(RADIATOR) initial run using simple.cfg with NAS client added fails
Mike McCauley
mikem at open.com.au
Wed Dec 21 19:12:08 CST 2005
Hello,

AuthBy KRB5 tested fine here after setting up Heimdal Kerberos on FreeBSD 6.0
following the instructions at
http://www.freebsd.org/doc/handbook/kerberos5.html

papa# perl radiusd -config goodies/krb5.cfg
Thu Dec 22 11:00:51 2005: DEBUG: Finished reading configuration file 'goodies/krb5.cfg'
Thu Dec 22 11:00:51 2005: DEBUG: Reading dictionary file './dictionary'
Thu Dec 22 11:00:52 2005: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Dec 22 11:00:52 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Dec 22 11:00:52 2005: NOTICE: Server started: Radiator 3.13 on papa.open.com.au
Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
*** Received from 203.63.154.29 port 56583 ....
Code: Access-Request
Identifier: 88
Authentic: 1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>
Thu Dec 22 11:00:54 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Dec 22 11:00:54 2005: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Thu Dec 22 11:00:54 2005: DEBUG: Handling with Radius::AuthKRB5:
Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 looks for match with mikem [mikem]
Thu Dec 22 11:00:54 2005: DEBUG: Building Kerberos principal: mikem at OPEN.COM.AU
Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 ACCEPT: : mikem [mikem]
Thu Dec 22 11:00:54 2005: DEBUG: AuthBy KRB5 result: ACCEPT,
Thu Dec 22 11:00:54 2005: DEBUG: Access accepted for mikem
Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
*** Sending to 203.63.154.29 port 56583 ....
Code: Access-Accept
Identifier: 88
Authentic: 1234567890123456
Attributes:

In our tests, Radiator ran on the same host as the KDC. Perhaps you are
running on a different host to the KDC? The error you are getting looks like
the client machine does not trust the reply from the KDC, so I wonder if you have
set up your Kerberos client machine properly?

Cheers.

On Thursday 22 December 2005 08:10, Joon Yun wrote:
> Hi Hugh,
>
> I found this thread
> (http://www.open.com.au/archives/radiator/2000-11/msg00078.html) in the
> archives where you explain how you recommend applying patches and I can
> now report success! Radiator launches fine now with the Kerberos
> configuration, but it is now failing the auth. :(
>
> Here is the trace info:
>
> [ndrl5] ~/Radiator-Locked-3.13> perl radiusd -config_file krb5.cfg
> Wed Dec 21 13:56:08 2005: DEBUG: Finished reading configuration file 'krb5.cfg'
> Wed Dec 21 13:56:08 2005: DEBUG: Reading dictionary file './dictionary'
> Wed Dec 21 13:56:09 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> Wed Dec 21 13:56:09 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Wed Dec 21 13:56:09 2005: NOTICE: Server started: Radiator 3.13 on ndrl5.berkeley.edu
>
>
> Wed Dec 21 13:56:28 2005: DEBUG: Packet dump:
> *** Received from 128.32.231.212 port 32870 ....
> Code: Access-Request
> Identifier: 226
> Authentic: <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
> Attributes:
> NAS-IP-Address = 128.32.231.212
> User-Name = "joon"
> User-Password =
> <148><214><241><253><11>Q<246><22><214>wB<14><0><140><203><127><0>9<230>
> =cq<201><147><177><11><174><12><3><31>Z<173>
>
> Wed Dec 21 13:56:28 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Dec 21 13:56:28 2005: DEBUG: Deleting session for joon, 128.32.231.212,
> Wed Dec 21 13:56:28 2005: DEBUG: Handling with Radius::AuthKRB5:
> Wed Dec 21 13:56:28 2005: DEBUG: Radius::AuthKRB5 looks for match with joon [joon]
> Wed Dec 21 13:56:28 2005: DEBUG: Building Kerberos principal: joon at BERKELEY.EDU
> Wed Dec 21 13:56:29 2005: DEBUG: Radius::AuthKRB5 REJECT: Kinit failed: Decrypt integrity check failed: joon [joon]
> Wed Dec 21 13:56:29 2005: DEBUG: AuthBy KRB5 result: REJECT, Kinit failed: Decrypt integrity check failed
> Wed Dec 21 13:56:29 2005: INFO: Access rejected for joon: Kinit failed: Decrypt integrity check failed
> Wed Dec 21 13:56:29 2005: DEBUG: Packet dump:
> *** Sending to 128.32.231.212 port 32870 ....
> Code: Access-Reject
> Identifier: 226
> Authentic: <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
> Attributes:
> Reply-Message = "Request Denied"
> -----------------------------------------------------------------------------------
>
> I can do a kinit manually perfectly fine though and can get a tgt.
>
> [ndrl5] ~> kinit
> joon at BERKELEY.EDU's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
> [ndrl5] ~> klist
> Credentials cache: FILE:/tmp/krb5cc_5696
> Principal: joon at BERKELEY.EDU
>
> Issued Expires Principal
> Dec 21 14:06:54 Dec 22 00:06:41 krbtgt/BERKELEY.EDU at BERKELEY.EDU
>
> So I am not sure what the problem is exactly. Sorry to keep pestering
> you but what is my next step?
>
> Regards,
> Joon Yun
> UC Berkeley
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
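
The traces above show User-Password as it arrives on the wire; the server has to recover the cleartext with the client's shared secret before AuthBy KRB5 can use it for kinit. The following is an added example, not part of the original messages and not Radiator's code, of the RFC 2865 section 5.2 hiding scheme, showing that a server holding a different secret decodes without any RADIUS-level error but gets a different password. The secrets and the password are constructed; the Request Authenticator is the one in the first trace.

```python
import hashlib


def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: b_i = MD5(secret + previous ciphertext block or authenticator)
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: pad with NULs to 16-byte blocks, XOR each with b_i."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does before handing the password to its auth module."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


AUTHENTICATOR = b"1234567890123456"          # from the first trace on this page
NAS_SECRET = b"constructed-nas-secret"       # constructed sample value
OTHER_SECRET = b"constructed-other-secret"   # constructed: server-side mismatch
PASSWORD = b"constructed pass phrase"        # constructed, spans two blocks


def compare_secrets():
    """Return (password seen with matching secret, password seen with mismatch)."""
    wire = hide_password(PASSWORD, NAS_SECRET, AUTHENTICATOR)
    return (recover_password(wire, NAS_SECRET, AUTHENTICATOR),
            recover_password(wire, OTHER_SECRET, AUTHENTICATOR))


if __name__ == "__main__":
    good, bad = compare_secrets()
    print("matching secret :", good)
    print("mismatched secret:", bad)
```

The scheme carries no integrity check on the password itself, so only the authentication back end can tell that the recovered string is not what the user typed.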