(RADIATOR) Anyone using Cisco URT ?

Hugh Irvine hugh at open.com.au
Thu Jan 13 23:46:14 CST 2005


Hello Ed -

Further to this, here is the attribute that is received:

  ......1a 10 53 4f 41 53 5c 75
  72 74 2d 6c 6f 67 6f 6e ....

1a = 26 = vendor specific

10 = 16 = length

what should follow is 4 octets of vendor number, followed by a 1 octet 
attribute number, followed by a 1 octet length, followed by the data

however it appears that what follows is just a string

  ...... 53 4f 41 53 5c 75
  72 74 2d 6c 6f 67 6f 6e

As mentioned previously this is certainly a NAS bug.

regards

Hugh


On 14 Jan 2005, at 00:28, Ed Spick wrote:

>  Hi Hugh,
>
>  I have run both radiator and the Cisco vps at trace 5 - it looks like 
> the vps is receiving a null string for the vlan-association from 
> radiator - in my config it should have been sent itdept as the vlan 
> associations - not sure what this attribute should be sent as - string 
> or integer - any thoughts ?
>
>  cheers
>  ed
>
>  In my test setup
>
>  The Cisco vps1 is 172.16.0.5 - appears in log as Called-Station-Id
> The test switch is 172.16.1.11 - appears in log as NAS-IP-Address
> The vlan that the pc begins in is called urt-logon (10.254.254.0/24) 
> and the test pc picked up 10.254.254.177 in it; after authentication I 
> want it to be switched to another vlan called itdept
>
> added to dictionary :
>
> ATTRIBUTE       Vlan-Association                92      string
>  # Vendor-attrib for Cisco urt ?
>  VENDORATTR      1397702995      Vlan-association        92      string
>
>
> Radiator Config :
>
> LogDir          /var/log/radiator
>  DbDir           /usr/local/radiator/Radiator-3.11
>  Trace           5
>  AuthPort        1645,1812
>  AcctPort        1646,1813
>
>  # vpses for Dynamic Ports
>  # vps1.soas.ac.uk
>  <Client 172.16.0.5>
>          Secret xxxxxxxxxxxxxxxx
>          Identifier      SOAS-URT
>          NasType         Cisco
>          SNMPCommunity   xxxxxxxxxx
>          DupInterval 2
>  </Client>
>  # vps1.soas.ac.uk
>  <Client 172.16.5.253>
>          Secret xxxxxxxxxxxxxxxx
>          Identifier      SOAS-URT
>          NasType        Cisco
>          SNMPCommunity   xxxxxxxxxx
>          DupInterval 2
>  </Client>
>
>  <Handler Client-Identifier=SOAS-URT>
>  # Strip the realm from the uid before looking for authentication
>  RewriteUsername s/^([^@]+).*/$1/
>  # Limit all users in this realm to max of 1 session
>  MaxSessions 1
>          <AuthBy FILE>
>                  Filename /usr/local/radiator/etc/vlanusers
>          </AuthBy>
>          AcctLogFileName %L/logfile
>          PasswordLogFileName %L/logfile
>  </Handler>
>
> /usr/local/radiator/etc/vlanusers
>
> test1   User-Password = "xxxxxxxxx"
>          Vlan-Association = SOAS\itdept,
>          Allow-Multiple-Users = false,
>          Logon-User-Only = false
>
> Radiator - Logfile
>
> Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
>  *** Received from 172.16.0.5 port 1242 ....
>
>  Packet length = 106
>  01 13 00 6a df dd 96 db 0b 79 ee 5c 57 66 f6 ba
>  13 64 f0 5e 20 10 30 30 30 36 2e 35 62 61 63 2e
>  64 61 39 31 04 0d 31 37 32 2e 31 36 2e 31 2e 31
>  31 57 08 46 61 30 2f 32 30 1e 0c 31 37 32 2e 31
>  36 2e 30 2e 35 3d 06 00 00 00 05 05 06 00 a9 5f
>  74 01 07 74 65 73 74 31 02 12 2f 3b b5 90 44 9e
>  c1 45 b4 b2 8f 6c 36 d3 28 37
>  Code:       Access-Request
>  Identifier: 19
>  Authentic:  <223><221><150><219><11>y<238>\Wf<246><186><19>d<240>^
>  Attributes:
>          NAS-Identifier = "0006.5bac.da91"
>          NAS-IP-Address = UNKNOWN
>          NAS-Port-Id = "Fa0/20"
>          Called-Station-Id = "172.16.0.5"
>          NAS-Port-Type = Virtual
>          NAS-Port = 11100020
>          User-Name = "test1"
>          User-Password = 
> "/;<181><144>D<158><193>E<180><178><143>l6<211>(7"
>
>  Thu Jan 13 17:42:59 2005: DEBUG: Handling request with Handler 
> 'Client-Identifier=SOAS-URT'
>  Thu Jan 13 17:42:59 2005: DEBUG: Rewrote user name to test1
>  Thu Jan 13 17:42:59 2005: DEBUG:  Deleting session for test1, 
> UNKNOWN, 11100020
>  Thu Jan 13 17:42:59 2005: DEBUG: Handling with Radius::AuthFILE:
>  Thu Jan 13 17:42:59 2005: DEBUG: Radius::AuthFILE looks for match 
> with test1
>  Thu Jan 13 17:42:59 2005:1105638179:test1:xxxxxxxx:xxxxxxxx:PASS
>  Thu Jan 13 17:42:59 2005: DEBUG: Radius::AuthFILE ACCEPT:
>  Thu Jan 13 17:42:59 2005: DEBUG: Access accepted for test1
>  Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
>  *** Sending to 172.16.0.5 port 1242 ....
>
>  Packet length = 50
>  02 13 00 32 17 e9 1a cb 1a d1 77 1e 41 8c c7 e3
>  d8 2a c2 1b 5c 0e 00 53 4f 41 53 5c 69 74 64 65
>  70 74 1a 08 00 66 61 6c 73 65 18 08 00 66 61 6c
>  73 65
>  Code:       Access-Accept
>  Identifier: 19
>  Authentic:  <223><221><150><219><11>y<238>\Wf<246><186><19>d<240>^
>  Attributes:
>          Vlan-Association = SOAS\itdept
>          Allow-Multiple-Users = false
>          Logon-User-Only = false
>
>  Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
>  *** Received from 172.16.0.5 port 1243 ....
>
>  Packet length = 163
>  04 13 00 a3 4d 3c ff 67 a6 ab 08 a8 78 ec 77 5e
>  0d 7d 90 c0 28 06 00 00 00 01 1f 10 31 30 2e 32
>  35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
>  2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
>  21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
>  ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
>  32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
>  72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
>  00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
>  30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
>  73 74 31
>  Code:       Accounting-Request
>  Identifier: 19
>  Authentic:  M<<255>g<166><171><8><168>x<236>w^<13>}<144><192>
>  Attributes:
>          Acct-Status-Type = Start
>          Calling-Station-Id = "10.254.254.177"
>          NAS-Identifier = "0006.5bac.da91"
>          Framed-IP-Netmask = 255.255.255.0
>          Proxy-State = 10.254.254.1
>          NAS-IP-Address = 172.16.1.11
>          NAS-Port-Id = "Fa0/20"
>          Called-Station-Id = "172.16.0.5"
>          Vlan-association = rt-logon
>          NAS-Port-Type = Virtual
>          NAS-Port = 11100020
>          Acct-Session-Id = "181340460006.5bac.da91"
>          User-Name = "test1"
>
>  Thu Jan 13 17:42:59 2005: DEBUG: Handling request with Handler 
> 'Client-Identifier=SOAS-URT'
>  Thu Jan 13 17:42:59 2005: DEBUG: Rewrote user name to test1
>  Thu Jan 13 17:42:59 2005
>          Acct-Status-Type = Start
>          Calling-Station-Id = "10.254.254.177"
>          NAS-Identifier = "0006.5bac.da91"
>          Framed-IP-Netmask = 255.255.255.0
>          Proxy-State = 10.254.254.1
>          NAS-IP-Address = 172.16.1.11
>          NAS-Port-Id = "Fa0/20"
>          Called-Station-Id = "172.16.0.5"
>          Vlan-association = rt-logon
>          NAS-Port-Type = Virtual
>          NAS-Port = 11100020
>          Acct-Session-Id = "181340460006.5bac.da91"
>          User-Name = "test1"
>          Timestamp = 1105638179
>
>  Thu Jan 13 17:42:59 2005: DEBUG:  Adding session for test1, 
> 172.16.1.11, 11100020
>  Thu Jan 13 17:42:59 2005: DEBUG: Handling with Radius::AuthFILE:
>  Thu Jan 13 17:42:59 2005: DEBUG: Accounting accepted
>  Thu Jan 13 17:42:59 2005: DEBUG: Packet dump:
>  *** Sending to 172.16.0.5 port 1243 ....
>
>  Packet length = 34
>  05 13 00 22 3e ba 3d 5b e4 bd fb 09 b1 15 0c 45
>  20 c6 31 db 21 0e 31 30 2e 32 35 34 2e 32 35 34
>  2e 31
>  Code:       Accounting-Response
>  Identifier: 19
>  Authentic:  M<<255>g<166><171><8><168>x<236>w^<13>}<144><192>
>  Attributes:
>          Proxy-State = 10.254.254.1
>
>  Thu Jan 13 17:43:00 2005: DEBUG: Packet dump:
>  *** Received from 172.16.0.5 port 1244 ....
>
>  Packet length = 163
>  04 13 00 a3 f8 5f 41 68 22 46 1d 7c e5 4c fc e8
>  80 93 8f 9f 28 06 00 00 00 02 1f 10 31 30 2e 32
>  35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36
>  2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00
>  21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06
>  ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37
>  32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75
>  72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06
>  00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30
>  30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65
>  73 74 31
>  Code:       Accounting-Request
>  Identifier: 19
>  Authentic:  <248>_Ah"F<29>|<229>L<252><232><128><147><143><159>
>  Attributes:
>          Acct-Status-Type = Stop
>          Calling-Station-Id = "10.254.254.177"
>          NAS-Identifier = "0006.5bac.da91"
>          Framed-IP-Netmask = 255.255.255.0
>          Proxy-State = 10.254.254.1
>          NAS-IP-Address = 172.16.1.11
>          NAS-Port-Id = "Fa0/20"
>          Called-Station-Id = "172.16.0.5"
>          Vlan-association = rt-logon
>          NAS-Port-Type = Virtual
>          NAS-Port = 11100020
>          Acct-Session-Id = "181340460006.5bac.da91"
>          User-Name = "test1"
>
>  Thu Jan 13 17:43:00 2005: INFO: Duplicate request id 19 received from 
> 172.16.0.5(1244): ignored
>
>
> Debugging output from the Cisco VPS-1 (172.16.0.5) for the same 
> session :
>
> Thu Jan 13 17:42:58 GMT 2005 TRACE:(UrtClientTask) Received client 
> packet> (SECURITY_PACKET_DH): {VERSION = 1} {IP = 10.254.254.177} 
> {Port = 1298} {MAC = 0006.5bac.da91} {Data = 199}
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Found MAC Address 
> in cache: 0006.5bac.da91
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending 
> (SECURITY_PACKET_AUTH): {IP = 10.254.254.177} {Port = 1298} {XID = 
> 0006.5bac.da91} {Data = 199}
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Received client 
> packet> (SECURITY_PACKET_PMSG): {VERSION = 1} {IP = 10.254.254.177} 
> {Port = 1298} {MAC = 0006.5bac.da91} {Data = 3}
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending 
> (SECURITY_PACKET_PMSG): {IP = 10.254.254.177} {Port = 1298} {XID = 
> 0006.5bac.da91} {Data = 0}
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Received client 
> packet> (SECURITY_PACKET_LOGON): {VERSION = 1} {IP = 10.254.254.177} 
> {Port = 1298} {MAC = 0006.5bac.da91} {Data = 2099}
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Decrypted client 
> packet> (USER_LOGON): {VERSION = 1} {IP = 10.254.254.177} {Port = 
> 1298} {XID = 181340460006.5bac.da91} {SID = 181340460006.5bac.da91} 
> {MAC = 0006.5bac.da91} {User = SOAS-URT\test1} {Password = XXX} {Old 
> IP = 10.254.254.177} {Subnet = 255.255.255.0} {Gateway = 10.254.254.1} 
> {Data = 2099}
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Found MAC Address 
> in cache: 0006.5bac.da91
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to 
> authenticate 'test1' for domain 'SOAS-URT'
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to 
> authenticate 'test1' for domain 'SOAS-URT' using RADIUS server: 
> 212.219.139.220
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Successfully 
> authenticated 'test1' for domain 'SOAS-URT'
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Logon assigned 
> VLAN for MAC 0006.5bac.da91 is 'urt-logon' in VTP domain 'SOAS'
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) Attempting to 
> determine assigned associations for 'SOAS-URT\test1' in VTP domain 
> 'SOAS'
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) RADIUS returned 
> attribute string is:
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) User assigned VLAN 
> for MAC 0006.5bac.da91 is 'null' in VTP domain 'SOAS'
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientTask) MAC 0006.5bac.da91 
> stays on current VLAN 'urt-logon'
>  Thu Jan 13 17:42:59 GMT 2005 TRACE:(UrtClientPacket) Sending 
> (CONTINUE_ON_SAME_SUBNET): {IP = 10.254.254.177} {Port = 1298} {XID = 
> 181340460006.5bac.da91} {Data = 1}
>  Thu Jan 13 17:43:00 GMT 2005 TRACE:(UrtClientTask) Received client 
> packet> (SECURITY_PACKET_ENCRYPT): {VERSION = 1} {IP = 10.254.254.177} 
> {Port = 1299} {MAC = 0006.5bac.da91} {Data = 2064}
>
>
> At 05:29 13/01/2005, Hugh Irvine wrote:
>
>
> Hello Ed -
>
>  It is not clear to me exactly what is happening.
>
>  The error message you show below normally occurs when decoding an 
>  incoming radius request.
>
>  You can verify this by looking at a trace 5 debug from Radiator.
>
>  The name used in the dictionary is not important as the name gets 
>  encoded into the attribute number specified in the dictionary 
>  definition.
>
>  Please post the trace 5 debug and a copy of your configuration file (no 
>  secrets) so we can see what is happening.
>
>  You should also have a look at the debug messages on the Cisco to see 
>  what it thinks is going on.
>
>  regards
>
>  Hugh
>
>
>  On 12 Jan 2005, at 20:52, Ed Spick wrote:
>
>  > Hail Radiators,
>  >
>  > We are using a pre-802.1x Cisco dynamic vlan assignment product called 
>  > User Registration Tool (URT). This allows you to use dynamically 
>  > assigned vlans on switches such as the cat3500XL series (which can't 
>  > do 802.1x). Currently we use this in an ethernet address to vlan type 
>  > of association, however it can be configured as a proxy to take 
>  > authentication from ldap/radius. I have set up my clients suitably and 
>  > I am using a flat user file first off, however when my test user 
>  > authenticates I get error messages in my radiator log :
>  >
>  > Wed Jan 12 14:01:57 2005: ERR: Attribute number 92 (vendor 1397702995) 
>  > is not defined in your dictionary
>  >
>  > I need to reply the vtp domain and vlan name to the URT system and 
>  > have tried using one similar to the 802.1x examples I have found 
>  > elsewhere on the mail list :
>  >
>  > test1   User-Password = "linotype"
>  >         Tunnel-Type=1:VLAN,
>  >         Tunnel-Medium-Type=1:Ether_802,
>  >         Tunnel-Private-Group-ID=1:61
>  >
>  > The log shows that these vlan reply attributes do seem to be sent by 
>  > radiator but they don't seem to be received / understood by the Cisco kit as 
>  > the logged in user is not put into the appropriate vlan (61) (I have 
>  > tried this sent as ascii too)
>  >
>  > The Cisco documentation for this URT product suggests adding a Radius 
>  > attribute of VTPDomainName\VLANName;VTPDomainName\VLANName;
>  > It also suggests that this should be attribute 24 - rather than the 94 
>  > that keeps popping up in the log
>  > {cisco url for those really interested !
>  > http://www.cisco.com/en/US/customer/products/sw/secursw/ps2136/
>  > products_white_paper09186a00800c933f.shtml
>  > }
>  >
>  > Is adding attributes to the dictionary merely a matter of editing and 
>  > restarting ?
>  >
>  > Any help gratefully received.
>  >
>  > Thanks
>  > Ed Spick
>  > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  > Network Support
>  > S.O.A.S
>  > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  > =========================================
>  >
>  > --
>  > Archive at http://www.open.com.au/archives/radiator/
>  > Announcements on radiator-announce at open.com.au
>  > To unsubscribe, email 'majordomo at open.com.au' with
>  > 'unsubscribe radiator' in the body of the message.
>  >
>  >
>
>  NB:
>
>  Have you read the reference manual ("doc/ref.html")?
>  Have you searched the mailing list archive 
>  (www.open.com.au/archives/radiator)?
>  Have you had a quick look on Google (www.google.com)?
>  Have you included a copy of your configuration file (no secrets),
>  together with a trace 4 debug showing what is happening?
>
>  --
>  Radiator: the most portable, flexible and configurable RADIUS server
>  anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>  -
>  Nets: internetwork inventory and management - graphical, extensible,
>  flexible with hardware, software, platform and database independence.
>  -
>  CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
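
Hugh's octet-by-octet reading of the attribute at the top of this message, worked through in code. This is an added example and not code from the thread, from Radiator or from Cisco URT: it walks the attributes of the Accounting-Request Ed posted, decodes attribute 26 strictly as RFC 2865 lays it out (4-octet Vendor-Id, then vendor-type, vendor-length, data), and beside that reproduces the lenient reading that produced "Vlan-association = rt-logon" in the trace. The function names, and the use of Cisco's IANA enterprise number 9 with a placeholder vendor-type 1 in the encoding demo, are my assumptions; the packet bytes are copied from the trace above.

```python
"""
Added example (not code from this thread, from Radiator or from Cisco URT):
walk the RADIUS attributes of the Accounting-Request posted in the thread
and decode its Vendor-Specific attribute two ways, strictly per RFC 2865
and in the lenient way that yields "vendor 1397702995, attribute 92".
Function names and the vendor 9 / vendor-type 1 demo are assumptions.
"""
import struct
from typing import Iterator, List, Tuple

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

# Copied from the trace in the thread: the 163-byte Accounting-Request
# (Acct-Status-Type = Start) received from 172.16.0.5.
ACCT_START = bytes.fromhex(
    "04 13 00 a3 4d 3c ff 67 a6 ab 08 a8 78 ec 77 5e "
    "0d 7d 90 c0 28 06 00 00 00 01 1f 10 31 30 2e 32 "
    "35 34 2e 32 35 34 2e 31 37 37 20 10 30 30 30 36 "
    "2e 35 62 61 63 2e 64 61 39 31 09 06 ff ff ff 00 "
    "21 0e 31 30 2e 32 35 34 2e 32 35 34 2e 31 04 06 "
    "ac 10 01 0b 57 08 46 61 30 2f 32 30 1e 0c 31 37 "
    "32 2e 31 36 2e 30 2e 35 1a 10 53 4f 41 53 5c 75 "
    "72 74 2d 6c 6f 67 6f 6e 3d 06 00 00 00 05 05 06 "
    "00 a9 5f 74 2c 18 31 38 31 33 34 30 34 36 30 30 "
    "30 36 2e 35 62 61 63 2e 64 61 39 31 01 07 74 65 "
    "73 74 31"
)


def walk_attributes(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each attribute, checking the header Length
    field and every attribute length so a bad length cannot overrun."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field %d" % length)
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def decode_vsa_strict(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """RFC 2865 layout: 4-octet Vendor-Id, then (vendor-type, vendor-length,
    data) sub-attributes whose lengths must fit inside the attribute."""
    if len(value) < 6:
        raise ValueError("VSA too short for a Vendor-Id and one sub-attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("vendor-length %d overruns the VSA (%d octets left)"
                             % (vlen, len(value) - pos))
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def decode_vsa_lenient(value: bytes) -> Tuple[int, int, bytes]:
    """The reading visible in the trace: trust the first four octets as
    Vendor-Id and the fifth as vendor-type, skip the vendor-length octet
    without checking it, and hand back the remainder as the value."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, value[4], value[6:]


def classify_vsa(value: bytes) -> str:
    """'conformant' or 'malformed: <reason>' for a VSA value."""
    try:
        decode_vsa_strict(value)
        return "conformant"
    except ValueError as exc:
        return "malformed: %s" % exc


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Build a conformant Vendor-Specific attribute (type 26) around data."""
    sub = bytes([vendor_type, 2 + len(data)]) + data
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def urt_vsa_from_trace() -> bytes:
    """Value of the one Vendor-Specific attribute in ACCT_START."""
    return next(v for t, v in walk_attributes(ACCT_START) if t == VENDOR_SPECIFIC)


if __name__ == "__main__":
    for atype, value in walk_attributes(ACCT_START):
        print("%3d %r" % (atype, value))
    raw = urt_vsa_from_trace()
    print("strict :", classify_vsa(raw))
    print("lenient:", decode_vsa_lenient(raw))
    # The same string inside a well-formed VSA. Vendor 9 is Cisco's IANA
    # enterprise number; vendor-type 1 is a placeholder, not a URT value.
    print("encoded:", decode_vsa_strict(encode_vsa(9, 1, raw)[2:]))
```

Run as a script it lists the thirteen attributes and then the two readings of the VSA. What it makes visible: 1397702995 is 0x534F4153, the ASCII of "SOAS" (the VTP domain name), and 92 is 0x5C, the backslash. The "vendor" and "attribute number" in the original dictionary error are the first five octets of the string the VPS sent, and the "u" of "urt-logon" (0x75 = 117) is read as a vendor-length that overruns the attribute. The strict decoder rejects the attribute; the lenient one silently returns "rt-logon", which is what the trace shows. A dictionary entry for vendor 1397702995 attribute 92 therefore describes the mis-parse rather than a genuine vendor attribute, and anything that logs or acts on VSAs should use the strict form so an overrunning vendor-length is refused instead of truncated.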


