(RADIATOR) Realm authentication problems

1999-05-04 Thread Fernando Martin

Hi all,

I am running Radiator 2.13.1 with patches on NT 4.0 SP3. My NAS is a PM3.

I have defined a radius.cfg with two realms like this:

..
# Realm Interlinea2000
<Realm interlinea2000>
    PasswordLogFileName %L/%d-%m-%y-password.log

    <AuthBy FILE>
        FramedGroup 0
        Filename %D/users.ftf
    </AuthBy>

    AcctLogFileName %L/%d-%m-%y-detail.log
    AcctLogFileFormat %t %d %m %Y %n %a %{Acct-Status-Type} %{NAS-Port} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Connect-Rate} %{Connect-Info}
</Realm>

# Default Realm
<Realm DEFAULT>
    PasswordLogFileName %L/%d-%m-%y-password.log

    <AuthBy FILE>
        # Selects FramedGroupBaseAddress 0 (pool)
        FramedGroup 0
        Filename %D/users.ftf
    </AuthBy>

    AcctLogFileName %L/%d-%m-%y-detail.log
    AcctLogFileFormat %t %d %m %Y %n %a %{Acct-Status-Type} %{NAS-Port} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Connect-Rate} %{Connect-Info}
</Realm>
..

users.ftf has a user fer8:
fer8    User-Password = "fer8"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP


The problem is that I cannot access with username fer8@interlinea2000 and
password fer8. The system rejects me. But all seems to be ok!

With trace 4 we can see that:


Tue May  4 09:26:01 1999: DEBUG: Packet dump:
*** Received from 194.224.0.62 port 1028 
Code:   Access-Request
Identifier: 129
Authentic:
<187>D<208><172><10><183><22><170>;<186><178><156><241><240><13><224>
Attributes:
User-Name = "fer8@interlinea2000"
User-Password = "w<252><30>O<147> <189>Y'G<128><157><7>g<28>m"
NAS-IP-Address = 194.224.0.62
NAS-Port = 41
NAS-Port-Type = ISDN
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "943319101"
Calling-Station-Id = "943639698"

Tue May  4 09:26:01 1999: DEBUG: Handling request with Handler
'Realm=interlinea2000'
Tue May  4 09:26:01 1999: DEBUG: Handling with Radius::AuthFILE
Tue May  4 09:26:01 1999: DEBUG: Radius::AuthFILE looks for match with
fer8@interlinea2000
Tue May  4 09:26:01 1999: INFO: Access rejected for fer8@interlinea2000: No
such user
Tue May  4 09:26:01 1999: DEBUG: Packet dump:
*** Sending to 194.224.0.62 port 1028 
Code:   Access-Reject
Identifier: 129
Authentic:
<187>D<208><172><10><183><22><170>;<186><178><156><241><240><13><224>
Attributes:
Reply-Message = "Request Denied"


So, it says:

'Realm=interlinea2000'
 User-Name = "fer8@interlinea2000"
 INFO: Access rejected for fer8@interlinea2000: No such user

Why is the user fer8@interlinea2000, and not fer8? I think the system detects
the realm interlinea2000, so it must authenticate just user fer8. Is it right?
How can I solve that? Any idea?

Thanks for your help and time.

Best regards,

P.S.: Sorry for my questions, too many this week, but I want to finish my
Radiator configuration. We are very close :-)
Fernando Martin 
Interlinea2000
http://www.i2000.es
Voz:(943)-621033
Fax:(943)-627340


===
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Realm authentication problems

1999-05-04 Thread Felix Izquierdo

Mike McCauley wrote:
> the problem is that you are logging in with fer8@interlinea2000, but in the
> user database, your username is just fer8.
> 
> Therefore you must add a RewriteUsername so that it strips the realm off before
> authenticating:
> 

Mike, in relation with this issue, is it possible to strip the realm only
for authentication but not for accounting?

Thanks.

Félix

__
DATAGRAMA SERVICIOS INTERNET
C/ Acer 30    Tlf: +34 3 223 00 98
08038 BARCELONA ( Spain ) Fax: +34 3 223 12 66
mailto:[EMAIL PROTECTED] http://www.datagrama.net
__




RE: (RADIATOR) Realm authentication problems

1999-05-04 Thread Darwin A. Bawasanta

Hi,

I think you probably need to do a "RewriteUsername" to strip your
"@Interlinea2000" realm to get authenticated as "fer8" only.

I hope this helps.

Regards,
Darwin


> So, it says:
> 
> 'Realm=interlinea2000'
>  User-Name = "fer8@interlinea2000"
>  INFO: Access rejected for fer8@interlinea2000: No such user
> 
> Why is the user fer8@interlinea2000, and not fer8? I think the system detects
> the realm interlinea2000, so it must authenticate just user fer8. Is it
> right?
> How can I solve that? Any idea?
> 
> Thanks for your help and time.
> 
> Best regards,
> 
> P.S.: Sorry for my questions, too many this week, but I want to finish my
> radiator configuration. We are very close :-)
> Fernando Martin 
> Interlinea2000
> http://www.i2000.es
> Voz:(943)-621033
> Fax:(943)-627340
> 
---

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
darwin a. bawasanta  [EMAIL PROTECTED]  pgp-id: 0x367CADAC
network security admin.   SKYinternet incorporated philippines
tel:+63 32 4126282 loc 104   pager: ec# 963589   marsma|ow@IRC
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Expecting different output from the same input is lunacy."
 -- Albert Einstein






Re: (RADIATOR) Realm authentication problems

1999-05-04 Thread Mike McCauley

Hello Fernando,

the problem is that you are logging in with fer8@interlinea2000, but in the
user database, your username is just fer8.

Therefore you must add a RewriteUsername so that it strips the realm off before
authenticating:

<Realm interlinea2000>
    # This removes the realm from the user name before authenticating,
    # because the user database does not have the realm on the username
    RewriteUsername s/^([^@]+).*/$1/

    PasswordLogFileName %L/%d-%m-%y-password.log

    <AuthBy FILE>
        FramedGroup 0
        Filename %D/users.ftf
    </AuthBy>
</Realm>


Hope that helps.

Cheers.




-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody
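
The lookup failure in the trace and the effect of the realm-stripping rewrite, modelled in Python as an added example (not Radiator code and not part of the original post). The `USERS` table, the function names and the rule that the realm is the text after the first `@` are assumptions made for the illustration; the pattern is a Python transcription of the `RewriteUsername` expression in the message above.

```python
import hmac
import re

# Constructed stand-in for users.ftf: the thread's single entry, keyed by bare name.
USERS = {"fer8": "fer8"}

# Python form of the thread's rule: RewriteUsername s/^([^@]+).*/$1/
STRIP_REALM = (re.compile(r"^([^@]+).*"), r"\1")


def rewrite_username(name, rules):
    """Apply each (pattern, replacement) once, in order, like s/// without /g."""
    for pattern, repl in rules:
        name = pattern.sub(repl, name, count=1)
    return name


def realm_of(user_name):
    """Assumed rule: realm is the text after the first '@', or None if absent."""
    _, sep, realm = user_name.partition("@")
    return realm if sep else None


def authenticate(user_name, password, rules=()):
    """Model of the traced flow: pick the realm, rewrite, then look up the user."""
    realm = realm_of(user_name)              # chosen from the name as received
    lookup = rewrite_username(user_name, rules)
    stored = USERS.get(lookup)
    if stored is None:
        return realm, lookup, "Access-Reject: No such user"
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return realm, lookup, "Access-Reject: Bad password"
    return realm, lookup, "Access-Accept"


if __name__ == "__main__":
    # Constructed sample names, including edge cases of the pattern.
    for name in ("fer8@interlinea2000", "fer8", "fer8@other@x", "@interlinea2000"):
        print(name, "| no rewrite:", authenticate(name, "fer8"),
              "| stripped:", authenticate(name, "fer8", [STRIP_REALM]))
```

A name with an empty user part, such as `@interlinea2000`, does not match the pattern and is looked up unchanged, while everything after the first `@` is discarded, so `fer8@other@x` is also looked up as `fer8`.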



Re: (RADIATOR) Realm authentication problems

1999-05-04 Thread Mike McCauley

On May 4,  3:02pm, Felix Izquierdo wrote:
> Subject: Re: (RADIATOR) Realm authentication problems
> Mike McCauley wrote:
> > the problem is that you are logging in with fer8@interlinea2000, but in the
> > user database, your username is just fer8.
> >
> > Therefore you must add a RewriteUsername so that it strips the realm off before
> > authenticating:
> >
>
> Mike, in relation with this issue, is it possible to strip the realm only
> for authentication but not for accounting?

No, not easily.

It might be possible to set up one Handler that does accounting and does not
strip the realm, and a different Handler that does strip the realm:

# This will handle accounting starts and stops:


# This will handle all the rest:

RewriteUsername 


See what I mean? But that may not be suitable to you because of other
constraints on how you are using Handlers and Realms?

Hope that helps.

Cheers.

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody



Re: (RADIATOR) Realm authentication problems

1999-05-05 Thread Karl Gaissmaier

Mike McCauley wrote:
> 
> > [...]
> > Mike, in relation with this issue, is it posible to strip the realm only
> > for authentication but not for accounting?
> 
> No, not easily.
> 
> It might be possible to set up one Handler that does accounting and does not
> strip the realm, and a different Handler that does strip the realm:
> 
> # This will handle accounting starts and stops:
>   
> 

Eureka, that's what I missed for my configuration with the second
accounting-only Radiator on a different box.

Thanks
Charly

-- 
Karl Gaissmaier  Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED]  Network Administration
Tel/Fax: ++49 731 50 22499/22471
pgp-key available: http://www.uni-ulm.de/urz/Netzwerk/uuca/keylist.html




Re: (RADIATOR) Realm authentication problems

1999-05-05 Thread Felix Izquierdo

Mike McCauley wrote:
> > Mike, in relation with this issue, is it possible to strip the realm only
> > for authentication but not for accounting?
> 
> No, not easily.
> 
> It might be possible to set up one Handler that does accounting and does not
> strip the realm, and a different Handler that does strip the realm:
> 

Is it possible (in a future version) to permit the use of the
RewriteUsername statement in the AuthBy context? It seems a solution...

Félix
__
DATAGRAMA SERVICIOS INTERNET
C/ Acer 30    Tlf: +34 3 223 00 98
08038 BARCELONA ( Spain ) Fax: +34 3 223 12 66
mailto:[EMAIL PROTECTED] http://www.datagrama.net
__




Re: (RADIATOR) Realm authentication problems

1999-05-05 Thread Mike McCauley

Hi Felix
On May 5,  3:02pm, Felix Izquierdo wrote:
> Subject: Re: (RADIATOR) Realm authentication problems
> Mike McCauley wrote:
> > > Mike, in relation with this issue, is it possible to strip the realm only
> > > for authentication but not for accounting?
> >
> > No, not easily.
> >
> > It might be possible to set up one Handler that does accounting and does not
> > strip the realm, and a different Handler that does strip the realm:
> >
>
> Is it possible (in a future version) to permit the use of the
> RewriteUsername statement in the AuthBy context? It seems a solution...

The AuthBy GROUP understands RewriteUsername, so you could enclose any AuthBy
inside an AuthBy GROUP and get the same effect now.

Hope that helps.

Cheers.

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody