(RADIATOR) Re: AccessReject if using RadSec for radiuses interconnection
Jan Tomasek
jan at tomasek.cz
Thu Nov 17 06:37:38 CST 2005
Hi Mike,
> We haven't seen the config file for the eduroam end yet.
Configuration for radsec1.eduroam.cz (Czech level radius)
>>>http://www.tomasek.cz/stuff/radsec/case3_radsec1.eduroam.cz.cfg
>>I forgot link to configuration of radsec1.cesnet.cz:
>>http://www.tomasek.cz/stuff/radsec/case1-2-3_radsec1.cesnet.cz.cfg
> Looks like Case 2 is the only one with a problem.
Exactly.
> In Case 2, the log file for cesnet shows a bad password for semik.
> I suspect that the problem is that the AuthRADSEC clause at eduroam
> and the ServerRADSEC clause at cesnet do not have the same Secret
> configured.
> Since RADSEC tunnels ordinary Radius requests, it is important that
> the Radius requests have their passwords encrypted with the same
> shared secret.
Oh! I'm deaf :( I overlooked that! Shame on me... I hope you didn't lose
much time with this. Thank you very much for your help! :)
I have one remaining question about this. Is there a reason why, if RadSec is
in use, the full username (including realm) is not shown? This is a piece from the log:
Thu Nov 17 13:27:54 2005: DEBUG: LDAP got result for uid=semik,ou=People,dc=cesnet,dc=cz
Thu Nov 17 13:27:54 2005: DEBUG: LDAP got radiusPassword: heslicko
Thu Nov 17 13:27:54 2005: DEBUG: Radius::AuthLDAP2 looks for match with semik []
Thu Nov 17 13:27:54 2005: DEBUG: Radius::AuthLDAP2 ACCEPT: : semik []
Note the empty []! If I switch to the RADIUS protocol (case3), or
communicate directly with radsec1.cesnet.cz (case1), then [] contains my full
username.
Thu Nov 17 10:48:11 2005: DEBUG: LDAP got result for uid=semik,ou=People,dc=cesnet,dc=cz
Thu Nov 17 10:48:11 2005: DEBUG: LDAP got radiusPassword: heslicko
Thu Nov 17 10:48:11 2005: DEBUG: Radius::AuthLDAP2 looks for match with semik [semik at cesnet.cz]
Thu Nov 17 10:48:11 2005: DEBUG: Radius::AuthLDAP2 ACCEPT: : semik [semik at cesnet.cz]
Thanks :)
--
--------------------------------------------------------------
Jan Tomasek aka Semik work: CESNET, z.s.p.o.
http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
Czech Republic
phone(work): +420 2 2435 5279 http://www.cesnet.cz/
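
Added example (not part of the original message and not Radiator's code): the RFC 2865 User-Password hiding that the quoted explanation refers to, showing why a receiver configured with a different shared secret recovers a different password and rejects the user. The two secrets and the Request Authenticator are constructed values; the password is the one shown in the log above.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as in RFC 2865 section 5.2 (sender side)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding (receiver side). Nothing signals a wrong secret:
    the result is simply different bytes, which then fail the password check."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed authenticator or User-Password")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample values (not taken from the linked configuration files).
AUTHENTICATOR = bytes(range(16))
SECRET_SENDER = b"constructed-secret-A"    # Secret on the sending side
SECRET_RECEIVER = b"constructed-secret-B"  # mismatched Secret on the receiver
PASSWORD = b"heslicko"                     # password shown in the log above

def demo():
    hidden = hide_password(PASSWORD, SECRET_SENDER, AUTHENTICATOR)
    same = recover_password(hidden, SECRET_SENDER, AUTHENTICATOR)
    wrong = recover_password(hidden, SECRET_RECEIVER, AUTHENTICATOR)
    return same, wrong

if __name__ == "__main__":
    same, wrong = demo()
    print("matching secret  :", same)
    print("mismatched secret:", wrong)
```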