(RADIATOR) initial run using simple.cfg with NAS client added fails
Hugh Irvine
hugh at open.com.au
Wed Dec 14 16:33:39 CST 2005
Hello Joon -
I'm pleased we are making progress (even if it is not telepathic...).
We aren't sure what the problem is with Krb5, but perhaps you could
try installing the source tarball from CPAN?
I did a Google search on the error you are getting but didn't find
anything particularily useful.
regards
Hugh
On 15 Dec 2005, at 05:05, Joon Yun wrote:
> Hi Hugh,
>
> Thank you for your timely and accurate assistance. I feel dumb but
> yes that was the problem.
>
> I look forward to hearing from Mike or you regarding my Kerberos
> problem. I haven't even begun my real objective of testing 801.X
> eap/ttls backended by Kerberos yet but I am still impressed with
> the rich feature-set of radiator. I guess you haven't worked out
> the telepathic UI for the configuration yet though. The one where
> it does what I thought I wanted and not what I told it to do.
>
> Regards,
> Joon Yun
> CNS-NS
>
>
> On Dec 13, 2005, at 11:23 PM, Hugh Irvine wrote:
>
>>
>> Hello Joon -
>>
>> Many thanks for the files.
>>
>> The problem now is that you are trying to authenticate "fred", and
>> the users file entry for "fred" has a check item of "Service-Type
>> = Framed-User". As there is no "Service-Type = Framed-User" in the
>> radius request from the NAS, the request is rejected.
>>
>> You should define "fred" as follows:
>>
>>
>> # users file entry for "fred"
>>
>> fred User-Password = "fred"
>> Framed-Protocol = PPP,
>> Framed-IP-Netmask = 255.255.255.255,
>> Framed-Routing = None,
>> Framed-MTU = 1500,
>> Framed-Compression = Van-Jacobson-TCP-IP,
>> Exec-Program = "/bin/echo here I am %u"
>>
>>
>> Also if you don't want the DEFAULT lookups, you should add
>> "NoDefault" to your AuthBy FILE clause.
>>
>> I have passed on your questions about Krb5 to Mike.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 14 Dec 2005, at 11:04, Joon Yun wrote:
>>
>>> Hi Hugh,
>>>
>>> I have attached the configuration file I am using. Here is the
>>> trace 4 file again when it fails from my NAS (128.32.231.212).
>>>
>>> [perimeter:local/etc/radiator] joon% perl radiusd -config_file
>>> simple.cfg
>>> Tue Dec 13 14:30:26 2005: DEBUG: Finished reading configuration
>>> file 'simple.cfg'
>>> This Radiator license will expire on 2006-01-30
>>> This Radiator license will stop operating after 1000 requests
>>> To purchase an unlimited full source version of Radiator, see
>>> http://www.open.com.au/ordering.html
>>> To extend your license period, contact admin at open.com.au
>>>
>>> Tue Dec 13 14:30:26 2005: DEBUG: Reading dictionary file './
>>> dictionary'
>>> Tue Dec 13 14:30:26 2005: DEBUG: Creating authentication port
>>> 0.0.0.0:1645
>>> Tue Dec 13 14:30:26 2005: DEBUG: Creating accounting port
>>> 0.0.0.0:1646
>>> Tue Dec 13 14:30:26 2005: NOTICE: Server started: Radiator 3.13
>>> on ndrl5.berkeley.edu (LOCKED)
>>>
>>>
>>>
>>>
>>>
>>> Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
>>> *** Received from 128.32.231.212 port 32859 ....
>>> Code: Access-Request
>>> Identifier: 188
>>> Authentic:
>>> We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
>>> Attributes:
>>> NAS-IP-Address = 128.32.231.212
>>> User-Name = "fred"
>>> User-Password =
>>> q<216><187><139><197><222><233>H<247>4<148>t~<254><171><195>
>>>
>>> Tue Dec 13 14:31:17 2005: DEBUG: Handling request with Handler
>>> 'Realm=DEFAULT'
>>> Tue Dec 13 14:31:17 2005: DEBUG: Deleting session for fred,
>>> 128.32.231.212,
>>> Tue Dec 13 14:31:17 2005: DEBUG: Handling with Radius::AuthFILE:
>>> Tue Dec 13 14:31:17 2005: DEBUG: Reading users file ./users
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with fred
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>> item Service-Type expression 'Framed-User' does not match '' in
>>> request
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>> item Service-Type expression 'Administrative-User' does not match
>>> '' in request
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT1
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>> item Service-Type expression 'Login-User' does not match '' in
>>> request
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT2
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Check
>>> item Service-Type expression 'Outbound-User' does not match '' in
>>> request
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT3
>>> Tue Dec 13 14:31:17 2005: WARNING: Could not find Identifier for
>>> Auth-Type 'System'
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: Could
>>> not find Identifier for Auth-Type 'System'
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT4
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT:
>>> Username not suffixed with .ppp
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT5
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT:
>>> Username not prefixed with P
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE looks for match
>>> with DEFAULT6
>>> Tue Dec 13 14:31:17 2005: WARNING: This AuthBy does not know how
>>> to check Group membership
>>> Tue Dec 13 14:31:17 2005: DEBUG: Radius::AuthFILE REJECT: User
>>> fred is not in Group group1
>>> Tue Dec 13 14:31:17 2005: DEBUG: AuthBy FILE result: REJECT, User
>>> fred is not in Group group1
>>> Tue Dec 13 14:31:17 2005: INFO: Access rejected for fred: User
>>> fred is not in Group group1
>>> Tue Dec 13 14:31:17 2005: DEBUG: Packet dump:
>>> *** Sending to 128.32.231.212 port 32859 ....
