Proxy RADIUS problem

Richard Vander Reyden vanderreydenr at zircon.com.au
Mon Jan 20 17:33:27 CST 2003


Hi,

I am currently having a problem with authentication of VPDN PPP sessions
from a Cisco 7206 router.

When I send this directly to the authentication radius server the
authentication works fine.  But when I try and proxy this via another server
the authentication gets rejected with bad password.

The proxy servers are working fine when proxying Lucent TNT ppp calls.

It appears as though the proxy servers are changing the User-Password
somehow.  Below are the relevant configurations of both the authentication
and proxy radius servers, as well as trace 4 logs.  At the bottom is also a
password log (with the passwords changed) but as you can see the second line
(which is the proxied one) has a garbled decode of the password.

Do you know what may be causing this?

The proxy radius server is running Radiator 3.4 and the authentication
radius server is running Radiator 3.4

Thanks

Richard


Relevant bits of Authentication RADIUS Server
<Client 203.76.13.132>
        Identifier ConnectADSL
        NasType CiscoVPDN
        Secret  secret
        IdenticalClients 203.76.0.129
</Client>

<Client 203.32.160.9>
        Identifier ConnectADSL
        IdenticalClients 203.32.166.111
        Secret secret
        NasType Ascend
</Client>
<Handler Realm=zircon.com.au, Client-Identifier=ConnectADSL>
        <AuthBy FILE>
                Filename /usr/local/etc/radius/data/users
                Nocache
        </AuthBy>
        AcctLogFileName /var/log/radius/adsltesting.acct
        PasswordLogFileName /var/log/radius/adslpassword
</Handler>


Relevant config bits of Proxy RADIUS Server

Trace 1

Foreground

AuthPort        1812
AcctPort        1813

DbDir /usr/local/etc/radius/raddb
LogDir /var/log/radius
DictionaryFile %D/dictionary
<Client 203.76.0.129>
        Identifier ADSL
        NasType CiscoVPDN
        Secret secret
</Client>
<Handler Realm=zircon.com.au, Client-Identifier=ADSL>
#       RewriteUsername s/^([^@]+).*/$1/
        AuthBy STAFF
        AcctLogFileName /var/log/radius/adsltesting.acct
</Handler>
<AuthBy RADIUS>
        Identifier STAFF
        Host staff.syd.ip.net.au
        AuthPort 1812
        AcctPort 1813
        RetryTimeout 15
        Retries 0
        Secret secret
</AuthBy>


Direct Authentication Logfile

Tue Jan 21 09:25:52 2003: DEBUG: Packet dump:
*** Received from 203.76.0.129 port 1645 ....
Code:       Access-Request
Identifier: 174
Authentic:  <213><240><23>h<<192><172>I<217><11><152><245><222>M<167><159>
Attributes:
        NAS-IP-Address = 203.76.0.129
        NAS-Port = 1
        Cisco-NAS-Port = "Virtual-Access1"
        NAS-Port-Type = Virtual
        User-Name = "richardv at zircon.com.au"
        Calling-Station-Id = "nkt112100600855"
        User-Password = "<247><16>)HZ=<222><214><162><182>7V<236>f<252><217>"
        Service-Type = Framed-User
        Framed-Protocol = PPP

Tue Jan 21 09:25:52 2003: DEBUG: Handling request with Handler
'Realm=zircon.com.au, Client-Identifier=ConnectADSL'
Tue Jan 21 09:25:52 2003: DEBUG:  Deleting session for
richardv at zircon.com.au, 203.76.0.129, 1
Tue Jan 21 09:25:52 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Jan 21 09:25:52 2003: DEBUG: Reading users file
/usr/local/etc/radius/data/users
Tue Jan 21 09:25:52 2003: DEBUG: Radius::AuthFILE looks for match with
richardv at zircon.com.au
Tue Jan 21 09:25:52 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Jan 21 09:25:52 2003: DEBUG: Access accepted for richardv at zircon.com.au
Tue Jan 21 09:25:52 2003: DEBUG: Packet dump:
*** Sending to 203.76.0.129 port 1645 ....
Code:       Access-Accept
Identifier: 174
Authentic:  <213><240><23>h<<192><172>I<217><11><152><245><222>M<167><159>
Attributes:
        Framed-IP-Address = 203.76.9.174
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Route = "203.76.9.128/29 203.76.9.174 1"
        Port-Limit = 2
        Idle-Timeout = 60
        Session-Timeout = 1200




Via Proxy Server

PROXY Server LOGFILE

Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
*** Received from 203.76.0.129 port 1645 ....
Code:       Access-Request
Identifier: 195
Authentic:  <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
        NAS-IP-Address = 203.76.0.129
        NAS-Port = 1
        Cisco-NAS-Port = "Virtual-Access1"
        NAS-Port-Type = Virtual
        User-Name = "richardv at zircon.com.au"
        Calling-Station-Id = "nkt112100600855"
        User-Password = "Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145>"
        Service-Type = Framed-User
        Framed-Protocol = PPP

Tue Jan 21 09:35:29 2003: DEBUG: Handling request with Handler
'Realm=zircon.com.au, Client-Identifier=ADSL'
Tue Jan 21 09:35:29 2003: DEBUG: SDB1 Deleting session for
richardv at zircon.com.au, 203.76.0.129, 1
Tue Jan 21 09:35:29 2003: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='203.76.0.129' and NASPORT=1

Tue Jan 21 09:35:29 2003: DEBUG: Handling with Radius::AuthRADIUS
Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
*** Sending to 203.32.166.18 port 1812 ....
Code:       Access-Request
Identifier: 1
Authentic:  <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
        NAS-IP-Address = 203.76.0.129
        NAS-Port = 1
        Cisco-NAS-Port = "Virtual-Access1"
        NAS-Port-Type = Virtual
        User-Name = "richardv at zircon.com.au"
        Calling-Station-Id = "nkt112100600855"
        User-Password = "Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145><251><135><241><131>DBM<184>W6<197><244><165><206><204><243>"
        Service-Type = Framed-User
        Framed-Protocol = PPP

Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
*** Received from 203.32.166.18 port 1812 ....
Code:       Access-Reject
Identifier: 1
Authentic:  n|<202><227><168>v<246>e<183><219><174><222><241><178><190>6
Attributes:
        Reply-Message = "Request Denied"

Tue Jan 21 09:35:30 2003: DEBUG: Received reply in AuthRADIUS for req 1 from
203.32.166.18:1812
Tue Jan 21 09:35:30 2003: INFO: Access rejected for richardv at zircon.com.au:
Proxied
Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
*** Sending to 203.76.0.129 port 1645 ....
Code:       Access-Reject
Identifier: 195
Authentic:  <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
        Reply-Message = "Request Denied"
        Reply-Message = "Request Denied"


Logfile from Authenticating RADIUS Server

Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
*** Received from 203.32.160.9 port 1124 ....
Code:       Access-Request
Identifier: 1
Authentic:  <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
        NAS-IP-Address = 203.76.0.129
        NAS-Port = 1
        Cisco-NAS-Port = "Virtual-Access1"
        NAS-Port-Type = Virtual
        User-Name = "richardv at zircon.com.au"
        Calling-Station-Id = "nkt112100600855"
        User-Password = "Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145><251><135><241><131>DBM<184>W6<197><244><165><206><204><243>"
        Service-Type = Framed-User
        Framed-Protocol = PPP

Tue Jan 21 09:35:30 2003: DEBUG: Handling request with Handler
'Realm=zircon.com.au, Client-Identifier=ConnectADSL'
Tue Jan 21 09:35:30 2003: DEBUG:  Deleting session for
richardv at zircon.com.au, 203.76.0.129, 1
Tue Jan 21 09:35:30 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Jan 21 09:35:30 2003: DEBUG: Reading users file
/usr/local/etc/radius/data/users
Tue Jan 21 09:35:30 2003: DEBUG: Radius::AuthFILE looks for match with
richardv at zircon.com.au
Tue Jan 21 09:35:30 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Tue Jan 21 09:35:30 2003: DEBUG: Reading users file
/usr/local/etc/radius/data/users
Tue Jan 21 09:35:30 2003: INFO: Access rejected for richardv at zircon.com.au:
Bad Password
Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
*** Sending to 203.32.160.9 port 1124 ....
Code:       Access-Reject
Identifier: 1
Authentic:  <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
        Reply-Message = "Request Denied"


PASSWORD LOGFILE
Tue Jan 21 09:25:52 2003:1043101552:richardv at zircon.com.au:correctpassword:correctpassword:PASS
Tue Jan 21 09:35:30 2003:1043102130:richardv at zircon.com.au:(¯þbbǽX"æu3:correctpassword:FAIL


Richard Vander Reyden            E: vanderreydenr at zircon.com.au
Network & Product Engineer       P: +61 2 8304 9300
Zircon Systems Pty Ltd           F: +61 2 9669 2912
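
The proxy hop in the post is a User-Password reveal with the NAS-side shared secret followed by a re-hide with the upstream secret (RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with MD5(secret + previous ciphertext block), the Request Authenticator seeding the first block). The following is an added example, not Radiator's code and not from the post; the secrets, password and Request Authenticator are constructed. It implements the hiding and reveal, the proxy re-hide, and two checks a practitioner can run on the two trace 4 dumps above without knowing any secret: the attribute grew from 16 to 32 bytes on the proxy hop, which a correct reveal/re-hide of a 16-byte attribute cannot produce, and the first 16 bytes were forwarded unchanged under the same Request Authenticator (the Authentic: lines of the received and forwarded packets are identical in the dumps), which only happens when the NAS-side and upstream-side secrets are the same value. The demo also shows what the authenticating server decodes when its Client Secret for the proxy differs from the proxy's AuthBy RADIUS Secret: 16 bytes of junk, the shape of the FAIL line in the password log.

```python
# Added example: RFC 2865 section 5.2 User-Password hiding on the proxy hop.
# Not Radiator's code and not from the post; all values below are constructed.
import hashlib

BLOCK = 16

# Constructed stand-ins for the redacted "secret" entries in the post.
NAS_SECRET = b"nas-to-proxy-secret"        # proxy <Client 203.76.0.129> Secret
UPSTREAM_SECRET = b"proxy-to-auth-secret"  # proxy <AuthBy RADIUS> Secret


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 hiding: pad with NULs to a multiple of 16, then
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\0" * ((-len(password)) % BLOCK)  # 16 stays 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding as a receiver does."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], key))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\0")


def proxy_rehide(hidden: bytes, nas_secret: bytes, upstream_secret: bytes,
                 authenticator: bytes) -> bytes:
    """What the proxy hop must do: reveal with the NAS-side secret, re-hide
    with the upstream secret. The post's dumps show the proxy forwarding the
    NAS's Request Authenticator unchanged, so the same one is reused here."""
    plain = reveal_password(hidden, nas_secret, authenticator)
    return hide_password(plain, upstream_secret, authenticator)


def diagnose_proxy_hop(from_nas: bytes, forwarded: bytes) -> dict:
    """Two checks that need only the received and forwarded User-Password
    bytes from the trace dumps, not any secret."""
    return {
        # A correct reveal of N bytes yields at most N bytes of plaintext, and
        # hiding <= N bytes yields exactly N, so a longer forwarded attribute
        # cannot be the result of a correct reveal/re-hide of the received one.
        "forwarded_longer_than_received": len(forwarded) > len(from_nas),
        # With the authenticator reused, the first block is unchanged only when
        # the NAS-side and upstream-side secrets are the same value.
        "first_block_unchanged": forwarded[:BLOCK] == from_nas[:BLOCK],
    }


def demo() -> dict:
    """Constructed run: a correct proxy hop, decoded once with the matching
    upstream secret and once with a mismatched auth-server Client Secret."""
    ra = hashlib.md5(b"constructed request authenticator").digest()
    pw = b"correctpassword"
    from_nas = hide_password(pw, NAS_SECRET, ra)
    forwarded = proxy_rehide(from_nas, NAS_SECRET, UPSTREAM_SECRET, ra)
    return {
        "from_nas_len": len(from_nas),
        "forwarded_len": len(forwarded),
        # Auth server whose <Client> Secret matches the proxy's AuthBy Secret.
        "auth_server_sees": reveal_password(forwarded, UPSTREAM_SECRET, ra),
        # Auth server whose <Client> Secret for the proxy differs: junk bytes,
        # the shape of the FAIL line in the password log.
        "auth_server_sees_with_wrong_secret":
            reveal_password(forwarded, b"mismatched-secret", ra),
        "flags": diagnose_proxy_hop(from_nas, forwarded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against the post's own dumps, diagnose_proxy_hop() reports both flags set: the forwarded attribute is twice the received length, and its first 16 bytes equal the received ciphertext. The second flag is consistent with the proxy using the same secret on both hops; the first is an anomaly on the proxy side that no choice of secrets explains, so it is the thing to chase before comparing Client and AuthBy secrets between the two servers.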
