
[Bug-gnu-radius] reply attributes order?


From: Daniel Kalchev
Subject: [Bug-gnu-radius] reply attributes order?
Date: Fri, 09 Aug 2002 13:34:27 +0300

Hello,

I believe there is a bug in how gnu-radius-0.96.3 handles reply attributes when 
an SQL database is used to store the attributes.

Suppose we have this example in the users file:

rloginme Password = "EHF0ROcjMkbOk"
        Service-Type = Login-User,
        Login-Service = Rlogin,
        Login-IP-Host =193.68.3.250


DEFAULT Auth-Type = SQL
       Service-Type = Framed-User,
       Framed-Protocol = PPP


everything works as expected.

However, when the information for the rloginme user is stored in an SQL 
database, thus:

RADIUS=# select * from passwd where user_name = 'rloginme';
 user_name | service |   password    | active
-----------+---------+---------------+--------
 rloginme  |         | EHF0ROcjMkbOk | Y
(1 row)


RADIUS=# select * from attrib where user_name = 'rloginme';
 user_name |     attr      |    value     | op
-----------+---------------+--------------+----
 rloginme  | Login-IP-Host | 193.68.3.250 |
 rloginme  | Login-Service | Rlogin       |
 rloginme  | Service-Type  | Login        |
(3 rows)




When a cisco2511 Access Server tries to authenticate with the RADIUS server 
for this user, it appears that the reply pairs returned include this:

rloginme Password = "EHF0ROcjMkbOk"
       Service-Type = Login-User,
       Login-Service = Rlogin,
       Login-IP-Host =193.68.3.250,
       Service-Type = Framed-User,
       Framed-Protocol = PPP

that is, combined Service-Type attributes... which is somewhat unexpected but 
understandable. The Cisco NAS thus generates a command in the form of:

telnet negitiated /alternate:193.68.3.250

When changing the DEFAULT entry to

DEFAULT Auth-Type = SQL
       NULL

the 'proper' command is generated on the Cisco 2511 

telnet 193.68.3.250

But - it should have used rlogin instead.

More debugging reveals that the problem is with the order of reply attributes 
being returned. gnu-radius will use the same order it received from the SQL 
server, creating something like this:

rloginme Password = "EHF0ROcjMkbOk"
       Login-IP-Host =193.68.3.250,
       Login-Service = Rlogin,
       Service-Type = Login-User

Which resets the Login-Service to Telnet...

A workaround is to order the attributes returned by the SQL database in the 
SELECT statement - to do this properly, would require definition of 'ordering' 
of the reply attributes - perhaps depends on the attribute types...

Hope this helps.

Daniel Kalchev
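
Added example (not part of the original message and not GNU Radius code): one way to apply the ORDER BY workaround described above, so that the attrib rows come back in the same order as the working users-file entry. It assumes an in-memory SQLite database standing in for the PostgreSQL one, and a hypothetical attr_rank table with made-up prio values; how the query is wired into the server's SQL configuration is not shown.

```python
import sqlite3

# Constructed sample data: the three attrib rows from the message above,
# inserted in the order the SELECT in the message returned them.
ROWS = [
    ("rloginme", "Login-IP-Host", "193.68.3.250", None),
    ("rloginme", "Login-Service", "Rlogin", None),
    ("rloginme", "Service-Type", "Login", None),
]

# Hypothetical ranking table contents (an assumption, not a GNU Radius
# table): the attribute order of the users-file entry that works.
RANKS = [("Service-Type", 10), ("Login-Service", 20), ("Login-IP-Host", 30)]

# Attributes without a rank sort after the ranked ones; ties break on the
# attribute name so the result never depends on storage order.
ORDERED_QUERY = """
SELECT a.attr, a.value, a.op
  FROM attrib AS a
  LEFT JOIN attr_rank AS r ON r.attr = a.attr
 WHERE a.user_name = ?
 ORDER BY COALESCE(r.prio, 1000), a.attr
"""


def make_db():
    """Build the sample database with the attrib columns shown in the message."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attrib (user_name TEXT, attr TEXT, value TEXT, op TEXT)")
    conn.execute(
        "CREATE TABLE attr_rank (attr TEXT PRIMARY KEY, prio INTEGER NOT NULL)")
    conn.executemany("INSERT INTO attrib VALUES (?, ?, ?, ?)", ROWS)
    conn.executemany("INSERT INTO attr_rank VALUES (?, ?)", RANKS)
    return conn


def reply_pairs(conn, user_name):
    """Return (attr, value) pairs for a user in the ranked, stable order."""
    cur = conn.execute(ORDERED_QUERY, (user_name,))
    return [(attr, value) for attr, value, _op in cur]


if __name__ == "__main__":
    for attr, value in reply_pairs(make_db(), "rloginme"):
        print(f"{attr} = {value}")
```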



