(RADIATOR) initial run using simple.cfg with NAS client added fails

Mike McCauley mikem at open.com.au
Wed Dec 21 19:12:08 CST 2005


Hello,

AuthBy KRB5 tested fine here after setting up Heimdal Kerberos on FreeBSD 6.0 
following the instructions at 
http://www.freebsd.org/doc/handbook/kerberos5.html

papa# perl radiusd -config goodies/krb5.cfg
Thu Dec 22 11:00:51 2005: DEBUG: Finished reading configuration file 'goodies/krb5.cfg'
Thu Dec 22 11:00:51 2005: DEBUG: Reading dictionary file './dictionary'
Thu Dec 22 11:00:52 2005: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Dec 22 11:00:52 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Dec 22 11:00:52 2005: NOTICE: Server started: Radiator 3.13 on papa.open.com.au
Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
*** Received from 203.63.154.29 port 56583 ....
Code:       Access-Request
Identifier: 88
Authentic:  1234567890123456
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = <159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>

Thu Dec 22 11:00:54 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Dec 22 11:00:54 2005: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
Thu Dec 22 11:00:54 2005: DEBUG: Handling with Radius::AuthKRB5:
Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 looks for match with mikem [mikem]
Thu Dec 22 11:00:54 2005: DEBUG: Building Kerberos principal: mikem@OPEN.COM.AU
Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 ACCEPT: : mikem [mikem]
Thu Dec 22 11:00:54 2005: DEBUG: AuthBy KRB5 result: ACCEPT,
Thu Dec 22 11:00:54 2005: DEBUG: Access accepted for mikem
Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
*** Sending to 203.63.154.29 port 56583 ....
Code:       Access-Accept
Identifier: 88
Authentic:  1234567890123456
Attributes:


In our tests, Radiator ran on the same host as the KDC. Perhaps you are 
running on a different host to the KDC? The error you are getting looks like 
the client machine does not trust the reply from the KDC, so I wonder if you 
have set up your Kerberos client machine properly?

Cheers.

On Thursday 22 December 2005 08:10, Joon Yun wrote:
> Hi Hugh,
>
> I found this thread
> (http://www.open.com.au/archives/radiator/2000-11/msg00078.html) in the
> archives where you explain how you recommend applying patches and I can
> now report success! Radiator launches fine now with the Kerberos
> configuration, but it is now failing the auth. :(
>
> Here is the trace info:
>
> [ndrl5] ~/Radiator-Locked-3.13> perl radiusd -config_file krb5.cfg
> Wed Dec 21 13:56:08 2005: DEBUG: Finished reading configuration file 'krb5.cfg'
> Wed Dec 21 13:56:08 2005: DEBUG: Reading dictionary file './dictionary'
> Wed Dec 21 13:56:09 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> Wed Dec 21 13:56:09 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Wed Dec 21 13:56:09 2005: NOTICE: Server started: Radiator 3.13 on ndrl5.berkeley.edu
>
>
> Wed Dec 21 13:56:28 2005: DEBUG: Packet dump:
> *** Received from 128.32.231.212 port 32870 ....
> Code:       Access-Request
> Identifier: 226
> Authentic:  <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
> Attributes:
>          NAS-IP-Address = 128.32.231.212
>          User-Name = "joon"
>          User-Password = <148><214><241><253><11>Q<246><22><214>wB<14><0><140><203><127><0>9<230>=cq<201><147><177><11><174><12><3><31>Z<173>
>
> Wed Dec 21 13:56:28 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Dec 21 13:56:28 2005: DEBUG:  Deleting session for joon, 128.32.231.212,
> Wed Dec 21 13:56:28 2005: DEBUG: Handling with Radius::AuthKRB5:
> Wed Dec 21 13:56:28 2005: DEBUG: Radius::AuthKRB5 looks for match with joon [joon]
> Wed Dec 21 13:56:28 2005: DEBUG: Building Kerberos principal: joon@BERKELEY.EDU
> Wed Dec 21 13:56:29 2005: DEBUG: Radius::AuthKRB5 REJECT: Kinit failed: Decrypt integrity check failed: joon [joon]
> Wed Dec 21 13:56:29 2005: DEBUG: AuthBy KRB5 result: REJECT, Kinit failed: Decrypt integrity check failed
> Wed Dec 21 13:56:29 2005: INFO: Access rejected for joon: Kinit failed: Decrypt integrity check failed
> Wed Dec 21 13:56:29 2005: DEBUG: Packet dump:
> *** Sending to 128.32.231.212 port 32870 ....
> Code:       Access-Reject
> Identifier: 226
> Authentic:  <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
> Attributes:
>          Reply-Message = "Request Denied"
> -----------------------------------------------------------------------------------
>
> I can do a kinit manually perfectly fine though and can get a TGT.
>
> [ndrl5] ~> kinit
> joon@BERKELEY.EDU's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
> [ndrl5] ~> klist
> Credentials cache: FILE:/tmp/krb5cc_5696
>          Principal: joon@BERKELEY.EDU
>
>    Issued           Expires          Principal
> Dec 21 14:06:54  Dec 22 00:06:41  krbtgt/BERKELEY.EDU@BERKELEY.EDU
>
> So I am not sure what the problem is exactly. Sorry to keep pestering
> you but what is my next step?
>
> Regards,
> Joon Yun
> UC Berkeley
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
