(RADIATOR) Authentication via proxy

Hugh Irvine hugh at open.com.au
Tue Jul 2 18:52:59 CDT 2002


Hello Chris -

If you use radpwtst on the localhost for testing, the shared secret by default 
is "mysecret", so if you change the secret in the <Client localhost> clause 
you should see the same behaviour as for the other Client.

You can set up the <Client localhost> clause with the shared secret of the 
Client that has problems and use radpwtst with the -secret flag to verify 
correct operation.

I.e.:

<Client localhost>
	Secret ***whatever***
	....
</Client>

then

radpwtst -secret ***whatever*** -user .... -password ....

If this test works, then you know that the shared secret on the problem Client 
is not correct.

BTW - keep in mind that there is one shared secret between the NAS and the 
remote proxy, and another shared secret between the proxy and your Radiator.

regards

Hugh


On Wed, 3 Jul 2002 03:36, chris wrote:
> I have added a client clause for every nas, and every proxy. I still get
> the same results.
> Is there any way to verify that the shared secrets indeed do not match?
>
> The radpwtst from localhost returns an OK for the user....
>
>
> Thanks,
> Chris
>
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "chris" <lists at powernet.net>
> Sent: Monday, July 01, 2002 4:18 PM
> Subject: Re: (RADIATOR) Authentication via proxy
>
> > Hello Chris -
> >
> > I am still quite sure that the problem is shared secrets.
> >
> > You should probably add a Client clause for the proxy:
> >
> > # define Client clause for proxy
> >
> > <Client 64.66.192.32>
> > Secret ......
> > .....
> > </Client>
> >
> > It is fairly easy to verify this by using radpwtst locally against the
> > <Client localhost> to make sure the user record is checked correctly.
> >
> > regards
> >
> > Hugh
> >
> > On Tue, 2 Jul 2002 04:00, chris wrote:
> > > I have verified shared secret, even tried setting to a simple number
> > > like 11 to rule out CaSe issues.
> > > I am still having the same issues
> > >
> > > I am not sure how much it matters, but the setup is like this......
> > > Our clients dial into PacWest NAS(Cisco)...Their NAS talks to their
> > > radius proxy that hands off to us.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Hugh Irvine" <hugh at open.com.au>
> > > To: "chris" <lists at powernet.net>; <radiator at open.com.au>
> > > Sent: Monday, June 24, 2002 4:21 PM
> > > Subject: Re: (RADIATOR) Authentication via proxy
> > >
> > > > Hello Chris -
> > > >
> > > > This is almost always due to incorrect shared secrets.
> > > >
> > > > If you still have problems, please send me a copy of your configuration
> > > > file and a copy of the user record from the users file, as well as a
> > > > trace 4 debug.
> > > >
> > > > regards
> > > >
> > > > Hugh
> > > >
> > > > On Tue, 25 Jun 2002 03:51, chris wrote:
> > > > > I am trying to set up a managed modem system with a local clec. They
> > > > > answer the calls and proxy to my radius. I am trying to figure out
> > > > > where the problem is in authentication. It brings the username over
> > > > > ok, but the password is garbled into non-printables....
> > > > >
> > > > > Here is a L5trace of one such session, am I overlooking something
> > > > > obvious?
> > > > >
> > > > > Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> > > > > *** Received from 64.66.192.33 port 34998 ....
> > > > >
> > > > > Packet length = 100
> > > > > 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> > > > > a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> > > > > 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> > > > > 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> > > > > 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> > > > > 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> > > > > 00 00 00 00
> > > > > Code:       Access-Request
> > > > > Identifier: 7
> > > > > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > > > > Attributes:
> > > > >         User-Name = "testme"
> > > > > Password =
> > > > > "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
> > > > > NAS-IP-Address = 63.93.57.35
> > > > >         NAS-Port = 18646
> > > > > Service-Type = Framed-User
> > > > > Framed-Protocol = PPP
> > > > > Called-Station-Id = "7024410063"
> > > > > Calling-Station-Id = "2099263677"
> > > > > NAS-Port-Type = Async
> > > > >         NAS-Port-Type = Async
> > > > >
> > > > > Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler
> > > > > 'Realm=DEFAULT'
> > > > > Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> > > > > Mon Jun 24 10:18:35 2002: DEBUG:  Deleting session for testme,
> > > > > 63.93.57.35, 18646
> > > > > Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> > > > > Mon Jun 24 10:18:35 2002: DEBUG: Reading users file
> > > > > /usr/local/etc/raddb/users
> > > > > Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with
> > > > > testme
> > > > > Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> > > > > Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad
> > > > > Password
> > > > > Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
> > > > > *** Sending to 64.66.192.33 port 34998 ....
> > > > > Code:       Access-Reject
> > > > > Identifier: 7
> > > > > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > > > > Attributes:
> > > > >         Reply-Message = "Request Denied"
> > > > > Reply-Message = "Bad Password"
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Chris
> > > > >
> > > > >
> > > > > ===
> > > > > Archive at http://www.open.com.au/archives/radiator/
> > > > > Announcements on radiator-announce at open.com.au
> > > > > To unsubscribe, email 'majordomo at open.com.au' with
> > > > > 'unsubscribe radiator' in the body of the message.
> > > >
> > > > --
> > > > Radiator: the most portable, flexible and configurable RADIUS server
> > > > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > > > -
> > > > Nets: internetwork inventory and management - graphical, extensible,
> > > > flexible with hardware, software, platform and database independence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
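
Added example (not part of the original thread and not Radiator code): the Password value in the quoted trace is byte-for-byte attribute 2 from the hex dump, i.e. the RFC 2865 hidden form, so whether a given Secret fits can be checked offline by decoding it with the request authenticator. The function names are assumptions of this sketch, and secret_plausible assumes an ASCII password.

```python
import hashlib

# Access-Request bytes copied from the packet dump quoted in this thread.
DUMP = bytes.fromhex(
    "01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d "
    "a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02 "
    "83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06 "
    "3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02 "
    "07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30 "
    "36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06 "
    "00 00 00 00")

def parse_request(packet):
    """Return (request authenticator, {attribute type: first value})."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + alen])
        pos += alen
    return packet[4:20], attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """What the server does on receipt; a wrong secret yields random bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def secret_plausible(hidden, secret, authenticator):
    """Heuristic (assumes an ASCII password): printable result => secret fits."""
    clear = reveal_password(hidden, secret, authenticator)
    return bool(clear) and all(32 <= b < 127 for b in clear)
```

Feed it the authenticator and attribute 2 from parse_request(DUMP) together with the Secret from the Client clause that matched the sender; a non-printable result means that Secret is not the one the sender used to hide the password.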