>>> Code: Access-Reject
>>> Identifier: 188
>>> Authentic:
>>> We<253><245><161><224><249><224>0<201>C<168><137><242><159><151>
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>>
>>>
>>> <simple.cfg>
>>>
>>>
>>> I appreciate your assistance.
>>>
>>> Regards,
>>> Joon Yun
>>> UC Berkeley
>>>
>>> P.S. I installed the BSD ports version of the p5-Authen-Krb5 perl
>>> module (version 1.5) as per section 6.57 in the Radiator 3.13
>>> reference manual and restarted the server. There is no trace file
>>> as radiator does not launch and the only difference in config
>>> from them simple.cfg config file I am using is the "KrbRealm"
>>> parameter. Radiator seems to even sorta find the library as here
>>> is the error I get again:
>>>
>>> [perimeter:local/etc/radiator] joon% perl radiusd -config_file
>>> krb5.cfg
>>> /libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.7/mach/
>>> auto/Authen/Krb5/Krb5.so: Undefined symbol "krb5_init_ets"
>>>
>>>
>>> On Dec 13, 2005, at 2:59 PM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Joon -
>>>>
>>>> I will need to see a copy of your configuration file together
>>>> with a trace 4 debug showing what is happening.
>>>>
>>>> Note that you must restart radiusd to have a changed
>>>> configuration file reread.
>>>>
>>>> As for using KRB5, you will need to install the Authen-Krb5
>>>> module from CPAN, together with any prerequisites.
>>>>
>>>> See section 6.57 in the Radiator 3.13 reference manual ("doc/
>>>> ref.html").
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 14 Dec 2005, at 09:44, Joon Yun wrote:
>>>>
>>>>> Hi Hugh,
>>>>>
>>>>> That was my first thought and I redid the client entry a number
>>>>> of times:
>>>>>
>>>>> #
>>>>> <Client 128.32.231.212>
>>>>> Secret new-secret
>>>>> DupInterval 0
>>>>> </Client>
>>>>> #
>>>>>
>>>>> And same results. The radpwtst works fine for fred/fred but I
>>>>> fail authentication when I attempt it thru the NAS. Notice
>>>>> there is an actual "Request Denied" message in the log. Is
>>>>> there a way to get more verbose failure output from Radiator?
>>>>>
>>>>> Also, I attempted to try a Kerberos config file to see if that
>>>>> would make a difference but I get an error message when I try
>>>>> to launch radiusd:
>>>>>
>>>>> [ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file
>>>>> krb5.cfg
>>>>> /libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.7/mach/
>>>>> auto/Authen/Krb5/Krb5.so: Undefined symbol "krb5_init_ets"
>>>>>
>>>>> I installed the Kerberos Perl5 module but am no expert. Am I
>>>>> supposed to do any other configuration besides add client
>>>>> entries for NASes and change the KrbRealm to BERKELEY.EDU in
>>>>> the config file?
>>>>>
>>>>> I appreciate any assistance.
>>>>>
>>>>> Regards,
>>>>> Joon Yun
>>>>> UC Berkeley
>>>>>
>>>>>
>>>>> On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Joon -
>>>>>>
>>>>>> I am guessing that your configuration file does not have the
>>>>>> correct shared secret for your NAS device.
>>>>>>
>>>>>> Note that the NAS device should be in your configuration file
>>>>>> (not your users file):
>>>>>>
>>>>>> <Client your.nas.device>
>>>>>> Secret sharedsecret
>>>>>> </Client>
>>>>>>
>>>>>> where "your.nas.device" is either the DNS name or the IP
>>>>>> address and "sharedsecret" is the shared secret used by the
>>>>>> NAS device.
