We're trying to convert an existing Radiator setup from dbm to mySQL. The
platform is FreeBSD 3.3R and mySQL 3.22. Before I describe the problem,
here's the background details:

Here's the radius.cfg file:
AuthPort 1812
AcctPort 1813
DictionaryFile /usr/local/etc/dictionary
PidFile /var/run/radiusd.pid

<Log SQL>
DBSource dbi:mysql:radius
DBUsername xxxx
DBAuth xxxx
Table RADLOG
Trace 4
</Log>

<ClientListSQL>
DBSource dbi:mysql:radius
DBUsername xxxx
DBAuth xxxx
</ClientListSQL>

<SessionDatabase SQL>
DBSource dbi:mysql:radius
DBUsername xxxx
DBAuth xxxx
</SessionDatabase>

<Realm DEFAULT>
AuthByPolicy ContinueWhileAccept
    <AuthBy SQL>
DBSource dbi:mysql:radius
DBUsername xxxx
DBAuth xxxx
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
    </AuthBy>
    <AuthBy FILE>
Filename /usr/local/etc/defuser
    </AuthBy>
</Realm>

Here's the defuserfile:
DEFAULT Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

Here's a typical users entry from the users file that was run through
buildsql:
testuser Password = "xxxx"
  Framed-IP-Address = 255.255.255.254,
  Framed-IP-Netmask = 255.255.255.255,
  Idle-Timeout = 1200

Here's the appropriate lines from RADLOG (select * from RADLOG;):
|  942621812 |        4 | Handling with Radius::AuthSQL |
|  942621812 |        4 | Query is: select PASSWORD from SUBSCRIBERS where USERNAME='testuser' |
|  942621812 |        4 | Radius::AuthSQL looks for match with testuser |
|  942621812 |        4 | Radius::AuthSQL ACCEPT: |
|  942621812 |        4 | Handling with Radius::AuthFILE |
|  942621812 |        4 | Radius::AuthFILE looks for match with testuser |
|  942621812 |        4 | Radius::AuthFILE looks for match with DEFAULT |
|  942621812 |        4 | Radius::AuthFILE ACCEPT: |
|  942621812 |        4 | Access accepted for testuser |
|  942621812 |        4 | Packet dump:
*** Sending to 209.83.134.1 port 1645 ....
Code:       Access-Accept
Identifier: 150
Authentic:  <15><159><131>K<242>{<143><25><230><201>Wf8Yj<248>
Attributes:
Framed-Protocol = PPP
Fra |
+------------+----------+---------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------+
xx rows in set (0.01 sec)

Ok, now for the problem description. I turn on debugging on the router for
aaa. The user calls in and the router tries first to check the local
usertable in the router. This fails as it should. Then it checks
authorization via radius. The radius server generates the above "accept"
message. The router debug shows the user PASSes authentication. A split
second later the router says authorization failed, even though its
previous message was accepted. The user does not connect.

Bear in mind I'm using the exact same dictionary that was working with
authby DBM. I suspect one of two problems. Notice the Attributes: item in the
above RADLOG looks strange - there's a bunch of leading spaces (it wraps
around) then says Framed-Protocol=PPP and wraps around more and then says
Fra  which is part of the next reply attribute. If this is what is being
sent back, there's the problem. What on earth could be causing this? The
second possibility is that Radiator isn't correctly getting the REPLYATTR's
from SQL and correctly combining them with the "global" ones from userdef
and sending back one complete merged set of REPLY attr's.

In case it matters, I'm not using quite the same users.dbm file I was
before. My attributes on average were longer than the 255 characters mySQL
allows for a character field. So I had to remove common items from the users
file and put them in the authbyfile defuser and just keep the user-unique
items in the SQL database for replyattr's.

I'm desperate to get this working! Any ideas???????

Jay West


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
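
One way to check what an Access-Accept actually carries on the wire, instead of relying on the RADLOG output shown above, is to decode a captured packet and compare it with the reply attributes expected from the SQL row plus the DEFAULT entry. This is an added example, not part of the original post or of Radiator; the function names and the sample packet are constructed for illustration, and the attribute numbers are those of RFC 2865.

```python
import socket
import struct

# Attribute numbers and value types from RFC 2865 (only those used in this post).
ATTRS = {
    6: ("Service-Type", "int"), 7: ("Framed-Protocol", "int"),
    8: ("Framed-IP-Address", "ip"), 9: ("Framed-IP-Netmask", "ip"),
    10: ("Framed-Routing", "int"), 12: ("Framed-MTU", "int"),
    13: ("Framed-Compression", "int"), 28: ("Idle-Timeout", "int"),
}

def decode_radius(packet: bytes):
    """Return (code, identifier, {attribute name: value}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = {}, 20  # bytes 4..19 hold the authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        raw = packet[pos + 2:pos + alen]
        name, kind = ATTRS.get(atype, (f"Attr-{atype}", "raw"))
        if kind == "int" and len(raw) == 4:
            attrs[name] = struct.unpack("!I", raw)[0]
        elif kind == "ip" and len(raw) == 4:
            attrs[name] = socket.inet_ntoa(raw)
        else:
            attrs[name] = raw  # unknown type or odd length: keep the raw bytes
        pos += alen
    return code, ident, attrs

def missing_reply_attrs(packet: bytes, expected):
    """Names in `expected` that the decoded packet does not carry."""
    return sorted(set(expected) - set(decode_radius(packet)[2]))

def build(code, ident, attrs):
    """Construct a sample packet (zeroed authenticator) for the demo below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: Access-Accept (code 2) carrying only the defuser attributes.
SAMPLE = build(2, 150, [(7, struct.pack("!I", 1)), (10, struct.pack("!I", 0)),
                        (12, struct.pack("!I", 1500)), (13, struct.pack("!I", 1))])
# Reply attributes expected once the SQL row and the DEFAULT entry are merged.
EXPECTED = ["Framed-Protocol", "Framed-Routing", "Framed-MTU", "Framed-Compression",
            "Framed-IP-Address", "Framed-IP-Netmask", "Idle-Timeout"]
print(decode_radius(SAMPLE)[2], missing_reply_attrs(SAMPLE, EXPECTED))
```

Fed the bytes of a real Access-Accept taken from a packet capture, missing_reply_attrs lists any expected attribute the server did not send.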
