(RADIATOR) Bad authenticator in wrong packet?

Hugh Irvine hugh at open.com.au
Mon May 10 20:39:54 CDT 2004


Hello Paul -

There really isn't anything you can do in Radiator, as by then it is 
too late.

All I can suggest is that you put in a routing filter _before_ the 
packet gets to the Radiator host.

regards

Hugh


On 10 May 2004, at 19:02, Paul wrote:

>
> Hi list,
>
> Does anyone else have any ideas or tricks I can do to test this or
> prevent it from occurring in our logs?
> We have scripts to check our hourly logs and this keeps coming up over
> and over each hour.
>
> Any help would be great, thanks
>
> ----- Original Message -----
> From: "Paul" <paul at kbs.net.au>
> To: "Hugh Irvine" <hugh at open.com.au>
> Cc: <radiator at open.com.au>
> Sent: Thursday, May 06, 2004 6:22 PM
> Subject: Re: (RADIATOR) Bad authenticator in wrong packet?
>
>
>>
>> Hi Hugh and List,
>>
>> OK, yes the packet is an accounting start request for a l2tp tunnel,
>> but from a Cisco NAS.
>> I believe they run a backwards compatible dictionary with Ascend so we
>> actually get packets that look like Ascend ones.
>> The packets below and the ones we use aren't natted or masq'd, I've
>> simply masked the corresponding IP addresses to protect the innocent.
>> The IPs could be any number on any subnet, it just so happened I
>> chose those subnets.
>>
>> Any other ideas?
>>
>> Thanks for your time
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Paul" <paul at kbs.net.au>
>> Cc: <radiator at open.com.au>
>> Sent: Thursday, May 06, 2004 3:26 PM
>> Subject: Re: (RADIATOR) Bad authenticator in wrong packet?
>>
>>
>>>
>>> Hello Paul -
>>>
>>> The NAS-IP-Address attribute has the IP address "200.200.200.200" and
>>> the NAS-Identifier of "my-cool-nas01.ournet.com.au".
>>>
>>> This appears to be an Ascend tunnel setup accounting start.
>>>
>>> Judging by some of the IP addresses I suspect there is some address
>>> translation happening somewhere.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 6 May 2004, at 10:08, Paul wrote:
>>>
>>>> Hi Everyone,
>>>>
>>>> We are running Radiator 3.7.1 and every 2 hours or so we see the
>>>> following packet come through and directly below is a "Bad
>>>> authenticator" however the IP address mentioned is different to the
>>>> one that is in the "Received" from header. So it's like Radiator is
>>>> getting mixed up as to which host has the "Bad authenticator" packet
>>>> issue.
>>>>
>>>> Checking through a full two hours of logs and we can't find a single
>>>> packet that was sent from 192.168.100.100 to even remotely match the
>>>> wrong packet.
>>>>
>>>> Has anyone seen this type of behaviour?
>>>>
>>>> Wed May  5 15:01:13 2004 617315: DEBUG: Packet dump:
>>>> *** Received from 200.150.150.150 port 34123 ....
>>>> Code:       Accounting-Request
>>>> Identifier:   57
>>>> Authentic:  <170><112>gG<45><123><100><7><333>EE<03><123><50>O<125>
>>>> Attributes:
>>>>         Acct-Session-Id = "00093EJ2A"
>>>>         Tunnel-Server-Endpoint = 0:172.100.10.10
>>>>         Tunnel-Client-Endpoint = 0:10.10.10.10
>>>>         Tunnel-Assignment-ID = 0:1
>>>>         Tunnel-Type = 0:L2TP
>>>>         Tunnel-ID = 0:390325
>>>>         Tunnel-Client-Auth-ID = 0:n43325267k-cwv13
>>>>         Tunnel-Server-Auth-ID = 0:my-cool-nas01
>>>>         Framed-Protocol = PPP
>>>>         Framed-IP-Address = 120.100.100.100
>>>>         Ascend-Connect-Progress = prLanSessionUp
>>>>         Acct-Authentic = RADIUS
>>>>         Acct-Status-Type = Start
>>>>         NAS-Port = 50
>>>>         Calling-Station-Id = "atm 20"
>>>>         Called-Station-Id = "0:1.150#999111000##speed:UBR:1536#/"
>>>>         Service-Type = Framed-User
>>>>         NAS-IP-Address = 200.200.200.200
>>>>         Ascend-Session-Svr-Key = "8DQ2KCE0"
>>>>         Event-Timestamp = 1083733257
>>>>         NAS-Identifier = "my-cool-nas01.ournet.com.au"
>>>>         Acct-Delay-Time = 15
>>>>         User-Name = "12345678 at hehe.com.au"
>>>>         NAS-Port-Type = ADSL-DMT
>>>>         Timestamp = 1083733259
>>>>         Proxy-State = OSC-Extended-Id=1201
>>>>
>>>> Wed May  5 15:01:13 2004 617958: DEBUG: Rewrote user name to 12345678 at hehe.com.au
>>>> Wed May  5 15:01:13 2004 618200: DEBUG: Rewrote user name to 12345678 at hehe.com.au
>>>> Wed May  5 15:01:13 2004 618649: WARNING: Bad authenticator in request from 192.168.100.100 (200.200.200.200)
>>>>
>>>> Any ideas/clues would be great.
>>>>
>>>> Thanks
>>>>
>>>> Paul
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>
>>
>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
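
Added example, not part of the original messages and not Radiator's own code: a RADIUS server reports a bad authenticator when the Accounting-Request authenticator defined in RFC 2866 does not verify against the shared secret of the client the packet is attributed to. The sketch below recomputes that value and tests one packet against the secret of each candidate client address; the shared secrets and function names are constructed for the example, and the attribute values are copied from the dump quoted above.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def acct_authenticator(packet: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()

def build_acct_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Sign an Accounting-Request the way the sending NAS or proxy does."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    unsigned = header + b"\x00" * 16 + attrs
    return header + acct_authenticator(unsigned, secret) + attrs

def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """True if the 16-octet authenticator verifies against this secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond the stated length are padding
    return hmac.compare_digest(packet[4:20], acct_authenticator(packet, secret))

def clients_that_validate(packet: bytes, secrets: dict) -> list:
    """Which configured client addresses hold a secret that signs this packet?"""
    return sorted(c for c, s in secrets.items() if verify_acct_request(packet, s))

# Constructed sample: attribute values taken from the dump in the thread,
# shared secrets invented for the example.
SECRETS = {"200.150.150.150": b"constructed-secret-A",
           "192.168.100.100": b"constructed-secret-B"}
ATTRS = (attr(44, b"00093EJ2A")                   # Acct-Session-Id
         + attr(40, struct.pack("!I", 1))         # Acct-Status-Type = Start
         + attr(4, bytes([200, 200, 200, 200])))  # NAS-IP-Address
PACKET = build_acct_request(57, ATTRS, SECRETS["200.150.150.150"])

if __name__ == "__main__":
    print("verifies for:", clients_that_validate(PACKET, SECRETS))
    tampered = PACKET[:-1] + bytes([PACKET[-1] ^ 1])
    print("tampered verifies for:", clients_that_validate(tampered, SECRETS))
```

Run against a captured packet and the secrets configured for each client, this shows which client the packet was actually signed for, independent of the address that appears in the warning.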
