(RADIATOR) Anyone using Cisco URT ?
Hugh Irvine
hugh at open.com.au
Thu Jan 13 22:12:12 CST 2005
Hello Ed -
Thanks for sending all of this information.
I must confess I am quite confused by what you have sent.
The dictionary definitions you show below are inconsistent at best, and
the vendor-specific is probably wrong.
I know the initial debug was showing an error with an unknown attribute
- but it also showed a completely broken vendor-specific (there is no
vendor '1397702995') so this indicates a bug in the NAS software.
I also don't see definitions in the standard dictionary for these
attributes and the encoding shown in the debug is very strange.
Allow-Multiple-Users = false,
Logon-User-Only = false
So in summary it looks like a combination of errors, both in the NAS
software and in the reply attributes.
regards
Hugh
On 14 Jan 2005, at 00:28, Ed Spick wrote:
> Hi Hugh,
>
> I have run both radiator and the Cisco vps at trace 5 - it looks like
> the vps is receiving a null string for the vlan-association from
> radiator - in my config it should have been sent itdept as the vlan
> associations - not sure what this attribute should be sent as - string
> or integer - any thoughts ?
>
> cheers
> ed
>
> In my test setup
>
> The Cisco vps1 is 172.16.0.5 - appears in log as Called-Station-Id
> The test switch is 172.16.1.11 - appears in log as NAS-IP-Address
> The vlan that the pc begins in is called urt-logon (10.254.254.0/24)
> and the test pc picked up 10.254.254.177 in it, after authentication I
> want it to be switched to another vlan called itdept
>
> added to dictionary :
>
> ATTRIBUTE Vlan-Association 92 string
> # Vendor-attrib for Cisco urt ?
> VENDORATTR 1397702995 Vlan-association 92 string
>
>
> Radiator Config :
>
> LogDir /var/log/radiator
> DbDir /usr/local/radiator/Radiator-3.11
> Trace 5
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> # vpses for Dynamic Ports
> # vps1.soas.ac.uk
> <Client 172.16.0.5>
> Secret xxxxxxxxxxxxxxxx
> Identifier SOAS-URT
> NasType Cisco
> SNMPCommunity xxxxxxxxxx
> DupInterval 2
> </Client>
> # vps1.soas.ac.uk
> <Client 172.16.5.253>
> Secret xxxxxxxxxxxxxxxx
> Identifier SOAS-URT
> NasType Cisco
> SNMPCommunity xxxxxxxxxx
> DupInterval 2
> </Client>
>
> <Handler Client-Identifier=SOAS-URT>
> # Strip the realm from the uid before looking for authentication
> RewriteUsername s/^([^@]+).*/$1/
> # Limit all users in this realm to max of 1 session
> MaxSessions 1
> <AuthBy FILE>
> Filename /usr/local/radiator/etc/vlanusers
> </AuthBy>
> AcctLogFileName %L/logfile
> PasswordLogFileName %L/logfile
> </Handler>
>
> /usr/local/radiator/etc/vlanusers
>
> test1 User-Password = "xxxxxxxxx"
> Vlan-Association = SOAS\itdept,
> Allow-Multiple-Users = false,
> Logon-User-Only = false
>
> Radiator - Logfile
>
> Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
> *** Received from 172.16.0.5 port 1242 ....
>
> Packet length = 106
> 01 13 00 6a df dd 96 db 0b 79 ee 5c 57 66 f6 ba
> 13 64 f0 5e 20 10 30 30 30 36 2e 35 62 61 63 2e
> 64 61 39 31 04 0d 31 37 32 2e 31 36 2e 31 2e 31
> 31 57 08 46 61 30 2f 32 30 1e 0c 31 37 32 2e 31
> 36 2e 30 2e 35 3d 06 00 00 00 05 05 06 00 a9 5f
> 74 01 07 74 65 73 74 31 02 12 2f 3b b5 90 44 9e
> c1 45 b4 b2 8f 6c 36 d3 28 37
> Code: Access-Request
> Identifier: 19
> Authentic: <223><221><150><219><11>y<238>\Wf<246><186><19>d<240>^
> Attributes:
> NAS-Identifier = "0006.5bac.da91"
> NAS-IP-Address = UNKNOWN
> NAS-Port-Id = "Fa0/20"
> Called-Station-Id = "172.16.0.5"
> NAS-Port-Type = Virtual
> NAS-Port = 11100020
> User-Name = "test1"
> User-Password =
> "/;<181><144>D<158><193>E<180><178><143>l6<211>(7"
>
> Thu Jan 13 17:42:59 2005: DEBUG: Handling request with Handler
> 'Client-Identifier=SOAS-URT'
> Thu Jan 13 17:42:59 2005: DEBUG: Rewrote user name to test1
> Thu Jan 13 17:42:59 2005: DEBUG: Deleting session for test1,
> UNKNOWN, 11100020
> Thu Jan 13 17:42:59 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jan 13 17:42:59 2005: DEBUG: Radius::AuthFILE looks for match
> with test1
> Thu Jan 13 17:42:59 2005:1105638179:test1:xxxxxxxx:xxxxxxxx:PASS
> Thu Jan 13 17:42:59 2005: DEBUG: Radius::AuthFILE ACCEPT:
> Thu Jan 13 17:42:59 2005: DEBUG: Access accepted for test1
> Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
> *** Sending to 172.16.0.5 port 1242 ....
>
> Packet length = 50
> 02 13 00 32 17 e9 1a cb 1a d1 77 1e 41 8c c7 e3
> d8 2a c2 1b 5c 0e 00 53 4f 41 53 5c 69 74 64 65
> 70 74 1a 08 00 66 61 6c 73 65 18 08 00 66 61 6c
> 73 65
> Code: Access-Accept
> Identifier: 19
> Authentic: <223><221><150><219><11>y<238>\Wf<246><186><19>d<240>^
> Attributes:
> Vlan-Association = SOAS\itdept
> Allow-Multiple-Users = false
> Logon-User-Only = false
>
> Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
> *** Received from 172.16.0.5 port 1243 ....
>
> Packet length = 163
> 04 13 00 a3 4d 3c ff 67 a6 ab 08 a8 78 ec 77 5e
> 0d 7d 90 c0 28 06 00 00 00 01 1f 10 31 30 2e 32
> 35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
> 2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
> 21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
> ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
> 32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
> 72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
> 00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
> 30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
> 73 74 31
> Code: Accounting-Request
> Identifier: 19
> Authentic: M<<255>g<166><171><8><168>x<236>w^<13>}<144><192>
> Attributes:
> Acct-Status-Type = Start
> Calling-Station-Id = "10.254.254.177"
> NAS-Identifier = "0006.5bac.da91"
> Framed-IP-Netmask = 255.255.255.0
> Proxy-State = 10.254.254.1
> NAS-IP-Address = 172.16.1.11
> NAS-Port-Id = "Fa0/20"
> Called-Station-Id = "172.16.0.5"
> Vlan-association = rt-logon
> NAS-Port-Type = Virtual
> NAS-Port = 11100020
> Acct-Session-Id = "181340460006.5bac.da91"
> User-Name = "test1"
>
> Thu Jan 13 17:42:59 2005: DEBUG: Handling request with Handler
> 'Client-Identifier=SOAS-URT'
> Thu Jan 13 17:42:59 2005: DEBUG: Rewrote user name to test1
> Thu Jan 13 17:42:59 2005
> Acct-Status-Type = Start
> Calling-Station-Id = "10.254.254.177"
> NAS-Identifier = "0006.5bac.da91"
> Framed-IP-Netmask = 255.255.255.0
> Proxy-State = 10.254.254.1
> NAS-IP-Address = 172.16.1.11
> NAS-Port-Id = "Fa0/20"
> Called-Station-Id = "172.16.0.5"
> Vlan-association = rt-logon
> NAS-Port-Type = Virtual
> NAS-Port = 11100020
> Acct-Session-Id = "181340460006.5bac.da91"
> User-Name = "test1"
> Timestamp = 1105638179
>
> Thu Jan 13 17:42:59 2005: DEBUG: Adding session for test1,
> 172.16.1.11, 11100020
> Thu Jan 13 17:42:59 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Jan 13 17:42:59 2005: DEBUG: Accounting accepted
> Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
> *** Sending to 172.16.0.5 port 1243 ....
>
> Packet length = 34
> 05 13 00 22 3e ba 3d 5b e4 bd fb 09 b1 15 0c 45
> 20 c6 31 db 21 0e 31 30 2e 32 35 34 2e 32 35 34
> 2e 31
> Code: Accounting-Response
> Identifier: 19
> Authentic: M<<255>g<166><171><8><168>x<236>w^<13>}<144><192>
> Attributes:
> Proxy-State = 10.254.254.1
>
> Thu Jan 13 17:43:00 2005: DEBUG: Packet dump:
> *** Received from 172.16.0.5 port 1244 ....
>
> Packet length = 163
> 04 13 00 a3 f8 5f 41 68 22 46 1d 7c e5 4c fc e8
> 80 93 8f 9f 28 06 00 00 00 02 1f 10 31 30 2e 32
> 35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
> 2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
> 21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
> ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
> 32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
> 72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
> 00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
> 30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
> 73 74 31
> Code: Accounting-Request
> Identifier: 19
> Authentic: <248>_Ah"F<29>|<229>L<252><232><128><147><143><159>
> Attributes:
> Acct-Status-Type = Stop
> Calling-Station-Id = "10.254.254.177"
> NAS-Identifier = "0006.5bac.da91"
> Framed-IP-Netmask = 255.255.255.0
> Proxy-State = 10.254.254.1
> NAS-IP-Address = 172.16.1.11
> NAS-Port-Id = "Fa0/20"
> Called-Station-Id = "172.16.0.5"
> Vlan-association = rt-logon
> NAS-Port-Type = Virtual
> NAS-Port = 11100020
> Acct-Session-Id = "181340460006.5bac.da91"
> User-Name = "test1"
>
> Thu Jan 13 17:43:00 2005: INFO: Duplicate request id 19 received from
> 172.16.0.5(1244): ignored
>
>
> Debugging output from the Cisco VPS-1 (172.16.0.5) for the same
> session :
>
> Thu Jan 13 17:42:58 GMT 2005 TRACE:(UrtClientTask) Received client
> packet> (SECURITY_PACKET_DH): {VERSION = 1} {IP = 10.254.254.177}
> {Port = 1298} {MAC = 0006.5bac.da91} {Data = 199}
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Found MAC Address
> in cache: 0006.5bac.da91
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending
> (SECURITY_PACKET_AUTH): {IP = 10.254.254.177} {Port = 1298} {XID =
> 0006.5bac.da91} {Data = 199}
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Received client
> packet> (SECURITY_PACKET_PMSG): {VERSION = 1} {IP = 10.254.254.177}
> {Port = 1298} {MAC = 0006.5bac.da91} {Data = 3}
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending
> (SECURITY_PACKET_PMSG): {IP = 10.254.254.177} {Port = 1298} {XID =
> 0006.5bac.da91} {Data = 0}
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Received client
> packet> (SECURITY_PACKET_LOGON): {VERSION = 1} {IP = 10.254.254.177}
> {Port = 1298} {MAC = 0006.5bac.da91} {Data = 2099}
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Decrypted client
> packet> (USER_LOGON): {VERSION = 1} {IP = 10.254.254.177} {Port =
> 1298} {XID = 181340460006.5bac.da91} {SID = 181340460006.5bac.da91}
> {MAC = 0006.5bac.da91} {User = SOAS-URT\test1} {Password = XXX} {Old
> IP = 10.254.254.177} {Subnet = 255.255.255.0} {Gateway = 10.254.254.1}
> {Data = 2099}
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Found MAC Address
> in cache: 0006.5bac.da91
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to
> authenticate 'test1' for domain 'SOAS-URT'
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to
> authenticate 'test1' for domain 'SOAS-URT' using RADIUS server:
> 212.219.139.220
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Successfully
> authenticated 'test1' for domain 'SOAS-URT'
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Logon assigned
> VLAN for MAC 0006.5bac.da91 is 'urt-logon' in VTP domain 'SOAS'
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to
> determine assigned associations for 'SOAS-URT\test1' in VTP domain
> 'SOAS'
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) RADIUS returned
> attribute string is:
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) User assigned VLAN
> for MAC 0006.5bac.da91 is 'null' in VTP domain 'SOAS'
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) MAC 0006.5bac.da91
> stays on current VLAN 'urt-logon'
> Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending
> (CONTINUE_ON_SAME_SUBNET): {IP = 10.254.254.177} {Port = 1298} {XID =
> 181340460006.5bac.da91} {Data = 1}
> Thu Jan 13 17:43:00 GMT 2005 TRACE:(UrtClientTask) Received client
> packet> (SECURITY_PACKET_ENCRYPT): {VERSION = 1} {IP = 10.254.254.177}
> {Port = 1299} {MAC = 0006.5bac.da91} {Data = 2064}
>
>
> At 05:29 13/01/2005, Hugh Irvine wrote:
>
>
> Hello Ed -
>
> It is not clear to me exactly what is happening.
>
> The error message you show below normally occurs when decoding an
> incoming radius request.
>
> You can verify this by looking at a trace 5 debug from Radiator.
>
> The name used in the dictionary is not important as the name gets
> encoded into the attribute number specified in the dictionary
> definition.
>
> Please post the trace 5 debug and a copy of your configuration file (no
> secrets) so we can see what is happening.
>
> You should also have a look at the debug messages on the Cisco to see
> what it thinks is going on.
>
> regards
>
> Hugh
>
>
> On 12 Jan 2005, at 20:52, Ed Spick wrote:
>
> > Hail Radiators,
> >
> > We are using a pre-802.1x Cisco dynamic vlan assignment product called
> > User Registration Tool (URT). This allows you to use dynamically
> > assigned vlans on switches such as the cat3500XL series (which can't
> > do 802.1x). Currently we use this in an ethernet address to vlan type
> > of association, however it can be configured as a proxy to take
> > authentication from ldap/radius. I have set up my clients suitably and
> > I am using a flat user file first off, however when my test user
> > authenticates I get error messages in my radiator log :
> >
> > Wed Jan 12 14:01:57 2005: ERR: Attribute number 92 (vendor 1397702995)
> > is not defined in your dictionary
> >
> > I need to reply the vtp domain and vlan name to the URT system and
> > have tried using one similar to the 802.1x examples I have found
> > elsewhere on the mail list :
> >
> > test1 User-Password = "linotype"
> > Tunnel-Type=1:VLAN,
> > Tunnel-Medium-Type=1:Ether_802,
> > Tunnel-Private-Group-ID=1:61
> >
> > The log shows that these vlan reply attributes do seem to be sent by
> > radiator but they don't seem received / understood by the Cisco kit as
> > the logged in user is not put into the appropriate vlan (61) (I have
> > tried this sent as ascii too)
> >
> > The Cisco documentation for this URT product suggests adding a Radius
> > attribute of VTPDomainName\VLANName;VTPDomainName\VLANName;
> > It also suggests that this should be attribute 24 - rather than the 94
> > that keeps popping up in the log
> > {cisco url for those really interested !
> > http://www.cisco.com/en/US/customer/products/sw/secursw/ps2136/
> > products_white_paper09186a00800c933f.shtml
> > }
> >
> > Is adding attributes to the dictionary merely a matter of editing and
> > restarting ?
> >
> > Any help gratefully received.
> >
> > Thanks
> > Ed Spick
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Network Support
> > S.O.A.S
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > =========================================
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
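The vendor-specific problem Hugh points at can be checked directly against the two hex dumps in the trace above. What follows is an added worked example, written for this archive page; it is not Radiator's, Cisco's or either poster's code. It is a minimal RFC 2865 attribute decoder fed the Access-Accept and the Accounting-Request Start exactly as dumped (the hex strings are copied from the trace; the function names, the strict/lenient switch and build_vsa are my own). Decoding the attribute 26 the VPS sends shows that "vendor" 1397702995 is 0x534F4153, the ASCII bytes "SOAS": the VPS has put the plain string "SOAS\urt-logon" into Vendor-Specific with no Vendor-Id/Vendor-Type/Vendor-Length header, so a decoder takes "SOAS" as the vendor id, the backslash (0x5c) as vendor type 92, the "u" (0x75) as vendor length 117, and is left with "rt-logon" as the value, which is exactly the dictionary error and the truncated value in the log. The same decoder shows what the reply looked like on the wire: a bare attribute 92, a bare attribute 26 with no vendor header, and attribute 24 (State), each with a leading NUL byte.

```python
"""Decode the two RADIUS packets quoted in the trace above with a minimal
RFC 2865 attribute parser, to show where Radiator's
"Attribute number 92 (vendor 1397702995)" error comes from."""
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

# Hex dumps copied verbatim from the Radiator trace 5 output in this thread.
ACCESS_ACCEPT_HEX = """
02 13 00 32 17 e9 1a cb 1a d1 77 1e 41 8c c7 e3
d8 2a c2 1b 5c 0e 00 53 4f 41 53 5c 69 74 64 65
70 74 1a 08 00 66 61 6c 73 65 18 08 00 66 61 6c
73 65
"""
ACCT_START_HEX = """
04 13 00 a3 4d 3c ff 67 a6 ab 08 a8 78 ec 77 5e
0d 7d 90 c0 28 06 00 00 00 01 1f 10 31 30 2e 32
35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
73 74 31
"""


def from_hex_dump(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Every length byte comes from the NAS, so it is checked against the
    buffer before use; a decoder that trusts it reads past the packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def parse_vsa(payload: bytes, strict: bool = True) -> dict:
    """Split a Vendor-Specific payload into Vendor-Id (4 bytes), Vendor-Type,
    Vendor-Length and sub-value. strict=False ignores a Vendor-Length that
    does not fit and returns everything after the six header bytes, which
    is how the trace above ends up printing 'rt-logon'."""
    if len(payload) < 6:
        raise ValueError("Vendor-Specific payload shorter than 6 bytes")
    vendor_id = struct.unpack("!I", payload[:4])[0]
    vtype, vlen = payload[4], payload[5]
    if strict and (vlen < 2 or 4 + vlen > len(payload)):
        raise ValueError(f"Vendor-Length {vlen} does not fit a {len(payload)}-byte payload")
    end = 4 + vlen if strict else len(payload)
    return {"vendor_id": vendor_id, "vendor_type": vtype,
            "vendor_length": vlen, "value": payload[6:end]}


def vendor_id_as_ascii(vendor_id: int) -> str:
    """The four big-endian bytes of the id as text: 1397702995 -> 'SOAS'."""
    return struct.pack("!I", vendor_id).decode("ascii", errors="replace")


def build_attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """A well-formed Vendor-Specific attribute, for contrast with the bare
    string the VPS puts into attribute 26."""
    if len(value) > 247:
        raise ValueError("vendor value longer than 247 bytes")
    sub = bytes([vtype, len(value) + 2]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def urt_vsa_from_trace():
    """Attribute 26 as the VPS sent it in the Accounting-Request: raw and decoded leniently."""
    _, _, _, attrs = parse_packet(from_hex_dump(ACCT_START_HEX))
    raw = next(v for t, v in attrs if t == VENDOR_SPECIFIC)
    return raw, parse_vsa(raw, strict=False)


if __name__ == "__main__":
    _, ident, _, attrs = parse_packet(from_hex_dump(ACCESS_ACCEPT_HEX))
    print(f"Access-Accept id={ident}:", ", ".join(f"{t}={v!r}" for t, v in attrs))
    raw, vsa = urt_vsa_from_trace()
    print(f"attr 26 payload {raw!r} -> vendor {vsa['vendor_id']} "
          f"({vendor_id_as_ascii(vsa['vendor_id'])!r}) type {vsa['vendor_type']} "
          f"len {vsa['vendor_length']} value {vsa['value']!r}")
    try:
        parse_vsa(raw)
    except ValueError as err:
        print("strict decoder rejects it:", err)
    print("well-formed VSA, same vendor id:",
          build_vsa(vsa["vendor_id"], 92, b"SOAS\\itdept").hex(" "))
```

Run it as a script to see both decodes side by side. The strict path is the one to keep in anything that parses RADIUS from a NAS you do not control: a Vendor-Length taken on trust indexes past the payload, and the lenient path exists here only to reproduce what the trace printed.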