(RADIATOR) Proxy RADIUS problem
Hugh Irvine
hugh at open.com.au
Tue Jan 21 18:00:17 CST 2003
Hello Richard -
Thanks for sending the files.
The usual reason for this type of problem is incorrect shared secrets.
You should check the shared secrets again and if you still have a
problem, please send us (not to the list) the configuration files with
secrets together with the contents of the users file with the real
passwords. And could you also include a trace 5 hex dump of the packets
so we can see exactly what is going on.
regards
Hugh
> I am currently having a problem with authentication of VPDN PPP sessions
> from a Cisco 7206 router.
>
> When I send this directly to the authentication radius server the
> authentication works fine. But when I try to proxy this via another
> server the authentication gets rejected with bad password.
>
> The proxy servers are working fine when proxying Lucent TNT ppp calls.
>
> It appears as though the proxy servers are changing the User-Password
> somehow. Below are the relevant configurations of both the
> authentication and proxy radius servers, as well as trace 4 logs. At the
> bottom is also a password log (with the passwords changed) but as you
> can see the second line (which is the proxied one) has a garbled decode
> of the password.
>
> Do you know what may be causing this?
>
> The proxy radius server is running Radiator 3.4 and the authentication
> radius server is running Radiator 3.4
>
> Thanks
>
> Richard
>
>
> Relevant bits of Authentication RADIUS Server
> <Client 203.76.13.132>
> Identifier ConnectADSL
> NasType CiscoVPDN
> Secret secret
> IdenticalClients 203.76.0.129
> </Client>
>
> <Client 203.32.160.9>
> Identifier ConnectADSL
> IdenticalClients 203.32.166.111
> Secret secret
> NasType Ascend
> </Client>
> <Handler Realm=zircon.com.au, Client-Identifier=ConnectADSL>
> <AuthBy FILE>
> Filename /usr/local/etc/radius/data/users
> Nocache
> </AuthBy>
> AcctLogFileName /var/log/radius/adsltesting.acct
> PasswordLogFileName /var/log/radius/adslpassword
> </Handler>
>
>
> Relevant config bits of Proxy RADIUS Server
>
> Trace 1
>
> Foreground
>
> AuthPort 1812
> AcctPort 1813
>
> DbDir /usr/local/etc/radius/raddb
> LogDir /var/log/radius
> DictionaryFile %D/dictionary
> <Client 203.76.0.129>
> Identifier ADSL
> NasType CiscoVPDN
> Secret secret
> </Client>
> <Handler Realm=zircon.com.au, Client-Identifier=ADSL>
> # RewriteUsername s/^([^@]+).*/$1/
> AuthBy STAFF
> AcctLogFileName /var/log/radius/adsltesting.acct
> </Handler>
> <AuthBy RADIUS>
> Identifier STAFF
> Host staff.syd.ip.net.au
> AuthPort 1812
> AcctPort 1813
> RetryTimeout 15
> Retries 0
> Secret secret
> </AuthBy>
>
>
> Direct Authentication Logfile
>
> Tue Jan 21 09:25:52 2003: DEBUG: Packet dump:
> *** Received from 203.76.0.129 port 1645 ....
> Code: Access-Request
> Identifier: 174
> Authentic:
> <213><240><23>h<<192><172>I<217><11><152><245><222>M<167><159>
> Attributes:
> NAS-IP-Address = 203.76.0.129
> NAS-Port = 1
> Cisco-NAS-Port = "Virtual-Access1"
> NAS-Port-Type = Virtual
> User-Name = "richardv at zircon.com.au"
> Calling-Station-Id = "nkt112100600855"
> User-Password =
> "<247><16>)HZ=<222><214><162><182>7V<236>f<252><217>"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Tue Jan 21 09:25:52 2003: DEBUG: Handling request with Handler
> 'Realm=zircon.com.au, Client-Identifier=ConnectADSL'
> Tue Jan 21 09:25:52 2003: DEBUG: Deleting session for
> richardv at zircon.com.au, 203.76.0.129, 1
> Tue Jan 21 09:25:52 2003: DEBUG: Handling with Radius::AuthFILE:
> Tue Jan 21 09:25:52 2003: DEBUG: Reading users file
> /usr/local/etc/radius/data/users
> Tue Jan 21 09:25:52 2003: DEBUG: Radius::AuthFILE looks for match with
> richardv at zircon.com.au
> Tue Jan 21 09:25:52 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Tue Jan 21 09:25:52 2003: DEBUG: Access accepted for
> richardv at zircon.com.au
> Tue Jan 21 09:25:52 2003: DEBUG: Packet dump:
> *** Sending to 203.76.0.129 port 1645 ....
> Code: Access-Accept
> Identifier: 174
> Authentic:
> <213><240><23>h<<192><172>I<217><11><152><245><222>M<167><159>
> Attributes:
> Framed-IP-Address = 203.76.9.174
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Route = "203.76.9.128/29 203.76.9.174 1"
> Port-Limit = 2
> Idle-Timeout = 60
> Session-Timeout = 1200
>
>
>
>
> Via Proxy Server
>
> PROXY Server LOGFILE
>
> Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
> *** Received from 203.76.0.129 port 1645 ....
> Code: Access-Request
> Identifier: 195
> Authentic:
> <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
> Attributes:
> NAS-IP-Address = 203.76.0.129
> NAS-Port = 1
> Cisco-NAS-Port = "Virtual-Access1"
> NAS-Port-Type = Virtual
> User-Name = "richardv at zircon.com.au"
> Calling-Station-Id = "nkt112100600855"
> User-Password =
> "Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145>"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Tue Jan 21 09:35:29 2003: DEBUG: Handling request with Handler
> 'Realm=zircon.com.au, Client-Identifier=ADSL'
> Tue Jan 21 09:35:29 2003: DEBUG: SDB1 Deleting session for
> richardv at zircon.com.au, 203.76.0.129, 1
> Tue Jan 21 09:35:29 2003: DEBUG: do query is: delete from RADONLINE
> where NASIDENTIFIER='203.76.0.129' and NASPORT=1
>
> Tue Jan 21 09:35:29 2003: DEBUG: Handling with Radius::AuthRADIUS
> Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
> *** Sending to 203.32.166.18 port 1812 ....
> Code: Access-Request
> Identifier: 1
> Authentic:
> <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
> Attributes:
> NAS-IP-Address = 203.76.0.129
> NAS-Port = 1
> Cisco-NAS-Port = "Virtual-Access1"
> NAS-Port-Type = Virtual
> User-Name = "richardv at zircon.com.au"
> Calling-Station-Id = "nkt112100600855"
> User-Password =
> "Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145><251><135><241><131>DBM<184>W6<197><244><165><206><204><243>"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
> *** Received from 203.32.166.18 port 1812 ....
> Code: Access-Reject
> Identifier: 1
> Authentic:
> n|<202><227><168>v<246>e<183><219><174><222><241><178><190>6
> Attributes:
> Reply-Message = "Request Denied"
>
> Tue Jan 21 09:35:30 2003: DEBUG: Received reply in AuthRADIUS for req 1 from
> 203.32.166.18:1812
> Tue Jan 21 09:35:30 2003: INFO: Access rejected for richardv at zircon.com.au:
> Proxied
> Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
> *** Sending to 203.76.0.129 port 1645 ....
> Code: Access-Reject
> Identifier: 195
> Authentic:
> <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
> Attributes:
> Reply-Message = "Request Denied"
> Reply-Message = "Request Denied"
>
>
> Logfile from Authenticating RADIUS Server
>
> Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
> *** Received from 203.32.160.9 port 1124 ....
> Code: Access-Request
> Identifier: 1
> Authentic:
> <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
> Attributes:
> NAS-IP-Address = 203.76.0.129
> NAS-Port = 1
> Cisco-NAS-Port = "Virtual-Access1"
> NAS-Port-Type = Virtual
> User-Name = "richardv at zircon.com.au"
> Calling-Station-Id = "nkt112100600855"
> User-Password =
> "Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145><251><135><241><131>DBM<184>W6<197><244><165><206><204><243>"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Tue Jan 21 09:35:30 2003: DEBUG: Handling request with Handler
> 'Realm=zircon.com.au, Client-Identifier=ConnectADSL'
> Tue Jan 21 09:35:30 2003: DEBUG: Deleting session for
> richardv at zircon.com.au, 203.76.0.129, 1
> Tue Jan 21 09:35:30 2003: DEBUG: Handling with Radius::AuthFILE:
> Tue Jan 21 09:35:30 2003: DEBUG: Reading users file
> /usr/local/etc/radius/data/users
> Tue Jan 21 09:35:30 2003: DEBUG: Radius::AuthFILE looks for match with
> richardv at zircon.com.au
> Tue Jan 21 09:35:30 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Tue Jan 21 09:35:30 2003: DEBUG: Reading users file
> /usr/local/etc/radius/data/users
> Tue Jan 21 09:35:30 2003: INFO: Access rejected for richardv at zircon.com.au:
> Bad Password
> Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
> *** Sending to 203.32.160.9 port 1124 ....
> Code: Access-Reject
> Identifier: 1
> Authentic:
> <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
> Attributes:
> Reply-Message = "Request Denied"
>
>
> PASSWORD LOGFILE
> Tue Jan 21 09:25:52 2003:1043101552:richardv at zircon.com.au:correctpassword:correctpassword:PASS
> Tue Jan 21 09:35:30 2003:1043102130:richardv at zircon.com.au:(¯þbbǽX"æu3:correctpassword:FAIL
>
>
> Richard Vander Reyden E: vanderreydenr at zircon.com.au
> Network & Product Engineer P: +61 2 8304 9300
> Zircon Systems Pty Ltd F: +61 2 9669 2912
>
> -------------------------------------------------------
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
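Editor's added example (not from Hugh, Richard, or the Radiator source) showing the mechanism behind the "check the shared secrets" advice above. RFC 2865 section 5.2 hides User-Password by NUL-padding the password to a multiple of 16 bytes and XORing each block with MD5(shared secret + previous block), the first "previous block" being the 16-byte Request Authenticator. A proxy therefore has to reveal the password with the secret it shares with the NAS and hide it again with the secret it shares with the upstream server; if the NAS-side secret is wrong the proxy forwards 16 bytes of junk that the upstream server faithfully decodes and compares, which is exactly the "Bad Password" plus garbled password-log entry seen in the traces. One detail the traces do show: the proxy forwards the same Request Authenticator, and the first 16 bytes of the forwarded User-Password equal the inbound ones, which is what the standard reveal-then-hide step produces when the proxy uses the same secret string on both legs, whether or not that string is what the NAS is configured with. The 32-byte length of the forwarded attribute depends on the proxy's own padding rule, which the page does not show, and the example below uses the minimal RFC padding instead. Python rather than Radiator's Perl; the password, secrets, 16-byte authenticator and helper names are constructed for the example. The last function is the practical check: given a captured User-Password and Request Authenticator (what a trace 5 hex dump gives you), it tells you which candidate secret turns the attribute back into printable text.

```python
"""RFC 2865 section 5.2 User-Password hiding, the proxy re-hiding step, and a
shared-secret diagnostic. Added example, not Radiator code; all sample values
below are constructed."""
import hashlib

# Constructed 16-byte Request Authenticator; a real NAS sends a random one.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a cleartext password the way a NAS does before sending User-Password.

    Pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous *ciphertext* block); the first block uses the
    Request Authenticator as the "previous block".
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding.

    With the wrong secret the MD5 keystream is wrong, so each block comes
    back as 16 bytes of junk and there is normally no padding to strip.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def proxy_password(hidden: bytes, authenticator: bytes,
                   nas_secret: bytes, upstream_secret: bytes) -> bytes:
    """What a proxy must do to forward User-Password: reveal with the secret it
    shares with the NAS, re-hide with the secret it shares with the upstream
    server. The Request Authenticator is forwarded unchanged, as in the trace.
    Nothing here can notice that nas_secret is wrong: junk re-hides just as
    happily as a real password does."""
    clear = reveal_password(hidden, nas_secret, authenticator)
    return hide_password(clear, upstream_secret, authenticator)


def decodes_to_printable(clear: bytes) -> bool:
    """Heuristic: a real password reveals as non-empty printable ASCII."""
    return 0 < len(clear) <= 128 and all(32 <= b < 127 for b in clear)


def find_working_secret(hidden: bytes, authenticator: bytes, candidates) -> list:
    """Diagnostic for a captured Access-Request: try each candidate shared
    secret against the raw User-Password bytes and keep the ones that reveal
    printable text. An empty result means none of the candidates is what the
    sending NAS (or proxy) actually used."""
    return [s for s in candidates
            if decodes_to_printable(reveal_password(hidden, s, authenticator))]


if __name__ == "__main__":
    auth = SAMPLE_AUTHENTICATOR
    from_nas = hide_password(b"correctpassword", b"nas-secret", auth)
    print("NAS sends          :", from_nas.hex())
    print("proxy, right secret:",
          proxy_password(from_nas, auth, b"nas-secret", b"upstream").hex())
    print("proxy, wrong secret:",
          proxy_password(from_nas, auth, b"typo", b"upstream").hex())
    print("working secret     :",
          find_working_secret(from_nas, auth, [b"typo", b"nas-secret"]))
```

Usage note: to run the diagnostic against a real capture, take the 16-byte Authenticator and the raw User-Password value from the trace 5 hex dump of the Access-Request as received by the server you are debugging, and pass the secrets configured on both ends as candidates; the leg on which the capture decodes to junk is the leg with the mismatched secret.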