[RADIATOR] Radiator: Request Denied , AuthBy RADMIN result: REJECT, Check item User-Name expression '' does not match 'test101' in request

Scott scottshaw at 163.com
Tue Jun 12 22:53:47 CDT 2012


hi team, I am testing radiator with radmin with MS SQL server on windows platform. I use default cfg file without issue. but when I use this config file below to test with new created users on radmin, it's always rejected, any advice please?
thanks.Scott

error on client
C:\Perl\bin>perl radpwtst -user test101 -password P at ssw0rd123 -nostop
sending Access-Request...
Rejected: Request Denied
sending Accounting-Request Start...
OK
 
debug:
 
C:\Program Files\Radiator>perl \perl\bin\radiusd -config radius-con1.cfg -foregr
ound
Wed Jun 13 11:46:08 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
Wed Jun 13 11:46:08 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:7777
Wed Jun 13 11:46:08 2012: DEBUG: Finished reading configuration file 'radius-con
1.cfg'
Wed Jun 13 11:46:08 2012: DEBUG: Reading dictionary file 'c:/Program Files/Radia
tor/dictionary'
Wed Jun 13 11:46:08 2012: DEBUG: Creating authentication port 0.0.0.0:1645
Wed Jun 13 11:46:08 2012: DEBUG: Creating accounting port 0.0.0.0:1646
Wed Jun 13 11:46:08 2012: NOTICE: Server started: Radiator 4.2 on radiatorvm
Wed Jun 13 11:46:11 2012: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2744 ....
Code:       Access-Request
Identifier: 56
Authentic:  <204><223><19><249><241><254><164><186><137><247>mL<230><0><216><203
>
Attributes:
        User-Name = "test101"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = X<179><177><246><176>c<221><228><207>^<249><134>\<134>},

Wed Jun 13 11:46:11 2012: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jun 13 11:46:11 2012: DEBUG: UH-RADIUS Deleting session for test101, 203.63.
154.1, 1234
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'delete from RADONLINE where NASID
ENTIFIER='203.63.154.1' and ACCTSESSIONID=NULL':
Wed Jun 13 11:46:12 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Jun 13 11:46:12 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIM
ELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where
 USERNAME='test101'':
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, S
VALUE, ITEM_TYPE from RADSTCONFIG where NAME='1' order by ITEM_TYPE':
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, S
VALUE, ITEM_TYPE from RADCONFIG where NAME='test101' order by ITEM_TYPE':
Wed Jun 13 11:46:12 2012: DEBUG: Radius::AuthRADMIN looks for match with test101
 [test101]
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTS
ESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='test101'':
Wed Jun 13 11:46:12 2012: DEBUG: ValidFrom date converted to: 1339559086
Wed Jun 13 11:46:12 2012: DEBUG: Expiration date converted to: 1371052800
Wed Jun 13 11:46:12 2012: DEBUG: Radius::AuthRADMIN REJECT: Check item User-Name
 expression '' does not match 'test101' in request: test101 [test101]
Wed Jun 13 11:46:12 2012: DEBUG: AuthBy RADMIN result: REJECT, Check item User-N
ame expression '' does not match 'test101' in request
Wed Jun 13 11:46:12 2012: INFO: Access rejected for test101: Check item User-Nam
e expression '' does not match 'test101' in request
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAM
P, USERNAME, TYPE, REASON) values (1339559172, 'test101', 0, 'Check item User-Na
me expression '''' does not match ''test101'' in request')':
Wed Jun 13 11:46:12 2012: ERR: do failed for 'insert into RADAUTHLOG (TIME_STAMP
, USERNAME, TYPE, REASON) values (1339559172, 'test101', 0, 'Check item User-Nam
e expression '''' does not match ''test101'' in request')': [Microsoft][ODBC SQL
 Server Driver][SQL Server]String or binary data would be truncated. (SQL-22001)
[Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated
. (SQL-01000)(DBD: Execute immediate failed err=-1)
Wed Jun 13 11:46:12 2012: ERR: do failed for 'insert into RADAUTHLOG (TIME_STAMP
, USERNAME, TYPE, REASON) values (1339559172, 'test101', 0, 'Check item User-Nam
e expression '''' does not match ''test101'' in request')': [Microsoft][ODBC SQL
 Server Driver][SQL Server]String or binary data would be truncated. (SQL-22001)
[Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated
. (SQL-01000)(DBD: Execute immediate failed err=-1)
Wed Jun 13 11:46:12 2012: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2744 ....
Code:       Access-Reject
Identifier: 56
Authentic:  <204><223><19><249><241><254><164><186><137><247>mL<230><0><216><203
>
Attributes:
        Reply-Message = "Request Denied"
Wed Jun 13 11:46:12 2012: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2744 ....
Code:       Accounting-Request
Identifier: 57
Authentic:  v<176>s<163><242>-><27><132><127>V<165><153>u<151><146>
Attributes:
        User-Name = "test101"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
Wed Jun 13 11:46:12 2012: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jun 13 11:46:12 2012: DEBUG: UH-RADIUS Adding session for test101, 203.63.15
4.1, 1234
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'delete from RADONLINE where NASID
ENTIFIER='203.63.154.1' and ACCTSESSIONID='00001234'':
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'insert into RADONLINE (USERNAME,
NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,S
ERVICETYPE) values ('test101', '203.63.154.1', 1234, '00001234', 1339559172,'',
'Async', 'Framed-User')':
Wed Jun 13 11:46:12 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Jun 13 11:46:12 2012: DEBUG: Handling accounting with Radius::AuthRADMIN
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'update RADUSERS set TIMELEFT=TIME
LEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAM
E='test101'':
Wed Jun 13 11:46:12 2012: DEBUG: AuthBy RADMIN result: ACCEPT,
Wed Jun 13 11:46:12 2012: DEBUG: Accounting accepted
Wed Jun 13 11:46:12 2012: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2744 ....
Code:       Accounting-Response
Identifier: 57
Authentic:  v<176>s<163><242>-><27><132><127>V<165><153>u<151><146>
 

