No subject

Christoph Schmidt Christoph.Schmidt at controlware.de
Wed Mar 1 09:01:09 CST 2006


Dear all,

as a newbie on this list I don't know if this issue has been in this list before...
(I haven't found anything about this)
We have a working environment with the Radiator RADIUS server. In our configuration all users authenticating e.g. on a Cisco router retrieve a PreClientHook:
PreClientHook   file:"%D/setAreaRealm"
Now we extended the system with the TACACS+ server and it seems that the PreClientHook is not working.
For Authentication purposes an "AreaRealm" will be added to the userID like user at realm1.
Authenticating at the NAS with user at realm will have a successful authentication, but authorization on the device itself will fail.
Logs:
###################################################################################
1. RADIUS Authentication:
Wed Mar  1 14:38:54 2006: INFO: radius-auth: accept to xx.xx.xx.xx from 0.0.0.0 by cschmidt realm nms profile oper
###################################################################################
2a. TACACS+ Authentication without @realm1:
Wed Mar  1 14:27:08 2006: INFO: radius-auth: reject to xx.xx.xx.xx from yy.yy.yy.yy by NAS_xy realm
Wed Mar  1 14:27:08 2006: INFO: Access rejected for a45100: No such user
###################################################################################
2b. TACACS+ Authentication with @realm1:
Wed Mar  1 14:28:03 2006: INFO: radius-auth: accept to 10.9.9.254 from 10.9.9.132 by a45100 realm nms profile admin
---------------------
Username: a45100 at ger

Translating "ger" 

Password:

% Authorization failed.

Connection closed by foreign host.
------------------------
###################################################################################
3. TACACS+ Authentication with @realm1 and tacacsplustest-utility
------------------------
server:/tmp/Radiator-3.14/goodies # ./tacacsplustest -key tacacstest -user cschmidt at ger -password "veryverysecret"
sending Authentication request...
OK
sending Authorization request...
OK
sending Accounting request...
Received incorrect response type: 1
-------------------------
Log:
Wed Mar  1 15:29:32 2006: INFO: radius-auth: accept to 127.0.0.1 from testclient by cschmidt realm ger profile oper
###################################################################################

Any ideas or help would be very much appreciated...

best regards

Ch. Schmidt



___________________________________________________

Christoph Schmidt
Security Consultant
Competence Center Security

Controlware GmbH
Waldstrasse 92, 63128 Dietzenbach, Germany
Tel.: +49 6074 - 858-619
Fax: +49 6074 - 858-318
christoph.schmidt at controlware.de 
www.controlware.de 

