[RADIATOR] AuthByLDAP2 + AuthAttrDef and AuthByFILE

Kurt Bauer kurt.bauer at univie.ac.at
Fri Jan 20 06:48:14 CST 2012


Hello,

I wanted to use LDAP Attributes for further authentication according to
Section 5.38.16 Example 3 in the Radiator Reference manual (4.9).
Unfortunately it doesn't seem to work and the variable is not checked as
expected, if at all. It even seems to me the check item is evaluated
against the variable name and not the value.
Below are the cfg snippets and debug outputs with comments:

radius.cfg:
<AuthBy LDAP2>
    include         /etc/radiator/ldap.cfg
    Identifier      LDAP_local
    SearchFilter    (&(aconetService=radius)(uid=%1))
    AuthAttrDef     radiusGroupName,LDAPgroup,request
    AuthAttrDef     ipHostNumber, LDAPipHost, request
</AuthBy>

<AuthBy FILE>
    Identifier      FILE_IP_check
    Filename        /etc/radiator/IP_check.cfg
</AuthBy>

### End of AuthBy definitions ###

### Begin Authentication Handler ###

<Handler Client-Identifier=radius21>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        AuthBy       LDAP_local
        AuthBy       FILE_IP_check
    </AuthBy>
    <AuthLog FILE>
        Filename /var/log/radiator/radius21.log
        FailureFormat         %l: Access-Reject for %u (allowed LDAPipHost=%{LDAPipHost}, incoming request from %{NAS-IP-Address})
        SuccessFormat         %l: Access-Accept for %u (allowed LDAPipHost=%{LDAPipHost}, incoming request from %{NAS-IP-Address})
        LogSuccess            1
        LogFailure            1
    </AuthLog>
</Handler>

IP_check.cfg:
DEFAULT         NAS-IP-Address = %{LDAPipHost}
                Reply-Message = "var IP OK"

DEFAULT         NAS-IP-Address=193.171.16.223
                Reply-Message = "explicit IP OK"


DEFAULT         Auth-Type = Reject
                Reply-Message = "Please call the helpdesk."

AuthN request with a completely wrong NAS-IP:
radpwtst -s radius21.aco.net -secret xxx -dictionary /var/local/raddb/dictionary -auth_port 1812 -noacct -user ctac -password xxx

and the corresponding debug output:
Fri Jan 20 12:32:48 2012: DEBUG: Packet dump:
*** Received from 78.104.134.125 port 56934 ....
Code:       Access-Request
Identifier: 183
Authentic:  s<137><150><161>z<199><246>}rr"<145><233><228><190><136>
Attributes:
	User-Name = "ctac"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = ;<175><133><195>b~<173>h<27><142>Ch<20><203><169><10>

Fri Jan 20 12:32:48 2012: DEBUG: Handling request with Handler
'Client-Identifier=radius21', Identifier ''
Fri Jan 20 12:32:48 2012: DEBUG:  Deleting session for ctac,
203.63.154.1, 1234
Fri Jan 20 12:32:48 2012: DEBUG: Handling with Radius::AuthGROUP:
Fri Jan 20 12:32:48 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP_local
Fri Jan 20 12:32:48 2012: INFO: Connecting to ldap1.aco.net:389
Fri Jan 20 12:32:48 2012: INFO: Attempting to bind to LDAP server
ldap1.aco.net:389
Fri Jan 20 12:32:48 2012: DEBUG: LDAP got result for
cn=ctac,ou=aconet,ou=user,dc=aco,dc=net
Fri Jan 20 12:32:48 2012: DEBUG: LDAP got radiusGroupName: disabled
Fri Jan 20 12:32:48 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthLDAP2 looks for match with
ctac [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : ctac [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthGROUP: LDAP_local result:
ACCEPT,
Fri Jan 20 12:32:48 2012: DEBUG: Handling with Radius::AuthFILE:
FILE_IP_check
Fri Jan 20 12:32:48 2012: DEBUG: Reading users file
/etc/radiator/IP_check.cfg
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
ctac [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT: No such user:
ctac [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT: Check item
NAS-IP-Address expression '%{LDAPipHost}' does not match '203.63.154.1'
in request: DEFAULT [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT1 [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT: Check item
NAS-IP-Address expression '193.171.16.223' does not match '203.63.154.1'
in request: DEFAULT1 [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT2 [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject: DEFAULT2 [ctac]
Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthGROUP: FILE_IP_check
result: REJECT_IMMEDIATE, Rejected explicitly by Auth-Type=Reject
Fri Jan 20 12:32:48 2012: DEBUG: AuthBy GROUP result: REJECT_IMMEDIATE,
Rejected explicitly by Auth-Type=Reject
Fri Jan 20 12:32:48 2012: INFO: Access rejected for ctac: Rejected
explicitly by Auth-Type=Reject
Fri Jan 20 12:32:48 2012: DEBUG: Packet dump:
*** Sending to 78.104.134.125 port 56934 ....
Code:       Access-Reject
Identifier: 183
Authentic:  <155><17>^6<22>p<225><179>b<19>]C<153><237>;<12>
Attributes:
	Reply-Message = "Request Denied"

plus logline:
Fri Jan 20 12:32:48 2012: Access-Reject for ctac (allowed
LDAPipHost=193.171.16.222, incoming request from 203.63.154.1)


AuthN request with a NAS-IP which should match the variable (value derived
from LDAP):
radpwtst -s radius21.aco.net -secret xxx -dictionary /var/local/raddb/dictionary -auth_port 1812 -noacct -nas_ip_address 193.171.16.222 -user ctac -password

and the corresponding debug output:
Fri Jan 20 12:32:59 2012: DEBUG: Packet dump:
*** Received from 78.104.134.125 port 35138 ....
Code:       Access-Request
Identifier: 194
Authentic:  yN)\<133><239><190>7=<150>i#9<13>Ts
Attributes:
	User-Name = "ctac"
	Service-Type = Framed-User
	NAS-IP-Address = 193.171.16.222
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password =
<132><152><184><129><222><207><10>o<24><152><210>^<178><23><157><157>

Fri Jan 20 12:32:59 2012: DEBUG: Handling request with Handler
'Client-Identifier=radius21', Identifier ''
Fri Jan 20 12:32:59 2012: DEBUG:  Deleting session for ctac,
193.171.16.222, 1234
Fri Jan 20 12:32:59 2012: DEBUG: Handling with Radius::AuthGROUP:
Fri Jan 20 12:32:59 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP_local
Fri Jan 20 12:32:59 2012: INFO: Connecting to ldap1.aco.net:389
Fri Jan 20 12:32:59 2012: INFO: Attempting to bind to LDAP server
ldap1.aco.net:389
Fri Jan 20 12:32:59 2012: DEBUG: LDAP got result for
cn=ctac,ou=aconet,ou=user,dc=aco,dc=net
Fri Jan 20 12:32:59 2012: DEBUG: LDAP got radiusGroupName: disabled
Fri Jan 20 12:32:59 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthLDAP2 looks for match with
ctac [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : ctac [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthGROUP: LDAP_local result:
ACCEPT,
Fri Jan 20 12:32:59 2012: DEBUG: Handling with Radius::AuthFILE:
FILE_IP_check
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
ctac [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: No such user:
ctac [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: Check item
NAS-IP-Address expression '%{LDAPipHost}' does not match
'193.171.16.222' in request: DEFAULT [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT1 [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: Check item
NAS-IP-Address expression '193.171.16.223' does not match
'193.171.16.222' in request: DEFAULT1 [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT2 [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
Rejected explicitly by Auth-Type=Reject: DEFAULT2 [ctac]
Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthGROUP: FILE_IP_check
result: REJECT_IMMEDIATE, Rejected explicitly by Auth-Type=Reject
Fri Jan 20 12:32:59 2012: DEBUG: AuthBy GROUP result: REJECT_IMMEDIATE,
Rejected explicitly by Auth-Type=Reject
Fri Jan 20 12:32:59 2012: INFO: Access rejected for ctac: Rejected
explicitly by Auth-Type=Reject
Fri Jan 20 12:32:59 2012: DEBUG: Packet dump:
*** Sending to 78.104.134.125 port 35138 ....
Code:       Access-Reject
Identifier: 194
Authentic:  <242>!<185><9>;<5><246> <166><178><15>>r:<15><146>
Attributes:
	Reply-Message = "Request Denied"

plus logline:
Fri Jan 20 12:32:59 2012: Access-Reject for ctac (allowed
LDAPipHost=193.171.16.222, incoming request from 193.171.16.222)

AuthN request to prove the rest of the setup works when the check value is
'hardcoded' in the file:
radpwtst -s radius21.aco.net -secret xxx -dictionary /var/local/raddb/dictionary -auth_port 1812 -noacct -nas_ip_address 193.171.16.223 -user ctac -password xxx

and the corresponding debug output:
Fri Jan 20 12:33:05 2012: DEBUG: Packet dump:
*** Received from 78.104.134.125 port 41866 ....
Code:       Access-Request
Identifier: 200
Authentic:  <143><252><230><153><29><26><154><246><170><199>)<21>^uZN
Attributes:
	User-Name = "ctac"
	Service-Type = Framed-User
	NAS-IP-Address = 193.171.16.223
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = =<208><157><135>1b at X~B<234>U<3><131><130><26>

Fri Jan 20 12:33:05 2012: DEBUG: Handling request with Handler
'Client-Identifier=radius21', Identifier ''
Fri Jan 20 12:33:05 2012: DEBUG:  Deleting session for ctac,
193.171.16.223, 1234
Fri Jan 20 12:33:05 2012: DEBUG: Handling with Radius::AuthGROUP:
Fri Jan 20 12:33:05 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP_local
Fri Jan 20 12:33:05 2012: INFO: Connecting to ldap1.aco.net:389
Fri Jan 20 12:33:05 2012: INFO: Attempting to bind to LDAP server
ldap1.aco.net:389
Fri Jan 20 12:33:05 2012: DEBUG: LDAP got result for
cn=ctac,ou=aconet,ou=user,dc=aco,dc=net
Fri Jan 20 12:33:05 2012: DEBUG: LDAP got radiusGroupName: disabled
Fri Jan 20 12:33:05 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthLDAP2 looks for match with
ctac [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : ctac [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthGROUP: LDAP_local result:
ACCEPT,
Fri Jan 20 12:33:05 2012: DEBUG: Handling with Radius::AuthFILE:
FILE_IP_check
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE looks for match with
ctac [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE REJECT: No such user:
ctac [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE REJECT: Check item
NAS-IP-Address expression '%{LDAPipHost}' does not match
'193.171.16.223' in request: DEFAULT [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE looks for match with
DEFAULT1 [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT1 [ctac]
Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthGROUP: FILE_IP_check
result: ACCEPT,
Fri Jan 20 12:33:05 2012: DEBUG: AuthBy GROUP result: ACCEPT,
Fri Jan 20 12:33:05 2012: DEBUG: Access accepted for ctac
Fri Jan 20 12:33:05 2012: DEBUG: Packet dump:
*** Sending to 78.104.134.125 port 41866 ....
Code:       Access-Accept
Identifier: 200
Authentic:  D<222>="w<162><14><186><248><214><222>r<190><189>&<219>
Attributes:
	Reply-Message = "explicit IP OK"

plus logline:
Fri Jan 20 12:33:05 2012: Access-Accept for ctac (allowed
LDAPipHost=193.171.16.222, incoming request from 193.171.16.223)


I tried various things, even GlobalVar, but the check just doesn't seem
to be performed right by AuthBy FILE. Is this a documentation bug and it
isn't intended to work that way, or am I missing something in my configuration?

Thanks a lot for your help,
best regards,
Kurt


-- 
Kurt Bauer <kurt.bauer at univie.ac.at>
Vienna University Computer Center - ACOnet - VIX
Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe
Tel: ++43 1 4277 - 14070 (Fax: - 9140)  KB1970-RIPE
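The debug output above shows AuthBy FILE comparing the check value '%{LDAPipHost}' as a literal string against the NAS-IP-Address, so only the hardcoded entry can ever match. The following is an added model of that users-file lookup, not Radiator's own code: it parses the three DEFAULT entries from IP_check.cfg and evaluates them against a request that already carries the LDAPipHost pseudo-attribute, once literally (reproducing the rejects in the log) and once with a hypothetical %{Attr} expansion step (the behaviour the post expected). The function names and the expand_checks switch are assumptions of this model.

```python
import re
# Constructed users-file text with the same three DEFAULT entries as IP_check.cfg.
USERS_FILE = """\
DEFAULT         NAS-IP-Address = %{LDAPipHost}
                Reply-Message = "var IP OK"

DEFAULT         NAS-IP-Address=193.171.16.223
                Reply-Message = "explicit IP OK"

DEFAULT         Auth-Type = Reject
                Reply-Message = "Please call the helpdesk."
"""

ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|\S+)')  # Attr = value, quoted or bare
MACRO_RE = re.compile(r"%\{([\w-]+)\}")                 # %{Attr}

def parse_users_file(text):
    """Return [(check_items, reply_items), ...] in file order; line 1 holds the checks."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        _name, _, check_text = first.strip().partition(" ")
        checks = [(a, v.strip('"')) for a, v in ITEM_RE.findall(check_text)]
        replies = [(a, v.strip('"')) for ln in rest for a, v in ITEM_RE.findall(ln)]
        entries.append((checks, replies))
    return entries

def expand(value, request):
    """Replace each %{Attr} with that attribute's request value ('' if absent)."""
    return MACRO_RE.sub(lambda m: request.get(m.group(1), ""), value)

def authenticate(request, entries, expand_checks):
    """Walk the entries top to bottom like a users-file lookup.

    expand_checks=False compares the check value as a literal string (what the
    debug output shows); True is the expansion the poster expected (hypothetical).
    """
    for checks, replies in entries:
        reply = dict(replies).get("Reply-Message", "")
        if ("Auth-Type", "Reject") in checks:
            return "REJECT_IMMEDIATE", reply  # catch-all entry: fails closed
        wanted = {a: expand(v, request) if expand_checks else v for a, v in checks}
        if all(request.get(a) == v for a, v in wanted.items()):
            return "ACCEPT", reply
    return "REJECT", "No matching entry"

def request_from(nas_ip):
    """Request as it looks once AuthBy LDAP2 has added LDAPipHost via AuthAttrDef ... request."""
    return {"User-Name": "ctac", "NAS-IP-Address": nas_ip, "LDAPipHost": "193.171.16.222"}
```

Calling authenticate(request_from("193.171.16.222"), parse_users_file(USERS_FILE), False) yields the REJECT_IMMEDIATE from the second test above, while the same call with True accepts on the first entry; note that the literal comparison fails closed, so the misconfiguration denies access rather than granting it.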