config file
 

# windows.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system on Windows. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example is expected to be installed in
#   c:\Program Files\Radiator\radius.cfg
# It will authenticate from a standard users file in
#   c:\Program Files\Radiator\users
# it will log debug and other messages to
#   c:\Program Files\Radiator\logfile
# and log accounting to a file in
#   c:\Program Files\Radiator\detail
# (of course you can change all these by editing this config file if you wish)
#
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what its doing in great detail to the log file.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir  c:/Program Files/Radiator
# This will log at DEBUG level: very verbose
# User a lower trace level in production systems, typically use 3
Trace   4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with. This will work
# at least with radpwtst running on the local machine
<Client DEFAULT>
 Secret mysecret
 DupInterval 0
</Client>
# Authenticate all realms with this
<Realm DEFAULT>
 # Look up user details in a flat file
 <AuthBy RADMIN>
  # Change DBSource, DBUsername, DBAuth for your database
  # See the reference manual. You will also have to
  # change the one in <SessionDatabse SQL> below
  # so its the same
  DBSource dbi:ODBC:radmin
  DBUsername radmin
  DBAuth  radminpw
  # Never look up the DEFAULT user
  NoDefault
  # You can add to or change these if you want, but you
  # will probably want to change the database schema first
# Scott: comment out the following 15 lines until DNIS,calledstation-d. for testing
#  AccountingTable RADUSAGE
#  AcctColumnDef USERNAME,User-Name
#  AcctColumnDef TIME_STAMP,Timestamp,integer
#  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
#  AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
#  AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
#  AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
#  AcctColumnDef ACCTSESSIONID,Acct-Session-Id
#  AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
#  AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
#  AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
#  AcctColumnDef NASIDENTIFIER,NAS-IP-Address
#  AcctColumnDef NASIDENTIFIER,NAS-Identifier
#  AcctColumnDef NASPORT,NAS-Port,integer
#  AcctColumnDef DNIS,Called-Station-Id
#  AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
  # This updates the time and octets left
  # for this user
  AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
  # These are the classic things to add to each users
  # reply to allow a PPP dialup session. It may be
  # different for your NAS. This will add some
  # reply items to everyone's reply
  AddToReply Framed-Protocol = PPP,\
          Framed-IP-Netmask = 255.255.255.255,\
          Framed-Routing = None,\
          Framed-MTU = 1500,\
   Framed-Compression = Van-Jacobson-TCP-IP
  # If you intend to use rcrypt reversible encryption
  # for passwords in your Radmin database, you must
  # RcryptKey here to be the same secret key you
  # defined in your Radmin Site.pm, and also set
  # PasswordFormat in your Site.pm.
  # RcryptKey mysecret
  # If you intend to use Unix encryption in your database,
  # you will need to set EncryptedPasssword here,
  # as well as setting PasswordFormat in your Site.pm
  # EncryptedPassword
  # You can change the max bad login count from the default
  # of 5 with something like
  # MaxBadLogins 10
    MaxBadLogins 10
 </AuthBy>
 
