(RADIATOR) Radiator Auth issues (I think)...

Mark Sergeant msergeant at snsonline.net
Wed Apr 13 03:08:07 CDT 2005


FYI, it turned out to be a problem with the VPN-IEXEC\\nip part of the
Cisco-AVPairs: Cistron likes \\, Radiator likes \

Cheers,

Mark

On 05/04/2005, at 06:29, Hugh Irvine wrote:

>
> Hello Mark -
>
> I can't see anything obviously wrong with what you show below.
>
> I suggest you check a debug on the Cisco to see what it thinks is  
> wrong.
>
> regards
>
> Hugh
>
>
> On 4 Apr 2005, at 02:21, Mark Sergeant wrote:
>
>
>> To start with I'll admit I'm new to radiator and am in the process  
>> of trying to migrate all our systems from cistron to radiator. I'm  
>> having an issue with our test cisco kit authenticating sessions...  
>> the test auth from the radpwtest command works fine, as does a  
>> test aaa group radius username password legacy on the actual cisco  
>> router itself, yet when I try and get a dsl session to login it  
>> just sits there reauthing, the following is the log output and  
>> config files, let me know what else is needed... and if I missed  
>> something obvious a pointer to the doco would be great !
>>
>> The system is a FreeBSD 5.3-RELEASE-p5 machine, with perl 5.8.6  
>> and all other ports up to date, the eventual plan is to do a full  
>> postgres setup but for now I'd like to work with the old cistron  
>> files...
>>
>> Users file entry...
>>
>> 0755555555@qIEXECTEST.rdsln03 Password = "blah"
>>         Service-Type = Framed,
>>         Framed-Protocol = PPP,
>>         Framed-MTU = 1450,
>>         Framed-IP-Address = 192.168.254.198,
>>         Cisco-AVPair = "lcp:interface-config=ip vrf forwarding VPN-IEXEC\\nip unnumbered loopback 86",
>>         Cisco-AVPair = "ip:route#1=vrf VPN-IEXEC 192.168.100.0 255.255.255.0 192.168.254.198",
>>         Cisco-AVPair = "lcp:interface-config=bandwidth 512",
>>         Cisco-AVPair = "lcp:interface-config=description iexecpty-test"
>>
>> N.B. I've added Framed and Cisco-AVPair into the dictionary file  
>> instead of Framed-User & cisco-avpair.
>>
>> Config file...
>>
>> Foreground
>> LogStdout
>> Trace   4
>> PidFile /tmp/radiusd.pid
>> AuthPort        1812
>> AcctPort        1813
>> BindAddress     127.0.0.1, x.x.x.x
>> LogDir          /var/log/radius
>> DbDir           /usr/local/etc/raddb
>>
>> <Client 127.0.0.1>
>>         Secret mysecret
>>         DupInterval 0
>> </Client>
>>
>> <Client x.x.x.x>
>>         Secret mysecret
>>         DupInterval 0
>> </Client>
>>
>> <Handler Realm=/qEXESIIG|qEXESFIX|qEXESVOL|[nvw]IEXEC|[qnvw]IEXECVPN|[qnvw]IEXECTEST|dsl\.iexec.*|dialports.iexec.com.au/>
>>         AcctLogFileName %L/detail
>>         WtmpFileName %L/wtmp
>>         PasswordLogFileName %L/password.log
>>         RejectHasReason
>>         <AuthBy FILE>
>>                 Filename        %D/users
>>         </AuthBy>
>> </Handler>
>>
>> # Ignore the preauth requests.
>> <Handler Realm=/dnis.*/i>
>> </Handler>
>>
>> -- Log entries...
>>
>> Thu Mar 31 16:07:58 2005: DEBUG: Packet dump:
>> *** Received from x.x.x.x port 1645 ....
>> Code:       Access-Request
>> Identifier: 8
>> Authentic:  <154><20>@<141>:h2e<26><0><222>I<216>9<239><247>
>> Attributes:
>>         Framed-Protocol = PPP
>>         User-Name = "iexec@qIEXECTEST"
>>         CHAP-Password = <2><254><235><227><153>#<247><149><213><227>k<210><222>O<7><0><127>
>>         NAS-Port-Type = Virtual
>>         NAS-Port = 187
>>         NAS-Port-Id = "Uniq-Sess-ID187"
>>         Connect-Info = "524288"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 210.18.254.47
>>
>> Thu Mar 31 16:07:58 2005: DEBUG: Handling request with Handler 'Realm=/qEXESIIG|qEXESFIX|qEXESVOL|[nvw]IEXEC|[qnvw]IEXECVPN|[qnvw]IEXECTEST|dsl\.iexec.*|dialports.iexec.com.au/'
>> Thu Mar 31 16:07:58 2005: DEBUG:  Deleting session for iexec@qIEXECTEST, x.x.x.x
>> Thu Mar 31 16:07:58 2005: DEBUG: Handling with Radius::AuthFILE:
>> Thu Mar 31 16:07:58 2005: DEBUG: Radius::AuthFILE looks for match with iexec@qIEXECTEST
>> Thu Mar 31 16:07:58 2005: DEBUG: Radius::AuthFILE ACCEPT:
>> Thu Mar 31 16:07:58 2005: DEBUG: Access accepted for iexec@qIEXECTEST
>> Thu Mar 31 16:07:58 2005: DEBUG: Packet dump:
>> *** Sending to 210.18.254.47 port 1645 ....
>> Code:       Access-Accept
>> Identifier: 8
>> Authentic:  <154><20>@<141>:h2e<26><0><222>I<216>9<239><247>
>> Attributes:
>>         Framed-IP-Address = 192.168.250.101
>>         Service-Type = Framed
>>         Framed-Protocol = PPP
>>         Framed-MTU = 1450
>>         Cisco-AVPair = "lcp:interface-config=ip vrf forwarding VPN-IEXEC\\nip unnumbered loopback 86"
>>         Cisco-AVPair = "lcp:interface-config=bandwidth 512"
>>         Cisco-AVPair = "lcp:interface-config=description iexec-test-shdsl"
>>
>>
>
> NB: I am travelling this week, so there may be delays in our  
> correspondence.
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
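
The escaping difference reported at the top of this message (Cistron wants `\\n` inside the Cisco-AVPair value, Radiator wants `\n`) can be checked across a whole users file before it is migrated. This is an added example, not code from the thread or from Radiator; the sample entry is constructed from the one quoted above, the function names are hypothetical, and it assumes only the `\\n` case the post describes.

```python
import re

# Constructed sample, modelled on the users-file entry quoted in the post.
SAMPLE_USERS = r'''0755555555@qIEXECTEST.rdsln03 Password = "blah"
        Service-Type = Framed,
        Cisco-AVPair = "lcp:interface-config=ip vrf forwarding VPN-IEXEC\\nip unnumbered loopback 86",
        Cisco-AVPair = "lcp:interface-config=bandwidth 512"
'''

# attribute = "quoted value"; the value may contain backslash-escaped characters.
QUOTED_ITEM = re.compile(r'([\w-]+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# Exactly two backslashes followed by 'n': the Cistron-style spelling from the post.
DOUBLED_NEWLINE = re.compile(r'(?<!\\)\\\\n')


def find_doubled_newlines(users_text):
    """Return (line_number, attribute, value) for quoted values with a doubled-backslash n."""
    hits = []
    for line_no, line in enumerate(users_text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # comment lines are not reply items
        for attr, value in QUOTED_ITEM.findall(line):
            if DOUBLED_NEWLINE.search(value):
                hits.append((line_no, attr, value))
    return hits


def _fix_item(match):
    # Rewrite only the quoted value; attribute name and spacing stay as written.
    start = match.start(2) - match.start(0)
    end = match.end(2) - match.start(0)
    whole = match.group(0)
    fixed = DOUBLED_NEWLINE.sub(lambda _: '\\n', match.group(2))
    return whole[:start] + fixed + whole[end:]


def convert_for_radiator(users_text):
    """Return the users file with doubled-backslash n reduced to backslash n in quoted values."""
    out = []
    for line in users_text.splitlines(keepends=True):
        if not line.lstrip().startswith('#'):
            line = QUOTED_ITEM.sub(_fix_item, line)
        out.append(line)
    return ''.join(out)


if __name__ == '__main__':
    for line_no, attr, value in find_doubled_newlines(SAMPLE_USERS):
        print('line {}: {} = "{}"'.format(line_no, attr, value))
    print(convert_for_radiator(SAMPLE_USERS), end='')
```

Run `find_doubled_newlines` over the old Cistron file first to review which reply items would change, then diff the converted output against the original before pointing Radiator's `Filename` at it.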

