(RADIATOR) Authenticating problem between ascend max and radiator
ITI at kbclease.be
Tue Oct 17 08:03:45 CDT 2006
Hello,
We are currently migrating our radius server from a VACMAN radius server
4.5 to Radiator 3.15. The old system was running on NT4, the new one is
running on W2K. We use Vasco digipasses for authentication. We have two
main applications for which we use radius: webmail and dial-in. Webmail
seems to work fine, with every digipass. The dial-in however, poses some
problems. Our dial-in router is an Ascend Max 2000. With the VACMAN
server, everybody is able to log on. With the Radiator server, some users
experience problems. We purchased three batches of digipasses (we have
around 85). One batch seems to work perfectly, while -some- users of the
other batches can't log in.
*** radiator configuration file:
Foreground
LogStdout
LogDir d:/logs/radius
DbDir c:/Program Files/Radiator
Trace 4
<Log SQL>
    DBSource dbi:CSV:f_dir=d:/data/radius/
</Log>
<Client 10.234.199.195> <-- webserver
    Secret mysecret
    DupInterval 0
</Client>
<Client 10.234.224.51> <-- ascend max
    Secret mysecret
</Client>
<Realm DEFAULT>
    <Log SQL>
        DBSource dbi:CSV:f_dir=d:/data/radius/
        Table RADLOG
        Trace 3
    </Log>
    <AuthBy SQLDIGIPASS>
        <AuthLog SQL>
            LogSuccess 1
            DBSource dbi:CSV:f_dir=d:/data/radius/
            Table RADAUTHLOG
            FailureQuery insert into RADAUTHLOG(TIME_STAMP, USERNAME, TYPE, REASON) values (%t, %2, %0,%1)
            SuccessQuery insert into RADAUTHLOG(TIME_STAMP, USERNAME, TYPE, REASON) values (%t, %2, %0,%1)
        </AuthLog>
        DBSource dbi:CSV:f_dir=d:/data/radius/
        DBUsername mysecret
        DBAuth mysecret
        EAPType Generic-Token
        ITimeWindow 5
        IThreshold 5
        SyncWindow 60
        AutoMPPEKeys
        <AuthLog SQL>
            DBSource dbi:CSV:f_dir=d:/data/radius/
        </AuthLog>
    </AuthBy>
</Realm>
*** radiator log file (user is able to log on):
Tue Oct 17 14:11:19 2006: DEBUG: Packet dump:
*** Received from 10.234.224.51 port 1029 ....
Code: Accounting-Request
Identifier: 141
Authentic: V<186><226><192><193><18><227><21><226>9N<160><153>4<173>l
Attributes:
User-Name = "John Doe"
NAS-IP-Address = 10.234.224.51
NAS-Port = 20102
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Id = "361074260"
Acct-Authentic = RADIUS
Acct-Session-Time = 35
Acct-Input-Octets = 34767
Acct-Output-Octets = 12924
Acct-Input-Packets = 612
Acct-Output-Packets = 146
Ascend-Disconnect-Cause = pppRcvTerminate
Ascend-Connect-Progress = prLanSessionUp
Ascend-Xmit-Rate = 50667
Ascend-Data-Rate = 28800
Ascend-PreSession-Time = 27
Ascend-Pre-Input-Octets = 458
Ascend-Pre-Output-Octets = 351
Ascend-Pre-Input-Packets = 11
Ascend-Pre-Output-Packets = 14
Ascend-First-Dest = 224.0.1.22
Ascend-Multilink-ID = 2
Ascend-Num-In-Multilink = 0
Acct-Link-Count = 0
Acct-Multi-Session-Id = "00000002"
Ascend-Modem-PortNo = 4
Ascend-Modem-SlotNo = 2
Calling-Station-Id = "27227791"
Called-Station-Id = "27044790"
Framed-Protocol = MP
Framed-IP-Address = 10.234.202.2
Tue Oct 17 14:11:19 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Oct 17 14:11:19 2006: DEBUG: Deleting session for Joeri Scapicchio, 10.234.224.51, 20102
Tue Oct 17 14:11:20 2006: DEBUG: Handling with Radius::AuthSQLDIGIPASS:
Tue Oct 17 14:11:20 2006: DEBUG: AuthBy SQLDIGIPASS result: ACCEPT,
Tue Oct 17 14:11:20 2006: DEBUG: Accounting accepted
Tue Oct 17 14:11:20 2006: DEBUG: Packet dump:
*** Sending to 10.234.224.51 port 1029 ....
Code: Accounting-Response
Identifier: 141
Authentic: V<186><226><192><193><18><227><21><226>9N<160><153>4<173>l
Attributes:
*** radiator log file (another user is not able to log on):
Tue Oct 17 13:24:42 2006: DEBUG: Packet dump:
*** Received from 10.234.224.51 port 1032 ....
Code: Accounting-Request
Identifier: 29
Authentic: <210>.<220>$jb<179>n<169>~<130>r<155>+<147>b
Attributes:
NAS-IP-Address = 10.234.224.51
NAS-Port = 20103
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Id = "361074254"
Ascend-Disconnect-Cause = pppPAPAuthFail
Ascend-Connect-Progress = prLCPOpened
Ascend-Xmit-Rate = 50667
Ascend-Data-Rate = 28800
Ascend-PreSession-Time = 27
Ascend-Pre-Input-Octets = 252
Ascend-Pre-Output-Octets = 171
Ascend-Pre-Input-Packets = 7
Ascend-Pre-Output-Packets = 9
Ascend-Modem-PortNo = 10
Ascend-Modem-SlotNo = 2
Calling-Station-Id = "92108040"
Called-Station-Id = "27044790"
Tue Oct 17 13:24:42 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Oct 17 13:24:42 2006: DEBUG: Deleting session for , 10.234.224.51, 20103
Tue Oct 17 13:24:42 2006: DEBUG: Handling with Radius::AuthSQLDIGIPASS:
Tue Oct 17 13:24:42 2006: DEBUG: AuthBy SQLDIGIPASS result: ACCEPT,
Tue Oct 17 13:24:42 2006: DEBUG: Accounting accepted
Tue Oct 17 13:24:42 2006: DEBUG: Packet dump:
*** Sending to 10.234.224.51 port 1032 ....
Code: Accounting-Response
Identifier: 29
Authentic: <210>.<220>$jb<179>n<169>~<130>r<155>+<147>b
Attributes:
Notice how there isn't a User-Name field, and how the acct-status-type is
'stop'.
This digipass works fine with the old radius server.
A possible reason why the webmail works fine and the dial-in doesn't is
that they use a different auth protocol. The ascend max uses PAP (PPP).
Webmail does 'access requests (port 1645)' and the max router does
'accounting requests (1646)'.
We took a look at the ascend max, but there don't seem to be many options
you can change regarding the radius/accounting server.
Any ideas?
Kind regards,
Koen
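
An added example, not part of the original post and not Radiator code: a Python triage script that parses Trace 4 packet dumps in the layout shown above and lists Accounting Stop records that lack a User-Name or carry Ascend-Disconnect-Cause = pppPAPAuthFail, the two markers the failing session shows. The function names and the sample log (including the 192.0.2.51 address) are constructed for illustration.

```python
import re
# Constructed sample in the Trace 4 dump layout from the post (values are made up).
SAMPLE_LOG = """\
Tue Oct 17 14:11:19 2006: DEBUG: Packet dump:
*** Received from 192.0.2.51 port 1029 ....
Code: Accounting-Request
Attributes:
User-Name = "alice"
Acct-Status-Type = Stop
Ascend-Disconnect-Cause = pppRcvTerminate
Tue Oct 17 13:24:42 2006: DEBUG: Packet dump:
*** Received from 192.0.2.51 port 1032 ....
Code: Accounting-Request
Attributes:
Acct-Status-Type = Stop
Acct-Session-Id = "1002"
Ascend-Disconnect-Cause = pppPAPAuthFail
"""

HEADER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port \d+")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*)$")
STAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: ")

def parse_packets(text):
    # Split a Radiator debug log into packet dumps with their attributes.
    packets, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"dir": m.group(1), "peer": m.group(2), "code": "", "attrs": {}}
            packets.append(cur)
        elif STAMP.match(line):
            cur = None  # a timestamped log line ends the current dump
        elif cur is not None and line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif cur is not None and (a := ATTR.match(line)):
            cur["attrs"][a.group(1)] = a.group(2).strip().strip('"')
    return packets

def failed_stops(packets):
    # Accounting Stop records from the NAS that point at a failed PPP login.
    out = []
    for p in packets:
        a = p["attrs"]
        if p["code"] == "Accounting-Request" and a.get("Acct-Status-Type") == "Stop":
            checks = {"no User-Name": "User-Name" not in a,
                      "pppPAPAuthFail": a.get("Ascend-Disconnect-Cause") == "pppPAPAuthFail"}
            reasons = [name for name, hit in checks.items() if hit]
            if reasons:
                out.append((p["peer"], a.get("Acct-Session-Id"), reasons))
    return out
```

Run `failed_stops(parse_packets(text))` over the contents of the Radiator log file; each tuple gives the NAS address, the Acct-Session-Id and the markers found, which can then be matched against the NAS's own session records.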