(RADIATOR) initial run using simple.cfg with NAS client added fails
Joon Yun
joon at berkeley.edu
Tue Dec 13 16:44:49 CST 2005
Hi Hugh,
That was my first thought and I redid the client entry a number of
times:
#
<Client 128.32.231.212>
Secret new-secret
DupInterval 0
</Client>
#
And the same results. The radpwtst works fine for fred/fred but I fail
authentication when I attempt it through the NAS. Notice there is an
actual "Request Denied" message in the log. Is there a way to get more
verbose failure output from Radiator?
Also, I attempted to try a Kerberos config file to see if that would
make a difference but I get an error message when I try to launch
radiusd:
[ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file krb5.cfg
/libexec/ld-elf.so.1:
/usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:
Undefined symbol "krb5_init_ets"
I installed the Kerberos Perl5 module but am no expert. Am I supposed
to do any other configuration besides add client entries for NASes and
change the KrbRealm to BERKELEY.EDU in the config file?
I appreciate any assistance.
Regards,
Joon Yun
UC Berkeley
On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:
>
> Hello Joon -
>
> I am guessing that your configuration file does not have the correct
> shared secret for your NAS device.
>
> Note that the NAS device should be in your configuration file (not
> your users file):
>
> <Client your.nas.device>
> Secret sharedsecret
> </Client>
>
> where "your.nas.device" is either the DNS name or the IP address and
> "sharedsecret" is the shared secret used by the NAS device.
>
> See section 6.5 in the Radiator 3.13 reference manual ("doc/ref.html").
>
> regards
>
> Hugh
>
>
> On 10 Dec 2005, at 10:04, Joon Yun wrote:
>
>> Hello,
>>
>> After much trouble with 2 versions of Perl on my FreeBSD box I am
>> finally up and running with the demo installation of Radiator.
>> Ultimately I want to test the AuthBy KRB5 for eap/ttls usage but I
>> can't even seem to get the AuthBy File to work. I'm just using the
>> simple.cfg file and the perl radtest tool says everything is okay:
>>
>> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred
>> -password fred
>> sending Access-Request...
>> OK
>> sending Accounting-Request Start...
>> OK
>> sending Accounting-Request Stop...
>> OK
>>
>> But when I add one of my NAS devices to the users file as a client and
>> then test with the fred account I get a failure. I've appended the
>> debug output from the manually launched radiator radiusd. Any help
>> would be much appreciated.
>>
>> Regards,
>> Joon Yun
>> UC Berkeley
>>
>> ---------------------------------------------------------------------------------------
>>
>> [perimeter:local/etc/radiator] joon% sudo perl radiusd -config_file
>> goodies/simple.cfg
>> RADIUS Password:
>> Fri Dec 9 14:47:48 2005: DEBUG: Finished reading configuration file
>> 'goodies/simple.cfg'
>> This Radiator license will expire on 2006-01-30
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see
>> http://www.open.com.au/ordering.html
>> To extend your license period, contact admin at open.com.au
>>
>> Fri Dec 9 14:47:48 2005: DEBUG: Reading dictionary file
>> './dictionary'
>> Fri Dec 9 14:47:48 2005: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Fri Dec 9 14:47:48 2005: DEBUG: Creating accounting port 0.0.0.0:1646
>> Fri Dec 9 14:47:48 2005: NOTICE: Server started: Radiator 3.13 on
>> perimeter.berkeley.edu (LOCKED)
>>
>>
>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>> *** Received from 128.32.231.212 port 32858 ....
>> Code: Access-Request
>> Identifier: 249
>> Authentic: B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>> Attributes:
>> NAS-Identifier = "128.32.231.212"
>> User-Name = "fred"
>> User-Password =
>> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>
>>
>> Fri Dec 9 14:48:00 2005: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Fri Dec 9 14:48:00 2005: DEBUG: Deleting session for fred,
>> 128.32.231.212,
>> Fri Dec 9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
>> Fri Dec 9 14:48:00 2005: DEBUG: Reading users file ./users
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with fred
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad Password
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Administrative-User' does not match '' in
>> request
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT1
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Login-User' does not match '' in request
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT2
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Outbound-User' does not match '' in request
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT3
>> Fri Dec 9 14:48:00 2005: WARNING: Could not find Identifier for
>> Auth-Type 'System'
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could not
>> find Identifier for Auth-Type 'System'
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT4
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username
>> not suffixed with .ppp
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT5
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username
>> not prefixed with P
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT6
>> Fri Dec 9 14:48:00 2005: WARNING: This AuthBy does not know how to
>> check Group membership
>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User fred
>> is not in Group group1
>> Fri Dec 9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT, User
>> fred is not in Group group1
>> Fri Dec 9 14:48:00 2005: INFO: Access rejected for fred: User fred
>> is not in Group group1
>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>> *** Sending to 128.32.231.212 port 32858 ....
>> Code: Access-Reject
>> Identifier: 249
>> Authentic: B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
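The trace in the first post has AuthFILE rejecting fred with "Bad Password" while radpwtst succeeds with fred/fred, which is exactly what Hugh's diagnosis (a shared-secret mismatch between the NAS and the <Client> entry) predicts: under RFC 2865 section 5.2 the NAS hides the PAP User-Password by XORing it with MD5(secret + Request-Authenticator), so a secret that differs on either side turns the correct password into noise before the users file is ever consulted. The script below is an added example written for this page, not code from the thread or from Radiator. It takes the Request Authenticator and User-Password bytes out of a trace 4 packet dump (the two values copied from the post above, in Radiator's literal-or-<decimal> notation) and tries candidate shared secrets against them, reporting the one that decrypts to printable text. The candidate list is an assumption: "new-secret" is the value in the poster's <Client> block, and "mysecret" is assumed here to be the demo secret that simple.cfg and radpwtst use, which the thread does not state.

```python
"""Check a RADIUS shared secret against a captured PAP Access-Request.

RFC 2865 section 5.2 hides User-Password by XORing each 16-byte block of the
NUL-padded password with MD5(secret + Request-Authenticator); later blocks
chain on the previous ciphertext block instead of the authenticator.  If the
NAS and the server disagree on the secret, the server decrypts to garbage and
logs "Bad Password" even though the user typed the right one.  This replays
that decryption offline against the bytes from a trace 4 packet dump.
"""
import hashlib
import re


def parse_radiator_dump(text: str) -> bytes:
    """Convert Radiator's packet-dump notation back to raw bytes.

    Printable bytes appear literally and all others as <decimal>,
    e.g. "B<179><163>" -> b"B\\xb3\\xa3".  A literal "<" followed by digits
    and ">" in the data would be ambiguous; the dumps here contain none.
    """
    out = bytearray()
    for num, ch in re.findall(r"<(\d+)>|(.)", text, re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 5.2 User-Password hiding (PAP)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    blocks = -(-len(password) // 16)          # ceiling division
    padded = password.ljust(blocks * 16, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += c
        prev = c                              # chain on the ciphertext block
    return bytes(out)


def decrypt_user_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding.  Trailing NUL padding is stripped, so a
    password that itself ends in NUL bytes cannot be carried (RFC limitation)."""
    if not encrypted or len(encrypted) % 16:
        raise ValueError("encrypted User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encrypted), 16):
        c = encrypted[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, key))
        prev = c
    return bytes(out).rstrip(b"\x00")


def looks_like_password(candidate: bytes) -> bool:
    """A correctly decrypted PAP password is printable ASCII; with the wrong
    secret the MD5 keystream leaves essentially random bytes."""
    return bool(candidate) and all(0x20 <= b < 0x7F for b in candidate)


def find_secret(encrypted: bytes, authenticator: bytes, candidates):
    """Return (secret, password) for the first candidate that decrypts to
    printable text, or None if none does."""
    for secret in candidates:
        password = decrypt_user_password(encrypted, secret, authenticator)
        if looks_like_password(password):
            return secret, password
    return None


# Bytes copied from the Access-Request dump in the original post
# (the "Authentic:" and "User-Password =" lines), in Radiator's notation.
AUTHENTICATOR = parse_radiator_dump(
    "B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>")
ENCRYPTED_PW = parse_radiator_dump(
    "<239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>")

if __name__ == "__main__":
    # Candidate list is an assumption: "new-secret" is the value in the
    # poster's <Client> block; "mysecret" is assumed to be the demo secret
    # used by simple.cfg and radpwtst (not stated anywhere in the thread).
    hit = find_secret(ENCRYPTED_PW, AUTHENTICATOR, [b"new-secret", b"mysecret"])
    if hit:
        print("secret %r decrypts User-Password to %r" % hit)
    else:
        print("no candidate secret yields a printable password")
```

Run it as a plain script with Python 3. If one candidate decrypts the captured User-Password to "fred", that is the secret the NAS is really sending with, and the <Client> block must match it; if none does, the NAS is configured with a value that appears nowhere in the thread, and the fix is on the NAS or in the <Client> entry, not in the users file. The printable-text heuristic is what makes this usable without knowing the password: a wrong secret leaves almost no chance of sixteen bytes all landing in the printable range.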