(RADIATOR) MegaPOP Auth Problems?

Hugh Irvine hugh at open.com.au
Fri Jul 13 20:30:35 CDT 2001


Hello Jeremy -

This sounds very much like the shared secrets are not set correctly.

hth

Hugh

On Saturday 14 July 2001 00:55, Jeremy Bushman wrote:
> I am having some problems getting our new MegaPOP sites to auth users. The
> problem is that the username makes it ok, but the password shows up as a
> bunch of garbage.
>
> I end up with entries like this:
>
> Tue Jul 10 20:55:17 2001:994816517:USERNAME:^Wg^UzaW:PASSWORD:FAIL:64.24.37.5
> Tue Jul 10 20:55:35 2001:994816535:USERNAME:^Wg^UzaW:PASSWORD:FAIL:64.24.37.5
> Tue Jul 10 20:58:50 2001:994816730:USERNAME:^X^S^Jo^A^N^W>Bb-^[:PASSWORD:FAIL:64.24.37.4
> Tue Jul 10 20:59:08 2001:994816748:USERNAME:^X^S^Jo^A^N^W>Bb-^[:PASSWORD:FAIL:64.24.37.4
>
> I've tried various MegaPOP numbers across the country and come up with the
> same problem. I can take the same user and dial into any of our POP's just
> fine.
>
> I've presented this information to MegaPOP and they just replied:
>
> "When I run a radtest through our radius, I get a timeout.  When I
> bounce it directly off your radius, I get "Request Denied".  This
> sounds like a problem(s) in your radius configuration."
>
> Could this possibly be a problem with my Client statement? An example:
>
> <Client 216.126.128.8>
>         Secret *******
>         RewriteUsername s/\s//g;
>         DupInterval 300
>         NasType ignore
> </Client>
>
> I have an entry exactly like this for each of the MegaPOP radius servers,
> as well as a few of our RAS's. (Something with the "NasType ignore" that
> we need)
>
> I am also doing some re-writes in the Handler field, but that is just
> appending domains and converting uppercase to lowercase, the same things
> we are doing for all our POP's.
>
> I've tried a Trace 4 and it just looks like we are getting a bad password
> from MegaPOP.
>
> Anyone have any insight or ideas?
>
> Thank you.
>
> ----------------------------------------------------
> Jeremy Bushman                  (Voice) 563-557-8463
> Network Operations Center
> MidWest Communications, Inc.
> 241 Main St.                    noc at mwci.net
> Dubuque, IA  52001              jbushman at mwci.net
> ----------------------------------------------------
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
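
Why a wrong shared secret shows up as a garbage password, as an added example that is not code from the list or from Radiator: RADIUS hides User-Password by XORing it with MD5(secret + Request Authenticator) (RFC 2865, section 5.2), so a server holding a different secret decodes noise. The secrets, password and authenticator below are constructed sample values, and the function names are illustrative.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Sender side (NAS or proxy): RFC 2865 section 5.2 User-Password hiding."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], _keystream(secret, prev))
        out += prev                                 # next block chains on this one
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Receiver side: the server undoes the XOR with its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _keystream(secret, prev))
        prev = block
    return out.rstrip(b"\x00")

def looks_like_secret_mismatch(recovered: bytes) -> bool:
    """Heuristic: control or 8-bit bytes in a decoded password suggest a wrong secret."""
    return any(b < 0x20 or b > 0x7E for b in recovered)

# Constructed sample values (not taken from the thread).
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"       # 21 bytes, so two 16-byte blocks
SENDER_SECRET = b"secret-on-the-proxy"
SERVER_SECRET = b"secret-in-client-clause"

def demo():
    hidden = hide_password(PASSWORD, SENDER_SECRET, AUTHENTICATOR)
    good = recover_password(hidden, SENDER_SECRET, AUTHENTICATOR)
    bad = recover_password(hidden, SERVER_SECRET, AUTHENTICATOR)
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("matching secret  :", good, looks_like_secret_mismatch(good))
    print("mismatched secret:", bad, looks_like_secret_mismatch(bad))
```

The user name travels in clear text, which is why it logs correctly while the password does not.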
===
From: Hugh Irvine <hugh at open.com.au>
Reply-To: hugh at open.com.au
Organization: Open System Consultants
To: Dmitry Kopylov <dmitry.kopylov at bbned.nl>,
   "'radiator at open.com.au'" <radiator at open.com.au>
Subject: Re: (RADIATOR) MaxSessions issue, still a problem
Date: Sat, 14 Jul 2001 11:43:03 +1000


Hello Dmitry -

I see.

I think you have two choices: first (preferred) is to change the proxy so it 
sends you all requests with the realm intact, and second is to add an 
additional proxy in front of your Radiator that only rewrites the usernames. 
The only way that the session database is going to work reliably is if it 
always gets the usernames in the same format.

regards

Hugh


On Friday 13 July 2001 20:58, Dmitry Kopylov wrote:
> Hello,
>
> and the problem here is that NAS generates the Access-Request in form
> "username at realm", proxy strips off the realm name and my Radiator
> receives just "username". Whereas the accounting request approaches the
> Radiator in its original form e.g. "username at realm". So the session
> database is built up based on the "username at realm" and not on the
> "username". The question here is if it's possible to rewrite the User-Name
> in Accounting request?  Or maybe there is another solution?
>
> regards,
> Dmitry Kopylov
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, July 13, 2001 8:43 AM
> To: Vangelis Kyriakakis; radiator at open.com.au
> Subject: Re: (RADIATOR) MaxSessions issue, still a problem
>
>
>
> Hello Vangelis -
>
> Actually, an internal session database is exactly that - a session database
> held entirely in memory. The username in each request is what is used, as
> follows: Access-Request - check current sessions and reject if limit
> exceeded, Accounting Start - add new record, Accounting Start - delete
> record.
>
> regards
>
> Hugh
>
> On Thursday 12 July 2001 22:33, Vangelis Kyriakakis wrote:
> > I think the problem when you use the Internal session database is that it
> > uses the username from the Accounting file to count the number of sessions.
> > When a new user logs in it checks the rewritten username against the
> > session database. So it checks with the name uunoc and not with the
> > uunoc at bbeyond.nl and sees that it hasn't logged in again. I had the same
> > problem with small and capital letters.
> >    Maxsession 0 works always since there's no need to check the session
> > database...
> >
> >                    Vangelis
> >
> > Dmitry Kopylov wrote:
> > > Hi,
> > >
> > > I upgraded to the 18.2.2 but the problem with MaxSession still exists.
> > > Here is part of config and trace 4 output:
> > >
> > > <Handler Realm=bbeyond.nl>
> > >         RewriteUsername s/^([^@]+).*/$1/
> > >         MaxSessions 1
> > >         <AuthBy FILE>
> > >         </AuthBy>
> > >         AcctLogFileName %L/bbeyond/details
> > >         PasswordLogFileName %L/bbeyond/uunet-passwords.log
> > > </Handler>
> > >
> > > If I set MaxSessions 0, it works and rejects all sessions, but when I set
> > > MaxSessions to 1 it allows the second connection with the same
> > > username.
> > >
> > > MaxSessions 0:
> > >
> > > Thu Jul 12 11:30:06 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> > > Thu Jul 12 11:30:06 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> > > Thu Jul 12 11:30:06 2001: INFO: Server started: Radiator 2.18.2 on bbyrad1.bbeyond.nl
> > > Thu Jul 12 11:30:25 2001: DEBUG: Packet dump:
> > > *** Received from 62.177.149.2 port 1645 ....
> > > Code:       Access-Request
> > > Identifier: 102
> > > Authentic:  z<211><178><22><170><220><204><200><219>w6<5>;<11>>:
> > > Attributes:
> > >         User-Name = "uunoc at bbeyond.nl"
> > >         User-Password = "_<178><219>A<0><201><238><192>3<130><183>
> > > <28>@q<228>"
> > >         NAS-IP-Address = 213.116.1.14
> > >         NAS-Port = 70
> > >         NAS-Port-Type = Sync
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >         State = ""
> > >         Calling-Station-Id = "235652175"
> > >         Called-Station-Id = "0107110035"
> > >         Acct-Session-Id = "328619273"
> > >         Ascend-Data-Rate = 64000
> > >         Ascend-Xmit-Rate = 64000
> > >         Proxy-State =
> > > PX01<0><0><*z<211><178><22><170><220><204><200><219>w6<5>;
>
> <11>>:<0><2><6><149><213>t<1><14><0><0><0><0><0><0><0><0><0><0><0>F<0><2>
>
> > ><7> <20>
> >
> ><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0><224><199><221>h<25
> >
> > > >1><
> > >
> > > 225>
> > > <236>&<13>XA<188>NY<153>O
> > >
> > > Thu Jul 12 11:30:25 2001: DEBUG: Check if Handler Realm=bbeyond.nl should be used to handle this request
> > > Thu Jul 12 11:30:25 2001: DEBUG: Handling request with Handler 'Realm=bbeyond.nl'
> > > Thu Jul 12 11:30:25 2001: DEBUG: Rewrote user name to uunoc
> > > Thu Jul 12 11:30:25 2001: DEBUG:  Deleting session for uunoc at bbeyond.nl, 213.116.1.14, 70
> > > Thu Jul 12 11:30:25 2001: INFO: Access rejected for uunoc: MaxSessions exceeded
> > > Thu Jul 12 11:30:25 2001: DEBUG: Packet dump:
> > > *** Sending to 62.177.149.2 port 1645 ....
> > > Code:       Access-Reject
> > > Identifier: 102
> > > Authentic:  z<211><178><22><170><220><204><200><219>w6<5>;<11>>:
> > > Attributes:
> > >         Reply-Message = "Request Denied"
> > >
> > > MaxSessions 1:
> > >
> > > Thu Jul 12 11:31:26 2001: NOTICE: SIGTERM received: stopping
> > > Thu Jul 12 11:31:28 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> > > Thu Jul 12 11:31:28 2001: DEBUG: Reading users file /opt/radiator-2.18/raddb/users
> > > Thu Jul 12 11:31:29 2001: INFO: Server started: Radiator 2.18.2 on bbyrad1.bbeyond.nl
> > > Thu Jul 12 11:31:37 2001: DEBUG: Packet dump:
> > > *** Received from 62.177.149.1 port 1645 ....
> > > Code:       Access-Request
> > > Identifier: 173
> > > Authentic:  <242><12> <252>)<203>T<230><252><143>P<201><22>}9Y
> > > Attributes:
> > >         User-Name = "uunoc at bbeyond.nl"
> > >         User-Password = "e<218><137><3>\<17><241><230>gi<150>q <208>cn"
> > >         NAS-IP-Address = 213.116.1.30
> > >         NAS-Port = 2054
> > >         NAS-Port-Type = Sync
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >         State = ""
> > >         Calling-Station-Id = "235652175"
> > >         Called-Station-Id = "0107110035"
> > >         Acct-Session-Id = "347654980"
> > >         Ascend-Data-Rate = 64000
> > >         Ascend-Xmit-Rate = 64000
> > >         Proxy-State = PX01<0><0><9><254><242><12>
> > > <252>)<203>T<230><252><143>P<2
>
> 01><22>}9Y<0><2><6><140><213>t<1><30><0><0><0><0><0><0><0><0><0><0><8><6>
>
> > ><0> <2><
>
> 7><20>><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0>u<151><253>^<
>
> > >30> H<18
> > > 5><142><234><10>v\w<187><218>n
> > >
> > > Thu Jul 12 11:31:37 2001: DEBUG: Check if Handler Realm=bbeyond.nl should be used to handle this request
> > > Thu Jul 12 11:31:37 2001: DEBUG: Handling request with Handler 'Realm=bbeyond.nl'
> > > Thu Jul 12 11:31:37 2001: DEBUG: Rewrote user name to uunoc
> > > Thu Jul 12 11:31:37 2001: DEBUG:  Deleting session for uunoc at bbeyond.nl, 213.116.1.30, 2054
> > > Thu Jul 12 11:31:37 2001: DEBUG: Handling with Radius::AuthFILE
> > > Thu Jul 12 11:31:37 2001: DEBUG: Radius::AuthFILE looks for match with uunoc
> > > Thu Jul 12 11:31:37 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > > Thu Jul 12 11:31:37 2001: DEBUG: Access accepted for uunoc
> > > Thu Jul 12 11:31:37 2001: DEBUG: Packet dump:
> > > *** Sending to 62.177.149.1 port 1645 ....
> > > Code:       Access-Accept
> > > Identifier: 173
> > > Authentic:  <242><12> <252>)<203>T<230><252><143>P<201><22>}9Y
> > > Attributes:
> > >         Proxy-State = PX01<0><0><9><254><242><12>
> > > <252>)<203>T<230><252><143>P<2
>
> 01><22>}9Y<0><2><6><140><213>t<1><30><0><0><0><0><0><0><0><0><0><0><8><6>
>
> > ><0> <2><
>
> 7><20>><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0>u<151><253>^<
>
> > >30> H<18
> > > 5><142><234><10>v\w<187><218>n
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > > Thu Jul 12 11:32:09 2001: DEBUG: Packet dump:
> > > *** Received from 62.177.149.3 port 1645 ....
> > > Code:       Access-Request
> > > Identifier: 142
> > > Authentic:  <169>}<237><131><201><239><13>BCw<255><205><14><128><213>F
> > > Attributes:
> > >         User-Name = "uunoc at bbeyond.nl"
> > >         User-Password = "<229>jVD<174><222><25><10>U<246>o<242><229><3><7>*"
> > >         NAS-IP-Address = 213.116.1.11
> > >         NAS-Port = 3209
> > >         NAS-Port-Type = Sync
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >         State = ""
> > >         Calling-Station-Id = "235652175"
> > >         Called-Station-Id = "0107110035"
> > >         Acct-Session-Id = "328849897"
> > >         Ascend-Data-Rate = 64000
> > >         Ascend-Xmit-Rate = 64000
> > >         Proxy-State =
> > > PX01<0><0>]<184><169>}<237><131><201><239><13>BCw<255><205
> >
> ><14><128><213>F<0><2><6><142><213>t<1><11><0><0><0><0><0><0><0><0><0><0>
> >
> > > ><12 <13
>
> 7><0><2><7><20>><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0><130
>
> > >>s< 205>
> > >
> > > <<224><149>z<143>gH<147><173>k/<221><239>
> > >
> > > Thu Jul 12 11:32:09 2001: DEBUG: Check if Handler Realm=bbeyond.nl should be used to handle this request
> > > Thu Jul 12 11:32:09 2001: DEBUG: Handling request with Handler 'Realm=bbeyond.nl'
> > > Thu Jul 12 11:32:09 2001: DEBUG: Rewrote user name to uunoc
> > > Thu Jul 12 11:32:09 2001: DEBUG:  Deleting session for uunoc at bbeyond.nl, 213.116.1.11, 3209
> > > Thu Jul 12 11:32:09 2001: DEBUG: Handling with Radius::AuthFILE
> > > Thu Jul 12 11:32:09 2001: DEBUG: Radius::AuthFILE looks for match with uunoc
> > > Thu Jul 12 11:32:09 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > > Thu Jul 12 11:32:09 2001: DEBUG: Access accepted for uunoc
> > > Thu Jul 12 11:32:09 2001: DEBUG: Packet dump:
> > > *** Sending to 62.177.149.3 port 1645 ....
> > > Code:       Access-Accept
> > > Identifier: 142
> > > Authentic:  <169>}<237><131><201><239><13>BCw<255><205><14><128><213>F
> > > Attributes:
> > >         Proxy-State =
> > > PX01<0><0>]<184><169>}<237><131><201><239><13>BCw<255><205
> >
> ><14><128><213>F<0><2><6><142><213>t<1><11><0><0><0><0><0><0><0><0><0><0>
> >
> > > ><12 <13
>
> 7><0><2><7><20>><177><144><3><0><0><0><0><0><0><0><0><0><0><5><22><0><130
>
> > >>s< 205>
> > >
> > > <<224><149>z<143>gH<147><173>k/<221><239>
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >
> > > Regards,
> > > Dmitry Kopylov
> > >
> > > Network Architect ISP/DSL
> > > BBned
> > > Saturnusstraat 40-44
> > > 2132 HB Hoofdorp
> > > Phone: +31 23 5659953
> > > Fax:     +31 23 5633356
> > > Mobile: +31 62 7047960

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
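
The mismatch discussed in this thread, as an added model that is not Radiator's code or anything posted to the list: the limit check looks up the rewritten user name while accounting records are stored under the name as received, so the count for the rewritten name never rises. `SessionDB`, `strip_realm` and `second_login` are hypothetical names, and the address uses `@` where the archive prints " at ".

```python
import re

def strip_realm(user_name: str) -> str:
    """Python equivalent of the Handler's RewriteUsername s/^([^@]+).*/$1/."""
    return re.sub(r"^([^@]+).*", r"\1", user_name)

def identity(user_name: str) -> str:
    return user_name

class SessionDB:
    """Toy in-memory session table keyed by user name (a model, not Radiator code)."""

    def __init__(self, max_sessions: int, acct_rewrite=identity):
        self.max_sessions = max_sessions
        self.acct_rewrite = acct_rewrite   # normalisation applied to accounting names
        self.sessions = {}                 # user name -> {(nas, port), ...}

    def access_request(self, user_name: str) -> str:
        key = strip_realm(user_name)       # the limit check sees the rewritten name
        active = len(self.sessions.get(key, ()))
        return "Access-Accept" if active < self.max_sessions else "Access-Reject"

    def accounting_start(self, user_name: str, nas: str, port: int) -> None:
        key = self.acct_rewrite(user_name)
        self.sessions.setdefault(key, set()).add((nas, port))

    def accounting_stop(self, user_name: str, nas: str, port: int) -> None:
        self.sessions.get(self.acct_rewrite(user_name), set()).discard((nas, port))

def second_login(max_sessions: int, acct_rewrite) -> str:
    """Log the same user in from two NAS ports; return the second decision."""
    db = SessionDB(max_sessions, acct_rewrite)
    user = "uunoc@bbeyond.nl"              # shown as "uunoc at bbeyond.nl" in the archive
    if db.access_request(user) == "Access-Accept":
        db.accounting_start(user, "213.116.1.30", 2054)
    return db.access_request(user)

if __name__ == "__main__":
    print("accounting keyed on full name :", second_login(1, identity))
    print("accounting keyed on same form :", second_login(1, strip_realm))
    print("MaxSessions 0                 :", second_login(0, strip_realm))
```

Any concurrent-session limit enforced this way is only as strong as the guarantee that every request type reaches the session table with the user name in one canonical form, including letter case.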