 # This clause logs all authentication successes and failures to the RADAUTHLOG table
 # Suitable for use with RAdmin version 1.6 or later
 <AuthLog SQL>
  # This database spec usually should be exactly the same
  # as in <AuthBy RADMIN> above
  DBSource dbi:ODBC:radmin
  DBUsername radmin
  DBAuth  radminpw
  LogSuccess
  SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
  LogFailure
  FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
 </AuthLog>
 # Log accounting to a detail file. %D is replaced by DbDir above
 AcctLogFileName %D/detail
</Realm>
 
 
 

<ServerHTTP>
 # Specifies the TCP port to use. Defaults to 9048
 #Port %{GlobalVar:serverhttpport}
 Port 9048
     
 # ServerHTTP saves for viewing the last LogMaxLines log entries
 # at or below this trace level.
 Trace 4
 # LogMaxLines specifies the max number of recent log messages that are
 # saved. Defaults to 500. If you set this to 0, then no
 # logger will be created for ServerHTTP, slightly improving performance
 #LogMaxLines 1000
 # BindAddress allows you to bind to a different network address
 # for multihomed hosts. Defaults to 0.0.0.0
 #BindAddress 203.63.154.29, 127.0.0.1
 # You can have one or more AuthBy clauses or AuthBy parameters
 # to specify how to authenticate HTTP connections. AuthByPolicy is also
 # supported. If the last AuthBy returns ACCEPT, the connection
 # is accepted. If the last AuthBy returns IGNORE, or there are
 # no AuthBy, then fall back to the hardwired Username and
 # Password parameters
 # If the authenticated user has a Management-Policy-Id reply item,
 # it will be used
 # as that users privilege level, instead of DefaultPrivilegeLevel.
# <AuthBy FILE>
#  Filename %D/users
# </AuthBy>
 # This is the fallback username and password that clients must LOGIN as
 # if there are no AuthBy clauses, or if they return IGNORE
 # If there are no AuthBys (or the last returns IGNORE) and there is no
 # Username, you can connect to this interface anonymously (not
 # recommended except for testing in secure enviromnents).
 Username mikem
 # Password can be plaintext or any of the encrypted formats such as
 # {crypt}....., {nthash}....., {SHA}...., {SSHA}....., {mysql}....,
 # {msssql}...., {dechpwd}...., {MD5}......, {clear}....
 Password fred
 # Controls the ServerHTTP users privilege level if
 # a per-user Management-Policy-Id is not available from a successful
 # authentication from the AuthBy list.
 # The privilege level is a bitmask. The following privilege levels are
 # defined, and may be logically or'd together
 #  0 means no access, including no login permission.
 #  1 means viewing basic status only.
 #  2 means ability to reset the server
 #  4 means the ability to edit and change the running config (but not
 #    save it)
 #  8 means the ability to save changes to the configuration
 #  15 means all privileges
 # Defaults to 1
 DefaultPrivilegeLevel 15
 # Clients let you limit which clients you will accept connects from
 # You can specify one or more comma or space separated IP addresses
 # Use this parameter to make your server more secure by limiting
 # which clients can connect.
 #Clients 127.0.0.2, 203.63.154.29
 # This one limits access to the same host that Radiator runs on:
 Clients 127.0.0.1,192.168.1.2
 # If AuditTrail is defined, all editing operations and changes will be
 # logged to the file (as well as to the normal log file at trace level 3)
 AuditTrail %D/audit.txt
 # Like most loggers, you can enable LogMicroseconds to get
        # microsecond accuracy in log messages. Requires the
 # Time::HiRes module from CPAN.
 #LogMicroseconds
 # Specifies the maximum time before the user has to log in again
 # Defaults to 1 hour
 #SessionTimeout 3600
 # You can force SSL connections, and use all the standard TLS
 # certificate and verification mechanisms
# UseSSL 1
 TLS_CAFile ./certificates/demoCA/cacert.pem
 TLS_CertificateFile ./certificates/cert-srv.pem
 TLS_CertificateType PEM
 TLS_PrivateKeyFile ./certificates/cert-srv.pem
 TLS_PrivateKeyPassword whatever
 #TLS_RequireClientCert
 #TLS_ExpectedPeerName .+
 #TLS_SubjectAltNameURI .*open.com.au
 #TLS_CRLCheck
 #TLS_CRLFile %D/certificates/revocations.pem
 #TLS_CRLFile %D/certificates/revocations2.pem
 # Users that log in to the Server HTTP interface can be logged with an
 # AuthLog clause:
 <AuthLog FILE>
   Filename %L/authlog
 </AuthLog>
 
