Fwd: (RADIATOR) WARNING: Bad EAP Message-Authenticator
Dave Albertson
wavey at intercom.net
Mon Sep 24 08:28:19 CDT 2001
Hello all, Mike and Hugh,
I forgot to tell you in my first note that I did try
IgnoreAcctSignature
IgnoreAcctSignature yes
IgnoreAcctSignature no
IgnoreAcctSignature 0
in the default client handler (the only client handler) to no avail. Gave
the same error
>>Wed Sep 19 12:17:32 2001: WARNING: Bad EAP Message-Authenticator
>>Wed Sep 19 12:17:32 2001: WARNING: Bad authenticator in request from
Also definitely no proxy involved. I hop on the bay 5399 and point it directly
to the IP that Radiator is listening to.
The secret I am sure is correct not only because I have changed it a million
times but because it works with an older install (Radiator 2.16.3) on another box.
I have the latest firmware installed for my bay 5000 terminal server. I
could not find anything about EAP in the documents for the terminal server.
Thank you in advance
David Albertson
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Dave Albertson" <wavey at intercom.net>
Sent: Thursday, September 20, 2001 12:50 AM
Subject: Fwd: Re: Fwd: (RADIATOR) WARNING: Bad EAP Message-Authenticator
>
> Hello Dave -
>
> Here is Mike's reply regarding your problem.
>
> Note that you can also set the IgnoreAcctSignature flag in the Client clause
> which will also disable the checking of the Access-Request.
>
> Please let us know what you end up doing.
>
> regards
>
> Hugh
>
>
> ---------- Forwarded Message ----------
> Subject: Re: Fwd: (RADIATOR) WARNING: Bad EAP Message-Authenticator
> Date: Thu, 20 Sep 2001 11:29:13 +1000
> From: Mike McCauley <mikem at open.com.au>
> To: hugh at open.com.au
>
>
> Hi Hugh,
>
>
> I have had another look at the code and RFC2869, and as far as I can see
> Radiator is doing the right thing: it is permitted to have a bare
> Message-Authenticator to protect any Radius packet and Radiator is checking
> it as per RFC
>
> So either:
> 1. The shared secret is wrong.
> 2. The packet has been proxied via another radius server that does not know
> how to handle Message-Authenticator properly
> 3. The originating NAS is not computing Message-Authenticator properly
> 4. There is something that I don't understand going on.
>
> Cheers.
>
> On Thu, 20 Sep 2001 09:55, you wrote:
> > Mike -
> >
> > As discussed.
> >
> > cheers
> >
> > Hugh
> >
> >
> > ---------- Forwarded Message ----------
> > Subject: (RADIATOR) WARNING: Bad EAP Message-Authenticator
> > Date: Wed, 19 Sep 2001 12:46:25 -0400
> > From: "Dave Albertson" <wavey at intercom.net>
> > To: <radiator at open.com.au>
> >
> >
> > Trying to set up a new install of Radiator 2.18.4.
> >
> > Would like requests to go through a user file to get reply attributes then
> > to be authed via system as the users all have local accounts on the same
> > solaris box.
> >
> > It works as it should so long as I use radpwtst but when I point a bay 5399
> > RAC at the radius server start getting
> > WARNING: Bad EAP Message-Authenticator
> > WARNING: Bad authenticator in request from DEFAULT (216.240.100.231)
> >
> > I know that the shared secret is correct. The radius server handles
> > accounting just fine for radpwtst and the bay rac. Any ideas ? Please
> > help.
> >
> > Thank you in advance!
> >
> > included is
> > config file (radius.cfg)
> > user file
> > radpwtst trace 4
> > real security requests from bay rac trace 4
> >
> >
> >
> >
> > RADIUS.CFG
> > ################################################
> > Foreground
> > LogStdout
> > Trace 4
> > DbDir /etc/Radiator
> > LogDir /var/adm
> > LogFile /var/adm/radiusd.log
> > BindAddress 216.240.106.10
> >
> > PidFile /etc/Radiator/radiusd.pid
> >
> > RewriteUsername tr/-A-Za-z0-9_\.\@//cd
> >
> > <Log FILE>
> > Filename /var/adm/radius.log
> > </Log FILE>
> >
> >
> > <Client localhost>
> > Secret xxxxxx
> > </Client>
> >
> >
> > <Client DEFAULT>
> > NasType Bay
> > Secret xxxxxx
> > </Client>
> >
> >
> > <Handler>
> >
> > AuthByPolicy ContinueAlways
> >
> > <AuthBy FILE>
> > Filename /etc/Radiator/users
> > AddToReply NAS-Port=0
> > </AuthBy>
> >
> >
> >
> > # Log accounting to the detail file in LogDir
> > AcctLogFileName /var/adm/radacct/%N/detail
> > PasswordLogFileName /var/adm/radius.log
> > ExcludeFromPasswordLog root admin ronh kennethj ward wavey
> > </Handler>
> >
> >
> > <AuthBy SYSTEM>
> > Identifier System
> > UseGetspnamf
> > </AuthBy>
> > #######################################################
> >
> > USERS
> >
> > wavey Auth-Type = System
> >     Service-Type = Framed-User,
> >     Session-Timeout = 28800,
> >     Idle-Timeout = 900,
> >     Framed-Protocol = PPP,
> >     Framed-IP-Address = 216.240.110.251,
> >     Framed-Routing = None,
> >     Framed-MTU = 1500,
> >     Framed-Compression = Van-Jacobson-TCP-IP
> >
> >
> > DEFAULT Auth-Type = System, Simultaneous-Use = 1
> >     Session-Timeout = 28800,
> >     Idle-Timeout = 900,
> >     Framed-IP-Address = 255.255.255.254,
> >     Framed-MTU = 1500,
> >     Service-Type = Framed-User,
> >     Framed-Protocol = PPP,
> >     Framed-Compression = Van-Jacobson-TCP-IP
> > #############################################################
> >
> > TRACE 4 W/ radpwtst -user wavey -password xxxx
> >
> > Radiator> sudo perl ./radiusd -config_file radius.cfg -dictionary_file dictionary
> > Wed Sep 19 12:11:40 2001: DEBUG: Reading users file /etc/Radiator/users
> > Wed Sep 19 12:11:42 2001: INFO: Server started: Radiator 2.18.4 on urchin
> > Wed Sep 19 12:12:41 2001: DEBUG: Packet dump:
> > *** Received from 216.240.106.3 port 36119 ....
> > Code: Access-Request
> > Identifier: 160
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "wavey"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password = "N<214><203><168><193>S<163>B<199><240><248><160><254><239><232>'"
> >
> > Wed Sep 19 12:12:41 2001: DEBUG: Rewrote user name to wavey
> > Wed Sep 19 12:12:41 2001: DEBUG: Check if Handler should be used to handle this request
> > Wed Sep 19 12:12:41 2001: DEBUG: Handling request with Handler ''
> > Wed Sep 19 12:12:41 2001: DEBUG: Deleting session for wavey, 203.63.154.1, 1234
> > Wed Sep 19 12:12:41 2001: DEBUG: Handling with Radius::AuthFILE:
> > Wed Sep 19 12:12:41 2001: DEBUG: Radius::AuthFILE looks for match with wavey
> > Wed Sep 19 12:12:41 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> > Wed Sep 19 12:12:41 2001: DEBUG: Handling with Radius::AuthSYSTEM: System
> > Wed Sep 19 12:12:42 2001: DEBUG: getpwnam got wavey, KpYDRRUwrn6Hc, 896, 10, , David Albertson,001004, David Albertson,001004, /export/home/w/wavey, /usr/local/bin/tcsh, -1
> > Wed Sep 19 12:12:42 2001: DEBUG: Radius::AuthSYSTEM looks for match with wavey
> > Wed Sep 19 12:12:42 2001: DEBUG: Radius::AuthSYSTEM ACCEPT:
> > Wed Sep 19 12:12:42 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Sep 19 12:12:42 2001: DEBUG: Access accepted for wavey
> > Wed Sep 19 12:12:42 2001: DEBUG: Packet dump:
> > *** Sending to 216.240.106.3 port 36119 ....
> > Code: Access-Accept
> > Identifier: 160
> > Authentic: 1234567890123456
> > Attributes:
> > Framed-IP-Address = 255.255.255.254
> > Session-Timeout = 28800
> > Idle-Timeout = 900
> > Framed-MTU = 1500
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Framed-Compression = Van-Jacobson-TCP-IP
> > NAS-Port = 0
> >
> > Wed Sep 19 12:12:42 2001: DEBUG: Packet dump:
> >
> > ##################################################################
> >
> > TRACE 4 from bay annex 5399 RAC (Real requests from customers)
> >
> > Wed Sep 19 12:17:04 2001: DEBUG: Reading users file /etc/Radiator/users
> > Wed Sep 19 12:17:06 2001: INFO: Server started: Radiator 2.18.4 on urchin
> > Wed Sep 19 12:17:32 2001: DEBUG: Packet dump:
> > *** Received from 216.240.100.231 port 1576 ....
> > Code: Access-Request
> > Identifier: 250
> > Authentic: <156>p<9><146><129><192><7>vf<16><6>\K`<4><0>
> > Attributes:
> > User-Name = "billsue1"
> > User-Password = "7<15><142>6<193>3<181><167><228><131><20><140><166>[<206><133>"
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > NAS-IP-Address = 216.240.100.231
> > Framed-IP-Address = 216.240.100.1
> > NAS-Port = 28
> > Annex-Port = 20101
> > NAS-Port-Type = Async
> > Connect-Info = "42666 28800 V.90"
> > Annex-Transmit-Speed = 42666
> > Annex-Receive-Speed = 28800
> > Annex-Wan-Number = 1
> > Annex-Logical-Channel-Number = 8
> > Called-Station-Id = "8240550"
> > Calling-Station-Id = "7573365256"
> > Message-Authenticator = <5><251><224>yL<205>.<129><149>:D<29>V\<134>v
> >
> > Wed Sep 19 12:17:32 2001: DEBUG: Rewrote user name to billsue1
> > Wed Sep 19 12:17:32 2001: WARNING: Bad EAP Message-Authenticator
> > Wed Sep 19 12:17:32 2001: WARNING: Bad authenticator in request from DEFAULT (216.240.100.231)
> > Wed Sep 19 12:17:38 2001: DEBUG: Packet dump:
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> > -------------------------------------------------------
>
> -------------------------------------------------------
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
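The Message-Authenticator check discussed in this thread, written out per RFC 2869 as an added example; it is not part of the original messages and is not Radiator's code. The function names, the shared secret and the sample packet are constructed for illustration. It shows a correctly signed Access-Request passing, and the same request failing when the secret differs or when an attribute is rewritten in transit without re-signing.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, authenticator, attrs, secret):
    """Assemble an Access-Request and sign it the way a NAS should."""
    body = b"".join(attrs) + attr(MSG_AUTH, bytes(16))  # zero placeholder
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(body)))
    pkt += authenticator + body
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def check_message_authenticator(pkt, secret):
    """True/False for the HMAC check, None if the attribute is absent."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            # HMAC-MD5 over the whole packet with the 16 value octets zeroed
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return None

# Constructed sample data, not taken from the trace in the thread.
SECRET = b"example-secret"
REQ = build_access_request(
    250, bytes(range(16)),
    [attr(1, b"billsue1"), attr(5, struct.pack("!I", 28))], SECRET)
# A relay that rewrites NAS-Port (last octet at offset 35) without re-signing.
REWRITTEN = REQ[:35] + b"\x00" + REQ[36:]

if __name__ == "__main__":
    print("NAS and server agree:", check_message_authenticator(REQ, SECRET))
    print("wrong secret:", check_message_authenticator(REQ, b"other-secret"))
    print("rewritten in transit:", check_message_authenticator(REWRITTEN, SECRET))
```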