(RADIATOR) initial run using simple.cfg with NAS client added fails

Hugh Irvine hugh at open.com.au
Fri Dec 9 19:04:04 CST 2005


Hello Joon -

I am guessing that your configuration file does not have the correct  
shared secret for your NAS device.

Note that the NAS device should be in your configuration file (not  
your users file):

<Client your.nas.device>
	Secret sharedsecret
</Client>

where "your.nas.device" is either the DNS name or the IP address and  
"sharedsecret" is the shared secret used by the NAS device.

See section 6.5 in the Radiator 3.13 reference manual ("doc/ref.html").

regards

Hugh


On 10 Dec 2005, at 10:04, Joon Yun wrote:

> Hello,
>
> After much trouble with 2 versions of Perl on my FreeBSD box I am  
> finally up and running with the demo installation of Radiator.  
> Ultimately I want to test the AuthBy KRB5 for eap/ttls usage but I  
> can't even seem to get the AuthBy File to work. I'm just using the  
> simple.cfg file and the perl radtest tool says everything is okay:
>
> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred -password fred
> sending Access-Request...
> OK
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
> But when I add one of my NAS devices to the users file as a client and  
> then test with the fred account I get a failure. I've appended the  
> debug output from the manually launched radiator radiusd. Any help  
> would be much appreciated.
>
> Regards,
> Joon Yun
> UC Berkeley
>
> ---------------------------------------------------------------------------------------
>
> [perimeter:local/etc/radiator] joon% sudo perl radiusd -config_file goodies/simple.cfg
> RADIUS Password:
> Fri Dec  9 14:47:48 2005: DEBUG: Finished reading configuration file 'goodies/simple.cfg'
> This Radiator license will expire on 2006-01-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Dec  9 14:47:48 2005: DEBUG: Reading dictionary file './dictionary'
> Fri Dec  9 14:47:48 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> Fri Dec  9 14:47:48 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Dec  9 14:47:48 2005: NOTICE: Server started: Radiator 3.13 on perimeter.berkeley.edu (LOCKED)
>
>
> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
> *** Received from 128.32.231.212 port 32858 ....
> Code:       Access-Request
> Identifier: 249
> Authentic:  B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
> Attributes:
>         NAS-Identifier = "128.32.231.212"
>         User-Name = "fred"
>         User-Password = <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>
>
> Fri Dec  9 14:48:00 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Dec  9 14:48:00 2005: DEBUG:  Deleting session for fred, 128.32.231.212,
> Fri Dec  9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
> Fri Dec  9 14:48:00 2005: DEBUG: Reading users file ./users
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with fred
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type expression 'Administrative-User' does not match '' in request
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type expression 'Login-User' does not match '' in request
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT2
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type expression 'Outbound-User' does not match '' in request
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT3
> Fri Dec  9 14:48:00 2005: WARNING: Could not find Identifier for Auth-Type 'System'
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could not find Identifier for Auth-Type 'System'
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT4
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username not suffixed with .ppp
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT5
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username not prefixed with P
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match with DEFAULT6
> Fri Dec  9 14:48:00 2005: WARNING: This AuthBy does not know how to check Group membership
> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User fred is not in Group group1
> Fri Dec  9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT, User fred is not in Group group1
> Fri Dec  9 14:48:00 2005: INFO: Access rejected for fred: User fred is not in Group group1
> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
> *** Sending to 128.32.231.212 port 32858 ....
> Code:       Access-Reject
> Identifier: 249
> Authentic:  B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
> Attributes:
>         Reply-Message = "Request Denied"
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

