Just don't specify any PasswordAttr, that will give you a warning at startup, but then 
it works just fine by checking only according to your SearchFilter.

/Ingvar

>  -----Original Message-----
> From:         Matthew Trout [mailto:[EMAIL PROTECTED]] 
> Sent: den 16 januari 2003 13:05
> To:   '[EMAIL PROTECTED]'
> Subject:      (RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19
> 
> I'm currently having some nasty problems going from Radiator 2.19 to 3.5; most things work, but I have a configuration hack that we need that's suddenly stopped working.
> 
> Our FRIACO dialup products are locked to a single CLI, so no username and password should be needed. Wherein lies the problem - ensuring they have the correct CLI (which means AcceptIfMissing isn't suitable, so far as I can see) but getting auth to succeed with no password. Previously, I used a PostSearchHook in the AuthBy clause to set the EAP_MESSAGE attribute, which then meant Radiator assumed the password had already been authenticated. However, this doesn't seem to work under 3.5 and I've spent an entire day trawling through the source trying to figure it out without success. Following are my config files, and an extract from the logfile for both versions.
> 
> --- Configuration 
>         AuthByPolicy ContinueUntilAccept 
> 
>         <AuthBy LDAP2> 
>                 ***** elided; simple user search for roaming FRIACO users (internal only, no customers) *****
>         </AuthBy> 
> 
>         <AuthBy LDAP2> 
>                 NoDefault 
>                 HoldServerConnection 
>                 Host            ********** 
>                 AuthDN          ********** 
>                 AuthPassword    ********** 
>                 BaseDN          ou=customers, ou=people, dc=bsve.net, o=internet 
>                 PasswordAttr    friacopassword 
>                 AuthAttrDef     FRIACO-todr, Time, check 
>                 SearchFilter    (&(objectclass=friacouser)(csid=0%{Calling-Station-Id})(!(suspended=yes)))
>                 PostSearchHook sub { $_[2]->addAttrByNum($Radius::Radius::EAP_MESSAGE,1); }
>                 AddToReply Service-Type = Framed-User, \ 
>                         Framed-Protocol = PPP, \ 
>                         Framed-IP-Address = 255.255.255.254, \ 
>                         Framed-IP-Netmask = 255.255.255.255, \ 
>                         Framed-Routing = None, \ 
>                         Framed-Compression = Van-Jacobsen-TCP-IP, \ 
>                         Framed-MTU = 1500, \ 
>                         Session-Timeout = 7200 
>         </AuthBy> 
> 
> --- Logfile excerpts (trace 5, command radpwtst -s localhost -user blah -password blah -calling_station_id 1524848611)
> 
> With 2.19, I get - 
> 
> Code:       Access-Request 
> Identifier: 51 
> Authentic:  1234567890123456 
> Attributes: 
>         User-Name = "blah" 
>         Service-Type = Framed-User 
>         NAS-IP-Address = 203.63.154.1 
>         NAS-Port = 1234 
>         Called-Station-Id = "123456789" 
>         Calling-Station-Id = "1524848611" 
>         NAS-Port-Type = Async 
>         User-Password = "<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>" 
> 
> Wed Jan 15 12:30:51 2003: DEBUG: Check if Handler Client-Identifier = BT-FRIACO-Radius should be used to handle this request
> Wed Jan 15 12:30:51 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
> Wed Jan 15 12:30:51 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthGROUP 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with ********* 
> Wed Jan 15 12:30:51 2003: DEBUG: No entries for blah found in LDAP database 
> Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with ********* 
> Wed Jan 15 12:30:51 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet
> Wed Jan 15 12:30:51 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
> Wed Jan 15 12:30:51 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
> Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 12:30:51 2003: DEBUG: Handling with EAP 
> Wed Jan 15 12:30:51 2003: DEBUG: EAP code 49, , 
> Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 ACCEPT: 
> Wed Jan 15 12:30:51 2003: DEBUG: Access accepted for blah 
> Wed Jan 15 12:30:51 2003: DEBUG: Packet dump: 
> 
> With 3.5, I get - 
> 
> Code:       Access-Request 
> Identifier: 31 
> Authentic:  1234567890123456 
> Attributes: 
>         User-Name = "blah" 
>         Service-Type = Framed-User 
>         NAS-IP-Address = 203.63.154.1 
>         NAS-Port = 1234 
>         Called-Station-Id = "123456789" 
>         Calling-Station-Id = "1524848611" 
>         NAS-Port-Type = Async 
>         User-Password = "<155><231>><197><175>\<4><246><188>8<9><160><216>}x<153>" 
> 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
> Wed Jan 15 09:40:31 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234
> Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthGROUP 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 09:40:31 2003: DEBUG: No entries for blah found in LDAP database 
> Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2: 
> Wed Jan 15 09:40:31 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet
> Wed Jan 15 09:40:31 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
> Wed Jan 15 09:40:31 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
> Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah 
> Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password 
> Wed Jan 15 09:40:31 2003: INFO: Access rejected for blah: Bad Encrypted password 
> Wed Jan 15 09:40:31 2003: DEBUG: Packet dump: 
> 
> - Matt S Trout 
> Internet Systems Developer 
> Business Serve plc 
> E-mail : [EMAIL PROTECTED] 
> Tel    : 0870 759 2041 
> 
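
An audit sketch added to this archive page (not written by either poster and not Radiator code): it scans trace-level log text in the format quoted above and lists requests that were accepted even though AuthLDAP2 logged that no password attribute was found, which is how the CLI-only accounts in this thread show up. The function names and the condensed sample logs are constructed for the example.

```python
import re

# Constructed samples: condensed from the 2.19 and 3.5 trace excerpts quoted above.
LOG_2_19 = """\
Wed Jan 15 12:30:51 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 12:30:51 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
Wed Jan 15 12:30:51 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
Wed Jan 15 12:30:51 2003: DEBUG: Handling with EAP
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jan 15 12:30:51 2003: DEBUG: Access accepted for blah
"""
LOG_3_5 = """\
Wed Jan 15 09:40:31 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 09:40:31 2003: DEBUG: LDAP got FRIACO-todr: Al0000-2400
Wed Jan 15 09:40:31 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
Wed Jan 15 09:40:31 2003: INFO: Access rejected for blah: Bad Encrypted password
"""

# "<ctime timestamp>: <LEVEL>: <message>", as in the excerpts.
LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}: ([A-Z]+): (.*)$")
RESULT = re.compile(r"Access (accepted|rejected) for ([^:\s]+)")

def audit(log_text):
    """Return one record per request seen in a trace log."""
    requests, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # attribute dumps and wrapped continuation lines
        msg = m.group(2)
        if msg.startswith("Handling request with Handler"):
            cur = {"user": None, "result": None,
                   "no_password_attr": False, "eap_path": False}
            requests.append(cur)
        elif cur is None:
            continue  # line belongs to a request that began before the excerpt
        elif "no password attribute found" in msg:
            cur["no_password_attr"] = True
        elif msg.startswith("Handling with EAP"):
            cur["eap_path"] = True
        elif (r := RESULT.search(msg)):
            cur["result"], cur["user"] = r.group(1), r.group(2)
    return requests

def passwordless_accepts(log_text):
    """Accepts granted although no password attribute was available to check."""
    return [r for r in audit(log_text)
            if r["result"] == "accepted" and r["no_password_attr"]]
```
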
===
Archive at http://www.open.com.au/archives/radiator/