(RADIATOR) puzzling auth failure

Hugh Irvine hugh at open.com.au
Mon Jun 13 05:26:47 CDT 2005


Hello Tariq -

My first guess would be incorrect shared secrets.

I suggest setting up a test for this NAS with a simple AuthBy FILE  
and a plaintext password so you can see where the problem lies.

BTW - if you are not using DEFAULT entries in your database I  
recommend adding "NoDefault" to your AuthBy clause.

regards

Hugh


On 13 Jun 2005, at 19:18, Tariq Rashid wrote:

>
> hi - we have many lucent stingers which auth to radiator fine and have
> done so for a long time. however we have one which seems to be
> configured exactly as the many others ... but we get auth failures with
> this one (see log below).
>
> if we point the NAS to an old livingston-based server (old C code) the
> auths work fine .. but if we use radiator it fails (versions 3.7 to
> 3.11).
>
> we've had issues before with CHAP which disappear when PAP is
> enforced... but this seems not to be the case here.
>
> we were suspicious that the password fields of the request packet are
> not the required length in bytes according to the RFCs.
>
> any ideas? anyone with similar experiences?
>
> tariq
>
>
> ------------
>
> Fri Jun 10 12:29:26 2005: DEBUG: Packet dump:
> *** Received from 217.206.246.231 port 9142 ....
>
> Packet length = 79
> 01 60 00 4f 23 5b c6 3b 2b 1b 06 72 47 23 56 66
> 02 ab 07 c1 01 19 6d 61 72 63 64 62 6c 40 75 6b
> 6f 6e 6c 69 6e 65 2e 63 6f 2e 75 6b 00 02 10 50
> ad 8d 37 b7 7d 5c 26 5f e4 00 9e 0d 60 04 06 d9
> ce f6 e7 05 06 00 00 00 00 3d 06 00 00 00 05
> Code:       Access-Request
> Identifier: 96
> Authentic:  #[<198>;+<27><6>rG#Vf<2><171><7><193>
> Attributes:
>         User-Name = "marcdbl at ukonline.co.uk"
>         Password = "P<173><141>7<183>}\&_<228><0><158><13>`"
>         NAS-Identifier = "217.206.246.231"
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>
> Fri Jun 10 12:29:26 2005: DEBUG: Rewrote user name to
> marcdbl at ukonline.co.uk
> Fri Jun 10 12:29:26 2005: DEBUG: Rewrote user name to
> marcdbl at ukonline.co.uk
> Fri Jun 10 12:29:26 2005: DEBUG: Rewrote user name to
> marcdbl at ukonline.co.uk
> Fri Jun 10 12:29:26 2005: DEBUG: Rewrote user name to
> marcdbl at ukonline.co.uk
> Fri Jun 10 12:29:26 2005: DEBUG: Rewrote user name to
> marcdbl at ukonline.co.uk
> Fri Jun 10 12:29:26 2005: DEBUG: Handling request with Handler
> 'Realm=ukonline.co.uk'
> Fri Jun 10 12:29:26 2005: DEBUG: SDB1 Deleting session for
> marcdbl at ukonline.co.uk, 217.206.246.231, 0
> Fri Jun 10 12:29:26 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='217.206.246.231' and ACCTSESSIONID=''':
> Fri Jun 10 12:29:26 2005: DEBUG: Query is: 'select NASIDENTIFIER,
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
> USERNAME='marcdbl at ukonline.co.uk'':
> Fri Jun 10 12:29:26 2005: DEBUG: Handling with Radius::AuthGROUP
> Fri Jun 10 12:29:26 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Jun 10 12:29:26 2005: INFO: Connecting to 212.135.1.207, port 389
> Fri Jun 10 12:29:26 2005: INFO: Attempting to bind to LDAP server
> 212.135.1.207:389)
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got result for
> uid=marcdbl at ukonline.co.uk,ou=users,domain=ukonline.co.uk,vip=easynet-uk,o=easynet.net
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got dialAttr: Cisco-AVPair =
> "ip:dns-servers=195.40.1.36 212.135.1.36"
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got dialUserCLI:
> uko-0808:01932560805
> Fri Jun 10 12:29:26 2005: ERR: Bad attribute=value pair:
> uko-0808:01932560805
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got ipAddr: 82.110.142.216
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got ipNetmask: 255.255.255.255
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got protocol: PPP
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got userPassword: *******.*****
> Fri Jun 10 12:29:26 2005: DEBUG: LDAP got services: pstn isdn mail
> dialweb unmetered-dial uk.cdsl dial
> Fri Jun 10 12:29:26 2005: ERR: Bad attribute=value pair:
> pstn,isdn,mail,dialweb,unmetered-dial,uk.cdsl,dial
> Fri Jun 10 12:29:26 2005: DEBUG: POST Search Hook -- Start Processing
> Fri Jun 10 12:29:26 2005: DEBUG: Time of Day Restriction Check
> Fri Jun 10 12:29:26 2005: DEBUG: No time checking done or required
> Fri Jun 10 12:29:26 2005: DEBUG: Timeout -1
> Fri Jun 10 12:29:26 2005: DEBUG: Radius::AuthLDAP2 looks for match  
> with
> marcdbl at ukonline.co.uk
> Fri Jun 10 12:29:26 2005: DEBUG: Radius::AuthLDAP2 REJECT: Bad  
> Password
> Fri Jun 10 12:29:26 2005: INFO: Connecting to 212.135.1.207, port 389
> Fri Jun 10 12:29:26 2005: INFO: Attempting to bind to LDAP server
> 212.135.1.207:389)
> Fri Jun 10 12:29:26 2005: DEBUG: No entries for DEFAULT found in LDAP
> database
> Fri Jun 10 12:29:26 2005: INFO: Access rejected for
> marcdbl at ukonline.co.uk: Bad Password
> Fri Jun 10 12:29:26 2005: DEBUG: Packet dump:
> *** Sending to 217.206.246.231 port 9142 ....
>
> Packet length = 36
> 03 60 00 24 79 5c ff e5 9f 4a 01 dd 07 7f e8 5a
> d3 3f 4c 57 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 96
> Authentic:  #[<198>;+<27><6>rG#Vf<2><171><7><193>
> Attributes:
>         Reply-Message = "Request Denied"
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

