(RADIATOR) Anyone using Cisco URT ?

Ed Spick es at soas.ac.uk
Thu Jan 13 12:28:32 CST 2005


Hi Hugh,

I have run both radiator and the Cisco vps at trace 5 - it looks like the 
vps is receiving a null string for the vlan-association from radiator - in 
my config it should have been sent itdept as the vlan association - not 
sure what this attribute should be sent as - string or integer - any thoughts?

cheers
ed

In my test setup

The Cisco vps1 is 172.16.0.5 - appears in log as Called-Station-Id
The test switch is 172.16.1.11 - appears in log as NAS-IP-Address
The vlan that the pc begins in is called urt-logon (10.254.254.0/24) and 
the test pc picked up 10.254.254.177 in it, after authentication I want it 
to be switched to another vlan called itdept

added to dictionary :

ATTRIBUTE       Vlan-Association                92      string
# Vendor-attrib for Cisco urt ?
VENDORATTR      1397702995      Vlan-association        92      string


Radiator Config :

LogDir          /var/log/radiator
DbDir           /usr/local/radiator/Radiator-3.11
Trace           5
AuthPort        1645,1812
AcctPort        1646,1813

# vpses for Dynamic Ports
# vps1.soas.ac.uk
<Client 172.16.0.5>
         Secret xxxxxxxxxxxxxxxx
         Identifier      SOAS-URT
         NasType         Cisco
         SNMPCommunity   xxxxxxxxxx
         DupInterval 2
</Client>
# vps1.soas.ac.uk
<Client 172.16.5.253>
         Secret xxxxxxxxxxxxxxxx
         Identifier      SOAS-URT
         NasType        Cisco
         SNMPCommunity   xxxxxxxxxx
         DupInterval 2
</Client>

<Handler Client-Identifier=SOAS-URT>
# Strip the realm from the uid before looking for authentication
RewriteUsername s/^([^@]+).*/$1/
# Limit all users in this realm to max of 1 session
MaxSessions 1
         <AuthBy FILE>
                 Filename /usr/local/radiator/etc/vlanusers
         </AuthBy>
         AcctLogFileName %L/logfile
         PasswordLogFileName %L/logfile
</Handler>

/usr/local/radiator/etc/vlanusers

test1   User-Password = "xxxxxxxxx"
         Vlan-Association = SOAS\itdept,
         Allow-Multiple-Users = false,
         Logon-User-Only = false

Radiator - Logfile

Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
*** Received from 172.16.0.5 port 1242 ....

Packet length = 106
01 13 00 6a df dd 96 db 0b 79 ee 5c 57 66 f6 ba
13 64 f0 5e 20 10 30 30 30 36 2e 35 62 61 63 2e
64 61 39 31 04 0d 31 37 32 2e 31 36 2e 31 2e 31
31 57 08 46 61 30 2f 32 30 1e 0c 31 37 32 2e 31
36 2e 30 2e 35 3d 06 00 00 00 05 05 06 00 a9 5f
74 01 07 74 65 73 74 31 02 12 2f 3b b5 90 44 9e
c1 45 b4 b2 8f 6c 36 d3 28 37
Code:       Access-Request
Identifier: 19
Authentic:  <223><221><150><219><11>y<238>\Wf<246><186><19>d<240>^
Attributes:
         NAS-Identifier = "0006.5bac.da91"
         NAS-IP-Address = UNKNOWN
         NAS-Port-Id = "Fa0/20"
         Called-Station-Id = "172.16.0.5"
         NAS-Port-Type = Virtual
         NAS-Port = 11100020
         User-Name = "test1"
         User-Password = "/;<181><144>D<158><193>E<180><178><143>l6<211>(7"

Thu Jan 13 17:42:59 2005: DEBUG: Handling request with Handler 
'Client-Identifier=SOAS-URT'
Thu Jan 13 17:42:59 2005: DEBUG: Rewrote user name to test1
Thu Jan 13 17:42:59 2005: DEBUG:  Deleting session for test1, UNKNOWN, 11100020
Thu Jan 13 17:42:59 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Jan 13 17:42:59 2005: DEBUG: Radius::AuthFILE looks for match with test1
Thu Jan 13 17:42:59 2005:1105638179:test1:xxxxxxxx:xxxxxxxx:PASS
Thu Jan 13 17:42:59 2005: DEBUG: Radius::AuthFILE ACCEPT:
Thu Jan 13 17:42:59 2005: DEBUG: Access accepted for test1
Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
*** Sending to 172.16.0.5 port 1242 ....

Packet length = 50
02 13 00 32 17 e9 1a cb 1a d1 77 1e 41 8c c7 e3
d8 2a c2 1b 5c 0e 00 53 4f 41 53 5c 69 74 64 65
70 74 1a 08 00 66 61 6c 73 65 18 08 00 66 61 6c
73 65
Code:       Access-Accept
Identifier: 19
Authentic:  <223><221><150><219><11>y<238>\Wf<246><186><19>d<240>^
Attributes:
         Vlan-Association = SOAS\itdept
         Allow-Multiple-Users = false
         Logon-User-Only = false

Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
*** Received from 172.16.0.5 port 1243 ....

Packet length = 163
04 13 00 a3 4d 3c ff 67 a6 ab 08 a8 78 ec 77 5e
0d 7d 90 c0 28 06 00 00 00 01 1f 10 31 30 2e 32
35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
73 74 31
Code:       Accounting-Request
Identifier: 19
Authentic:  M<<255>g<166><171><8><168>x<236>w^<13>}<144><192>
Attributes:
         Acct-Status-Type = Start
         Calling-Station-Id = "10.254.254.177"
         NAS-Identifier = "0006.5bac.da91"
         Framed-IP-Netmask = 255.255.255.0
         Proxy-State = 10.254.254.1
         NAS-IP-Address = 172.16.1.11
         NAS-Port-Id = "Fa0/20"
         Called-Station-Id = "172.16.0.5"
         Vlan-association = rt-logon
         NAS-Port-Type = Virtual
         NAS-Port = 11100020
         Acct-Session-Id = "181340460006.5bac.da91"
         User-Name = "test1"

Thu Jan 13 17:42:59 2005: DEBUG: Handling request with Handler 
'Client-Identifier=SOAS-URT'
Thu Jan 13 17:42:59 2005: DEBUG: Rewrote user name to test1
Thu Jan 13 17:42:59 2005
         Acct-Status-Type = Start
         Calling-Station-Id = "10.254.254.177"
         NAS-Identifier = "0006.5bac.da91"
         Framed-IP-Netmask = 255.255.255.0
         Proxy-State = 10.254.254.1
         NAS-IP-Address = 172.16.1.11
         NAS-Port-Id = "Fa0/20"
         Called-Station-Id = "172.16.0.5"
         Vlan-association = rt-logon
         NAS-Port-Type = Virtual
         NAS-Port = 11100020
         Acct-Session-Id = "181340460006.5bac.da91"
         User-Name = "test1"
         Timestamp = 1105638179

Thu Jan 13 17:42:59 2005: DEBUG:  Adding session for test1, 172.16.1.11, 
11100020
Thu Jan 13 17:42:59 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Jan 13 17:42:59 2005: DEBUG: Accounting accepted
Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
*** Sending to 172.16.0.5 port 1243 ....

Packet length = 34
05 13 00 22 3e ba 3d 5b e4 bd fb 09 b1 15 0c 45
20 c6 31 db 21 0e 31 30 2e 32 35 34 2e 32 35 34
2e 31
Code:       Accounting-Response
Identifier: 19
Authentic:  M<<255>g<166><171><8><168>x<236>w^<13>}<144><192>
Attributes:
         Proxy-State = 10.254.254.1

Thu Jan 13 17:43:00 2005: DEBUG: Packet dump:
*** Received from 172.16.0.5 port 1244 ....

Packet length = 163
04 13 00 a3 f8 5f 41 68 22 46 1d 7c e5 4c fc e8
80 93 8f 9f 28 06 00 00 00 02 1f 10 31 30 2e 32
35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
73 74 31
Code:       Accounting-Request
Identifier: 19
Authentic:  <248>_Ah"F<29>|<229>L<252><232><128><147><143><159>
Attributes:
         Acct-Status-Type = Stop
         Calling-Station-Id = "10.254.254.177"
         NAS-Identifier = "0006.5bac.da91"
         Framed-IP-Netmask = 255.255.255.0
         Proxy-State = 10.254.254.1
         NAS-IP-Address = 172.16.1.11
         NAS-Port-Id = "Fa0/20"
         Called-Station-Id = "172.16.0.5"
         Vlan-association = rt-logon
         NAS-Port-Type = Virtual
         NAS-Port = 11100020
         Acct-Session-Id = "181340460006.5bac.da91"
         User-Name = "test1"

Thu Jan 13 17:43:00 2005: INFO: Duplicate request id 19 received from 
172.16.0.5(1244): ignored


Debugging output from the Cisco VPS-1 (172.16.0.5) for the same session :

Thu Jan 13 17:42:58 GMT 2005 TRACE:(UrtClientTask) Received client packet> 
(SECURITY_PACKET_DH): {VERSION = 1} {IP = 10.254.254.177} {Port = 1298} 
{MAC = 0006.5bac.da91} {Data = 199}
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Found MAC Address in 
cache: 0006.5bac.da91
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending 
(SECURITY_PACKET_AUTH): {IP = 10.254.254.177} {Port = 1298} {XID = 
0006.5bac.da91} {Data = 199}
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Received client packet> 
(SECURITY_PACKET_PMSG): {VERSION = 1} {IP = 10.254.254.177} {Port = 1298} 
{MAC = 0006.5bac.da91} {Data = 3}
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending 
(SECURITY_PACKET_PMSG): {IP = 10.254.254.177} {Port = 1298} {XID = 
0006.5bac.da91} {Data = 0}
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Received client packet> 
(SECURITY_PACKET_LOGON): {VERSION = 1} {IP = 10.254.254.177} {Port = 1298} 
{MAC = 0006.5bac.da91} {Data = 2099}
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Decrypted client packet> 
(USER_LOGON): {VERSION = 1} {IP = 10.254.254.177} {Port = 1298} {XID = 
181340460006.5bac.da91} {SID = 181340460006.5bac.da91} {MAC = 
0006.5bac.da91} {User = SOAS-URT\test1} {Password = XXX} {Old IP = 
10.254.254.177} {Subnet = 255.255.255.0} {Gateway = 10.254.254.1} {Data = 
2099}
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Found MAC Address in 
cache: 0006.5bac.da91
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to 
authenticate 'test1' for domain 'SOAS-URT'
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to 
authenticate 'test1' for domain 'SOAS-URT' using RADIUS server: 212.219.139.220
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Successfully 
authenticated 'test1' for domain 'SOAS-URT'
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Logon assigned VLAN for 
MAC 0006.5bac.da91 is 'urt-logon' in VTP domain 'SOAS'
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to determine 
assigned associations for 'SOAS-URT\test1' in VTP domain 'SOAS'
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) RADIUS returned 
attribute string is:
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) User assigned VLAN for 
MAC 0006.5bac.da91 is 'null' in VTP domain 'SOAS'
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) MAC 0006.5bac.da91 stays 
on current VLAN 'urt-logon'
Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending 
(CONTINUE_ON_SAME_SUBNET): {IP = 10.254.254.177} {Port = 1298} {XID = 
181340460006.5bac.da91} {Data = 1}
Thu Jan 13 17:43:00 GMT 2005 TRACE:(UrtClientTask) Received client packet> 
(SECURITY_PACKET_ENCRYPT): {VERSION = 1} {IP = 10.254.254.177} {Port = 
1299} {MAC = 0006.5bac.da91} {Data = 2064}


At 05:29 13/01/2005, Hugh Irvine wrote:

>Hello Ed -
>
>It is not clear to me exactly what is happening.
>
>The error message you show below normally occurs when decoding an
>incoming radius request.
>
>You can verify this by looking at a trace 5 debug from Radiator.
>
>The name used in the dictionary is not important as the name gets
>encoded into the attribute number specified in the dictionary
>definition.
>
>Please post the trace 5 debug and a copy of your configuration file (no
>secrets) so we can see what is happening.
>
>You should also have a look at the debug messages on the Cisco to see
>what it thinks is going on.
>
>regards
>
>Hugh
>
>
>On 12 Jan 2005, at 20:52, Ed Spick wrote:
>
> > Hail Radiators,
> >
> > We are using a pre-802.1x Cisco dynamic vlan assignment product called
> > User Registration Tool (URT). This allows you to use dynamically
> > assigned vlans on switches such as the cat3500XL series (which can't
> > do 802.1x). Currently we use this in an ethernet address to vlan type
> > of association, however it can be configured as a proxy to take
> > authentication from ldap/radius. I have set up my clients suitably and
> > I am using a flat user file first off, however when my test user
> > authenticates I get error messages in my radiator log :
> >
> > Wed Jan 12 14:01:57 2005: ERR: Attribute number 92 (vendor 1397702995)
> > is not defined in your dictionary
> >
> > I need to reply the vtp domain and vlan name to the URT system and
> > have tried using one similar to the 802.1x examples I have found
> > elsewhere on the mail list :
> >
> > test1   User-Password = "linotype"
> >         Tunnel-Type=1:VLAN,
> >         Tunnel-Medium-Type=1:Ether_802,
> >         Tunnel-Private-Group-ID=1:61
> >
> > The log shows that these vlan reply attributes do seem to be sent by
> > radiator but they don't seem to be received / understood by the Cisco kit as
> > the logged in user is not put into the appropriate vlan (61) (I have
> > tried this sent as ascii too)
> >
> > The Cisco documentation for this URT product suggests adding a Radius
> > attribute of VTPDomainName\VLANName;VTPDomainName\VLANName;
> > It also suggests that this should be attribute 24 - rather than the 94
> > that keeps popping up in the log
> > {cisco url for those really interested !
> > http://www.cisco.com/en/US/customer/products/sw/secursw/ps2136/
> > products_white_paper09186a00800c933f.shtml
> > }
> >
> > Is adding attributes to the dictionary merely a matter of editing and
> > restarting ?
> >
> > Any help gratefully received.
> >
> > Thanks
> > Ed Spick
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Network Support
> > S.O.A.S
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > =========================================
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
>NB:
>
>Have you read the reference manual ("doc/ref.html")?
>Have you searched the mailing list archive
>(www.open.com.au/archives/radiator)?
>Have you had a quick look on Google (www.google.com)?
>Have you included a copy of your configuration file (no secrets),
>together with a trace 4 debug showing what is happening?
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
>-
>CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>--
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on radiator-announce at open.com.au
>To unsubscribe, email 'majordomo at open.com.au' with
>'unsubscribe radiator' in the body of the message.
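Added example, not code from the post, from Radiator or from Cisco: a small RFC 2865 attribute parser run over the two hex dumps copied from the Radiator trace above (the Access-Accept Radiator sent, and the Accounting-Request Start the VPS sent back). It makes the wire layout visible without relying on the dictionary: the Access-Accept carries Vlan-Association as a bare top-level attribute type 92 whose value starts with a 0x00 byte, not inside a Vendor-Specific (26) wrapper, while the VLAN string the VPS itself sends for the current VLAN is a Vendor-Specific attribute whose whole value is the ASCII text SOAS\urt-logon. Read with the standard vendor-id / vendor-type / vendor-length layout, those bytes give vendor 1397702995 (the big-endian integer of "SOAS"), type 92 (the backslash) and length 117 (the letter "u"), which is exactly the vendor/attribute pair the quoted error message names and why Radiator logged the value as rt-logon with the leading "u" consumed. The attribute names in the table are only the standard ones used for readable output.

```python
"""Walk the two RADIUS packet dumps from the trace above byte by byte.

Added example: not code from the post, from Radiator or from Cisco. The
hex below is copied verbatim from the Radiator trace 5 output in the
message; attribute names are the standard RFC 2865/2866 ones and are
only used for readable output.
"""
import struct

# Standard attribute numbers that occur in the two dumps (RFC 2865/2866).
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 9: "Framed-IP-Netmask",
    24: "State", 26: "Vendor-Specific", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 32: "NAS-Identifier", 33: "Proxy-State",
    40: "Acct-Status-Type", 44: "Acct-Session-Id", 61: "NAS-Port-Type",
    87: "NAS-Port-Id",
}

# Access-Accept that Radiator sent to the VPS (copied from the trace).
ACCESS_ACCEPT_HEX = """
02 13 00 32 17 e9 1a cb 1a d1 77 1e 41 8c c7 e3
d8 2a c2 1b 5c 0e 00 53 4f 41 53 5c 69 74 64 65
70 74 1a 08 00 66 61 6c 73 65 18 08 00 66 61 6c
73 65
"""

# Accounting-Request (Start) that the VPS sent to Radiator (copied from the trace).
ACCT_START_HEX = """
04 13 00 a3 4d 3c ff 67 a6 ab 08 a8 78 ec 77 5e
0d 7d 90 c0 28 06 00 00 00 01 1f 10 31 30 2e 32
35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
73 74 31
"""


def parse_packet(hex_dump):
    """Split a RADIUS packet into (code, identifier, [(type, value), ...]).

    Checks the length field against the bytes supplied and refuses any
    attribute whose length would run past the end of the packet.
    """
    data = bytes.fromhex("".join(hex_dump.split()))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field says {length}, got {len(data)} bytes")
    attrs = []
    pos = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def decode_vsa(value):
    """Read an attribute 26 value with the RFC 2865 Vendor-Specific layout:
    4-byte vendor id, then vendor type, vendor length and vendor data."""
    if len(value) < 6:
        raise ValueError("too short for vendor-id + vendor-type + vendor-length")
    vendor_id = int.from_bytes(value[:4], "big")
    return vendor_id, value[4], value[5], value[6:]


def first_attr(attrs, atype):
    """Value of the first attribute of the given type, or None if absent."""
    return next((v for t, v in attrs if t == atype), None)


def vlan_report():
    """Collect what both dumps say about the VLAN attribute, in each direction."""
    _, _, accept = parse_packet(ACCESS_ACCEPT_HEX)
    _, _, acct = parse_packet(ACCT_START_HEX)
    vsa_raw = first_attr(acct, 26)
    vendor_id, vtype, vlen, vdata = decode_vsa(vsa_raw)
    return {
        # What Radiator put on the wire: top-level attribute types, in order.
        "accept_types": [t for t, _ in accept],
        "accept_attr92": first_attr(accept, 92),
        # What the VPS itself sends for the current VLAN: plain text in attr 26.
        "acct_vsa_raw": vsa_raw,
        # The same bytes read as a standard VSA header.
        "acct_vsa_as_rfc2865": (vendor_id, vtype, vlen, vdata),
        "vendor_id_as_text": vsa_raw[:4].decode("ascii"),
    }


if __name__ == "__main__":
    for key, val in vlan_report().items():
        print(f"{key}: {val!r}")
    print("Accounting-Request attributes:")
    for atype, val in parse_packet(ACCT_START_HEX)[2]:
        print(f"  {ATTR_NAMES.get(atype, atype)}: {val!r}")
```

The parser validates the length field and each attribute length before slicing, so a malformed dump fails loudly rather than yielding a misread attribute. Comparing the two directions this way is the check worth making whenever a device logs "attribute N (vendor V) is not defined": decode the raw bytes of what the device sends and compare them with what the server puts in its reply, instead of trusting the dictionary's names.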