[RADIATOR] Radiator: Request Denied , AuthBy RADMIN result: REJECT, Check item User-Name expression '' does not match 'test101' in request
Scott
scottshaw at 163.com
Tue Jun 12 22:53:47 CDT 2012
hi team, I am testing radiator with radmin with MS SQL server on windows platform. I use default cfg file without issue. but when I use this config file below to test with new created users on radmin, it's always rejected, any advice please?
thanks.Scott
error on client
C:\Perl\bin>perl radpwtst -user test101 -password P at ssw0rd123 -nostop
sending Access-Request...
Rejected: Request Denied
sending Accounting-Request Start...
OK
debug:
C:\Program Files\Radiator>perl \perl\bin\radiusd -config radius-con1.cfg -foregr
ound
Wed Jun 13 11:46:08 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
Wed Jun 13 11:46:08 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:7777
Wed Jun 13 11:46:08 2012: DEBUG: Finished reading configuration file 'radius-con
1.cfg'
Wed Jun 13 11:46:08 2012: DEBUG: Reading dictionary file 'c:/Program Files/Radia
tor/dictionary'
Wed Jun 13 11:46:08 2012: DEBUG: Creating authentication port 0.0.0.0:1645
Wed Jun 13 11:46:08 2012: DEBUG: Creating accounting port 0.0.0.0:1646
Wed Jun 13 11:46:08 2012: NOTICE: Server started: Radiator 4.2 on radiatorvm
Wed Jun 13 11:46:11 2012: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2744 ....
Code: Access-Request
Identifier: 56
Authentic: <204><223><19><249><241><254><164><186><137><247>mL<230><0><216><203
>
Attributes:
User-Name = "test101"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = X<179><177><246><176>c<221><228><207>^<249><134>\<134>},
Wed Jun 13 11:46:11 2012: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jun 13 11:46:11 2012: DEBUG: UH-RADIUS Deleting session for test101, 203.63.
154.1, 1234
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'delete from RADONLINE where NASID
ENTIFIER='203.63.154.1' and ACCTSESSIONID=NULL':
Wed Jun 13 11:46:12 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Jun 13 11:46:12 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIM
ELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where
USERNAME='test101'':
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, S
VALUE, ITEM_TYPE from RADSTCONFIG where NAME='1' order by ITEM_TYPE':
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select ATTR_ID, VENDOR_ID, IVALUE, S
VALUE, ITEM_TYPE from RADCONFIG where NAME='test101' order by ITEM_TYPE':
Wed Jun 13 11:46:12 2012: DEBUG: Radius::AuthRADMIN looks for match with test101
[test101]
Wed Jun 13 11:46:12 2012: DEBUG: Query is: 'select NASIDENTIFIER, NASPORT, ACCTS
ESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='test101'':
Wed Jun 13 11:46:12 2012: DEBUG: ValidFrom date converted to: 1339559086
Wed Jun 13 11:46:12 2012: DEBUG: Expiration date converted to: 1371052800
Wed Jun 13 11:46:12 2012: DEBUG: Radius::AuthRADMIN REJECT: Check item User-Name
expression '' does not match 'test101' in request: test101 [test101]
Wed Jun 13 11:46:12 2012: DEBUG: AuthBy RADMIN result: REJECT, Check item User-N
ame expression '' does not match 'test101' in request
Wed Jun 13 11:46:12 2012: INFO: Access rejected for test101: Check item User-Nam
e expression '' does not match 'test101' in request
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAM
P, USERNAME, TYPE, REASON) values (1339559172, 'test101', 0, 'Check item User-Na
me expression '''' does not match ''test101'' in request')':
Wed Jun 13 11:46:12 2012: ERR: do failed for 'insert into RADAUTHLOG (TIME_STAMP
, USERNAME, TYPE, REASON) values (1339559172, 'test101', 0, 'Check item User-Nam
e expression '''' does not match ''test101'' in request')': [Microsoft][ODBC SQL
Server Driver][SQL Server]String or binary data would be truncated. (SQL-22001)
[Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated
. (SQL-01000)(DBD: Execute immediate failed err=-1)
Wed Jun 13 11:46:12 2012: ERR: do failed for 'insert into RADAUTHLOG (TIME_STAMP
, USERNAME, TYPE, REASON) values (1339559172, 'test101', 0, 'Check item User-Nam
e expression '''' does not match ''test101'' in request')': [Microsoft][ODBC SQL
Server Driver][SQL Server]String or binary data would be truncated. (SQL-22001)
[Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated
. (SQL-01000)(DBD: Execute immediate failed err=-1)
Wed Jun 13 11:46:12 2012: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2744 ....
