(RADIATOR) Tunnel-Password
Hugh Irvine
hugh at open.com.au
Thu May 13 19:30:47 CDT 2004
Hello Jeroen -
You should use the following in the AuthBy RADIUS clause (from the
manual "doc/ref.html"):
6.29.31 ClearTextTunnelPassword
This optional parameter prevents Radiator decrypting and re-encrypting
Tunnel-Password attributes in replies during proxying. This is provided
in order to support older NASs that do not support encrypted
Tunnel-Password.
regards
Hugh
On 14 May 2004, at 04:48, Jeroen Moetwil wrote:
>
> Hello,
>
> We've been working on setting up a way to create an L2 tunnel between our
> NAS and an l2tpd endpoint through RADIUS. This works fine using our own
> MAX TNT. However, now we need to get it working through Ikano / Level 3.
> The problem I'm running into is that the Ikano RADIUS servers, which also
> run Radiator, are getting the Tunnel-Password encrypted. Level 3 needs it
> in clear text so that it can authenticate correctly against our endpoint.
>
> Here is a trace 4 log that I got from Ikano when we were testing this. I
> pulled the IPs out of the trace for security reasons.
>
>
> Wed May 12 14:55:55 2004: DEBUG: Packet dump:
> *** Received from 69.80.0.34 port 1645 ....
> Code: Access-Accept
> Identifier: 2
> Authentic: 9=fu9U<170><202><162><234><23><147>.<21><222><211>
> Attributes:
> Tunnel-Type = 0:L2TP
> Tunnel-Medium-Type = 0:IP
> Tunnel-Server-Endpoint = 0:x.x.x.x
> Tunnel-Password = "<0><243><173>%;<157>|U<235><14>F:t(<227>|<7><215><232>"
> Tunnel-Client-Auth-ID = 0:username
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
>
> *** This is what we are sending to L3. Could the problem be with tagged
> (0:L2TP) attributes?
>
>
> Wed May 12 14:55:55 2004: DEBUG: Received reply in AuthRADIUS for req 2
> from 69.80.0.34:1645
> Wed May 12 14:55:55 2004: DEBUG: Access accepted for tun1 at infomagic.net
> Wed May 12 14:55:55 2004: DEBUG: Packet dump:
> *** Sending to 209.244.126.232 port 39486 ....
> Code: Access-Accept
> Identifier: 196
> Authentic: n<21> 6<157>5<194><11><150><183>,O<9><153>"3
> Attributes:
> Tunnel-Type = 0:L2TP
> Tunnel-Medium-Type = 0:IP
> Tunnel-Server-Endpoint = 0:x.x.x.x
> Tunnel-Password = "<0><182><19><149>1<218><198><3>`<212><188>]Pj<189>T<234><183>2"
> Tunnel-Client-Auth-ID = 0:username
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Ascend-Data-Filter = ip in forward tcp est
> Ascend-Data-Filter = ip in forward dstip x.x.x.x
> Ascend-Data-Filter = ip in forward dstip x.x.x.x
> Ascend-Data-Filter = ip in forward dstip x.x.x.x
> Ascend-Data-Filter = ip in forward dstip x.x.x.x
> Ascend-Data-Filter = ip in drop tcp dstport=25
> Ascend-Data-Filter = ip in drop tcp srcport=80
> Ascend-Data-Filter = ip in forward
> Session-Timeout = 21600
> Idle-Timeout = 1200
>
>
> Is there a way to send the tunnel password in clear text instead of
> encrypted? I think it needs to be this way in order for my tunneling
> endpoint to allow the NAS to create a tunnel to it.
>
> Thank you,
>
> Jeroen
> Aspect 1
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
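An added worked example (mine, not Radiator's code and not from either message in the thread) of what is happening to the Tunnel-Password bytes in the two dumps above. RFC 2868 section 3.5 defines Tunnel-Password as Tag | Salt | String: the String is the length-prefixed, zero-padded password XORed with an MD5 keystream seeded from the shared secret, the Request Authenticator of the request being answered, and the salt. A proxy therefore has to decrypt with the secret and authenticator it shares with the home server and re-encrypt under the ones it shares with the NAS, which is why the received and forwarded values show different salts (F3AD versus B613) and different ciphertext even though they carry the same password. The script parses Radiator's `<decimal>` dump notation, checks the structure of the two values copied from the trace 4 log, implements the RFC 2868 encrypt and decrypt steps, and models the proxy step with a pass-through switch standing in for ClearTextTunnelPassword as the manual excerpt describes it (assumed semantics). The shared secrets, Request Authenticators, salts and the password used in the demo are constructed values.

```python
"""RFC 2868 Tunnel-Password as seen by a proxying RADIUS server.

Added example for this thread; it is not Radiator code. The two dump strings
are copied from the trace 4 log in the thread. The secrets, Request
Authenticators, salts and password used in the demo are constructed values.
"""
import hashlib
import os
import re

# Radiator packet dumps print non-printable octets as <decimal>, e.g. <243>.
_DUMP_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)

# Tunnel-Password values from the thread: what the proxy received from the
# home server and what it sent on to Level 3 (quotes removed, wrap joined).
RECEIVED_FROM_HOME_SERVER = "<0><243><173>%;<157>|U<235><14>F:t(<227>|<7><215><232>"
SENT_TO_LEVEL3 = "<0><182><19><149>1<218><198><3>`<212><188>]Pj<189>T<234><183>2"


def parse_radiator_dump(text):
    """Turn a Radiator dump string back into raw octets."""
    return bytes(int(num) if num else ord(ch) for num, ch in _DUMP_TOKEN.findall(text))


def describe_tunnel_password(value):
    """Split a Tunnel-Password value into Tag | Salt | String and sanity-check it."""
    tag, salt, enc = value[0], value[1:3], value[3:]
    return {
        "tag": tag,                                 # 0x00 = untagged (RFC 2868 s3.5)
        "salt": salt.hex(),
        "salt_high_bit_set": bool(salt[0] & 0x80),  # required by RFC 2868
        "string_len": len(enc),
        "whole_blocks": len(enc) > 0 and len(enc) % 16 == 0,
        "max_password_len": len(enc) - 1,           # first plaintext octet is the length
    }


def _keystream_block(secret, authenticator, salt, prev_cipher_block):
    """b(1) = MD5(S + R + A); b(i) = MD5(S + c(i-1))."""
    if prev_cipher_block is None:
        return hashlib.md5(secret + authenticator + salt).digest()
    return hashlib.md5(secret + prev_cipher_block).digest()


def tunnel_password_encrypt(password, secret, request_authenticator, tag=0, salt=None):
    """Build the attribute value Tag(1) | Salt(2) | String(16n) per RFC 2868 s3.5."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    if len(password) > 239:  # 253-octet value limit minus tag, salt, length octet, padding
        raise ValueError("password too long for one Tunnel-Password attribute")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)  # zero-pad to a multiple of 16
    enc, prev = bytearray(), None
    for i in range(0, len(plain), 16):
        key = _keystream_block(secret, request_authenticator, salt, prev)
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        enc += block
        prev = block
    return bytes([tag]) + salt + bytes(enc)


def tunnel_password_decrypt(value, secret, request_authenticator):
    """Return (tag, password) from an attribute value, or raise on malformed input."""
    tag, salt, enc = value[0], value[1:3], value[3:]
    if len(enc) == 0 or len(enc) % 16:
        raise ValueError("String is not a non-empty multiple of 16 octets")
    plain, prev = bytearray(), None
    for i in range(0, len(enc), 16):
        block = enc[i:i + 16]
        key = _keystream_block(secret, request_authenticator, salt, prev)
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet out of range: wrong shared secret or Request Authenticator?")
    return tag, bytes(plain[1:1 + length])


def proxy_forward(value, home_secret, proxy_req_auth, nas_secret, nas_req_auth,
                  clear_text_tunnel_password=False, salt=None):
    """Relay a Tunnel-Password from a home server's Access-Accept to the NAS.

    Default: decrypt under the secret shared with the home server and the
    Request Authenticator of the request the proxy itself sent, then re-encrypt
    under the secret shared with the NAS and the NAS's Request Authenticator.
    clear_text_tunnel_password=True models ClearTextTunnelPassword as the
    manual excerpt describes it (assumed semantics): relay the value untouched.
    """
    if clear_text_tunnel_password:
        return value
    tag, password = tunnel_password_decrypt(value, home_secret, proxy_req_auth)
    return tunnel_password_encrypt(password, nas_secret, nas_req_auth, tag=tag, salt=salt)


if __name__ == "__main__":
    for label, dump in (("home server -> proxy", RECEIVED_FROM_HOME_SERVER),
                        ("proxy -> Level 3", SENT_TO_LEVEL3)):
        print(label, describe_tunnel_password(parse_radiator_dump(dump)))
```

Running it decodes both log values to tag 0, a salt with the high bit set and a single 16-octet block, so the password carried is at most 15 octets. Two caveats worth having in mind before setting ClearTextTunnelPassword: a Tunnel-Password relayed in clear text sits in the clear in the UDP packet, since RADIUS encrypts no attribute beyond its own per-attribute obfuscation and the Response Authenticator gives integrity only; and a pass-through is usable by the NAS only if the home server sent the value unencrypted in the first place, because an encrypted value relayed unchanged was keyed to the proxy's secret and Request Authenticator, which the NAS does not have.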