(RADIATOR) Access Rejected on AuthBy RADIUS

Hugh Irvine hugh at open.com.au
Thu Dec 20 16:32:29 CST 2001


Hello Matt -

The only way that an AuthBy SQL clause would be called is if there is such a 
clause in the configuration file. Are you sure you are starting Radiator with 
the configuration file that you think you are? How are you starting radiusd? 
And how are you sending the test request? 

I notice the configuration file below is set for 1812 and 1813. Don't forget 
the radpwtst program sends to 1645/1646 by default. Have you got another copy 
of radiusd running on those ports with an AuthBy SQL in it?

regards

Hugh 


On Fri, 21 Dec 2001 04:17, Matt Scifo wrote:
> Hugh
>
> Thanks for responding.  I know for sure that we only have one Handler
> clause.  I have also tried putting it in the main radius.cfg without
> using include statements.  This doesn't explain why the debug indicates
> that AuthSQL is being used for the Handler.  Also, the debug also has a
> line stating "Access rejected for stevek: Authentication disabled".  So,
> if there is only one handler, why is AuthSQL using it and why is
> Authentication Disabled.  This is a fresh install with no other changes.
> What can I do to overcome this, as the majority of our radius use is
> proxying?
>
> Thanks
>
> Matt
>
> On Wed, 2001-12-19 at 20:04, Hugh Irvine wrote:
> > Hello Matt -
> >
> > The only thing I can think of is that you have another
> >
> > <Handler Called-Station-Id = /1155$/>
> >
> > in one of your other included files which is overwriting the one you show
> > below.
> >
> > And Radiator always maintains an internal session database which is why
> > you see the "Deleting session ...." message.
> >
> > hth
> >
> > Hugh
> >
> > On Thu, 20 Dec 2001 10:18, Matt Scifo wrote:
> > > Hello
> > >
> > > I have an installation of Radiator 2.19 on a Debian box.  My config only
> > > has an AuthBy RADIUS clause in a single Handler.  Whenever I send a
> > > test auth, I get a "Request Denied" with no explanation.  The server
> > > that I am proxying to is up and in production.  I have successfully
> > > test authed to it from another box (not going through radiator first). 
> > > When I check the trace 4 debug, I see the following....
> > >
> > > ###################################################################
> > > *** Received from xxx.xxx.xxx.xxx port 1024 ....
> > > Code:       Access-Request
> > > Identifier: 117
> > > Authentic:  1234567890123456
> > > Attributes:
> > > 	User-Name = "stevek"
> > > 	Service-Type = Framed-User
> > > 	NAS-IP-Address = xxx.xxx.xxx.xxx
> > > 	NAS-Port = 1234
> > > 	Called-Station-Id = "xxxxxxxxxx"
> > > 	Calling-Station-Id = "987654321"
> > > 	NAS-Port-Type = Async
> > > 	User-Password = "<29>M<146>Uq<15><170><200>T<10><201>,m3<15><172>"
> > >
> > > Wed Dec 19 15:04:27 2001: DEBUG: Check if Handler Called-Station-Id = /1155$/ should be used to handle this request
> > > Wed Dec 19 15:04:27 2001: DEBUG: Handling request with Handler 'Called-Station-Id = /1155$/'
> > > Wed Dec 19 15:04:27 2001: DEBUG:  Deleting session for stevek, xxx.xxx.xxx.xxx, 1234
> > > Wed Dec 19 15:04:27 2001: DEBUG: Handling with Radius::AuthSQL
> > > Wed Dec 19 15:04:27 2001: INFO: Access rejected for stevek: Authentication disabled
> > > Wed Dec 19 15:04:27 2001: DEBUG: Packet dump:
> > > *** Sending to xxx.xxx.xxx.xxx port 1024 ....
> > > Code:       Access-Reject
> > > Identifier: 117
> > > Authentic:  1234567890123456
> > > Attributes:
> > > 	Reply-Message = "Request Denied"
> > > ##################################################################
> > >
> > > Why does it say "Deleting session for stevek" and "Handling with
> > > Radius::AuthSQL" when I am only using AuthRADIUS?  What is the reason
> > > for the reject?  I have checked everything, the client list, the
> > > secrets, the user/pass.
> > >
> > > Below is my radius.cfg.  Any ideas??
> > >
> > > -Matt
> > >
> > >
> > >
> > > ## radius.cfg
> > > ##########################################################
> > > Foreground
> > > #LogStdout
> > > LogDir		/var/log/radius
> > > LogFile		/var/log/radius/%Y%m%d-radius.log
> > > AuthPort	1812
> > > AcctPort	1813
> > >
> > > # Use a lower trace level in production systems:
> > > Trace 	4
> > >
> > > # You will probably want to add other Clients to suit your site,
> > > # one for each NAS you want to work with
> > > <ClientListSQL>
> > > 	DBSource	dbi:mysql:radius
> > > 	DBUsername	root
> > > 	DBAuth		xxxxxxxxx
> > >
> > > 	GetClientQuery	select NASIDENTIFIER, SECRET from RADCLIENTLIST
> > > </ClientListSQL>
> > >
> > > # Get configs from specified directory
> > > include /usr/local/radiator/configs/1155.cfg
> > > ########################################################################
> > >
> > > ## 1155.cfg
> > > ############################################################
> > > <Handler Called-Station-Id = /1155$/>
> > > 	#AuthByPolicy ContinueAlways
> > >
> > >         <AuthBy RADIUS>
> > >                 #Synchronous
> > >                 #FailureBackoffTime
> > >                 #StripFromRequest
> > >                 #AddToRequest
> > >                 #NoForwardAuthentication
> > >                 #NoForwardAccounting
> > >
> > > 		#USERNAME =
> > >                 #PASSWORD =
> > >                 <Host xxx.xxx.xxx.xxx>
> > >                         Secret xxxxxxxxx
> > >                         AuthPort 11155
> > >                         #AcctPort 11156
> > >                         Retries 3
> > >                         RetryTimeout 10
> > >                 </Host>
> > >         </AuthBy>
> > > </Handler>
> > > #######################################################################
> > >
> > >
> > > ===
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
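
The three checks raised in this thread (a second Handler with the same match in an included file, an AuthBy SQL clause somewhere in the loaded configuration, and listening ports that differ from the ports radpwtst sends to) can be run over the configuration text itself. The following is an added example, not part of the original thread and not Radiator code; it parses only the clause syntax shown above, and legacy.cfg, the short file names and the host address are constructed for illustration.

```python
import re

RADPWTST_PORTS = {"AuthPort": 1645, "AcctPort": 1646}  # defaults named in the thread
# Constructed sample: the thread's layout plus a hypothetical stale include.
FILES = {
    "radius.cfg": "AuthPort 1812\nAcctPort 1813\ninclude 1155.cfg\ninclude legacy.cfg\n",
    "1155.cfg": "<Handler Called-Station-Id = /1155$/>\n<AuthBy RADIUS>\n<Host 192.0.2.10>\n"
                "AuthPort 11155\n</Host>\n</AuthBy>\n</Handler>\n",
    "legacy.cfg": "<Handler Called-Station-Id = /1155$/>\n<AuthBy SQL>\n</AuthBy>\n</Handler>\n",
}

def expand(name, files, seen=()):
    """Yield (file, line) pairs, following 'include' lines recursively."""
    if name in seen:
        return  # include loop
    for raw in files[name].splitlines():
        line = raw.strip()
        inc = re.match(r"include\s+(\S+)$", line)
        if inc:
            yield from expand(inc.group(1), files, seen + (name,))
        elif line and not line.startswith("#"):
            yield name, line

def audit(main, files, test_ports=RADPWTST_PORTS):
    ports, handlers, findings, stack = {}, [], [], []
    for src, line in expand(main, files):
        if line.startswith("</"):
            del stack[-1:]  # close innermost clause (no-op if unbalanced)
        elif line.startswith("<"):
            kind, _, arg = line[1:-1].partition(" ")
            stack.append(kind)
            if kind == "Handler":
                handlers.append({"match": arg.strip(), "file": src, "authby": []})
            elif kind == "AuthBy" and "Handler" in stack[:-1]:
                handlers[-1]["authby"].append(arg.strip())
        elif not stack and (m := re.match(r"(AuthPort|AcctPort)\s+(\d+)$", line)):
            ports[m.group(1)] = int(m.group(2))  # top level only, not a <Host> port
    for key, want in test_ports.items():
        if ports.get(key, want) != want:
            findings.append(f"{key} {ports[key]} differs from test client port {want}")
    first = {}
    for h in handlers:
        if h["match"] in first:
            findings.append(f"duplicate Handler {h['match']} in {first[h['match']]} and {h['file']}")
        first.setdefault(h["match"], h["file"])
        if "SQL" in h["authby"]:
            findings.append(f"AuthBy SQL in Handler {h['match']} ({h['file']})")
    return ports, handlers, findings
```

Calling `audit("radius.cfg", FILES)` on the constructed sample reports both port mismatches, the duplicate Handler and the AuthBy SQL clause, while the `AuthPort 11155` inside `<Host>` is correctly ignored as a proxy target port.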