 # If a page is requested but not found in the set of built-in pages
 # PageNotFoundHook is called to try to handle the request.
 # PageNotFoundHook is passed the requested URI and a reference to the
 # ServerHTTP connection. If it can handle the request, it returns an
 # array of ($httpcode, $content, @httpheaders) else undef.
 #PageNotFoundHook sub {return (200, "your HTML content");}
</ServerHTTP>
 
 

<Monitor>
 # Specifies the TCP port to use. Defaults to 9048
 #Port  7777
 Port  7777
 #Port %{GlobalVar:monitorport}
 # BindAddress allows you to bind to a different network address
 # for multihomed hosts. Defaults to 0.0.0.0
 #BindAddress 203.63.154.29, 127.0.0.1
 # You can have one or more AuthBy clauses or AuthBy parameters
 # to specify how to authenticate connections. AuthByPolicy is also
 # supported. If the last AuthBy returns ACCEPT, the connection
 # is accepted. If the last AuthBy returns IGNORE, or there are
 # no AuthBy, then fall back to the hardwired Username and
 # Password parameters
# <AuthBy FILE>
#  Filename ./users
# </AuthBy>
 # This is the fallback username and password that clients must LOGIN as
 # if there are no AuthBy clauses, or they return IGNORE
 Username mikem
 Password fred
 # IF you set TraceOnly, connections through this Monitor are
 # prevented from getting statistics, or getting or setting
 # configuration data, or restarting the server
 # TraceOnly
 # Clients let you specify which clients you will accept connects from
 # You can specify one or more comma or space separated IP addresses
 #Clients 127.0.0.2, 203.63.154.29
 # Like most loggers, you can enable LogMicroseconds to get
        # microsecond accuracy in log messages. Requires the
 # Time::HiRes module from CPAN.
 #LogMicroseconds
</Monitor>
 
 
 
 
<SessionDatabase SQL>
 # Specify the SQL database to connect to is similar to AuthSQL
 # You can specify multiple databases as fallbacks etc. See
 # the reference manual for more details
  DBSource dbi:ODBC:radmin
  DBUsername radmin
  DBAuth  radminpw
 
 # You can alter the SQL statements used to add, delete and count
 # sessions with AddQuery, DeleteQuery, ClearNasQuery and
 # CountQuery. That means you can accomodate many different
 # SQL Session Database schemas. The defaults for these parameters
 # are suitable for the example RADONLINE table in the example SQL
 # scripts in the goodies directory.
 # See the reference manual for more details
 #AddQuery insert into .....
 #DeleteQuery delete from .....
 #ClearNasQuery delete from ...
 #CountQuery select ........
 
AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,SERVICETYPE) values ('%u', '%1', %2, %3, %{Timestamp},'%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}')
DeleteQuery delete from RADONLINE where NASIDENTIFIER='%1' and ACCTSESSIONID=%3
CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='%u'
 # Optional identifier. Igts just a name
# Identifier SDB2
Identifier UH-RADIUS
</SessionDatabase>
 
 
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120613/86b853de/attachment-0001.html 


More information about the radiator mailing list