Hello Manish, Hello Heikki -

I have seen these before - they are probes from the device with usernames of this form.

There is nothing wrong with your configuration - but you might want to turn off these probes on the device.

regards

Hugh

On 17 Apr 2012, at 17:18, Heikki Vatiainen wrote:

> On 04/17/2012 09:47 AM, Arya, Manish Kumar wrote:
>
>> We have configured ALU devices to authenticate against radiator
>> server. I have added vendor dictionary to config and created client list.
>> but I see mangled username in radius logs. not sure why this is
>> happening. here is snapshot of my config
>
> Please reply with your full configuration (no secrets or passwords
> needed) and full log from Radiator including any startup messages. Also
> include the vendor dictionary.
>
> If the dictionary has been added correctly, then the NAS (ALU device?)
> is doing something odd.
>
> Heikki
>
>
>> # ALU MSP Auth
>> <AuthBy LDAP2>
>>     NoDefault
>>     Identifier alu_msp_user_auth
>>     Host 10.5.1.29
>>     Port 2389
>>     Timeout 60
>>     AuthDN uid=radius,ou=appusers,dc=xxxx,dc=net
>>     AuthPassword xxxxx
>>     BaseDN o=colt,ou=customers,dc=xxxx,dc=net
>>     Scope subtree
>>     SearchFilter (&(colt-access-device-type=alumsp)(uid=%1))
>>     UsernameAttr uid
>>     PasswordAttr userPassword
>>     ServerChecksPassword
>>     AuthAttrDef userPassword,User-Password,check
>>     AuthAttrDef radius-Callback-Id,Callback-Id,reply
>>     AuthAttrDef radius-sam-sec-grp-name,Sam-security-group-name,reply
>>     AuthAttrDef radius-Timetra-Access,Timetra-Access,reply
>>     AuthAttrDef radius-Timetra-Home-Directory,Timetra-Home-Directory,reply
>>     AuthAttrDef radius-Timetra-Restrict-To-Home,Timetra-Restrict-To-Home,reply
>>     AuthAttrDef radius-Timetra-Profile,Timetra-Profile,reply
>>     AuthAttrDef radius-Timetra-Default-Action,Timetra-Default-Action,reply
>>     AuthAttrDef radius-Timetra-Cmd,Timetra-Cmd,reply
>>     AuthAttrDef radius-Timetra-Action,Timetra-Action,reply
>>     AuthAttrDef radius-Timetra-Exec-File,Timetra-Exec-File,reply
>>     AddToReplyIfNotExist Service-Type=Login-User
>> </AuthBy>
>>
>> # Handler for ALU MSP
>> <Handler Realm = alumsp.srv>
>>     AuthLog auth_log
>>     RewriteUsername s/^([^@]+).*/$1/
>>     AuthBy alu_msp_user_auth
>> </Handler>
>>
>> here is what I see in logs when a login request is originated for
>> [email protected]
>>
>> *** Received from 10.174.1.1 port 50118 ....
>> Code: Access-Request
>> Identifier: 242
>> Authentic: r<255>*<27>7<230>y1<23>Z<17>cxI9<170>
>> Attributes:
>> User-Name = "p1z1x2c7s9y9b0o8<240>"
>> User-Password =
>> "<219>w0[<153><175><235><216><192><151>G<26>`<224><16>|<180>W<136><203><174><179>LJ<151>d<251><20><159><5><222><9>"
>> NAS-IP-Address = 10.174.1.1
>>
>> Tue Apr 17 07:44:31 2012: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Tue Apr 17 07:44:31 2012: DEBUG: SESSDBSQL Deleting session for
>> P1Z1X2C7S9Y9B0O8ð, 10.174.1.1,
>> Tue Apr 17 07:44:31 2012: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='10.174.1.1' and NASPORT=0':
>> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: PreAuthHook called...
>> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Access code: Access-Request
>> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Proceeding...
>> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: Got User-Name:
>> p1z1x2c7s9y9b0o8ð and Realm: p1z1x2c7s9y9b0o8ð
>> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: Couldn't connect to LDAP
>> 127.0.0.1: IO::Socket::INET: connect: Connection refused
>> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: Trying LDAP 10.5.1.29...
>> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Attempting to bind to LDAP
>> server
>> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: ldapsearch with base
>> ou=customers,dc=xxx,dc=net
>> Tue Apr 17 07:44:31 2012: INFO: PreAuthHook: No service found with
>> realm/domain p1z1x2c7s9y9b0o8ð
>> Tue Apr 17 07:44:31 2012: DEBUG: PreAuthHook: Adding to Access-Request
>> -> Pre-Auth: 0
>> Tue Apr 17 07:44:31 2012: DEBUG: Handling with Radius::AuthLDAP2: user_auth
>> Tue Apr 17 07:44:31 2012: ERR: ldap search for (uid=p1z1x2c7s9y9b0o8ð)
>> failed with error LDAP_NO_SUCH_OBJECT.
>> Tue Apr 17 07:44:31 2012: DEBUG: Radius::AuthLDAP2 looks for match with
>> p1z1x2c7s9y9b0o8ð [P1Z1X2C7S9Y9B0O8ð]
>> Tue Apr 17 07:44:31 2012: DEBUG: Radius::AuthLDAP2 REJECT: No such user:
>> p1z1x2c7s9y9b0o8ð [P1Z1X2C7S9Y9B0O8ð]
>> Tue Apr 17 07:44:31 2012: DEBUG: AuthBy LDAP2 result: REJECT, No such user
>> Tue Apr 17 07:44:31 2012: INFO: Access rejected for p1z1x2c7s9y9b0o8ð:
>> No such user
>> Tue Apr 17 07:44:31 2012: DEBUG: Packet dump:
>> *** Sending to 10.174.1.1 port 50118 ....
>> Code: Access-Reject
>> Identifier: 242
>> Authentic: <28>X<161>IZ-<144>s1<214><145><147><230>N<223>+
>> Attributes:
>> Reply-Message = "No such user"
>>
>> Regards,
>> -Manish
>>
>>
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.

--

Hugh Irvine
[email protected]
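
Added example, not part of the original thread and not Radiator code: a Python script that scans packet dumps in the layout quoted above, decodes the `<NNN>` escapes, and counts per NAS the Access-Requests whose User-Name carries non-printable bytes, the probe pattern described in the reply. The sample dump is constructed (the second request and its user name are made up), and reading `<NNN>` as a decimal byte value is an assumption based on `<240>` showing up as `ð` in the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the packet-dump layout quoted in the thread.
SAMPLE = """*** Received from 10.174.1.1 port 50118 ....
Attributes:
        User-Name = "p1z1x2c7s9y9b0o8<240>"
        NAS-IP-Address = 10.174.1.1
*** Received from 10.174.1.1 port 50119 ....
Attributes:
        User-Name = "jsmith@alumsp.srv"
        NAS-IP-Address = 10.174.1.1
"""

ESCAPE = re.compile(r"<(\d{1,3})>")
USER = re.compile(r'^\s*User-Name = "(.*)"\s*$')
NAS = re.compile(r"^\s*NAS-IP-Address = (\S+)\s*$")

def decode(value):
    """Turn <NNN> escapes (assumed decimal byte values) back into raw bytes."""
    text = ESCAPE.sub(lambda m: chr(int(m.group(1))), value)
    return text.encode("latin-1", "replace")  # values above 255 become '?'

def classify(raw):
    """List the reasons a User-Name does not look like a real login."""
    reasons = []
    if any(b < 0x20 or b > 0x7E for b in raw):
        reasons.append("non-printable byte")
    if b"@" not in raw:
        # No realm part, so a Handler selected by Realm cannot match it.
        reasons.append("no realm")
    return reasons

def scan(dump):
    """Return (nas_ip, user_bytes, reasons) for every request in the dump."""
    results = []
    for block in dump.split("*** Received from ")[1:]:
        user = nas = None
        for line in block.splitlines():
            if m := USER.match(line):
                user = decode(m.group(1))
            elif m := NAS.match(line):
                nas = m.group(1)
        if user is not None:
            results.append((nas, user, classify(user)))
    return results

def probes_per_nas(dump):
    """Count suspected probes per NAS so the noisy device can be found."""
    return Counter(n for n, _, why in scan(dump) if "non-printable byte" in why)
```

Running `probes_per_nas` over a Trace 4 log gives the list of devices on which the probes would need to be turned off.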
