(RADIATOR) Re: AccessReject if using RadSec for radiuses interconnection

Mike McCauley mikem at open.com.au
Thu Nov 17 18:50:17 CST 2005


Hello Jan,

On Thursday 17 November 2005 22:37, Jan Tomasek wrote:
> Hi Mike,
>
> > We haven't seen the config file for the eduroam end yet.
>
> Configuration for radsec1.eduroam.cz (Czech level radius)
>
> >>>http://www.tomasek.cz/stuff/radsec/case3_radsec1.eduroam.cz.cfg
> >>
> >>I forgot link to configuration of radsec1.cesnet.cz:
> >>http://www.tomasek.cz/stuff/radsec/case1-2-3_radsec1.cesnet.cz.cfg
> >
> > Looks like Case 2 is the only one with a problem.
>
> Exactly.
>
> > In Case 2, the log file for cesnet shows a bad password for semik.
> > I suspect that the problem is that the AuthRADSEC clause at eduroam
> > and the ServerRADSEC clause at cesnet do not have the same Secret
> > configured.
> > Since RADSEC tunnels ordinary Radius requests, it is important that
> > the Radius requests have their passwords encrypted with the same
> > shared secret.
>
> Oh! I'm deaf :( I overlooked that! Shame on me... I hope you didn't lose
> much time with this. Thank you very much for your help! :)
>
>
>
> I've one remaining question about this. Is there a reason why, if RadSec is
> in use, the full username (including realm) is not shown? This is a piece
> from the log:

That was a small bug.
Now fixed in the latest patch set.

BTW in response to reports from another tester, we have also made some other 
improvements to RADSEC. None of them should break what you are doing. See the 
patch set history for details.

Cheers.

>
> Thu Nov 17 13:27:54 2005: DEBUG: LDAP got result for
> uid=semik,ou=People,dc=cesnet,dc=cz
> Thu Nov 17 13:27:54 2005: DEBUG: LDAP got radiusPassword: heslicko
> Thu Nov 17 13:27:54 2005: DEBUG: Radius::AuthLDAP2 looks for match with
> semik []
> Thu Nov 17 13:27:54 2005: DEBUG: Radius::AuthLDAP2 ACCEPT: : semik []
>
> Note the empty []! If I switch to the radius protocol (case 3), or
> communicate directly with radsec1.cesnet.cz (case 1), then [] contains my
> full username.
>
> Thu Nov 17 10:48:11 2005: DEBUG: LDAP got result for
> uid=semik,ou=People,dc=cesnet,dc=cz
> Thu Nov 17 10:48:11 2005: DEBUG: LDAP got radiusPassword: heslicko
> Thu Nov 17 10:48:11 2005: DEBUG: Radius::AuthLDAP2 looks for match with
> semik [semik at cesnet.cz]
> Thu Nov 17 10:48:11 2005: DEBUG: Radius::AuthLDAP2 ACCEPT: : semik
> [semik at cesnet.cz]
>
>
> Thanks :)

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
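The following is an added example, not code from Radiator or from either poster, to show why the mismatched secrets Mike describes surface as a "bad password" rather than as a transport error. It implements the RFC 2865 section 5.2 User-Password hiding and then simulates Case 2 as two hops: the forwarding side hides the password with the Secret of its AuthRADSEC clause, the receiving side un-hides it with the Secret of its ServerRADSEC clause and compares the result with the LDAP password shown in the quoted debug log. The hop model, the fixed Request Authenticator and the secret values are assumptions made for the example.

```python
"""Why mismatched RADSEC secrets show up as a 'bad password'.

Added example (not Radiator code, not from the thread): RFC 2865 section 5.2
User-Password hiding, followed by a two-hop simulation of the thread's Case 2.
"""
import hashlib

# Test password as it appears in the LDAP debug output quoted in the thread.
STORED_PASSWORD = b"heslicko"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), where the first 'previous
    block' is the 16-byte Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding again."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block  # chaining always uses the ciphertext block
    return bytes(out).rstrip(b"\x00")


def authenticate_over_radsec(password: bytes, authradsec_secret: bytes,
                             serverradsec_secret: bytes,
                             authenticator: bytes = bytes(range(16))) -> str:
    """Simulate Case 2: eduroam forwards the request over RADSEC to cesnet.

    Assumption made for this example: the forwarding side hides User-Password
    with the Secret of its AuthRADSEC clause and the receiving side un-hides
    it with the Secret of its ServerRADSEC clause. The fixed authenticator
    keeps the run reproducible; real servers use 16 random bytes per request.
    """
    hidden = hide_password(password, authradsec_secret, authenticator)
    recovered = reveal_password(hidden, serverradsec_secret, authenticator)
    return "ACCEPT" if recovered == STORED_PASSWORD else "REJECT"


if __name__ == "__main__":
    # Secrets are assumed values; only the second call reproduces Case 2.
    print(authenticate_over_radsec(b"heslicko", b"mysecret", b"mysecret"))     # ACCEPT
    print(authenticate_over_radsec(b"heslicko", b"mysecret", b"0thersecret"))  # REJECT
```

The TLS session carries the packet intact, so nothing on the wire fails; the receiving server simply un-hides the User-Password with the wrong key, gets 16 bytes of noise, and logs an ordinary bad-password reject. That is why the check to make first is that the Secret in the AuthRADSEC and ServerRADSEC clauses is identical, not the certificate or TLS setup.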

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au