
[ARCHIVE] How to verify the password being used in SQL authentication is being read correctly by Steel-Belted RADIUS


Article ID: KB14435   Last Updated: 05 May 2020   Version: 4.0
Summary:
A user is failing authentication against a SQL database and the administrator needs to troubleshoot the issue.
Symptoms:
Users are failing authentication when Steel-Belted RADIUS is configured to use an SQL database. The connectivity to the database has been verified by way of logging. The user is providing the correct password but is still getting rejected.
Solution:
Assuming that the user is providing the correct password and database connectivity has been verified, attempt to determine what password is being retrieved from the SQL database table by Steel-Belted RADIUS.

Below is an excerpt from a typical SQL auth file. Further down, a minor change to this file allows SBR to log the value being returned from the password field in the SQL database table.

[Bootstrap]
Enable=1
LibraryName=sqlauth.dll
InitializationString=SQL

[Settings]
Connect=DSN=DC2;UID=craig;PWD=sqllogin

SQL=Select password from auth where %user = uname

[Results]
Password=1
;Profile=2/4
;Alias=2/48

 
Note that in the ‘SQL=Select’ statement above, what is being selected is the password value from the table known as ‘auth’ where the user name is equal to the %user variable. This variable contains the user name carried in the RADIUS Access-Request. In the [Results] section, the value returned from the password field is assigned to the Steel-Belted RADIUS parameter called ‘password’. This allows SBR to compare the password provided in the RADIUS Access-Request with the value in the database.

Below is the log of the failed authentication. Note that the password returned from the SQL database is not shown anywhere in it.

06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 Authentication Request
06/15/2009 14:50:59 Received from: ip=172.28.73.175 port=3767
06/15/2009 14:50:59
06/15/2009 14:50:59 Raw Packet :
06/15/2009 14:50:59 000: 0100003f 208e2f3e 2d3ce909 21a134f6 |...? ./>-<..!.4.|
06/15/2009 14:50:59 010: 2e3b6b85 01076372 61696702 12d2baec |.;k...craig.....|
06/15/2009 14:50:59 020: 08afbbe4 db026511 b81732f8 290406ac |......e...2.)...|
06/15/2009 14:50:59 030: 1c49af05 06000000 003d0600 000002 |.I.......=..... |
06/15/2009 14:50:59
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 F:\build\zMhtHo68zI\SBR\xradius\radauthd.c radAuthHandleRequest() 3022 Entering
06/15/2009 14:50:59 Looking up shared secret
06/15/2009 14:50:59 Looking for RAS client 172.28.73.175 in DB
06/15/2009 14:50:59 Matched 172.28.73.175 to RAS client <ANY>
06/15/2009 14:50:59 Parsing request
06/15/2009 14:50:59 Initializing cache entry
06/15/2009 14:50:59 Doing inventory check on request
06/15/2009 14:50:59 Getting info on requesting client
06/15/2009 14:50:59 NAS-IP-Address in request: 172.28.73.175
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 Authentication Request
06/15/2009 14:50:59 Received From: ip=172.28.73.175 port=3767
06/15/2009 14:50:59 Packet : Code = 0x1 ID = 0x0
06/15/2009 14:50:59 Client Name = <ANY> Dictionary Name = Radius.dct
06/15/2009 14:50:59 Vector =
06/15/2009 14:50:59 000: 208e2f3e 2d3ce909 21a134f6 2e3b6b85 | ./>-<..!.4..;k.|
06/15/2009 14:50:59 Parsed Packet =
06/15/2009 14:50:59 User-Name : String Value = craig
06/15/2009 14:50:59 User-Password : Value =
06/15/2009 14:50:59 000: d2baec08 afbbe4db 026511b8 1732f829 |.........e...2.)|
06/15/2009 14:50:59 NAS-IP-Address : IPAddress = 172.28.73.175
06/15/2009 14:50:59 NAS-Port : Integer Value = 0
06/15/2009 14:50:59 NAS-Port-Type : Integer Value = 2
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 Determining if request is for a tunnel
06/15/2009 14:50:59 Determining if this radius should act as a proxy
06/15/2009 14:50:59 Determining user class
06/15/2009 14:50:59 Authenticating user craig with authentication method SQL
06/15/2009 14:50:59 Authentication attempt = 0, user = craig, server = <unnamed>
06/15/2009 14:50:59 SQL statement executed successfully
06/15/2009 14:50:59 Unable to find user craig with matching password
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 Authentication Response (reject)
06/15/2009 14:50:59 Packet : Code = 0x3 ID = 0x0
06/15/2009 14:50:59 Vector =
06/15/2009 14:50:59 000: 034ac5c5 d9612e69 a6f286d3 907305f3 |.J...a.i.....s..|
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 Authentication Response (reject)
06/15/2009 14:50:59 Sent to: ip=172.28.73.175 port=3767
06/15/2009 14:50:59
06/15/2009 14:50:59 Raw Packet :
06/15/2009 14:50:59 000: 03000014 034ac5c5 d9612e69 a6f286d3 |.....J...a.i....|
06/15/2009 14:50:59 010: 907305f3 |.s.. |
06/15/2009 14:50:59
06/15/2009 14:50:59 -----------------------------------------------------------
06/15/2009 14:50:59 Packet containing 20 bytes successfully sent
06/15/2009 14:50:59 Sent reject response


Now, one simple change is made to the SQL auth file. This exposes the password returned from the database, so that we can verify SBR is using the correct value when comparing passwords.

[Bootstrap]
Enable=1
LibraryName=sqlauth.dll
InitializationString=SQL

[Settings]
Connect=DSN=DC2;UID=craig;PWD=sqllogin

SQL=Select password from auth where %user = uname

[Results]
@Filter-ID=1
;Password=1
;Profile=2/4
;Alias=2/48

Note above that we are now assigning the value from the password field returned by the ‘select’ statement to a RADIUS attribute called ‘Filter-ID’ instead of to the ‘Password’ parameter, which is now commented out. Filter-ID is a string attribute, and its value is written to the Steel-Belted RADIUS debug log.


In the log below, note that the user is actually authenticated. This is because the ‘Password’ mapping is commented out, so SBR never compares passwords. In this configuration, as long as the SQL statement executes successfully and returns data, the authentication is considered successful.

06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 Authentication Request
06/15/2009 14:53:02 Received from: ip=172.28.73.175 port=3776
06/15/2009 14:53:02
06/15/2009 14:53:02 Raw Packet :
06/15/2009 14:53:02 000: 0101003f b2d45ce9 02e75992 6fad2320 |...?..\...Y.o.# |
06/15/2009 14:53:02 010: 37390fee 01076372 61696702 1229d963 |79....craig..).c|
06/15/2009 14:53:02 020: 2cbcf8b2 1cf529aa 5712e5c0 540406ac |,.....).W...T...|
06/15/2009 14:53:02 030: 1c49af05 06000000 013d0600 000002 |.I.......=..... |
06/15/2009 14:53:02
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 F:\build\zMhtHo68zI\SBR\xradius\radauthd.c radAuthHandleRequest() 3022 Entering
06/15/2009 14:53:02 Looking up shared secret
06/15/2009 14:53:02 Looking for RAS client 172.28.73.175 in DB
06/15/2009 14:53:02 Matched 172.28.73.175 to RAS client <ANY>
06/15/2009 14:53:02 Parsing request
06/15/2009 14:53:02 Initializing cache entry
06/15/2009 14:53:02 Doing inventory check on request
06/15/2009 14:53:02 Getting info on requesting client
06/15/2009 14:53:02 NAS-IP-Address in request: 172.28.73.175
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 Authentication Request
06/15/2009 14:53:02 Received From: ip=172.28.73.175 port=3776
06/15/2009 14:53:02 Packet : Code = 0x1 ID = 0x1
06/15/2009 14:53:02 Client Name = <ANY> Dictionary Name = Radius.dct
06/15/2009 14:53:02 Vector =
06/15/2009 14:53:02 000: b2d45ce9 02e75992 6fad2320 37390fee |..\...Y.o.# 79..|
06/15/2009 14:53:02 Parsed Packet =
06/15/2009 14:53:02 User-Name : String Value = craig
06/15/2009 14:53:02 User-Password : Value =
06/15/2009 14:53:02 000: 29d9632c bcf8b21c f529aa57 12e5c054 |).c,.....).W...T|
06/15/2009 14:53:02 NAS-IP-Address : IPAddress = 172.28.73.175
06/15/2009 14:53:02 NAS-Port : Integer Value = 1
06/15/2009 14:53:02 NAS-Port-Type : Integer Value = 2
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 Determining if request is for a tunnel
06/15/2009 14:53:02 Determining if this radius should act as a proxy
06/15/2009 14:53:02 Determining user class
06/15/2009 14:53:02 Authenticating user craig with authentication method SQL
06/15/2009 14:53:02 Authentication attempt = 0, user = craig, server = <unnamed>
06/15/2009 14:53:02 SQL statement executed successfully
06/15/2009 14:53:02 SQLAUTH: Returning attribute Filter-ID = "support"
06/15/2009 14:53:02 Determined that craig authenticated by plug-in module is the user
06/15/2009 14:53:02 Getting profile info for requesting user
06/15/2009 14:53:02 Merging saved attributes with user info
06/15/2009 14:53:02 Merging profile info with user info
06/15/2009 14:53:02 Comparing checklist items with user/profile items
06/15/2009 14:53:02 Appending echo values, if any
06/15/2009 14:53:02 User CRAIG being passed to attribute editing authentication methods
06/15/2009 14:53:02 Class subattribute: DistName : String Value = craig
06/15/2009 14:53:02 Class subattribute: AuthType : String Value = 200
06/15/2009 14:53:02 Class subattribute: TransactionId : Value =
06/15/2009 14:53:02 000: b0cb39f0 ff87cc3b 00000001 |..9....;.... |
06/15/2009 14:53:02 Sent accept response for user craig to client <ANY>
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 Authentication Response
06/15/2009 14:53:02 Packet : Code = 0x2 ID = 0x1
06/15/2009 14:53:02 Vector =
06/15/2009 14:53:02 000: 63f15a1e f6c304a2 4510e985 5c1bb114 |c.Z.....E...\...|
06/15/2009 14:53:02 Class : Value =
06/15/2009 14:53:02 000: 53425232 434cd8b2 e79f87fe 8fcc9dc0 |SBR2CL..........|
06/15/2009 14:53:02 010: 11802401 80048199 8c868002 800681b1 |..$.............|
06/15/2009 14:53:02 020: dccc96cb 9c12800e 81d8b2e7 9f87fe8f |................|
06/15/2009 14:53:02 030: cc9dc080 808084 |....... |
06/15/2009 14:53:02 Filter-Id : String Value = support
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 Authentication Response
06/15/2009 14:53:02 Sent to: ip=172.28.73.175 port=3776
06/15/2009 14:53:02
06/15/2009 14:53:02 Raw Packet :
06/15/2009 14:53:02 000: 02010057 63f15a1e f6c304a2 4510e985 |...Wc.Z.....E...|
06/15/2009 14:53:02 010: 5c1bb114 19395342 5232434c d8b2e79f |\....9SBR2CL....|
06/15/2009 14:53:02 020: 87fe8fcc 9dc01180 24018004 81998c86 |........$.......|
06/15/2009 14:53:02 030: 80028006 81b1dccc 96cb9c12 800e81d8 |................|
06/15/2009 14:53:02 040: b2e79f87 fe8fcc9d c0808080 840b0a73 |...............s|
06/15/2009 14:53:02 050: 7570706f 727400 |upport. |
06/15/2009 14:53:02
06/15/2009 14:53:02 -----------------------------------------------------------
06/15/2009 14:53:02 Packet containing 87 bytes successfully sent

 
This technique is valuable for diagnosing issues in the SQL database itself. In the above example, the database’s password field was defined using the ‘varchar’ data type, which stores a value of variable length. The value is terminated by a null character added by the database.

Alternatively, a database designer can use a fixed field length to define the password field. When this is done, the database pads the value with space characters to reach the defined length. Below is a sample log showing a padded value: our sample ‘password’ field was defined with a fixed length of 10 characters. This causes authentication to fail, because the password supplied by the user would also have to contain the same number of padding characters in order to match.

06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 Authentication Request
06/15/2009 15:24:27 Received from: ip=172.28.73.175 port=3950
06/15/2009 15:24:27
06/15/2009 15:24:27 Raw Packet :
06/15/2009 15:24:27 000: 0103003f be5e47dc 1f853339 ebb91074 |...?.^G...39...t|
06/15/2009 15:24:27 010: fc7a312b 01076372 61696702 1253f184 |.z1+..craig..S..|
06/15/2009 15:24:27 020: c62a2c7a f1331909 0d8afcbb c40406ac |.*,z.3..........|
06/15/2009 15:24:27 030: 1c49af05 06000000 033d0600 000002 |.I.......=..... |
06/15/2009 15:24:27
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 F:\build\zMhtHo68zI\SBR\xradius\radauthd.c radAuthHandleRequest() 3022 Entering
06/15/2009 15:24:27 Looking up shared secret
06/15/2009 15:24:27 Looking for RAS client 172.28.73.175 in DB
06/15/2009 15:24:27 Matched 172.28.73.175 to RAS client <ANY>
06/15/2009 15:24:27 Parsing request
06/15/2009 15:24:27 Initializing cache entry
06/15/2009 15:24:27 Doing inventory check on request
06/15/2009 15:24:27 Getting info on requesting client
06/15/2009 15:24:27 NAS-IP-Address in request: 172.28.73.175
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 Authentication Request
06/15/2009 15:24:27 Received From: ip=172.28.73.175 port=3950
06/15/2009 15:24:27 Packet : Code = 0x1 ID = 0x3
06/15/2009 15:24:27 Client Name = <ANY> Dictionary Name = Radius.dct
06/15/2009 15:24:27 Vector =
06/15/2009 15:24:27 000: be5e47dc 1f853339 ebb91074 fc7a312b |.^G...39...t.z1+|
06/15/2009 15:24:27 Parsed Packet =
06/15/2009 15:24:27 User-Name : String Value = craig
06/15/2009 15:24:27 User-Password : Value =
06/15/2009 15:24:27 000: 53f184c6 2a2c7af1 3319090d 8afcbbc4 |S...*,z.3.......|
06/15/2009 15:24:27 NAS-IP-Address : IPAddress = 172.28.73.175
06/15/2009 15:24:27 NAS-Port : Integer Value = 3
06/15/2009 15:24:27 NAS-Port-Type : Integer Value = 2
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 Determining if request is for a tunnel
06/15/2009 15:24:27 Determining if this radius should act as a proxy
06/15/2009 15:24:27 Determining user class
06/15/2009 15:24:27 Authenticating user craig with authentication method SQL
06/15/2009 15:24:27 Authentication attempt = 0, user = craig, server = <unnamed>
06/15/2009 15:24:27 SQL statement executed successfully
06/15/2009 15:24:27 SQLAUTH: Returning attribute Filter-ID = "support "
06/15/2009 15:24:27 Determined that craig authenticated by plug-in module is the user
06/15/2009 15:24:27 Getting profile info for requesting user
06/15/2009 15:24:27 Merging saved attributes with user info
06/15/2009 15:24:27 Merging profile info with user info
06/15/2009 15:24:27 Comparing checklist items with user/profile items
06/15/2009 15:24:27 Appending echo values, if any
06/15/2009 15:24:27 User CRAIG being passed to attribute editing authentication methods
06/15/2009 15:24:27 Class subattribute: DistName : String Value = craig
06/15/2009 15:24:27 Class subattribute: AuthType : String Value = 200
06/15/2009 15:24:27 Class subattribute: TransactionId : Value =
06/15/2009 15:24:27 000: b0cb39f0 ff87cc3b 00000001 |..9....;.... |
06/15/2009 15:24:27 Sent accept response for user craig to client <ANY>
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 Authentication Response
06/15/2009 15:24:27 Packet : Code = 0x2 ID = 0x3
06/15/2009 15:24:27 Vector =
06/15/2009 15:24:27 000: d0020c24 e1125384 154d1596 64dc4669 |...$..S..M..d.Fi|
06/15/2009 15:24:27 Class : Value =
06/15/2009 15:24:27 000: 53425232 434cd8b2 e79f87fe 8fcc9dc0 |SBR2CL..........|
06/15/2009 15:24:27 010: 11802401 80048199 8c868002 800681b1 |..$.............|
06/15/2009 15:24:27 020: dccc96cb 9c12800e 81d8b2e7 9f87fe8f |................|
06/15/2009 15:24:27 030: cc9dc080 808084 |....... |
06/15/2009 15:24:27 Filter-Id : String Value = support
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 Authentication Response
06/15/2009 15:24:27 Sent to: ip=172.28.73.175 port=3950
06/15/2009 15:24:27
06/15/2009 15:24:27 Raw Packet :
06/15/2009 15:24:27 000: 0203005a d0020c24 e1125384 154d1596 |...Z...$..S..M..|
06/15/2009 15:24:27 010: 64dc4669 19395342 5232434c d8b2e79f |d.Fi.9SBR2CL....|
06/15/2009 15:24:27 020: 87fe8fcc 9dc01180 24018004 81998c86 |........$.......|
06/15/2009 15:24:27 030: 80028006 81b1dccc 96cb9c12 800e81d8 |................|
06/15/2009 15:24:27 040: b2e79f87 fe8fcc9d c0808080 840b0d73 |...............s|
06/15/2009 15:24:27 050: 7570706f 72742020 2000 |upport . |
06/15/2009 15:24:27
06/15/2009 15:24:27 -----------------------------------------------------------
06/15/2009 15:24:27 Packet containing 90 bytes successfully sent

 
Notice that in the raw RADIUS packet from the Steel-Belted RADIUS log, padding occurs to the right of the value ‘support’: the last line of the dump shows three 0x20 (space) bytes after ‘support’ before the 0x00 terminator, and the SQLAUTH line logs the attribute as "support " rather than "support".
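As an added example (not part of the original article), the Python below reassembles the two Access-Accept ‘Raw Packet’ dumps from the logs above, walks the RADIUS attributes, and compares the Filter-Id value (the password SBR read from SQL) with the password the user typed, reporting any trailing padding and the database’s NUL terminator. The 20-byte RADIUS header and Filter-Id attribute type 11 are standard (RFC 2865); the dump text is copied from this article.

```python
import re

# Access-Accept 'Raw Packet' dumps copied from the two SBR debug logs above: varchar column, then fixed-length 10-character column.
VARCHAR_DUMP = r"""
06/15/2009 14:53:02 000: 02010057 63f15a1e f6c304a2 4510e985 |...Wc.Z.....E...|
06/15/2009 14:53:02 010: 5c1bb114 19395342 5232434c d8b2e79f |\....9SBR2CL....|
06/15/2009 14:53:02 020: 87fe8fcc 9dc01180 24018004 81998c86 |........$.......|
06/15/2009 14:53:02 030: 80028006 81b1dccc 96cb9c12 800e81d8 |................|
06/15/2009 14:53:02 040: b2e79f87 fe8fcc9d c0808080 840b0a73 |...............s|
06/15/2009 14:53:02 050: 7570706f 727400 |upport. |
"""
CHAR10_DUMP = r"""
06/15/2009 15:24:27 000: 0203005a d0020c24 e1125384 154d1596 |...Z...$..S..M..|
06/15/2009 15:24:27 010: 64dc4669 19395342 5232434c d8b2e79f |d.Fi.9SBR2CL....|
06/15/2009 15:24:27 020: 87fe8fcc 9dc01180 24018004 81998c86 |........$.......|
06/15/2009 15:24:27 030: 80028006 81b1dccc 96cb9c12 800e81d8 |................|
06/15/2009 15:24:27 040: b2e79f87 fe8fcc9d c0808080 840b0d73 |...............s|
06/15/2009 15:24:27 050: 7570706f 72742020 2000 |upport . |
"""
HEX_LINE = re.compile(r"\s([0-9a-f]{3}): ((?:[0-9a-f]+ )+)\|")  # offset + hex words
FILTER_ID = 11  # RADIUS attribute type of Filter-Id (RFC 2865)

def packet_bytes(dump: str) -> bytes:
    """Reassemble the packet from SBR hex-dump lines, checking the offsets are contiguous."""
    out = bytearray()
    for m in filter(None, map(HEX_LINE.search, dump.splitlines())):
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump line out of sequence: {m.group(0)}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def radius_attributes(pkt: bytes) -> list:
    """Walk the (type, length, value) attribute list after the 20-byte RADIUS header."""
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes dumped")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs

def diagnose(dump: str, supplied: str) -> dict:
    """Compare the password SBR read from SQL (exposed via Filter-Id) with the one the user typed."""
    value = next(v for t, v in radius_attributes(packet_bytes(dump)) if t == FILTER_ID)
    body = value.rstrip(b"\x00")  # NUL terminator added by the database
    core = body.rstrip(b" ")      # space padding from a fixed-length column
    return {"stored": body.decode("latin-1"), "trailing_spaces": len(body) - len(core),
            "nul_terminated": value.endswith(b"\x00"),
            "matches_supplied": body == supplied.encode(), "matches_after_trim": core == supplied.encode()}
```

Running diagnose on the second dump reports three trailing spaces and no match, which is exactly the fixed-length padding failure the log above illustrates.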


Once you have diagnosed the problem, be sure to restore your SQL auth file to its original state (Password=1 enabled, the Filter-ID mapping removed) and retest, so that SBR resumes comparing passwords.
