(RADIATOR) initial run using simple.cfg with NAS client added fails

Joon Yun joon at berkeley.edu
Tue Dec 13 18:04:05 CST 2005


Hi Hugh,

I have attached the configuration file I am using. Here is the trace 4 
file again when it fails from my NAS (128.32.231.212).

[perimeter:local/etc/radiator] joon% perl radiusd -config_file 
simple.cfg
Tue Dec 13 14:30:26 2005: DEBUG: Finished reading configuration file 
'simple.cfg'
This Radiator license will expire on 2006-01-30
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au

Tue Dec 13 14:30:26 2005: DEBUG: Reading dictionary file './dictionary'
Tue Dec 13 14:30:26 2005: DEBUG: Creating authentication port 
0.0.0.0:1645
Tue Dec 13 14:30:26 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Dec 13 14:30:26 2005: NOTICE: Server started: Radiator 3.13 on 
ndrl5.berkeley.edu (LOCKED)





Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
*** Received from 128.32.231.212 port 32859 ....
Code:       Access-Request
Identifier: 188
Authentic:  
We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
Attributes:
         NAS-IP-Address = 128.32.231.212
         User-Name = "fred"
         User-Password = 
q<216><187><139><197><222><233>H<247>4<148>t~<254><171><195>

Tue Dec 13 14:31:17 2005: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Dec 13 14:31:17 2005: DEBUG:  Deleting session for fred, 
128.32.231.212,
Tue Dec 13 14:31:17 2005: DEBUG: Handling with Radius::AuthFILE:
Tue Dec 13 14:31:17 2005: DEBUG: Reading users file ./users
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
fred
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item 
Service-Type expression 'Framed-User' does not match '' in request
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item 
Service-Type expression 'Administrative-User' does not match '' in 
request
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT1
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item 
Service-Type expression 'Login-User' does not match '' in request
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT2
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item 
Service-Type expression 'Outbound-User' does not match '' in request
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT3
Tue Dec 13 14:31:17 2005: WARNING: Could not find Identifier for 
Auth-Type 'System'
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Could not 
find Identifier for Auth-Type 'System'
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT4
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Username not 
suffixed with .ppp
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT5
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Username not 
prefixed with P
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match with 
DEFAULT6
Tue Dec 13 14:31:17 2005: WARNING: This AuthBy does not know how to 
check Group membership
Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: User fred is 
not in Group group1
Tue Dec 13 14:31:17 2005: DEBUG: AuthBy FILE result: REJECT, User fred 
is not in Group group1
Tue Dec 13 14:31:17 2005: INFO: Access rejected for fred: User fred is 
not in Group group1
Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
*** Sending to 128.32.231.212 port 32859 ....
Code:       Access-Reject
Identifier: 188
Authentic:  
We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
Attributes:
         Reply-Message = "Request Denied"



-------------- next part --------------
A non-text attachment was scrubbed...
Name: simple.cfg
Type: application/octet-stream
Size: 1446 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20051213/3b971bff/attachment.obj>
-------------- next part --------------


I appreciate your assistance.

Regards,
Joon Yun
UC Berkeley

P.S. I installed the BSD ports version of the p5-Authen-Krb5 perl  
module (version 1.5) as per section 6.57 in the Radiator 3.13 reference  
manual and restarted the server. There is no trace file as radiator  
does not launch and the only difference in config from the simple.cfg  
config file I am using is the "KrbRealm" parameter. Radiator seems to  
even sorta find the library as here is the error I get again:

[perimeter:local/etc/radiator] joon% perl radiusd -config_file krb5.cfg
/libexec/ld-elf.so.1:  
/usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:  
Undefined symbol "krb5_init_ets"


On Dec 13, 2005, at 2:59 PM, Hugh Irvine wrote:

>
> Hello Joon -
>
> I will need to see a copy of your configuration file together with a  
> trace 4 debug showing what is happening.
>
> Note that you must restart radiusd to have a changed configuration  
> file reread.
>
> As for using KRB5, you will need to install the Authen-Krb5 module  
> from CPAN, together with any prerequisites.
>
> See section 6.57 in the Radiator 3.13 reference manual  
> ("doc/ref.html").
>
> regards
>
> Hugh
>
>
> On 14 Dec 2005, at 09:44, Joon Yun wrote:
>
>> Hi Hugh,
>>
>> That was my first thought and I redid the client entry a number of  
>> times:
>>
>> #
>> <Client 128.32.231.212>
>>         Secret  new-secret
>>         DupInterval 0
>> </Client>
>> #
>>
>> And same results. The radpwtst works fine for fred/fred but I fail  
>> authentication when I attempt it thru the NAS. Notice there is an  
>> actual "Request Denied" message in the log. Is there a way to get  
>> more verbose failure output from Radiator?
>>
>> Also, I attempted to try a Kerberos config file to see if that would  
>> make a difference but I get an error message when I try to launch  
>> radiusd:
>>
>> [ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file  
>> krb5.cfg
>> /libexec/ld-elf.so.1:  
>> /usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:  
>> Undefined symbol "krb5_init_ets"
>>
>> I installed the Kerberos Perl5 module but am no expert. Am I supposed  
>> to do any other configuration besides add client entries for NASes  
>> and change the KrbRealm to BERKELEY.EDU in the config file?
>>
>> I appreciate any assistance.
>>
>> Regards,
>> Joon Yun
>> UC Berkeley
>>
>>
>> On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:
>>
>>>
>>> Hello Joon -
>>>
>>> I am guessing that your configuration file does not have the correct  
>>> shared secret for your NAS device.
>>>
>>> Note that the NAS device should be in your configuration file (not  
>>> your users file):
>>>
>>> <Client your.nas.device>
>>> 	Secret sharedsecret
>>> </Client>
>>>
>>> where "your.nas.device" is either the DNS name or the IP address and  
>>> "sharedsecret" is the shared secret used by the NAS device.
>>>
>>> See section 6.5 in the Radiator 3.13 reference manual  
>>> ("doc/ref.html").
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 10 Dec 2005, at 10:04, Joon Yun wrote:
>>>
>>>> Hello,
>>>>
>>>> After much trouble with 2 versions of Perl on my FreeBSD box I am  
>>>> finally up and running with the demo installation of Radiator.  
>>>> Ultimately I want to test the AuthBy KRB5 for eap/ttls usage but I  
>>>> can't even seem to get the AuthBy File to work. I'm just using the  
>>>> simple.cfg file and the perl radtest tool says everything is okay:
>>>>
>>>> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred  
>>>> -password fred
>>>> sending Access-Request...
>>>> OK
>>>> sending Accounting-Request Start...
>>>> OK
>>>> sending Accounting-Request Stop...
>>>> OK
>>>>
>>>> But when I add one of my NAS devices to the users file as a client and  
>>>> then test with the fred account I get a failure. I've appended the  
>>>> debug output from the manually launched radiator radiusd. Any help  
>>>> would be much appreciated.
>>>>
>>>> Regards,
>>>> Joon Yun
>>>> UC Berkeley
>>>>
>>>> -------------------------------------------------------------------- 
>>>> -------------------
>>>>
>>>> [perimeter:local/etc/radiator] joon% sudo perl radiusd -config_file  
>>>> goodies/simple.cfg
>>>> RADIUS Password:
>>>> Fri Dec  9 14:47:48 2005: DEBUG: Finished reading configuration  
>>>> file 'goodies/simple.cfg'
>>>> This Radiator license will expire on 2006-01-30
>>>> This Radiator license will stop operating after 1000 requests
>>>> To purchase an unlimited full source version of Radiator, see
>>>> http://www.open.com.au/ordering.html
>>>> To extend your license period, contact admin at open.com.au
>>>>
>>>> Fri Dec  9 14:47:48 2005: DEBUG: Reading dictionary file  
>>>> './dictionary'
>>>> Fri Dec  9 14:47:48 2005: DEBUG: Creating authentication port  
>>>> 0.0.0.0:1645
>>>> Fri Dec  9 14:47:48 2005: DEBUG: Creating accounting port  
>>>> 0.0.0.0:1646
>>>> Fri Dec  9 14:47:48 2005: NOTICE: Server started: Radiator 3.13 on  
>>>> perimeter.berkeley.edu (LOCKED)
>>>>
>>>>
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
>>>> *** Received from 128.32.231.212 port 32858 ....
>>>> Code:       Access-Request
>>>> Identifier: 249
>>>> Authentic:   
>>>> B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>>>> Attributes:
>>>>         NAS-Identifier = "128.32.231.212"
>>>>         User-Name = "fred"
>>>>         User-Password =  
>>>> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>
>>>>
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Handling request with Handler  
>>>> 'Realm=DEFAULT'
>>>> Fri Dec  9 14:48:00 2005: DEBUG:  Deleting session for fred,  
>>>> 128.32.231.212,
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Reading users file ./users
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with fred
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad  
>>>> Password
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check  
>>>> item Service-Type expression 'Administrative-User' does not match  
>>>> '' in request
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT1
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check  
>>>> item Service-Type expression 'Login-User' does not match '' in  
>>>> request
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT2
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check  
>>>> item Service-Type expression 'Outbound-User' does not match '' in  
>>>> request
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT3
>>>> Fri Dec  9 14:48:00 2005: WARNING: Could not find Identifier for  
>>>> Auth-Type 'System'
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could not  
>>>> find Identifier for Auth-Type 'System'
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT4
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username  
>>>> not suffixed with .ppp
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT5
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username  
>>>> not prefixed with P
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match  
>>>> with DEFAULT6
>>>> Fri Dec  9 14:48:00 2005: WARNING: This AuthBy does not know how to  
>>>> check Group membership
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User fred  
>>>> is not in Group group1
>>>> Fri Dec  9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT, User  
>>>> fred is not in Group group1
>>>> Fri Dec  9 14:48:00 2005: INFO: Access rejected for fred: User fred  
>>>> is not in Group group1
>>>> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
>>>> *** Sending to 128.32.231.212 port 32858 ....
>>>> Code:       Access-Reject
>>>> Identifier: 249
>>>> Authentic:   
>>>> B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>>>> Attributes:
>>>>         Reply-Message = "Request Denied"
>>>>
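
Added example, not part of the original thread and not Radiator code: a sketch of RFC 2865 section 5.2 User-Password hiding, showing why a shared-secret mismatch between NAS and server (the guess in the 9 Dec reply) appears in a trace as "Bad Password" rather than as an explicit secret error, since the server simply recovers garbage. The secrets and authenticator are constructed values, and `parse_dump` assumes the trace's `<nnn>` notation is a decimal byte value.

```python
import hashlib
import re

def parse_dump(text: str) -> bytes:
    """Convert trace notation such as 'We<253><245>' to raw bytes.
    Assumption: <nnn> is a decimal byte value, any other character is literal."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d{1,3})>|(.)", text, flags=re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous ciphertext block);
    the Request Authenticator stands in for the block before the first."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        out += result
        prev = result if hiding else block  # always chain on the ciphertext
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: NUL-pad to a multiple of 16 bytes, then XOR."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    return _xor_chain(password.ljust(padded_len, b"\x00"), secret, authenticator, True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does before comparing against the users file."""
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

# Constructed sample values, not taken from the thread.
AUTHENTICATOR = bytes(range(16))
SERVER_SECRET = b"secret-in-client-clause"
NAS_SECRET = b"secret-typed-into-nas"

def server_sees(nas_secret: bytes, server_secret: bytes, password: bytes = b"fred") -> bytes:
    """Password the server recovers when the NAS hid it with nas_secret."""
    hidden = hide_password(password, nas_secret, AUTHENTICATOR)
    return unhide_password(hidden, server_secret, AUTHENTICATOR)

if __name__ == "__main__":
    print("secrets match:  ", server_sees(SERVER_SECRET, SERVER_SECRET))
    print("secrets differ: ", server_sees(NAS_SECRET, SERVER_SECRET))
    print("authenticator bytes:", len(parse_dump("We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>")))
```

A plain Access-Request carries nothing that lets the server distinguish a wrong secret from a wrong password, which is why the two look identical in the debug output.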