>>>>>>
>>>>>> See section 6.5 in the Radiator 3.13 reference manual ("doc/
>>>>>> ref.html").
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 10 Dec 2005, at 10:04, Joon Yun wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> After much trouble with 2 versions of Perl on my FreeBSD box
>>>>>>> I am finally up and running with the demo installation of
>>>>>>> Radiator. Ultimately I want to test the AuthBy KRB5 for eap/
>>>>>>> ttls usage but I can't even seem to get the AuthBy File to
>>>>>>> work. I'm just using the simple.cfg file and the perl radtest
>>>>>>> tool says everything is oky:
>>>>>>>
>>>>>>> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred
>>>>>>> -password fred
>>>>>>> sending Access-Request...
>>>>>>> OK
>>>>>>> sending Accounting-Request Start...
>>>>>>> OK
>>>>>>> sending Accounting-Request Stop...
>>>>>>> OK
>>>>>>>
>>>>>>> But when I add one of my NAS devices the users file as a
>>>>>>> client and then test with the fred account I get a failure.
>>>>>>> I've appended the debug output from the manually launched
>>>>>>> radiator radiusd. Any help would be much appreciated.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Joon Yun
>>>>>>> UC Berkeley
>>>>>>>
>>>>>>> ----------------------------------------------------------------
>>>>>>> -----------------------
>>>>>>>
>>>>>>> [perimeter:local/etc/radiator] joon% sudo perl radiusd -
>>>>>>> config_file goodies/simple.cfg
>>>>>>> RADIUS Password:
>>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Finished reading
>>>>>>> configuration file 'goodies/simple.cfg'
>>>>>>> This Radiator license will expire on 2006-01-30
>>>>>>> This Radiator license will stop operating after 1000 requests
>>>>>>> To purchase an unlimited full source version of Radiator, see
>>>>>>> http://www.open.com.au/ordering.html
>>>>>>> To extend your license period, contact admin at open.com.au
>>>>>>>
>>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Reading dictionary file './
>>>>>>> dictionary'
>>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Creating authentication port
>>>>>>> 0.0.0.0:1645
>>>>>>> Fri Dec 9 14:47:48 2005: DEBUG: Creating accounting port
>>>>>>> 0.0.0.0:1646
>>>>>>> Fri Dec 9 14:47:48 2005: NOTICE: Server started: Radiator
>>>>>>> 3.13 on perimeter.berkeley.edu (LOCKED)
>>>>>>>
>>>>>>>
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>>>>>>> *** Received from 128.32.231.212 port 32858 ....
>>>>>>> Code: Access-Request
>>>>>>> Identifier: 249
>>>>>>> Authentic: B<179><163><247><2><174><152><130>,<243>?
>>>>>>> i<168><226>X<253>
>>>>>>> Attributes:
>>>>>>> NAS-Identifier = "128.32.231.212"
>>>>>>> User-Name = "fred"
>>>>>>> User-Password =
>>>>>>> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><
>>>>>>> 199>
>>>>>>>
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Handling request with
>>>>>>> Handler 'Realm=DEFAULT'
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Deleting session for fred,
>>>>>>> 128.32.231.212,
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Reading users file ./users
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with fred
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad
>>>>>>> Password
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> Check item Service-Type expression 'Administrative-User' does
>>>>>>> not match '' in request
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT1
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> Check item Service-Type expression 'Login-User' does not
>>>>>>> match '' in request
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT2
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> Check item Service-Type expression 'Outbound-User' does not
>>>>>>> match '' in request
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT3
>>>>>>> Fri Dec 9 14:48:00 2005: WARNING: Could not find Identifier
>>>>>>> for Auth-Type 'System'
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> Could not find Identifier for Auth-Type 'System'
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT4
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> Username not suffixed with .ppp
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT5
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> Username not prefixed with P
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for
>>>>>>> match with DEFAULT6
>>>>>>> Fri Dec 9 14:48:00 2005: WARNING: This AuthBy does not know
>>>>>>> how to check Group membership
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT:
>>>>>>> User fred is not in Group group1
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT,
>>>>>>> User fred is not in Group group1
>>>>>>> Fri Dec 9 14:48:00 2005: INFO: Access rejected for fred:
>>>>>>> User fred is not in Group group1
>>>>>>> Fri Dec 9 14:48:00 2005: DEBUG: Packet dump:
>>>>>>> *** Sending to 128.32.231.212 port 32858 ....
>>>>>>> Code: Access-Reject
>>>>>>> Identifier: 249
>>>>>>> Authentic: B<179><163><247><2><174><152><130>,<243>?
>>>>>>> i<168><226>X<253>
>>>>>>> Attributes:
>>>>>>> Reply-Message = "Request Denied"
>>>>>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/
>> archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list