(RADIATOR) initial run using simple.cfg with NAS client added fails
Hugh Irvine
hugh at open.com.au
Wed Dec 14 01:23:00 CST 2005
Hello Joon -
Many thanks for the files.
The problem now is that you are trying to authenticate "fred", and
the users file entry for "fred" has a check item of "Service-Type =
Framed-User". As there is no "Service-Type = Framed-User" in the
radius request from the NAS, the request is rejected.
You should define "fred" as follows:
# users file entry for "fred"
fred    User-Password = "fred"
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Exec-Program = "/bin/echo here I am %u"
Also if you don't want the DEFAULT lookups, you should add
"NoDefault" to your AuthBy FILE clause.
I have passed on your questions about Krb5 to Mike.
regards
Hugh
On 14 Dec 2005, at 11:04, Joon Yun wrote:
> Hi Hugh,
>
> I have attached the configuration file I am using. Here is the
> trace 4 file again when it fails from my NAS (128.32.231.212).
>
> [perimeter:local/etc/radiator] joon% perl radiusd -config_file
> simple.cfg
> Tue Dec 13 14:30:26 2005: DEBUG: Finished reading configuration
> file 'simple.cfg'
> This Radiator license will expire on 2006-01-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Tue Dec 13 14:30:26 2005: DEBUG: Reading dictionary file './
> dictionary'
> Tue Dec 13 14:30:26 2005: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Tue Dec 13 14:30:26 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Dec 13 14:30:26 2005: NOTICE: Server started: Radiator 3.13 on
> ndrl5.berkeley.edu (LOCKED)
>
>
>
>
>
> Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
> *** Received from 128.32.231.212 port 32859 ....
> Code: Access-Request
> Identifier: 188
> Authentic:
> We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
> Attributes:
> NAS-IP-Address = 128.32.231.212
> User-Name = "fred"
> User-Password =
> q<216><187><139><197><222><233>H<247>4<148>t~<254><171><195>
>
> Tue Dec 13 14:31:17 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Dec 13 14:31:17 2005: DEBUG: Deleting session for fred,
> 128.32.231.212,
> Tue Dec 13 14:31:17 2005: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 13 14:31:17 2005: DEBUG: Reading users file ./users
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with fred
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
> item Service-Type expression 'Framed-User' does not match '' in
> request
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
> item Service-Type expression 'Administrative-User' does not match
> '' in request
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT1
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
> item Service-Type expression 'Login-User' does not match '' in request
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT2
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
> item Service-Type expression 'Outbound-User' does not match '' in
> request
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT3
> Tue Dec 13 14:31:17 2005: WARNING: Could not find Identifier for
> Auth-Type 'System'
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Could not
> find Identifier for Auth-Type 'System'
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT4
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Username
> not suffixed with .ppp
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT5
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Username
> not prefixed with P
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT6
> Tue Dec 13 14:31:17 2005: WARNING: This AuthBy does not know how to
> check Group membership
> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: User fred
> is not in Group group1
> Tue Dec 13 14:31:17 2005: DEBUG: AuthBy FILE result: REJECT, User
> fred is not in Group group1
> Tue Dec 13 14:31:17 2005: INFO: Access rejected for fred: User fred
> is not in Group group1
> Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
> *** Sending to 128.32.231.212 port 32859 ....
> Code: Access-Reject
> Identifier: 188
> Authentic:
> We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
> Attributes:
> Reply-Message = "Request Denied"
>
>
>
> <simple.cfg>
>
>
> I appreciate your assistance.
>
> Regards,
> Joon Yun
> UC Berkeley
>
> P.S. I installed the BSD ports version of the p5-Authen-Krb5 perl
> module (version 1.5) as per section 6.57 in the Radiator 3.13
> reference manual and restarted the server. There is no trace file
> as radiator does not launch and the only difference in config from
> the simple.cfg config file I am using is the "KrbRealm"
> parameter. Radiator seems to even sorta find the library as here is
> the error I get again:
>
> [perimeter:local/etc/radiator] joon% perl radiusd -config_file
> krb5.cfg
> /libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.7/mach/
> auto/Authen/Krb5/Krb5.so: Undefined symbol "krb5_init_ets"
>
>
> On Dec 13, 2005, at 2:59 PM, Hugh Irvine wrote:
>
>>
>> Hello Joon -
>>
>> I will need to see a copy of your configuration file together with
>> a trace 4 debug showing what is happening.
>>
>> Note that you must restart radiusd to have a changed configuration
>> file reread.
>>
>> As for using KRB5, you will need to install the Authen-Krb5 module
>> from CPAN, together with any prerequisites.
>>
>> See section 6.57 in the Radiator 3.13 reference manual ("doc/
>> ref.html").
>>
>> regards
>>
>> Hugh
>>
>>
>> On 14 Dec 2005, at 09:44, Joon Yun wrote:
>>
>>> Hi Hugh,
>>>
>>> That was my first thought and I redid the client entry a number
>>> of times:
>>>
>>> #
>>> <Client 128.32.231.212>
>>> Secret new-secret
>>> DupInterval 0
>>> </Client>
>>> #
>>>
>>> And same results. The radpwtst works fine for fred/fred but I
>>> fail authentication when I attempt it thru the NAS. Notice there
>>> is an actual "Request Denied" message in the log. Is there a way
>>> to get more verbose failure output from Radiator?
>>>
>>> Also, I attempted to try a Kerberos config file to see if that
>>> would make a difference but I get an error message when I try to
>>> launch radiusd:
>>>
>>> [ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file
>>> krb5.cfg
>>> /libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.7/mach/
>>> auto/Authen/Krb5/Krb5.so: Undefined symbol "krb5_init_ets"
>>>
>>> I installed the Kerberos Perl5 module but am no expert. Am I
>>> supposed to do any other configuration besides add client entries
>>> for NASes and change the KrbRealm to BERKELEY.EDU in the config
>>> file?
>>>
>>> I appreciate any assistance.
>>>
>>> Regards,
>>> Joon Yun
>>> UC Berkeley
>>>
>>>
>>> On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Joon -
>>>>
>>>> I am guessing that your configuration file does not have the
>>>> correct shared secret for your NAS device.
>>>>
>>>> Note that the NAS device should be in your configuration file
>>>> (not your users file):
>>>>
>>>> <Client your.nas.device>
>>>> Secret sharedsecret
>>>> </Client>
>>>>
>>>> where "your.nas.device" is either the DNS name or the IP address
>>>> and "sharedsecret" is the shared secret used by the NAS device.
>>>>
>>>> See section 6.5 in the Radiator 3.13 reference manual ("doc/
>>>> ref.html").
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 10 Dec 2005, at 10:04, Joon Yun wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> After much trouble with 2 versions of Perl on my FreeBSD box I
>>>>> am finally up and running with the demo installation of
>>>>> Radiator. Ultimately I want to test the AuthBy KRB5 for eap/
>>>>> ttls usage but I can't even seem to get the AuthBy File to
>>>>> work. I'm just using the simple.cfg file and the perl radtest
>>>>> tool says everything is okay:
>>>>>
>>>>> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred -
>>>>> password fred
>>>>> sending Access-Request...
>>>>> OK
>>>>> sending Accounting-Request Start...
>>>>> OK
>>>>> sending Accounting-Request Stop...
>>>>> OK
>>>>>
>>>>> But when I add one of my NAS devices to the users file as a client
>>>>> and then test with the fred account I get a failure. I've
>>>>> appended the debug output from the manually launched radiator
>>>>> radiusd. Any help would be much appreciated.
>>>>>
>>>>> Regards,
>>>>> Joon Yun
>>>>> UC Berkeley
>>>>>
>>>>> ---------------------------------------------------------------------------------------
>>>>>
>>>>> [perimeter:local/etc/radiator] joon% sudo perl radiusd -
>>>>> config_file goodies/simple.cfg
>>>>> RADIUS Password:
>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Finished reading configuration
>>>>> file 'goodies/simple.cfg'
>>>>> This Radiator license will expire on 2006-01-30
>>>>> This Radiator license will stop operating after 1000 requests
>>>>> To purchase an unlimited full source version of Radiator, see
>>>>> http://www.open.com.au/ordering.html
>>>>> To extend your license period, contact admin at open.com.au
>>>>>
>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Reading dictionary file './
>>>>> dictionary'
>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Creating authentication port
>>>>> 0.0.0.0:1645
>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Creating accounting port
>>>>> 0.0.0.0:1646
>>>>> Fri Dec 9 14:47:48 2005: NOTICE: Server started: Radiator 3.13
>>>>> on perimeter.berkeley.edu (LOCKED)
>>>>>
>>>>>
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>>>>> *** Received from 128.32.231.212 port 32858 ....
>>>>> Code: Access-Request
>>>>> Identifier: 249
>>>>> Authentic: B<179><163><247><2><174><152><130>,<243>?
>>>>> i<168><226>X<253>
>>>>> Attributes:
>>>>> NAS-Identifier = "128.32.231.212"
>>>>> User-Name = "fred"
>>>>> User-Password =
>>>>> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>
>>>>>
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Handling request with Handler
>>>>> 'Realm=DEFAULT'
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Deleting session for fred,
>>>>> 128.32.231.212,
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Reading users file ./users
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with fred
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad
>>>>> Password
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>>>> item Service-Type expression 'Administrative-User' does not
>>>>> match '' in request
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT1
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>>>> item Service-Type expression 'Login-User' does not match '' in
>>>>> request
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT2
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>>>> item Service-Type expression 'Outbound-User' does not match ''
>>>>> in request
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT3
>>>>> Fri Dec 9 14:48:00 2005: WARNING: Could not find Identifier
>>>>> for Auth-Type 'System'
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could
>>>>> not find Identifier for Auth-Type 'System'
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT4
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>> Username not suffixed with .ppp
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT5
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>> Username not prefixed with P
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>> match with DEFAULT6
>>>>> Fri Dec 9 14:48:00 2005: WARNING: This AuthBy does not know
>>>>> how to check Group membership
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User
>>>>> fred is not in Group group1
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT,
>>>>> User fred is not in Group group1
>>>>> Fri Dec 9 14:48:00 2005: INFO: Access rejected for fred: User
>>>>> fred is not in Group group1
>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>>>>> *** Sending to 128.32.231.212 port 32858 ....
>>>>> Code: Access-Reject
>>>>> Identifier: 249
>>>>> Authentic: B<179><163><247><2><174><152><130>,<243>?
>>>>> i<168><226>X<253>
>>>>> Attributes:
>>>>> Reply-Message = "Request Denied"
>>>>>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
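The reject in the Dec 13 trace comes from a check item (Service-Type = Framed-User) naming an attribute the NAS never sent, so the comparison is against '' and fails, after which AuthBy FILE walks DEFAULT, DEFAULT1, ... until NoDefault or the end of the file. The following is an added example, not Radiator's code: a small Python model of that users-file evaluation, with a constructed users file (BROKEN, carrying the Service-Type check item; FIXED, the entry the reply recommends) and a constructed Access-Request (NAS_REQUEST) shaped like the one in the trace.

```python
import re

# Constructed users-file text in Radiator's format: a name line carrying the
# check items, then indented reply items. FIXED drops the Service-Type check.
BROKEN = '''fred\tUser-Password = "fred", Service-Type = Framed-User
\tFramed-Protocol = PPP,
\tFramed-MTU = 1500
DEFAULT\tUser-Password = "secret", Service-Type = Administrative-User
\tService-Type = Administrative-User
'''
FIXED = BROKEN.replace(', Service-Type = Framed-User', '')

# Constructed Access-Request as the NAS sent it: no Service-Type attribute.
NAS_REQUEST = {"NAS-IP-Address": "128.32.231.212",
               "User-Name": "fred", "User-Password": "fred"}

ITEM = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return [{name, check, reply}, ...] in file order; values lose quotes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        items = [(a, v.strip('"')) for a, v in ITEM.findall(line)]
        if line[0] in " \t":            # indented continuation: reply items
            entries[-1]["reply"] += items
        else:                           # name line: check items follow the name
            entries.append({"name": line.split()[0], "check": items, "reply": []})
    return entries

def auth_by_file(text, request, nodefault=False):
    """Decide like AuthBy FILE: the user's own entry, then DEFAULT, DEFAULT1, ...
    (skipped under NoDefault). A check item on an absent attribute sees ''."""
    user = request.get("User-Name", "")
    reason = "No such user"
    for e in parse_users(text):
        if e["name"] != user and (nodefault or not e["name"].startswith("DEFAULT")):
            continue
        for attr, want in e["check"]:
            got = request.get(attr, "")
            if got != want:
                reason = ("Bad Password" if attr == "User-Password" else
                          f"Check item {attr} expression '{want}' "
                          f"does not match '{got}' in request")
                break
        else:                           # every check item matched
            return True, "ACCEPT", e["reply"]
    return False, reason, []
```

With NoDefault the BROKEN entry rejects with exactly the message seen in the trace, while FIXED accepts and returns the reply items.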
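The earlier Dec 9 trace rejected with "Bad Password" even though radpwtst accepted fred/fred, which is what a shared-secret mismatch between the Client clause and the NAS looks like: the server unhides User-Password with its own secret and gets garbage. This added example (not Radiator's or the NAS's code) implements the RFC 2865 User-Password hiding both ways to show that effect; AUTHENTICATOR, NAS_SECRET and SERVER_SECRET are constructed values.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the XOR chain using the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def check_password(hidden, authenticator, server_secret, expected) -> str:
    """The verdict AuthBy FILE gives on the unhidden User-Password."""
    ok = reveal_password(hidden, server_secret, authenticator) == expected
    return "OK" if ok else "Bad Password"

# Constructed values: a fixed authenticator so the run is reproducible (a real
# NAS picks 16 fresh random bytes per request), and two differing secrets.
AUTHENTICATOR = bytes(range(16))
NAS_SECRET, SERVER_SECRET = b"new-secret", b"a-different-secret"

def demo():
    """Same packet checked with the wrong and then the right secret."""
    hidden = hide_password(b"fred", NAS_SECRET, AUTHENTICATOR)
    return (check_password(hidden, AUTHENTICATOR, SERVER_SECRET, b"fred"),
            check_password(hidden, AUTHENTICATOR, NAS_SECRET, b"fred"))
```

The first verdict is the "Bad Password" of the Dec 9 trace; once the Client clause carries the NAS's secret, the same packet yields "OK" and only the check items decide.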