(RADIATOR) Packet of Disconnect

Michael Saunders mick at tsn.cc
Sun May 11 23:25:01 CDT 2003


Hugh,

We have read through the mailing list and 
nobody has got it working successfully.

We set up the Cisco server to accept POD.

aaa pod server auth-type any server-key xxxx

This will allow us to disconnect the user with any value
of the following
(username, framed-ip-address, Session Key or Session ID)

Unfortunately when we send the session it complains about an 
invalid authenticator. We have found someone on the 
freeradius mailing list who makes the following comment:

Hi Chris,
Many thanks for your reply.  Just for your info we managed to get it
sorted out if it is still of use to you.  The problem with the illegal
authenticator is that the authenticator on an auth request type packet
is calculated differently from the authenticator on an accounting
request (which POD is).  My understanding is that the auth packet uses
the user-password as well as the secret key to calculate the
authenticator, where the accounting packet just gets an overall hash
from all the components of the packet.  The detail is in the relevant
RADIUS RFCs and more specifically in the draft extension for packet of
disconnect (the later versions, I think no 6 or 7 is available).

We are using freeradius, and the radclient packaged with that works
well for bog standard auth and acct requests, but defaults to an auth
request for non-standard RADIUS request types (e.g. 40, POD).  We
modified the radclient (and radiusd) code so that if we entered
radclient -f file -x <NASIP>:1700 40 (this is usually auth/acct)
<secret>

It would calculate the authenticator as if for an accounting packet,
and Bob's your auntie, it works.
packet types returned, 41 for ACK (success), 42 for NACK (failure)
even though freeradius does not recognise these types it still gets a
response.

Our equipment:
Cisco AS5350
IOS 12.2 XB
FreeRadius 0.8.1
Postgres on Redhat 8

Unfortunately, even with this information we are unable to get it to work.
Maybe you could shed some light on this problem.

Michael Saunders


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Monday, 12 May 2003 2:14 PM
To: Michael Saunders
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Packet of Disconnect



Hello Michael -

You need to specify "Disconnect-Request" when you run radpwtst:

	perl radpwtst -noacct -code Disconnect-Request .....

This is not an accounting request.

You will need to check with your NAS vendor what attributes need to be 
supplied.

This topic has been discussed on the mailing list previously:

	www.open.com.au/archives/radiator

regards

Hugh


On Monday, May 12, 2003, at 13:26 Australia/Melbourne, Michael Saunders 
wrote:

> Hugh and Mike,
>
> We are trying to get the packet of disconnect working using
> the radpwtst client.
>
> Another user said we need to make it of a packet type of accounting
>
> How can we do this?
>
> Michael Saunders
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
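
The authenticator mismatch discussed in this thread, as an added example that is not part of the original messages and is not Radiator or FreeRADIUS code: under RFC 5176 (the published form of the Packet of Disconnect extension), a Disconnect-Request carries MD5 over the header, 16 zero octets, the attributes and the shared secret, which is the same construction as an Accounting-Request, whereas an Access-Request carries 16 random octets in that field. The secret, user name, session id and identifier below are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41   # packet codes named in the thread
USER_NAME, ACCT_SESSION_ID = 1, 44            # standard RADIUS attribute types

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def sign(code, ident, attrs, secret, seed=bytes(16)):
    """Return a packet whose authenticator is MD5(header + seed + attrs + secret).

    seed is 16 zero octets for a request and the Request Authenticator
    for the matching Disconnect-ACK/NAK reply.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + seed + attrs + secret).digest()
    return header + digest + attrs

def verify(packet, secret, seed=bytes(16)):
    """Recompute the authenticator the way the receiver does and compare."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(packet[:4] + seed + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-secret"
ATTRS = attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"0000002A")

request = sign(DISCONNECT_REQUEST, 7, ATTRS, SECRET)
# Same packet with an Access-Request style authenticator: arbitrary octets
# (fixed here as a stand-in for random ones) instead of the keyed hash.
access_style = request[:4] + b"\x11" * 16 + request[20:]
# A Disconnect-ACK is hashed over the request's authenticator.
ack = sign(DISCONNECT_ACK, 7, b"", SECRET, seed=request[4:20])

if __name__ == "__main__":
    print("keyed-hash request accepted:", verify(request, SECRET))
    print("access-style request accepted:", verify(access_style, SECRET))
    print("ACK matches request:", verify(ack, SECRET, seed=request[4:20]))
```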

