(RADIATOR) initial run using simple.cfg with NAS client added fails

Joon Yun joon at berkeley.edu
Tue Dec 13 16:44:49 CST 2005


Hi Hugh,

That was my first thought and I redid the client entry a number of  
times:

#
<Client 128.32.231.212>
         Secret  new-secret
         DupInterval 0
</Client>
#

And same results. The radpwtst works fine for fred/fred but I fail  
authentication when I attempt it through the NAS. Notice there is an
actual "Request Denied" message in the log. Is there a way to get more  
verbose failure output from Radiator?

Also, I attempted to try a Kerberos config file to see if that would  
make a difference but I get an error message when I try to launch  
radiusd:

[ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file krb5.cfg
/libexec/ld-elf.so.1:  
/usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:  
Undefined symbol "krb5_init_ets"

I installed the Kerberos Perl5 module but am no expert. Am I supposed  
to do any other configuration besides add client entries for NASes and  
change the KrbRealm to BERKELEY.EDU in the config file?

I appreciate any assistance.

Regards,
Joon Yun
UC Berkeley


On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:

>
> Hello Joon -
>
> I am guessing that your configuration file does not have the correct  
> shared secret for your NAS device.
>
> Note that the NAS device should be in your configuration file (not  
> your users file):
>
> <Client your.nas.device>
> 	Secret sharedsecret
> </Client>
>
> where "your.nas.device" is either the DNS name or the IP address and  
> "sharedsecret" is the shared secret used by the NAS device.
>
> See section 6.5 in the Radiator 3.13 reference manual ("doc/ref.html").
>
> regards
>
> Hugh
>
>
> On 10 Dec 2005, at 10:04, Joon Yun wrote:
>
>> Hello,
>>
>> After much trouble with 2 versions of Perl on my FreeBSD box I am  
>> finally up and running with the demo installation of Radiator.  
>> Ultimately I want to test the AuthBy KRB5 for eap/ttls usage but I  
>> can't even seem to get the AuthBy File to work. I'm just using the  
>> simple.cfg file and the perl radtest tool says everything is okay:
>>
>> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred  
>> -password fred
>> sending Access-Request...
>> OK
>> sending Accounting-Request Start...
>> OK
>> sending Accounting-Request Stop...
>> OK
>>
>> But when I add one of my NAS devices to the users file as a client and
>> then test with the fred account I get a failure. I've appended the  
>> debug output from the manually launched radiator radiusd. Any help  
>> would be much appreciated.
>>
>> Regards,
>> Joon Yun
>> UC Berkeley
>>
>> -----------------------------------------------------------------------------------
>>
>> [perimeter:local/etc/radiator] joon% sudo perl radiusd -config_file  
>> goodies/simple.cfg
>> RADIUS Password:
>> Fri Dec  9 14:47:48 2005: DEBUG: Finished reading configuration file  
>> 'goodies/simple.cfg'
>> This Radiator license will expire on 2006-01-30
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see
>> http://www.open.com.au/ordering.html
>> To extend your license period, contact admin at open.com.au
>>
>> Fri Dec  9 14:47:48 2005: DEBUG: Reading dictionary file  
>> './dictionary'
>> Fri Dec  9 14:47:48 2005: DEBUG: Creating authentication port  
>> 0.0.0.0:1645
>> Fri Dec  9 14:47:48 2005: DEBUG: Creating accounting port 0.0.0.0:1646
>> Fri Dec  9 14:47:48 2005: NOTICE: Server started: Radiator 3.13 on  
>> perimeter.berkeley.edu (LOCKED)
>>
>>
>> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
>> *** Received from 128.32.231.212 port 32858 ....
>> Code:       Access-Request
>> Identifier: 249
>> Authentic:  B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>> Attributes:
>>         NAS-Identifier = "128.32.231.212"
>>         User-Name = "fred"
>>         User-Password =  
>> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>
>>
>> Fri Dec  9 14:48:00 2005: DEBUG: Handling request with Handler  
>> 'Realm=DEFAULT'
>> Fri Dec  9 14:48:00 2005: DEBUG:  Deleting session for fred,  
>> 128.32.231.212,
>> Fri Dec  9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
>> Fri Dec  9 14:48:00 2005: DEBUG: Reading users file ./users
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with fred
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad Password
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item  
>> Service-Type expression 'Administrative-User' does not match '' in  
>> request
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT1
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item  
>> Service-Type expression 'Login-User' does not match '' in request
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT2
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item  
>> Service-Type expression 'Outbound-User' does not match '' in request
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT3
>> Fri Dec  9 14:48:00 2005: WARNING: Could not find Identifier for  
>> Auth-Type 'System'
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could not  
>> find Identifier for Auth-Type 'System'
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT4
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username  
>> not suffixed with .ppp
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT5
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username  
>> not prefixed with P
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>> with DEFAULT6
>> Fri Dec  9 14:48:00 2005: WARNING: This AuthBy does not know how to  
>> check Group membership
>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User fred  
>> is not in Group group1
>> Fri Dec  9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT, User  
>> fred is not in Group group1
>> Fri Dec  9 14:48:00 2005: INFO: Access rejected for fred: User fred  
>> is not in Group group1
>> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
>> *** Sending to 128.32.231.212 port 32858 ....
>> Code:       Access-Reject
>> Identifier: 249
>> Authentic:  B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>> Attributes:
>>         Reply-Message = "Request Denied"
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive  
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
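The "Radius::AuthFILE REJECT: Bad Password" lines in the trace are exactly what a shared-secret mismatch looks like from the server side: an Access-Request without a Message-Authenticator carries nothing that proves the secret, so a wrong secret simply turns the hidden User-Password into junk that can never match the users file. The example below is added here and is not Radiator's code; it implements the RFC 2865 User-Password hiding, reuses the Request Authenticator printed in the trace (parsed from Radiator's <decimal> byte notation), and shows the junk a wrong secret produces. It assumes the secret "new-secret" from the Client entry in the thread, the test user "fred", and a constructed "wrong-secret".

```python
import hashlib
import re

# Radiator packet dumps print non-printable bytes as <decimal> and printable
# bytes literally, e.g. B<179><163>...  (a literal "<digits>" in the data would
# be ambiguous, but real Authenticator/User-Password dumps practically never contain one).
def parse_radiator_bytes(dump: str) -> bytes:
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", dump, re.S):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: block i is XORed with MD5(secret + previous *hidden* block);
    the first block uses MD5(secret + Request Authenticator)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block  # chaining always uses the hidden (wire) block
    return bytes(out)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Pad with NULs to a multiple of 16 bytes, at least one block.
    pad_len = max(16, (len(password) + 15) // 16 * 16)
    return _xor_blocks(password.ljust(pad_len, b"\x00"), secret, authenticator, hiding=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Trailing NULs are padding (a real password ending in NUL is not representable).
    return _xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """The server cannot detect a wrong secret directly; the only symptom is a decoded
    password containing bytes outside printable ASCII, which AuthFILE reports as Bad Password."""
    return not all(32 <= b < 127 for b in decoded)

if __name__ == "__main__":
    # Request Authenticator copied from the Access-Request dump in the thread.
    auth = parse_radiator_bytes("B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>")
    hidden = hide_password(b"fred", b"new-secret", auth)          # what the NAS would send
    print("right secret :", unhide_password(hidden, b"new-secret", auth))
    junk = unhide_password(hidden, b"wrong-secret", auth)       # constructed wrong secret
    print("wrong secret :", junk, "-> mismatch?", looks_like_secret_mismatch(junk))
```

Running it shows that the NAS and server agreeing on the secret is the only thing that makes "fred" come back out; with any other secret the password never matches, and the trace looks exactly like a typo in the users file.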

