt-access-device-type=alumsp)(uid=%1))
> UsernameAttr uid
> PasswordAttr userPassword
> ServerChecksPassword
> AuthAttrDef userPassword,User-Password,check
> AuthAttrDef radius-Callback-Id,Callback-Id,reply
> AuthAttrDef radius-sam-sec-grp-name,Sam-security-group-name,reply
> AuthAttrDef radius-Timetra-Access,Timetra-Access,reply
> AuthAttrDef radius-Timetra-Home-Directory,Timetra-Home-Directory,reply
> AuthAttrDef radius-Timetra-Restrict-To-Home,Timetra-Restrict-To-Home,reply
> AuthAttrDef radius-Timetra-Profile,Timetra-Profile,reply
> AuthAttrDef radius-Timetra-Default-Action,Timetra-Default-Action,reply
> AuthAttrDef radius-Timetra-Cmd,Timetra-Cmd,reply
> AuthAttrDef radius-Timetra-Action,Timetra-Action,reply
> AuthAttrDef radius-Timetra-Exec-File,Timetra-Exec-File,reply
> AddToReplyIfNotExist Service-Type=Login-User
> </AuthBy>
>
> # Handler for ALU MSP
> <Handler Realm = alumsp.srv>
> AuthLog auth_log
> RewriteUsername s/^([^@]+).*/$1/
> AuthBy alu_msp_user_auth
> </Handler>
>
> Here is what I see in the logs when a login request is originated for
> abc@alumsp.srv:
>
> *** Received from 10.174.1.1 port 50118 ....
> Code: Access-Request
> Identifier: 242
> Authentic: r<255>*<27>7<230>y1<23>Z<17>cxI9<170>
> Attributes:
> User-Name = "p1z1x2c7s9y9b0o8<240>"
> User-Password =
> "<219>w0[<153><175><235><216><192><151>G<26>`<224><16>|<180>W<136><203><174><179>LJ<151>d<251><20><159><5><222><9>"
> NAS-IP-Address = 10.174.1.1
>
> Tue Apr 17 07:44:31 2012: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Apr 17 07:44:31 2012: DEBUG: SESSDBSQL Deleting session for
> P1Z1X2C7S9Y9B0O8ð, 10.174.1.1,
> Tue Apr 17 07:44:31 2012: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='10.174.1.1' and NASPORT=0':
> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: PreAuthHook called...
> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Access code: Access-Request
> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Proceeding...
> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: Got User-Name:
> p1z1x2c7s9y9b0o8ð and Realm: p1z1x2c7s9y9b0o8ð
> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: Couldn't connect to LDAP
> 127.0.0.1: IO::Socket::INET: connect: Connection refused
> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: Trying LDAP 10.5.1.29...
> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Attempting to bind to LDAP
> server
> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: ldapsearch with base
> ou=customers,dc=xxx,dc=net
> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: No service found with
> realm/domain p1z1x2c7s9y9b0o8ð
> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Adding to Access-Request
> -> Pre-Auth: 0
> Tue Apr 17 07:44:31 2012: DEBUG: Handling with Radius::AuthLDAP2: user_auth
> Tue Apr 17 07:44:31 2012: ERR: ldap search for (uid=p1z1x2c7s9y9b0o8ð)
> failed with error LDAP_NO_SUCH_OBJECT.
> Tue Apr 17 07:44:31 2012: DEBUG: Radius::AuthLDAP2 looks for match with
> p1z1x2c7s9y9b0o8ð [P1Z1X2C7S9Y9B0O8ð]
> Tue Apr 17 07:44:31 2012: DEBUG: Radius::AuthLDAP2 REJECT: No such user:
> p1z1x2c7s9y9b0o8ð [P1Z1X2C7S9Y9B0O8ð]
> Tue Apr 17 07:44:31 2012: DEBUG: AuthBy LDAP2 result: REJECT, No such user
> Tue Apr 17 07:44:31 2012: INFO: Access rejected for p1z1x2c7s9y9b0o8ð:
> No such user
> Tue Apr 17 07:44:31 2012: DEBUG: Packet dump:
> *** Sending to 10.174.1.1 port 50118 ....
> Code: Access-Reject
> Identifier: 242
> Authentic: <28>X<161>IZ-<144>s1<214><145><147><230>N<223>+
> Attributes:
> Reply-Message = "No such user"
>
> Regards,
> -Manish
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
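To turn the quoted packet dump into a quick check, here is an added Python example (not Radiator code and not from the thread): it decodes Radiator's `<NNN>` byte notation, flags non-printable bytes in User-Name, and models the Handler Realm selection and the RewriteUsername rule from the quoted config. Splitting the realm on the last `@` and decoding bytes one-to-one as latin-1 are my simplifications.

```python
import re

# Constructed from the packet dump quoted in the thread: Radiator prints
# non-printable bytes in attribute values as <decimal>.
DUMP_USER_NAME = 'p1z1x2c7s9y9b0o8<240>'

# Realm of the Handler and the RewriteUsername rule from the quoted config.
HANDLER_REALM = 'alumsp.srv'
REWRITE_PATTERN = re.compile(r'^([^@]+).*')
REWRITE_REPLACEMENT = r'\1'

def decode_dump_string(dump: str) -> bytes:
    """Turn Radiator's <NNN> escapes back into the raw attribute bytes."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r'<(\d{1,3})>', dump):
        out += dump[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1)))
        pos = m.end()
    out += dump[pos:].encode('latin-1')
    return bytes(out)

def non_printable(raw: bytes) -> list:
    """Byte values outside printable ASCII; a sane User-Name should have none."""
    return [b for b in raw if b < 0x20 or b > 0x7e]

def realm_of(user_name: str) -> str:
    """Assumption: the realm is the text after the last '@', '' when absent."""
    return user_name.rsplit('@', 1)[1] if '@' in user_name else ''

def select_handler(user_name: str) -> str:
    """Model of Handler selection: the Realm Handler only fires on an exact
    realm match; anything else falls to the catch-all Handler '' seen in the log."""
    return HANDLER_REALM if realm_of(user_name) == HANDLER_REALM else ''

def rewrite_username(user_name: str) -> str:
    """Apply RewriteUsername s/^([^@]+).*/$1/ from the alumsp.srv Handler."""
    return REWRITE_PATTERN.sub(REWRITE_REPLACEMENT, user_name)

def triage(dump_name: str) -> dict:
    raw = decode_dump_string(dump_name)
    # latin-1 keeps one char per byte, so 0xF0 is the 'ð' seen in the log lines.
    name = raw.decode('latin-1')
    return {'raw': raw, 'non_printable': non_printable(raw),
            'handler': select_handler(name), 'rewritten': rewrite_username(name)}
```

For the quoted User-Name the model reports a non-printable byte 0xF0, no realm, and therefore the default Handler '', which matches the "Handling request with Handler ''" line in the log.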