(RADIATOR) cisco 3330 vpn config

Hugh Irvine hugh at open.com.au
Fri Sep 9 01:15:48 CDT 2005


Hello Kevin -

 From the debug shown below it appears that Radiator is doing the  
same thing every time.

This being the case I would have to conclude that there is some  
problem with the VPN NAS device.

I note that you are not sending any reply attributes in the radius  
access accept, and this may be contributing to the problem.

You should check your VPN documentation to see if there are any  
radius reply attributes required for correct operation.

What does a debug on the VPN device show?

BTW - this problem may also be due to firewalls and/or filters  
blocking the return path so the VPN device never sees the access  
accept(s).

Again a debug on the VPN device will show you what is happening.

regards

Hugh


On 9 Sep 2005, at 14:10, kevin_amorin at harvard.edu wrote:

>
> Hello,
>       I have a quick question.  I've done a bit of testing, and  
> reading the
> archives but I seem to be stuck on what I hope is an easy fix.
>
> Background:
>       Cisco 3330 VPN
>       Radiator 3.13
>             LDAP Proxy
>
> The first time I authenticate to the VPN it works; every subsequent  
> time it fails.
>
> Logs:
>
>
> Fri Sep  9 04:46:22 2005: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Fri Sep  9 04:46:22 2005: DEBUG: Reading dictionary file
> '/etc/radiator/dictionary'
> Fri Sep  9 04:46:22 2005: DEBUG: Creating authentication port  
> 0.0.0.0:1812
> Fri Sep  9 04:46:22 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Sep  9 04:46:22 2005: NOTICE: Server started: Radiator 3.13 on  
> xxxxx
> (LOCKED)
>
>
> Fri Sep  9 04:46:59 2005: DEBUG: Packet dump:
> *** Received from 128.103.xxx port 1025 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  dOxxxx
> Attributes:
>         User-Name = "kamorin"
>         User-Password = <173>xxxx
>         Altiga-Argument-Auth-Server-Priority = 2
>         NAS-IP-Address = 128.103.xxx
>         NAS-Port-Type = Virtual
>
> Fri Sep  9 04:46:59 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep  9 04:46:59 2005: DEBUG:  Deleting session for kamorin,
> 128.103.xxx.xxx
> Fri Sep  9 04:46:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Sep  9 04:46:59 2005: INFO: Connecting to xxxldap.harvard.edu,  
> port 389
> Fri Sep  9 04:46:59 2005: INFO: Attempting to bind to LDAP server
> xxxxxxx.harvard.edu:389
> Fri Sep  9 04:46:59 2005: DEBUG: LDAP got result for CN=Kevin Amorin
> Fri Sep  9 04:46:59 2005: DEBUG: LDAP got uid: kamorin leftybk kevdogg
> Fri Sep  9 04:46:59 2005: ERR: Bad attribute=value pair:
> kamorin,leftybk,kevdogg
> Fri Sep  9 04:46:59 2005: DEBUG: Radius::AuthLDAP2 looks for match  
> with
> kamorin
> Fri Sep  9 04:46:59 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Sep  9 04:46:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Sep  9 04:46:59 2005: DEBUG: Access accepted for kamorin
> Fri Sep  9 04:46:59 2005: DEBUG: Packet dump:
> *** Sending to 128.103.xxx port 1025 ....
> Code:       Access-Accept
> Identifier: 1
> Authentic:  dOxxxxx
> Attributes:
>
>
> (vpn returns successful)
>
>
> Fri Sep  9 04:47:14 2005: DEBUG: Packet dump:
> *** Received from 128.103.xxx port 1025 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <182>xxxx
> Attributes:
>         User-Name = "kamorin"
>         User-Password = xC<157>xxxx
>         Altiga-Argument-Auth-Server-Priority = 2
>         NAS-IP-Address = 128.103.xxx
>         NAS-Port-Type = Virtual
>
> Fri Sep  9 04:47:14 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep  9 04:47:14 2005: DEBUG:  Deleting session for kamorin,
> 128.103.xxx.xxx,
> Fri Sep  9 04:47:14 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Sep  9 04:47:14 2005: INFO: Connecting to xxxxx.harvard.edu,  
> port 389
> Fri Sep  9 04:47:14 2005: INFO: Attempting to bind to LDAP server
> xxxx.harvard.edu:389
> Fri Sep  9 04:47:15 2005: DEBUG: LDAP got result for CN=Kevin Amorin
> Fri Sep  9 04:47:15 2005: DEBUG: LDAP got uid: kamorin leftybk kevdogg
> Fri Sep  9 04:47:15 2005: ERR: Bad attribute=value pair:
> kamorin,leftybk,kevdogg
> Fri Sep  9 04:47:15 2005: DEBUG: Radius::AuthLDAP2 looks for match  
> with
> kamorin
> Fri Sep  9 04:47:15 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Sep  9 04:47:15 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Sep  9 04:47:15 2005: DEBUG: Access accepted for kamorin
> Fri Sep  9 04:47:15 2005: DEBUG: Packet dump:
> *** Sending to 128.103.xxx port 1025 ....
> Code:       Access-Accept
> Identifier: 2
> Authentic:  <182>
> Attributes:
>
> Fri Sep  9 04:47:18 2005: DEBUG: Packet dump:
> *** Received from 128.103.xxx port 1025 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <182>
> Attributes:
>         User-Name = "kamorin"
>         User-Password = <157>
>         Altiga-Argument-Auth-Server-Priority = 2
>         NAS-IP-Address = 128.103.xxx
>         NAS-Port-Type = Virtual
>
> Fri Sep  9 04:47:18 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep  9 04:47:18 2005: DEBUG:  Deleting session for kamorin,
> 128.103.xxx,
> Fri Sep  9 04:47:18 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Sep  9 04:47:18 2005: INFO: Connecting to xxxldap.harvard.edu,  
> port 389
> Fri Sep  9 04:47:18 2005: INFO: Attempting to bind to LDAP server
> xxxldap.harvard.edu:389
>
> Fri Sep  9 04:47:20 2005: DEBUG: LDAP got result for CN=Kevin Amorin
> Fri Sep  9 04:47:20 2005: DEBUG: LDAP got uid: kamorin leftybk kevdogg
> Fri Sep  9 04:47:20 2005: ERR: Bad attribute=value pair:
> kamorin,leftybk,kevdogg
> Fri Sep  9 04:47:20 2005: DEBUG: Radius::AuthLDAP2 looks for match  
> with
> kamorin
> Fri Sep  9 04:47:20 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Sep  9 04:47:20 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Sep  9 04:47:20 2005: DEBUG: Access accepted for kamorin
> Fri Sep  9 04:47:20 2005: DEBUG: Packet dump:
> *** Sending to 128.103.xxx port 1025 ....
> Code:       Access-Accept
> Identifier: 2
> Authentic:  <182>
> Attributes:
>
>
>
> asks twice then fails.  The Radius server is then deemed "offline"  
> by the
> vpn and all auth fails.
>
> Config:
> Foreground
> LogStdout
> Trace           4
> AcctPort 1813
> AuthPort 1812
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>
> <Client DEFAULT>
>         Secret  xxxxxxxxx
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>         AcctLogFileName %L/detail
>         AcctLogFileName %L/detail-%Y%m
>
>         <AuthBy LDAP2>
>                 Host            xxxxx.harvard.edu
>
>                 AuthDN          cn=xxxxxx
>                 AuthPassword   xxxxxx
>                 BaseDN          c=US
>                 UsernameAttr    uid
>                 ServerChecksPassword
>                 CheckAttr       uid
>                 PasswordAttr    userpassword
>
>                 Version 3
>         </AuthBy>
> </Realm>
>
>
>
>
> any help is appreciated.
>
> Thanks
> Kevin
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
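The trace Kevin posted carries the diagnosis Hugh points at: the request with Identifier 2 arrives at 04:47:14, Radiator sends an Access-Accept with no reply attributes, and at 04:47:18 the very same request (same Identifier, same Authenticator) arrives again, which is a NAS retransmission. A RADIUS client only retransmits when it has not received (or has silently discarded) the reply, so the server's own ACCEPT decision is not what is failing. The script below is an added example, not code from the thread or from Radiator: it parses trace 4 packet dumps of the shape shown above, groups inbound Access-Requests by peer, Identifier and Authenticator to find retransmissions, flags retransmissions that arrived after an Access-Accept had already gone out, and lists Access-Accepts that carry no reply attributes. The log text, the 192.0.2.10 address and the AUTH-… placeholders are constructed sample data modeled on the quoted trace; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the Radiator trace 4 output quoted in the thread.
# The address is from the documentation range and the authenticators are placeholders.
SAMPLE_LOG = """\
Fri Sep  9 04:46:59 2005: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1025 ....
Code:       Access-Request
Identifier: 1
Authentic:  AUTH-REQ-1
Attributes:
        User-Name = "kamorin"
        User-Password = <173>xxxx
        NAS-IP-Address = 192.0.2.10
        NAS-Port-Type = Virtual

Fri Sep  9 04:46:59 2005: DEBUG: Access accepted for kamorin
Fri Sep  9 04:46:59 2005: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1025 ....
Code:       Access-Accept
Identifier: 1
Authentic:  AUTH-RSP-1
Attributes:

Fri Sep  9 04:47:14 2005: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1025 ....
Code:       Access-Request
Identifier: 2
Authentic:  AUTH-REQ-2
Attributes:
        User-Name = "kamorin"
        User-Password = xC<157>xxxx
        NAS-IP-Address = 192.0.2.10
        NAS-Port-Type = Virtual

Fri Sep  9 04:47:14 2005: ERR: Bad attribute=value pair: kamorin,leftybk,kevdogg
Fri Sep  9 04:47:14 2005: DEBUG: Access accepted for kamorin
Fri Sep  9 04:47:14 2005: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1025 ....
Code:       Access-Accept
Identifier: 2
Authentic:  AUTH-RSP-2
Attributes:

Fri Sep  9 04:47:18 2005: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1025 ....
Code:       Access-Request
Identifier: 2
Authentic:  AUTH-REQ-2
Attributes:
        User-Name = "kamorin"
        User-Password = <157>
        NAS-IP-Address = 192.0.2.10
        NAS-Port-Type = Virtual

Fri Sep  9 04:47:18 2005: DEBUG: Access accepted for kamorin
Fri Sep  9 04:47:18 2005: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1025 ....
Code:       Access-Accept
Identifier: 2
Authentic:  AUTH-RSP-2
Attributes:
"""

TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}): ")
DUMP_RE = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD_RE = re.compile(r"^(Code|Identifier|Authentic):\s*(.*)$")
ATTR_RE = re.compile(r"^\s+(\S+)\s*=\s*(.*)$")


def parse_packets(text):
    """Turn 'Packet dump:' blocks into dicts; a timestamped log line or a blank line ends a dump."""
    packets, current, last_ts = [], None, None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            last_ts, current = m.group(1), None
            continue
        m = DUMP_RE.match(line)
        if m:
            current = {"time": last_ts,
                       "direction": "in" if m.group(1) == "Received from" else "out",
                       "peer": f"{m.group(2)}:{m.group(3)}",
                       "code": None, "identifier": None, "authenticator": None,
                       "attributes": []}
            packets.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name == "Code":
                current["code"] = value
            elif name == "Identifier":
                current["identifier"] = int(value)
            else:
                current["authenticator"] = value
            continue
        m = ATTR_RE.match(line)
        if m:
            current["attributes"].append((m.group(1), m.group(2).strip()))
        elif not line.strip():
            current = None
    return packets


def find_retransmits(packets):
    """Same peer, Identifier and request Authenticator seen more than once: the NAS re-sent it."""
    seen = defaultdict(list)
    for p in packets:
        if p["direction"] == "in" and p["code"] == "Access-Request":
            seen[(p["peer"], p["identifier"], p["authenticator"])].append(p["time"])
    return {key: times for key, times in seen.items() if len(times) > 1}


def accepts_not_taken(packets):
    """Retransmits that arrived after an Access-Accept for that peer/Identifier had already been
    sent: the server answered, the NAS behaved as if it had not (return path or reply rejected).
    Caveat: Identifiers wrap at 256, so 'answered' is only meaningful within a short window."""
    findings, answered, seen = [], set(), set()
    for p in packets:
        key = (p["peer"], p["identifier"])
        if p["direction"] == "out" and p["code"] == "Access-Accept":
            answered.add(key)
        elif p["direction"] == "in" and p["code"] == "Access-Request":
            full = key + (p["authenticator"],)
            if full in seen and key in answered:
                findings.append({"peer": p["peer"], "identifier": p["identifier"],
                                 "repeated_at": p["time"]})
            seen.add(full)
    return findings


def empty_accepts(packets):
    """Identifiers of outbound Access-Accepts that carry no reply attributes at all."""
    return [p["identifier"] for p in packets
            if p["direction"] == "out" and p["code"] == "Access-Accept" and not p["attributes"]]


def error_lines(text):
    """ERR lines worth reading alongside the packet analysis (here the multi-valued uid)."""
    return [line for line in text.splitlines() if ": ERR: " in line]


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_LOG)
    print("retransmitted requests:", find_retransmits(pkts))
    print("accepts the NAS did not act on:", accepts_not_taken(pkts))
    print("accepts with no reply attributes:", empty_accepts(pkts))
    print("errors:", *error_lines(SAMPLE_LOG), sep="\n  ")
```

Run against a real trace 4 log, an entry in `accepts_not_taken` is the thing to chase on the NAS side before touching the AuthBy clause: either the Access-Accept never arrived (a filter or firewall on the return path, as Hugh suggests) or the NAS dropped it on receipt, which a debug on the VPN device will distinguish. Note that with `DupInterval 0` in the posted config Radiator re-authenticates every retransmit instead of replaying its cached reply, which is why the same LDAP lookup and ERR line appear three times in the trace.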

