(RADIATOR) AccessReject if using RadSec for radiuses interconnection

Jan Tomasek jan at tomasek.cz
Thu Nov 17 05:50:50 CST 2005


Hi,

I'm doing tests of RadSec here at CESNET. I'm experimenting with two
servers:

		radsec1.eduroam.cz (Czech level radius)
			 /
			/
	radsec1.cesnet.cz (CESNET local radius)

Logs with trace=4 are attached, config files too. As client for this
tests I used radtest from FreeRadius running on my workstation
(semik.cesnet.cz/195.113.134.138).

In CASE1 I'm sending an access-request to radsec1.cesnet.cz to check if it
works and is able to communicate with the backend LDAP:

 semik:~/tmp/freerad$./bin/radtest semik at cesnet.cz \
	heslicko radsec1.cesnet.cz 0 radSEC
 Sending Access-Request of id 140 to 195.113.187.25:1812
        User-Name = "semik at cesnet.cz"
        User-Password = "heslicko"
        NAS-IP-Address = semik
        NAS-Port = 0
 rad_recv: Access-Accept packet from host 195.113.187.25:1812, id=140,
length=20

everything is fine.

In CASE2 I'm sending the request to radsec1.eduroam.cz to check if RadSec is
working. RadSec is working - I see packets coming in both directions but
authentication somehow fails.

In CASE3 I modified the configuration of radsec1.eduroam.cz to communicate
with radsec1.cesnet.cz by the RADIUS protocol and it works!

Check out the cas23.diff.png file. It visualises the difference between
case2 and 3. To me it looks like Radiator somehow forgets about the realm
(brackets are empty!). In both cases it is doing the same search in LDAP. It
is visible in the Radiator debug log that it gets the right password but the later
checks fail. I can't explain why it is doing that second LDAP search.

I did not try to debug the Radiator source; I hope that someone at OSC is
more familiar with the code than me and can quickly figure out where the problem is.

Thanks for any help!

PS: This is a re-post; my previous mail somehow disappeared without any
notification... Grrr!! I guess it might be due to the attachments. I put them
online:

http://www.tomasek.cz/stuff/radsec/case1_radsec1.cesnet.cz.log
http://www.tomasek.cz/stuff/radsec/case2_radsec1.cesnet.cz.log
http://www.tomasek.cz/stuff/radsec/case2_radsec1.eduroam.cz.log
http://www.tomasek.cz/stuff/radsec/case3_radsec1.cesnet.cz.log
http://www.tomasek.cz/stuff/radsec/case3_radsec1.eduroam.cz.cfg
http://www.tomasek.cz/stuff/radsec/case3_radsec1.eduroam.cz.log
-- 
--------------------------------------------------------------
Jan Tomasek aka Semik           work: CESNET, z.s.p.o.
http://www.tomasek.cz/                Zikova 4, 160 00 Praha 6
                                      Czech Republic
phone(work): +420 2 2435 5279         http://www.cesnet.cz/
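The CASE1 exchange above is a plain RADIUS Access-Request carrying User-Name, a PAP-obfuscated User-Password, NAS-IP-Address and NAS-Port. The following Python script is an added example, not code from the post or from Radiator or FreeRADIUS: it builds such a packet per RFC 2865, parses it back, decodes the User-Password with the shared secret, and splits the realm off the User-Name, which is the value that appears empty in the CASE2 log. The shared secret "radSEC", the user name "semik@cesnet.cz", the password and the fixed 16-byte authenticator are constructed values chosen to mirror the radtest invocation; a real client uses a random authenticator per request.

```python
import hashlib
import struct

# RFC 2865 packet code and attribute types used by the CASE1 request.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password; the server side of the same transform."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attributes) -> bytes:
    """Header (code, id, length) + 16-byte authenticator + TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Parse a RADIUS packet, rejecting length mismatches and truncated TLVs."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("length field does not match packet")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, identifier, authenticator, attrs


def split_realm(user_name: str):
    """Return (user, realm); realm is None when no '@' is present and ''
    when the '@' is there but nothing follows it (the 'empty brackets' case)."""
    user, sep, realm = user_name.partition("@")
    return user, (realm if sep else None)


def example_round_trip():
    # Constructed values mirroring the CASE1 radtest call; not real credentials.
    secret = b"radSEC"
    authenticator = bytes(range(16))  # constructed; real clients use random bytes
    attrs = [
        (ATTR_USER_NAME, b"semik@cesnet.cz"),
        (ATTR_USER_PASSWORD, encode_pap_password(b"heslicko", secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes([195, 113, 134, 138])),
        (ATTR_NAS_PORT, struct.pack("!I", 0)),
    ]
    packet = build_access_request(140, authenticator, attrs)
    code, identifier, auth, parsed = parse_packet(packet)
    by_type = dict(parsed)
    user, realm = split_realm(by_type[ATTR_USER_NAME].decode())
    return {
        "code": code,
        "id": identifier,
        "length": len(packet),
        "password": decode_pap_password(by_type[ATTR_USER_PASSWORD], secret, auth),
        "user": user,
        "realm": realm,
    }


if __name__ == "__main__":
    print(example_round_trip())
```

A proxy that rewrites or re-creates the request must carry User-Name through unchanged; checking `split_realm` on what arrives at the home server is a quick way to confirm the realm survived the hop.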
