Hello Nacho,
Thanks for the detailed description of this problem.
Basically the problem is this.
The default configuration for LDAP2 is to reject empty passwords, as protection
against a problem in the Perl LDAP module. This is causing CHAP access requests
to be incorrectly rejected.
The fix is to download a new version of AuthLDAP2.pm from the 2.16.3 patches
area.
We apologise for this problem. Thank you for reporting it to us.
Cheers.
> >Date: Mon, 30 Oct 2000 11:18:22 +0000
> >From: Nacho Paredes <[EMAIL PROTECTED]>
> >Organization: EICSA
> >X-Accept-Language: en
> >To: [EMAIL PROTECTED]
> >Subject: (RADIATOR) Authentication problem
> >Sender: [EMAIL PROTECTED]
> >
> >This is really annoying me.
> >
> >I've already posted this, but I'm going to put it in a more
> >comprehensive way.
> >
> >We are using Radiator 2.16.3 + OpenLDAP + MySQL
> >We use LDAP for authentication and MySQL for IP allocation.
> >
> >This configuration works fine with radpwtst: the authentication is ok
> >and the IP allocation works fine. But when we try a dial-in access we
> >get the request rejected for an empty password. If we set up our ppp
> >client with the refuse-chap option, Radiator gets a User-Password
> >attribute (instead of CHAP-Password) and everything is ok.
> >
> >I include the config file and the log file with two accesses. The first
> >failed and the second succeeded.
> >
> >Thanks for your help
> >
> >***************** Configuration File ***************************
> >Foreground
> >LogStdout
> >LogDir .
> >DbDir /opt/servicios/RadSQL
> ># Use a lower trace level in production systems:
> >Trace 4
> >
> >BindAddress yyy.yyy.yyy.98
> >
> ># Radius proxy
> ><Client zzz.zzz.zzz.52>
> > Secret xxxxxx
> ></Client>
> >
> ># Radius proxy
> ><Client zzz.zzz.zzz.48>
> > Secret xxxxxx
> ></Client>
> >
> ># You will probably want to change this to suit your site.
> ><Client yyy.yyy.yyy.98>
> > Secret xxxxxx
> > DupInterval 0
> ></Client>
> >
> ><AddressAllocator SQL>
> > Identifier myallocator
> >
> > DBSource dbi:mysql:radius:172.16.20.150
> > DBUsername xxxxxxx
> > DBAuth xxxxxxx
> >
> > <AddressPool pool1>
> > Subnetmask 255.255.255.240
> > Range xxx.xxx.xxx.98 xxx.xxx.xxx.126
> > </AddressPool>
> ></AddressAllocator>
> >
> ><Realm pruebasql>
> > AuthByPolicy ContinueWhileAccept
> > RewriteUsername s/^([^@]+).*/$1/
> > <AuthBy LDAP2>
> > Host 172.16.20.150
> > Port 389
> > AuthDN cn=xxxxx,car=xxxxx
> > AuthPassword xxxxxx
> > BaseDN rlm=pruebasql,car=xxxxxx
> > UsernameAttr uid
> > PasswordAttr userpassword
> > ReplyAttr replyitems
> > Debug 255
> > </AuthBy>
> > <AuthBy DYNADDRESS>
> > Allocator myallocator
> >
> > PoolHint %{Reply:PoolHint}
> >
> > MapAttribute yiaddr, Framed-IP-Address
> > MapAttribute subnetmask, Framed-IP-Netmask
> >
> > StripFromReply PoolHint
> > </AuthBy>
> >
> > MaxSessions 10
> > AcctLogFileName %L/detail-pruebasql
> ></Realm>
> >****************************************************************
> >
> >******************** Log File ****************************
> >Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
> >*** Received from aaa.aa.216.52 port 34071 ....
> >Code: Access-Request -----------------------> FAILED ACCESS
> >Identifier: 5
> >Authentic: <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
> >Attributes:
> > User-Name = "user2@pruebasql"
> > CHAP-Password = "<3> <18>2-<133>P<15>Z<232><232>P<237><11>$ <191>"
> > NAS-Port = 528
> > Acct-Session-Id = "34538485"
> > USR-Interface-Index = 1784
> > Tunnel-Supports-Tags = 0
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Chassis-Call-Slot = 3
> > Chassis-Call-Span = 1
> > Chassis-Call-Channel = 16
> > Connect-Speed = 300_BPS
> > Calling-Station-Id = "98519xxxx"
> > Called-Station-Id = "90166xxxx"
> > NAS-Port-Type = Async
> >
> >Mon Oct 30 10:25:45 2000: DEBUG: Handling request with Handler
> >'Realm=pruebasql'
> >Mon Oct 30 10:25:45 2000: DEBUG: Rewrote user name to user2
> >Mon Oct 30 10:25:45 2000: DEBUG: Deleting session for user2@pruebasql,
> >aaa.aa.216.52, 528
> >Mon Oct 30 10:25:45 2000: DEBUG: Handling with Radius::AuthLDAP2
> >Mon Oct 30 10:25:45 2000: DEBUG: Radius::AuthLDAP2 rejected user2
> >because of an empty password
> >Mon Oct 30 10:25:45 2000: INFO: Access rejected for user2: Empty
> >password
> >Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
> >*** Sending to aaa.aa.216.52 port 34071 ....
> >Code: Access-Reject
> >Identifier: 5
> >Authentic: <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
> >Attributes:
> > Port-Message = "Request Denied"
> >
> >Mon Oct 30 10:27:43 2000: DEBUG: Packet dump:
> >*** Received from aaa.aa.216.52 port 34071 ....
> >Code: Access-Request ----------------------------->SUCCESSFUL
> >ACCESS
> >Identifier: 9
> >Authentic: <3>-<179>d<31><254><231>s<6><211><134>6<247><236>H<29>
> >Attributes:
> > User-Name = "user2@pruebasql"
> > User-Password = "<208><233><128>#$[<18><22>#<176>EF$<157><254><202>"
> > NAS-Port = 534
> > Acct-Session-Id = "34931520"
> > USR-Interface-Index = 1790
> > Tunnel-Supports-Tags = 0
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Chassis-Call-Slot = 3
> > Chassis-Call-Span = 1
> > Chassis-Call-Channel = 22
> > Connect-Speed = 300_BPS
> > Calling-Station-Id = "98519xxxx"
> > Called-Station-Id = "90166xxxx"
> > NAS-Port-Type = Async
> >
> >Mon Oct 30 10:27:43 2000: DEBUG: Handling request with Handler
> >'Realm=pruebasql'
> >Mon Oct 30 10:27:43 2000: DEBUG: Rewrote user name to user2
> >Mon Oct 30 10:27:43 2000: DEBUG: Deleting session for user2@pruebasql,
> >aaa.aa.216.52, 534
> >Mon Oct 30 10:27:43 2000: DEBUG: Handling with Radius::AuthLDAP2
> >Mon Oct 30 10:27:43 2000: DEBUG: Connecting to bbb.bb.20.150, port 389
> >Mon Oct 30 10:27:46 2000: DEBUG: LDAP got result for uid=user2,
> >rlm=pruebasql, car=carrier
> >Mon Oct 30 10:27:46 2000: DEBUG: LDAP got userpassword: user2
> >Mon Oct 30 10:27:46 2000: DEBUG: LDAP got replyitems: PoolHint=pool1
> >Mon Oct 30 10:27:46 2000: DEBUG: Radius::AuthLDAP2 looks for match with
> >user2
> >Mon Oct 30 10:27:46 2000: DEBUG: Radius::AuthLDAP2 ACCEPT:
> >Mon Oct 30 10:27:46 2000: DEBUG: Handling with Radius::AuthDYNADDRESS
> >Mon Oct 30 10:27:46 2000: DEBUG: Query is: select YIADDR, SUBNETMASK,
> >DNSSERVER from RADPOOL where
> >POOL='pool1' and STATE=0 order by TIME_STAMP
> >
> >Mon Oct 30 10:27:46 2000: DEBUG: do query is: update RADPOOL set
> >STATE=1, TIME_STAMP=972901666,
> >EXPIRY=972988066, USERNAME='user2' where YIADDR='zzz.zzz.19.113'
> >
> >Mon Oct 30 10:27:46 2000: DEBUG: Access accepted for user2
> >Mon Oct 30 10:27:46 2000: DEBUG: Packet dump:
> >*** Sending to aaa.aa.216.52 port 34071 ....
> >Code: Access-Accept
> >Identifier: 9
> >Authentic: <3>-<179>d<31><254><231>s<6><211><134>6<247><236>H<29>
> >Attributes:
> > Framed-IP-Netmask = 255.255.255.240
> > Framed-IP-Address = zzz.zzz.19.113
> >
> >Mon Oct 30 10:27:46 2000: DEBUG: Packet dump:
> >*** Received from aaa.aa.216.52 port 34071 ....
> >Code: Accounting-Request
> >Identifier: 10
> >Authentic: =+}<190><174><145><227><230><27><175>59<28><171><187><234>
> >Attributes:
> > User-Name = "user2@pruebasql"
> > Acct-Status-Type = Start
> > Acct-Session-Id = "34931520"
> > Acct-Delay-Time = 0
> > Acct-Authentic = RADIUS
> > Service-Type = Framed-User
> > NAS-Port-Type = Async
> > NAS-Port = 534
> > USR-Modem-Training-Time = 12
> > USR-Interface-Index = 1790
> > Chassis-Call-Slot = 3
> > Chassis-Call-Span = 1
> > Chassis-Call-Channel = 22
> > Unauthenticated-Time = 4
> > Calling-Station-Id = "98519xxxx"
> > Called-Station-Id = "90166xxxx"
> > Modulation-Type = v34
> > Simplified-MNP-Levels = ccittV42
> > Simplified-V42bis-Usage = ccittV42bis
> > Connect-Speed = 33600_BPS
> > Framed-Protocol = PPP
> > Framed-IP-Address = zzz.zzz.19.113
> > VTS-Session-Key =
> >"<222>q<160><217><135><0><141><234><183>H<139>Z<133><223><160><27>"
> > Call-Arrived-time = 152443549
> > Timestamp = 972897965
> >
> >Mon Oct 30 10:27:46 2000: DEBUG: Handling request with Handler
> >'Realm=pruebasql'
> >Mon Oct 30 10:27:46 2000: DEBUG: Rewrote user name to user2
> >Mon Oct 30 10:27:46 2000: DEBUG: Adding session for user2@pruebasql,
> >aaa.aa.216.52, 534
> >Mon Oct 30 10:27:46 2000: DEBUG: Handling with Radius::AuthLDAP2
> >Mon Oct 30 10:27:46 2000: DEBUG: Handling with Radius::AuthDYNADDRESS
> >Mon Oct 30 10:27:46 2000: DEBUG: Accounting accepted
> >Mon Oct 30 10:27:46 2000: DEBUG: Packet dump:
> >*** Sending to aaa.aa.216.52 port 34071 ....
> >Code: Accounting-Response
> >Identifier: 10
> >Authentic: =+}<190><174><145><227><230><27><175>59<28><171><187><234>
> >Attributes:
> >
> >Mon Oct 30 10:32:23 2000: DEBUG: Packet dump:
> >*** Received from aaa.aa.216.52 port 34071 ....
> >Code: Accounting-Request
> >Identifier: 11
> >Authentic: *<226><134>y<173><29>L(?vH<183><203><246><226><252>
> >Attributes:
> > User-Name = "user2@pruebasql"
> > Acct-Status-Type = Stop
> > Acct-Session-Id = "34931520"
> > Acct-Delay-Time = 0
> > Acct-Authentic = RADIUS
> > Service-Type = Framed-User
> > NAS-Port-Type = Async
> > NAS-Port = 534
> > USR-Modem-Training-Time = 12
> > USR-Interface-Index = 1790
> > Chassis-Call-Slot = 3
> > Chassis-Call-Span = 1
> > Chassis-Call-Channel = 22
> > Unauthenticated-Time = 4
> > Calling-Station-Id = "98519xxxx"
> > Called-Station-Id = "90166xxxx"
> > Modulation-Type = v34
> > Simplified-MNP-Levels = ccittV42
> > Simplified-V42bis-Usage = ccittV42bis
> > Connect-Speed = 33600_BPS
> > Framed-Protocol = PPP
> > Framed-IP-Address = zzz.zzz.19.113
> > VTS-Session-Key =
> >"<222>q<160><217><135><0><141><234><183>H<139>Z<133><223><160><27>"
> > Call-Arrived-time = 152443549
> > Call-Lost-time = 152443841
> > Acct-Session-Time = 280
> > Acct-Terminate-Cause = ACCT_TERM_USER_REQUEST
> > Disconnect-Reason = drv_user_req_drop
> > Acct-Input-Octets = 34336
> > Acct-Output-Octets = 55214
> > Acct-Input-Packets = 705
> > Acct-Output-Packets = 538
> > Timestamp = 972898241
> >
> >Mon Oct 30 10:32:23 2000: DEBUG: Handling request with Handler
> >'Realm=pruebasql'
> >Mon Oct 30 10:32:23 2000: DEBUG: Rewrote user name to user2
> >Mon Oct 30 10:32:23 2000: DEBUG: Deleting session for user2@pruebasql,
> >aaa.aa.216.52, 534
> >Mon Oct 30 10:32:23 2000: DEBUG: Handling with Radius::AuthLDAP2
> >Mon Oct 30 10:32:23 2000: DEBUG: Handling with Radius::AuthDYNADDRESS
> >Mon Oct 30 10:32:23 2000: DEBUG: do query is: update RADPOOL set
> >STATE=0, TIME_STAMP=972901943
> >where YIADDR='zzz.zzz.19.113'
> >
> >Mon Oct 30 10:32:23 2000: DEBUG: Accounting accepted
> >Mon Oct 30 10:32:23 2000: DEBUG: Packet dump:
> >*** Sending to aaa.aa.216.52 port 34071 ....
> >Code: Accounting-Response
> >Identifier: 11
> >Authentic: *<226><134>y<173><29>L(?vH<183><203><246><226><252>
> >Attributes:
> >
> >
> >****************************************************************
> >
> >
> >--
> >--------------------------------------------------------------------
> >Ignacio Paredes | email: [EMAIL PROTECTED]
> >Eurocomercial | Tfno: +34 91 4359687
> >Informatica y Comunicaciones | Fax: +34 91 4313240
> >--------------------------------------------------------------------
> >
> >===
> >Archive at http://www.starport.net/~radiator/
> >Announcements on [EMAIL PROTECTED]
> >To unsubscribe, email '[EMAIL PROTECTED]' with
> >'unsubscribe radiator' in the body of the message.
>
> --
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>
>-- End of excerpt from Hugh Irvine
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
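The behaviour Mike describes above (an empty-password guard that fires before the CHAP attribute is examined) next to the corrected decision logic, as an added illustration that is not Radiator's code or part of this thread. It assumes the plaintext password read from LDAP is available as bytes, that a PAP User-Password has already been decrypted, and that the CHAP challenge is the CHAP-Challenge attribute when present and otherwise the Request Authenticator (RFC 2865, section 5.3); every sample value is constructed.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994 / RFC 2865 section 5.3: MD5(Identifier || password || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, password: bytes) -> bool:
    # CHAP-Password is a 1-byte identifier followed by the 16-byte response.
    if len(chap_password) != 17 or len(challenge) < 16:
        return False
    expected = chap_response(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def decide_v2163(attrs: dict, password: bytes, authenticator: bytes) -> str:
    """Behaviour described in the thread: the empty-password guard runs before
    CHAP-Password is considered, so every CHAP request is rejected."""
    if not attrs.get("User-Password"):
        return "Reject: Empty password"
    return "Accept" if hmac.compare_digest(attrs["User-Password"], password) else "Reject"


def decide_fixed(attrs: dict, password: bytes, authenticator: bytes) -> str:
    """Apply the guard only on the PAP path; a CHAP request carries no
    User-Password, so an 'empty' one says nothing about the client."""
    chap = attrs.get("CHAP-Password")
    if chap is not None:
        challenge = attrs.get("CHAP-Challenge", authenticator)
        return "Accept" if verify_chap(chap, challenge, password) else "Reject"
    user_pw = attrs.get("User-Password")
    if not user_pw:  # guard against the Perl LDAP module problem stays here
        return "Reject: Empty password"
    return "Accept" if hmac.compare_digest(user_pw, password) else "Reject"


# Constructed sample: user2's LDAP password, a fake Request Authenticator and
# the CHAP-Password a NAS would build from them with CHAP identifier 3.
PASSWORD = b"user2"
AUTHENTICATOR = bytes(range(16))
CHAP_REQUEST = {"User-Name": "user2@pruebasql",
                "CHAP-Password": bytes([3]) + chap_response(3, PASSWORD, AUTHENTICATOR)}
PAP_REQUEST = {"User-Name": "user2@pruebasql", "User-Password": b"user2"}

if __name__ == "__main__":
    print(decide_v2163(CHAP_REQUEST, PASSWORD, AUTHENTICATOR))  # Reject: Empty password
    print(decide_fixed(CHAP_REQUEST, PASSWORD, AUTHENTICATOR))  # Accept
```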