(RADIATOR) initial run using simple.cfg with NAS client added fails

Mike McCauley mikem at open.com.au
Tue Dec 20 18:39:35 CST 2005


Hello,

Thank you for reporting the problem with krb5_init_ets.

It turns out that krb5-1.4.* does not support krb5_init_ets and it is not 
required to be called any more.

We have made a patch to the Radiator source code and tested it on FreeBSD 6.0 
after installing the ports krb5-1.4.3 and p5-Authen-Krb5-1.5 from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/All/p5-Authen-Krb5-1.5.tbz
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/All/krb5-1.4.3.tbz

The Radiator patch is now available for download from our web site.

We apologise for any inconvenience.

Cheers.


On Wednesday 14 December 2005 08:44, Joon Yun wrote:
> Hi Hugh,
>
> That was my first thought and I redid the client entry a number of
> times:
>
> #
> <Client 128.32.231.212>
>          Secret  new-secret
>          DupInterval 0
> </Client>
> #
>
> And same results. The radpwtst works fine for fred/fred but I fail
> authentication when I attempt it through the NAS. Notice there is an
> actual "Request Denied" message in the log. Is there a way to get more
> verbose failure output from Radiator?
>
> Also, I attempted to try a Kerberos config file to see if that would
> make a difference but I get an error message when I try to launch
> radiusd:
>
> [ndrl5] ~/Radiator-Locked-3.13> sudo perl radiusd -config_file krb5.cfg
> /libexec/ld-elf.so.1:
> /usr/local/lib/perl5/site_perl/5.8.7/mach/auto/Authen/Krb5/Krb5.so:
> Undefined symbol "krb5_init_ets"
>
> I installed the Kerberos Perl5 module but am no expert. Am I supposed
> to do any other configuration besides add client entries for NASes and
> change the KrbRealm to BERKELEY.EDU in the config file?
>
> I appreciate any assistance.
>
> Regards,
> Joon Yun
> UC Berkeley
>
> On Dec 9, 2005, at 5:04 PM, Hugh Irvine wrote:
> > Hello Joon -
> >
> > I am guessing that your configuration file does not have the correct
> > shared secret for your NAS device.
> >
> > Note that the NAS device should be in your configuration file (not
> > your users file):
> >
> > <Client your.nas.device>
> > 	Secret sharedsecret
> > </Client>
> >
> > where "your.nas.device" is either the DNS name or the IP address and
> > "sharedsecret" is the shared secret used by the NAS device.
> >
> > See section 6.5 in the Radiator 3.13 reference manual ("doc/ref.html").
> >
> > regards
> >
> > Hugh
> >
> > On 10 Dec 2005, at 10:04, Joon Yun wrote:
> >> Hello,
> >>
> >> After much trouble with 2 versions of Perl on my FreeBSD box I am
> >> finally up and running with the demo installation of Radiator.
> >> Ultimately I want to test the AuthBy KRB5 for eap/ttls usage but I
> >> can't even seem to get the AuthBy File to work. I'm just using the
> >> simple.cfg file and the perl radtest tool says everything is okay:
> >>
> >> [perimeter:local/etc/radiator] joon% perl radpwtst -user fred
> >> -password fred
> >> sending Access-Request...
> >> OK
> >> sending Accounting-Request Start...
> >> OK
> >> sending Accounting-Request Stop...
> >> OK
> >>
> >> But when I add one of my NAS devices to the users file as a client and
> >> then test with the fred account I get a failure. I've appended the
> >> debug output from the manually launched radiator radiusd. Any help
> >> would be much appreciated.
> >>
> >> Regards,
> >> Joon Yun
> >> UC Berkeley
> >>
> >> -----------------------------------------------------------------------------------------
> >>
> >> [perimeter:local/etc/radiator] joon% sudo perl radiusd -config_file
> >> goodies/simple.cfg
> >> RADIUS Password:
> >> Fri Dec  9 14:47:48 2005: DEBUG: Finished reading configuration file
> >> 'goodies/simple.cfg'
> >> This Radiator license will expire on 2006-01-30
> >> This Radiator license will stop operating after 1000 requests
> >> To purchase an unlimited full source version of Radiator, see
> >> http://www.open.com.au/ordering.html
> >> To extend your license period, contact admin at open.com.au
> >>
> >> Fri Dec  9 14:47:48 2005: DEBUG: Reading dictionary file
> >> './dictionary'
> >> Fri Dec  9 14:47:48 2005: DEBUG: Creating authentication port
> >> 0.0.0.0:1645
> >> Fri Dec  9 14:47:48 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> >> Fri Dec  9 14:47:48 2005: NOTICE: Server started: Radiator 3.13 on
> >> perimeter.berkeley.edu (LOCKED)
> >>
> >>
> >> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
> >> *** Received from 128.32.231.212 port 32858 ....
> >> Code:       Access-Request
> >> Identifier: 249
> >> Authentic:  B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
> >> Attributes:
> >>         NAS-Identifier = "128.32.231.212"
> >>         User-Name = "fred"
> >>         User-Password =
> >> <239><150><187><255><218><190><139><218><177>.<216>xG<167><187><199>
> >>
> >> Fri Dec  9 14:48:00 2005: DEBUG: Handling request with Handler
> >> 'Realm=DEFAULT'
> >> Fri Dec  9 14:48:00 2005: DEBUG:  Deleting session for fred,
> >> 128.32.231.212,
> >> Fri Dec  9 14:48:00 2005: DEBUG: Handling with Radius::AuthFILE:
> >> Fri Dec  9 14:48:00 2005: DEBUG: Reading users file ./users
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with fred
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Bad Password
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item
> >> Service-Type expression 'Administrative-User' does not match '' in
> >> request
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT1
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item
> >> Service-Type expression 'Login-User' does not match '' in request
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT2
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Check item
> >> Service-Type expression 'Outbound-User' does not match '' in request
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT3
> >> Fri Dec  9 14:48:00 2005: WARNING: Could not find Identifier for
> >> Auth-Type 'System'
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Could not
> >> find Identifier for Auth-Type 'System'
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT4
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username
> >> not suffixed with .ppp
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT5
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: Username
> >> not prefixed with P
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE looks for match
> >> with DEFAULT6
> >> Fri Dec  9 14:48:00 2005: WARNING: This AuthBy does not know how to
> >> check Group membership
> >> Fri Dec  9 14:48:00 2005: DEBUG: Radius::AuthFILE REJECT: User fred
> >> is not in Group group1
> >> Fri Dec  9 14:48:00 2005: DEBUG: AuthBy FILE result: REJECT, User
> >> fred is not in Group group1
> >> Fri Dec  9 14:48:00 2005: INFO: Access rejected for fred: User fred
> >> is not in Group group1
> >> Fri Dec  9 14:48:00 2005: DEBUG: Packet dump:
> >> *** Sending to 128.32.231.212 port 32858 ....
> >> Code:       Access-Reject
> >> Identifier: 249
> >> Authentic:  B<179><163><247><2><174><152><130>,<243>?i<168><226>X<253>
> >> Attributes:
> >>         Reply-Message = "Request Denied"
> >>
> >> --
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

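The "Radius::AuthFILE REJECT: Bad Password" line in the trace above is what a shared-secret mismatch looks like from the server side: the NAS hides User-Password with its secret and Radiator unhides it with the Secret from its <Client> clause, so a mismatch produces garbage bytes rather than an explicit "wrong secret" error. The following is an added example, not code from the thread or from Radiator, implementing the RFC 2865 User-Password hiding in Python; the secret, password and Request Authenticator values are constructed.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes (minimum 16), then
    each block is XORed with MD5(secret + previous_block); the "previous
    block" for the first block is the 16-byte Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block          # chaining uses the hidden block, not the plaintext
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: regenerate the same keystream and XOR.

    Trailing NUL padding is stripped, which is why RADIUS cannot carry a
    password ending in NUL bytes. With the wrong secret the MD5 keystream
    differs in every block, so the result is arbitrary bytes: the server
    compares them against the users file and logs 'Bad Password'.
    """
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def password_matches(hidden: bytes, secret: bytes, authenticator: bytes,
                     expected: bytes) -> bool:
    """What an AuthBy FILE check amounts to once the attribute is unhidden."""
    return unhide_password(hidden, secret, authenticator) == expected


if __name__ == "__main__":
    auth = bytes(range(16))                      # constructed authenticator
    pkt = hide_password(b"fred", b"new-secret", auth)   # what the NAS sends
    print("server secret matches:", password_matches(pkt, b"new-secret", auth, b"fred"))
    print("server secret differs:", password_matches(pkt, b"wrong-secret", auth, b"fred"))
```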

