Hello Patricia -
On Thu, 08 Jun 2000, Patricia Jung wrote:
> Hi,
>
> I really hope you don't mind a maybe stupid question but it really eats
> up my days... The question is: why hasn't my testuser the slightest chance
> of authentication?
>
> I'm playing a bit with a MySQL database that later will include the users
> database, but currently only has one valid testuser, trish:
>
> $ mysql -u radiususer -p
> [...]
> mysql> use radius;
> mysql> select * from SUBSCRIBERS where USERNAME='trish';
> +----------+---------------+-------------------+
> | USERNAME | PASSWORD | HOMEDIR |
> +----------+---------------+-------------------+
> | trish | 71e5e1e45222b | /local/home/trish |
> [...]
>
> My radius.cfg looks like this:
> ----
> Foreground
> LogStdout
> LogDir /local/home/trish/Radiator-config
> DbDir /local/home/trish/Radiator-config
>
> FingerProg /usr/bin/finger
> Trace 5
>
> include %D/clients.cfg
> <Realm DEFAULT>
> <AuthBy SQL>
>
> DBSource dbi:mysql:radius
> DBUsername radiususer
> DBAuth blafasel
>
> FailureBackoffTime 300
>
> AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
>
> #AuthColumnDef 1, User-Password, check
> AuthColumnDef 1, Encrypted-Password, check
>
> </AuthBy>
> </Realm>
>
> ----
>
> When running radpwtst -user trish -password xyz (no matter whether xyz equals
> the correct password or not), the debug output looks like this:
>
> ----
> Wed Jun 7 19:08:15 2000: INFO: Server started: Radiator 2.16
> Wed Jun 7 19:08:20 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3981 ....
>
> Packet length = 77
> [...]
> Code: Access-Request
> Identifier: 125
> Authentic: 1234567890123456
> Attributes:
> User-Name = "trish"
> Service-Type = Framed-User
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> User-Password = "<155><231>><207><195>=<4><246><188>8<9><160><216>}x<153>"
>
> Wed Jun 7 19:08:20 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Jun 7 19:25:00 2000: DEBUG: Deleting session for trish, 203.63.154.1, 1234
> Wed Jun 7 19:25:00 2000: DEBUG: Handling with Radius::AuthSQL
> Wed Jun 7 19:25:00 2000: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='trish'
>
> Wed Jun 7 19:25:00 2000: DEBUG: Radius::AuthSQL looks for match with trish
>
> Wed Jun 7 19:25:00 2000: DEBUG: Radius::AuthSQL ACCEPT:
> Wed Jun 7 19:25:00 2000: DEBUG: Access accepted for trish
> Wed Jun 7 19:25:00 2000: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4018 ....
> Code: Access-Accept
> Identifier: 105
> Authentic: 1234567890123456
> Attributes:
>
> Wed Jun 7 19:25:00 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4018 ....
>
> Packet length = 67
> [...]
> Code: Accounting-Request
> Identifier: 106
> Authentic: <230><222>C{<146>pR<10><192><8><177><143>H<191><151><198>
> Attributes:
> User-Name = "trish"
> Service-Type = Framed-User
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
>
> Wed Jun 7 19:25:00 2000: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> Wed Jun 7 19:25:05 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4018 ....
>
> Packet length = 91
> [...]
> Code: Accounting-Request
> Identifier: 107
> Authentic: <254><167>o<234>)<143><198><179>X<231>?<138>y<194>0<202>
> Attributes:
> User-Name = "trish"
> Service-Type = Framed-User
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
> Wed Jun 7 19:25:05 2000: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
>
> ----

Curious. The trace shows that the Access-Request is being accepted, however the
accounting requests are being rejected due to bad authenticators. Have you got
a correct Client entry for localhost (127.0.0.1)? And AuthBy SQL will only
always accept a user if the password field is NULL. It appears from the
configuration file above that you are looking at the second field in the SQL
response rather than the first. You might try this:

Replace this:

> AuthColumnDef 1, Encrypted-Password, check

with this:

AuthColumnDef 0, Encrypted-Password, check

And you will need Encrypted-Password if the password field is indeed encrypted.

hth

Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.