(RADIATOR) Bad authenticator in wrong packet?

Paul paul at kbs.net.au
Thu May 6 03:22:00 CDT 2004 

Hi Hugh and List,

OK, yes the packet is an accounting start request for a l2tp tunnel, but
from a Cisco NAS.
I believe they run a backwards compatible dictionary with Ascend so we
actually get packets that look like Ascend ones.
The packets below and the ones we use aren't natted or masq'd, I've simply
masked the corresponding IP addresses to protect the inoccent.
The IP's could be any number on any subnet, it just so happened I chose
those subnets.

Any other ideas?

Thanks for your time

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Paul" <paul at kbs.net.au>
Cc: <radiator at open.com.au>
Sent: Thursday, May 06, 2004 3:26 PM
Subject: Re: (RADIATOR) Bad authenticator in wrong packet?


>
> Hello Paul -
>
> The NAS-IP-Address attribute has the IP address "200.200.200.200" and
> the NAS-Identifier of ""my-cool-nas01.ournet.com.au"".
>
> This appears to be an Ascend tunnel setup accounting start.
>
> Judging by some of the IP addresses I suspect there is some address
> translation happening somewhere.
>
> regards
>
> Hugh
>
>
> On 6 May 2004, at 10:08, Paul wrote:
>
> > Hi Everyone,
> >
> > We are running Radiator 3.7.1 and every 2 hours or so we see the
> > following
> > packet come through and directly below is a "Bad authenticator"
> > however the
> > IP address mentioned is different to the one that is in the "Recieved"
> > from
> > header. So it's like Radiator is getting mixed up as to which host has
> > the
> > "Bad authenticator" packet issue.
> >
> > Checking through a full two hours of logs and we can't find a single
> > packet
> > that was sent from 192.168.100.100 to even remotely match the wrong
> > packet.
> >
> > Has anyone seen this type of behaviour?
> >
> > Wed May  5 15:01:13 2004 617315: DEBUG: Packet dump:
> > *** Received from 200.150.150.150 port 34123 ....
> > Code:       Accounting-Request
> > Identifier:   57
> > Authentic:  <170><112>gG<45><123><100><7><333>EE<03><123><50>O<125>
> > Attributes:
> >         Acct-Session-Id = "00093EJ2A"
> >         Tunnel-Server-Endpoint = 0:172.100.10.10
> >         Tunnel-Client-Endpoint = 0:10.10.10.10
> >         Tunnel-Assignment-ID = 0:1
> >         Tunnel-Type = 0:L2TP
> >         Tunnel-ID = 0:390325
> >         Tunnel-Client-Auth-ID = 0:n43325267k-cwv13
> >         Tunnel-Server-Auth-ID = 0:my-cool-nas01
> >         Framed-Protocol = PPP
> >         Framed-IP-Address = 120.100.100.100
> >         Ascend-Connect-Progress = prLanSessionUp
> >         Acct-Authentic = RADIUS
> >         Acct-Status-Type = Start
> >         NAS-Port = 50
> >         Calling-Station-Id = "atm 20"
> >         Called-Station-Id = "0:1.150#999111000##speed:UBR:1536#/"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 200.200.200.200
> >         Ascend-Session-Svr-Key = "8DQ2KCE0"
> >         Event-Timestamp = 1083733257
> >         NAS-Identifier = "my-cool-nas01.ournet.com.au"
> >         Acct-Delay-Time = 15
> >         User-Name = "12345678 at hehe.com.au"
> >         NAS-Port-Type = ADSL-DMT
> >         Timestamp = 1083733259
> >         Proxy-State = OSC-Extended-Id=1201
> >
> > Wed May  5 15:01:13 2004 617958: DEBUG: Rewrote user name to
> > 12345678 at hehe.com.au
> > Wed May  5 15:01:13 2004 618200: DEBUG: Rewrote user name to
> > 12345678 at hehe.com.au
> > Wed May  5 15:01:13 2004 618649: WARNING: Bad authenticator in request
> > from
> > 192.168.100.100 (200.200.200.200)
> >
> > Any ideas/clues would be great.
> >
> > Thanks
> >
> > Paul
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list