(RADIATOR) Cisco NAS doesn't send password to Radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request

Sergei Keler skeler at gdc.ru
Wed Nov 12 03:45:08 CST 2003


Hi!

I have Cisco 2621 (IOS 12.2).
When I use the following Radiator config:

users file:

qqq     user-password="kkk", Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500

conf file:

<Realm DEFAULT>
        <AuthBy FILE>
                Filename %D/users
                AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
        </AuthBy>
        AcctLogFileName %L/detail
        PasswordLogFileName %L/passwd
</Realm>

I found the following in the log file:

Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Received from 192.168.0.254 port 1645 ....

Packet length = 81
01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
fe
Code:       Access-Request
Identifier: 34
Authentic: 
<193><11><183><164><127>/<214>m<241><129><132><252><0><202><149>F
Attributes:
        Framed-Protocol = PPP
        User-Name = "qqq"
        CHAP-Password = 
<10><152><185>r-<135>D<196>}<224><232><216><230><174><30>D]
        NAS-Port = 33
        NAS-Port-Type = Async
        Calling-Station-Id = "async"
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.0.254

Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Wed Nov 12 12:33:01 2003: DEBUG:  Deleting session for qqq, 192.168.0.254, 
33
Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with qqq
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item 
user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item 
user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.254 port 1645 ....
Packet length = 36
03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 34
Authentic: 
<193><11><183><164><127>/<214>m<241><129><132><252><0><202><149>F
Attributes:
        Reply-Message = "Request Denied"

====

Cisco's debug:

Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
Nov 12 09:33:00.717: As33 PPP: Authorization required
Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds trivially
Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to 
up
Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from "gdc-gw"
Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from "qqq"
Nov 12 09:33:01.209: AAA/AUTHEN/PPP (0000DB31): Pick method list 'DIAL-UP'
Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
Nov 12 09:33:01.209: RADIUS:  AAA Unsupported     [134] 7
Nov 12 09:33:01.209: RADIUS:   41 73 79 6E 63      [Async]
Nov 12 09:33:01.209: RADIUS(0000DB31): Storing nasport 33 in rad_db
Nov 12 09:33:01.209: RADIUS/ENCODE(0000DB31): acct_session_id: 56116
Nov 12 09:33:01.213: RADIUS(0000DB31): sending
Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645, 
Access-Request, len 81
Nov 12 09:33:01.213: RADIUS:  authenticator C1 0B B7 A4 7F 2F D6 6D - F1 
81 84 FC 00 CA 95 46
Nov 12 09:33:01.213: RADIUS:  Framed-Protocol     [7]   6   PPP  [1]
Nov 12 09:33:01.213: RADIUS:  User-Name           [1]   5   "qqq"
Nov 12 09:33:01.213: RADIUS:  CHAP-Password       [3]   19  *
Nov 12 09:33:01.213: RADIUS:  NAS-Port            [5]   6   33  
Nov 12 09:33:01.213: RADIUS:  NAS-Port-Type       [61]  6   Async    [0]
Nov 12 09:33:01.213: RADIUS:  Calling-Station-Id  [31]  7   "async"
Nov 12 09:33:01.217: RADIUS:  Service-Type        [6]   6   Framed     [2]
Nov 12 09:33:01.217: RADIUS:  NAS-IP-Address      [4]   6   192.168.0.254  
 
Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645, 
Access-Reject, len 36
Nov 12 09:33:01.225: RADIUS:  authenticator 08 FD AC E8 B2 2D 66 6E - C5 
97 98 F6 96 3D 58 1A
Nov 12 09:33:01.229: RADIUS:  Reply-Message       [18]  16
Nov 12 09:33:01.229: RADIUS:   52 65 71 75 65 73 74 20 44 65 6E 69 65 64   
  [Request Denied]
Nov 12 09:33:01.229: RADIUS: Received from id DB31
Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
Nov 12 09:33:01.229: As33 CHAP: O FAILURE id 10 len 18 msg is "Request 
Denied"
Nov 12 12:33:03 MSK: %LINK-5-CHANGED: Interface Async33, changed state to 
reset
Nov 12 12:33:08 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to 
down

====

So, as I understand, Cisco didn't send the user password to RADIUS???
What to do? :-(

Sergei N Keler
IT-Manager
General DataComm
[skeler at gdc.ru] [www.gdc.ru] [tel. +7(812)325-1085 (ext. 0723)] [fax 
+7(812)325-1086]