(RADIATOR) Authenticating problem between ascend max and radiator
Hugh Irvine
hugh at open.com.au
Tue Oct 17 17:10:29 CDT 2006
Hello -

Thanks for sending the debug log.

The log is not complete however because it only shows accounting
requests, and no authentication requests.

It would be useful to see a more complete debug showing
authentication requests, accounting starts and accounting stops.

The usual cause of this sort of problem is "old-style" or "new-style"
Ascend reply attributes. You can try the following for your
dictionary definitions:

    # use the "old-style" Ascend attributes for access accepts
    DictionaryFile %D/dictionary, %D/dictionary.ascend

Please let me know how you get on.

regards

Hugh

On 17 Oct 2006, at 23:03, ITI at kbclease.be wrote:
> Hello,
>
> We are currently migrating our radius server from a VACMAN radius server
> 4.5 to Radiator 3.15. The old system was running on NT4, the new one is
> running on W2K. We use Vasco digipasses for authentication. We have two
> main applications for which we use radius: webmail and dial-in. Webmail
> seems to work fine, with every digipass. The dial-in however, poses some
> problems. Our dial-in router is an Ascend Max 2000. With the VACMAN
> server, everybody is able to log on. With the Radiator server, some users
> experience problems. We purchased three batches of digipasses (we have
> around 85). One batch seems to work perfectly, while -some- users of the
> other batches can't login.
>
> *** radiator configuration file:
> Foreground
> LogStdout
> LogDir d:/logs/radius
> DbDir c:/Program Files/Radiator
> Trace 4
> <Log SQL>
> DBSource dbi:CSV:f_dir=d:/data/radius/
> </Log>
> <Client 10.234.199.195> <-- webserver
> Secret mysecret
> DupInterval 0
> </Client>
> <Client 10.234.224.51> <-- ascend max
> Secret mysecret
> </Client>
> <Realm DEFAULT>
> <Log SQL>
> DBSource dbi:CSV:f_dir=d:/data/radius/
> Table RADLOG
> Trace 3
> </Log>
> <AuthBy SQLDIGIPASS>
> <AuthLog SQL>
> LogSuccess 1
> DBSource dbi:CSV:f_dir=d:/data/radius/
> Table RADAUTHLOG
> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, %2, %0,%1)
> SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, %2, %0,%1)
> </AuthLog>
> DBSource dbi:CSV:f_dir=d:/data/radius/
> DBUsername mysecret
> DBAuth mysecret
> EAPType Generic-Token
> ITimeWindow 5
> IThreshold 5
> SyncWindow 60
> AutoMPPEKeys
> <AuthLog SQL>
> DBSource dbi:CSV:f_dir=d:/data/radius/
> </AuthLog>
> </AuthBy>
> </Realm>
>
> *** radiator log file (user is able to log on):
> Tue Oct 17 14:11:19 2006: DEBUG: Packet dump:
> *** Received from 10.234.224.51 port 1029 ....
> Code: Accounting-Request
> Identifier: 141
> Authentic: V<186><226><192><193><18><227><21><226>9N<160><153>4<173>l
> Attributes:
> User-Name = "John Doe"
> NAS-IP-Address = 10.234.224.51
> NAS-Port = 20102
> NAS-Port-Type = Async
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Session-Id = "361074260"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 35
> Acct-Input-Octets = 34767
> Acct-Output-Octets = 12924
> Acct-Input-Packets = 612
> Acct-Output-Packets = 146
> Ascend-Disconnect-Cause = pppRcvTerminate
> Ascend-Connect-Progress = prLanSessionUp
> Ascend-Xmit-Rate = 50667
> Ascend-Data-Rate = 28800
> Ascend-PreSession-Time = 27
> Ascend-Pre-Input-Octets = 458
> Ascend-Pre-Output-Octets = 351
> Ascend-Pre-Input-Packets = 11
> Ascend-Pre-Output-Packets = 14
> Ascend-First-Dest = 224.0.1.22
> Ascend-Multilink-ID = 2
> Ascend-Num-In-Multilink = 0
> Acct-Link-Count = 0
> Acct-Multi-Session-Id = "00000002"
> Ascend-Modem-PortNo = 4
> Ascend-Modem-SlotNo = 2
> Calling-Station-Id = "27227791"
> Called-Station-Id = "27044790"
> Framed-Protocol = MP
> Framed-IP-Address = 10.234.202.2
>
> Tue Oct 17 14:11:19 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Oct 17 14:11:19 2006: DEBUG: Deleting session for Joeri Scapicchio, 10.234.224.51, 20102
> Tue Oct 17 14:11:20 2006: DEBUG: Handling with Radius::AuthSQLDIGIPASS:
> Tue Oct 17 14:11:20 2006: DEBUG: AuthBy SQLDIGIPASS result: ACCEPT,
> Tue Oct 17 14:11:20 2006: DEBUG: Accounting accepted
> Tue Oct 17 14:11:20 2006: DEBUG: Packet dump:
> *** Sending to 10.234.224.51 port 1029 ....
> Code: Accounting-Response
> Identifier: 141
> Authentic: V<186><226><192><193><18><227><21><226>9N<160><153>4<173>l
> Attributes:
>
> *** radiator log file (another user is not able to log on):
> Tue Oct 17 13:24:42 2006: DEBUG: Packet dump:
> *** Received from 10.234.224.51 port 1032 ....
> Code: Accounting-Request
> Identifier: 29
> Authentic: <210>.<220>$jb<179>n<169>~<130>r<155>+<147>b
> Attributes:
> NAS-IP-Address = 10.234.224.51
> NAS-Port = 20103
> NAS-Port-Type = Async
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Session-Id = "361074254"
> Ascend-Disconnect-Cause = pppPAPAuthFail
> Ascend-Connect-Progress = prLCPOpened
> Ascend-Xmit-Rate = 50667
> Ascend-Data-Rate = 28800
> Ascend-PreSession-Time = 27
> Ascend-Pre-Input-Octets = 252
> Ascend-Pre-Output-Octets = 171
> Ascend-Pre-Input-Packets = 7
> Ascend-Pre-Output-Packets = 9
> Ascend-Modem-PortNo = 10
> Ascend-Modem-SlotNo = 2
> Calling-Station-Id = "92108040"
> Called-Station-Id = "27044790"
>
> Tue Oct 17 13:24:42 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Oct 17 13:24:42 2006: DEBUG: Deleting session for , 10.234.224.51, 20103
> Tue Oct 17 13:24:42 2006: DEBUG: Handling with Radius::AuthSQLDIGIPASS:
> Tue Oct 17 13:24:42 2006: DEBUG: AuthBy SQLDIGIPASS result: ACCEPT,
> Tue Oct 17 13:24:42 2006: DEBUG: Accounting accepted
> Tue Oct 17 13:24:42 2006: DEBUG: Packet dump:
> *** Sending to 10.234.224.51 port 1032 ....
> Code: Accounting-Response
> Identifier: 29
> Authentic: <210>.<220>$jb<179>n<169>~<130>r<155>+<147>b
> Attributes:
>
> Notice how there isn't a User-Name field, and how the acct-status-type is
> 'stop'.
> This digipass works fine with the old radius server.
> A possible reason why the webmail works fine and the dial-in doesn't, is
> because they use a different auth protocol. The ascend max uses PAP (PPP).
> Webmail does 'access requests (port 1645)' and the max router does
> 'accounting requests (1646)'.
>
> We took a look at the ascend max, but there don't seem to be many options
> you can change regarding the radius/accounting server.
>
> Any ideas?
>
> Kind regards,
>
> Koen
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
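
A triage pass over a Trace 4 log for the point made in the reply above: the posted log holds accounting requests but no authentication requests, and the failing session is a Stop record with no User-Name. This is an added example, not part of the original messages and not Radiator code; the sample log is constructed (abridged from the quoted dumps) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, abridged from the two dumps quoted in the thread.
SAMPLE_LOG = """\
Tue Oct 17 14:11:19 2006: DEBUG: Packet dump:
*** Received from 10.234.224.51 port 1029 ....
Code:       Accounting-Request
Attributes:
    User-Name = "John Doe"
    Acct-Status-Type = Stop
    Acct-Session-Id = "361074260"
    Ascend-Disconnect-Cause = pppRcvTerminate

Tue Oct 17 13:24:42 2006: DEBUG: Packet dump:
*** Received from 10.234.224.51 port 1032 ....
Code:       Accounting-Request
Attributes:
    Acct-Status-Type = Stop
    Acct-Session-Id = "361074254"
    Ascend-Disconnect-Cause = pppPAPAuthFail
"""

# A leading "> " is tolerated so a log pasted from a quoted e-mail also parses.
HEADER = re.compile(r"\*\*\* (Received from|Sending to) (\S+) port (\d+)")
CODE = re.compile(r"^[> \t]*Code:\s*(\S+)", re.M)
ATTR = re.compile(r"^[> \t]*([A-Za-z][\w-]*) = (.*)$", re.M)

def parse_dumps(text):
    """Split a Trace 4 log on blank lines and keep the blocks that hold a packet dump."""
    packets = []
    for block in re.split(r"\n[> \t]*\n", text):
        head, code = HEADER.search(block), CODE.search(block)
        if head and code:
            packets.append({"dir": head.group(1), "peer": head.group(2), "code": code.group(1),
                            "attrs": {k: v.strip().strip('"') for k, v in ATTR.findall(block)}})
    return packets

def triage(packets):
    """Summarise what the log can and cannot say about the failed logins."""
    received = [p for p in packets if p["dir"] == "Received from"]
    codes = Counter(p["code"] for p in received)
    acct = [p["attrs"] for p in received if p["code"] == "Accounting-Request"]
    failed = [a for a in acct if "AuthFail" in a.get("Ascend-Disconnect-Cause", "")]
    return {
        "codes": dict(codes),
        "has_access_request": codes["Access-Request"] > 0,
        "auth_fail_sessions": [a.get("Acct-Session-Id") for a in failed],
        "no_user_name": [a.get("Acct-Session-Id") for a in acct if "User-Name" not in a],
    }
```

When `has_access_request` is false while `auth_fail_sessions` is non-empty, the capture is missing the exchange that decided the login, which is why a fuller trace was requested.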