(RADIATOR) AccessReject if using RadSec for radiuses interconnection

Mike McCauley mikem at open.com.au
Thu Nov 17 06:16:00 CST 2005


Hello Jan,

I didn't see any configuration files in this post, so I can't be sure, but:

Looks like Case 2 is the only one with a problem.
In Case 2, the log file for cesnet shows a bad password for semik.
I suspect that the problem is that the AuthRADSEC clause at eduroam and the 
ServerRADSEC clause at cesnet do not have the same Secret configured. 
Since RADSEC tunnels ordinary Radius requests, it is important that the Radius 
requests have their passwords encrypted with the same shared secret.

Hope that helps.

Cheers.

On Thursday 17 November 2005 21:50, Jan Tomasek wrote:
> Hi,
>
> I'm doing tests of RadSec here at CESNET. I'm experimenting with two
> servers:
>
> 		radsec1.eduroam.cz (Czech level radius)
> 			 /
> 			/
> 	radsec1.cesnet.cz (CESNET local radius)
>
> Logs with trace=4 are attached, config files too. As the client for these
> tests I used radtest from FreeRadius running on my workstation
> (semik.cesnet.cz/195.113.134.138).
>
> In CASE1 I'm sending an access-request to radsec1.cesnet.cz to check if it
> works and is able to communicate with the backend LDAP:
>
>  semik:~/tmp/freerad$./bin/radtest semik at cesnet.cz \
> 	heslicko radsec1.cesnet.cz 0 radSEC
>  Sending Access-Request of id 140 to 195.113.187.25:1812
>         User-Name = "semik at cesnet.cz"
>         User-Password = "heslicko"
>         NAS-IP-Address = semik
>         NAS-Port = 0
>  rad_recv: Access-Accept packet from host 195.113.187.25:1812, id=140,
> length=20
>
> everything is fine.
>
> In CASE2 I'm sending a request to radsec1.eduroam.cz to check if radsec is
> working. RadSec is working - I see packets coming in both directions but
> authentication somehow fails.
>
> In CASE3 I modified the configuration of radsec1.eduroam.cz to communicate
> with radsec1.cesnet.cz by the radius protocol and it works!
>
> Check out the cas23.diff.png file. It visualises the difference between
> case 2 and 3. To me it looks like Radiator somehow forgets about the realm
> (brackets are empty!). In both cases it is doing the same search in LDAP. It
> is visible in the Radiator debug log that it gets the right password but later
> the checks fail. I can't explain why it is doing that second LDAP search.
>
> I did not try to debug the Radiator source, I hope that someone in OCS is
> more familiar with the code than me and able to quickly figure out where the
> problem is.
>
> Thanks for any help!
>
> PS: This is a re-post, my previous mail somehow disappeared without any
> notification... Grrr!! I guess it might be due to the attachments. I put them
> online:
>
> http://www.tomasek.cz/stuff/radsec/case1_radsec1.cesnet.cz.log
> http://www.tomasek.cz/stuff/radsec/case2_radsec1.cesnet.cz.log
> http://www.tomasek.cz/stuff/radsec/case2_radsec1.eduroam.cz.log
> http://www.tomasek.cz/stuff/radsec/case3_radsec1.cesnet.cz.log
> http://www.tomasek.cz/stuff/radsec/case3_radsec1.eduroam.cz.cfg
> http://www.tomasek.cz/stuff/radsec/case3_radsec1.eduroam.cz.log

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
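
The effect described in the reply above, as an added example that is not part of the original thread and is not Radiator code: RADIUS hides User-Password with an MD5 keystream derived from the shared secret (RFC 2865, section 5.2), so a next hop holding a different Secret recovers garbage and logs a bad password. The function names, secrets and Request Authenticator are constructed for illustration; only the password string comes from the quoted radtest output.

```python
import hashlib

def _xor_with_pad(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Keystream block is MD5(shared secret + previous ciphertext block or RA).
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password attribute value as in RFC 2865 section 5.2."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor_with_pad(padded[i:i + 16], secret, prev)
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode a User-Password value with the receiver's idea of the secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor_with_pad(block, secret, prev)
        prev = block
    return clear.rstrip(b"\x00")

def password_seen_by_next_hop(password: bytes, sender_secret: bytes,
                              receiver_secret: bytes,
                              authenticator: bytes = bytes(range(16))) -> bytes:
    # The proxy re-encodes the password with its Secret for the tunnelled
    # request; the next hop decodes it with its own configured Secret.
    hidden = hide_password(password, sender_secret, authenticator)
    return recover_password(hidden, receiver_secret, authenticator)

if __name__ == "__main__":
    pw = b"heslicko"  # password from the quoted radtest run
    # Constructed secrets: matching on both ends, then mismatched.
    print(password_seen_by_next_hop(pw, b"example-secret", b"example-secret"))
    print(password_seen_by_next_hop(pw, b"example-secret", b"other-secret"))
```

With matching secrets the next hop recovers the original password; with different secrets it recovers unrelated bytes, which the backend comparison then rejects.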
