(RADIATOR) Bad authenticator in wrong packet?

Paul paul at kbs.net.au
Mon May 10 04:02:28 CDT 2004 

Hi list,

Does anyone else have any ideas or tricks I can do to test this or prevent
it from occurring in our logs?
We have scripts to check our hourly logs and this keeps coming up over and
over each hour.

Any help would be great, thanks

----- Original Message ----- 
From: "Paul" <paul at kbs.net.au>
To: "Hugh Irvine" <hugh at open.com.au>
Cc: <radiator at open.com.au>
Sent: Thursday, May 06, 2004 6:22 PM
Subject: Re: (RADIATOR) Bad authenticator in wrong packet?


>
> Hi Hugh and List,
>
> OK, yes the packet is an accounting start request for a l2tp tunnel, but
> from a Cisco NAS.
> I believe they run a backwards compatible dictionary with Ascend so we
> actually get packets that look like Ascend ones.
> The packets below and the ones we use aren't natted or masq'd, I've simply
> masked the corresponding IP addresses to protect the inoccent.
> The IP's could be any number on any subnet, it just so happened I chose
> those subnets.
>
> Any other ideas?
>
> Thanks for your time
>
> ----- Original Message ----- 
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Paul" <paul at kbs.net.au>
> Cc: <radiator at open.com.au>
> Sent: Thursday, May 06, 2004 3:26 PM
> Subject: Re: (RADIATOR) Bad authenticator in wrong packet?
>
>
> >
> > Hello Paul -
> >
> > The NAS-IP-Address attribute has the IP address "200.200.200.200" and
> > the NAS-Identifier of ""my-cool-nas01.ournet.com.au"".
> >
> > This appears to be an Ascend tunnel setup accounting start.
> >
> > Judging by some of the IP addresses I suspect there is some address
> > translation happening somewhere.
> >
> > regards
> >
> > Hugh
> >
> >
> > On 6 May 2004, at 10:08, Paul wrote:
> >
> > > Hi Everyone,
> > >
> > > We are running Radiator 3.7.1 and every 2 hours or so we see the
> > > following
> > > packet come through and directly below is a "Bad authenticator"
> > > however the
> > > IP address mentioned is different to the one that is in the "Recieved"
> > > from
> > > header. So it's like Radiator is getting mixed up as to which host has
> > > the
> > > "Bad authenticator" packet issue.
> > >
> > > Checking through a full two hours of logs and we can't find a single
> > > packet
> > > that was sent from 192.168.100.100 to even remotely match the wrong
> > > packet.
> > >
> > > Has anyone seen this type of behaviour?
> > >
> > > Wed May  5 15:01:13 2004 617315: DEBUG: Packet dump:
> > > *** Received from 200.150.150.150 port 34123 ....
> > > Code:       Accounting-Request
> > > Identifier:   57
> > > Authentic:  <170><112>gG<45><123><100><7><333>EE<03><123><50>O<125>
> > > Attributes:
> > >         Acct-Session-Id = "00093EJ2A"
> > >         Tunnel-Server-Endpoint = 0:172.100.10.10
> > >         Tunnel-Client-Endpoint = 0:10.10.10.10
> > >         Tunnel-Assignment-ID = 0:1
> > >         Tunnel-Type = 0:L2TP
> > >         Tunnel-ID = 0:390325
> > >         Tunnel-Client-Auth-ID = 0:n43325267k-cwv13
> > >         Tunnel-Server-Auth-ID = 0:my-cool-nas01
> > >         Framed-Protocol = PPP
> > >         Framed-IP-Address = 120.100.100.100
> > >         Ascend-Connect-Progress = prLanSessionUp
> > >         Acct-Authentic = RADIUS
> > >         Acct-Status-Type = Start
> > >         NAS-Port = 50
> > >         Calling-Station-Id = "atm 20"
> > >         Called-Station-Id = "0:1.150#999111000##speed:UBR:1536#/"
> > >         Service-Type = Framed-User
> > >         NAS-IP-Address = 200.200.200.200
> > >         Ascend-Session-Svr-Key = "8DQ2KCE0"
> > >         Event-Timestamp = 1083733257
> > >         NAS-Identifier = "my-cool-nas01.ournet.com.au"
> > >         Acct-Delay-Time = 15
> > >         User-Name = "12345678 at hehe.com.au"
> > >         NAS-Port-Type = ADSL-DMT
> > >         Timestamp = 1083733259
> > >         Proxy-State = OSC-Extended-Id=1201
> > >
> > > Wed May  5 15:01:13 2004 617958: DEBUG: Rewrote user name to
> > > 12345678 at hehe.com.au
> > > Wed May  5 15:01:13 2004 618200: DEBUG: Rewrote user name to
> > > 12345678 at hehe.com.au
> > > Wed May  5 15:01:13 2004 618649: WARNING: Bad authenticator in request
> > > from
> > > 192.168.100.100 (200.200.200.200)
> > >
> > > Any ideas/clues would be great.
> > >
> > > Thanks
> > >
> > > Paul
> > >
> > > --
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> > >
> > >
> >
> > NB: have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > -- 
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list