Hi,

On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:

Hi,

My SQL connection is OK; for other reasons the connection between the SQL 
server and Radiator is not being used for 20 seconds, and the SQL server drops 
it.

On the other hand, I have stated before that the secret is not the problem; the 
config of the secret at radius:

let me summarize:

1. The password in a radius request from pam_radius shows up garbled
    in the trace 4 log of your radius server.

2. The password in a radius request from radpwtst on the same server
    as above gets through fine in the trace 4 log of your radius server.

That means you have no problem in your radiator config and there is
nothing to fix on the radius server.

You need to look into why pam_radius is incorrectly encrypting the
password.  This is most certainly a secret issue.  Search for the
problem on the pam_radius side.

As a next step you might want to use tcpdump to capture the radius requests
from pam_radius and from radpwtst and compare them in wireshark.

You can have wireshark decode udp/1940 traffic as radius and you can
specify your specific secret so wireshark can decode the password.

This will allow you to verify if pam_radius is doing what it is supposed to.

Greetings
Christian




<Client 10.0.124.53>
       Secret laboratorio
       Identifier BBDD_Labo
</Client>

The config at the server:

10.0.124.52:1940 laboratorio


They are the same, and the password is correctly configured at the database, 
because I can test it from the radpwtst utility and it is OK. The config of the 
authby SQL:

<AuthBy SQL>
       Identifier SERVERS
       DBSource dbi:mysql:auth_oss:127.0.0.1:3306
       DBUsername  root
       DBAuth root
       NoDefault
       NoDefaultIfFound
       Timeout 10
       FailureBackoffTime 20
       AuthSelect SELECT password FROM usuarios WHERE username='%{User-Name}'
       AuthColumnDef 0, Password, check
       AccountingTable
</AuthBy>




The radpwtst command is being sent from the server I'm also trying to connect to 
using pam_radius, and that is not the radius server.

Any ideas?

-----Original Message-----
From: Christian Kratzer [mailto:ck-li...@cksoft.de]
Sent: Wednesday, 30 March 2011 9:23
To: Francisco Rodrigo Cortinas Maseda
CC: radiator@open.com.au
Subject: Re: [RADIATOR] Problem with pam_radius

Hi,

On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:
<snipp/>
Tue Mar 22 09:19:00 2011: DEBUG: Handling request with Handler 
'NAS-Identifier="sshd"'
Tue Mar 22 09:19:00 2011: DEBUG:  Deleting session for frcm, 127.0.0.1, 26576
Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* 
uVf<204><1>w<227>-<190>V..<15>
Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL
Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL: SERVERS
Tue Mar 22 09:19:00 2011: DEBUG: Query is: 'SELECT password FROM usuarios WHERE 
username='frcm'':
Tue Mar 22 09:19:00 2011: ERR: Execute failed for 'SELECT password FROM 
usuarios WHERE username='frcm'': Lost connection to MySQL server during query

you have a problem with the connection to your sql server.


Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL looks for match with frcm 
[frcm]
Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* 
uVf<204><1>w<227>-<190>V..<15>

this still looks a lot like a mismatched secret.

Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL REJECT: Bad Password: frcm 
[frcm]
Tue Mar 22 09:19:00 2011: DEBUG: AuthBy SQL result: REJECT, Bad Password
Tue Mar 22 09:19:00 2011: INFO: Access rejected for frcm: Bad Password
Tue Mar 22 09:19:00 2011: DEBUG: Packet dump:
*** Sending to 10.0.124.53 port 27601 ....
Code:       Access-Reject
Identifier: 108
Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
Attributes:
       Called-Station-Id = "<198>* uVf<204><1>w<227>-<190>V..<15>"
       Reply-Message = "Bad Password"

If I use the radpwtst utility on the server where I am trying to authenticate 
from using pam_radius, the password is correctly decoded and is shown 
correctly on the trace4.

your secret is ok for the Client from 127.0.0.1 but mismatched for the Client 
clause that the server with pam_radius is using.

Greetings
Christian

--
Christian Kratzer                      CK Software GmbH
Email:   c...@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
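
The garbled "Decoded password" in the trace is what RFC 2865 User-Password hiding yields when client and server hash different secrets. The following is an added example, not part of the original thread: it reproduces the effect and checks which candidate secret decodes a captured attribute cleanly. The password, the authenticator and the trailing-space variant of the secret are constructed sample values; only `laboratorio` appears in the quoted config.

```python
import hashlib

# Constructed sample values (not from the thread); only "laboratorio" is quoted there.
SAMPLE_PASSWORD = b"Constructed-Passw0rd-1"   # 22 bytes, spans two 16-byte blocks
SAMPLE_AUTH = bytes(range(16))                # stand-in Request Authenticator

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865, 5.2): pad with NULs, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the previous ciphertext block."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")

def looks_garbled(decoded: bytes) -> bool:
    """Heuristic: a typed password is printable ASCII; wrong-secret output is MD5 noise."""
    return any(b < 0x20 or b > 0x7E for b in decoded)

def matching_secrets(hidden, authenticator, candidates):
    """Return the candidate secrets under which a captured User-Password decodes cleanly."""
    return [s for s in candidates
            if not looks_garbled(recover_password(hidden, s, authenticator))]

if __name__ == "__main__":
    # Constructed scenario: the client-side file carries a stray trailing space.
    wire = hide_password(SAMPLE_PASSWORD, b"laboratorio ", SAMPLE_AUTH)
    print(recover_password(wire, b"laboratorio", SAMPLE_AUTH))   # noise, as in the trace
    print(matching_secrets(wire, SAMPLE_AUTH, [b"laboratorio", b"laboratorio "]))
```

With a real capture, the 16-byte Request Authenticator and the User-Password attribute value from the pam_radius packet take the place of the sample values.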
