(RADIATOR) Access Rejected on AuthBy RADIUS

Matt Scifo mscifo at o1.com
Thu Dec 20 11:17:18 CST 2001


Hugh

Thanks for responding.  I know for sure that we only have one Handler
clause.  I have also tried putting it in the main radius.cfg without
using include statements.  This doesn't explain why the debug indicates
that AuthSQL is being used for the Handler.  Also, the debug also has a
line stating "Access rejected for stevek: Authentication disabled".  So,
if there is only one handler, why is AuthSQL using it and why is
Authentication Disabled?  This is a fresh install with no other changes.
What can I do to overcome this, as the majority of our radius use is
proxying?

Thanks

Matt

On Wed, 2001-12-19 at 20:04, Hugh Irvine wrote:
> 
> Hello Matt -
> 
> The only thing I can think of is that you have another 
> 
> <Handler Called-Station-Id = /1155$/>
> 
> in one of your other included files which is overwriting the one you show 
> below.
> 
> And Radiator always maintains an internal session database which is why you 
> see the "Deleting session ...." message.
> 
> hth
> 
> Hugh
> 
> 
> On Thu, 20 Dec 2001 10:18, Matt Scifo wrote:
> > Hello
> >
> > I have an installation of Radiator 2.19 on a Debian box.  My config only
> > has an AuthBy RADIUS clause in a single Handler.  Whenever I send a test
> > auth, I get a "Request Denied" with no explanation.  The server that I
> > am proxying to is up and in production.  I have successfully test authed
> > to it from another box (not going through radiator first).  When I check
> > the trace 4 debug, I see the following....
> >
> > ###################################################################
> > *** Received from xxx.xxx.xxx.xxx port 1024 ....
> > Code:       Access-Request
> > Identifier: 117
> > Authentic:  1234567890123456
> > Attributes:
> > 	User-Name = "stevek"
> > 	Service-Type = Framed-User
> > 	NAS-IP-Address = xxx.xxx.xxx.xxx
> > 	NAS-Port = 1234
> > 	Called-Station-Id = "xxxxxxxxxx"
> > 	Calling-Station-Id = "987654321"
> > 	NAS-Port-Type = Async
> > 	User-Password = "<29>M<146>Uq<15><170><200>T<10><201>,m3<15><172>"
> >
> > Wed Dec 19 15:04:27 2001: DEBUG: Check if Handler Called-Station-Id =
> > /1155$/ should be used to handle this request
> > Wed Dec 19 15:04:27 2001: DEBUG: Handling request with Handler
> > 'Called-Station-Id = /1155$/'
> > Wed Dec 19 15:04:27 2001: DEBUG:  Deleting session for stevek,
> > xxx.xxx.xxx.xxx, 1234
> > Wed Dec 19 15:04:27 2001: DEBUG: Handling with Radius::AuthSQL
> > Wed Dec 19 15:04:27 2001: INFO: Access rejected for stevek:
> > Authentication disabled
> > Wed Dec 19 15:04:27 2001: DEBUG: Packet dump:
> > *** Sending to xxx.xxx.xxx.xxx port 1024 ....
> > Code:       Access-Reject
> > Identifier: 117
> > Authentic:  1234567890123456
> > Attributes:
> > 	Reply-Message = "Request Denied"
> > ##################################################################
> >
> > Why does it say "Deleting session for stevek" and "Handling with
> > Radius::AuthSQL" when I am only using AuthRADIUS?  What is the reason
> > for the reject?  I have checked everything, the client list, the
> > secrets, the user/pass.
> >
> > Below is my radius.cfg.  Any ideas??
> >
> > -Matt
> >
> >
> >
> > ## radius.cfg ##########################################################
> > Foreground
> > #LogStdout
> > LogDir		/var/log/radius
> > LogFile		/var/log/radius/%Y%m%d-radius.log
> > AuthPort	1812
> > AcctPort	1813
> >
> > # Use a lower trace level in production systems:
> > Trace 	4
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <ClientListSQL>
> > 	DBSource	dbi:mysql:radius
> > 	DBUsername	root
> > 	DBAuth		xxxxxxxxx
> >
> > 	GetClientQuery	select NASIDENTIFIER, SECRET from RADCLIENTLIST
> > </ClientListSQL>
> >
> > # Get configs from specified directory
> > include /usr/local/radiator/configs/1155.cfg
> > ########################################################################
> >
> > ## 1155.cfg ############################################################
> > <Handler Called-Station-Id = /1155$/>
> > 	#AuthByPolicy ContinueAlways
> >
> >         <AuthBy RADIUS>
> >                 #Synchronous
> >                 #FailureBackoffTime
> >                 #StripFromRequest
> >                 #AddToRequest
> >                 #NoForwardAuthentication
> >                 #NoForwardAccounting
> >
> > 		#USERNAME =
> >                 #PASSWORD =
> >                 <Host xxx.xxx.xxx.xxx>
> >                         Secret xxxxxxxxx
> >                         AuthPort 11155
> >                         #AcctPort 11156
> >                         Retries 3
> >                         RetryTimeout 10
> >                 </Host>
> >         </AuthBy>
> > </Handler>
> > #######################################################################
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 
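One way to check the duplicate-Handler theory raised in this thread is to walk the configuration, follow every include, and list each Handler with the AuthBy types inside it. The following is an added example, not part of the original messages and not Radiator code; the file names are shortened, and extra.cfg and its contents are a constructed, hypothetical file.

```python
import re

# Constructed sample: the thread's two files (abbreviated) plus a hypothetical
# extra.cfg that repeats the same Handler condition with a different AuthBy.
FILES = {
    "radius.cfg": "Trace 4\ninclude 1155.cfg\ninclude extra.cfg\n",
    "1155.cfg": "<Handler Called-Station-Id = /1155$/>\n"
                "    #AuthByPolicy ContinueAlways\n"
                "    <AuthBy RADIUS>\n"
                "        <Host xxx.xxx.xxx.xxx>\n"
                "        </Host>\n"
                "    </AuthBy>\n"
                "</Handler>\n",
    "extra.cfg": "<Handler Called-Station-Id = /1155$/>\n"
                 "    <AuthBy SQL>\n"
                 "    </AuthBy>\n"
                 "</Handler>\n",
}

OPEN = re.compile(r"^<(Handler|AuthBy)\b\s*(.*?)\s*>$")

def list_handlers(files, name, seen=None):
    """Return [(file, line, condition, [AuthBy types])], following includes."""
    seen = set() if seen is None else seen
    if name in seen:              # guard against include loops
        return []
    seen.add(name)
    found, current = [], None
    for lineno, raw in enumerate(files.get(name, "").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue              # commented-out clauses do not count
        if line.lower().startswith("include "):
            found += list_handlers(files, line.split(None, 1)[1], seen)
            continue
        m = OPEN.match(line)
        if m and m.group(1) == "Handler":
            current = (name, lineno, m.group(2), [])
            found.append(current)
        elif m and current is not None:
            current[3].append(m.group(2))   # AuthBy inside the open Handler
        elif line == "</Handler>":
            current = None
    return found

def duplicate_conditions(handlers):
    """Map each Handler condition seen more than once to its locations."""
    by_cond = {}
    for fname, lineno, cond, auth in handlers:
        by_cond.setdefault(cond, []).append((fname, lineno, auth))
    return {c: locs for c, locs in by_cond.items() if len(locs) > 1}
```

To run it against a real installation, fill `FILES` by reading the main configuration file and each included file from disk, keyed by the path used in the include line.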
