(RADIATOR) Cisco NAS doesn't send password to Radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request
Hugh Irvine
hugh at open.com.au
Wed Nov 12 23:19:44 CST 2003
Hello Sergei -
See my other mail, but what is shown below is a NAS configured for
CHAP, hence the "CHAP-Password" in the request.
You should use something like this:
qqq Password = kkk
or
qqq User-Password = kkk
which will work for both forms (note that the spelling is important).
See section 13.1.1 in the Radiator 3.7.1 reference manual
("doc/ref.html").
regards
Hugh
On 12/11/2003, at 8:45 PM, Sergei Keler wrote:
>
> Hi!
>
> I have Cisco 2621 (IOS 12.2).
> When I use the following Radiator config:
>
> users file:
>
> qqq user-password="kkk", Service-Type = Framed-User
> Framed-Protocol = PPP,
> Framed-IP-Netmask = 255.255.255.0,
> Framed-Routing = None,
> Framed-MTU = 1500
>
> conf file:
>
> <Realm DEFAULT>
> <AuthBy FILE>
> Filename %D/users
> AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
> </AuthBy>
> AcctLogFileName %L/detail
> PasswordLogFileName %L/passwd
> </Realm>
>
> I found the following in the log file:
>
> Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.254 port 1645 ....
>
> Packet length = 81
> 01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
> 00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
> 13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
> 44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
> 61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
> fe
> Code: Access-Request
> Identifier: 34
> Authentic:
> <193><11><183><164><127>/<214>m<241><129><132><252><0><202><149>F
> Attributes:
> Framed-Protocol = PPP
> User-Name = "qqq"
> CHAP-Password =
> <10><152><185>r-<135>D<196>}<224><232><216><230><174><30>D]
> NAS-Port = 33
> NAS-Port-Type = Async
> Calling-Station-Id = "async"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.0.254
>
> Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Nov 12 12:33:01 2003: DEBUG: Deleting session for qqq,
> 192.168.0.254, 33
> Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
> Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with
> qqq
> Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item
> user-password expression'kkk' does not match '' in request
> Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item
> user-password expression 'kkk' does not match '' in request
> Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.254 port 1645 ....
> Packet length = 36
> 03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
> 96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code: Access-Reject
> Identifier: 34
> Authentic:
> <193><11><183><164><127>/<214>m<241><129><132><252><0><202><149>F
> Attributes:
> Reply-Message = "Request Denied"
>
> ====
>
> Cisco's debug:
>
> Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
> Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
> Nov 12 09:33:00.717: As33 PPP: Authorization required
> Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds
> trivially
> Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state
> to up
> Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from "gdc-gw"
> Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from "qqq"
> Nov 12 09:33:01.209: AAA/AUTHEN/PPP (0000DB31): Pick method list
> 'DIAL-UP'
> Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
> Nov 12 09:33:01.209: RADIUS: AAA Unsupported [134] 7
> Nov 12 09:33:01.209: RADIUS: 41 73 79 6E 63
> [Async]
> Nov 12 09:33:01.209: RADIUS(0000DB31): Storing nasport 33 in rad_db
> Nov 12 09:33:01.209: RADIUS/ENCODE(0000DB31): acct_session_id: 56116
> Nov 12 09:33:01.213: RADIUS(0000DB31): sending
> Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645,
> Access-Request, len 81
> Nov 12 09:33:01.213: RADIUS: authenticator C1 0B B7 A4 7F 2F D6 6D -
> F1 81 84 FC 00 CA 95 46
> Nov 12 09:33:01.213: RADIUS: Framed-Protocol [7] 6 PPP
> [1]
> Nov 12 09:33:01.213: RADIUS: User-Name [1] 5 "qqq"
> Nov 12 09:33:01.213: RADIUS: CHAP-Password [3] 19 *
> Nov 12 09:33:01.213: RADIUS: NAS-Port [5] 6 33
>
> Nov 12 09:33:01.213: RADIUS: NAS-Port-Type [61] 6 Async
> [0]
> Nov 12 09:33:01.213: RADIUS: Calling-Station-Id [31] 7 "async"
> Nov 12 09:33:01.217: RADIUS: Service-Type [6] 6 Framed
> [2]
> Nov 12 09:33:01.217: RADIUS: NAS-IP-Address [4] 6
> 192.168.0.254
> Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645,
> Access-Reject, len 36
> Nov 12 09:33:01.225: RADIUS: authenticator 08 FD AC E8 B2 2D 66 6E -
> C5 97 98 F6 96 3D 58 1A
> Nov 12 09:33:01.229: RADIUS: Reply-Message [18] 16
> Nov 12 09:33:01.229: RADIUS: 52 65 71 75 65 73 74 20 44 65 6E 69 65
> 64 [Request Denied]
> Nov 12 09:33:01.229: RADIUS: Received from id DB31
> Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
> Nov 12 09:33:01.229: As33 CHAP: O FAILURE id 10 len 18 msg is "Request
> Denied"
> Nov 12 12:33:03 MSK: %LINK-5-CHANGED: Interface Async33, changed state
> to reset
> Nov 12 12:33:08 MSK: %LINK-3-UPDOWN: Interface Async33, changed state
> to down
>
> ====
>
> So, as I understand it, Cisco didn't send the user password to RADIUS???
> What to do? :-(
>
> Sergei N Keler
> IT-Manager
> General DataComm
> [skeler at gdc.ru] [www.gdc.ru] [tel. +7(812)325-1085 (ext. 0723)] [fax
> +7(812)325-1086]
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
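The distinction Hugh draws above (a CHAP request carries CHAP-Password, so a check on User-Password has nothing to compare against, while a Password check item has to handle both forms) can be seen directly in the packet Sergei posted. The Python below is an added example, not Radiator's code: it parses the captured 81-byte Access-Request, reports which credential form the NAS sent, and checks a candidate cleartext password against either a PAP User-Password (RFC 2865 section 5.2) or a CHAP-Password (RFC 2865 section 5.3, with the challenge taken from CHAP-Challenge or, as in this capture, the Request Authenticator). Only the packet bytes come from the post; the shared secret, the authenticator used for the constructed round-trip packets, and all function names are assumptions of this example.

```python
# Added example (not Radiator code): parse the Access-Request captured in the
# post, show that it carries CHAP-Password and no User-Password, and verify a
# CHAP or PAP password the way RFC 2865 (sections 5.2 and 5.3) describes.
import hashlib
import hmac
import struct

# The 81-byte Access-Request from the Radiator packet dump in the post.
CAPTURED_ACCESS_REQUEST = bytes.fromhex(
    "01220051c10bb7a47f2fd66df18184fc00ca9546"   # header + Request Authenticator
    "070600000001" "0105717171"                   # Framed-Protocol, User-Name
    "03130a98b9722d8744c47de0e8d8e6ae1e445d"     # CHAP-Password (CHAP ident 10)
    "050600000021" "3d0600000000" "1f076173796e63"  # NAS-Port, NAS-Port-Type, Calling-Station-Id
    "060600000002" "0406c0a800fe"                 # Service-Type, NAS-IP-Address
)

USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_access_request(identifier, authenticator, attrs):
    """Inverse of parse_radius; used here only to build constructed test packets."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def attr(attrs, wanted):
    """First value of attribute type `wanted`, or None if the request lacks it."""
    for atype, value in attrs:
        if atype == wanted:
            return value
    return None


def auth_form(packet):
    """Which credential the NAS sent: 'PAP', 'CHAP', or None."""
    attrs = parse_radius(packet)[3]
    if attr(attrs, USER_PASSWORD) is not None:
        return "PAP"
    if attr(attrs, CHAP_PASSWORD) is not None:
        return "CHAP"
    return None


def chap_response(chap_ident, password, challenge):
    """CHAP response (RFC 1994): MD5(ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret || previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: the chaining value is the received ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\0")


def check_password(packet, shared_secret, candidate):
    """What a cleartext-password check item has to do: accept either PAP or CHAP."""
    _, _, authenticator, attrs = parse_radius(packet)
    hidden = attr(attrs, USER_PASSWORD)
    if hidden is not None:                       # PAP: recover and compare
        return hmac.compare_digest(pap_reveal(hidden, shared_secret, authenticator), candidate)
    chap = attr(attrs, CHAP_PASSWORD)
    if chap is not None and len(chap) == 17:     # CHAP: ident byte + 16-byte response
        challenge = attr(attrs, CHAP_CHALLENGE) or authenticator
        return hmac.compare_digest(chap_response(chap[0], candidate, challenge), chap[1:])
    return False                                 # neither form present: nothing to check


if __name__ == "__main__":
    print("captured request carries:", auth_form(CAPTURED_ACCESS_REQUEST))
    # The shared secret is only consulted on the PAP branch; CHAP needs none.
    print("'kkk' verifies:", check_password(CAPTURED_ACCESS_REQUEST, b"unused", b"kkk"))
```

Run stand-alone, it reports that the captured request carries CHAP and whether the cleartext `kkk` from the users file reproduces the CHAP response in it. A check item named `User-Password` looks for attribute type 2, which this request simply does not contain, which is exactly the empty string in "does not match ''".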