Code: Access-Reject
Identifier: 56
Authentic: <204><223><19><249><241><254><164><186><137><247>mL<230><0><216><203
>
Attributes:
Reply-Message = "Request Denied"
Wed Jun 13 11:46:12 2012: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2744 ....
Code: Accounting-Request
Identifier: 57
Authentic: v<176>s<163><242>-><27><132><127>V<165><153>u<151><146>
Attributes:
User-Name = "test101"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Wed Jun 13 11:46:12 2012: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jun 13 11:46:12 2012: DEBUG: UH-RADIUS Adding session for test101, 203.63.15
4.1, 1234
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'delete from RADONLINE where NASID
ENTIFIER='203.63.154.1' and ACCTSESSIONID='00001234'':
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'insert into RADONLINE (USERNAME,
NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,S
ERVICETYPE) values ('test101', '203.63.154.1', 1234, '00001234', 1339559172,'',
'Async', 'Framed-User')':
Wed Jun 13 11:46:12 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Jun 13 11:46:12 2012: DEBUG: Handling accounting with Radius::AuthRADMIN
Wed Jun 13 11:46:12 2012: DEBUG: do query is: 'update RADUSERS set TIMELEFT=TIME
LEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAM
E='test101'':
Wed Jun 13 11:46:12 2012: DEBUG: AuthBy RADMIN result: ACCEPT,
Wed Jun 13 11:46:12 2012: DEBUG: Accounting accepted
Wed Jun 13 11:46:12 2012: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2744 ....
Code: Accounting-Response
Identifier: 57
Authentic: v<176>s<163><242>-><27><132><127>V<165><153>u<151><146>
config file
# windows.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system on Windows. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example is expected to be installed in
# c:\Program Files\Radiator\radius.cfg
# It will authenticate from a standard users file in
# c:\Program Files\Radiator\users
# it will log debug and other messages to
# c:\Program Files\Radiator\logfile
# and log accounting to a file in
# c:\Program Files\Radiator\detail
# (of course you can change all these by editing this config file if you wish)
#
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what its doing in great detail to the log file.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
