Re: [RadiusNT] RadGetUser in RadiusNT30

Peter Deacon ( peterd@iea-software.com )
Thu, 15 Jun 2000 09:29:50 -0700 (Pacific Daylight Time)

On Thu, 15 Jun 2000, Christian Gatti wrote:

> Option 'Disable User Cache Authentication' in RadiusNT Administrator 3.0 is
> checked.

> I tried to intercept the username and password of every user that logs in,
> by adding a sql-insert-cmd to the stored procedure 'RadGetUsers':

> CREATE PROCEDURE RadGetUser @user VARCHAR(64) , @password VARCHAR(32) AS
> insert into spy (login,password) values (@user,@password)

> SELECT SubAccounts.AccountID, SubAccounts.Login, SubAccounts.Password,
> NULL, SubAccounts.AccountType, SubAccounts.LoginLimit, SubAccounts.TimeLeft,
> MasterExpire=DateAdd(Day, ma.Extension+ma.OverDue+1, maExpireDate),
> SubExpire=DateAdd(Day, SubAccounts.Extension+1, saExpireDate)
> FROM SubAccounts, MasterAccounts ma
> WHERE SubAccounts.CustomerID = ma.CustomerID
> AND SubAccounts.Active <> 0
> AND ma.Active <> 0
> AND SubAccounts.Login = @user
> AND SubAccounts.Password = @password

> Why does RadiusNT30 always pass 'NULL' instead of the user's password?

Radius handles searching for matching passwords internally... It
always sends a NULL password to RadGetUser.

You can get a list of failed logins from RadLogs and a list of successfull
ones from the Calls table.

Have Fun!
Peter

For more information about this list (including removal) go to:
http://www.iea-software.com/support/maillists/liststart