(RADIATOR) initial run using simple.cfg with NAS client added fails

Mike McCauley mikem at open.com.au
Thu Dec 22 17:50:21 CST 2005


Hi,


On Friday 23 December 2005 08:28, Joon Yun wrote:
> Hi Mike,
>
> I hadn't realized the machine radiator is running on needs to be more
> than just a functioning Kerberos client. I'm reading you to mean that
> radiator is actually a kerberos "application service" host meaning I
> need it to be added to the KDC's keytab file and have a
> /etc/krb5.keytab file itself. Is this the case? If so, is a generic
> host principal sufficient (e.g.
> host/something.berkeley.edu at BERKELEY.EDU) and/or do I need a radius
> service principal (e.g. radius/something.berkeley.edu at BERKELEY.EDU)?
> Thank you for all your assistance.

I'm sorry that I am not expert enough in Kerberos to answer your question. All 
I can say is that the error message you are seeing makes me think the 
Kerberos client code does not trust the answer from the Kerberos server.

Cheers.

>
> Regards,
> Joon Yun
>
> On Dec 21, 2005, at 5:12 PM, Mike McCauley wrote:
> > Hello,
> >
> > AuthBy KRB5 tested fine here after setting up Heimdal kerberos on
> > FreeBSD 6.0
> > following the instructions at
> > http://www.freebsd.org/doc/handbook/kerberos5.html
> >
> > papa# perl radiusd -config goodies/krb5.cfg
> > Thu Dec 22 11:00:51 2005: DEBUG: Finished reading configuration file
> > 'goodies/krb5.cfg'
> > Thu Dec 22 11:00:51 2005: DEBUG: Reading dictionary file './dictionary'
> > Thu Dec 22 11:00:52 2005: DEBUG: Creating authentication port
> > 0.0.0.0:1645
> > Thu Dec 22 11:00:52 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> > Thu Dec 22 11:00:52 2005: NOTICE: Server started: Radiator 3.13 on
> > papa.open.com.au
> > Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
> > *** Received from 203.63.154.29 port 56583 ....
> > Code:       Access-Request
> > Identifier: 88
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "mikem"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Identifier = "203.63.154.1"
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password =
> > <159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>
> >
> > Thu Dec 22 11:00:54 2005: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Thu Dec 22 11:00:54 2005: DEBUG:  Deleting session for mikem,
> > 203.63.154.1,
> > 1234
> > Thu Dec 22 11:00:54 2005: DEBUG: Handling with Radius::AuthKRB5:
> > Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 looks for match with
> > mikem
> > [mikem]
> > Thu Dec 22 11:00:54 2005: DEBUG: Building Kerberos principal:
> > mikem at OPEN.COM.AU
> > Thu Dec 22 11:00:54 2005: DEBUG: Radius::AuthKRB5 ACCEPT: : mikem
> > [mikem]
> > Thu Dec 22 11:00:54 2005: DEBUG: AuthBy KRB5 result: ACCEPT,
> > Thu Dec 22 11:00:54 2005: DEBUG: Access accepted for mikem
> > Thu Dec 22 11:00:54 2005: DEBUG: Packet dump:
> > *** Sending to 203.63.154.29 port 56583 ....
> > Code:       Access-Accept
> > Identifier: 88
> > Authentic:  1234567890123456
> > Attributes:
> >
> >
> > In our tests, Radiator ran on the same host as the KDC. Perhaps you are
> > running on a different host to the KDC? The error you are getting
> > looks like
> > the client machine does not trust the reply from KDC, so I wonder if
> > you have
> > set up your kerberos client machine properly?
> >
> > Cheers.
> >
> > On Thursday 22 December 2005 08:10, Joon Yun wrote:
> >> Hi Hugh,
> >>
> >> I found this thread
> >> (http://www.open.com.au/archives/radiator/2000-11/msg00078.html) in
> >> the
> >> archives where you explain how you recommend applying patches and I
> >> can
> >> now report success! Radiator launches fine now with the Kerberos
> >> configuration, but it is now failing the auth. :(
> >>
> >> Here is the trace info:
> >>
> >> [ndrl5] ~/Radiator-Locked-3.13> perl radiusd -config_file krb5.cfg
> >> Wed Dec 21 13:56:08 2005: DEBUG: Finished reading configuration file
> >> 'krb5.cfg'
> >> Wed Dec 21 13:56:08 2005: DEBUG: Reading dictionary file
> >> './dictionary'
> >> Wed Dec 21 13:56:09 2005: DEBUG: Creating authentication port
> >> 0.0.0.0:1645
> >> Wed Dec 21 13:56:09 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> >> Wed Dec 21 13:56:09 2005: NOTICE: Server started: Radiator 3.13 on
> >> ndrl5.berkeley.edu
> >>
> >>
> >> Wed Dec 21 13:56:28 2005: DEBUG: Packet dump:
> >> *** Received from 128.32.231.212 port 32870 ....
> >> Code:       Access-Request
> >> Identifier: 226
> >> Authentic:  <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
> >> Attributes:
> >>          NAS-IP-Address = 128.32.231.212
> >>          User-Name = "joon"
> >>          User-Password =
> >> <148><214><241><253><11>Q<246><22><214>wB<14><0><140><203><127><0>9<230>=cq<201><147><177><11><174><12><3><31>Z<173>
> >>
> >> Wed Dec 21 13:56:28 2005: DEBUG: Handling request with Handler
> >> 'Realm=DEFAULT'
> >> Wed Dec 21 13:56:28 2005: DEBUG:  Deleting session for joon,
> >> 128.32.231.212,
> >> Wed Dec 21 13:56:28 2005: DEBUG: Handling with Radius::AuthKRB5:
> >> Wed Dec 21 13:56:28 2005: DEBUG: Radius::AuthKRB5 looks for match with
> >> joon [joon]
> >> Wed Dec 21 13:56:28 2005: DEBUG: Building Kerberos principal:
> >> joon at BERKELEY.EDU
> >> Wed Dec 21 13:56:29 2005: DEBUG: Radius::AuthKRB5 REJECT: Kinit
> >> failed:
> >> Decrypt integrity check failed: joon [joon]
> >> Wed Dec 21 13:56:29 2005: DEBUG: AuthBy KRB5 result: REJECT, Kinit
> >> failed: Decrypt integrity check failed
> >> Wed Dec 21 13:56:29 2005: INFO: Access rejected for joon: Kinit
> >> failed:
> >> Decrypt integrity check failed
> >> Wed Dec 21 13:56:29 2005: DEBUG: Packet dump:
> >> *** Sending to 128.32.231.212 port 32870 ....
> >> Code:       Access-Reject
> >> Identifier: 226
> >> Authentic:  <250><147><186>Px<163>K<192>'<224><12><154><16><233>O<185>
> >> Attributes:
> >>          Reply-Message = "Request Denied"
> >> -----------------------------------------------------------------------------------
> >>
> >> I can do a kinit manually perfectly fine though and can get a tgt.
> >>
> >> [ndrl5] ~> kinit
> >> joon at BERKELEY.EDU's Password:
> >> kinit: NOTICE: ticket renewable lifetime is 1 week
> >> [ndrl5] ~> klist
> >> Credentials cache: FILE:/tmp/krb5cc_5696
> >>          Principal: joon at BERKELEY.EDU
> >>
> >>    Issued           Expires          Principal
> >> Dec 21 14:06:54  Dec 22 00:06:41  krbtgt/BERKELEY.EDU at BERKELEY.EDU
> >>
> >> So I am not sure what the problem is exactly. Sorry to keep pestering
> >> you but what is my next step?
> >>
> >> Regards,
> >> Joon Yun
> >> UC Berkeley
> >>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
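The packet dumps above show the two fields that matter for a PAP request reaching AuthBy KRB5: the 16-byte Request Authenticator ("Authentic:") and the hidden User-Password, which the server can only unhide with the same shared secret the NAS used. If the NAS and Radiator disagree on that secret, the "password" handed to kinit is high-entropy garbage, and a wrong password in an AS exchange fails with exactly the kind of decrypt/integrity error seen in the trace, so it is worth ruling out before investigating keytabs. The following is an added example, not code from the thread or from Radiator: a plain implementation of the RFC 2865 section 5.2 User-Password hiding, a minimal Access-Request builder and parser, and a side-by-side recovery with the right and a wrong secret. The secrets, password and authenticator are constructed values chosen for the demonstration.

```python
import hashlib
import secrets

# Constructed sample values (not taken from the thread): the secret the NAS is
# configured with, a near-miss secret on the server side, and the user's password.
NAS_SECRET = b"mysecret"
WRONG_SECRET = b"mysecrte"
PASSWORD = b"correct horse battery staple"  # 28 bytes, so it spans two 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous cipher block), the first block keyed by the
    Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on this cipher block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding. With the wrong
    secret every block decrypts to pseudo-random bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_password(candidate: bytes) -> bool:
    """Cheap sanity check a server can log before calling kinit: a real PAP
    password is printable text, a secret mismatch yields binary noise."""
    return bool(candidate) and all(32 <= b < 127 for b in candidate)


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and a
    hidden User-Password (type 2) in the RFC 2865 header layout."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    length = 20 + len(attrs)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: value} map,
    rejecting inconsistent lengths instead of reading past the buffer."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": packet[0], "identifier": packet[1],
            "authenticator": packet[4:20], "attrs": attrs}


def recovered_password(packet: bytes, secret: bytes) -> bytes:
    """What a server configured with `secret` would pass on to kinit."""
    parsed = parse_packet(packet)
    return unhide_password(parsed["attrs"][2], secret, parsed["authenticator"])


def demo() -> tuple:
    """Same request unhidden with the NAS's secret and with a wrong one."""
    authenticator = secrets.token_bytes(16)  # the NAS picks a fresh one per request
    packet = build_access_request(226, b"joon", PASSWORD, NAS_SECRET, authenticator)
    return recovered_password(packet, NAS_SECRET), recovered_password(packet, WRONG_SECRET)


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret:", good, looks_like_password(good))
    print("wrong secret   :", bad, looks_like_password(bad))
```

The chaining means a secret mismatch corrupts every block, not just the first, so the recovered bytes never resemble the real password; if a server's trace shows the unhidden password (or a test with radclient or a similar tool using the known secret) is not the plaintext the user typed, fix the secret on one side before touching Kerberos.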