# This will log at DEBUG level: very verbose
# User a lower trace level in production systems, typically use 3
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with. This will work
# at least with radpwtst running on the local machine
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
# Authenticate all realms with this
<Realm DEFAULT>
# Look up user details in a flat file
<AuthBy RADMIN>
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual. You will also have to
# change the one in <SessionDatabse SQL> below
# so its the same
DBSource dbi:ODBC:radmin
DBUsername radmin
DBAuth radminpw
# Never look up the DEFAULT user
NoDefault
# You can add to or change these if you want, but you
# will probably want to change the database schema first
# Scott: comment out the following 15 lines until DNIS,calledstation-d. for testing
# AccountingTable RADUSAGE
# AcctColumnDef USERNAME,User-Name
# AcctColumnDef TIME_STAMP,Timestamp,integer
# AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
# AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
# AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
# AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
# AcctColumnDef ACCTSESSIONID,Acct-Session-Id
# AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
# AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
# AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
# AcctColumnDef NASIDENTIFIER,NAS-IP-Address
# AcctColumnDef NASIDENTIFIER,NAS-Identifier
# AcctColumnDef NASPORT,NAS-Port,integer
# AcctColumnDef DNIS,Called-Station-Id
# AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
# This updates the time and octets left
# for this user
AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
# These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
# If you intend to use rcrypt reversible encryption
# for passwords in your Radmin database, you must
# RcryptKey here to be the same secret key you
# defined in your Radmin Site.pm, and also set
# PasswordFormat in your Site.pm.
# RcryptKey mysecret
# If you intend to use Unix encryption in your database,
# you will need to set EncryptedPasssword here,
# as well as setting PasswordFormat in your Site.pm
# EncryptedPassword
# You can change the max bad login count from the default
# of 5 with something like
# MaxBadLogins 10
MaxBadLogins 10
</AuthBy>
# This clause logs all authentication successes and failures to the RADAUTHLOG table
# Suitable for use with RAdmin version 1.6 or later
<AuthLog SQL>
# This database spec usually should be exactly the same
# as in <AuthBy RADMIN> above
DBSource dbi:ODBC:radmin
DBUsername radmin
DBAuth radminpw
LogSuccess
SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
LogFailure
FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
</AuthLog>
# Log accounting to a detail file. %D is replaced by DbDir above
AcctLogFileName %D/detail
</Realm>
<ServerHTTP>
# Specifies the TCP port to use. Defaults to 9048
#Port %{GlobalVar:serverhttpport}
Port 9048
# ServerHTTP saves for viewing the last LogMaxLines log entries
# at or below this trace level.
Trace 4
# LogMaxLines specifies the max number of recent log messages that are
# saved. Defaults to 500. If you set this to 0, then no
# logger will be created for ServerHTTP, slightly improving performance
#LogMaxLines 1000
# BindAddress allows you to bind to a different network address
# for multihomed hosts. Defaults to 0.0.0.0
#BindAddress 203.63.154.29, 127.0.0.1
# You can have one or more AuthBy clauses or AuthBy parameters
# to specify how to authenticate HTTP connections. AuthByPolicy is also
# supported. If the last AuthBy returns ACCEPT, the connection
# is accepted. If the last AuthBy returns IGNORE, or there are
# no AuthBy, then fall back to the hardwired Username and
# Password parameters
# If the authenticated user has a Management-Policy-Id reply item,
# it will be used
# as that users privilege level, instead of DefaultPrivilegeLevel.
# <AuthBy FILE>
# Filename %D/users
# </AuthBy>
# This is the fallback username and password that clients must LOGIN as
# if there are no AuthBy clauses, or if they return IGNORE
# If there are no AuthBys (or the last returns IGNORE) and there is no
# Username, you can connect to this interface anonymously (not
# recommended except for testing in secure enviromnents).
Username mikem
# Password can be plaintext or any of the encrypted formats such as
# {crypt}....., {nthash}....., {SHA}...., {SSHA}....., {mysql}....,
# {msssql}...., {dechpwd}...., {MD5}......, {clear}....
Password fred
