(RADIATOR) initial run using simple.cfg with NAS client added fails
Joon Yun
joon at berkeley.edu
Thu Dec 22 16:28:11 CST 2005
Hi Mike,
I hadn't realized the machine radiator is running on needs to be more
than just a functioning Kerberos client. I'm reading you to mean that
radiator is actually a kerberos "application service" host meaning I
need it to be added to the KDC's keytab file and have a
/etc/krb5.keytab file itself. Is this the case? If so, is a generic
host principal sufficient (e.g.
host/something.berkeley.edu at BERKELEY.EDU) and/or do I need a radius
service principal (e.g. radius/something.berkeley.edu at BERKELEY.EDU)?
Thank you for all your assistance.
Regards,
Joon Yun
On Dec 21, 2005, at 5:12 PM, Mike McCauley wrote:
> Hello,
>
> AuthBy KRB5 tested fine here after setting up Heimdal kerberos on
> FreeBSD 6.0
> following the instructions at
> http://www.freebsd.org/doc/handbook/kerberos5.html
>
> papa# perl radiusd -config goodies/krb5.cfg
> Thu Dec 22 11:00:51 2005: DEBUG: Finished reading configuration file
> 'goodies/krb5.cfg'
> Thu Dec 22 11:00:51 2005: DEBUG: Reading dictionary file './dictionary'
> Thu Dec 22 11:00:52 2005: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Thu Dec 22 11:00:52 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Thu Dec 22 11:00:52 2005: NOTICE: Server started: Radiator 3.13 on
> papa.open.com.au
> Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
> *** Received from 203.63.154.29 port 56583 ....
> Code: Access-Request
> Identifier: 88
> Authentic: 1234567890123456
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> <159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>
>
> Thu Dec 22 11:00:54 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Dec 22 11:00:54 2005: DEBUG: Deleting session for mikem,
> 203.63.154.1,
> 1234
> Thu Dec 22 11:00:54 2005: DEBUG: Handling with Radius::AuthKRB5:
> Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 looks for match with
> mikem
> [mikem]
> Thu Dec 22 11:00:54 2005: DEBUG: Building Kerberos principal:
> mikem at OPEN.COM.AU
> Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 ACCEPT: : mikem
> [mikem]
> Thu Dec 22 11:00:54 2005: DEBUG: AuthBy KRB5 result: ACCEPT,
> Thu Dec 22 11:00:54 2005: DEBUG: Access accepted for mikem
> Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
> *** Sending to 203.63.154.29 port 56583 ....
> Code: Access-Accept
> Identifier: 88
> Authentic: 1234567890123456
> Attributes:
>
>
> In our tests, Radiator ran on the same host as the KDC. Perhaps you are
> running on a different host to the KDC? The error you are getting looks like
> the client machine does not trust the reply from KDC, so I wonder if you have
> set up your kerberos client machine properly?
>
> Cheers.
>
> On Thursday 22 December 2005 08:10, Joon Yun wrote:
>> Hi Hugh,
>>
>> I found this thread
>> (http://www.open.com.au/archives/radiator/2000-11/msg00078.html) in the
>> archives where you explain how you recommend applying patches and I can
>> now report success! Radiator launches fine now with the Kerberos
>> configuration, but it is now failing the auth. :(
>>
>> Here is the trace info:
>>
>> [ndrl5] ~/Radiator-Locked-3.13> perl radiusd -config_file krb5.cfg
>> Wed Dec 21 13:56:08 2005: DEBUG: Finished reading configuration file
>> 'krb5.cfg'
>> Wed Dec 21 13:56:08 2005: DEBUG: Reading dictionary file
>> './dictionary'
>> Wed Dec 21 13:56:09 2005: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Wed Dec 21 13:56:09 2005: DEBUG: Creating accounting port 0.0.0.0:1646
>> Wed Dec 21 13:56:09 2005: NOTICE: Server started: Radiator 3.13 on
>> ndrl5.berkeley.edu
>>
>>
>> Wed Dec 21 13:56:28 2005: DEBUG: Packet dump:
>> *** Received from 128.32.231.212 port 32870 ....
>> Code: Access-Request
>> Identifier: 226
>> Authentic: <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
>> Attributes:
>> NAS-IP-Address = 128.32.231.212
>> User-Name = "joon"
>> User-Password =
>> <148><214><241><253><11>Q<246><22><214>wB<14><0><140><203><127><0>9<23
>> 0>
>> =cq<201><147><177><11><174><12><3><31>Z<173>
>>
>> Wed Dec 21 13:56:28 2005: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Wed Dec 21 13:56:28 2005: DEBUG: Deleting session for joon,
>> 128.32.231.212,
>> Wed Dec 21 13:56:28 2005: DEBUG: Handling with Radius::AuthKRB5:
>> Wed Dec 21 13:56:28 2005: DEBUG: Radius::AuthKRB5 looks for match with
>> joon [joon]
>> Wed Dec 21 13:56:28 2005: DEBUG: Building Kerberos principal:
>> joon at BERKELEY.EDU
>> Wed Dec 21 13:56:29 2005: DEBUG: Radius::AuthKRB5 REJECT: Kinit
>> failed:
>> Decrypt integrity check failed: joon [joon]
>> Wed Dec 21 13:56:29 2005: DEBUG: AuthBy KRB5 result: REJECT, Kinit
>> failed: Decrypt integrity check failed
>> Wed Dec 21 13:56:29 2005: INFO: Access rejected for joon: Kinit
>> failed:
>> Decrypt integrity check failed
>> Wed Dec 21 13:56:29 2005: DEBUG: Packet dump:
>> *** Sending to 128.32.231.212 port 32870 ....
>> Code: Access-Reject
>> Identifier: 226
>> Authentic: <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
>> Attributes:
>> Reply-Message = "Request Denied"
>> -----------------------------------------------------------------------------------
>>
>> I can do a kinit manually perfectly fine though and can get a tgt.
>>
>> [ndrl5] ~> kinit
>> joon at BERKELEY.EDU's Password:
>> kinit: NOTICE: ticket renewable lifetime is 1 week
>> [ndrl5] ~> klist
>> Credentials cache: FILE:/tmp/krb5cc_5696
>> Principal: joon at BERKELEY.EDU
>>
>> Issued Expires Principal
>> Dec 21 14:06:54 Dec 22 00:06:41 krbtgt/BERKELEY.EDU at BERKELEY.EDU
>>
>> So I am not sure what the problem is exactly. Sorry to keep pestering
>> you but what is my next step?
>>
>> Regards,
>> Joon Yun
>> UC Berkeley
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
>
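Added here as a standalone triage aid, not code from the thread or from Radiator itself: a small parser that turns a Radiator 3.13 debug trace like the ones quoted above into one record per received request, so ACCEPT/REJECT outcomes and the Kerberos failure reason can be tallied across many requests instead of read by eye. The sample trace is constructed from the quoted lines (the archive prints "@" as " at "; real traces use "@").

```python
import re

# Constructed sample, modelled on the Radiator debug trace quoted in the thread.
SAMPLE_TRACE = """\
*** Received from 128.32.231.212 port 32870 ....
Identifier: 226
NAS-IP-Address = 128.32.231.212
User-Name = "joon"
Wed Dec 21 13:56:28 2005: DEBUG: Building Kerberos principal: joon@BERKELEY.EDU
Wed Dec 21 13:56:29 2005: DEBUG: AuthBy KRB5 result: REJECT, Kinit failed: Decrypt integrity check failed
*** Received from 203.63.154.29 port 56583 ....
Identifier: 88
User-Name = "mikem"
NAS-IP-Address = 203.63.154.1
Thu Dec 22 11:00:54 2005: DEBUG: Building Kerberos principal: mikem@OPEN.COM.AU
Thu Dec 22 11:00:54 2005: DEBUG: AuthBy KRB5 result: ACCEPT,
"""

RE_RECV = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
RE_ATTR = re.compile(r'^(Identifier|User-Name|NAS-IP-Address)\s*[:=]\s*"?([^"]*)"?$')
RE_PRINC = re.compile(r"Building Kerberos principal:\s*(\S+)")
RE_RESULT = re.compile(r"AuthBy KRB5 result:\s*(ACCEPT|REJECT),?\s*(.*)$")


def parse_trace(text):
    """Split a Radiator debug trace into one dict per '*** Received from' block."""
    records, cur = [], None
    for line in text.splitlines():
        if m := RE_RECV.match(line):
            cur = {"client": m.group(1), "port": int(m.group(2)),
                   "principal": None, "result": None, "reason": None}
            records.append(cur)
        elif cur is None:
            continue                      # lines before the first packet dump
        elif m := RE_ATTR.match(line):
            cur[m.group(1)] = m.group(2)  # RADIUS attributes from the packet dump
        elif m := RE_PRINC.search(line):
            cur["principal"] = m.group(1)  # principal AuthBy KRB5 built for the user
        elif m := RE_RESULT.search(line):
            cur["result"] = m.group(1)
            cur["reason"] = m.group(2).strip() or None  # empty on ACCEPT
    return records


def reject_reasons(records):
    """Count REJECT outcomes by reason; one dominant reason points at a systemic fault."""
    counts = {}
    for r in records:
        if r["result"] == "REJECT":
            counts[r["reason"]] = counts.get(r["reason"], 0) + 1
    return counts
```

A single user failing with "Decrypt integrity check failed" while others succeed usually points at that principal; every request failing the same way points at the Radiator host's Kerberos client configuration.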