(RADIATOR) initial run using simple.cfg with NAS client added fails
Joon Yun
joon at berkeley.edu
Wed Dec 14 12:05:58 CST 2005
Hi Hugh,
Thank you for your timely and accurate assistance. I feel dumb but yes
that was the problem.
I look forward to hearing from Mike or you regarding my Kerberos
problem. I haven't even begun my real objective of testing 802.1X
eap/ttls backended by Kerberos yet but I am still impressed with the
rich feature-set of radiator. I guess you haven't worked out the
telepathic UI for the configuration yet though. The one where it does
what I thought I wanted and not what I told it to do.
Regards,
Joon Yun
CNS-NS
On Dec 13, 2005, at 11:23 PM, Hugh Irvine wrote:
>
> Hello Joon -
>
> Many thanks for the files.
>
> The problem now is that you are trying to authenticate "fred", and the
> users file entry for "fred" has a check item of "Service-Type =
> Framed-User". As there is no "Service-Type = Framed-User" in the
> radius request from the NAS, the request is rejected.
>
> You should define "fred" as follows:
>
>
> # users file entry for "fred"
>
> fred User-Password = "fred"
> Framed-Protocol = PPP,
> Framed-IP-Netmask = 255.255.255.255,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobson-TCP-IP,
> Exec-Program = "/bin/echo here I am %u"
>
>
> Also if you don't want the DEFAULT lookups, you should add "NoDefault"
> to your AuthBy FILE clause.
>
> I have passed on your questions about Krb5 to Mike.
>
> regards
>
> Hugh
>
>
> On 14 Dec 2005, at 11:04, Joon Yun wrote:
>
>> Hi Hugh,
>>
>> I have attached the configuration file I am using. Here is the trace
>> 4 file again when it fails from my NAS (128.32.231.212).
>>
>> [perimeter:local/etc/radiator] joon% perl radiusd -config_file
>> simple.cfg
>> Tue Dec 13 14:30:26 2005: DEBUG: Finished reading configuration file
>> 'simple.cfg'
>> This Radiator license will expire on 2006-01-30
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see
>> http://www.open.com.au/ordering.html
>> To extend your license period, contact admin at open.com.au
>>
>> Tue Dec 13 14:30:26 2005: DEBUG: Reading dictionary file
>> './dictionary'
>> Tue Dec 13 14:30:26 2005: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Tue Dec 13 14:30:26 2005: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Dec 13 14:30:26 2005: NOTICE: Server started: Radiator 3.13 on
>> ndrl5.berkeley.edu (LOCKED)
>>
>>
>>
>>
>>
>> Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
>> *** Received from 128.32.231.212 port 32859 ....
>> Code: Access-Request
>> Identifier: 188
>> Authentic:
>> We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
>> Attributes:
>> NAS-IP-Address = 128.32.231.212
>> User-Name = "fred"
>> User-Password =
>> q<216><187><139><197><222><233>H<247>4<148>t~<254><171><195>
>>
>> Tue Dec 13 14:31:17 2005: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Tue Dec 13 14:31:17 2005: DEBUG: Deleting session for fred,
>> 128.32.231.212,
>> Tue Dec 13 14:31:17 2005: DEBUG: Handling with Radius::AuthFILE:
>> Tue Dec 13 14:31:17 2005: DEBUG: Reading users file ./users
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with fred
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Framed-User' does not match '' in request
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Administrative-User' does not match '' in
>> request
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT1
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Login-User' does not match '' in request
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT2
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check item
>> Service-Type expression 'Outbound-User' does not match '' in request
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT3
>> Tue Dec 13 14:31:17 2005: WARNING: Could not find Identifier for
>> Auth-Type 'System'
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Could not
>> find Identifier for Auth-Type 'System'
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT4
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Username
>> not suffixed with .ppp
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT5
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Username
>> not prefixed with P
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>> with DEFAULT6
>> Tue Dec 13 14:31:17 2005: WARNING: This AuthBy does not know how to
>> check Group membership
>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: User fred
>> is not in Group group1
>> Tue Dec 13 14:31:17 2005: DEBUG: AuthBy FILE result: REJECT, User
>> fred is not in Group group1
>> Tue Dec 13 14:31:17 2005: INFO: Access rejected for fred: User fred
>> is not in Group group1
>> Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
>> *** Sending to 128.32.231.212 port 32859 ....
>> Code: Access-Reject
>> Identifier: 188
>> Authentic:
>> We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>>
>> <simple.cfg>
>>
>>
>> I appreciate your assistance.
>>
>> Regards,
>> Joon Yun
>> UC Berkeley
>>
>> P.S. I installed the BSD ports version of the p5-Authen-Krb5 perl
>> module (version 1.5) as per section 6.57 in the Radiator 3.13
>> reference manual and restarted the server. There is no trace file as
>> radiator does not launch and the only difference in config from the
>> simple.cfg config file I am using is the "KrbRealm" parameter.
>> Radiator seems to even sorta find the library as here is the error I
>> get again:
>>
>> [perimeter:local/etc/radiator] joon% perl radiusd -config_file
>> krb5.cfg
>> /libexec/ld-elf.so.1:
>> /usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:
>> Undefined symbol "krb5_init_ets"
>>
>>
>> On Dec 13, 2005, at 2:59 PM, Hugh Irvine wrote:
>>
>>>
>>> Hello Joon -
>>>
>>> I will need to see a copy of your configuration file together with a
>>> trace 4 debug showing what is happening.
>>>
>>> Note that you must restart radiusd to have a changed configuration
>>> file reread.
>>>
>>> As for using KRB5, you will need to install the Authen-Krb5 module
>>> from CPAN, together with any prerequisites.
>>>
>>> See section 6.57 in the Radiator 3.13 reference manual
>>> ("doc/ref.html").
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 14 Dec 2005, at 09:44, Joon Yun wrote:
>>>
>>>> Hi Hugh,
>>>>
>>>> That was my first thought and I redid the client entry a number of
>>>> times:
>>>>
>>>> #
>>>> <Client 128.32.231.212>
>>>> Secret new-secret
>>>> DupInterval 0
>>>> </Client>
>>>> #
>>>>
>>>> And same results. The radpwtst works fine for fred/fred but I fail
>>>> authentication when I attempt it thru the NAS. Notice there is an
>>>> actual "Request Denied" message in the log. Is there a way to get
>>>> more verbose failure output from Radiator?
>>>>
>>>> Also, I attempted to try a Kerberos config file to see if that
>>>> would make a difference but I get an error message when I try to
>>>> launch radiusd:
>>>>
>>>> [ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file
>>>> krb5.cfg
>>>> /libexec/ld-elf.so.1:
>>>> /usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:
>>>> Undefined symbol "krb5_init_ets"
>>>>
>>>> I installed the Kerberos Perl5 module but am no expert. Am I
>>>> supposed to do any other configuration besides add client entries
>>>> for NASes and change the KrbRealm to BERKELEY.EDU in the config
>>>> file?
>>>>
>>>> I appreciate any assistance.
>>>>
>>>> Regards,
>>>> Joon Yun
>>>> UC Berkeley
>>>>
>>>>
>>>> On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:
>>>>
>>>>>
>>>>> Hello Joon -
>>>>>
>>>>> I am guessing that your configuration file does not have the
>>>>> correct shared secret for your NAS device.
>>>>>
>>>>> Note that the NAS device should be in your configuration file (not
>>>>> your users file):
>>>>>
>>>>> <Client your.nas.device>
>>>>> Secret sharedsecret
>>>>> </Client>
>>>>>
>>>>> where "your.nas.device" is either the DNS name or the IP address
>>>>> and "sharedsecret" is the shared secret used by the NAS device.
>>>>>
>>>>> See section 6.5 in the Radiator 3.13 reference manual
>>>>> ("doc/ref.html").
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 10 Dec 2005, at 10:04, Joon Yun wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> After much trouble with 2 versions of Perl on my FreeBSD box I am
>>>>>> finally up and running with the demo installation of Radiator.
>>>>>> Ultimately I want to test the AuthBy KRB5 for eap/ttls usage but
>>>>>> I can't even seem to get the AuthBy File to work. I'm just using
>>>>>> the simple.cfg file and the perl radtest tool says everything is
>>>>>> okay:
>>>>>>
>>>>>> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred
>>>>>> -password fred
>>>>>> sending Access-Request...
>>>>>> OK
>>>>>> sending Accounting-Request Start...
>>>>>> OK
>>>>>> sending Accounting-Request Stop...
>>>>>> OK
>>>>>>
>>>>>> But when I add one of my NAS devices to the users file as a client
>>>>>> and then test with the fred account I get a failure. I've
>>>>>> appended the debug output from the manually launched radiator
>>>>>> radiusd. Any help would be much appreciated.
>>>>>>
>>>>>> Regards,
>>>>>> Joon Yun
>>>>>> UC Berkeley
>>>>>>
>>>>>> ------------------------------------------------------------------
>>>>>> ---------------------
>>>>>>
>>>>>> [perimeter:local/etc/radiator] joon% sudo perl radiusd
>>>>>> -config_file goodies/simple.cfg
>>>>>> RADIUS Password:
>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Finished reading configuration
>>>>>> file 'goodies/simple.cfg'
>>>>>> This Radiator license will expire on 2006-01-30
>>>>>> This Radiator license will stop operating after 1000 requests
>>>>>> To purchase an unlimited full source version of Radiator, see
>>>>>> http://www.open.com.au/ordering.html
>>>>>> To extend your license period, contact admin at open.com.au
>>>>>>
>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Reading dictionary file
>>>>>> './dictionary'
>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Creating authentication port
>>>>>> 0.0.0.0:1645
>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Creating accounting port
>>>>>> 0.0.0.0:1646
>>>>>> Fri Dec 9 14:47:48 2005: NOTICE: Server started: Radiator 3.13
>>>>>> on perimeter.berkeley.edu (LOCKED)
>>>>>>
>>>>>>
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>>>>>> *** Received from 128.32.231.212 port 32858 ....
>>>>>> Code: Access-Request
>>>>>> Identifier: 249
>>>>>> Authentic:
>>>>>> B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>>>>>> Attributes:
>>>>>> NAS-Identifier = "128.32.231.212"
>>>>>> User-Name = "fred"
>>>>>> User-Password =
>>>>>> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><19
>>>>>> 9>
>>>>>>
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Handling request with Handler
>>>>>> 'Realm=DEFAULT'
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Deleting session for fred,
>>>>>> 128.32.231.212,
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Reading users file ./users
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with fred
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad
>>>>>> Password
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>>>>> item Service-Type expression 'Administrative-User' does not match
>>>>>> '' in request
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT1
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>>>>> item Service-Type expression 'Login-User' does not match '' in
>>>>>> request
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT2
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>>>>> item Service-Type expression 'Outbound-User' does not match '' in
>>>>>> request
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT3
>>>>>> Fri Dec 9 14:48:00 2005: WARNING: Could not find Identifier for
>>>>>> Auth-Type 'System'
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could
>>>>>> not find Identifier for Auth-Type 'System'
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT4
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>> Username not suffixed with .ppp
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT5
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>> Username not prefixed with P
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
>>>>>> with DEFAULT6
>>>>>> Fri Dec 9 14:48:00 2005: WARNING: This AuthBy does not know how
>>>>>> to check Group membership
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User
>>>>>> fred is not in Group group1
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT, User
>>>>>> fred is not in Group group1
>>>>>> Fri Dec 9 14:48:00 2005: INFO: Access rejected for fred: User
>>>>>> fred is not in Group group1
>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>>>>>> *** Sending to 128.32.231.212 port 32858 ....
>>>>>> Code: Access-Reject
>>>>>> Identifier: 249
>>>>>> Authentic:
>>>>>> B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
>>>>>> Attributes:
>>>>>> Reply-Message = "Request Denied"
>>>>>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
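The thread shows two distinct reject causes that look similar from the NAS side: a wrong shared secret (the first trace's "Bad Password", because the User-Password attribute decrypts to garbage) and a check item for an attribute the NAS never sends (the second trace's "Service-Type expression 'Framed-User' does not match ''"). The following is an added example, not Radiator code or anything from Hugh's or Joon's messages: a small Python model of RFC 2865 User-Password hiding and of AuthBy FILE-style check-item evaluation with DEFAULT fall-through. The users entries, the shared secret, the authenticator and the `no_default` parameter are constructed for the demonstration; Radiator's real lookup and logging code is not reproduced here.

```python
"""Model of the AuthBy FILE behaviour seen in the thread (added example, not Radiator
code): RFC 2865 User-Password hiding with the shared secret, and check-item evaluation
in entry order with fall-through to DEFAULT entries."""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block), the first 'previous block' being the 16-byte Request Authenticator."""
    pad = (-len(password) % 16) if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret the keystream is wrong and the
    result is garbage, so the server can only report 'Bad Password', not 'bad secret'."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(user, password, secret, authenticator, extra=None):
    """Constructed Access-Request attributes as a NAS would send them."""
    attrs = {"User-Name": user,
             "User-Password": hide_password(password.encode(), secret, authenticator)}
    attrs.update(extra or {})
    return attrs


def check_entry(entry, request, secret, authenticator):
    """Evaluate one entry's check items in order; None means all passed. An attribute
    absent from the request compares as '' (the trace: does not match '' in request)."""
    for attr, expected in entry["check"]:
        if attr == "User-Password":
            got = unhide_password(request["User-Password"], secret, authenticator)
            if got != expected.encode():
                return "Bad Password"
        elif request.get(attr, "") != expected:
            return (f"Check item {attr} expression '{expected}' does not match "
                    f"'{request.get(attr, '')}' in request")
    return None


def authenticate(users, request, secret, authenticator, no_default=False):
    """Lookup order as in the trace: the exact username, then DEFAULT, DEFAULT1, ...
    unless NoDefault is set. Returns (accepted, reply_items, reject_reasons_in_order)."""
    name = request["User-Name"]
    order = [u for u in users if u["name"] == name]
    if not no_default:
        order += [u for u in users if u["name"].startswith("DEFAULT")]
    reasons = []
    for entry in order:
        reason = check_entry(entry, request, secret, authenticator)
        if reason is None:
            return True, entry["reply"], reasons
        reasons.append(reason)
    return False, {}, reasons


# Constructed users file: the original "fred" entry carries the Service-Type check item
# Hugh pointed out; the DEFAULT entries mirror the check items visible in the trace.
USERS_ORIGINAL = [
    {"name": "fred", "check": [("User-Password", "fred"), ("Service-Type", "Framed-User")],
     "reply": {"Framed-Protocol": "PPP"}},
    {"name": "DEFAULT", "check": [("Service-Type", "Administrative-User")], "reply": {}},
    {"name": "DEFAULT1", "check": [("Service-Type", "Login-User")], "reply": {}},
]
# The corrected entry: password check only, everything else as reply items.
USERS_FIXED = [
    {"name": "fred", "check": [("User-Password", "fred")],
     "reply": {"Framed-Protocol": "PPP", "Framed-MTU": "1500"}},
] + USERS_ORIGINAL[1:]

AUTHENTICATOR = bytes(range(16))  # constructed; real ones are random per request
SECRET = b"new-secret"            # the secret from the <Client> clause


def run_scenarios():
    """Three states from the thread: NAS with the wrong secret, right secret but no
    Service-Type in the request, and the corrected entry with NoDefault. Returns the
    first reject reason (or 'ACCEPT') for each."""
    nas_req = build_request("fred", "fred", b"wrong-secret", AUTHENTICATOR)
    s1 = authenticate(USERS_ORIGINAL, nas_req, SECRET, AUTHENTICATOR)
    nas_req = build_request("fred", "fred", SECRET, AUTHENTICATOR)
    s2 = authenticate(USERS_ORIGINAL, nas_req, SECRET, AUTHENTICATOR)
    s3 = authenticate(USERS_FIXED, nas_req, SECRET, AUTHENTICATOR, no_default=True)
    return ["ACCEPT" if ok else reasons[0] for ok, _, reasons in (s1, s2, s3)]


if __name__ == "__main__":
    for line in run_scenarios():
        print(line)
```

The point for a defender reading a trace 4 log: "Bad Password" on the very first entry, with a request that worked through radpwtst on the server itself, points at the per-client shared secret rather than the users file, while a "does not match ''" reject names the check item the NAS is not supplying; reading the reject reason of the first entry is more informative than the final INFO line, which reports only the last DEFAULT entry's failure.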