# Controls the ServerHTTP users privilege level if
# a per-user Management-Policy-Id is not available from a successful
# authentication from the AuthBy list.
# The privilege level is a bitmask. The following privilege levels are
# defined, and may be logically or'd together
# 0 means no access, including no login permission.
# 1 means viewing basic status only.
# 2 means ability to reset the server
# 4 means the ability to edit and change the running config (but not
# save it)
# 8 means the ability to save changes to the configuration
# 15 means all privileges
# Defaults to 1
DefaultPrivilegeLevel 15
# Clients let you limit which clients you will accept connects from
# You can specify one or more comma or space separated IP addresses
# Use this parameter to make your server more secure by limiting
# which clients can connect.
#Clients 127.0.0.2, 203.63.154.29
# This one limits access to the same host that Radiator runs on:
Clients 127.0.0.1,192.168.1.2
# If AuditTrail is defined, all editing operations and changes will be
# logged to the file (as well as to the normal log file at trace level 3)
AuditTrail %D/audit.txt
# Like most loggers, you can enable LogMicroseconds to get
# microsecond accuracy in log messages. Requires the
# Time::HiRes module from CPAN.
#LogMicroseconds
# Specifies the maximum time before the user has to log in again
# Defaults to 1 hour
#SessionTimeout 3600
# You can force SSL connections, and use all the standard TLS
# certificate and verification mechanisms
# UseSSL 1
TLS_CAFile ./certificates/demoCA/cacert.pem
TLS_CertificateFile ./certificates/cert-srv.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile ./certificates/cert-srv.pem
TLS_PrivateKeyPassword whatever
#TLS_RequireClientCert
#TLS_ExpectedPeerName .+
#TLS_SubjectAltNameURI .*open.com.au
#TLS_CRLCheck
#TLS_CRLFile %D/certificates/revocations.pem
#TLS_CRLFile %D/certificates/revocations2.pem
# Users that log in to the Server HTTP interface can be logged with an
# AuthLog clause:
<AuthLog FILE>
Filename %L/authlog
</AuthLog>
# If a page is requested but not found in the set of built-in pages
# PageNotFoundHook is called to try to handle the request.
# PageNotFoundHook is passed the requested URI and a reference to the
# ServerHTTP connection. If it can handle the request, it returns an
# array of ($httpcode, $content, @httpheaders) else undef.
#PageNotFoundHook sub {return (200, "your HTML content");}
</ServerHTTP>
<Monitor>
# Specifies the TCP port to use. Defaults to 9048
#Port 7777
Port 7777
#Port %{GlobalVar:monitorport}
# BindAddress allows you to bind to a different network address
# for multihomed hosts. Defaults to 0.0.0.0
#BindAddress 203.63.154.29, 127.0.0.1
# You can have one or more AuthBy clauses or AuthBy parameters
# to specify how to authenticate connections. AuthByPolicy is also
# supported. If the last AuthBy returns ACCEPT, the connection
# is accepted. If the last AuthBy returns IGNORE, or there are
# no AuthBy, then fall back to the hardwired Username and
# Password parameters
# <AuthBy FILE>
# Filename ./users
# </AuthBy>
# This is the fallback username and password that clients must LOGIN as
# if there are no AuthBy clauses, or they return IGNORE
Username mikem
Password fred
# IF you set TraceOnly, connections through this Monitor are
# prevented from getting statistics, or getting or setting
# configuration data, or restarting the server
# TraceOnly
# Clients let you specify which clients you will accept connects from
# You can specify one or more comma or space separated IP addresses
#Clients 127.0.0.2, 203.63.154.29
# Like most loggers, you can enable LogMicroseconds to get
# microsecond accuracy in log messages. Requires the
# Time::HiRes module from CPAN.
#LogMicroseconds
</Monitor>
<SessionDatabase SQL>
# Specify the SQL database to connect to is similar to AuthSQL
# You can specify multiple databases as fallbacks etc. See
# the reference manual for more details
DBSource dbi:ODBC:radmin
DBUsername radmin
DBAuth radminpw
# You can alter the SQL statements used to add, delete and count
# sessions with AddQuery, DeleteQuery, ClearNasQuery and
# CountQuery. That means you can accomodate many different
# SQL Session Database schemas. The defaults for these parameters
# are suitable for the example RADONLINE table in the example SQL
# scripts in the goodies directory.
# See the reference manual for more details
#AddQuery insert into .....
#DeleteQuery delete from .....
#ClearNasQuery delete from ...
#CountQuery select ........
AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,SERVICETYPE) values ('%u', '%1', %2, %3, %{Timestamp},'%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}')
DeleteQuery delete from RADONLINE where NASIDENTIFIER='%1' and ACCTSESSIONID=%3
CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='%u'
# Optional identifier. Igts just a name
# Identifier SDB2
Identifier UH-RADIUS
</SessionDatabase>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120613/86b853de/attachment-0001.html
More information about the radiator
mailing list