(RADIATOR) Packet of Disconnect

Hugh Irvine hugh at open.com.au
Sun May 11 23:29:53 CDT 2003


Hello Michael -

You will need to specify the correct shared secret as well:

	perl radpwtst -noacct -secret xxxxx -code Disconnect-Request ...

Here is the help from radpwtst:

bash-2.05a$ perl radpwtst -h
usage: radpwtst [-h] [-time] [-iterations n]
           [-trace [level]] [-s server] [-secret secret]
           [-noauth] [-noacct][-nostart] [-nostop] [-status]
           [-chap] [-mschap] [-mschapv2] [-eapmd5]
           [-accton] [-acctoff] [-framed_ip_address address]
           [-auth_port port] [-acct_port port] [-identifier n]
           [-user username] [-password password] [-nas_ip_address address]
           [-nas_port port] [-nas_port_type type] [-service_type service]
           [-calling_station_id string] [-called_station_id string]
           [-session_id string] [-interactive]
           [-delay_time n] [-session_time n] [-input_octets n]
           [-output_octets n] [-timeout n] [-dictionary file,file]
           [-gui] [-class string] [-useoldascendpasswords]
           [-code requestcode] [-raw data] [-rawfile filename]
           [attribute=value]...


regards

Hugh


On Monday, May 12, 2003, at 14:25 Australia/Melbourne, Michael Saunders wrote:

> Hugh,
>
> We have read through the mailing list and
> nobody has got it working successfully.
>
> We set up the Cisco server to accept POD.
>
> aaa pod server auth-type any server-key xxxx
>
> This will allow us to disconnect the user with any value
> of the following
> (username,framed-ip-address,Session Key or Session ID)
>
> Unfortunately when we send the session it complains about an
> invalid authenticator. We have found someone on the
> freeradius mailing list who makes the following comment.
>
> Hi Chris,
> Many thanks for your reply.  Just for your info we managed to get it
> sorted out if it is still of use to you.  The problem with the illegal
> authenticator is that the authenticator on an auth request type packet
> is calculated differently from the authenticator on an accounting
> request (which POD is).  My understanding is that the auth packet uses
> the user-password as well as the secret key to calculate the
> authenticator, where the accounting packet just gets an overall hash
> from all the components of the packet.  The detail is in the relevant
> RADIUS RFCs and more specifically in the draft extension for packet of
> disconnect (the later versions, I think no 6 or 7 is available).
>
> We are using freeradius, and the radclient packaged with that works
> well for bog standard auth and acct requests, but defaults to an auth
> request for non-standard RADIUS request types (e.g. 40, POD).  We
> modified the radclient (and radiusd) code so that if we entered
> radclient -f file -x <NASIP>:1700 40 (this is usually auth/acct)
> <secret>
>
> It would calculate the authenticator as if for an accounting packet,
> and Bob's your auntie, it works.
> packet types returned, 41 for ACK (success), 42 for NACK (failure)
> even though freeradius does not recognise these types it still gets a
> response.
>
> Our equipment:
> Cisco AS5350
> IOS 12.2 XB
> FreeRadius 0.8.1
> Postgres on Redhat 8
>
> Unfortunately, even with this information we are unable to get it to work.
> Maybe you could shed some light on this problem.
>
> Michael Saunders
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, 12 May 2003 2:14 PM
> To: Michael Saunders
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Packet of Disconnect
>
>
>
> Hello Michael -
>
> You need to specify "Disconnect-Request" when you run radpwtst:
>
> 	perl radpwtst -noacct -code Disconnect-Request .....
>
> This is not an accounting request.
>
> You will need to check with your NAS vendor what attributes need to be
> supplied.
>
> This topic has been discussed on the mailing list previously:
>
> 	www.open.com.au/archives/radiator
>
> regards
>
> Hugh
>
>
> On Monday, May 12, 2003, at 13:26 Australia/Melbourne, Michael Saunders
> wrote:
>
>> Hugh and Mike,
>>
>> We are trying to get the packet of disconnect working using
>> the radpwtst client.
>>
>> Another user said we need to make it of a packet type of accounting
>>
>> How can we do this?
>>
>> Michael Saunders
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
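
The calculation the quoted freeradius post turns on, as an added example (not code from this thread, radpwtst or radclient): RFC 2866 defines the Accounting-Request authenticator as an MD5 over the packet with the authenticator field zeroed, followed by the shared secret, and RFC 5176 specifies the same calculation for Disconnect-Request, whereas an Access-Request carries 16 random octets. The secret, identifier and User-Name value are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41   # codes quoted in the thread
USER_NAME = 1                                 # attribute type, RFC 2865


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def sign_like_accounting(code, ident, attrs, secret):
    """Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def sign_like_access_request(code, ident, attrs):
    """Access-Request style: the authenticator is 16 random octets."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def request_ok(packet, secret):
    """Receiver-side check; False is the 'invalid authenticator' outcome."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    packet = packet[:length]
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])


def reply_ok(reply, request, secret):
    """Reply check: MD5(Code+ID+Length+request authenticator+Attributes+Secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])


SECRET = b"constructed-secret"                # constructed sample values
POD = sign_like_accounting(DISCONNECT_REQUEST, 7, attr(USER_NAME, b"alice"), SECRET)
```

A request signed with the wrong secret fails `request_ok` in the same way as one built with a random authenticator, so a mismatch alone does not say which of the two went wrong.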
