(RADIATOR) Cisco switch (Catalyst 2950)!!! / Mysql ERR!!!
Jhonny Freire de Oliveira
joliveira at nic.ul.pt
Thu May 5 03:48:40 CDT 2005
Hi,
I'm trying to authenticate a Cisco switch (Catalyst 2950) against my RADIUS server (Radiator). Unfortunately, where other clients authenticate with no trouble at all, this one fails...
As you can see in the debugging output that I provide, Radiator behaves in two different ways for the same User-Name. Is this a known issue? Is there any workaround?
I would also like to know why I keep getting the MySQL error that appears in the debugging output.
--> debug from Cisco Catalyst 2950
Wed May 4 18:03:57 2005: DEBUG: Packet dump:
*** Received from 192.168.1.10 port 1812 ....
Code: Access-Request
Identifier: 10
Authentic: <246>'<29>J<241>`Bc1<20>P/<191><254><215>}
Attributes:
NAS-IP-Address = 192.168.1.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "teste at teste.net"
Calling-Station-Id = "192.168.1.120"
User-Password = " xxxxxxxxxxxxxxxxxxxxxxxx"
Wed May 4 18:03:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = ap'
Wed May 4 18:03:57 2005: DEBUG: Deleting session for teste at teste.net, 192.168.1.10, 1
Wed May 4 18:03:57 2005: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='192.168.1.10' and NASPORT=01':
Wed May 4 18:03:57 2005: DEBUG: Handling with Radius::AuthSQL
Wed May 4 18:03:57 2005: DEBUG: Handling with Radius::AuthSQL:
Wed May 4 18:03:57 2005: DEBUG: Query is: 'select SECRET from RADCLIENTLIST where NASIDENTIFIER='teste at teste.net'':
Wed May 4 18:03:57 2005: DEBUG: Radius::AuthSQL looks for match with teste at teste.net
Wed May 4 18:03:57 2005: DEBUG: Query is: 'select SECRET from RADCLIENTLIST where NASIDENTIFIER='DEFAULT'':
Wed May 4 18:03:57 2005: DEBUG: AuthBy SQL result: REJECT, No such user
Wed May 4 18:03:57 2005: INFO: Access rejected for teste at teste.net: No such user
Wed May 4 18:03:57 2005: DEBUG: Packet dump:
*** Sending to 192.168.1.10 port 1812 ....
Code: Access-Reject
Identifier: 10
Authentic: <246>'<29>J<241>`Bc1<20>P/<191><254><215>}
Attributes:
Reply-Message = "Request Denied"
--> debug from some other client
Wed May 4 18:03:30 2005: DEBUG: Packet dump:
*** Received from 10.100.29.11 port 32769 ....
Code: Access-Request
Identifier: 87
Authentic: <141><213><222><255><145>)<169><172>p<237>T<244><15>n<207><171>
Attributes:
User-Name = "teste at teste.net"
User-Password = "xxxxxxxxxxxxxxxxxxxxxxxx"
Service-Type = Login-User
NAS-IP-Address = 192.168.1.3
Wed May 4 18:03:30 2005: DEBUG: Handling request with Handler 'Realm=/teste\.net/'
Wed May 4 18:03:30 2005: DEBUG: Deleting session for teste at teste.net, 192.168.1.3,
Wed May 4 18:03:30 2005: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='192.168.1.3' and NASPORT=0':
Wed May 4 18:03:30 2005: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='192.168.1.3' and NASPORT=0': MySQL server has gone away
Wed May 4 18:03:30 2005: DEBUG: Handling with Radius::AuthLDAP2:
Wed May 4 18:03:30 2005: INFO: Connecting to 192.168.1.2, port 389
Wed May 4 18:03:30 2005: INFO: Attempting to bind to LDAP server 192.168.1.2:389
Wed May 4 18:03:30 2005: DEBUG: LDAP got result for CN=Para teste da AD!,CN=Users,DC=teste,DC=net
Wed May 4 18:03:30 2005: DEBUG: Radius::AuthLDAP2 looks for match with teste at teste.net
Wed May 4 18:03:30 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed May 4 18:03:30 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed May 4 18:03:30 2005: DEBUG: Access accepted for teste at teste.net
Wed May 4 18:03:30 2005: DEBUG: Packet dump:
*** Sending to 10.100.29.11 port 32769 ....
Code: Access-Accept
Identifier: 87
Authentic: <141><213><222><255><145>)<169><172>p<237>T<244><15>n<207><171>
Attributes:
--> radius.cfg
AuthPort 1812
AcctPort 1813
LogDir /var/log/radius
DbDir /etc/radiator
DictionaryFile %D/dictionary
PidFile /var/run/radiusd.pid
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4
# You can put client details in a database table
# and get their details from there with something like this:
<ClientListSQL>
DBSource dbi:mysql:radius:localhost
DBUsername dbuser
DBAuth Ultrasecret
# for APs accounting, IDENTIFIER added
GetClientQuery select NASIDENTIFIER,SECRET,IGNOREACCTSIGNATURE,DUPINTERVAL,DEFAULTREALM,\
NASTYPE,SNMPCOMMUNITY,LIVINGSTONOFFS,LIVINGSTONHOLE,\
FRAMEDGROUPBASEADDRESS,FRAMEDGROUPMAXPORTSPERCLASSC,REWRITEUSERNAME,\
NOIGNOREDUPLICATES,PREHANDLERHOOK,IDENTIFIER from RADCLIENTLIST
# If RefreshPeriod is set to non-zero, it specifies the period in seconds that the client list will
# be refreshed by rereading the database. Each RefreshPeriod the previous client list
# is cleared and a new list of clients read from the database
# The same effect can be got by signalling the process with SIGHUP
#RefreshPeriod 600
</ClientListSQL>
<SessionDatabase SQL>
DBSource dbi:mysql:radius:localhost
DBUsername dbuser
DBAuth Ultrasecret
</SessionDatabase>
<AuthLog SQL>
DBSource dbi:mysql:radius:localhost
DBUsername dbuser
DBAuth Ultrasecret
LogSuccess 1
LogFailure 1
</AuthLog>
#<StatsLog SQL>
# DBSource dbi:mysql:radius:localhost
# DBUsername dbuser
# DBAuth Ultrasecret
#</StatsLog>
#<Log SQL>
# DBSource dbi:mysql:radius:localhost
# DBUsername dbuser
# DBAuth Ultrasecret
#</Log>
# APs through WLCCP
<Handler User-Name=/^(some|teste)$/>
<AuthBy SQL>
DBSource dbi:mysql:radius:localhost
DBUsername dbuser
DBAuth Ultrasecret
EAPType LEAP
# You may want to tailor these for your ACCOUNTING table
# You can add your own columns to store whatever you like
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
# You can arrange to log accounting to a file if the
# SQL insert fails with AcctFailedLogFileName
# That way you could recover from a broken SQL
# server
AcctFailedLogFileName %D/missedaccounting
# Alternatively, you can arrange to save failed SQL accounting insert queries to a text
# file with SQLRecoveryFile
SQLRecoveryFile %L/missedaccounting
</AuthBy>
# Log accounting to a detail file
AcctLogFileName %L/wlsm-%m.detail
</Handler>
#for the APs
<Handler Client-Identifier = ap>
<AuthBy SQL>
DBSource dbi:mysql:radius:localhost
DBUsername dbuser
DBAuth Ultrasecret
AuthSelect select SECRET from RADCLIENTLIST where NASIDENTIFIER=%0
</AuthBy>
AcctLogFileName %L/apacc-%m.detail
</Handler>
#For AD users
<Handler Realm=/teste\.net/>
<AuthBy LDAP2>
Host 192.168.1.2
Port 389
Version 3
AuthDN cn=NIC,ou=adm,dc=teste,dc=net
AuthPassword Verysecret
BaseDN dc=teste,dc=net
EAPType TTLS
ServerChecksPassword
UsernameAttr userPrincipalName
AuthAttrDef logonHours,MS-Login-Hours,check
EAPTLS_CAFile /usr/share/doc/Radiator-Locked-3.12/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile /usr/share/doc/Radiator-Locked-3.12/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /usr/share/doc/Radiator-Locked-3.12/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
EAPTLS_PEAPVersion 0
</AuthBy>
AcctLogFileName %L/%R-%m.detail
</Handler>
--> Catalyst 2950 configuration
Current configuration :
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication login VTYRAD group radius enable
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXX
!
ip subnet-zero
!
vtp domain somedomain
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
vlan 2
!
vlan 504
name XXXXXXXXXX
!
interface FastEthernet0/1
switchport access vlan 504
spanning-tree portfast
!
interface FastEthernet0/2
!.......
!.......
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan504
ip address 192.168.1.10 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
radius-server host 192.168.1.200 auth-port 1812 acct-port 1813 key XXXXXXXXXXXXXXXXX
radius-server retransmit 3
!
line con 0
line vty 0 4
login authentication VTYRAD
line vty 5 15
!
!
end
Regards,
--
Jhonny Freire Oliveira
joliveira at nic.ul.pt
Tel: +351 210113447
Núcleo de Informática e Comunicações da UL
Reitoria da UL, Alameda da Universidade
Campo Grande - 1649-004 Lisboa, Portugal
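A small parser for the trace-4 output quoted above, added here as an example (it is not code from the post or from Radiator): it reduces each Access-Request to the NAS it came from, the Handler that matched, the AuthBy result and any ERR lines logged on the way, and then groups the paths by User-Name so the two divergent outcomes for the same user, and the "MySQL server has gone away" error, stand out. The sample log is constructed from the post's trace; the "at" in User-Name is the archive's mangling and is kept as-is.

```python
"""Summarise Radiator trace-4 output per request: matched Handler, result and
ERR lines.  Added example (not from the post or Radiator); the sample below is
constructed from the trace quoted above, keeping the archive's "at" mangling."""
import re
SAMPLE_LOG = r"""
*** Received from 192.168.1.10 port 1812 ....
User-Name = "teste at teste.net"
Wed May 4 18:03:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = ap'
Wed May 4 18:03:57 2005: DEBUG: AuthBy SQL result: REJECT, No such user
*** Received from 10.100.29.11 port 32769 ....
User-Name = "teste at teste.net"
Wed May 4 18:03:30 2005: DEBUG: Handling request with Handler 'Realm=/teste\.net/'
Wed May 4 18:03:30 2005: ERR: do failed for 'delete from RADONLINE where NASPORT=0': MySQL server has gone away
Wed May 4 18:03:30 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
"""

RECEIVED = re.compile(r"^\*\*\* Received from (\S+) port \d+")
USERNAME = re.compile(r'^User-Name = "(.*)"$')
HANDLER = re.compile(r"Handling request with Handler '(.*)'$")
RESULT = re.compile(r"AuthBy \w+ result: (.*)$")
ERR = re.compile(r": ERR: (.*)$")
def parse_trace(text):
    """Return one dict per Access-Request seen in the trace, in order."""
    requests, cur = [], None
    for line in text.splitlines():
        if m := RECEIVED.match(line):            # a new request starts here
            cur = {"nas": m.group(1), "user": None, "handler": None, "result": None, "errors": []}
            requests.append(cur)
        elif cur is None:
            continue                             # noise before the first packet dump
        elif m := USERNAME.match(line):
            cur["user"] = m.group(1)
        elif m := HANDLER.search(line):
            cur["handler"] = m.group(1)          # first Handler whose check items matched
        elif m := RESULT.search(line):
            cur["result"] = m.group(1).rstrip(", ")   # "ACCEPT," -> "ACCEPT"
        elif m := ERR.search(line):              # e.g. "MySQL server has gone away":
            cur["errors"].append(m.group(1))     # the DB closed an idle DBI connection
    return requests

def paths_by_user(requests):
    """User-Name -> set of (NAS, Handler, result); >1 entry means divergent handling."""
    paths = {}
    for r in requests:
        paths.setdefault(r["user"], set()).add((r["nas"], r["handler"], r["result"]))
    return paths

if __name__ == "__main__":
    for user, paths in paths_by_user(parse_trace(SAMPLE_LOG)).items():
        print(user, "->", sorted(paths))
```

Run against a real trace file, it shows at a glance that the switch's request is caught by the Client-Identifier handler (so the user name is looked up in RADCLIENTLIST rather than in LDAP), while the other NAS falls through to the Realm handler.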