[RADIATOR] Password with local characters fails

Patrik Forsberg patrik.forsberg at ip-only.se
Mon May 21 02:47:34 CDT 2012


Hi,

I have a minor issue with our current setup where it seems like local characters aren't working for some reason?
If a person has a password like "hello" it works, but "hallå" won't work. From debugging it looks like the character gets stripped from the password request, but I'm NOT sure if it is equipment related or Radiator that strips it?

My question is if there is anything in Radiator that could strip the local characters from the password field prior to adding it up for authentication? My guess is no and that this is actually an equipment issue :)


Trace 4 from failed password (hallå)
"
Mon May 21 09:34:10 2012: DEBUG: New TacacsplusConnection created for 2.2.2.2:39038
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 1928940964, 34
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for test2, telnet932, 1.1.1.1
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, IPO Password:,  
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 1928940964, 9
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**, 
Mon May 21 09:34:10 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  p1<237>TA<222><217><149><129>C5<131><222><22><175><141>
Attributes:
        NAS-IP-Address = 2.2.2.2
        NAS-Port-Id = "telnet932"
        Calling-Station-Id = "1.1.1.1"
        Service-Type = Login-User
        NAS-Identifier = "TACACS"
        OSC-Environment-Identifier = "Tacacs"
        User-Name = "test2 at extreme.switch"
        User-Password = "**obscured**"
        cisco-avpair = "action=1"
        cisco-avpair = "authen_type=1"
        cisco-avpair = "priv-lvl=15"
        cisco-avpair = "service=1"
        OSC-Version-Identifier = "192"

Mon May 21 09:34:10 2012: DEBUG: Handling request with Handler 'Realm=extreme.switch', Identifier 'HandlerExtremeSwitchIdentUser'
Mon May 21 09:34:10 2012: DEBUG: Rewrote user name to test2
Mon May 21 09:34:10 2012: DEBUG: SessionSQL Deleting session for test2, 2.2.2.2, 
Mon May 21 09:34:10 2012: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='2.2.2.2' and NASPORT=0': 
Mon May 21 09:34:10 2012: DEBUG: Handling with Radius::AuthGROUP: 
Mon May 21 09:34:10 2012: DEBUG: Handling with Radius::AuthSQL: SQLAuthExtraUsers
Mon May 21 09:34:10 2012: DEBUG: Handling with Radius::AuthSQL: SQLAuthExtraUsers
Mon May 21 09:34:10 2012: DEBUG: Query is: 'select PASSWORD,CHECKATTR,REPLYATTR from EXTRAUSERS where USERNAME=? and ENABLED=1': test2
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthSQL looks for match with test2 [test2]
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthSQL REJECT: Bad Password: test2 [test2]
Mon May 21 09:34:10 2012: DEBUG: Query is: 'select PASSWORD,CHECKATTR,REPLYATTR from EXTRAUSERS where USERNAME=? and ENABLED=1': DEFAULT
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthGROUP: SQLAuthExtraUsers result: REJECT, Bad Password
Mon May 21 09:34:10 2012: DEBUG: Handling with Radius::AuthGROUP: AuthenticateLuser1
Mon May 21 09:34:10 2012: DEBUG: Handling with Radius::AuthGROUP: 
Mon May 21 09:34:10 2012: DEBUG: Handling with Radius::AuthFILE: 
Mon May 21 09:34:10 2012: DEBUG: Reading users file /etc/radiator/mix/manager
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthFILE looks for match with test2 [test2]
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthFILE ACCEPT: : test2 [test2]
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthGROUP:  result: ACCEPT, 
Mon May 21 09:34:10 2012: DEBUG: Radius::AuthGROUP:AuthenticateLuser1  result: ACCEPT, 
Mon May 21 09:34:10 2012: DEBUG: Handling with PAM service radiusd
Mon May 21 09:34:10 2012: DEBUG: PAM is asking for 1: 'Password'
Mon May 21 09:34:12 2012: DEBUG: Radius::AuthGROUP:AuthenticateLuser1  result: REJECT, Authentication failure: 
Mon May 21 09:34:12 2012: DEBUG: Radius::AuthGROUP: AuthenticateLuser1 result: REJECT, Authentication failure: 
Mon May 21 09:34:12 2012: DEBUG: Handling with Radius::AuthSQL: SQLAcct
Mon May 21 09:34:12 2012: DEBUG: Radius::AuthGROUP: SQLAcct result: IGNORE, Ignored due to IgnoreAuthentication
Mon May 21 09:34:12 2012: DEBUG: AuthBy GROUP result: IGNORE, Ignored due to IgnoreAuthentication
Mon May 21 09:34:12 2012: DEBUG: TacacsplusConnection Authentication REPLY 7, 0, Database failure,  
Mon May 21 09:34:12 2012: DEBUG: TacacsplusConnection disconnected from 2.2.2.2:39038
"

Trace 4 from successful password (hello)
"
Mon May 21 09:34:47 2012: DEBUG: New TacacsplusConnection created for 2.2.2.2:57964
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 602545701, 34
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for test2, telnet933, 1.1.1.1
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, IPO Password:,  
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 602545701, 10
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**, 
Mon May 21 09:34:47 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <167><130><206><167>M(my<139><205><169><219>Z'#<191>
Attributes:
        NAS-IP-Address = 2.2.2.2
        NAS-Port-Id = "telnet933"
        Calling-Station-Id = "1.1.1.1"
        Service-Type = Login-User
        NAS-Identifier = "TACACS"
        OSC-Environment-Identifier = "Tacacs"
        User-Name = "test2 at extreme.switch"
        User-Password = "**obscured**"
        cisco-avpair = "action=1"
        cisco-avpair = "authen_type=1"
        cisco-avpair = "priv-lvl=15"
        cisco-avpair = "service=1"
        OSC-Version-Identifier = "192"

Mon May 21 09:34:47 2012: DEBUG: Handling request with Handler 'Realm=extreme.switch', Identifier 'HandlerExtremeSwitchIdentUser'
Mon May 21 09:34:47 2012: DEBUG: Rewrote user name to test2
Mon May 21 09:34:47 2012: DEBUG: SessionSQL Deleting session for test2, 2.2.2.2, 
Mon May 21 09:34:47 2012: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='2.2.2.2' and NASPORT=0': 
Mon May 21 09:34:47 2012: DEBUG: Handling with Radius::AuthGROUP: 
Mon May 21 09:34:47 2012: DEBUG: Handling with Radius::AuthSQL: SQLAuthExtraUsers
Mon May 21 09:34:47 2012: DEBUG: Handling with Radius::AuthSQL: SQLAuthExtraUsers
Mon May 21 09:34:47 2012: DEBUG: Query is: 'select PASSWORD,CHECKATTR,REPLYATTR from EXTRAUSERS where USERNAME=? and ENABLED=1': test2
Mon May 21 09:34:47 2012: DEBUG: Radius::AuthSQL looks for match with test2 [test2]
Mon May 21 09:34:47 2012: DEBUG: Radius::AuthSQL ACCEPT: : test2 [test2]
Mon May 21 09:34:47 2012: DEBUG: Radius::AuthGROUP: SQLAuthExtraUsers result: ACCEPT, 
Mon May 21 09:34:47 2012: DEBUG: AuthBy GROUP result: ACCEPT, 
Mon May 21 09:34:47 2012: DEBUG: Access accepted for test2
Mon May 21 09:34:47 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <167><130><206><167>M(my<139><205><169><219>Z'#<191>
Attributes:
        Service-Type = Administrative-User
        Mikrotik-Group = "full"
        IPO-AuthGroup = "manager"
        Management-Policy-Id = "15"
        Extreme-EPICenter-Role = "Administrator"
        Brocade-Auth-Role = "admin"

Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection result Access-Accept
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,  
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection disconnected from 2.2.2.2:57964
Mon May 21 09:34:47 2012: DEBUG: New TacacsplusConnection created for 2.2.2.2:52207
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1640898187, 53
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 15, 1, 1, test2, telnet933, 1.1.1.1, 2, service=shell cmd=
Mon May 21 09:34:47 2012: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd= { priv-lvl=15 }
Mon May 21 09:34:47 2012: INFO: Authorization permitted for test2 at 2.2.2.2, group manager, args service=shell cmd=
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection disconnected from 2.2.2.2:52207
Mon May 21 09:34:47 2012: DEBUG: New TacacsplusConnection created for 2.2.2.2:42613
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 2077904988, 71
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 15, 1, 1, test2, telnet933, 1.1.1.1, 2, start_time=1337614871 service=shell
Mon May 21 09:34:47 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  <167><144><5>y<0><7><21>a<10><191><250>v<248><194>_<5>
Attributes:
        NAS-IP-Address = 2.2.2.2
        NAS-Port-Id = "telnet933"
        Calling-Station-Id = "1.1.1.1"
        NAS-Identifier = "TACACS"
        OSC-Environment-Identifier = "Tacacs"
        User-Name = "test2 at extreme.switch"
        Acct-Status-Type = Start
        Acct-Session-Id = "2077904988"
        cisco-avpair = "start_time=1337614871"
        cisco-avpair = "service=shell"
        OSC-Version-Identifier = "192"

Mon May 21 09:34:47 2012: DEBUG: Handling request with Handler 'OSC-Environment-Identifier=Tacacs,Request-Type=Accounting-Request', Identifier 'TacacsAcctHandler'
Mon May 21 09:34:47 2012: DEBUG: Rewrote user name to test2
Mon May 21 09:34:47 2012: DEBUG: SessionSQL Adding session for test2, 2.2.2.2, 
Mon May 21 09:34:47 2012: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='2.2.2.2' and NASPORT=00': 
Mon May 21 09:34:47 2012: DEBUG: do query is: 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('test2', '2.2.2.2', 0, '2077904988', 1337585687, '', '', '')': 
Mon May 21 09:34:47 2012: DEBUG: Handling with Radius::AuthSQL: SqlAcctTacacs
Mon May 21 09:34:47 2012: DEBUG: Handling accounting with Radius::AuthSQL
Mon May 21 09:34:47 2012: DEBUG: do query is: 'insert into RADCOMMANDAUDIT (ACCTSESSIONID,ACCTSTATUSTYPE,CMD,NASIPADDRESS,NASPORTID,TIME_STAMP,USERNAME) values ('2077904988','Start','start_time=1337614871','2.2.2.2','telnet933',1337585687,'test2')': 
Mon May 21 09:34:47 2012: DEBUG: AuthBy SQL result: ACCEPT, 
Mon May 21 09:34:47 2012: DEBUG: Accounting accepted
Mon May 21 09:34:47 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  <167><144><5>y<0><7><21>a<10><191><250>v<248><194>_<5>
Attributes:

Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection result Accounting-Response
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection disconnected from 2.2.2.2:42613
"

From "PasswordLogFileName"
hallå password: Mon May 21 09:34:10 2012: 1337585650:test2:hall:hallÃ¥:FAIL
hello password: Mon May 21 09:34:47 2012: 1337585687:test2:hello:hello:PASS


Regards,
Patrik Forsberg
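
Added example, not part of the original post and not Radiator code: the CONTINUE request lines in the two traces differ in their last number (9 versus 10), and this sketch turns that number into the count of password bytes the NAS actually sent. It assumes the six logged numbers are the TACACS+ header fields in RFC 8907 order (version, type, seq_no, flags, session_id, length) and that the CONTINUE data field is empty; the function names are illustrative.

```python
import re

# The two CONTINUE exchanges, copied from the traces in the post above.
TRACE = """\
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 1928940964, 9
Mon May 21 09:34:10 2012: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**,
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 602545701, 10
Mon May 21 09:34:47 2012: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**,
"""

# Assumption: the six numbers are the TACACS+ header fields in RFC 8907 order.
REQ = re.compile(r"TacacsplusConnection request (\d+), (\d+), (\d+), (\d+), (\d+), (\d+)\s*$")
TYPE_AUTHEN = 1      # header type value for authentication packets
CONTINUE_FIXED = 5   # user_msg_len (2) + data_len (2) + flags (1)

def continue_msg_lengths(trace):
    """Map session_id -> user_msg byte count for each Authentication CONTINUE."""
    lengths = {}
    lines = trace.splitlines()
    for line, following in zip(lines, lines[1:]):
        m = REQ.search(line)
        if not m or "Authentication CONTINUE" not in following:
            continue
        _version, ptype, _seq, _flags, session, body_len = map(int, m.groups())
        if ptype == TYPE_AUTHEN:
            # Body obfuscation is an XOR pad, so it does not change the length.
            lengths[session] = body_len - CONTINUE_FIXED
    return lengths

def diagnose(password, wire_len):
    """Compare the bytes seen on the wire with what the typed password needs."""
    expected = {enc: len(password.encode(enc)) for enc in ("utf-8", "latin-1")}
    matches = [enc for enc, n in expected.items() if n == wire_len]
    if matches:
        return "intact (" + "/".join(matches) + ")"
    if wire_len == len(password.encode("ascii", "ignore")):
        return "non-ASCII characters dropped before the server"
    return "length mismatch"

if __name__ == "__main__":
    seen = continue_msg_lengths(TRACE)
    for session, typed in ((1928940964, "hallå"), (602545701, "hello")):
        print(session, typed, seen[session], diagnose(typed, seen[session]))
```

A 4-byte user_msg for "hallå" agrees with the submitted value "hall" in the PasswordLogFileName entry.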



